Distribute and Report On Compliance Regarding Software Updates That Cannot Be Automatically Downloaded From the Vendor

Article ID: 249118


Products

Patch Management Solution

Issue/Introduction

Note: The features described in this document are available starting with version 8.6 RU3.

Some updates required for remediation of vulnerabilities known to Symantec Patch Management solution cannot be downloaded automatically from the corresponding software vendors’ websites.
Typical examples: 

  • Updates that require EULA acceptance for download
  • Updates that require login using a registered user account
  • Updates that require a subscription to a specific service (for example, Windows 10 feature updates available through Microsoft MSDN or Enterprise Licensing)
  • Updates that are replaced with newer versions by the vendor (for example, Google Chrome)

 

Earlier versions of Patch Management solution could not support such updates, so they were filtered out of the datafeed (with a few exceptions for Windows 10 feature updates and Oracle Java, both of which required a manual workaround to distribute).
With the automated support for manually downloaded updates (MDU) added in ITMS 8.6 RU3, these updates are no longer filtered out of the datafeed, but they remain hidden from earlier versions of Patch Management solution.

Environment

Patch Management 8.6 RU3 or later

Resolution

Create the SWU policy with MDU

To create a policy with manually downloaded updates:

  1. Create the SWU policy in the usual way
  2. Upload files to the update's package using the new MDU upload UI (click the ‘pencil’ button next to the package to open a dialog with the uploader, see the screenshot below), or follow the steps described in KB article https://knowledge.broadcom.com/external/article/184951/deploying-windows-10-feature-updates-wit.html
  3. Enable the update in the SWU policy

Delivery of an MDU is disabled until the package becomes ready (a package in the ‘missing’ state does not contain all required files).

 

Example: SWU policy UI with the manually downloaded update not yet uploaded by the customer

Example: MDU uploads UI after uploading the required file

 

After all required files are uploaded (the package status changes to ‘available’), delivery of the update can be enabled.

 

Warning: An MDU package is shared among all existing SWU policies that reference it. Any change to the package immediately affects all of those policies. For example, deleting a previously provided MDU file in the uploader UI triggers the change to the update as soon as the uploader is closed. A new upload of the file is then required to enable its distribution again.

Updates filtering in the SWU policy:
New filtering criteria can be used to find MDUs in the SWU policy:

 

  1. Download type
    1. automatic - the Patch Management solution can download the file itself
    2. manual - no public URL is available for download; the customer must download the files from the vendor and upload them to the package
  2. Status of manually downloaded update
    1. available - all required files are uploaded to the package
    2. missing - no required files in the package

 

MDU Upload UI
The upload UI allows you to rename an uploaded file automatically to the name expected by the Patch Management solution (for example, Windows 10 feature updates need to be renamed based on the language and edition of the specific update distributed).
If the user commits changes to the contents of the package (by adding or deleting files), distribution points are updated automatically to notify the management server and package servers about the modifications.

When a software vendor changes an update so that it can no longer be downloaded automatically (replaces it with a newer version, EOLs the product, etc.), this is reflected in the datafeed by changing the update type to MDU. For customers on earlier versions, this results in deletion of the update (and the corresponding SWU policies). With Patch Management 8.6 RU3, the update and SWU policies remain intact; the UI just indicates the change of update type.
Should the user need to clean up updates that are no longer up to date, this is possible using the general Patch Management solution functionality (cleanup options in the Patch Data import task, or disabling bulletins manually in reports).

MDU visibility in reports
It is possible to identify bulletins with MDU updates in the reports ‘Software Bulletin Details’ and ‘All Software Bulletin’, as they now contain the additional column ‘Manual Download’.

 

Additional warnings that notify the user about MDUs are shown in the Distribute Software Update wizard during SWU policy creation and on the Advanced tab of the SWU policy when editing it.

 

Hierarchy support

Software updates were traditionally not replicated from the parent Notification Server to its children, but this changed for the MDU use case: the content of the corresponding packages will be delivered to the children's Notification Servers if:

  1. parent package is ready (status ‘available’)
  2. parent package is not ready (status ‘missing’) and the child package is also not ready (status ‘missing’)

Note:

  • The same package may be shared between several SWU policies. Some policies can be created on a child NS, others may arrive from the parent NS. If the package from the parent NS is ready, it will always override the package of the child NS. But if the parent package is not ready and the child package is ready, the content of the child package will not be changed.
  • Because SWU policies are delivered to child NSs within the scope of the 'Differential replication' replication rule and packages are delivered within the scope of another rule, replication of packages for manually downloaded updates may take several replication cycles to synchronize the policies and metadata with the content of the packages. The preferred case is where metadata with packages gets replicated first and then the SWU policies are replicated.
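
The replication rule and the shared-package warning above, modelled as an added example (not Symantec/Broadcom code and not a product API). `Package`, `replicate`, `blocked_policies` and the sample packages and policies are hypothetical names and constructed data, and the model assumes a package is ‘available’ only when every required file is present.

```python
from dataclasses import dataclass, field

@dataclass
class Package:
    """Toy model of an MDU package (hypothetical, not a product API)."""
    required: frozenset                            # file names the update expects
    uploaded: dict = field(default_factory=dict)   # file name -> who uploaded it

    @property
    def status(self):
        # Assumption: 'available' only once every required file is present.
        return "available" if self.required.issubset(self.uploaded) else "missing"

def replicate(parent, child):
    """Apply the hierarchy rule to one package; True if child content changed."""
    if parent.status == "available" or child.status == "missing":
        changed = child.uploaded != parent.uploaded
        child.uploaded = dict(parent.uploaded)     # parent content is delivered
        return changed
    return False   # parent 'missing', child 'available': child is left untouched

def blocked_policies(policies, packages):
    """Names of SWU policies that reference at least one 'missing' package."""
    return sorted(name for name, refs in policies.items()
                  if any(packages[r].status == "missing" for r in refs))

def demo():
    # Constructed sample data: three packages as seen on a parent and a child NS.
    need = {"A": frozenset({"a.exe"}), "B": frozenset({"b.msi"}),
            "C": frozenset({"c.iso"})}
    parent = {"A": Package(need["A"], {"a.exe": "parent"}),
              "B": Package(need["B"]),
              "C": Package(need["C"])}
    child = {"A": Package(need["A"], {"a.exe": "child"}),
             "B": Package(need["B"], {"b.msi": "child"}),
             "C": Package(need["C"])}
    changed = {k: replicate(parent[k], child[k]) for k in child}
    # A package is shared: every policy that references it is affected at once.
    policies = {"P1": ["A"], "P2": ["B"], "P3": ["C"], "P4": ["A", "C"]}
    return changed, child, blocked_policies(policies, child)

if __name__ == "__main__":
    changed, child, blocked = demo()
    print(changed, {k: p.status for k, p in child.items()}, blocked)
```

Policies returned by `blocked_policies` are the ones to watch in compliance reporting: their updates stay undelivered until the missing file is uploaded.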

 

Additional Information

Instructions for delivery of manually downloaded updates in releases before 8.6 RU3:

Note: These instructions are still valid for ITMS 8.6 RU3 and can be used to provide large files, because copying directly to the management server drive is 2-3 times faster than using the MDU upload UI.