How do I configure Patch Management 7?
Set up collections and perform network discovery as needed:
- The Patch Agent is not a stand-alone agent. Patch Management will only push updates to machines that have the Notification Server’s Altiris Agent installed.
Install licenses (Patch Management requires the license node count and AUP to be current; otherwise Patch inventories will fail):
- Go to Symantec Installation Manager > click Add/Update licenses > click Install Licenses in the top right-hand corner, then browse to your license file
Configure the settings for the Microsoft vendor policy: configure the Patch Filter Update interval, set up exclusions for unwanted update types, and configure Package Server usage.
- Settings > All Settings > Software > Patch Management > Microsoft
- Patch Filter Update Interval: Schedule the NS Tasks that update Microsoft Patch Management Collections
- Patch Management exclusion selection: Exclude the Vista/64-bit .cab files if they are not needed
- Settings > All Settings > Software > Patch Management > Microsoft Settings > Microsoft > Policy and Package Settings tab
- Configure 'Delete Packages after:' to clean up unused packages on the client machines after the updates have run
- Package Server Distribution:
  - Allow Package Server Distribution: Set to All Package Servers, or to Individual Package Servers if you need to specify which servers will act as Patch Package Servers
  - Use alternate download location on Package Server: Enable and enter a path on the Package Server where update packages will be stored
Configuration of QChain Download: QChain is Microsoft software; it only needs to be downloaded once to the NS and is then replicated to the clients that have the Patch Agent Plug-in.
- Manage > Jobs and Tasks > System Jobs and Tasks > Software > Patch Management > Download QChain
- Note: There is nothing in this task to configure, and it will therefore error out as outlined in TECH41590
Configuration of Check Software Update Package Integrity: This only needs to be run when there are orphaned packages or when the download location for update packages has been moved.
- Manage > Jobs and Tasks > System Jobs and Tasks > Software > Patch Management > Check Software Update Package Integrity
- Deletes orphaned packages
- Deletes packages that have no associated Update Policies
- Changes the location of existing packages if the package download location has changed, as set in the Patch Management Core Solution settings
Configuration of the Software Update Agent rollout to clients (Patch Agent): Configure this to target the specific clients that should receive the Patch Agent Plug-in
- Settings > All Settings > Agents/Plug-ins > Software > Windows Software Update Plug-in Install
- Software Update Agent Install: Installs the PM Agent to the targeted collections.
- Software Update Agent Uninstall: Uninstalls the PM Agent from the targeted collections.
- Software Update Agent Upgrade: Upgrades the PM Agent to the newest version released.
Configuration of the Default Software Update Plug-in Policy (Software Update Cycle/Reboot Schedule): Sends the command to install updates that have already downloaded to the clients at a specific time. If a specific filter needs its own software update cycle / reboot schedule, this policy may be cloned by right-clicking it and selecting Clone.
- Settings > All Settings > Agents/Plug-ins > Software > Windows > Default Software Update Plug-in
- Configure the schedule for the Software Update Cycle: a schedule can be added, or a Windowed Schedule with multiple checks can be configured from the drop-down. Note: The Windowed Schedule is not available for cloned policies unless the Default Policy is set up for this when the clone is enabled. This is outlined in KM article TECH133418
- Configure to allow the user to run the update cycle manually from the client
- Configure to allow restart after installation
- Configure to override the maintenance window schedule if desired - For more details see TECH127411
- Configure the notifications for users to receive pop-ups concerning the update cycle / rebooting - TECH127404
Configuration of the Microsoft Vulnerability Analysis Policy (Patch Inventories): Sets the interval for requesting Patch Inventories from the clients.
- Settings > All Settings > Software > Patch Management > Microsoft Settings > Microsoft Vulnerability Analysis
- Configures the intervals for Patch Inventories – the best configuration is every 4 hours and ‘Only if changed.’
- However, this may be set to ‘Always’ if inventory troubleshooting is needed in the environment.
Configuration of the Microsoft Patch Management Import (PMImport .cab files and the Revised Software Update Task schedule): Must be run before pushing updates for Microsoft and Adobe
- Manage > Jobs and Tasks > System Jobs and Tasks > Software > Patch Management > Microsoft Patch Management Import
- Configure the Revised Software Update Task to run on a schedule with the PMImport - for more information see HOWTO10493
- Configure location of download for the .cab files
- Manual download of the .cab files:
  - De-select the ‘Only download if modified’ option and Save Changes
  - Select New Schedule and schedule ‘Now’ from the pop-up window
- Configure the schedule for download of the .cab files
- Note: Adding a schedule for the PMImport will cause it to run twice, because the default 2:30am schedule is not editable. If another schedule is added, the process will execute both at 2:30am and at the newly set schedule
Patch Remediation Center:
- Staging bulletins and updates (downloading them from Microsoft): Creates the packages on the NS and puts the codebases for the Microsoft updates in the database
- Manage > Policies > Software > Patch Management > Patch Remediation Center
- Drop-down – Filter the listed bulletins for the different components of Patch Management
- Right-click – Stage the individual bulletin/KB. The suggested limit is 30 total downloads, because the NS queues this process. Please test your system starting with 10 bulletins to determine how long the process may take.
- Create and configure the Software Update Policies (distribute the updates to managed computers): A job that pushes the package to the client and rests in scheduled status until the Default Software Update Plug-in Policy schedule runs.
- Right-click the desired bulletin(s) and select ‘Software Update Policy Wizard’ from the menu, or
- Select the ‘Actions’ drop-down box and select ‘Software Update Policy Wizard’
- Walk through the configuration settings for the Update Policy to best suit the needs of the environment
- Note: There is a 50-update advertisement limit per policy. This count can be viewed from the Remediation Center > Downloads column.
- Advisory: It is best practice to disable any unwanted Software Update Policies. This ensures the clients will no longer request data regarding updates that have already installed. Leaving Software Update Policies enabled after the update is installed was addressed in Patch Management SP2 MR3, as outlined in KM TECH147912
Running Reports to view vulnerabilities:
- Reports > All Reports > Software > Patch Management > Compliance
- View vulnerabilities for machines to see which Update Policies are needed
- Select Microsoft Compliance by Computer
- Configure the date range the report should cover
- Configure Distribution Status (All – shows all available updates)
- Configure Operating System (Windows XP, Server 2008, etc.)
Configuration of Patch Management Core Services:
- Settings > All Settings > Software > Patch Management > PM Core Solution
- Languages and Locations:
  - Managed Languages: Enable all desired languages and Apply changes (running the PMImport will pull down the .cab files for these languages)
  - Download location configuration for the Software Update Packages
- Custom Severity:
  - Patch Management mirrors the severities from Microsoft; however, this is where custom severities can be implemented to fit a desired structure outside the Microsoft severity list.
Configuration of Hierarchy settings for Patch Policy replication: Outlined in KM article HOWTO9874
To set up Patch Management 7.0 for Linux, please see KM article HOWTO10327