How does the Windows System Assessment Scan policy work?

Article ID: 178560

Products

Patch Management Solution for Windows

Issue/Introduction

 

Resolution

Question: How does the Windows System Assessment Scan (WSAS) Policy work in Patch Management?

Answer:

The Windows System Assessment Scan will execute on the targeted Clients during the following processes:

  • Altiris Agent initially starts up
  • New Software Update Policy is received from the SMP Server to Client upon Update Configuration through the Altiris Agent processes
  • Software Update Cycle initially begins
  • Software Update Cycle concludes
  • Scheduled per the Windows System Assessment Scan policy

Note: Clients will run the Assessment Scan outside Maintenance Windows. This ensures the Assessment Scan will respect the Maintenance Window schedule and allow the Administrator to maintain control over when the Client runs the Assessment Scan.

The WSAS Policy is configured in the Console > Settings > All Settings > Software > Patch Management. Its settings are as follows:

  1. On/Off: Toggle to enable or disable the policy.
     
  2. Schedule:
    • Windowed Schedule by default.
      • Modify Start/End times, Duration span as desired.
      • Modify 'check every' to run at desired intervals.
        • Best practice: configure no more aggressively than 4 hours by default unless in a test lab.
        • May be modified to 6 or 8 hours if the SMP is managing 10k or more clients.
    • Click 'Add Schedule' and then select 'Scheduled time' in the drop-down for a specific time.
      • Best practice is to delete the default schedule if a specific Scheduled Time is desired, to avoid conflicts.
    • Click 'Repeat daily' and select repetition interval for the scan:
      • Best practice is to leave repeating daily but can be set less aggressive for larger environments (e.g. Week, Month, Year).
    • Click 'Advanced' to set a Start/End date if needed.
       
  3. Start the scan immediately when new or updated policy is received:
    • Toggle enabled/disabled checkbox for desired execution on targeted clients.
    • When enabled, this setting ensures that the Windows System Assessment Scan runs on the targeted clients when changes are made to this WSAS Policy, or when a new WSAS Policy is received.
      • Note: This setting does not apply to Software Update Policies being added or modified. The Windows System Assessment Scan runs on the client whenever it receives a change in those policies, checks what is currently applicable, and then sends the results back to the SMP to confirm that targeting is still in order.
         
  4. Send Inventory Results Only If Changed:
    • Toggle enabled/disabled checkbox for desired execution on targeted clients.
    • Enabling this setting will discard results of the Windows System Assessment Scan on the Client once the hash check with the SMP has deemed the inventory results unchanged.
    • Disabling this setting is useful for troubleshooting Patch Updates failing to target, or Patch Updates failing to display IsInstalled=TRUE in reports.
      • The scan process merely checks the datahash on the Patch DataClasses and returns results only if it has changed, so deselecting the option will merely force the check to return inventory. Note that this process does not force the inventory unless the hash is different.
      • Caution: Disabling this setting will increase processes on the SMP as the Client data is returned and processed on each interval.
         
  5. Applied To:
    • Configured by default to Target: Windows Computers with Software Update Plug-in Installed Target.
    • This Target Filter can be modified if needed, but best practice is to target all managed Clients with a Patch Plug-in.
       

Additional administrative notes:

  1. Schedule this process via the Windows System Assessment Scan Policy as outlined above. Running it through Task Execution is not supported, because the scan is part of the backbone of the process that is run via the policy detailed above.
    • The Task is found in the Console > Manage > Jobs and Tasks > System Jobs and Tasks > Software > Patch Management: Run System Assessment Scan on Windows Computers.
    • Note: This is to be left unscheduled, as the policy will determine when this targeted task job will execute.
    • Advisory: Another method that has been seen for running the Assessment Task is via the Console > Manage > Computers > All Computers, running the individual Jobs/Tasks from that Client in the Task picker. Note: This too is not the best practice, for the process could be tripping over other tasks, including the Assessment Scan itself, and that could be causing a failure.

       
  2. Cloning the Windows System Assessment Scan Policy:
    • Cloning will help ease the burden of returning Client Scan data, as the data is returned on one schedule for all targeted Clients. Example: an SMP Server manages 20k Clients and the scheduled interval returns inventory for all 20k Clients as configured; a cloned WSAS Policy would break up the schedule and reduce the burden.
    • To clone:
      • Highlight the Default WSAS Policy > Right-click > Clone
        • Caution: Cloning an already cloned WSAS Policy causes resource association corruption in the database to the policy XML. Be certain to clone only the Default WSAS Policy for each target required, so that newly created associations are maintained for the new cloned WSAS Policy.
      • Give the newly created WSAS Policy a name different from the Default WSAS Policy.
      • Ensure the Default WSAS Policy does not have the Default Target in place.
        • Allowing both Default and cloned policies to target will cause duplicate processes on the same Client, which results in decreased performance on the SMP and data corruption for the Client's targeted Software Updates.
           
  3. IIS Communications:
    • The Windows System Assessment Scan process creates the NSE (Notification Server Event) file and returns through the Altiris Agent communications and is processed in the EventQueue (C:\ProgramData\Symantec\SMP\EventQueue\EvtQueue).
  4. During replication, the WSAS Policy settings are replicated on the Core Differential Replication.
    • The WSAS will not be editable on the Child SMP and should display exactly the same as the Parent SMP configurations.
    • The Target should be Default in Hierarchy, for the Parent SMP may have Targets of Clients that are not managed by the Child SMP.
    • Advisory: The WSAS Package download refresh takes place on the PMImport replication schedule. However, the package is not replicated from the Parent SMP to the Child SMP: the download is executed at the end of the PMImport replication process and retrieves the package from SolutionSam.com. Once the package is downloaded, the PMImport replication concludes and the Download Software Updates process then begins on the Child SMP.
      • Note: The BlueCoat Proxy has been found to require standard port usage; ensure that this package is able to download moving forward.
  5. WSAS Package Contents on the SMP are located in C:\Program Files\Altiris\Patch Management\Packages\WindowsVulnerabilityScan.
    • Note: These are also the contents of the package on the Site Server/Package Server.
    • Package contents on the Client are located in C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache.
      • Note: The STPatchAssessment (XML / log) files are generated by the initial scan and may be reviewed directly on the Client to see the results of the most recent scan executed.
    • The contents of this folder can be refreshed per the process outlined in HOWTO101482.
  6. Force Scan Return
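
A quick way to confirm on a Client that the scan is actually running on schedule is to check the age of the STPatchAssessment files in the cache folder from note 5. The following PowerShell is an added example, not Symantec or Broadcom code; the function and parameter names are hypothetical, the 4-hour threshold mirrors the 'check every' best practice above, and it assumes the files' last-write time reflects the most recent scan.

```powershell
# Added example (not vendor code): report how old the client-side
# STPatchAssessment output is. The cache path and file name prefix are taken
# from the article; function and parameter names are hypothetical.
function Get-WsasScanFreshness {
    [CmdletBinding()]
    param(
        # Client cache folder as given in note 5 of the article.
        [string]$CachePath = 'C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache',

        # Assumption: flag output older than the policy's 'check every' interval.
        # Raise this if the schedule window or repeat interval is wider.
        [double]$MaxAgeHours = 4
    )

    if (-not (Test-Path -LiteralPath $CachePath -PathType Container)) {
        Write-Warning "Cache folder not found: $CachePath"
        return
    }

    # The article names the files 'STPatchAssessment (XML / log)'; match on the prefix.
    $files = Get-ChildItem -LiteralPath $CachePath -Filter 'STPatchAssessment*' -File
    if (-not $files) {
        Write-Warning "No STPatchAssessment files in $CachePath; no scan output is present."
        return
    }

    $now = Get-Date
    foreach ($file in $files) {
        $ageHours = ($now - $file.LastWriteTime).TotalHours
        [pscustomobject]@{
            Name          = $file.Name
            LastWriteTime = $file.LastWriteTime
            AgeHours      = [math]::Round($ageHours, 1)
            Stale         = $ageHours -gt $MaxAgeHours
        }
    }
}

# Run locally on the Client; Stale = True means the output is older than expected.
Get-WsasScanFreshness | Format-Table -AutoSize
```

A Client that reports Stale = True across several intervals is not returning current patch state to the SMP, so its compliance data in reports should be treated as out of date until the scan runs again.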

Attachments

PF3734905_Patch_7.6.zip
PF3734383_Patch_7.5_SP1.zip