The Zero Day Patch Workflow Template runs on a schedule to automatically identify, stage and create policies for bulletins/patches that meet a pre-defined set of criteria.
The above video and attached document will help you download, configure, test and deploy the attached Workflow Template. Although the template is built to run as is, you can modify the project in Workflow to meet the unique process and goals of your organization.
There's a new API in SMP 8.5
SMP - Patch Management - Disable Bulletins https://www.symantec.com/connect/articles/smp-patch-management-disable-bulletins
@mafoe did you change this in the component itself?
Is this when you run in Debug or Published?
What App Pool is the workflow running as?
Hi Jason,
first of all thanks for the efforts put in creating that workflow.
I hope you are still into this, 'cause I ran into an authentication problem at the 'spPMCoreReport_SoftwareBulletinSummary' component. It will ignore the user account on the sql-connection string and instead tries to connect to the database with the one out of the NSAuthentication token and that it uses without the domain prefix or tries to connect as a local SQL account - which it isn't.
Kind Regards,
Matthias
Thank you for this great workflow implementation!
Hi,
I have a question about policy handling. I have deployed the workflow with two different option sets.
Workflow 1: Server 1 Server 2
Workflow 2: Server 3 Server 4
Now workflow 1 is running and finds some bulletins and creates a policy with srv1 and 2 as target. What happens if workflow 2 is running and finds the same bulletins? Does the workflow overwrite the policy or add the two servers to the existing policy?
Thank you very much!
Best Regards,
Stephan
-.-
The problem was an empty string in Vendor_Filter array.
Thank you!
Can anyone help me out with this issue?
___runtime_Linked_Model_Flag = True
CurrentVendorGUID = ""
ErrorMessage = " cannot be converted to a Guid"
LastComponent = "sp PMCore Report_ Software Bulletin Summary"
ModelID = "7cf7eb9c-9437-11e2-a847-000c294e9052"
ReportProcessID = "Patch-0Day-000297"
StackTrace = " at LogicBase.Components.Default.DataTypes.GuidDataHandler.doConvert(Object o)
  at LogicBase.Core.Data.DataTypes.VariableOrValueDataType.GetValue(IData data)
  at spPMCoreReport_SoftwareBulletinSummary.SqlQuery.spPMCoreReport_SoftwareBulletinSummary.Run(IData data)
  at LogicBase.Core.ExecutionEngine.SinglePathProcessComponentExecutionDelegate.Execute(IData data, IOrchestrationComponent comp, String& outputPath, IExecutionEngine engine, TLExecutionContext context)
  at LogicBase.Core.ExecutionEngine.AbstractExecutionEngine.RunComponent(TLExecutionContext context, IData data, IOrchestrationComponent comp)"
I think it can't handle the GUID of the Bulletin.
Kind Regards,
One option is to pre-stage the patches.
--
https://www.symantec.com/connect/forums/errormessage-operation-has-timed-out-zero-day-patch
Hello,
I have some trouble with timeouts in my workflow. Does anyone have ideas to solve the problem?
Error Message: The operation has timed out
Stack Trace:
  at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
  at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
  at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
  at PatchWorkflowSvcDynamicService.PatchWorkflowSvc.EnsureStaged(String bulletinGuids, Boolean sync)
  at PatchWorkflowSvcDynamicService.EnsureStaged.Run(IData data)
  at LogicBase.Core.ExecutionEngine.SinglePathProcessComponentExecutionDelegate.Execute(IData data, IOrchestrationComponent comp, String& outputPath, IExecutionEngine engine, TLExecutionContext context)
  at LogicBase.Core.ExecutionEngine.AbstractExecutionEngine.RunComponent(TLExecutionContext context, IData data, IOrchestrationComponent comp)
Report Process ID: Patch-0Day-000220
Model ID: 7e82176f-0fe0-11e2-85c7-005056a27acc
Last Component: Ensure Staged
What can I do?
Sorry, I fixed the problem by myself.
Many thanks to everyone :-D
Hi Boys and Girls,
I have a problem while running zero day in debug mode.
___runtime_Linked_Model_Flag = True
CurrentVendorGUID = "00000000-0000-0000-0000-000000000000"
ErrorMessage = "Keyword not supported: 'inital catalog'."
LastComponent = "sp PMCore Report_ Software Bulletin Summary"
ModelID = "7cf7eb9c-9437-11e2-a847-000c294e9052"
ReportProcessID = "Patch-0Day-000107"
StackTrace = " at System.Data.Common.DbConnectionOptions.ParseInternal(Hashtable parsetable, String connectionString, Boolean buildChain, Hashtable synonyms, Boolean firstKey)
  at System.Data.Common.DbConnectionOptions..ctor(String connectionString, Hashtable synonyms, Boolean useOdbcRules)
  at System.Data.SqlClient.SqlConnectionString..ctor(String connectionString)
  at System.Data.SqlClient.SqlConnectionFactory.CreateConnectionOptions(String connectionString, DbConnectionOptions previous)
  at System.Data.ProviderBase.DbConnectionFactory.GetConnectionPoolGroup(DbConnectionPoolKey key, DbConnectionPoolGroupOptions poolOptions, DbConnectionOptions& userConnectionOptions)
  at System.Data.SqlClient.SqlConnection.ConnectionString_Set(DbConnectionPoolKey key)
  at System.Data.SqlClient.SqlConnection.set_ConnectionString(String value)
  at System.Data.SqlClient.SqlConnection..ctor(String connectionString, SqlCredential credential)
  at spPMCoreReport_SoftwareBulletinSummary.SqlQuery.spPMCoreReport_SoftwareBulletinSummary.GetConnection(IData data)
  at spPMCoreReport_SoftwareBulletinSummary.SqlQuery.spPMCoreReport_SoftwareBulletinSummary.Run(IData data)
  at LogicBase.Core.ExecutionEngine.SinglePathProcessComponentExecutionDelegate.Execute(IData data, IOrchestrationComponent comp, String& outputPath, IExecutionEngine engine, TLExecutionContext context)
  at LogicBase.Core.ExecutionEngine.AbstractExecutionEngine.RunComponent(TLExecutionContext context, IData data, IOrchestrationComponent comp)"
Can anybody help me a little?
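Added example, not part of the thread or of the workflow template: a pre-flight check for the two configuration faults reported above, an empty entry in the Vendor_Filter array ("cannot be converted to a Guid") and a misspelled connection-string keyword ("Keyword not supported: 'inital catalog'"). The property names are the ones shown in the thread's settings dump; the function names, the keyword subset and the sample values are assumptions made for this illustration.

```python
import difflib
import re

# Subset of the keywords System.Data.SqlClient accepts (matched
# case-insensitively). Not the full list; extend it as needed.
KNOWN_KEYWORDS = sorted({
    "data source", "server", "address", "addr", "network address",
    "initial catalog", "database", "integrated security",
    "trusted_connection", "user id", "uid", "password", "pwd",
    "persist security info", "connect timeout", "connection timeout",
    "encrypt", "trustservercertificate", "application name",
    "multipleactiveresultsets", "pooling", "min pool size", "max pool size",
})

GUID_RE = re.compile(
    r"^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")


def check_connection_string(conn_str):
    """Return problems with the keywords of a SqlClient-style string.

    Only keywords are reported, never values, so credentials stay out of
    logs. Simplification: values containing a quoted ';' are not handled.
    """
    problems = []
    for pos, segment in enumerate(conn_str.split(";")):
        if not segment.strip():
            continue  # a trailing ';' is legal
        key, sep, _value = segment.partition("=")
        key = " ".join(key.split()).lower()
        if not sep:
            problems.append(f"segment {pos} has no '='")
        elif key not in KNOWN_KEYWORDS:
            hint = difflib.get_close_matches(key, KNOWN_KEYWORDS, n=1)
            suffix = f" (did you mean {hint[0]!r}?)" if hint else ""
            problems.append(f"unsupported keyword {key!r}{suffix}")
    return problems


def check_guid_list(name, values):
    """Flag empty or malformed entries in a GUID array property."""
    problems = []
    for i, raw in enumerate(values):
        text = raw.strip()
        if not text:
            problems.append(f"{name}[{i}] is an empty string")
        elif not GUID_RE.match(text):
            problems.append(f"{name}[{i}] is not a GUID: {text!r}")
    return problems


def validate_settings(settings):
    """Run both checks over a dict of application properties."""
    problems = []
    for name in ("Vendor_Filter", "Resource_Targets_To_Apply_To_Policy"):
        problems += check_guid_list(name, settings.get(name, []))
    conn = settings.get("Symantec_CMDB_ConnectionString", "")
    problems += [f"Symantec_CMDB_ConnectionString: {p}"
                 for p in check_connection_string(conn)]
    return problems


# Constructed sample reproducing both faults from the thread.
SAMPLE = {
    "Vendor_Filter": ["00000000-0000-0000-0000-000000000000", ""],
    "Resource_Targets_To_Apply_To_Policy":
        ["25353043-FA7D-4B25-A416-9237EEC2B156"],
    "Symantec_CMDB_ConnectionString":
        "Data Source=(local);Inital Catalog=Symantec_CMDB;"
        "Integrated Security=SSPI;",
}

if __name__ == "__main__":
    for problem in validate_settings(SAMPLE):
        print(problem)
```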
Guys Question..
I have my workflow manager installed on my SMP.
Here are my question:
1. I can't determine the basis for bulletin download (is it date released, revised, compliance).
2. Can the superseded bulletins still be downloaded?
3. How to correctly publish the zero patch template on SMP?
I have a schedule for the workflow to run at a certain time. I have downloaded the patch and deleted the created policies but it didn't recreate them when the schedule kicks. Also I did not receive that no bulletin is available.
3. How to correctly publish the zero path template on SMP?
Just a question.. I am encountering a redownload of patches.. I already have them but whenever the schedule set on workflow kicks I see patches being downloaded on Altiris Log Viewer..
I already have it recognize the GUID of my filter.
I am inputting the values on process manager portal and they are not being recognized by workflow hahaha.
My luck, it happened out of my curiosity to click the link of my project on application properties on workflow manager that leads me to correct page on where I should input the values needed.
Thanks guys!!
The GUID causes the error?
When I have installed the workflow.. I have installed also the process manager portal and process manager database.. And that's where I have uploaded the application profile for this project and input the GUIDs.. I'm thinking if the data is being processed on workflow from the data I have put on service desk portal..
if you get a result back, then you're GUID.
Thanks guys!!!
Tried accessing http://localhost/itemmanagementservices.asmx and it displays The resource cannot be found.
Tried accessing http://localhost/Altiris/ASDK.NS/ItemManagementService.asmx and it redirects me to the ItemManagementService page.
There are two items named GetItemByGuid, the other one has a text on the bottom "MessageName="GetItemsInFolderX". On the first GetItemByGuid, there's a box to test the GUID I think (To test the operation using the HTTP POST protocol, click the 'Invoke' button). I put the GUID that I extracted from SQL and I see the name of the filter that I've created.
I think it's working? hahaha what to do next?
http://localhost/Altiris/ASDK.NS/ItemManagementService.asmx
is what i assume you're trying to reach.
Marilou,
be sure you add the servername in the url (eg. http://localhost/itemmanagementservices.asmx)
Hi Nonos,
I've tried typing http://itemmanagementservices.asmx but there's nothing to display (Internet Explorer cannot display the web page). Am I doing it right??
It's my first time trying out this process.. I will be grateful if you can help me on troubleshooting steps that i should perform.
Thanks!
Did you try to use the GUID given in the error log on the Web Service itself?
Like you open a web browser and type in the URL to the "itemmanagementservices.asmx" and you'll get a list of all available methods in which you'll find "Get Item By GUID".
When you try that, do you get the item itself or does it crash?
If it crashes, it mainly means that the GUID you are using does not correspond to any item.
Been working a lot on 7.1 SP2 but don't know if things are still out there in 7.5.
Hope this helps.
Regards,
Cédric
Hi Africo,
I only have 1 Altiris on my lab.. the GUID that i have provided on the project is for my target filter (extracted from SQL)..
I attached the image on the part where the process stops..
Thanks for your comment.. Appreciate your help on this.
I'm not familiar with that project, but it looks as though you're either mixing two altiris environments (grabbing an item from one database and then trying to save it to another; the GUID may not exist in both places) or the mappings aren't correct somewhere. That's just a guess though; check any mapping components to ensure you're mapping the item guid properly.
I'm getting this error when running the project on debug mode. Can anyone help me pinpoint the problem here?
CurrentResourceGUID = "D27E6007-9A73-4E22-92AE-95BA7AA9A40E"
ErrorMessage = "System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Exception: The specified item guid does not exist.
  at Altiris.ASDK.NS.ItemManagementLib.GetItemByGuid(Guid itemGuid)
  at Altiris.ASDK.NS.Web.ItemManagementService.GetItemByGuid(Guid itemGuid)
  --- End of inner exception stack trace ---"
IteratorPrefix_c487e7b2-9591-11e2-a847-000c294e9052 = 0
LastComponent = "Get Item By Guid Component"
ModelID = "e317bec1-0fe0-11e2-85c7-005056a27acc"
ReportProcessID = "Patch-0Day-000162"
ShortDateString = "1/26/2015"
StackTrace = " at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
  at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
  at Altiris7.WebServices.Item.ItemManagementService.GetItemByGuid(Guid itemGuid)
  at Altiris7.WebServices.Item.GetItemByGuidComponent.Run(IData data)
  at LogicBase.Core.ExecutionEngine.SinglePathProcessComponentExecutionDelegate.Execute(IData data, IOrchestrationComponent comp, String& outputPath, IExecutionEngine engine, TLExecutionContext context)
  at LogicBase.Core.ExecutionEngine.AbstractExecutionEngine.RunComponent(TLExecutionContext context, IData data, IOrchestrationComponent comp)"
Today = 1/26/2015 11:37:00 AM
Hello guys,
Please share me a guide on how to do it without Process Manager....
Also, is the process still the same for 7.5 SP1?
Thanks!!
Thanks for your comment Harris. Eventually you put me on track with this. It happened to be that the workflow was crashing when it reached the stage where it needed to send the email. As I explained already, I needed to convert the application properties to global properties because we do not have the process manager installed in our environment. It seems that when a workflow is published, for some reason it cannot correctly handle some of the global variables. After I converted the global variables which were related to email to project properties, it started to work.
I will definitely start looking at implementing the process manager as for this purpose I see a lot of benefits there.
Well .... at least for now this is working, but I may need to convert the variables again at some point to application properties
Try putting a "Create Log Entry" component at the very beginning of your Workflow, and set the logging level to "Fatal". Then save/publish the workflow and open your Log Viewer. You will be able to see your log entry component write a fatal error to the logs. This is a great way to confirm whether the Workflow ran or not.
Because I wasn't able to install Process Manager on my workflow server, I had to disable the application properties. I have 'converted' the application properties to global properties and that works fine. It's a bit less flexible, but for us still very acceptable. I obviously also changed all the components which were using values from the application properties and when I run the workflow in debugger, I get exactly the result that I expect. Currently the result is that I get an email telling that no bulletins were available and all the variables in the email are filled with correct data.
Now the problem ...... once I publish the workflow, it will not send any emails anymore. Besides, I cannot really check if it has been running on the defined schedule so I have no clue if it has been running on the schedule. That's one of the nice features of Process Manager, but not available for me at this point.
Is there anyone out there who knows why email works when running the workflow in debugger and why it doesn't if it's published?
And then it would be also nice if I could somehow trace if the workflow has been running.
I published the workflow on my workflow server, which is a different one than the SMP server but that shouldn't make a difference, should it?
Any input is very welcome.
Hendrik
Hi Pascal,
Keep us updated on how this is going for you, I got this working in my lab and have a few tips to help along the way.
1) When you test the workflow by running the debug, it should run through, enable the policy but then the workflow will start again. This is because the workflow is set to "autorun" and in a live environment this is kicked off at a certain time and will only run once. So be sure to not let the workflow continually run in debug mode or you will have lots of policies and a server slowdown. In fact close it after letting it run through twice and you should have the following as a result.
There is a setting in the config page to "ignore staged policys" or something similar (I don't have access to a console right now to tell you the exact setting wording) so basically it does not duplicate policies.
Hope this helps
Rich
Any body know what is the Application property "Age_filter"
I also try to switch https to http; same issue... Here the settings I was using. PatchWorkflowSvcURL http://tms1.itsm.demo/patchmanagementcore/patchworkflowsvc.asmx
Must also say; Workflow installed with a domain service account; was needing to change the Application pool Identity for Process Manager to run using "NETWORK SERVICE" for Portal process manager able to open. But NETWORK SERVICE has the right on Patch also, this service account is also the Altiris server service account. I added the rights on windows\temp, and framework folders...
I also try opening with domain admin account; same error.
I wanted to verify the workflow able to process only "missing" and "applicable" Bulletins, not "all" including useless ones...
And also: if able to avoid requesting to edit each policy manually; to add the pilot2 group; and another time for PROD1 group; and a 3rd time the PROD2 final group in addition. As we must deploy "by wave", for validation steps: It is absolutely required being able to associate all those automated policies, to a single "editable" target, so we can switch all the policies; to next wave level with a single simple change. NOT needing to edit each 30 to 60 or more policies; to add the additional wave targets. If you deploy in 4 waves: this will ask for about 120 to 240 "edit" operations per month on this so "quick answering" Altiris web console (just joking about "quick")...
I feel we will have to create a new "Named target" each month, and edit the GUID inside the DATA/Application properties: "Zero Day Patch settings". So we will be able to edit and change a single "Named target" 4 times, for extending each week; the additional targets with the next wave of computers to deploy patches this month... Instead of editing 30 policies or more, 4 times ;-)
Zero Day Patch Settings

Category: Not Set
  IsDefault                              True
  InstanceName                           Default

Category: Configuration
  Enable_New_Policy_After_Creation       True
  Resource_Targets_To_Apply_To_Policy    25353043-FA7D-4B25-A416-9237EEC2B156

Category: Connection
  PatchWorkflowSvcURL                    http://tms1.itsm.demo/patchmanagementcore/patchworkflowsvc.asmx
  Symantec_CMDB_ConnectionString         Data Source=(local);Initial Catalog=Symantec_CMDB;Integrated Security=SSPI;

Category: Email
  Email_Server                           192.168.100.10
  Email_To_Address                       service.altiris@itsm.demo
  Email_From_Address                     PatchZeroDay.tms1@itms.demo

Category: Filter Settings
  Age_Filter                             15
  Ignore_Bulletins_With_Policies         True
  Ignore_Staged_Bulletins                False
  Vendor_Filter                          00000000-0000-0000-0000-000000000000
  Platform_Filter                        Any
  Severity_Levels_To_Analyze             Critical Important Unclassified
The URL setup is not answering:
http://tms1.itsm.demo/patchmanagementcore/patchworkflowsvc.asmx
Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /patchmanagementcore/patchworkflowsvc.asmx/Default.aspx
Version Information: Microsoft .NET Framework Version:2.0.50727.5477; ASP.NET Version:2.0.50727.5479
Well: Email notify
Error Message: The request failed with HTTP status 404: Not Found.
Stack Trace:
  at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
  at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
  at PatchWorkflowSvcDynamicService.PatchWorkflowSvc.EnsureStaged(String bulletinGuids, Boolean sync)
  at PatchWorkflowSvcDynamicService.EnsureStaged.Run(IData data)
  at LogicBase.Core.ExecutionEngine.SinglePathProcessComponentExecutionDelegate.Execute(IData data, IOrchestrationComponent comp, String& outputPath, IExecutionEngine engine, TLExecutionContext context)
  at LogicBase.Core.ExecutionEngine.AbstractExecutionEngine.RunComponent(TLExecutionContext context, IData data, IOrchestrationComponent comp)
Report Process ID: Patch-0Day-001007
Model ID: 7e82176f-0fe0-11e2-85c7-005056a27acc
Last Component: Ensure Staged
Application Name : Symantec.Patch.Zero_Day Process ID : 5780 Date :3/3/2014 1:10:50 AM Log Level :Error Log Category :LogicBase.ExecutionEngine.Delegates Machine Name : TMS1 Message : the component Setup Process declares that it outputs variable [PolicyName] of typeString but did not.
Application Name : Symantec.Patch.Zero_Day Process ID : 5780 Date :3/3/2014 1:10:52 AM Log Level :Error Log Category :PatchWorkflowSvcDynamicService.EnsureStaged Machine Name : TMS1 Message : Exception at Run method with message :The request failed with HTTP status 404: Not Found.
Application Name : Symantec.Patch.Zero_Day Process ID : 5780 Date :3/3/2014 1:10:52 AM Log Level :Error Log Category :LogicBase.ExecutionEngine Machine Name : TMS1 Message : Exception was thrown from the exception handling model in project.
And what about the Ludovic tools ?
and about this more light and simple option ?
was initially designed for 7.0 but perhaps reusable for 7.5? But probably less features :) OK just joking. But... ?
Any body know what is the Application property "Age_filter"; with default '15' value not explain in the PDF :(
I guess about 15 days old maximum for activation and processing ? But not sure about :)
If it is; we should extend it for a start; with older bulletin to be auto-activated?
Good point, you are very right: If not supported from Symantec support, not "part" the SMS or CMS or Patch Solution support, not an "integrated" supported extension...
But I do not see any disclaimer, or EULA, and this Workflow published accessible from "Workflow Manager", part of the solution. So legally, they forgot to "exclude" it from support explicitly, and so, it should be part of the solution. Of course; if support refuses the case opening; the support will take some additional time and cost; to be fulfilled; after a legal pursuit and so on ;)
I will try this, and open a case if I got an issue... We'll see if I got one ;)
I guess you are not that much wrong Pascal, as I think this is just a workflow outside of Symantec product release, meaning it might not (I could be wrong here too :) be supported by support. But it gives you a very good start on automating the patch.
Thanks a lot; I was seeing this feature inside the "What's new under 7.5" but was absolutely not able to find it after installing 7.5, reading all patch doc manuals, or try to find it under Connect, any 7.5 patch area or CMS or SMS, I was not able to find any about this Workflow.
I was not thinking about installing 1st the workflow designer; and latest going a look inside this nice "solution center" I was not know before... That's why I was thinking a false promise of Symantec. Happy to see I was wrong.
Hi Jason, I am not good with workflow, and need some help with this workflow, once policies are created and email is sent, can we have another approval process that will add the other targets based on the response by application owner.
For example policies are created and tested on the test target, now we want to add other targets but based on which team have tested, how can this be completed. I am hoping the end user can go on a console and click on check mark next to their targets and that be added?
Very nice Jason - thanks !