Philadelphia Security User Group

  • 1.  Patch - best practice superseded update win and adobe?

    Trusted Advisor
    Posted Sep 07, 2011 04:57 PM

    I'm just starting to use the Patch Management product, so looking for some recommendations for best practices.

    About a month ago, I staged and successfully rolled out our first windows and adobe updates.  I rolled out all July updates as part of one update policy.

    Now, I need to roll out new updates.  I'm starting with a filter of test machines so I can target those machines initially with the newly staged policies.  Once I feel like everything is ok, I will change the target to all machines.  I assume this is good practice?

    My question really is - some of those updates will supersede previously installed updates (MS11-069, for example, flash, shockwave, etc). 

    I obviously need to download those new updates, but do I need to stage the updates again, or is PM smart enough to see I already have Flash and MS11-069 staged and it will just push the newer update? 

    I assume not, otherwise it would be hard to test new patches - since those old policies are already set to go to all machines.

    If I have to stage the newer updates, do I have to touch the older staged update policies?  If I need to, how do I handle it if that superseded patch (MS11-069) is part of a staged update with 4 other patches (not updated this cycle) in it?

    I do have the box checked "Delete the updates that are no longer in use from the file system" - which the user guide says will "delete the downloaded updates that are not part of any software update policy or belong to a superseded bulletin".

    Thanks for any help, as always  - we are 7.1 sp1 if that matters.



  • 2.  RE: Patch - best practice superseded update win and adobe?

    Posted Sep 08, 2011 09:58 AM

    In 7.1 SP1, you no longer need to stage bulletins before you can create policies.  So regarding your question about knowing what to stage, you really just need to know what you want to deploy.  Altiris Patch Management will figure out what to stage/download and take care of this for you.

    Regarding supersedence, this is handled through associations (Software Component Supersedes Software Component), so it shouldn't matter that you have old policies.  A trivial amount of disk space could be saved if every superseded software component were found and its policy modified.

    And regarding best practice, yes, a test/pilot/production rollout is ideal.  So between your test systems and your full production roll-out, you would be targeting a small percentage (2%) of systems in your environment.  These are real-world systems with randomly-installed software, viruses, and so forth, and you're looking to detect any issues in the 2% of systems before they reach the 98% of systems.  You would do the same thing with a software rollout, where you might discover (for example) that Program XYZ requires Hotfix 123456 or .NET 4.0.  All your test PCs were fully patched, but real-world systems were missing one or the other, so now you know you need to modify your software rollout to include these items.  In the same way, a patch pilot can let you know whether the patches are functional, do not break things, do not prompt the user for input (e.g. EULAs), and have the reboot behavior you expected and advertised to users.

    Does this help?
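The test/pilot/production staging described in the reply above can be made repeatable so the same 2% of real-world machines land in the pilot ring every month instead of a hand-picked set. The following is an added example (not Altiris code, and not from any poster in this thread) that assigns each host to a ring by a salted hash of its name: the assignment is stable across runs, machines already in the explicit test filter are kept out of the pilot, and changing the salt reshuffles the pilot population when you want different machines to absorb the next cycle. The hostnames and the `salt` value are constructed sample data; the `ring_of`, `split_rings` and `rollout_targets` names are this example's own.

```python
import hashlib

# Assumed salt for this example; rotate it to pick a fresh pilot population.
DEFAULT_SALT = "patch-rings-2011"


def ring_of(hostname: str, pilot_percent: int = 2, salt: str = DEFAULT_SALT) -> str:
    """Map a host to 'pilot' or 'production' deterministically.

    The bucket is derived from SHA-256(salt:hostname), so the same host
    always gets the same answer regardless of how the inventory is ordered,
    and hostnames are normalised so 'PC01' and 'pc01' agree.
    """
    if not 0 <= pilot_percent <= 100:
        raise ValueError("pilot_percent must be between 0 and 100")
    digest = hashlib.sha256(f"{salt}:{hostname.strip().lower()}".encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") % 100  # uniform 0..99
    return "pilot" if bucket < pilot_percent else "production"


def split_rings(hostnames, test_hosts=(), pilot_percent=2, salt=DEFAULT_SALT):
    """Partition an inventory into test, pilot and production rings.

    Hosts listed in test_hosts are the dedicated test machines and are never
    counted toward the pilot percentage; every other host lands in exactly
    one of pilot or production.
    """
    test = {h.strip().lower() for h in test_hosts}
    rings = {"test": [], "pilot": [], "production": []}
    for host in hostnames:
        key = host.strip().lower()
        if key in test:
            rings["test"].append(host)
        else:
            rings[ring_of(host, pilot_percent, salt)].append(host)
    return rings


def rollout_targets(stage, hostnames, test_hosts=(), pilot_percent=2, salt=DEFAULT_SALT):
    """Return the hosts a policy should target at a given rollout stage.

    'test' targets only the test filter, 'pilot' adds the hashed pilot ring,
    'production' targets everything; each stage is a superset of the last so
    a machine that passed an earlier stage is never dropped.
    """
    rings = split_rings(hostnames, test_hosts, pilot_percent, salt)
    order = ["test", "pilot", "production"]
    if stage not in order:
        raise ValueError(f"unknown stage {stage!r}")
    targets = []
    for name in order[: order.index(stage) + 1]:
        targets.extend(rings[name])
    return targets


if __name__ == "__main__":
    # Constructed sample inventory.
    inventory = [f"ws{n:04d}" for n in range(1, 501)] + ["TEST-01", "test-02"]
    rings = split_rings(inventory, test_hosts=["test-01", "TEST-02"])
    print({name: len(hosts) for name, hosts in rings.items()})
    print("pilot stage targets:", len(rollout_targets("pilot", inventory, ["test-01", "test-02"])))
```

Because the bucket comes from a hash rather than a random draw, you can regenerate the pilot filter from the inventory at any time and get the same machines back, which is what makes the "2% saw it first" claim auditable when something breaks in production.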



  • 3.  RE: Patch - best practice superseded update win and adobe?

    Trusted Advisor
    Posted Sep 08, 2011 12:06 PM

    Thanks for replying.  You're right I got confused with the old version - no more staging, but it's still a 2 step process, right click download and then right click distribute - or are you saying now you can just go right to the distribute step?

    As an example, I have an existing policy for Flash and Shockwave - new versions have come out since then... I leave those policies on and just distribute the new patch as well? Same with MS bulletins that get updated over time, like MS11-069 - leave the old policies there (and enabled) and just create new policies as needed?

    Is PM smart enough to not install the old bulletins/flash/shockwave from last months updates if a new one is downloaded and policy is turned on?



  • 4.  RE: Patch - best practice superseded update win and adobe?

    Trusted Advisor
    Posted Sep 08, 2011 03:53 PM

    Right-Click > Download is exactly the same thing as "Stage" in the previous versions...they just cleaned up the wording.

    I haven't tried creating the policy without staging a bulletin yet.  I guess that I'll try that this coming month.

    Patch is smart enough to install the most currently available update and older updates are automatically set to superseded when you import the metadata for a newer update.

    You don't have to go and disable the previous months' updates but it's something that I do just for a sanity and cleanliness perspective.  You can run the report that shows superseded bulletins (I only look for completely superseded) and then go and remove those bulletins from your policies. It's not highly automated yet and those previously-staged bulletins won't remove their binaries from the NS but that's something that I've submitted as an Idea for a future update.



  • 5.  RE: Patch - best practice superseded update win and adobe?
    Best Answer

    Posted Sep 09, 2011 12:10 AM

    Download is the new word for Stage, which makes a lot more sense.  It's now a one-step process.  If an old policy remains enabled and the content within is superseded, the associations and metadata understand that and will not be running around deploying the older, superseded update.  This is regardless of vendor.  7.1 SP1 PM is a great strength to Altiris, and although there are the typical bugs, they're relatively minor, and the benefits far outweigh them.
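The replies above describe the same model from two angles: supersedence is a set of "Software Component Supersedes Software Component" associations, an enabled old policy deploys only its components that are not superseded, and the superseded-bulletins report distinguishes bulletins that are completely superseded (every component replaced) from partially superseded ones (MS11-069 with only one of its packages replaced, say). The following is an added example that is not Altiris code and not from any poster here; it models that behaviour on a small constructed catalog so you can see what an enabled July policy would still deploy after September metadata is imported, and which leftover policies are safe to disable as housekeeping. Every bulletin and component name other than MS11-069 is invented for the example, and the function names are the example's own.

```python
from collections import defaultdict

# Constructed sample catalog (not vendor metadata): component id -> bulletin.
CATALOG = {
    "MS11-069-x86": "MS11-069",
    "MS11-069-x64": "MS11-069",
    "MSNEW-01-x86": "MSNEW-01",          # hypothetical later bulletin
    "FLASH-JUL": "FLASH-2011-07",        # hypothetical July Flash package
    "FLASH-SEP": "FLASH-2011-09",        # hypothetical September Flash package
    "SHOCKWAVE-JUL": "SHOCKWAVE-2011-07",
    "OTHER-1": "OTHER-1",
    "OTHER-2": "OTHER-2",
}

# "Software Component Supersedes Software Component" associations: (newer, older).
ASSOCIATIONS = [
    ("MSNEW-01-x86", "MS11-069-x86"),  # only the x86 package is replaced -> MS11-069 partial
    ("FLASH-SEP", "FLASH-JUL"),        # whole bulletin replaced -> complete
]

# Constructed policies as they might look after two patch cycles.
POLICIES = {
    "July updates": {
        "enabled": True,
        "updates": ["MS11-069-x86", "MS11-069-x64", "FLASH-JUL", "SHOCKWAVE-JUL", "OTHER-1"],
    },
    "July Flash only": {"enabled": True, "updates": ["FLASH-JUL"]},
    "September updates": {"enabled": True, "updates": ["MSNEW-01-x86", "FLASH-SEP", "OTHER-2"]},
    "Disabled leftovers": {"enabled": False, "updates": ["OTHER-1"]},
}


def superseded_components(associations):
    """Every component that appears as the 'older' side of an association.

    A chain C supersedes B, B supersedes A marks both A and B, so only the
    newest component in a chain survives without walking it explicitly.
    """
    return {older for _newer, older in associations}


def bulletin_status(catalog, associations):
    """Classify each bulletin as 'complete', 'partial' or 'current'."""
    superseded = superseded_components(associations)
    flags = defaultdict(list)
    for component, bulletin in catalog.items():
        flags[bulletin].append(component in superseded)
    status = {}
    for bulletin, replaced in flags.items():
        if all(replaced):
            status[bulletin] = "complete"
        elif any(replaced):
            status[bulletin] = "partial"
        else:
            status[bulletin] = "current"
    return status


def deployment_set(policies, associations):
    """Components that enabled policies would actually deploy.

    Superseded components are dropped even when an old policy still lists
    them, which is the behaviour the thread attributes to the associations.
    """
    superseded = superseded_components(associations)
    deploy = set()
    for policy in policies.values():
        if not policy["enabled"]:
            continue
        deploy.update(c for c in policy["updates"] if c not in superseded)
    return deploy


def stale_policies(policies, associations):
    """Enabled policies whose every component is superseded: housekeeping candidates."""
    superseded = superseded_components(associations)
    return sorted(
        name for name, policy in policies.items()
        if policy["enabled"] and policy["updates"]
        and all(c in superseded for c in policy["updates"])
    )


if __name__ == "__main__":
    for bulletin, status in sorted(bulletin_status(CATALOG, ASSOCIATIONS).items()):
        print(f"{bulletin:20} {status}")
    print("would deploy:", sorted(deployment_set(POLICIES, ASSOCIATIONS)))
    print("safe to disable:", stale_policies(POLICIES, ASSOCIATIONS))
```

Run against a real export you would replace the three constructed tables with the component/bulletin list, the supersedence associations and the policy membership from the console; the point of keeping "complete" and "partial" apart is that a partially superseded bulletin such as MS11-069 in the sample still has a live component, so pulling the whole bulletin out of its policy would drop a needed package.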



  • 6.  RE: Patch - best practice superseded update win and adobe?

    Trusted Advisor
    Posted Sep 09, 2011 10:47 AM

    Thanks again mclemson.  I put a ticket in with support asking similar questions, and I was told that PM isn't smart enough to not deploy the old updates... he told me I should be unchecking superseded bulletins in old policies, or disabling the policy if it only contains superseded bulletins, and that PM would install old updates possibly out of order but then at least know it still needs the newer one and then install the newer one again.  Glad I posted here too. Probably not necessary to be policing my old policies too much.

    As the months go on and the same things get updated over and over, and the list of PM policies grows, do you think it's recommended (but not necessary) to disable old ones where I can?  Just as a housekeeping measure?

    Just trying to get on the right track from the beginning - appreciate all the feedback



  • 7.  RE: Patch - best practice superseded update win and adobe?

    Trusted Advisor
    Posted Sep 09, 2011 10:49 AM

    I think this just answered the question I just posted above. Thanks, I didn't even know (or maybe I did at one point and forgot) there's a report for superseded bulletins.