Configuring Patch Management for Windows - Best practices for 7.5.x - 8.x
Updated On:20-03-2019 15:12
Patch Management Solution for Windows
1. Licensing: Ensure Annual Upgrade Protection is current to allow for downloading Patch Management Import Data, which enhance the software's abilities to deploy current updates.
Found at Start > Programs > Symantec > Symantec Installation Manager - open the SIM and select the Licensing link in the upper left corner.
Ensure sufficient Node Count is up to cover the amount of clients to be utilized by Patch Management Solution.
2. Software Update Plug-in Install / Upgrade Policy: deploys the Patch Agent Plug-in to clients with the Altiris Agent Installed.
Found at Console > Settings > Agents/Plug-ins > Software > Patch Management - Software Update Plug-in Install
Configure the targeted filter; schedule to run daily and ASAP to ensure maximum deployment of the Patch Agent
Caution! Do not enable more than one daily single schedule, for multiple schedules / windowed schedule will cause conflicts and fail to deploy.
Review the rest of this section for more detailed information concerning the Software Update Plug-in Install / Upgrade process.
Configure the targeted Filter
Ensure the targeted Filter holds the desired clients to receive the Patch Plug-in
Configure to run at a specific time or windowed time frame.
Configure to repeat daily until targeted filter holds 0 members or desired deployment count reached
Configure Extra schedule options
Run once ASAP: Runs and executes only once. If it succeeds or fails it is finished.
User can run: Allows the user to view this in the GUI and they can run it from the Software Delivery Tab > Application Tasks in the blue pane
Notify user when the task is available: Notification Popup on the desktop
Warn before running: Notification Popup is received on the desktop
Enable the policy by selecting the Off/On in the upper right corner
Advisory (1): Cloning Install / Upgrade Policies if desired
Advisory (2): Deployment is not real time. The Altiris Agent needs to compile Basic Inventory and then Patch Inventory, and these policies may take several hours to be received by the client and executed.
3. Import Patch Data for - Windows: Downloads the rules for all enabled vendor updates from Adobe / Microsoft and others
Found at Console > Manage > Jobs and Tasks > System Jobs and Tasks > Software > Patch Management > Import Patch Data
Patch Management Import Settings:
Incremental import - Enabled; to provide better performance as it downloads only the segments of the .cab data that are needed.
Note. Disabled will run a full import to ensure complete .cab file is downloaded.
Delete previously downloaded data for vendors, software and languages that are now excluded - Disabled, for this is only needed to be Enabled if a recent change was made to the Vendors and Software listing to remove unwanted patch data
Note. Enabled will clear all packages and resource associations from the database for anything no longer present in the Vendor list
Caution!: A corrupt Vendor List, having missing data from a previous healthy listing, would delete Patch Packages & Policies for updates that were not meant to be cleared. This is rare, but has happened, so leaving this setting Disabled is best practices, unless the clean up of recent exclusions is in order by the Admin.
General: Enable clean-up check boxes to ensure rules for revised and superseded updates are updated and able to deploy newly revised updates.
Vendors and Software: Update - downloads the selected languages and vendor data
Task Status > New Schedule > Run download 'Now' and download the PMImport.
Review the rest of this section for more detailed information concerning the PMImport.
Patch Management Import Settings:
Enable: downloads the modified components for selected vendors
Disable: force a Complete PMImport download for selected vendors
Delete previously downloaded data for vendors, software and languages that are now excluded
Cleans up any previously downloaded / staged updates that are now excluded under 'Vendors and Software
Default Location: Enabled will download from the Solution Sam Site
Alternative Location: Input path to download from when using DMZ Management Server Configurations
Superseded Software Updates will be disabled after the Import Patch Data task has completed.
Enable: Disable all superseded Software Updates to remove them from the PMImport
Advisory: Helps to clean up Patch Rules, for Patch Reporting automatically removes superseded updates
Vendors and Software:
Import of Available vendors, software and languages:
Click 'Update' to execute the import.
Run this to display the list of Vendors, software and languages available for this PMImport
Check the main box to support all updates for the selected Vendor
Exclusions: Expand the [+] to deselect undesired update types
Enable the check box for each language type supported in this environment
Now: allows the PMImport to run now with current saved settings
Schedule: configure to run at a specified date / time with current saved settings
Date: configure the date to start the PMImport
Time: configure the time to start the PMImport
Repeat Every: configure interval to repeat the process
Advisory: Best practice is to set Date: Today, Time: 03:00am, and Repeat: 1 - Daily
Advisory: It is best practice to schedule the PMImport for 03:00am / Daily.
Custom schedule will appear in the Task Library as 'NS.Run Import Patch Data...'
4. Patch Management Inventories: Windows System Assessment Scan
Advisory (1) - Newly installed systems from unpatched or non-slipstreamed media may need updated vendor certificates installed on the SMP Server/and or on the client machines. Please see this article for more information and methods of updating the clients (or servers): https://www.symantec.com/docs/TECH239756
Found on the Console > Settings > All Settings > Software > Patch Management > Windows System Assessment Scan
Default configuration is best practice.
Review the rest of this section for more detailed information concerning the Patch Management Inventory processes.
Runs daily and every 4 hours.
This schedule may be adjusted, but this is optimal settings for environments up to 10,000 clients. This setting may be adjusted to run every 6 hours if the environment exceeds 11,000 clients.
Start the scan immediately when new or updated policy is received (Setting only provided in Patch Management Solution 7.5+):
This setting controls only when a new Windows System Assessment Scan policy targets the Client (e.g. a clone of the default policy)
This setting is detailed further on HOWTO110220 - Section #3
Send Inventory Results Only If Changed:
Keep this enabled unless testing / troubleshooting Patch Inventories are needed.
Disabled: All targeted clients will return all Patch Inventories regardless if they have already been received and processed to the database. Resulting in unnecessary processes for the Management Server.
This policy targets the default filter: Windows Computers with Software Update Plug-in Installed Target.
Ensure the targeted count is the proper number of clients that have Patch installed, for there may be a problem regarding the Software Update Plug-in Install or Upgrade policies.
Note. There is no need to add to, or remote from, the targeted filter for this policy.
5. Scheduling the Software Update Cycle to install updates: Default Software Update Plug-in (DSUP) Policy
Found on the Console > Agents/Plug-ins > All Agents/Plug-ins > Software > Patch Management > Windows > Default Software Update Plug-in Policy
Schedule the Software Update Cycle
Schedule reboot settings
Enable override maintenance windows if needed
Review the rest of this section for more detailed information concerning the Software Update Cycle process.
Advisory (1): This policy can be cloned to target specific filters for individual Software Update Cycle / Reboot Schedules. The original DSUP policy will release the targeted client when the cloned DSUP policy is created and targets the filter; however, it is best practice to disable the original DSUP policy if the cloned filter is populated by AD Import or if Maintenance Windows are active. This will ensure any clients that 'fall out' of the cloned DSUP target will not get updated through the original DSUP policy.
Advisory (2): When cloning a DSUP policy; always ensure the clone is of the original DSUP policy, for cloning a clone of that policy has been found to cause corruption in the code and database resource associations.
Advisory (3): At least one DSUP policy will need to be enabled to ensure resource associations are established during Patch Package creation process. Ensure one policy is enabled at all times.
If needed; set the DSUP policy schedule in the far future (year 2030) if the Software Update Cycle needs to be delayed or disabled.
The schedule may be deleted altogether if needed; review the behavior of this configuration in HOWTO51921.
Installation Schedules tab:
Software Update Installation:
Schedule: Best practice is to run the Software Update Cycle on a daily repeating schedule to ensure updates install soon.
Windowed Schedule: Also a good practice, for the Software Update Cycle can repeat as needed during a windowed timeframe.
Example: Start at 3am, End at 5am, and run every 1 hour with reboot schedule 'At end of software update cycle;' this allows for the updates to install, reboot, wait one hour and then install any that were unable to install during the last update cycle due to OS limitations (registry needed refresh before more updates could install)
Start / End dates: Configure the date to begin and end the Software Update Cycle
Add Schedule: Configure a Windowed Schedule if multiple Software Update Cycles are needed
Note. for a Manual Install Schedule: Configure this schedule to run in the far future; something like year 2030, for that will ensure the client never starts the Software Update Cycle.
Additionally, confirm that the Software Update Policy is not configured to run the Software Update Cycle and leave all Package Options disabled on the Software Update Policy, for that will ensure the packages are merely deployed to the clients and will wait in a 'Scheduled' status until the far future date.
Restart Defaults: Best practice is to configure the reboot at the end of the Software Update Cycle, for that will refresh the client's registry following the update.
Note. Some Microsoft Updates will affect the registry in a manner that a reboot is required to install more updates. Setting the Windowed Schedule to run for 4 hours and setting the 'During window, check every' to a 1 hour interval will assist with this, for the Software Update Cycle will execute every 1 hour for 4 hours, and reboot at the end of the Software Update Cycle.
Maintenance Windows override DSUP policy schedules and trigger all patches to immediately install once the window opens.
Enable this setting to allow the Software Update Cycle to run while Maintenance Windows are closed.
Note. If Maintenance Window Schedules are to be used as the start of the Software Update Cycle; ensure the start date on this schedule is configured to far in the future. Example: Set start date to begin in the year 2030 or later, for the product has been designed to ensure that any missed schedules will run ASAP. Setting the schedule to run in the year 1985 will cause a 'Run ASAP' state for this policy.
The Notification Tab is outlined for PM 8.0.x in TECH235000 and for PM 7.5.x & 7.6.x in KM: TECH127404
6. Patch Remediation Center (PRC): Download Packages and Create Software Update Policies
Found at Console > Actions > Software > Patch Remediation Center
Vendor > Microsoft
Highlight the Bulletin, right-click / Distribute Software Updates
This will run the 'Download Packages' process first and then run the Software Update Policy creation process
Target the desired filter and configure as desired
Enable and save policy
Review the rest of this section for more detailed information concerning the PRC.
Show: All Software Bulletins
Vendor: Select to choose which Vendor to view (e.g. Microsoft)
Create the Software Update Package
Highlight a Bulletin:
Right-click / Download Packages for the specified Bulletin(S)
Advisory: Do not select too many to download at once, for the PRC will take the time to download each, and may timeout on the download. Also, any further action taken following the download will not be immediate, for it will be queued behind the previous download action. Staging one month's released updates at a time is generally safe.
Right-click / Disable: Optional: Disconnect the Bulletin from the PRC
Right-click / Recreate Packages: Recreate the packages to clear any stale codebase
Creating the Software Update Policy to deploy the packages
Right-click / Distribute Software Updates:
Name: Set customer name or leave default for Bulletin
Software Bulletins and Updates: Displays Bulletin and Update list associated
Package Options: Set to execute Reboot and/or the Software Update Cycle As soon as possible or on Schedule
Advisory: It is best to schedule the Software Update Cycle through the Default Software Update Plug-in Policy to ensure there are no scheduling conflicts as outlined on KM: TECH41865
This utilizes the Software Update Policy to merely be a method to deploy the Software Update Package and hold it on the client in a 'Scheduled' Status.
Override Maintenance Windows settings: May be used to override Maintenance Window settings, but keep in mind that the rebooting is part of the core schedule from the Default Software Update Plug-in Policy as outlined in KM: TECH164464
Apply to Computers: Ensure the targeted filter is one that requires the listed Bulletin / Updates.
To enable: select the On/Off in the upper right-hand corner and then Next > Distribute Software Updates.
Caution! Creating Software Update Policies with too many software updates may cause time out issues when saving changes. The limitation is around 100 Updates. Keep in mind each Bulletin holds multiple updates. Best practice is to limit a Software Update Policy to all Bulletins released that month.
Note. If there are too many and unable to save / delete the policy view resolution on KM: TECH122266
Warning: Never delete a Software Update Policy without first disabling it for a duration that allows all targeted clients to receive the change in policy status. Create a sub folder in the tree for Old Policies, and store them for deletion at a later time.
Advisory: The Patch Plug-in relies on the Altiris Agent to Update Configuration and receive new tasks / policies, or changes to these policies. The default for this setting is every 1 hour. Keep this in mind when scheduling the Software Update Cycle.
7. Package Storage and Replication:
Found at Console > Settings > All Settings > Software > Patch Management > Windows Settings > Windows Patch Remediation Settings:
Target: Configured to one filter, and ensure that it targets at least one Client Resource as detailed on KM: HOWTO79488
Policy and Package Settings tab > Policy and Package Settings tab > Package Distribution: Best practice setting is 'All Package Servers' or 'Package Servers Individually' and enable the ones to be used.
Advisory: Changing these settings will execute the Check Software Update Package Integrity job and that will run a refresh of ALL Software Update Packages.
Note. The purpose for changing from default 'Package Servers automatically with manual prestaging' is this setting will only replicate the Software Update Packages to Site Servers/Package Servers that receive a request for the package from its managed Clients. So if there are any problems in the environment with dropped processes due to poor performance; the Client's request to the Site Server/Package Server, or the SS/PS request to the SMP Server, may be lost and the package is never replicated.
Review the rest of this section for more detailed information concerning the Package Storage and Replication settings.
Windows Patch Remediation Settings (Microsoft Vendor Policy):
Software Update Options tab:
Patch Filter Update Interval: Schedules the interval in which the NS.Microsoft scheduled task is run. This task will update the Patch Intersect Filters and targeted filters for Patch Policies.
Configured to run every 30 minutes by default; should only be increased in heavy loads of management for over 8k nodes or if the SMP sees heavy burden during this scheduled task run
The Default Resource Target used by the Software Update Policy Wizard: Change the targeted filter to automatically change the filter that is set in place when creating Software Update Policies through the PRC.
Policy and Package Settings tab:
Delete Packages After: This setting deletes the packages from the client if they are unused for the specific amount of time.
Best practice is to set this to 1 Week
Note: This process timer is generated within the Policy.xml upon creation of the Software Update Policy and stored on the Client, so as long as the package is "in use" it will not start the configured countdown.
Example: The Software Update Policy targeted and the update installed on the Client, yet the Client needs a reboot for the update to return Installed=TRUE status, the Client will hold the package in an "in use" status until the status is cleared on the SMP Server, and then the countdown timer will be initiated to clean-up the package as configured
Caution: If this time is set to 0 Days, the package will be deleted immediately, and will most likely fail to run on the Software Update Cycle.
Use multicast when the SMA multicast option is enabled: Allows for clients to download packages from other clients.
Note: May increase bandwidth usage in larger environments (10K+ Clients)
Package Distribution: Best practice setting is 'All Package Servers' or 'Package Servers Individually' and enable the ones to be used.
Use Alternate download location on Package Server: Enable and input the file structure to be used for storing Software Update Packages on Package Servers.
Use Alternate download location on Clients: Enable and input the file structure to be used for storing Software Update Packages on the clients.
Caution: Changing these settings will execute the Check Software Update Package Integrity job and that will run a refresh of ALL Software Update Packages; selector popup will allow for choosing if this would run immediately or manually, but if manually is chose, the packages will go unaffected until that process is executed.
Terminate after: Best practice setting is 4 hours.
Run with rights: Best practice setting is System Account
Program can run: Best Practice setting is Whether or not a user is logged on
Send package events: Enable to provide more data concerning the package events for the agent
Send status events: Enable to provide more data concerning the status events for the agent
Note. These 'Send Event' settings will create more inventory and cause for more resources, bandwidth and processing, to be used.
To Location: Implements the file structure where the Software Update Packages will be stored on the Management Server
Download from staging location: Targets the Software Update Packages for downloading from a shared file structure when configuring the a DMZ Management Server
Custom Severity tab:
Severity Level: Add and adjust custom severities to view in the PRC
8. Reporting Compliance for Patch Management:
Found on the Console > Reports > All Reports > Software > Patch Management > Compliance
Run the Windows Compliance by Bulletin, Computer or Update to view vulnerabilities in the environment.