Symantec Management Platform (Notification Server)

  • 1.  Collections updated before Software Update Agent proceeds with install

    Posted Sep 15, 2009 08:53 AM
    Hello,

    My software update agent configuration has the install time at 12pm. A restart is scheduled to occur one hour after installation.

    Automatic Collection Update settings:

    Policy Changed Collection Update Schedule: hourly
    Collection Delta Update Schedule: hourly
    Always Refresh Collection Update Schedule: daily at 2am

    Patch Management Inventory settings:

    Default Windows OS Inventory Policy: Always, 1 hours
    Default Windows Software Release Inventory Policy: Only if changed, 4 hours
    Default Microsoft Software Inventory Policy: Only if changed, 4 hours
    Default Microsoft Vulnerability Analysis Policy: Only if changed, 4 hours

    I want to enable a mechanism to launch update installations before/after 12pm, without creating separate software update tasks or collections. I want to know how I can tell the client: check for available updates on the server, tell it what you have installed, and start installing new available updates now.

    I've used this batch file to speed up update installations on the client, but it doesn't always work. Updates just don't appear in the NSAgent Software Update tab, even though they have been staged and a software update task has been created and enabled.

    "C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AeXPatchUtil.exe" /I /C /q
    SLEEP 1200
    "C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AeXPatchUtil.exe" /C /Xa

    Can somebody tell me which collections need to be automatically updated before the client receives information about new updates and can start installation with e.g. the aexpatchutil.exe /xa command? I'm in total darkness with my settings here, because I really don't know what collections and mechanics are involved in this process.



  • 2.  RE: Collections updated before Software Update Agent proceeds with install

    Posted Sep 15, 2009 10:05 AM
    affected by the inventory you listed..

    Patch Management Inventory settings:

    Default Windows OS Inventory Policy: Always, 1 hours
    Default Windows Software Release Inventory Policy: Only if changed, 4 hours
    Default Microsoft Software Inventory Policy: Only if changed, 4 hours
    Default Microsoft Vulnerability Analysis Policy: Only if changed, 4 hours

    ...

    Are separate from the other system collections. These are internal 'hidden' collections, and are updated by the Notification Server on the interval specified under the Patch Management Settings. The default for this is 10 minutes.




  • 3.  RE: Collections updated before Software Update Agent proceeds with install

    Posted Sep 15, 2009 10:51 AM
    Hello Jim,

    10 minutes? For all of these 4 settings? Are they all updated 'Always' or 'Only if changed' by default?

    Our environment has 2000 workstations.



  • 4.  RE: Collections updated before Software Update Agent proceeds with install

    Posted Sep 15, 2009 10:54 AM
    Those settings you have specified are fine (if not a little aggressive). What I meant was that the data those inventory settings provide feeds internal collections that are updated (by default) every 10 minutes. These internal collections are hidden, and the interval is controlled from within a setting in patch management.


  • 5.  RE: Collections updated before Software Update Agent proceeds with install
    Best Answer

    Posted Sep 15, 2009 12:55 PM
    It could be that the SLEEP isn't long enough; for that to work the previous AeXPatchUtil.exe must complete (the Inventory scan initiated by using the /I switch can run for ~15 minutes even on very fast hardware), the Patch inventory must post to the NS (check the \\NSServer\NSCap\EvtQFast for a back-log of events), then the Patch collections Jim referenced must be updated (on a 10 minute cycle), THEN the client needs to check for new policies, download the patches and install them.  So, maybe extending the batch file a bit:

    @ECHO OFF
    REM *** Run patch inventory
    "C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AeXPatchUtil.exe" /I /q
    REM *** Sleep 1500 seconds which is 15 minutes for Patch inventory and 10 minutes for collection update
    SLEEP 1500
    ECHO Inventory completed, update configuration...
    REM *** Update configuration again...
    "C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AeXPatchUtil.exe" /C /q
    REM *** 660 allows for 11 minutes for the Patch collections to refresh...just in case
    SLEEP 660
    ECHO Configuration updated; check for patches on Software Update tab of Agent
    "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe"
    REM *** Now silently install the patches
    "C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AeXPatchUtil.exe" /C /Xa /q
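
The reply above suggests checking \\NSServer\NSCap\EvtQFast for a backlog of events. As an added example (not part of the original post), this PowerShell script polls that folder and reports when it has drained; it assumes the backlog is the file count in the folder and that the share is readable from where the script runs. It covers only the event-posting step, so the waits for the inventory scan and the 10 minute collection cycle still apply.

```powershell
# Added example, not from the thread. Assumptions: backlog = number of files in
# the queue folder, and this account can read the share. NSServer is the
# placeholder name used in the post.
param(
    [string]$QueuePath   = '\\NSServer\NSCap\EvtQFast',
    [int]$MaxBacklog     = 0,     # files allowed to remain in the queue
    [int]$PollSeconds    = 30,
    [int]$TimeoutSeconds = 1500   # give up after this long
)

function Get-QueueBacklog {
    param([string]$Path)
    # Count files only; subfolders are not pending events.
    $files = @(Get-ChildItem -LiteralPath $Path -ErrorAction Stop |
               Where-Object { -not $_.PSIsContainer })
    return $files.Count
}

function Wait-QueueDrained {
    param([string]$Path, [int]$Max, [int]$Poll, [int]$Timeout)
    $deadline = (Get-Date).AddSeconds($Timeout)
    $quietPolls = 0
    while ((Get-Date) -lt $deadline) {
        try {
            $backlog = Get-QueueBacklog -Path $Path
            Write-Host ("{0:HH:mm:ss} backlog: {1} file(s)" -f (Get-Date), $backlog)
            # Require two consecutive quiet polls so one empty reading taken
            # between incoming events does not end the wait early.
            if ($backlog -le $Max) { $quietPolls++ } else { $quietPolls = 0 }
            if ($quietPolls -ge 2) { return $true }
        }
        catch {
            # An unreachable share is not an empty queue: keep waiting.
            Write-Warning "Cannot read ${Path}: $($_.Exception.Message)"
            $quietPolls = 0
        }
        Start-Sleep -Seconds $Poll
    }
    return $false
}

if (Wait-QueueDrained -Path $QueuePath -Max $MaxBacklog -Poll $PollSeconds -Timeout $TimeoutSeconds) {
    exit 0   # queue drained: the batch file can continue with the /C step
}
exit 1       # timed out: the server is still backlogged or unreachable
```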


  • 6.  RE: Collections updated before Software Update Agent proceeds with install

    Posted Oct 01, 2009 01:50 PM
    Hello,

    Thanks Kyle and Jim.

    Kyle, your modified script did the job, thanks.

    However, I decided to discard the idea of using Patch Management to deploy patches to new computers. Instead, I'll put them directly into the OS image. Less hassle.


  • 7.  RE: Collections updated before Software Update Agent proceeds with install

    Posted Oct 01, 2009 03:19 PM
    That's an option, but a lot of hassle to compile all the patches together each month.  But hey, whatever works for you :)


  • 8.  RE: Collections updated before Software Update Agent proceeds with install

    Posted Oct 01, 2009 04:48 PM
    is to firm copy the patches down into the install directory (something I create for Hardware Independent Imaging). Then I run the setup from the cmdlines.txt.