Altiris Patch Management Solution for Windows Help

ALTIRIS® PATCH MANAGEMENT SOLUTION 6.1 FOR WINDOWS HELP Notice Copyright © 2001-2005 Altiris Inc. All rights reserved. Product Version: 6.1 Document Date: March 25, 2005 Bootworks U.S. Patent No. 5,764,593. RapiDeploy U.S. Patent No. 6,144,992. Recovery Solution U.S. Patent No. 5,778,395, 5,907,672, 4701745, 5016009, 5146221, 5144425, 5463390, 5506580, 5532694, GB 2172127, B 904359, 3606869. Other patents pending. Due to the inherently complex nature of computer software, Altiris does not warrant that the Altiris software is error-free, will operate without interruption, is compatible with all equipment and software configurations, or will otherwise meet your needs. The content of this documentation is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Altiris. Altiris, Inc. assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation. For the latest documentation, visit our Web site at www.altiris.com. Altiris, the Altiris logo, BootWorks, Inventory Solution, LabExpert, PC Transplant, RapiDeploy, and RapidInstall are registered trademarks of Altiris, Inc. in the United States and in other countries. Carbon Copy is a registered trademark licensed to Altiris, Inc. in the United States and a trademark of Altiris, Inc. in other countries. Altiris eXpress, Altiris Protect, Application Management Solution, Application Metering Solution, Asset Control Solution, Asset Management Suite, Client Management Suite, Compliance Toolkit, Connector Solution, Conflict Analysis Solution, Contract Management Solution, Deployment Server, Deployment Solution, Energy Saver Toolkit, Education Management Suite, Helpdesk Solution Software, Lab Management Suite, Migration Toolkit, Mobile Client for SMS, Monitor Solution, Notification Server, Patch Management Solution, Problem Management Suite, Recovery Solution, Server Management Suite, Site Monitor Solution, Software Delivery Solution, TCO Management Solution, UNIX Client for SMS, Web Administrator for SMS, Web Reports, and other product names are trademarks of Altiris, Inc. in the United States and other countries. Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft Corporation in the United States and/or other countries. HP and Compaq are registered trademarks of the Hewlett-Packard Corporation. Dell is a registered trademark of Dell Inc. Macintosh is a registered trademark of the Apple Computer Corporation. Palm OS is a registered trademark of Palm Computing, Inc. BlackBerry is a service mark and a trademark of Research In Motion Limited Corporation. RIM is a service mark and trademark of Research In Motion (RIM). All other brand names are trademarks or registered trademarks of their respective companies. Altiris Patch Management Solution Help 2 Contents Patch Management Solution 6.1 for Windows Altiris® Help Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Chapter 1: Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Overview ......................................................................... 8 Chapter 2: Installing Patch Management Solution for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Prerequisites Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Uninstalling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Chapter 3: Using Patch Management Solution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Setting Up Patch Management Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Step 1 - Deploy the Software Update Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Step 2 - Determine the Updates Needed to Deploy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Step 3 - Enable the Software Bulletins You Want to Deploy ............................. Step 4 - Create Software Update Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Step 5 - Deploy the Software Update Tasks ......................................... Step 6 - Get the Status of Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 13 14 14 15 15 16 User Interface .................................................................... Tasks Tab View ............................................................... Notification Policies ......................................................... Software Update Task ...................................................... Manage Software Updates ................................................... Resources Tab View ........................................................... Reports Tab View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Patch Management Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reports .................................................................. Configuration Tab View ......................................................... Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Microsoft Settings .......................................................... Software Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Software Update Agent Configuration ........................................... Software Update Agent Rollout ................................................ Software Update Agent Uninstall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Distribute Software Update Wizard ................................................ Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Background Actions .................................................. 16 16 16 17 20 23 24 24 24 25 25 27 30 31 34 34 35 35 37 Software Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Altiris Patch Management Solution Help 3 Contents Software Bulletins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Viewing Available Software Bulletins ............................................... Viewing Details on a Software Bulletin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Downloading Software Bulletins and Distributing Software Updates ....................... 39 39 39 40 Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Using the Distribute Software Update Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Modifying Software Update Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Software Update Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Software Update Agent Configuration Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Software Update Agent User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Upgrading the Software Update Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Uninstalling the Software Update Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Notification Policies and Reports 43 43 44 46 46 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Resource Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Software Update Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Inventory Data Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Reporting on Patch Management Data in a Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Software Updates Not Downloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reboot on a Schedule not Working Properly ......................................... Agent Reboot Warning and Snooze Option does not Appear to a User Remotely Connected via Terminal Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Windows Update Error Codes .................................................... 48 48 49 49 49 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Altiris Patch Management Solution Help 4 Chapter 1: Introduction Patch Management Solution lets you scan computers for security vulnerabilities, report on the findings, and automate the downloading and distribution of needed Microsoft security patches. This solution helps you review and download specific patches from Microsoft, create collections of computers that require a specific patch, and apply the patch to the computers that need them. Patch Management Solution provides improved functionality in terms of the analysis, collection and distribution of operating system and application updates. It consists of a central, extensible repository to house various operating systems, hardware and software vendors' patches, as well as improved installation inventory, specific software distribution options, and integration with other Altiris products, such as Recovery Solution. Some of the key features include • Expanded support for operating system and applications for English, German, Spanish, Japanese, Chinese, and French. • Information Repository that provides detailed information on each software bulletin, such as technical details, severity ratings, and number of executables. • Software Repository that automates the downloads from the vendor site prior to distribution without administrator intervention. • Patch-specific inventory for determining supported operating systems, applications, and the associated service pack level, and whether a patch is installed. • Improved distribution wizard and targeting that automatically determines the patch installation requirements and assigns Notification Server collections based on the requirements. • Extensive control over installations, such as integration with QChain, reboot control, and easy selection of command line options. Altiris Patch Management Solution Help 5 Chapter 1: Introduction Patch Management Features 2. Download Security Patch Web Administration 3. Scan Results 4. Install Security Patch Automated Alerts Altiris Web Site Microsoft Web Site 1. Download Software Management Resources Notification Server Managed Computers Patch Management Solution Features Feature Description Information Repository Patch Management Solution includes an information repository specifically tailored to automate the patch management process. The repository provides comprehensive data on software bulletins, software updates, inventory rules, and so on. The process to populate the information repository from the Altiris PMImport CAB files starts after installation is complete. Comprehensive Inventory Patch Management Solution discovers detailed information on the operating system and installed applications, as well as inventory on software update installations. For effective targeting during distribution, inventory results populate predefined collections based on operating system service pack levels and application versions. Software Repository Patch Management Solution automatically downloads all enabled software updates from the vendor site prior to distribution. This allows for staging of software updates prior to distribution. You control rollout options such as Package Server and Multicast settings. Software Update Analysis Patch Management Solution provides automated evaluation of patch dependencies to substantially reduce the labor requirements of patch management. Simplified Patch Management Solution includes a wizard that simplifies the management Distribution Tasks of distribution policies. Instead of creating a task for each individual software update, you create a single policy for the software bulletin. For example, if you have 3 software bulletins with 7 software updates, you only have to manage 3 distribution tasks instead of 21 distribution tasks. In addition, most software bulletins have software updates for different operating system versions and the languages associated with them. Recovery Solution After Altiris Recovery Solution is installed, Patch Management Solution Integration provides an agent option to automatically create a snapshot prior to software update installations. This allows for effective roll back when a software update disrupts computer functions. Altiris Patch Management Solution Help 6 Chapter 1: Introduction Previous releases of Patch Management Solution used Microsoft Baseline Security Analyzer (MBSA) as the primary means for the verification that a patch was installed. This release of Patch Management Solution uses the Altiris PMImport CAB files as the means for patch management. These files contain information on Microsoft Bulletins, updates, and new software. The files are updated by Altiris whenever Microsoft releases new software, software updates, or bulletins. Patch Management Solution uses this information to download and distribute needed software updates. A Background Action automatically downloads this file from an Altiris Web site on a schedule so you have the latest information from Microsoft. For more information on the Altiris PMImport CAB files, see “Configuring Background Actions” on page 37. When Microsoft releases additional patches, Patch Management Solution makes it easy to identify and download the new patches available from Microsoft and to create new patch packages, patch policies, and collections of computers that need the patch. Quick Link • “Overview” on page 8 Altiris Patch Management Solution Help 7 Chapter 1: Introduction Overview This section gives you a brief overview of Patch Management Solution and how it uses inventory it gathers to create Software Update packages. After you create Software Update tasks, the associated packages are sent to Altiris-enabled computers and the appropriate software update programs are installed. A. Collections are automatically created from inventory As part of the deployment of the Software Update Agent, the Inventory Rule Agent gets installed on Altiris-enabled computers and sends back inventory specifically needed for managing software updates. This inventory includes software vendor, software release, and service pack information. From this inventory, Patch Management Solution creates specific collections to target only the computers individual software updates should go to. These collections are created when the software bulletins that contain them are enabled. These collections contain computers which are applicable for the software update. Altiris Patch Management Solution Help 8 Chapter 1: Introduction B. Software bulletin information is automatically downloaded from Altiris Immediately after Patch Management Solution gets installed, it downloads complete software bulletin information from an Altiris Web site. This information includes the severity of each software bulletin as well as details on its software updates and where they can be downloaded from Microsoft. This information also includes rules for creating collections and rules how to verify that the software update is installed. Note: Notification Server needs an internet connection to download the Altiris PMImport.cab files. C. You enable software bulletins to download software updates and create packages When you enable a software bulletin, each associated software update executable automatically gets downloaded from Microsoft. You can then create a Software Update task for each software bulletin you want to deploy. From the information in software bulletin executables, Patch Management Solution then creates a Software Update package for each software update. There are one or more software updates associated with each software bulletin. Every software update applies to a software release/service pack combination. Each software update also has a Software Installation Type. D. You create Software Update tasks to deploy downloaded software updates Software Update tasks can easily be created using the Distribute Software Update Wizard. Software Update tasks use the associations created from the inventory received from the Inventory Rule Agent to select the appropriate collections to which the software updates should go. When you create a Software Update task, one or more programs are automatically created and attached to the Software Update package associated with the software update. When the Altirisenabled computer receives the Software Update task, it first verifies that the software update is needed, then downloads the Software Update package and launches the required program. This program then installs the software update. The agent first verifies that the software update is needed to save network bandwidth. The software update may already be there for multiple reasons (Example: sometimes another process rolls out a software update). If the software update is already installed, it does not download and reinstall (Example: You image a computer and its image already has the Software Update Agent. In this case, the Software Update Agent will find the software update and not reinstall). Then, at an interval, the Software Update task is re-evaluated and, if needed, the software updates will be reinstalled. Example: If some operation removes the software update, it will be reinstalled. Note: Notification Server needs an internet connection so it can automatically download these files from the Microsoft Web site. E. Behind the scenes Each software bulletin is associated with a Software Installation Type. This association is transferred down to software updates and Software Update packages. Each Software Installation Type can have one or more Software Installation Options associated with it. Note: The Software Installation Type and Software Installation Option can be viewed on the Configuration tab view by navigating to Configuration > Resource Settings > Resource Types > Software Management > Patch Management. To view all resources in a Software Installation Type or Software Installation Option, click either Software Installation Type or Software Installation Option in the treeview pane, and then click the List Resources tab in the content pane. When a Software Update task is created, one or more programs are created using the selected Software Installation Options (found under the Installation Options section of the Advanced tab). The Installation Options that are available depend on the Software Installation Type. For more information on the Installation Options section, see “New Software Update Task Page” on page 17. Altiris Patch Management Solution Help 9 Chapter 2: Installing Patch Management Solution for Windows This section tells you how to install Patch Management Solution. • “Prerequisites” on page 10 • “Installation” on page 10 • “Upgrading” on page 11 • “Licensing” on page 11 • “Uninstalling” on page 11 Prerequisites Prerequisites for Patch Management Solution • Patch Management Solution requires that you install and configure the Altiris Notification Server 6.0 SP2 or later. See the Altiris Notification Server Help for Notification Server requirements. Note: If you use language packs, you must install Notification Server 6.0 SP2 Hotfix 16. • The Altiris Agent 6.0 SP2 (build 1508 or higher) must be installed on or upgraded to every computer to which you are sending patches. IMPORTANT: It may take some planning and time before you install Patch Management Solution. Microsoft typically releases patches on the second Tuesday of each month and Altiris updates the PMImport.cab file shortly afterwards. Because of this, we recommend that you install or update Patch Management Solution at least two weeks before Microsoft releases its patches. This gives you enough time before a PMImport.cab file update to make sure that you have the Altiris Agent upgraded to 6.0 SP2 on all computers as well as install and set up Patch Management Solution. Notification Server provides reports (in particular, see the reports under the Altiris Agent Installation Status folder) that let you know the status of the Altiris Agent installation. For more information, see the Altiris Notification Server Help. Minimum requirements for running the Software Update Agent • Win32 computers running Windows 95 or later • MSI 1.1 Installation Before installing Patch Management Solution, review the requirements information (see “Prerequisites” on page 10). IMPORTANT: The software updates that Patch Management Solution distributes are provided by Microsoft Corporation for its software products. It is your responsibility to ensure that each software update will work correctly in your environment before deploying it. We recommend that you first install the software update in a test environment before deploying it to your production environment. Altiris Patch Management Solution Help 10 Chapter 2: Installing Patch Management Solution for Windows To install Patch Management Solution on the Notification Server 1 Click Start > Programs > Altiris > Altiris Console. This starts the Altiris Console. 2 In the Altiris Console, click the Getting Started tab. 3 Click the Install Altiris Solutions from the Solutions Center link. 4 Click the Solutions button. 5 Click Patch Management Solution. 6 Click Start. 7 Follow the instructions in the installation wizard. Note: The Import Microsoft Software Management Resources task will run immediately after install and will take around 20 minutes to run. Upgrading Note: You must have Patch Management Solution 6.0 Hotfix 1 or later installed before you can upgrade to Patch Management Solution 6.1. Note: Patch Management Solution 6.1 will only work with the Software Update Agent 6.1. To upgrade from Patch Management Solution 6.0, you must also upgrade the Software Update Agent on your Altiris-enabled computers. To upgrade Patch Management Solution to 6.1 1 Make sure you have Patch Management Solution 6.0 Hotfix 1 or later installed. 2 Install Patch Management Solution as described in “Installation” on page 10. 3 Upgrade the Software Update Agent on your Altiris-enabled computers. Licensing Each Altiris product comes with a 7-day trial license that is installed by default. You can register and obtain a 30-day evaluation license through our Web site at www.altiris.com or purchase a full product license. To view your current license, open the Altiris Console, click the Configuration tab, and select Licensing. For more information, see “Licensing Altiris Software” in the Altiris Getting Started Guide on the product CD or on our Web site at www.altiris.com/support/documentation. Uninstalling To uninstall Patch Management Solution 1 2 Uninstall all Patch Management Agents on your Altiris-enabled computers (see “Uninstalling the Software Update Agent” on page 46). On the Notification Server computer click Start > Settings > Control Panel > Add/Remove Programs. Altiris Patch Management Solution Help 11 Chapter 3: Using Patch Management Solution Setting up and configuring the Patch Management Solution is easy. Most of the work required to set up and use it has already been taken care of by predefined policies that are installed along with the solution. Note: If Notification Server proxy settings have been configured, Patch Management Solution uses them to download software update information from the Altiris Web site and to download software updates from Microsoft. For more information on proxy settings, see the Altiris Notification Server 6.0 Release Notes or the Altiris Notification Server Help. The following is a list of tasks that are performed in the background after the solution setup is complete. • Download and install the latest Altiris PMImport CAB files, extract them, and place their information in the Notification Database • Download and install Microsoft QChain • Deliver and install client prerequisites to targeted computers (after certain policies are enabled) Quick Links • “Setting Up Patch Management Solution” on page 12 • “User Interface” on page 16 • “Software Resources” on page 38 • “Software Bulletins” on page 39 • “Software Updates” on page 40 • “Software Update Agent” on page 43 • “Notification Policies and Reports” on page 46 • “Resource Manager” on page 47 • “Reporting on Patch Management Data in a Hierarchy” on page 48 • “Troubleshooting” on page 48 Setting Up Patch Management Solution After Patch Management Solution is installed, the Import Microsoft Software Management Resources Background Action is automatically run. This Background Action downloads the Altiris PMImport CAB files and imports all software management resources from these files into the Notification Database. These resources are needed before you can use this solution. They are necessary for populating the Manage Software Updates page and updating patches to Altiris-enabled computers. After the CAB files are downloaded and the software management resources are imported into the Notification Database, you can proceed with setting up Patch Management Solution. Altiris Patch Management Solution Help 12 Chapter 3: Using Patch Management Solution Setting Up Patch Management Solution To confirm that the PMImport.cab files downloaded successfully and the software management resources were imported. 1 In the Altiris Console, click the Configuration tab. 2 In the treeview pane, navigate to Configuration > Solution Settings > Software Management > Patch Management > Server Settings > Microsoft Settings > Import Microsoft Software Management Resources. 3 Click on the History tab. 4 Check the Status column. When it says “Completed”, the software management resources have been imported. The following is a quick-start guide that will walk you through the process of setting up and using Patch Management Solution. Quick Links • “Step 1 - Deploy the Software Update Agent” on page 13 • “Step 2 - Determine the Updates Needed to Deploy” on page 14 • “Step 3 - Enable the Software Bulletins You Want to Deploy” on page 14 • “Step 4 - Create Software Update Tasks” on page 15 • “Step 5 - Deploy the Software Update Tasks” on page 15 • “Step 6 - Get the Status of Updates” on page 16 Step 1 - Deploy the Software Update Agent Patch Management Solution includes a Software Update Agent that must be deployed on Altirisenabled computers on which you want to use the Patch Management Solution features. The Software Update Agent inventories programs that are installed on the Altiris-enabled computer and sends this data to the Notification Server. It then uses this information to track applications that are installed on the Altiris-enabled computer and matches them with packages that are defined by the Notification Server. You can use this information in deciding which applications to send to which Altiris-enabled computers. Note: When the Software Update Agent is installed, the Inventory Rule Agent and the Package Agent are automatically installed also. IMPORTANT: If you have a large number of computers to which you want to deploy the Software Update Agent, consider deploying the agent during off-peak hours to minimize network traffic at peak times. To deploy the Software Update Agent IMPORTANT: Before deploying the Software Update Agent on a computer, the Altiris Agent must already be installed on that computer. 1 In the Altiris Console, click the Configuration tab. 2 In the treeview pane, navigate to Configuration > Solutions Settings > Software Management > Patch Management > Windows > Software Update Agent Rollout. 3 Select the Software Update Agent Install policy. 4 In the content pane, make any desired changes. By default, the Software Update Agent will be deployed as soon as possible after the policy is enabled to computers in the All Windows Computers without Software Update Agent Installed collection. 5 Select the Enable check box. 6 Click the Apply button. By default, a new Software Updates tab appears in the Altiris Agent console which shows software updates for that computer. Altiris Patch Management Solution Help 13 Chapter 3: Using Patch Management Solution Setting Up Patch Management Solution Note: This can take some time depending on how many Altiris-enabled computers you have and on your Altiris Agent settings. Inventory Policies After the Software Update Agent policy has run, other inventory policies run automatically. These inventory policies are found in the Microsoft folder. This folder can be found by clicking on the Configuration tab and then navigating to Configuration > Solutions Settings > Software Management > Patch Management > Windows > Software Inventory in the treeview pane. You can track the status of the inventory policies by viewing the Notification Server log file. For more information, see “Error Logging” in Altiris Notification Server Help. Also, you may want to review inventory data for a computer using the Resource Manager. For more information, see “Inventory Data Classes” on page 47. See Also • “Software Inventory” on page 30 • “Software Update Agent Rollout” on page 34 Step 2 - Determine the Updates Needed to Deploy Note: This step is optional. You do not need to view reports before deploying updates. This solution is designed to let you easily deploy updates by enabling the software bulletins that are listed. After the necessary policies have run on the Altiris-enabled computers and the data has been sent back to the Notification Server, you can run reports to help you determine which software updates need to be installed on which Windows computers. For more information on the available reports, see “Reports Tab View” on page 24. The reports in the Compliance, Component Version Reports, and Inventory folders are particularly useful for determining which software updates to deploy. Note: You can enable or distribute software updates directly from reports by double-clicking on the update name in the report. If you want to view compliance reports for your entire organization from a single console when using more than one Notification Server, see “Reporting on Patch Management Data in a Hierarchy” on page 48. Step 3 - Enable the Software Bulletins You Want to Deploy After you determine which software bulletins to deploy (either by running the appropriate reports or by some other means), you need to enable them. This solution is designed so that software bulletins only get deployed to the computers that need them. Therefore, enabling all software bulletins ensures that they will be deployed to all appropriate computers in your environment. After the software bulletins have been enabled, the associated software updates are automatically downloaded from the Microsoft Web site. To view their progress, click the Update button to refresh. When the # Downloaded column equals the # Updates column, all software updates for each enabled software bulletin has been downloaded. Note: Depending on how many software bulletins you enable and your network speed, this may take some time. The software updates need to be downloaded before you can create a Software Update task for each software bulletin. Software Update tasks install the software updates to the Windows computers that need them. Altiris Patch Management Solution Help 14 Chapter 3: Using Patch Management Solution Setting Up Patch Management Solution To enable the software bulletins you want to deploy 1 2 In the Altiris Console, click the Tasks tab. In the treeview pane, navigate to Tasks > Software Management > Patch Management > Manage Software Updates. 3 In the content pane, select the software bulletins you want to enable. 4 Click the Enable Bulletin toolbar item. See Also • “Software Bulletins” on page 39 Step 4 - Create Software Update Tasks After the software bulletins have been enabled and the associated software updates have been downloaded, you need to create Software Update tasks that deploy the software updates to the appropriate Windows computers. A wizard is provided that quickly walks you through the process of creating Software Update tasks. The wizard automatically selects the Windows computers that need the software updates you want to deploy. To create Software Update tasks for the software bulletins you want to deploy 1 2 In the Altiris Console, click the Tasks tab. In the treeview pane, navigate to Tasks > Software Management > Patch Management > Manage Software Updates. 3 In the content pane, select the software bulletin that you want to deploy. 4 Click the Software Bulletin Wizard toolbar item. 5 Note: This wizard will not run unless all software updates from the selected software bulletin 6 Follow the steps through the wizard. You can use the default settings or make any changes you want. See “Distribute Software Update Wizard” on page 35 and “Using the Distribute Software Update Wizard” on page 41. have downloaded. Step 5 - Deploy the Software Update Tasks Now, all you need to do to deploy the Software Update tasks is enable them. When a Software Update task is distributed, its package gets deployed according to a schedule. This package downloads and installs the selected software updates on your Altiris-enabled computers. Notes • Updates are installed according to Microsoft specifications. Example: if Microsoft requires a reboot, then the computer is rebooted after the update has been installed. • Reboots on Altiris-enabled computers are minimized because the updates that do not require a reboot are installed before the software updates that do require a reboot. • Patch Management Solution uses targeted deployments. Updates will not be deployed to a computer unless that computer specifically needs that software update. • A computer must meet Microsoft prerequisites before any software updates can be sent to that server. A particular software update will only be sent to a computer that meets the Microsoft prerequisites and also is applicable to that computer (Example: the computer has the appropriate hardware device, computer model or operating system installed). • You can add frequently used items to the Shortcuts tab. For more information, see the Altiris Notification Server Help. See Also • “Software Update Task” on page 17 Altiris Patch Management Solution Help 15 Chapter 3: Using Patch Management Solution User Interface Step 6 - Get the Status of Updates After the selected updates have been deployed, you can run a report to see their status on your computers. This report, called Task Execution by Computer, can be accessed on the Reports tab by navigating to Reports > Software Management > Patch Management > Agent Task Execution. Microsoft patches return error codes, both for successful and unsuccessful updates. This report provides the successful error codes. For an explanation of these error codes, see “Windows Update Error Codes” on page 49. For more information on the available reports, see “Reports Tab View” on page 24. User Interface When Patch Management solution is installed, folders and items are placed in various tab views of the Altiris Console. All folders and items for the Patch Management Solution are placed in the Software Management folder in the Tasks, Resources, Reports, and Configuration tab views in the Altiris Console. Note: The Software Management folder is also shared with Software Delivery Solution. • “Tasks Tab View” on page 16 • “Resources Tab View” on page 23 • “Reports Tab View” on page 24 • “Configuration Tab View” on page 25 • “Distribute Software Update Wizard” on page 35 • “Security” on page 35 • “Configuring Background Actions” on page 37 Tasks Tab View Patch Management Solution provides the following folders and items in the Tasks tab view. These folders and items provide the tasks for the solution to run to perform patch management. Quick Links • “Notification Policies” on page 16 • “Software Update Task” on page 17 • “Manage Software Updates” on page 20 Notification Policies Notification Policies allow you to automatically be notified when certain conditions exist. One of the Notification Policies supplied by Patch Management Solution is the New Software Bulletin Available policy. This policy generates a report whenever a new software bulletin becomes available. Generally, the Notification Policies in the Notification Policies folder get enabled and disabled automatically. However, you can edit or clone them to fit your needs. To access these policies 1 In the Altiris Console, click the Tasks tab. 2 In the treeview pane, select Tasks > Software Management > Patch Management > Notification Policies > Global. Altiris Patch Management Solution Help 16 Chapter 3: Using Patch Management Solution User Interface Software Update Task The Software Update Task folder stores Software Update tasks that you create. The Altiris PMImport CAB files provide the information needed to create a Software Update task. You must create a Software Update task for each software bulletin that contains software updates that you want to distribute. Software Update tasks can be created manually in this folder or by using the Distribute Software Update Wizard. We recommend that you use the Distribute Software Update Wizard to create your Software Update tasks. After Software Update tasks are created and enabled, they distribute the enabled software updates to the requested Altiris-enabled computers. For more information, see “Software Updates” on page 40. To access this folder 1 In the Altiris Console, click the Tasks tab. 2 In the treeview pane, select Tasks > Software Management > Patch Management > Software Update Task. To create a new Software Update task without using the Distribute Software Update Wizard 1 2 3 In the Altiris Console, click the Tasks tab. In the treeview pane, navigate to Tasks > Software Management > Patch Management > Software Update Tasks > Microsoft. Right-click on the Microsoft folder and select New > Software Update Task. Note: Software Update tasks can be located in other folders depending on where they were placed after their creation. New Software Update Task Page General Tab Page Items Item Description Enable Enables the Software Update task when selected. Disables the Software Update task when cleared. Enabling the Software Update task automatically enables all software updates associated with the software bulletin. See the Advanced tab. Name Name of the Software Update task. Description Description of the Software Update task. Software Bulletin Lets you select the software bulletin to which this task will be applied. This opens the Find Resource dialog box, which displays all available software bulletins. Click on the Select a view drop-down list to filter software bulletins. Double-click on a software bulletin to open the Resource Manager. This gives you detailed information on the software bulletin. You can only select a software bulletin that has been previously enabled. Note: If you use the Distribute Software Update Wizard, the correct software bulletin will be automatically selected. Altiris Patch Management Solution Help 17 Chapter 3: Using Patch Management Solution User Interface General Tab Page Items (Continued) Item Description Applies to target Collection Specifies the target collection or collections to which the Software Update task applies. If you use the Distribute Software Update Wizard, the correct target collection for the selected software bulletin is automatically applied. The default collection is also automatically applied to the Software Update task. If you want to change the collection, click on the link to open the Collection Selector. If you are not using the Distribute Software Update Wizard, you must select a target collection that is broad enough to include all computers that the updates in this bulletin will go to. The correct sub-collections for each software update are automatically selected on the Advanced tab. Note: At least one collection must be selected before you can apply the Software Update task. Apply Click Apply to save changes. Cancel Click Cancel to discard changes. Options Tab Page Items Item Description Select when to run This section lets you select when you want this Software Update task to run this task the first time. After the Software Update task runs once, the Agent’s default schedule is used from then on. Use the Agent’s default schedule - Select to use the Patch Management Agent’s default schedule to run this Software Update task. For information on the Patch Management Agent default options, see “Patch Management Agent Settings” on page 32. Run as soon as possible - Select to run this Software Update task as soon as possible. • Power on the computer (wake on LAN) before installing software updates - If you choose Run as soon as possible, this check-box lets you choose to power on the computer using wake on LAN for computers that support it. Select when to first run this task - Select this to set your own schedule for when this Software Update task should first run. After you select this setting, click the No schedule has been defined link. Next, when the Schedule Editor opens, select Once under the Schedule Task section. Then, select the Start Time and the Run on date and click the OK button. IMPORTANT: Patch Management Solution for Windows does not support any custom schedule other than “Once” for the Select when to first run this task setting. If you select any setting under the Schedule Task section other than Once, the Agent’s default schedule will automatically be used. Altiris Patch Management Solution Help 18 Chapter 3: Using Patch Management Solution User Interface Options Tab Page Items (Continued) Item Description Reboot options for This section lets you select your reboot options for this Software Update task. this task Use the Agent’s default schedule - Select to use the Patch Management Agent’s default reboot options for this Software Update task. For information on the Patch Management Agent default options, see “Patch Management Agent Settings” on page 32. Allow immediate reboot - Select to allow an immediate reboot after the installation of the update. Select multicast This section lets you select Multicast options for this Software Update task. options for this task Use Default Multicast Settings - Select this to use the default Notification Server Multicast settings. Customize Multicast Settings - Select this to choose whether or not to Multicast the package depending on whether or not Multicast Package is selected. • Multicast Package - Select this to multicast the package to other Altiris Agent computers receiving the same package. If this is not selected, then the package does not get multicast. For information about multicasting, see “Multicasting” in the Software Delivery Solution for Windows Product Guide. Advanced Tab Page Items Item Description Select software Displays the software updates contained in the selected software bulletin. update to configure Select a software update from this list to edit its options under the Configure the options for the selected software update section. Installation Requirements Displays the language and prerequisites for the selected software update. Go to Software Update Click to view the Software Update resource information. Enable Enables the software update currently selected. Disables the selected software update when cleared. Software updates must be enabled to get sent to targeted computers. When you enable the Software Update task on the General tab view, all associated software updates get automatically enabled. After the Software Update task is enabled, you can disable any software updates that you do not want to distribute. Applies to prerequisites collection Specifies the collection to which the selected software update applies. The correct collection for the software update based on information from the software bulletin is automatically applied. You should not need to change this. If you want to change the collection, click on the link to open the Collection Selector. If you change this collection, you must select a collection that is a subset of the target collection you selected on the General tab. Altiris Patch Management Solution Help 19 Chapter 3: Using Patch Management Solution User Interface Advanced Tab Page Items (Continued) Item Description Installation Options These are the installation options for the selected software update. If you are using the Distribute Software Update Wizard, you will get what is determined to be the correct command line options to use for the selected software update. No command line arguments - Select this if you do not want any command line arguments for the selected software update. Custom command line arguments - This lets you select command line options for the selected software update. These are: • Do not prompt - Does not prompt the user during installation of the software update. • Do not display - Does not display user interface elements, such as dialog boxes, during the installation of the software update. • No Reboot - Will not reboot the computer after install of each software update. The computer will still reboot on the next Reboot Schedule if the software update indicates that a reboot is required to complete the installation. If this option is not specified, the software update may reboot the computer immediately following application install. • Unattended install - This is a combination of Do not display, Do not prompt, and No reboot. This setting does not prompt the user, does not display any user interface and does not reboot after installation of the software update. If you do not use the Do not display and Do not prompt options, an interactive user must be logged on to the Altiris-enabled computer receiving software updates. If there is no interactive user, then the patch will fail because user interface items are displayed to the user. Go to Software Update Package Click to view and edit the Software Update package. The Software Update package contains all of the files necessary for installing the software update to the Altiris-enabled computer. Manage Software Updates The Manage Software Updates page lets you view and enable all software bulletins provided by the Altiris PMImport CAB files. After Patch Management Solution is installed, the Altiris PMImport CAB files are downloaded and extracted and its information is placed in the Notification Database. The Manage Software Updates page gets populated from the Notification Database. From the Manage Software Updates page, you can enable the software bulletins that you want downloaded from the Microsoft Web site. When you enable a software bulletin from the Manage Software Updates page, all associated updates get downloaded to the Notification Server from the Microsoft Web site as soon as possible. When the number in the # Updates column equals the number in the # Downloaded column, then all associated updates for the software bulletin have been downloaded. Sometimes not all software updates can be downloaded for a software bulletin because Microsoft may stop hosting the bulletin or relocate it. A Software Update task can be created for any software bulletin as long as it contains at least one downloaded software update. To access this page 1 In the Altiris Console, click the Tasks tab. 2 In the treeview pane, select Tasks > Software Management > Patch Management > Manage Software Updates. Altiris Patch Management Solution Help 20 Chapter 3: Using Patch Management Solution User Interface Page Items Item Description Show The Show drop-down list gives you flexibility in viewing available software bulletins. Select the view that best meets your needs. Update Click to refresh the Software Bulletin list. Use this when you have made changes to the list, such as enabling software bulletins. Software Bulletin list Displays the available software bulletins. From this list, you can perform an action on one or more software bulletins by either right-clicking on the bulletin or selecting a toolbar item. The following table gives a description of the columns found in the Software Bulletin list. Software Bulletin List Columns Column Description Software Bulletin The name Microsoft assigned to the software bulletin. Severity The severity as assigned by Microsoft. Enabled True = Enabled False = Disabled Note: You must enable the software bulletin to download its associated software updates. # Tasks The number of Software Update tasks you created for the bulletin. # Updates The number of software updates assigned by Microsoft to the software bulletin. # Downloaded The number of software updates downloaded from the Microsoft Web site. Note: If you want to see which software updates have not been downloaded, run the Software Update Download Status report and select “Fail” as the Download Status. You can view specific information on a particular software update by right-clicking on the software update name and selecting Resource Manager. First Release Date The date Microsoft released the software bulletin. Revision Date The last date Microsoft revised this software bulletin. Bulletin Description The description Microsoft gave to the software bulletin. Software Bulletin Page Toolbar Altiris Patch Management Solution Help 21 Chapter 3: Using Patch Management Solution User Interface The clickable icons on the Software Bulletin Page toolbar are: • Table View - Lets you change the table view. • Copy - Creates a copy of the entire grid to paste elsewhere. • Search - Lets you search for a software bulletin in the table. Enter the search text in the Search field, then click the Find button. • Search Again - Finds the next software bulletin based on the last search criteria you entered in Search. • Grid right click menu - Provides a shortcut for the right-click menu. • Save - Saves the displayed information as a Saved Report. • Print - Prints the table information. • Enable Bulletin - Enables the selected software bulletin. Patches are not downloaded until the corresponding bulletin is enabled. • Disable Bulletin - Disables the selected software bulletin. • Software Bulletin Wizard - Opens the Distribute Software Update Wizard populated with the selected software bulletin’s information. See “Distribute Software Update Wizard” on page 35. Shortcut Menu Items The following table lists the Patch Management Solution shortcut menu items that may be available when you right-click a software bulletin on the Manage Software Updates page or on a Report. For information on other shortcut menu items provided by Notification Server, see “Tasks Tab View” in the Altiris Notification Server Help. Shortcut Menu Item Description View Tasks Lets you view a report of all Software Update tasks that have been created for the selected software bulletin. In this report, you can select a task name to be taken directly to that task. View Targeted Computers Runs the Computers with Software Bulletin Prerequisites Installed report. View Computers with Bulletin Prerequisites Installed Runs the Computers with Software Bulletin Prerequisites Installed report when you right-click a software bulletin from a report page. View Distributed Computers Runs the Task Execution by Computer report when you right-click a software bulletin from a report page. List Software Updates Runs a report listing all updates for this software bulletin. To view resource information for the update, double click on the update name. Resource Manager Shows detailed information on the selected software bulletin. This provides valuable information on the software bulletin, such as the summary, severity, and affected platforms. A link is provided to the Microsoft Web site where that update is explained in further detail. Move Allows you to relocate this resource to another location in the Resource tab. Disable Disables the selected software bulletin. This also disables all associated Software Update tasks. Altiris Patch Management Solution Help 22 Chapter 3: Using Patch Management Solution User Interface Shortcut Menu Item Description Distribute Software Updates Launches the Distribute Software Update Wizard and automatically inputs information from the selected software bulletin. Note: This option is only available after the software bulletin has been enabled and all associated software updates have been downloaded. Recreate All Packages Redownloads and recreates the software updates in the selected software bulletin. Software updates that are missing will be downloaded. Software updates that are partially downloaded (Example: a disconnected network) will be recreated. Note: This option is only available after the software bulletin has been enabled. Drill down to tasks From the Software Bulletin list, you can drill down to see a report on all Software Update tasks that have been created for a software bulletin. To see this report, double-click on a software bulletin name in the Software Bulletin list. If that software bulletin has Software Update tasks created for it, you will see a report showing a list of those tasks. The following table gives a description of the columns found in this report. Column Description Software Update Task The name of the Software Update task. # Software Updates The number of software updates assigned to the associated software bulletin. # Active The number of software updates enabled for the task. Created By The user who created the task. Modified By The last user who modified the task. Modified Date The date the task was modified. Created Date The date the task was created. See Also • “Software Bulletins” on page 39 Resources Tab View This section discusses the folders and items that Patch Management Solution places in the Resources tab view. These can be found by clicking on the Resources tab, and then navigating to Resource Management > Collections > Software Management and Resource Management > Resources > Software Management in the treeview pane. Patch Management Solution creates collections that are populated when the Notification Database receives inventory from the Inventory Rule Agent. These collections are then used by Patch Management Solution to distribute software updates to the appropriate Altiris-enabled computers. You do not need to do anything with these collections. They are automatically populated and used by Patch Management Solution when needed. However, you can create or change any collection to fit your needs. For more information on collections, see the Altiris Notification Server Help. Collections that are created by Patch Management Solution are found in the Resources tab by navigating to Resource Management > Software Management > Patch Management > Software Update Aggregate Collections. Altiris Patch Management Solution Help 23 Chapter 3: Using Patch Management Solution User Interface The collections that Patch Management Solution creates are based on the resource folders that Patch Management Solution creates under the Resource Management > Resources > Software Management > Software folder. The Altiris PMImport CAB files populate the resource folders. The resource folders that Patch Management Solution adds contain information on applications, operating systems, drivers, and other software. You can double-click on any resource in the resource folders to launch the Resource Manager. The Resource Manager shows details about that resource. See Also • “Software Resources” on page 38 Reports Tab View This section discusses the folders and items that Patch Management Solution places in the Reports tab view. Quick Links • “Patch Management Dashboard” on page 24 • “Reports” on page 24 Patch Management Dashboard The Patch Management Dashboard gives you a quick look at valuable Patch Management information. From this dashboard, you can see how many computers have the Software Update Agent installed, how many bulletins have been added in the last week, and a summary of software update distribution. Links are provided in the left pane of the Dashboard to three specific reports. When you click on a report link, the report runs in the right pane. Many more reports are provided in the Patch Management folder. A distribution report is also provided that shows in a bar graph the items from the Software Update Distribution Summary. This report is called Distribution Graph and can also be accessed from the Reports folder in the treeview pane. Reports Reports allow you to analyze your data. Each Altiris solution includes predefined reports that you can use or modify, or you can create your own reports. Patch Management Solution provides numerous predefined reports to help you analyze your patch management information. These reports are found in the Altiris Console under the Reports tab by navigating to Reports > the treeview pane. The reports are organized into the following categories: Software Management > Patch Management in • • • • • • • Agent Information - Contains reports on software update download and execution, such as package download errors (wrong platform, insufficient space, and so forth), and information about computers with the Software Update Agent installed. Agent Software Update Packages - Contains reports on Software Update packages. Agent Task Execution - Contains reports on Software Update task execution and reboot status. Compliance - Contains reports on computer compliance levels. Inventory - Contains reports on computer inventory. Software Bulletins - Contains reports on Software Bulletin Status. For example: software bulletins for which some updates have not been downloaded. Also software bulletins by Software Release which displays all software bulletins and whether the bulletin is enabled or disabled. Software Update Summary - Contains reports on software update download status, which lists all failed or successful software update downloads. Altiris Patch Management Solution Help 24 Chapter 3: Using Patch Management Solution • • User Interface Vulnerability Analysis - Contains reports on detected vulnerabilities by computer and severity rating. Also contains a report of computers requiring reboot to complete software update installation. Distribution Graph - This report shows software update distribution items in a bar graph. This report is used in the Patch Management Dashboard. Note: Any report that displays software updates lets you enable or distribute those updates by right- clicking on the update name (see “Shortcut Menu Items” on page 22). In addition to the above reports, you can create your own reports. Notification Server provides the ability to automatically delete old reports. For information on these features as well as using predefined reports and creating custom reports, see Altiris Notification Server Help. Configuration Tab View Patch Management Solution places several configuration items in the Configuration tab view. These items let you configure Patch Management Solution to meet your needs. Here you will find all the server side configuration for deploying the Software Update Agent. The following folders can be found by clicking on the Configuration tab and then navigating to Configuration > Solutions Settings > Software Management > Patch Management in the treeview pane. Quick Links • “Global Settings” on page 25 • “Microsoft Settings” on page 27 • “Software Inventory” on page 30 • “Software Update Agent Configuration” on page 31 • “Software Update Agent Rollout” on page 34 • “Software Update Agent Uninstall” on page 34 Global Settings The Global Settings folder contains items used for setting up Patch Management globally, regardless of platform. This folder contains one configuration item page and two Background Actions. The Global Settings folder can be found by clicking on the Configuration tab and then navigating to Configuration > Solutions Settings > Software Management > Patch Management > Server Settings in the treeview pane. Quick Links • “Patch Management Core Configuration” on page 25 • “Download Software Update Packages” on page 26 See Also • “Configuring Background Actions” on page 37 Patch Management Core Configuration This configuration page lets you set global settings that apply to all software updates, regardless of platform. This lets you configure the software update download process to include languages to manage, exclude software updates, or retry when downloads fail. Altiris Patch Management Solution Help 25 Chapter 3: Using Patch Management Solution User Interface To access this page 1 In the Altiris Console, click the Configuration tab. 2 In the treeview pane, select Configuration > Solution Settings > Software Management > Patch Management > Server Settings > Global Settings > Patch Management Core Solution. Page Items Item Description Locale Selection Option In addition to English, Patch Management Solution supports French, German, Japanese, and Spanish software updates. These settings let you select the languages that you want Patch Management Solution to manage. Note: Only software updates for the languages you select will be available to download. Manage all software management resources - Select this to manage all supported software updates regardless of language. Customize software management resources - Select this to customize which languages to manage. • Select a language to manage - If you select Customize Software management resources, this lets you add or remove the languages that you want to manage. Click the pencil icon to edit the languages to manage. Note: If you add a locale, you need to re-create packages so the software updates can to be added to the existing Software Update Tasks Resource Exclusion Selection Option Select Software Releases to exclude - Lets you exclude software updates by excluding software releases that are not relevant to your organization. To save time, exclude software products that you do not have on any of your computers. Background Action Options Retry failed downloads - Select how many times the software update download process will retry when attempting to download when using the download process, such as when downloading software updates or Altiris PMImport CAB files. Apply Click Apply to save changes. Note: These settings will not be applied until the next time the software update download process runs. Cancel Click Cancel to discard changes. Download Software Update Packages This Background Action is started after you enable a software bulletin to check software update package availability. It downloads the appropriate software update packages from the Microsoft Web site. Note: Background Actions can be triggered immediately from the context menu (by right-clicking on the Background Action) by clicking Start Task and Stop Task. Altiris Patch Management Solution Help 26 Chapter 3: Using Patch Management Solution User Interface General Tab General Tab Items Item Description Package Download Folder The package download folder. We recommend that you not change this folder unless you have a different location for downloading this file. UNC paths are supported. Apply Click Apply to save changes. Cancel Click Cancel to discard changes. History Tab The History tab displays the download history. Check here to see if the Background Action download has completed. Microsoft Settings The Microsoft Settings folder contains items used for setting up Patch Management specifically for Windows. This folder contains one configuration item page and two Background Actions. The Microsoft Settings folder can be found by clicking on the Configuration tab and then navigating to Configuration > Solutions Settings > Software Management > Patch Management > Server Settings in the treeview pane. After the Patch Management Solution install process is complete, two Background Actions are launched in the background. These include the QChain download and the Import Microsoft Software Management Resources Background Action. The Import Microsoft Software Management Resources Background Action downloads the Altiris PMImport CAB files and imports all software management resources from these files into the Notification Database. Quick Links • “Download QChain” on page 27 • “Import Microsoft Software Management Resources” on page 28 • “Microsoft” on page 28 See Also • “Configuring Background Actions” on page 37 Download QChain QChain is downloaded as soon as Patch Management Solution is installed. If you need the most recent download of QChain, you can enable the schedule on this Background Action. Note: Background Actions can be triggered immediately from the context menu (by right-clicking on the Background Action) by clicking Start Task and Stop Task. Altiris Patch Management Solution Help 27 Chapter 3: Using Patch Management Solution User Interface General Tab General Tab Items Item Description Download URL The URL of the download site. We recommend that you not change this URL unless you have a different location for downloading this file. Only download if modified Select to download this file only if it has been modified since the last download. Enable Schedule Select to enable the selected schedule from the drop down list. Apply Click Apply to save changes. Cancel Click Cancel to discard changes. History Tab The History tab displays the download history. Check here to see if the Background Action download has completed. Import Microsoft Software Management Resources This Background Action downloads the Altiris PMImport CAB files and imports all software management resources from these Altiris PMImport CAB files. These resources are necessary for populating the Manage Software Updates page and updating patches to Altiris-enabled computers. To see when this process has completed, look on the History tab view. If there is a time in the EndTime column, the process has completed. Note: Background Actions can be triggered immediately from the context menu (by right-clicking on the Background Action) by clicking Start Task and Stop Task. General Tab General Tab Items Item Description Download URL The URL of the download site. We recommend that you not change this URL unless you have a different location for downloading this file. Only download if modified Select to download this file only if it has been modified since the last download. Enable Schedule Select to enable the selected schedule from the drop down list. Apply Click Apply to save changes. Cancel Click Cancel to discard changes. History Tab The History tab displays the download history. Check here to see if the Background Action download has completed. Microsoft This configuration page lets you set up how you want Microsoft software updates distributed. Some of these settings are used as default values in the Distribute Software Update Wizard (see “Distribute Software Update Wizard” on page 35). All Microsoft software updates will have these settings by default. If you change these settings, existing Software Update Tasks and packages will not be updated with these defaults. You can force them to be updated by re-creating packages from the Manage Software Updates page (see “Manage Software Updates” on page 20). Altiris Patch Management Solution Help 28 Chapter 3: Using Patch Management Solution User Interface General Tab Items Item Description Software Update Distribution Options Default target collection - The default target collection displayed on the first page of the Distribute Software Update Wizard. Apply Click Apply to save changes. Cancel Click Cancel to discard changes. Package Server Tab Items Item Description Package Server Replication Options These settings override the default package server replication options. Allow Package Server replication - Select this to allow Package Server replication for the Software Update package. When this is selected, the other options on the Package Server tab view are available. Allow Package Server package event - Select this to allow Package Server package event. Use alternate download destination on client - Select this to use an alternate download destination on the Altiris-enabled computer. Enter the desired destination in the field below this check-box. UNC paths are supported. Package destination location on Package Servers (leave blank for default) If desired, enter an alternate download destination on the Package Servers. UNC paths are supported. Altiris Patch Management Solution Help 29 Chapter 3: Using Patch Management Solution User Interface Advanced Tab Items Item Description Package Default Options Package files will be deleted from the client if computer is unused for - This lets you select when software update packages will be deleted from the Altiris-enabled computer if unused. Override Default Multicast Settings - Select this to override the default Multicast Settings from Notification Server. Multicast Package - This option becomes available when the Override Default Multicast Settings option is selected. Select this to multicast the software update package. Program Default Options Run with rights - Specifies whether the program is run with the System Account, Logged in User, or Specified User account. If you select the Specified User, you must specify the user domain in the field below this one. Program can run - Specifies the conditions in which the program can run. The options are Only when a user is logged on, Whether or not a user is logged on, and Only when no user is logged on. If you select Only when a user is logged on, you can select User Input required if you want to allow user input. The User Input required option is only valid when a user is logged in. This option is available if the program run on a computer brings up a User Interface that may require user input to complete its process. Usually, it is safe to keep this option selected, which is why it is selected by default. Minimum connection speed - Select the minimum connection speed for Software Delivery programs to be executed. Before the program is run, the connection speed from the Altiris Agent to the Notification Server is tested. If the connection speed is below the selected speed, the program will not be run. The default is no network connection required. This means there is no default minimum connection speed for Software Delivery programs to run. If a _ kByte/sec speed is chosen, before an Altiris Agent executes a Software Delivery program, it checks the connection speed between the Altiris Agent and the Notification Server. If the connection speed is faster than this speed, then the program gets executed. This only applies to program execution, not package download. The package must already be downloaded for this setting to be utilized. Status Event Options This section lets you enable status events. Enabling status events can add significant overhead to your network. Enable Software Delivery package events - Select to enable Software Delivery package events. These events include packages now being delivered and packages pending. Enable Software Delivery status events - Select to enable Software Delivery status events. Terminate software update task after Terminates the update task after the specified time. Software Inventory One of the most labor-intensive aspects of patch management is the evaluation of patch installation requirements. Patch Management Solution inventories supported operating systems and applications, and the associated service pack level, as well as inventories for installed patches. The inventory information is utilized to automatically create collections based on service pack level for effective distribution targeting. When the Software Update Agent gets deployed, the Inventory Rule Agent also gets installed on the Altiris-enabled computers. The Inventory Rule Agent gathers inventory that is specialized towards identifying different Microsoft product versions. Altiris Patch Management Solution Help 30 Chapter 3: Using Patch Management Solution User Interface The Software Inventory folder can be found by clicking on the Configuration tab and then navigating to Configuration > Solutions Settings > Software Management > Patch Management > Windows in the treeview pane. Global • Default Windows OS Inventory Policy - Gathers operating system (version information) inventory on the Altiris-enabled computer. This helps you determine what OS components need to be installed before you install software updates. • Default Windows Software Release Inventory Policy - Gathers operating system (software release and service pack) inventory from the Altiris-enabled computer. This helps you determine which software updates need to be installed. Microsoft • Default Microsoft Software Inventory Policy - Gathers non-operating system inventory on installed applications, such as Microsoft Office, from the Altiris-enabled computer so collections can be created. These collections are used when creating Software Update tasks. This must be enabled before you can install software updates to a computer. • Default Microsoft Vulnerability Analysis Policy - Gathers data on which software updates have already been installed on the Altiris-enabled computer. This data helps you determine which software updates need to be installed on the computer. When enabled, each of the policies in the Software Inventory folder gather inventory on a specific aspect of the computer. The data gathered can help you determine which computers need which software updates. These policies are enabled by default. To modify an inventory schedule 1 In the Altiris Console, click the Configuration tab. 2 In the treeview pane, select Configuration > Solution Settings > Software Management > Patch Management > Windows > Software Inventory > Global > {policy} or Configuration > Solution Settings > Software Management > Patch Management > Windows > Software Inventory > Microsoft > {policy}. 3 In the content pane, modify the schedule by entering a different time interval. 4 Click the Apply button to save changes. To view Software Management collections Software Management collections are organized by software categories, such as operating system, desktop applications, and server applications. 1 In the Altiris Console, click the Resources tab. 2 In the treeview pane, select Resource Management > Collections > Software Management > Patch Management > Software Update Aggregate Collections. 3 Select a collection and view its members in the content pane. To enable a policy 1 Select Enable. 2 Click the Apply button. Software Update Agent Configuration The Software Update Agent is a plug-in agent for the Altiris Agent that performs the distribution of software updates. This agent needs to be deployed to all Altiris-enabled computers that you want to distribute software updates. The Software Update Agent Configuration folder provides all of the policies and collections needed for configuring the Software Update Agent. The Software Update Agent Configuration folder can be found by clicking on the Configuration tab and then navigating to Configuration > Solutions Settings > Software Management > Patch Management > Windows in the treeview pane. Altiris Patch Management Solution Help 31 Chapter 3: Using Patch Management Solution User Interface The policies in this folder are enabled automatically and get sent to the Software Update Agent as soon as it is deployed. To change the behavior of the agent on a collection of computers, change the policy that is associated with that collection. Microsoft This folder contains these policies and associated collections that are specifically for Microsoft software updates: • All Windows Computers (NT 4.0 and Pre Windows 2000 SP2) with Software Update Agent • All Windows Computers (Post Windows 2000 SP2) with Software Update Agent • All Windows Computers (Windows 98 and Windows ME) with Software Update Agent There are three separate policies because QChain and Windows file protection are not supported on all platforms. IMPORTANT: We recommend that you do not change these settings. By default, these policies are configured for the best performance for Patch Management. General Tab Page Items Item Description Enable Select to enable the policy. Applies to Collections Specifies the collection or collections to which this policy applies. Clicking on the link opens the Collection Selector. Installation Options Reapply all scheduled software updates Apply Click Apply to save changes. Cancel Click Cancel to discard changes. - Select to reapply all scheduled software updates on the Altiris-enabled computer. Software updates can be reapplied when an earlier software update is installed after later software updates. All updates will be installed in the appropriate order to ensure proper file versioning. Patch Management Agent Settings This page lets you provide the settings for the Software Update Agent (see “Software Update Agent” on page 43). These settings apply to all Windows computers that have the Software Update Agent installed. To access this page 1 In the Altiris Console, click the Configuration tab. 2 In the treeview pane, select Configuration > Solutions Settings > Software Management > Patch Management > Windows > Software Update Agent Configuration > All Windows Computers with Software Update Agent Installed. General Tab Items Item Description Enable Select to enable the policy. Applies to Collections Specifies the collection or collections to which this policy applies. Clicking on the link opens the Collection Selector. Altiris Patch Management Solution Help 32 Chapter 3: Using Patch Management Solution User Interface General Tab Items Item Description Scheduling Options These options determine when software updates get installed on the Altiris-enabled computer and when the Altiris-enabled computer gets rebooted after software updates are installed. This allows for effective batching of software update installations. Install software updates - Click on the link to create a schedule for applying software updates to the Altiris-enabled computer. On this schedule, QChain is called to chain the software updates together, and then the software updates are sent to the Altiris-enabled computer. QChain is only applicable to computers running Windows NT 4 or later. This schedule displays on the Software Updates tab of the Altiris Agent. Maximum reinstallation attempts after task failure - Set the number of times Patch Management should attempt to reinstall a software update after a task failure. Number of times to retry software update installation if a reboot is required Sometimes, a software update requires a reboot. This sets the number of times to retry the software update installation after the reboot. Allow users to initiate software update installation - Allows users to initiate the software updates installation from the Altiris Agent by clicking the Start Software Update button. Recovery Option When Altiris Recovery Solution is installed, this option automatically creates a snapshot prior to software update installations. This allows for effective roll back when a software update disrupts computer functions. Apply Click Apply to save changes. Cancel Click Cancel to discard changes. Reboot Tab Items Item Description Default Reboot Options Do not reboot after installation - Select this if you do not want to automatically reboot the user’s computer after a software update installation. Reboot immediately after installation - Select this to reboot the user’s computer immediately after a software update installation. • Allow multiple reboots during the default installation schedule - If you select Reboot immediately after installation, you can select this box to allow multiple reboots during the default installation schedule. Reboot on a schedule - The reboot schedule if the software update requires a reboot. This schedule displays on the Software Updates tab of the Altiris Agent. Reboot Notification Altiris Patch Management Solution Help - These buttons let you control whether or not you want to notify a user when a reboot is required by a software update. Select Never to never notify a user that a reboot is required. The reboot will then happen according to your settings in the Default Reboot Options section. Select Once to notify a user one time that a reboot is required. If the user does not manually reboot, the reboot will happen according to your settings in the Default Reboot Options section. Select On a schedule to notify a user according to the specified schedule that a reboot is required. If the user does not manually reboot, the reboot will happen according to your settings in the Default Reboot Options section. Warn user of pending reboot - Select this option to warn user of a pending reboot. The time you select represents how soon before the pending reboot the user will be warned. After installation notify user a reboot is required 33 Chapter 3: Using Patch Management Solution User Interface Notification Tab Items Item Description Patch Management Notify in advance - Allows users to be notified in advance that a Patch Task Notification Prior Management task is about to run. To Running - Lets users view a dialog showing the progress of Software Update Monitor. Show the Software Update Monitor progress dialog Show the Software Update Monitor progress dialog Reboot Deferral User can defer reboot - Gives the user the option to defer the reboot according to the time you select. Custom Notification Messages This section lets you override default notification messages, which are displayed when the associated notification occurs. Override default reboot notification message - Enter the message you want displayed when a reboot notification occurs. Override default reboot reminder message - Enter the message you want displayed when a reboot reminder occurs. Override default reboot pending message - Enter the message you want displayed when a reboot is pending. Override default update pending message - Enter the message you want displayed when an update is pending. Override default update progress message - Enter the message you want displayed when an update is in progress. Software Update Agent Rollout The Software Update Agent Rollout folder contains two policies and their associated packages and collections. These policies are used for deploying the Software Update Agent and upgrading the Software Update Agent. • The Software Update Agent Install policy deploys the Software Update Agent to all computers in the All Windows Computers Requiring Software Update Agent Install collection (by default). • The Software Update Agent Upgrade policy performs an upgrade of the Software Update Agent to all computers in the All Windows Computers Requiring Software Update Agent Upgrade collection (by default). The Software Update Agent Rollout folder can be found by clicking on the Configuration tab and then navigating to Configuration > Solutions Settings > Software Management > Patch Management > Windows in the treeview pane. Note: Under the Software Update Agent Rollout folder, you will also find two collections and a package associated with these policies. When the Software Update Agent is deployed, the Inventory Rule Agent and the Package Agent are also installed. The Inventory Rule Agent gathers inventory that is granular enough for Patch Management Solution to inform you of which patches need to be distributed to which computers. The Package Agent helps in the sending of software updates. The Software Update Agent gets installed on Altiris-enabled computers after you enable the Software Update Agent Install policy. Software Update Agent Uninstall The Software Update Agent Uninstall folder contains a policy you can use to uninstall the Software Update Agent. This policy uninstalls the Software Update Agent from all computers listed in the Computers With Software Update Agent Installed collection (by default). The Software Update Agent Uninstall folder can be found by clicking on the Configuration tab and then navigating to Configuration > Solutions Settings > Software Management > Patch Management > Windows in the treeview pane. Altiris Patch Management Solution Help 34 Chapter 3: Using Patch Management Solution User Interface Note: Before using this policy, ensure that the Software Update Agent Install policy is disabled. If you want to uninstall the Software Update Agent from your Altiris-enabled computers, enable the Software Update Agent Uninstall policy. A collection has been provided which this policy will use for the uninstallation. You can, however, change the collection or collections that apply to this policy to meet your needs. Distribute Software Update Wizard The Distribute Software Update Wizard allows you to easily create and set up Software Update tasks. These tasks are stored in the Software Update Task folder. Software Update tasks must be created before you can install software updates to Altiris-enabled computers. See Also • “Software Update Task” on page 17 • “Using the Distribute Software Update Wizard” on page 41 Step 1 - Create and Set Up Software Update Tasks What you enter in this step corresponds to the General tab on the Software Bulletin Task page. For more information, see “General Tab Page Items” on page 17. Step 2 - Select the Installation and Reboot Schedule What you enter in this step corresponds to the Options tab on the Software Bulletin Task page. For more information, see “Options Tab Page Items” on page 18. Step 3 - Configure Options for Each Software Update What you enter in this step corresponds to the Advanced tab on the Software Bulletin Task page. For more information, see “Advanced Tab Page Items” on page 19. Step 4 - Summary The summary page allows you to review your settings and go back through the wizard if any changes are necessary. When you click Finish, a Software Update task gets created for this software update on the Tasks tab by navigating to Tasks > Software Management > Patch Management > Software Update Task and clicking on the appropriate vendor folder. Security In addition to standard security roles privileges included in Notification Server, Patch Management Solution provides additional security privileges and permissions for administrating your patches. These privileges and permissions let you assign access to specific tasks, such as enabling patches for distribution and creating distribution tasks. Global Privileges Patch Management Solution adds two global privileges to each role: Enable Software Bulletin and Distribute Software Update. These privileges are similar, but are provided to allow a separation of duties within your organization. • Enable Software Bulletin • Distribute Software Update - If this is enabled, users in this role have the privilege of distributing - If this is enabled, users in this role can enable software bulletins to download the software updates. However, to distribute software updates, they also need the Distribute Software Update privilege. software updates, which includes creating a functional Software Update task. If this is not enabled, users cannot run the Distribute Software Update Wizard or select software bulletins in new Software Update tasks that they create. Therefore, they cannot to create a functional Software Update task. Use this for granting privileges to distribute approved software updates throughout your organization. Altiris Patch Management Solution Help 35 Chapter 3: Using Patch Management Solution User Interface Enable Software Bulletin Versus Distribute Software Update If you grant the Enable Software Bulletin privilege in a role, but not the Distribute Software Update privilege, users in that role can enable or disable any software bulletin. However, they cannot create a functional Software Update task. Users can enable Software Update tasks that have already been created. If you grant the Distribute Software Update privilege in a role, but not the Enable Software Bulletin privilege, users in that role can distribute any software update for any enabled software bulletin. They can enable any Software Update task; however, they cannot enable any software bulletin. If you grant both of these privileges, users can enable software bulletins and distribute software updates for enabled software bulletins. To view or edit Patch Management Security Privileges 1 In the Altiris Console, click the Configuration tab. 2 In the treeview pane, click on Configuration > Server Settings > Notification Server Settings > Security Role Management. 3 In the content pane, choose a security role. 4 View and edit the Software Update Management Privileges section under Global Privileges. 5 Click Apply to save changes. Permissions Patch Management Solution adds a Software Update Management permission to the Permission Selection of a collection. This permission is called Apply Software Update Tasks. Each Software Update task has a target collection. Rights must be granted on the target collection to apply Software Update tasks. This permission lets you limit who can distribute software updates to different classes of computers. Example: this lets you control who can distribute software to servers in your organization. Suppose you have a server support team and a desktop support team. You can limit permissions so each of these teams can only apply software update tasks to the computers that they have responsibility for. You control who has permission to apply software update tasks by limiting who has permission to access the target collection on the Software Update task page. This is found on either the General tab of a Software Update task or the first step in the Distribute Software Update Wizard. With the Apply Software Update Tasks permission, users can only access those collections that they have permission to access in the Applies to target collection field. If they do not have permission, they cannot select any collections for this field, and the Software Update task cannot be properly created. To create an Apply Software Update Tasks permission 1 Set up a role containing the users to whom you want to grant permission. 2 In the Resources tab view, navigate to the collection that the role will be granted permission to use. 3 Right-click on the collection, and select Properties. 4 Select the Security tab. 5 Click the Add button. 6 Select the role you previously set up, and click the Select button. 7 Select the Apply Software Update Tasks permission and any other permissions that you want this role to have. 8 Click the Select button. 9 Click the Apply button to save changes. Altiris Patch Management Solution Help 36 Chapter 3: Using Patch Management Solution User Interface Note: Make sure you grant the necessary parent permissions for this role by granting limited viewing permissions for the tree path on which the collection is located. Example: In the Resources tab view, in the treeview pane, grant this role limited viewing permissions on the Resource Management folder. This lets the role view the whole path to the collection. Otherwise, even though you grant the role permissions for the collection, the user cannot view the path to that collection and cannot actually see the collection. Now, users in the role you have set up can select those collections in the Software Update task that they have permission to select. Configuring Background Actions Patch Management Solution includes a number of Background Actions for the Notification Server. These actions run automatically when required and assist in updating key components of Patch Management Solution. This section shows you how to locate the Background Actions in the Altiris Console, modify parameters associated with the actions, and track the status of ongoing updates. To locate Background Actions 1 Open the Altiris Console, and click the Configuration tab. 2 In the treeview pane, select Configuration > Solution Settings > Software Management > Patch Management > Server Settings. 3 Some Background Actions are found in the Global Settings folder and some in the Microsoft folder. The descriptions for the Background Actions appear in the following tables. Settings Global Settings Action Description Download Software Update Packages This action specifies where software updates are stored on the Notification Server when they are automatically downloaded from the vendor Web site. Microsoft Settings Action Description Download QChain This action automatically downloads the Microsoft QChain executable and places it in the appropriate directory on the Notification Server. This program is used to chain software updates together when sending them to the Altiris-enabled computer. This will only work for Altiris Agents running Windows NT 4 or later. Import Microsoft Software Management Resources This action downloads the Altiris PMImport CAB files and starts the data import into the Notification Database. Note: A PMImport.cab file is downloaded as well as PMImport CAB files for each language you select in “Patch Management Core Configuration” on page 25. To modify Background Action Parameters Background Actions include configurable parameters that specify the download locations, how often the actions are run, and whether or not to update the item when a file change is detected. 1 Select a Background Action. 2 On the General tab, review the options available or modify the schedule to a weekly or custom schedule. Note: The Download Software Update Packages Background Action has no schedule to edit. Altiris Patch Management Solution Help 37 Chapter 3: Using Patch Management Solution Software Resources To track Background Action 1 Select a Background Action. 2 Click the History tab to view the information on the Background Action. The table includes the status, when the task started, and when the task completed. To run a Background Action • In the treeview pane, right-click the Background Action you want to run, and select Start Task from the context menu. See Also • “Global Settings” on page 25 • “Microsoft Settings” on page 27 Software Resources Patch Management Solution includes an information repository specifically tailored to automate the patch management process. This repository consists of the software management resources imported by the Import Microsoft Software Management Resources Background Action (see “Configuring Background Actions” on page 37). This repository provides a significant amount of data on software bulletins and software updates. These resources are then exposed and utilized in various aspects of the Patch Management Solution, including being used for creating collections. This section discusses software management resources so you can gain a general understanding of the information used in the Patch Management Solution. See Also • “Resources Tab View” on page 23 Resource Types A resource type is a template for entering resource data. With each resource type, attributes are specified, which define the data stored about a resource. There are a number of resource types specific to Patch Management Solution. To view resource type information 1 In the Altiris Console, click the Configuration tab. 2 In the treeview pane, select Configuration > Resource Settings > Resource Types > Software Management > Patch Management. 3 Select a folder, then select a resource. 4 In the content pane, click the List Resources tab. You can view the various software installation types. This information helps classify software update packages and provides information on the methods required to install a particular software update. Resources A resource is the most generic term to mean any item that is tracked or managed by the Altiris Infrastructure. Patch Management Solution utilizes resources to track the various software bulletins, software updates, and software releases. Altiris Patch Management Solution Help 38 Chapter 3: Using Patch Management Solution Software Bulletins To view a Patch Management resource 1 In the Altiris Console, click the Resources tab. 2 In the treeview pane, select Resource Management > Resources > Software Management > Software Releases > Operating Systems > Operating System Applications. 3 In the content pane, right-click on a resource and select Resource Manager. 4 The Managing Resource window appears. This view provides additional information on the selected resource. Example: if you selected an operating system resource, it provides general information on the version. 5 Click the Associations tab. This view provides additional information that associates other resource data to the selected resource. 6 In the drop-down menu, select Service Pack Applies to Software Release. The table now displays all the service packs available for resource. Software Bulletins This section tells you how to view software bulletins and use them to distribute software updates. For more information on software bulletins, see “Manage Software Updates” on page 20. Quick Links • “Viewing Available Software Bulletins” on page 39 • “Viewing Details on a Software Bulletin” on page 39 • “Downloading Software Bulletins and Distributing Software Updates” on page 40 Viewing Available Software Bulletins To view available software bulletins 1 In the Altiris Console, click the Tasks tab. 2 In the treeview pane, select Tasks > Software Management > Patch Management > Manage Software Updates. In the content pane, you can view all of the current software bulletins in the database. The default view is All Software Bulletins. You can modify the contents of the table to view the data in different ways. To view software bulletins by software release 1 From the drop-down list, select Software Bulletins by Software Component for Windows. 2 Select the Status, Bulletin Severity, Software Component, and Software Bulletin information to filter the results. 3 Click the Update button. Viewing Details on a Software Bulletin Each software bulletin has a Resource Manager view that provides summary information on the software bulletin and lists all of the available executables for the software bulletin. 1 In the Altiris Console, click the Tasks tab. 2 In the treeview pane, select Tasks > Software Management > Patch Management > Manage Software Updates. 3 In the Software Bulletin list, right-click on a software bulletin, and select Resource Manager. 4 The Summary tab provides summary information on the selected software bulletin. Scroll down to view information on the affected software release or to access the Microsoft TechNet bulletin. Altiris Patch Management Solution Help 39 Chapter 3: Using Patch Management Solution Software Updates 5 Select the Associations tab to view information on all the software update executables available for this software bulletin. 6 From the Associations tab, you can right-click on the Software Bulletin To Software Update association type and select Resource Manager to view software update drill-down information. From this Resource Manager page, you can view specific information on the software update. Downloading Software Bulletins and Distributing Software Updates After Patch Management Solution is installed, the Altiris PMImport CAB files are automatically downloaded from an Altiris Web site and extracted to the install path\Altiris\Patch Management\Import folder. After the Altiris PMImport CAB files have been extracted, its information gets placed in the Notification Database. This process can take several minutes depending on the speed of your processor. When this process is completed, you can view the imported information on the Manage Software Updates page (see “Manage Software Updates” on page 20). From the Manage Software Updates page, you can view software bulletins (see “Viewing Available Software Bulletins” on page 39), enable them for download, and create Software Update tasks to distribute security patches to Altiris-enabled computers. To download software updates for one or more software bulletins 1 Open the Altiris Console. 2 Click the Tasks tab. 3 In the treeview pane, navigate to Tasks > Software Management > Patch Management > Manage Software Updates. 4 In the content pane, in the Show drop-down menu, select All Software Bulletins. 5 Click the Update button. 6 Select one or more software bulletins from the bulletin list. 7 Click the Enable Bulletin toolbar item to enable all selected bulletins. Note: Alternatively, you can right-click on a software bulletin, and select Enable. Note: After software bulletins have been enabled, “True” is displayed in the Enabled column. Click the Update button to see a refresh of this list. Patch Management Solution now launches the Download Software Update Packages Background Action to download software updates for each enabled software bulletin. You can view the status of the download by clicking the History tab on the Download Software Update Packages page. You can also view the status through the Notification Server Log Files. For more information, see the Altiris Notification Server Reference. After the software updates are downloaded, Patch Management Solution automatically creates the package shares on the Notification Server, and the software bulletin packages get deployed. In the All Software Bulletins view, you can view the enabled bulletins and the number of executables available for distribution. To distribute a software update using a Software Update task, see “Using the Distribute Software Update Wizard” on page 41. Software Updates Patch Management Solution includes a Distribute Software Update Wizard that simplifies the management of distribution policies. Instead of creating a task for each individual software update, you create a single policy for each software bulletin. Example: if you have 3 software bulletins with 7 software updates each, you only have to manage 3 distribution tasks instead of 21 distribution tasks. Altiris Patch Management Solution Help 40 Chapter 3: Using Patch Management Solution Software Updates Patch Management Solution also provides automated evaluation of patch dependencies to substantially reduce the labor requirements of patch management. This is accomplished by using two computer collections: one to target the general distribution and one to target the correct executable to the right computer. For more information on these collections, see “Software Update Task” on page 17. This section discusses software updates, including how to use the Distribute Software Update Wizard and modifying Software Update tasks. Quick Links • “Using the Distribute Software Update Wizard” on page 41 • “Modifying Software Update Tasks” on page 42 Using the Distribute Software Update Wizard The Distribute Software Update Wizard has four steps. The first step is similar to the General tab view of the Software Update task (see “Software Update Task” on page 17). This step lets you select general information for the Software Update task. The second step is similar to the Options tab view of the Software Update task (see “Software Update Task” on page 17). This step lets you select the schedule, reboot, and multicast options. The third step is similar to the Advanced tab view of the Software Update task (see “Software Update Task” on page 17). This step lets you configure each software update in the software bulletin. The fourth step lets you review your configuration before finishing the wizard. If you do not choose to use the wizard, you can create a new Software Update task and configure it to send software updates. However, we highly recommend using the wizard. Using the wizard ensures that the software bulletin information is already selected and the correct collections are automatically applied. To use the Distribute Software Update Wizard to distribute software updates 1 Open the Altiris Console. 2 Click the Tasks tab. 3 In the treeview pane, navigate to Tasks > Software Management > Patch Management > Manage Software Updates. 4 In the content pane, in the Show drop-down menu, select All Software Bulletins. 5 Select the software bulletin that you want to distribute from the bulletin list. Note: All updates for the software bulletin must be downloaded before launching the Distribute Software Update Wizard. 6 Click the Software Bulletin Wizard toolbar item to launch the Distribute Software Update Wizard. 7 If you want to enable the Software Update task as soon as it is created, select Enable. 8 Enter a name for the task, or accept the default. 9 Enter a description, or accept the default. 10 The chosen software bulletin is listed under Software Bulletin. This is automatically inserted based on the software bulletin you selected. If you want to change it, select a different software bulletin. 11 Under Applies to target collection, the appropriate collection for the selected software bulletin is displayed. If you need to, you can select another collection to which you want to apply the Software Update task. However, we recommend accepting the default. If you change this collection, the one you choose should be broad enough to include all computers that the updates in this bulletin will go to. You can narrow the targeted computers for each update in step 3 of the wizard. Altiris Patch Management Solution Help 41 Chapter 3: Using Patch Management Solution Software Updates Note: The target collection is automatically populated based on the software bulletin you chose. Note: The target collection can contain any combination of operating systems and applications. This collection is used to target the distribution. If you change this collection, we recommend that you use general management collections (Example: an Active Directory OU collection) or a functional collection (Example: all computers in a specific office). 12 Click Next to go to step 2 in the wizard. In this step, you can configure the installation and reboot schedule for the task 13 Select the desired options according to your needs or accept the default. 14 Click Next to go to step 3 in the wizard. 15 The settings on this page can be left alone until the Software Update task is created. However, the following steps will take you through this page if you do want to make any changes. a Select a software update from the software update list (Select software update to configure). Note: The options on this page apply to the selected software update. b The Installation Requirements section is for informational purposes. c You do not need to enable the selected software update now. After the Software Update task is created and enabled, all of its software updates are automatically enabled. If you want any software updates disabled, you must manually do so after the task has been enabled. d Next to Applies to prerequisites collection, the appropriate prerequisites collection is displayed. If you need to, you can select another prerequisites collection for this software update to go to. However, we recommend that you accept the default. Note: The collections specified on this page are used to ensure that the correct software update is applied to the correct computer in the target collection based on the computer's inventory and the software update's installation requirements. e f 16 The appropriate Installation Options are automatically entered for the selected software update. Only experienced users should change these. If you want to view and edit the Software Update package, click Go to Software Update Package. Click Next to see the summary page. Note: You can click Back to change any of these settings. 17 Click Finish to create the Software Update task. The task will be created in the Software Update Task > Microsoft folder (see “Software Update Task” on page 17). Note: The task needs to be enabled before it will send the software update(s). When you enable the task, each software update associated with the software bulletin will be enabled automatically. However, you can then disable any unwanted software update before clicking the Apply button. After a Software Update task has been created and enabled, it gets sent to the computers in the selected collection(s). The Software Update agent then runs the task, which downloads the Software Update package and installs it on the Altiris-enabled computer. Modifying Software Update Tasks To modify Software Update Tasks 1 In the Altiris Console, click the Tasks tab. 2 In the treeview pane, select Tasks > Software Management > Patch Management > Software Update Task > Microsoft. 3 Select the task in the treeview pane and modify the properties in the content pane. 4 Click Apply to save changes. Altiris Patch Management Solution Help 42 Chapter 3: Using Patch Management Solution Software Update Agent Software Update Agent Patch Management Solution includes a Software Update Agent that must be deployed on Altirisenabled computers on which you want to use the Patch Management Solution features. The Software Update Agent manages all of the Patch Management Solution functionality on the Altiris-enabled computer. It inventories programs that are installed on the Altiris-enabled computer and sends this data to the Notification Server. It then uses this information to track applications that are installed on the Altiris-enabled computer and matches them with packages that are defined by the Notification Server. You can use this information in deciding which applications to send to which Altiris-enabled computers. Finally, it installs the software updates that you push out to the Altiris-enabled computer. Note: When the Software Update Agent is installed, the Inventory Rule Agent and the Package Agent are automatically installed also. IMPORTANT: If you have a large number of computers to which you want to deploy the Software Update Agent, consider deploying the agent during off-peak hours to minimize network traffic at peak times. To deploy the Software Update Agent IMPORTANT: Before deploying the Software Update Agent on a computer, the Altiris Agent must already be installed on that computer. 1 In the Altiris Console, click the Configuration tab. 2 In the treeview pane, navigate to Configuration > Solutions Settings > Software Management > Patch Management > Windows > Software Update Agent Rollout. 3 Select the Software Update Agent Install policy. 4 In the content pane, make any desired changes. We recommend accepting the defaults. By default, the Software Update Agent is deployed as soon as possible after the policy is enabled to computers in the All Windows Computers without Software Update Agent Installed collection. 5 Select the Enable check box. 6 Click the Apply button. By default, a new Software Updates tab will appear in the Altiris Agent console which shows software updates for that computer. Note: This can take some time depending on how many Altiris-enabled computers you have and on your Altiris Agent settings. Quick Links • “Software Update Agent Configuration Policies” on page 43 • “Software Update Agent User Interface” on page 44 • “Upgrading the Software Update Agent” on page 46 • “Uninstalling the Software Update Agent” on page 46 Software Update Agent Configuration Policies Software Update Agent configuration policies help you configure the Software Update Agent on Altiris-enabled computers. They are set up so that only one configuration policy will go to a particular computer. You can clone these configuration policies and change them to fit your needs. You can also change the collections that they get sent to. However, it is important that each Altirisenabled computer only receive one configuration policy. By default, there are three Software Update Agent configuration policies: one policy for NT 4.0 and Pre-Windows 2000 SP2 computers, one policy for Post-Windows 2000 SP2 computers, and one policy for Windows 98 and ME computers. Altiris Patch Management Solution Help 43 Chapter 3: Using Patch Management Solution Software Update Agent The reason that there is a distinction between Pre and Post Windows SP2 is that Post Windows SP2 computers do not require patches to be reapplied because Windows guarantees that the newer system files will not be replaced. To modify a Software Update Agent configuration policy 1 In the treeview pane, select Configuration > Software Management > Patch Management > Windows > Software Update Agent Configuration > Microsoft. 2 In the content pane, click the General tab. 3 Modify the properties you want. 4 Make sure the policy is enabled (Software Update Agent configuration policies are enabled by default). 5 Click the Apply button. See Also • “Software Update Agent Configuration” on page 31 Software Update Agent User Interface When the Software Update Agent is installed on an Altiris-enabled computer, a Software Updates tab appears on the Altiris Agent console. From this tab, computer users can view the software updates that have been downloaded to their computer. They can view all received software updates, both those that have been scheduled to be installed and those that have been installed. Column Description Name The name of the software update. Schedule Yes = This software update has been scheduled to be installed. No = This software update has not been scheduled to be installed. Altiris Patch Management Solution Help 44 Chapter 3: Using Patch Management Solution Software Update Agent Column Description Last Applied The date/time of the last applied download. The last install time is displayed only if the Software Update Agent installs the software update. If the software update is already installed (another source installed the software update) when the Software Update Agent goes to install it the first time, this field will display “Never”. Status Displays the installation status of the software update. The following are the possible status icons or text found in this field. Note: The Applicable and IsInstalled rules mentioned below are rules found in the PMImport.cab files. Not all updates have an IsInstalled rule. There is a lesser degree of IsInstalled rules for older and non-English updates. ICONS • red error icon - The maximum reapplication retries for a failed software update has been exceeded. • yellow warning icon - The software update has failed to be applied at least once, but has not exceeded the maximum reapplication retries. It will be reapplied. • green tick icon - The Applicable rule is TRUE and the IsInstalled rule indicates that the update is already installed. It may not have actually been installed by the agent; if this is the case, then the Last Applied date will be empty. • clock icon - The Applicable rule is true and the IsInstalled rule is FALSE. The software update will be scheduled for installation. • icon info - The Applicable rule has evaluated false. This means the software update does not apply to this computer. It is also possible to configure the agent NOT to display software updates which do not apply. • blank - This usually means the rules for the software update have not yet been evaluated. TEXT • “Failed to Install” - The maximum reapplication retries for a failed software update has been exceeded. • “Installation Failed - Rescheduled” - The software update has failed to be applied at least once but has not exceeded the maximum reapplication retries. It will be reapplied. • “Installed” - The Applicable rule is TRUE and the IsInstalled rule indicates that it is already installed. If the Last Applied date is not empty, it means that the agent has installed the update. • “Installation Scheduled” - The Applicable rule is true and the IsInstalled rule is FALSE. The software update will be scheduled for installation. • “Not Applicable” - The Applicable rule has evaluated false. This means the software update does not apply to this computer. • “Pending” - The Applicable and IsInstalled rules have not yet been evaluated. Note: The agent uses the IsInstalled rule to check the applicability of a software update before installing it. If there is no IsInstalled rule for the software update, the software update will be installed if it has not been previously installed by the Software Update Agent (the Last Applied date is not empty). Depending on the Software Update Agent configuration settings, the computer user can initiate software updates installation by clicking the Start Software Update button. For more information, see “Software Update Agent Configuration” on page 31. Altiris Patch Management Solution Help 45 Chapter 3: Using Patch Management Solution Notification Policies and Reports Upgrading the Software Update Agent The Software Update Agent Upgrade policy is used to upgrade the Software Update Agent. If the Software Agent Upgrade policy is enabled, Patch Management Solution automatically upgrades older versions of the Software Update Agent on Altiris-enabled computers when a newer agent is available from the Notification Server. Newer versions of the Software Update Agent are bundled with Patch Management Solution. When you install a newer version of the Patch Management Solution with a newer agent, you will get the latest version of the Software Update Agent available. Uninstalling the Software Update Agent You can uninstall the Software Update Agent if there is an extended period of time when you do not want to use the Patch Management Solution features on an Altiris-enabled computer and you want to eliminate any overhead caused by the agent. Note: After you use the Software Update Agent Uninstall policy once to uninstall the agent from an Altiris-enabled computer, you cannot use the same policy to uninstall the agent from that computer using the Run this task 'As Soon As Possible' option. To use the policy again, set a schedule for running the policy. To uninstall the Software Update Agent 1 In the Altiris Console, click the Configuration tab. 2 In the treeview pane, click Configuration > Solution Settings > Software Management > Patch Management > Windows > Software Update Agent Rollout > Software Update Agent Install. 3 In the content pane, clear the Enable check box. 4 In the treeview pane, select Configuration > Solution Settings > Software Management > Patch Management > Windows > Software Update Agent Uninstall > Software Update Agent Uninstall. 5 In the content pane, ensure that the correct collection is selected in the Applies to Collections field. 6 Select whether or not you want to disable download via multicast. 7 Specify the scheduling options. 8 Select the Enable check box. 9 Click the Apply button. 10 Restart the managed computer after the Software Update Agent has been uninstalled. The Software Update Agent will be removed from the managed computers as soon as possible after the policy is enabled. If at a later time you want to reinstall the Software Update Agent, make sure you disable this Software Update Agent Uninstall policy. Notification Policies and Reports This section shows you how to view Notification Policies and default reports provided with Patch Management Solution. See Also • “Reports Tab View” on page 24 • “Notification Policies” on page 16 Viewing Notification Policies Patch Management Solution includes the predefined Notification Policies that alert you of important events, such as when there are new software bulletins. Altiris Patch Management Solution Help 46 Chapter 3: Using Patch Management Solution Resource Manager To view Patch Management Notification Policies 1 In the Altiris Console, click the Tasks tab. 2 In the treeview pane, select Tasks > Software Management > Patch Management > Notification Policies > Global. 3 To enable a policy, select the policy, then select Enable in the content pane. Viewing Reports To run and view a report 1 In the Altiris Console, click the Reports tab. 2 In the treeview pane, click on Reports > Software Management > Patch Management. 3 A list of available report categories appears in the content pane. Click on a particular category and choose a report. 4 In the content pane, click on Run this Report. The report will generate in the content pane. 5 To save the report for future use, click on the Save toolbar item. In the pop-up dialog, provide a name for the report, and click OK. 6 To verify the report has been saved, click on the Home toolbar item, and then select View Saved A list of saved reports will display. Double-click any saved item to recall the report. Reports. Resource Manager Patch Management adds several useful items to the Resource Manager. These items are described in the following sections. Quick Links • “Software Update Summary” on page 47 • “Inventory Data Classes” on page 47 Software Update Summary Patch Management provides a software update summary page on the Resource Manager. This lets you view software update information on a specific computer, such as how many software updates have run or failed. To view this summary information 1 2 Click the Configuration tab. In the treeview pane, navigate to Configuration > Resource Settings > Resource Types > Asset Types > IT > Computer. 3 In the content pane, click the List Resources tab. 4 Find the computer you want in the list. 5 Right-click on the computer name and select Resource Manager. 6 Click the Summaries tab. 7 In the treeview pane, navigate to Resource Manager > Software Update Summary. Inventory Data Classes Patch Management provides inventory data class information on the Resource Manager. This lets you see what software is installed on a computer without viewing a report. Altiris Patch Management Solution Help 47 Chapter 3: Using Patch Management Solution Reporting on Patch Management Data in a Hierarchy To view inventory data class information 1 2 Click the Configuration tab. In the treeview pane, navigate to Configuration > Resource Settings > Resource Types > Asset Types > IT > Computer. 3 In the content pane, click the List Resources tab. 4 Find the computer you want in the list. 5 Right-click on the computer name and select Resource Manager. 6 Click the Inventory tab. 7 In the treeview pane, navigate to Data Classes > Software Management > Patch Management. You can double-click on some items to view drill-down information. Reporting on Patch Management Data in a Hierarchy If you have multiple Notification Servers reporting up to one central Notification Server, you can view update compliance reports for your entire organization from a single console. The Software Update Agent sends update data from the computer to a Notification Server. This update data is inventory data. You can configure any Notification Server to forward inventory data to a parent Notification Server. Patch Management Solution for Windows needs to be installed on the parent Notification Server so you can run reports provided by Patch Management Solution for Windows. When you run Patch Management Solution-specific reports on the parent Notification Server, you are able to view your entire organization’s update data. Note: From the parent Notification Server, you can run all reports based upon inventory classes. Troubleshooting This section lists a common troubleshooting problem and gives a probable resolution. Quick Link • “Software Updates Not Downloading” on page 48 • “Reboot on a Schedule not Working Properly” on page 49 • “Agent Reboot Warning and Snooze Option does not Appear to a User Remotely Connected via Terminal Service” on page 49 • “Windows Update Error Codes” on page 49 Software Updates Not Downloading Sometimes, during the software update download process, the software updates stop downloading. This can happen if the PMImport.cab files get re-imported while the software updates are downloading. If this happens, you need to do one of the following so that the software updates can finish downloading: • • Enable another software bulletin. This will add it to the queue and reattempt to download software update files again. (This works for disabling an existing one and re-enabling.) Navigate to the Download Software Update Packages Background Task, right-click and select Start Task. The Download Software Update Packages Background Task is found on the Configuration tab by navigating to Configuration > Solutions Settings > Software Management > Patch Management > Server Settings > Global Settings. Altiris Patch Management Solution Help 48 Chapter 3: Using Patch Management Solution Troubleshooting Reboot on a Schedule not Working Properly Problem: You set up to reboot the Altiris-enabled computer on a schedule (on the Patch Management Agent Settings page), but the computer does not reboot at the scheduled time. Solution: You do not need to do anything. The computer will reboot as soon as it can after the scheduled time. The agent may take a few minutes to process the scheduled event because the agent can only perform one action at a time. Agent Reboot Warning and Snooze Option does not Appear to a User Remotely Connected via Terminal Service This is working as designed. Because these notifications require responses from the user, they will only be sent to the user of the primary session. Windows Update Error Codes After a successful Windows update, one of the error codes described in the following table are returned. All other error codes that are returned by a Windows update are failure error codes. For information on these error codes, search for “List of error codes and error messages for Windows Installer processes” on the Microsoft Web site. Value Error Code Description 0 ERROR_SUCCESS Action completed successfully. 1604 ERROR_INSTALL_SUSPEND Installation suspended, incomplete. 1641 ERROR_SUCCESS_REBOOT_I The installation has started a reboot. NITIATED 3010 ERROR_SUCCESS_REBOOT_ A reboot is required to complete the install. REQUIRED 3011 ERROR_SUCCESS_RESTART A restart is required to complete the install. _REQUIRED Altiris Patch Management Solution Help 49 Index A actions background 37 agent inventory rule 23 software update 31, 34 software update interface 44 B background actions 37 bulletin information 22 bulletins 20, 39 C configuration 25 copyright 2 creation date of document 2 D distribute software update wizard 35, 41 document print date 2 H hierarchy reporting in 48 I installed software update 45 inventory software 30 inventory rule agent 8, 9, 13, 23, 30, 34, 43 L legal notice 2 licensing 11 licensing 11 uninstalling 11 using 12 patent 2 product version 2 W wizard distribute software update 35, 41 R reboot add after installation of update 19 not working according to settings 49 recovery solution 33 integration 6 report right-click 22 reports 24, 46 resource manager 39 detailed bulletin information 22 resource types 38 resources 23, 38 right-click report 22 S security 35 shortcut 22 software bulletins 20, 39 software inventory 30 software resources 38 software update installed 45 software update agent 31, 34 uninstalling 46 upgrading 46 software update summary 47 software update task 17 software updates 40 summary of software updates 47 T M menu items 22 N notice 2 notification policies 16, 46 Notification Servers viewing reports when using multiple 48 P tasks 16 trademark 2 U uninstalling 11 uninstalling software update agent 46 upgrading software update agent 46 using 12 V version 2 Patch Management Solution Altiris Patch Management Solution Help 50

Altiris Patch Management Solution for Windows Help

Products

Support

Altiris Patch Management Solution for Windows Help

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib