search cancel

Client Automation - How to avoid automatic distribution of Patch Management patch from Enterprise to Domain Manager ?


Article ID: 207534


Updated On:


CA Client Automation CA Client Automation - Patch Manager CA Client Automation - IT Client Manager


On Enterprise Server, when a Patch is accepted in Patch Management it is automatically downloaded, regisered in ITCM and distributed to all Domain Managers linked to Enterprise.

How to avoid this automatic distribution of SD package ?



Client Automation - All Versions



1- On Enterprise server, create a new local Windows user (ex: PMUSER)

This user should not belong to Administrators group.


2- In DSM GUI, go under Security - Security Profiles

Click Add button and add the user created in step 1


3- Give it Full Control permissions on all class except for 

Software Distribution Container and Software Distributions where we give Read permissions



4- In DSM GUI, connect with new created user to initiliaze it in ITCM database and check that all is ok.



5- On Windows folder C:\Program Files (x86)\CA\DSM\SD\ASM\LIBRARY add user IUSR in Security with Full Control


6- Open DSM Web Console, go in Patch Management - Administration - Manager

And put the user created in step 1 in User Name field :

Example : winnt://JY-W2K16-ES/pmuser

Click on Save button


7- Recycle tomcat

caf stop tomcat
caf start tomcat
8- Then accept a patch in Patch Management
It should appear in ITCM as a SD package and no Distribution job should be created as user has no rights to create it.
The patch is set in status "Packaging Failed' because creation of Software Distribution job failed (access denied).
It is possible to change it manually to Testing with a SQL Query like :

UPDATE ca_install_package
SET status=9
WHERE ipkg_name = 'Windows Malicious Software Removal Tool x86 - January 2021 (KB890830)' and status=8
Replace the name of patch in ipkg_name