Created Software Update Policies for December 2016 release and targeted vulnerable Server Operating System (OS) Clients.

Executed the Software Update Cycle on the targeted Server OS Client: Checked Client's Agent GUI > Software Updates tab and found it displays the Software Updates in Scheduled status following the Software Update Cycle. 

Client Logs detail the change state to download packages and show errors package does not exist for the Patch Install Tools package GUID, followed by warnings pertaining to unknown exception on that package, and the process continues with assigning an install order for each targeted Software Update, yet when it tries to check on the Applicability, the warning is thrown for is not ready on that package.

Error: refreshPackageStatusVerbose(): Auxilliary package {832C527C-B9C9-46FB-B1F1-2F35434FF90D} does not exist.

Warning: DownloadPackage (id - {832C527C-B9C9-46FB-B1F1-2F35434FF90D})- unknown exception

Warning: Auxilliary package {832C527C-B9C9-46FB-B1F1-2F35434FF90D} is not ready.

ITMS 8.x

Patch Management 8.x

Confirmed the Server OS Clients fail to be populated in the Windows Computers with Software Update Plug-in Installed - Target in the SMP Console under:

Settings > All Settings > Software > Patch Management > Windows Settings > Windows Patch Remediation Settings policy

This is the main target that the Patch Filter is built on. The Clients are unable to download the Patch Install Tools for they are not included in the Target required for install.

Confirmed that none of the scoping roles had ownership over the managed Clients included in the Filters which build the Windows Computers with Software Update Plug-in Installed - Target .

This issue is generally resolved by refreshing the owner of the Windows Computers with Software Update Plug-in Installed - Target, for it needs to be the Application Identity (AppID) which is the Symantec Service Account. If the owner of the target does not show as the AppID, Log in as the AppID, edit the target, and click Update results followed by Cancel. Verify that the owner now shows as the AppID.

It was found in some cases that the target is owned by AppID, yet the Clients were still unable to download the Patch Install Tools package. This is quickly resolved by running the attached SQL Script - Add Symantec Admin to Patch Target, for it will add the Symantec Administrators role to the ownership of the Windows Computers with Software Update Plug-in Installed - Target, and that will override the lower permissions to allow the Target to update membership associations in the database without compromising security for the lesser roles.

If unable to modify the Symantec_CMDB database; work through the following:

1. Import the attached Patch Target Membership Roles custom report.
   • Open the Console > Reports > All Reports > Software > Patch Management
   • Highlight Patch Management > Right-click > Import
   • Browse to the storage directory of this custom report
   • Click Open
2. Review the listed Roles; give them rights to the computers which are in the Target.
   • Generally the two roles owning this policy are Patch Management Rollout & Patch Management Administrators
   • Ensure they are able to own the All Computers filter and that will allow the permissions access to update the Windows Computers with Software Update Plug-in Installed - Target ownership associations in the database