How do I fast track patch distribution as part of an initial deployment process?


Article ID: 179846


Products

Patch Management Solution for Windows

Issue/Introduction

 

Resolution

Question

There is an identified need for near-immediate delivery of patches to freshly deployed operating systems.

How do I expedite the distribution of patches to these machines?

Answer

Best Practices

Use a staging Symantec Management Platform server to perform the initial deployment of new client machines where a high-frequency Patch Management Vulnerability scan is required.

Machines can be built against the staging server, patched quickly using high-frequency refresh cycles, and then moved to the production Symantec Management Platform server for ongoing management.

On a single server managing a medium to large number of endpoints, it is not possible to increase the frequency of the Patch Management Vulnerability scans and the Altiris Agent policy refresh intervals, because of the amount of data that is processed against all resources.

The configuration items that need to be modified on the staging server, and the reasons for using a staging server, are detailed below.

Client side:
Altiris Agent Download new configuration interval.
  • This is located within Settings > Agents/Plug-ins > Altiris Agent > Settings > Altiris Agent Settings - Targeted.
  • This interval is recommended to be scaled up to several hours for larger implementations.
  • This setting affects how often an agent requests a policy update from the server. It is dependent upon the Policy Update Schedule.
Vulnerability Analysis scans.
  • There are four policies, located within:
    • Settings > Software > Patch Management > Microsoft Settings > Microsoft Vulnerability Analysis
    • Settings > Software > Patch Management > Adobe Settings > Adobe Vulnerability Analysis
    • Settings > Software > Patch Management > Novell Settings > Default Novell Inventory Policy
    • Settings > Software > Patch Management > Red Hat Settings > Default Red Hat Inventory Policy
  • These have a default 4 hour interval.
  • This setting affects how often a client machine will perform a vulnerability scan and send the results to the server.
  • This setting affects all resources and cannot be partitioned to a subset of resources.
  • These policies cannot be disabled. This is by design.
Server side:

These schedules perform a refresh on specific data for all resources and cannot be partitioned to refresh the data for a subset of resources.

Patch Filter Update Interval.
  • This is located within Settings > Software > Patch Management > Microsoft Settings > Microsoft.
  • This defaults to a 10 minute schedule interval and is recommended to be scaled up to several hours for larger implementations.
  • This setting affects how often the client Vulnerability Analysis results are processed.
  • This processing needs to be completed prior to a Policy Update Schedule to allow software update agent policies to be merged into the Altiris Agent configuration.
Policy Update Schedule.
  • This is located within Settings > Notification Server > Resource and Data Class Settings > Resource Membership Update.
  • This defaults to a 10 minute schedule and is recommended to be scaled up to several hours for larger implementations.
  • This setting affects how often the server refreshes client policy configuration settings for delivery to clients.

Also see KB Article ID: 48264 - Creating a Staging NS for Patch Management