Patch Management Solution

  • 1.  Automating Server Patching Process

    Posted Oct 11, 2019 07:02 PM

    To patch a server in our company our admins have to execute a multistep process to bring the server into "Maintenance Mode" where they can safely apply the patch, test the server after the patch has been applied and return the server from "Maintenance Mode".

    Automating the tasks from Altiris seems straightforward but I can't figure out how to tell the Endpoints within this sequence that they may download and install their patches.

    Once I get that solved I'm hoping it won't be too difficult for Altiris to acknowledge that the patches have been installed and proceed with the automated testing and restoration of the server.

    To give you an idea of what I have been able to build:

    I've created a Server Patch Job with tasks that:

    Run a script locally on the endpoint that tells our monitoring system that the endpoint is now in maintenance mode and to ignore any events or triggered alerts for this endpoint.

    Checks to see if any sessions are open and moves them to one of the other available servers

    Pulls Server from Cluster

    Checks to see if any admins are logged into the server and passively waits or aggressively kicks them out of the server

    ======

    I thought I could script the execution of AexPatchUtil.exe but that doesn't seem to install the patches that have been listed on the endpoint for installation.

    ======

    Places Server back into cluster

    Confirms application is running again

    Executes quick test of application

    Removes Server from Maintenance Mode

     

    The Symantec documentation and Support say to create a Software Update Policy per target and set the schedule to never run. Then when I want to patch my endpoints modify the schedule and settings so the endpoint will patch itself after the successful config update. Seems like extra work to turn policies on and off and let the servers do as they please during the patch window.

     

    Any ideas?



  • 2.  RE: Automating Server Patching Process
    Best Answer

    Posted Oct 13, 2019 11:02 AM
    Which ones did it install on the client instead? Did you try the following?

    AeXPatchUtil /Xa

    How can I start a Patch software update cycle from the command line?
    https://support.symantec.com/us/en/article.howto4198.html

    How to Immediately Download, Install and Report a Software Update in Patch Management
    https://support.symantec.com/us/en/article.howto84003.html


  • 3.  RE: Automating Server Patching Process
    Best Answer

    Broadcom Partner
    Posted Oct 15, 2019 06:25 AM

    Hi Tsutomu

    If you are running the latest Version 8.5 RU2 you could also leverage the newly introduced "Install Software Updates" Task.
    Take a look at: https://support.symantec.com/us/en/article.doc11414.html

    AeXPatchUtil got some new options in 8.5 RU2!

    Network23



  • 4.  RE: Automating Server Patching Process

    Posted Oct 15, 2019 01:18 PM

    I'm going to try the new tasks in 8.5RU2

    In my use case our servers are never meant to be regularly patched so I configured the target policy to end in the past. This way the Software Update plugin will never run.

    When I do wish to patch our servers I want it to be part of an automated procedure which as far as I know you can't do with the patch policy.

     

    So if the patching tasks of 8.5 RU2 work then I'll be able to disable the scheduled patching and instead provision the patches and patch policies on the target systems then run a job that will automate our patch policy.

     

    I'll test right away and get back to this thread.



  • 5.  RE: Automating Server Patching Process
    Best Answer

    Posted Oct 16, 2019 12:32 AM

    No dice, the Install update tasks are for Mac OS.

    I spoke with Symantec Support today and they think that what I am looking for will become available in 8.5 RU3 (The ability to execute pre and post image tasks)

    I'm surprised that no one else has asked for this already or has figured this out some way using the product.

    If I find out more tomorrow I'll share here.



  • 6.  RE: Automating Server Patching Process
    Best Answer

    Broadcom Employee
    Posted Oct 16, 2019 12:13 PM

    Hi Tsutomu,

    Windows Software Update Installation task was indeed introduced in 8.5 RU2. Please note that it doesn't have any instance visible out-of-the-box in Console.
    You need to follow these steps to get started:

    1. In the Symantec Management Console, on the Manage menu, click Jobs and Tasks.

    2. In the left pane, right-click the folder where you want to create the task, and then click New > Task.

    3. In the Create New Task dialog box, in the left pane, expand Software > Patch Management, and then click Install Software Updates.



  • 7.  RE: Automating Server Patching Process
    Best Answer

    Broadcom Employee
    Posted Oct 16, 2019 12:15 PM

    As for RU3 we will be adding Software Update Assessment task to accompany Software Update Installation task there.
    So it would be possible to double check that selected updates are actually required for given endpoint(s) and start with the whole job sequence only if they are.



  • 8.  RE: Automating Server Patching Process

    Posted Oct 18, 2019 05:08 AM

    Hello Dmitri,

    The solution was, as Alex said, to use AeXPatchUtil /Xa; the problem I had was using the /reboot switch.

    Creating a new Install Software Update task isn't practical and makes more sense to use if my use case were to deploy a specific patch to a specific target outside of my patch management process.

     

    I want the patches and compliance reporting to function as is. I want the patches downloaded and distributed as policies.

    I can't leverage policy patch deployment for two reasons:

    -Our business cannot adhere to a strict patching schedule. 

    -We require additional pre and post patching tasks to automate the patch deployment procedure.

    Ex. Disable the monitoring system, placing this specific server in maintenance mode. Move workload from the server to others within the cluster. Remove this server from the cluster. Identify the hypervisor on which this server is hosted. Create a snapshot of the server. Deploy the patch. Rejoin the server to the cluster. Validate the functionality of the server. Restore monitoring. Mark the snapshot for deletion X days after this patch has been applied.

    Using AeXPatchUtil will allow me to simplify the Deploy patch part of this job.
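As an added example, not code from this thread or from Symantec/Broadcom, here is one way to wrap the AeXPatchUtil /Xa step from the procedure above so that the node only rejoins the cluster and leaves maintenance mode after the patch cycle and a health check both succeed. It assumes Windows Failover Clustering (Suspend-ClusterNode/Resume-ClusterNode), the AeXPatchUtil.exe path shown (an assumption, adjust to your agent install), and that the monitoring-system call and application check are supplied as site-specific script blocks; the snapshot and hypervisor steps are left out because they depend on your platform.

```powershell
# Added example (not from the thread): per-node patch cycle orchestration.
# Assumptions: AeXPatchUtil.exe path below (verify on your agent install),
# Windows Failover Cluster, and that /Xa blocks until the cycle finishes
# (if it returns immediately in your version, poll the agent log instead).
param(
    [string]$PatchUtil = 'C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AeXPatchUtil.exe',
    # Site-specific hook: put your monitoring-system maintenance-mode call here.
    [scriptblock]$SetMaintenance = { param([bool]$On) Write-Output "maintenance=$On" },
    # Site-specific health probe; replace with a real application check.
    [scriptblock]$AppHealthy = { Test-NetConnection -ComputerName localhost -Port 443 -InformationLevel Quiet }
)
$ErrorActionPreference = 'Stop'
$node = $env:COMPUTERNAME
Start-Transcript -Path (Join-Path $env:TEMP "patch-${node}-$(Get-Date -Format yyyyMMdd-HHmm).log")
try {
    if (-not (Test-Path $PatchUtil)) { throw "Patch agent utility not found: $PatchUtil" }

    # 1. Suppress alerts, then drain roles off this node and pause it.
    & $SetMaintenance $true
    Suspend-ClusterNode -Name $node -Drain -Wait | Out-Null

    # 2. Kick off the Patch Management agent's update cycle (/Xa from the thread).
    $p = Start-Process -FilePath $PatchUtil -ArgumentList '/Xa' -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "AeXPatchUtil exited with code $($p.ExitCode)" }

    # 3. Validate before rejoining; a node that fails its check stays paused.
    if (-not (& $AppHealthy)) { throw 'Post-patch application check failed; node left paused' }
    Resume-ClusterNode -Name $node -Failback Immediate | Out-Null
    & $SetMaintenance $false
    Write-Output "Patch cycle completed on ${node}"
}
catch {
    # On any failure the node stays paused and monitoring stays in maintenance
    # mode, so it is not silently returned to service; an admin reviews the log.
    Write-Warning "Patch cycle aborted on ${node}: $_"
    exit 1
}
finally {
    Stop-Transcript
}
```

Run it as a job task on the endpoint after the session-drain and admin-logoff tasks from the first post; the transcript gives you the per-node audit trail for the compliance reporting the thread wants to keep intact.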