How it works

A policy or task delivery follows this sequence:

1. The administrator creates or modifies a policy or task on the SMP server.
2. The SMP pushes the policy to targeted clients as a client policy XML file, stored locally at:

1. The Symantec Management Agent (SMA) evaluates the policy's applicability rule (can this software run on this machine?) and detection rule (is this software already installed?).
2. If both conditions are met—the software is applicable and not yet detected as installed—the agent executes the task.
3. Execution is recorded in TaskManagement\TaskHistory on the client and reported back to the SMP as an NSE.

Recommendations

Step 1 — Identify which failure scenario applies

Determine whether the issue is a wrong-target failure, a wrong-time failure, or a SWD loop. This determines which artifacts to collect first.

If the policy or task still exists in the SMP Console, check Properties → Audit tab immediately. This tab shows when the item was last modified and by whom. It is unavailable once the item is deleted.

Figure 1 — Policy Properties → Audit tab. Check this immediately while the policy still exists.

Step 2 — Collect reactive investigation artifacts

Collect these artifacts as close to the incident time as possible. Log data can be overwritten by subsequent activity.

Server-side (SMP)

NS logs from the time of the incident:

Server-side policy XML:
In the SMP Console, right-click the policy → Export.
For Managed Delivery policies, also right-click each participating software component → Detailed Export. This exports the complete collection of items associated with each software component and is required to reproduce the policy behavior in a test environment. Tasks referenced in the policy are included automatically; do not export them separately.

Figure 2 — Detailed Export options for each software component participating in the policy.

Figure 3 — Detailed Export dialog. Select all applicable options shown.

Client-side (affected machines)

Agent logs from the time of the incident:

Client policy XML (only useful if the policy is still active on the client—it is removed once the policy is retracted):

Task history folder (collect as a zipped archive):

For Managed Delivery policies — Software Management data folder (zipped; exclude SoftwareCache_v2.xml if it is large):

Client-side active SWD policy file:

For patch policies — patch install log:

For patch policies where detection rules appear to be failing — patch assessment log:

Step 3 — Check policy configuration

Review the following in the SMP Console:

• Target definition: Confirm the resource collection or filter used as the policy target. Check for unintended inclusions or missing exclusions.
• Applicability rule: Confirm the rule correctly restricts deployment to machines where the software is applicable. A rule that is too broad will match machines outside the intended scope.
• Detection rule: Confirm the rule correctly identifies machines where the software is already installed. A detection rule that is too narrow, or that uses a static file path that differs by OS version, will fail to recognize an existing installation and cause repeated install attempts.

Step 4 — Query the database for deleted or modified items

If the policy or task no longer exists in the SMP Console, query Evt_NS_Item_Management to find deletion and modification events:

To locate the item's GUID across all database tables, see Find all tables that contain a specific GUID (KB 171823).

Step 5 — Diagnose a SWD loop (task repeating after restart)

If a specific job within a multi-job Managed Delivery policy repeats after every reboot, the nextjobindex counter may not be advancing. Follow these steps:

1. Collect the TaskManagement\TaskHistory folder and the SoftwareManagement\data folder from the affected client (see Step 2).
2. Collect AeXSWDPolicy.xml from the affected client (see Step 2).
3. Collect the server-side policy XML and the Detailed Export for each software component in the policy (see Step 2).
4. Review the TaskHistory entries for the repeating job. Confirm the job is completing and a restart is occurring.
5. Check whether nextjobindex remains at the same value after restart. If it does, the counter is not advancing.

Step 6 — Enable auditing to capture future incidents

Enable Item Trackers

Item Trackers provide in-depth auditing of changes made through the SMP Console. See Using Item Trackers to audit/research who made changes in the Management Console (KB 173483) for setup steps, including a Samples.xml file covering patch and software management trackers.

Item Trackers are found at: Settings → Notification Server → Internals → Item Tracking → Item Trackers

• Best practice: select IIS Process (w3wp) under Modules in the Tracking Filter to capture changes made by users in the console.
• Do not store Item Tracking data on the system drive.

Increase client-side log verbosity

Add the following registry values on affected client machines. Restart the Symantec Management Agent service after making changes.

After troubleshooting, revert: set Severity to 7 (hex), and delete MaxFiles and MaxSize.

Increase SMP server log verbosity

Add or confirm the following registry values on the SMP server. Restart the Altiris Services service after making changes.

After troubleshooting, revert all three keys to their previous values. If they did not previously exist, delete them.

Step 7 — Default Software Update Plug-in policy (DSUP) considerations

If patches were pushed to servers outside their maintenance window and no custom policy appears responsible, check whether the DSUP was inadvertently enabled.

The DSUP is active by default. If it is left enabled between patching cycles, it can push patches to servers that are in scope before their scheduled maintenance period begins. There is no way to determine who enabled the DSUP after the fact unless Item Trackers were configured beforehand.

To prevent recurrence:

• Disable the DSUP between patching cycles.
• If Windows System Assessment scans are needed while the DSUP is off, set the DSUP installation schedule far in the future so scans run without triggering installs.
• Configure Item Trackers on the DSUP (and any DSUP clones) to capture future enable/disable events. See Using Item Trackers to audit/research who made changes in the Management Console (KB 173483).

Verification

Confirm the root cause has been identified when:

• You can trace the triggering event to a specific policy state, rule evaluation, or user action in the logs, audit tab, or Evt_NS_Item_Management query results.
• The detection or applicability rule, when re-evaluated against the affected machines, produces the expected result.
• For SWD loop cases: nextjobindex advances correctly on a test machine after the root cause is addressed.
• Item Trackers are in place to capture any recurrence.