Page 1
Altiris™ Patch Management
Solution for Windows from
Symantec User Guide
Version 7.0 SP2
Page 2
Altiris™ Patch Management Solution for Windows from
Symantec User Guide
The software described in this book is furnished under a license agreement and may be used
only in accordance with the terms of the agreement.
Legal Notice
Copyright © 2010 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, Altiris, and any Altiris or Symantec trademarks used in the
product are trademarks or registered trademarks of Symantec Corporation or its affiliates
in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THE DOCUMENTATION ISPROVIDED"AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO
BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL
OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED
IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Page 3
Technical Support
Symantec Technical Support maintains support centers globally. Technical
Support’s primary role is to respond to specific queries about product features
and functionality. The Technical Support group also creates content for our online
Knowledge Base. The Technical Support group works collaboratively with the
other functional areas within Symantec to answer your questions in a timely
fashion. For example, the Technical Support group workswith Product Engineering
and Symantec Security Response to provide alerting services and virus definition
updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right
amount of service for any size organization
■ Telephone and/or web-based support that provides rapid response and
up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7
days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our web site
at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement
and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support
information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be
at the computer on which the problem occurred, incase it is necessaryto replicate
the problem.
When you contact Technical Support, please have the following information
available:
■ Product release level
Page 4
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical
support web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals
Page 5
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please
contact the support agreement administration team for your region as follows:
customercare_apac@symantec.comAsia-Pacific and Japan
semea@symantec.comEurope, Middle-East, and Africa
supportsolutions@symantec.comNorth America and Latin America
Additional enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your
investment in Symantec products and to develop your knowledge, expertise, and
global insight, which enable you to manage your business risks proactively.
Enterprise services that are available include the following:
Managed Services remove the burden of managing and monitoring security
devices and events, ensuring rapid response to real threats.
Managed Services
Symantec Consulting Services provide on-site technical expertise from
Symantec and its trusted partners. Symantec Consulting Services offer a variety
of prepackaged and customizable options that include assessment, design,
implementation, monitoring, and management capabilities. Each is focused on
establishing and maintaining the integrity and availability of your IT resources.
Consulting Services
Education Services provide a full array of technical training, security education,
security certification, and awareness communication programs.
Education Services
To access more information about enterprise services, please visit our web site
at the following URL:
www.symantec.com/business/services/
Select your country or language from the site index.
Page 6
Page 7
Technical Support .... . . . .............. . . .............. . . . .............. . . . .............. . . .............. . . . ..... 3
Chapter 1 Introducing Patch Management Solution for
Windows .. . . .............. . . . .............. . . . .............. . . .............. . . . ... 11
About Patch Management Solution for Windows .... . . . .............. . . . ....... 11
How Patch Management Solution for Windows works .. . .............. . . . ..... 12
Where to get more information .. . .............. . . .............. . . . .............. . . . .. 13
Chapter 2 Implementing Patch Management Solution for
Windows .. . . .............. . . . .............. . . . .............. . . .............. . . . ... 15
Implementing Patch Management Solution for Windows . . . .............. . . . . 15
Chapter 3 Installing Patch Management Solution for
Windows .. . . .............. . . . .............. . . . .............. . . .............. . . . ... 17
Prerequisites for Patch Management Solution for Windows ... . . . ........... 17
Installing Patch Management Solution for Windows .. .............. . . . ........ 18
Upgrading Patch Management Solution for Windows . . . . .............. . . . .... 18
Migrating from Patch Management Solution for Windows 6.2 to
7.x ......... . . .............. . . . .............. . . . ............. . . . .............. . . . ......... 18
Uninstalling Patch Management Solution for Windows ........... . . .......... 21
Licensing ....... . . . .............. . . . .............. . . .............. . . . .............. . . . ....... 21
Chapter 4 Installing the Software Update Plug-in .... . . .............. . . . ... 23
About the Software Update Plug-in ... . . . . ............. . . . .............. . . . ......... 23
Installing the Software Update Plug-in ............ . . . .............. . . . ............. 24
Upgrading the Software Update Plug-in . . .............. . . . .............. . . . ....... 24
Uninstalling the Software Update Plug-in ........ . . . .............. . . .............. 25
About the Software Update Plug-in user interface .. . . . ............. . . . ......... 25
Chapter 5 Configuring Patch Management Solution for
Windows .. . . .............. . . . .............. . . . .............. . . .............. . . . ... 29
Configuring patch management Core Services settings .. .............. . . . .... 29
Customizing severity levels . . . ............. . . . .............. . . . .............. . . . . ...... 30
Contents
Page 8
Configuring vendor settings .............. . . . ............. . . . .............. . . . ......... 31
Configuring software updates installation settings . .............. . . ........... 31
Configuring inventory and vulnerabilities checking interval ........ . . . ..... 32
Core Services page ............. . . . ............. . . . .............. . . . .............. . . . ..... 33
Patch management vendor settings page .... . . . .............. . . . ............. . . . .. 33
Default Software Update Plug-in Policy page ............ . . . .............. . . . ..... 35
Chapter 6 Configuring Patch Management server tasks ........ . . . .... 39
About Patch Management server tasks ....... . . . ............. . . . .............. . . . .. 39
Downloading software updates catalog .. .............. . . . .............. . . . ........ 40
Downloading QChain ............ . . .............. . . . .............. . . . .............. . . .... 41
Checking Software Update packages integrity .. . ............. . . . .............. . 42
Patch Management Import page ... . . . .............. . . . .............. . . . ............. 42
Download QChain page . . . .............. . . . ............. . . . .............. . . . ............ 43
Chapter 7 Staging and distributing software bulletins and
software updates .......... . . . .............. . . . ............. . . . ............. 45
About software updates and software bulletins ..... . . . .............. . . . ......... 45
About staging and distributing software bulletins ....... . . . .............. . . .... 46
Staging software bulletins ... . . . .............. . . . .............. . . . ............. . . . ..... 47
Distributing software updates ... . . . .............. . . . ............. . . . .............. . . . 48
Viewing the software update delivery summary report . . . . .............. . . ... 49
About Software Update policies and maintenance windows ........... . . . ... 49
Patch Remediation Center page . . .............. . . . ............. . . . .............. . . . .. 49
Software Update Policy Wizard pages ......... . . .............. . . . .............. . . . . 51
Chapter 8 Using Patch Management reports .. ............. . . . .............. . . . 53
About Patch Management Solution for Windows reports ...... . . . ............ 53
About compliance reports .. . .............. . . . .............. . . .............. . . . ......... 54
About diagnostic reports ........ . . . .............. . . . .............. . . . ............. . . . .. 55
About remediation status reports . .............. . . . .............. . . .............. . . . . 55
About software bulletin reports ........... . . . .............. . . . ............. . . . ...... 55
About the Patch Management home page ... . . . . ............. . . . .............. . . . . 55
Viewing Patch Management reports ........... . . .............. . . . .............. . . . . 56
Chapter 9 Replicating Patch Management data in
hierarchy ... . . . . ............. . . . .............. . . . .............. . . . . ............. . . 59
About replicating Patch Management data ............. . . .............. . . . ........ 59
About Patch Management Language Alert rule ........ . . . .............. . . ....... 60
Replicating Patch Management language alerts ........... . . . ............. . . . ... 60
Contents8
Page 9
About Patch Management software update catalog replication .......... . . . 61
Replicating Patch Management import data . . .............. . . . .............. . . . .. 61
About Software Update policy replication .. . . . .............. . . .............. . . . ... 62
Replicating Software Update policies ............. . . . .............. . . . ............. . 62
Appendix A Technical reference . .............. . . . ............. . . . .............. . . . ......... 65
About hierarchy and data replication direction ..... . . . .............. . . . ......... 65
About Patch Management security roles .......... . . . ............. . . . .............. 66
Index ....... . . .............. . . . .............. . . . .............. . . .............. . . . .............. . . . .............. . . ....... 69
9Contents
Page 10
Contents10
Page 11
Introducing Patch
Management Solution for
Windows
This chapter includes the following topics:
■ About Patch Management Solution for Windows
■ How Patch Management Solution for Windows works
■ Where to get more information
About Patch Management Solution for Windows
Patch Management Solution for Windows takesinventory of managed computers
to determine the operating system and software updates (patches) they require.
The solution then downloads the required patches and provides wizards to help
you deploy patches. The solution enables you to set up a patch update schedule
to ensure that managed computers are kept up-to-date with the latest vendor
security updates. Managed computers are then protected on an on-going basis.
Key features include a comprehensive software repository that automates the
downloads from the vendor site before distribution without administrator
intervention. The repository provides comprehensive data on software bulletins,
software updates, inventory rules, such as technical details, severity ratings, and
number of executables. The process of populating the information repository
from the Microsoft Patch Management Import files can be started after installation
is complete.
To reduce labor, the Software Update Plug-in automatically analyses managed
computer. The Software Update Plug-in gathers Patch-specific inventory on
1
Chapter
Page 12
supported operating systems, applications, and the associated service pack level.
The inventory data is used to determine whether a patch is required or not.
Inventory results populate predefined filters. The Software Update Policy Wizard
then automatically assigns software updates to relevant filters. The wizard also
simplifies the management of distribution. Instead of creating a policy for each
individual software update, you create a single policy for the relevant software
bulletin. For example, if three software bulletins with seven software updates
address various operating systems in various languages, you onlyhave to manage
three distribution policies. If you want to, you can modify any default settings
and command-line options in a Software Update policy.
Integration with Notification Server 7.0 includes features such as hierarchy and
maintenance windows. Hierarchy lets you configure features and settings for a
parent Notification Server, then pass the settings down to child Notification
Servers . Further on integration, Patch Management Solution for Windows can
be used with other Altiris solutions from Symantec such as Altiris® Recovery
Solution from Symantec. After Recovery Solution is installed, Patch Management
Solution for Windows provides an agent option to automatically create a snapshot
before patch installations. Snapshots allow for rollback when a patch causes a
problem.
How Patch Management Solution for Windows works
This section provides an overview of how inventory information is used to decide
which software update packages to distribute. From software update packages,
you create the Software Update policies that send the associated packages to
managed computers and install the appropriate software update programs.
After Patch Management Solution for Windows is installed, it downloads complete
software bulletin information from the Altiris Web site. Information includes the
severity of each software bulletin, details on its software updates, and where they
can be downloaded from Microsoft or Adobe. This information also includes rules
for creating filters and rules on how to verify that a software update is installed.
Patch Management Solution for Windows deploys the Software Update Plug-in
to managed computers, which gathers inventory including software vendor,
software release, and service pack information. From this inventory, Patch
Management Solution for Windows creates specific filters to target only the
computers requiring individual software updates.
See “About the Software Update Plug-in” on page 23.
You must stage software bulletins to download software updates and create
packages. When a software bulletin is staged, each associated software update
executable is downloaded from Microsoft or Adobe to the Notification Server
computer. From the information in software bulletin executables, Patch
Introducing Patch Management Solution for Windows
How Patch Management Solution for Windows works
12
Page 13
Management Solution for Windows then creates a software update package for
each software update. From the staged software bulletins , you must create
Software Update policies to distribute software update packages to the appropriate
computer filters (previously known as collections). When a managed computer
receives a Software Update policy, it verifies that the update is needed, then
downloads the software update package from the Notification Server computer.
The managed computer then installs the update. At an interval, the Software
Update policy is re-evaluated and software updates are reinstalled if needed. For
example, if an operation removes a software update, it is reinstalled. Or if a vendor
revises a software update, it is reinstalled.
After the Software Update Plug-in distributes software updates, it sends results
of patch deployment to the Notification Server computer. This information can
be viewed through reports and the dashboard. You can configure part or all of
Patch Management Solution for Windows to automatically download and install
future software updates. When configuring the solution you should consider
possible effects on your network environment. Distribute new updates to a test
environment first.
Where to get more information
Use the following documentation resources to learn and use this product.
Table 1-1
Documentation resources
LocationDescriptionDocument
http://kb.altiris.com/
You can search for the product name under
Release Notes.
Information about new features and
important issues.
This information is available as an article in
the knowledge base.
Release Notes
■ The Documentation Library, which is
available in the Symantec Management
Console on the Help menu.
■ The Product Support page, which is
available at the following URL:
http://www.symantec.com/business
/support/all_products.jsp
When you open your product’s support
page, look for the Documentation link
on the right side of the page.
Information about how to use this product,
including detailed technical information and
instructions for performing common tasks.
This information is available in PDF format.
User Guide
13Introducing Patch Management Solution for Windows
Where to get more information
Page 14
Table 1-1
Documentation resources (continued)
LocationDescriptionDocument
The Documentation Library, which is
available in the Symantec Management
Console on the Help menu.
Context-sensitive help is available for most
screens in the Symantec Management
Console.
You can open context-sensitive help in the
following ways:
■ The F1 key
■ The Context command, which is available
in the Symantec Management Console
on the Help menu.
Information about how to use this product,
including detailed technical information and
instructions for performing common tasks.
Help is available at the solution level and at
the suite level.
This information is available in HTML help
format.
Help
In addition to the product documentation, you can use the following resources to
learn about Altiris products.
Table 1-2
Altiris information resources
LocationDescriptionResource
http://kb.altiris.com/Articles, incidents, and issues about Altiris
products.
Knowledge base
http://www.symantec.com/connect
/endpoint-management-virtualization
An online magazine that contains best
practices, tips, tricks, forums, and articles
for users of this product.
Symantec Connect
(formerly Altiris Juice)
Introducing Patch Management Solution for Windows
Where to get more information
14
Page 15
Implementing Patch
Management Solution for
Windows
This chapter includes the following topics:
■ Implementing Patch Management Solution for Windows
Implementing Patch Management Solution for
Windows
Patch Management Solution for Windows requires some components to be
configured or enabled before others function correctly. When initially completing
each task you can also configure it for future automation. Automation is a key
feature of Patch Management Solution for Windows as it reduces system
administration workload and enhances overall security.
To implement Patch Management Solution for Windows
1
Install the solution.
See “Installing Patch Management Solution for Windows” on page 18.
2
Install or upgrade the Altiris Agent 7.0 on every computer to which you want
to send patches.
For more information, see topics about installing the Altiris Agent in the
Symantec Management Platform User Guide.
2
Chapter
Page 16
3
Install or upgrade the Software Update Plug-in.
See “Installing the Software Update Plug-in” on page 24.
See “Upgrading the Software Update Plug-in” on page 24.
4
Configure the Patch Management Solution core settings.
See “Configuring patch management Core Services settings” on page 29.
5
Configure the Software Updates installation settings.
See “Configuring software updates installation settings ” on page 31.
6
Configure the vulnerabilities check interval.
See “Configuring inventory and vulnerabilities checking interval” on page 32.
7
Download Adobe software updates catalog, Microsoft software updates catalog
and QChain.
See “Downloading software updates catalog” on page 40.
See “Downloading QChain” on page 41.
8
View which software updates you need to install and stage software bulletins.
See “Staging software bulletins” on page 47.
9
Create Software Update policies to distribute software updates.
See “Distributing software updates” on page 48.
10
Evaluate the results by running the Software Update Delivery Summary
report and revisiting compliance reports.
See “Viewing the software update delivery summary report ” on page 49.
See “Viewing Patch Management reports” on page 56.
Implementing Patch Management Solution for Windows
Implementing Patch Management Solution for Windows
16
Page 17
Installing Patch
Management Solution for
Windows
This chapter includes the following topics:
■ Prerequisites for Patch Management Solution for Windows
■ Installing Patch Management Solution for Windows
■ Upgrading Patch Management Solution for Windows
■ Migrating from Patch Management Solution for Windows 6.2 to 7.x
■ Uninstalling Patch Management Solution for Windows
■ Licensing
Prerequisites for Patch Management Solution for
Windows
Patch Management Solution for Windows requires the following:
■ Symantec Management Platform 7.0 SP4.
For more information, see topics about system requirements for Symantec
Management Platform in the Symantec Management Platform Installation
Guide.
When you install or upgrade Patch Management Solution for Windows through
the Symantec Installation Manager, Symantec Management Platform is installed
or upgraded automatically.
3
Chapter
Page 18
See “Installing Patch Management Solution for Windows” on page 18.
Installing Patch Management Solution for Windows
You install Patch Management Solution for Windows through the Symantec
Installation Manager as part of the Altiris™ Client Management Suite or Altiris™
Server Management Suite.
You can also install Patch Management Solution for Windows separately from
other suite components.
See “Prerequisites for Patch Management Solution for Windows” on page 17.
To install Patch Management Solution for Windows
1
Do one of the following:
■ Download and run the Altiris Client Management Suite or Altiris Server
Management Suite installation file from the Symantec Web site
(www.symatec.com).
■ If you already have the Symantec Installation Manager installed, click
Start > All Programs > Altiris > Symantec Installation Manager >
Symantec Installation Manager.
2
In the Symantec Installation Manager, click Install New Products.
3
In the Filter by box, click None.
4
In the list of available products, select Altiris Patch Management Solution
for Windows.
5
Follow the installation wizard through to completion.
Upgrading Patch Management Solution for Windows
Use the Symantec Installation Manager to upgrade the product.
Migrating from Patch Management Solution for
Windows 6.2 to 7.x
Migrating, or upgrading, from Patch Management Solution for Windows 6.2 to
7.x is handled through the Symantec Installation Manager.
If you want to install 7.x to a new computer, the upgrade process is as follows:
■ Installing the Symantec Installation Manager on the Notification Server
computer with Patch Management Solution for Windows 6.2.
Installing Patch Management Solution for Windows
Installing Patch Management Solution for Windows
18
Page 19
See “To install the Symantec Installation Manager on a 6.x Notification Server”
on page 19.
■ Running the Symantec Installation Manager migration wizard on the 6.2 to
export data.
See “To export data from Patch Management Solution for Windows 6.2 ”
on page 19.
■ Running the Patch Management Import task on the 7.x.
See “Downloading software updates catalog” on page 40.
■ Running the Symantec Installation Manager migration wizard on the 7.x to
import the 6.2 data.
See “To import 6.2 data into Patch Management Solution for Windows 7.x”
on page 20.
To install the Symantec Installation Manager on a 6.x Notification Server
1
Install Patch Management Solution for Windows 7.x.
See “Installing Patch Management Solution for Windows” on page 18.
2
Open Windows Explorer on the computer with Patch Management Solution
for Windows 7.x installed.
3
Navigate to C:\Program Files\Altiris\Symantec Installation
Manager\Installs\Altiris.
4
Select and copy the following files, and move them to the computer with
Patch Management Solution for Windows 6.2 installed:
■ altiris_nsupgrade_7_0_x86.msi
■ pmcoreupgrade_7_0.msi
■ pmwindowsupgrade_7_0.msi
5
On the computer with 6.2, run the files in the following order:
■ altiris_nsupgrade_7_0_x86.msi
■ pmcoreupgrade_7_0.msi
■ pmwindowsupgrade_7_0.msi
Running the three .msi files builds the migration structure on the 6.2
computer.
To export data from Patch Management Solution for Windows 6.2
1
Open Windows Explorer on the computer with Patch Management Solution
for Windows 6.2 installed.
2
Navigate to C:\Program Files\Altiris\Upgrade.
19Installing Patch Management Solution for Windows
Migrating from Patch Management Solution for Windows 6.2 to 7.x
Page 20
3
Double-click the file NSUpgradeWizard.exe.
4
To start migration, on the first page of the wizard, click Next.
5
On the Export / Import Task Selection page of the wizard, click Export data
from an Altiris Notification Server to a file store.
6
In the Data store box, leave the default location or specify a different location,
and click Next.
7
On the Products section of the Exporter Configuration page of the wizard,
ensure Patch ManagementCore Solution and Patch Management Solution
are selected.
8
Make any wanted changes to the Exporters list, and click Next.
9
Review the product readiness check, and click Next.
10
Once the data export has completed, click Finish.
The data file is now ready to copy across to the 7.x computer from the location
that was specified in step 6.
Note: Custom locations for 6.2 Microsoft Patch Management Import files cannot
migrate to 7.x.
To import 6.2 data into Patch Management Solution for Windows 7.x
1
Copy the .adb data file exported from Patch Management Solution 6.2 to the
computer with Patch Management Solution 7.x installed.
2
Navigate to C:\Program Files\Altiris\Upgrade.
3
Double-click the file NSUpgradeWizard.exe.
4
To start migration, on the first page of the wizard, click Next.
5
On the Export / Import Task Selection page of the wizard, click Import data
from a file store into an Altiris Notification Server, and click Next.
6
In the Data store box, navigate to and select the 6.2 data file.
7
On the Importer Configuration page of the wizard, under Products, ensure
Patch Management Core Solution and Patch Management Solution are
selected.
8
Make any wanted changes to the Importers list, and click Next.
9
Review the product readiness check, and click Next.
10
Once the data import has completed, click Finish.
Migration from Patch Management Solution 6.2 to 7.x is now completed.
Installing Patch Management Solution for Windows
Migrating from Patch Management Solution for Windows 6.2 to 7.x
20
Page 21
Uninstalling Patch Management Solution for Windows
Use the Symantec Installation Manager to uninstall the product.
Licensing
Each Symantec product comes with a seven-day trial license that is installed by
default. You can register and obtain a 30-day evaluation license through our Web
site at www.altiris.com or purchase a full product license.
Use the Symantec Installation Manager to install licenses.
Note: Automatic Upgrade Protection (AUP) is required for ongoing use of Patch
Management Solution for Windows. Without current AUP, you cannot download
and use new Microsoft Patch Management Import files. However, you can continue
to use Microsoft Patch Management Import files that were downloaded before
the expiration of AUP.
21Installing Patch Management Solution for Windows
Uninstalling Patch Management Solution for Windows
Page 22
Installing Patch Management Solution for Windows
Licensing
22
Page 23
Installing the Software
Update Plug-in
This chapter includes the following topics:
■ About the Software Update Plug-in
■ Installing the Software Update Plug-in
■ Upgrading the Software Update Plug-in
■ Uninstalling the Software Update Plug-in
■ About the Software Update Plug-in user interface
About the Software Update Plug-in
The Software Update Plug-in manages all of the Patch Management Solution for
Windows functionality on a managed computer. When the Inventory Rule Plug-in
(distributed by default by Notification Server) reports that a certain software
update is required for a managed computer, the update is sent to the Software
Update Plug-in. The Software Update Plug-in ensures that the update is applicable
and not already installed, then installs it.
After you install the Software Update Plug-in on a managed computer, a new tab,
Software Updates, appears in the Altiris Agent window. This tab displays the
status software updates for that computer. To open the Altiris Agent window,
click the Altiris Agent icon in the system tray of the managed computer.
See “About the Software Update Plug-in user interface” on page 25.
See “Installing the Software Update Plug-in” on page 24.
4
Chapter
Page 24
Installing the Software Update Plug-in
The Software Update Plug-in manages all of the Patch Management Solution for
Windows functionality on a managed computer.
See “About the Software Update Plug-in” on page 23.
Note: If you have a large number of computers to install the Software Update
Plug-in to, consider deploying it during off-peak hours to minimize network traffic.
Deploying the Software Update Plug-in can take some time, depending on the
number of managed computers and the Altiris Agent settings.
To install the Software Update Plug-in
1
In the Symantec Management Console, on the Settings menu, click
Agents/Plug-ins > All Agents/Plug-ins.
2
In the left pane, click Agents/Plug-ins > Software > Patch Management >
Windows > Software Update Plug-in Install.
3
(Optional) In the right pane, make any wanted changes.
For help, press F1 or click Help > Context.
4
Turn on the policy.
5
Click Save changes.
Upgrading the Software Update Plug-in
If you upgraded Patch Management Solutionfor Windows from a previous version,
you must also upgrade the Software Update Plug-ins that are installed on the
target computers to the latest version.
See “About the Software Update Plug-in” on page 23.
To upgrade the Software Update Plug-in
1
In the Symantec Management Console, on the Settings menu, click
Agents/Plug-ins > All Agents/Plug-ins.
2
In the left pane, click Agents/Plug-ins > Software > Patch Management >
Windows > Software Update Plug-in Upgrade.
3
(Optional) In the right pane, make any wanted changes.
For help, press F1 or click Help > Context.
Installing the Software Update Plug-in
Installing the Software Update Plug-in
24
Page 25
4
Turn on the policy.
5
Click Save changes.
Uninstalling the Software Update Plug-in
You can uninstall the Software Update Plug-in if there is an extended period of
time when you do not want to use the patch management features on a managed
computer and you want to eliminate any overhead that is caused by the plug-in.
See “About the Software Update Plug-in” on page 23.
Note: Ensure that the Software Update Plug-in Install policy is turned off before
uninstalling the Software Update Plug-in.
See “Installing the Software Update Plug-in” on page 24.
To uninstall the Software Update Plug-in
1
In the Symantec Management Console, on the Settings menu, click
Agents/Plug-ins > All Agents/Plug-ins.
2
In the left pane, click Agents/Plug-ins > Software > Patch Management >
Windows > Software Update Plug-in Uninstall.
3
(Optional) In the right pane, make any wanted changes.
For help, press F1 or click Help > Context.
4
Turn on the policy.
5
Click Save changes.
About the Software Update Plug-in user interface
When the Software Update Plug-in is installed on a managed computer, a Software
Updates tab appears in the Altiris Agent. From this tab, users can view the software
updates that are applicable to their computer. They can view the status of all
received software updates, both those that have been scheduled to be installed
and those that have been installed.
See “About the Software Update Plug-in” on page 23.
25Installing the Software Update Plug-in
Uninstalling the Software Update Plug-in
Page 26
Table 4-1
Items in the Software Update Plug-in user interface
DescriptionItem
This pane lists all scheduled activities for the Software Update
Plug-in.
Schedules
By checking or unchecking boxes, you can choose to show or hide
software updates with the status listed next to each box.
For example, uncheck Not Currently Applicable to hide any
software updates not applicable to the managed computer.
Show Updates
Click StartSoftware UpdateCycle to manually start the installation
of software updates rather than wait for scheduled times.
This option is only for the updates that are set to run on the default
schedule. This option is available only if Allow user to run is
checked on the Default Software Update Plug-in Policy page.
Tasks
Displays the software updates that are applicable to this computer.Softwareupdates for
this computer
■ A red error icon indicates that the maximum application retries
for a failed software update have been exceeded.
■ A yellow warning icon indicates that the software update has
failed to be applied at least once, but has not exceeded the
maximum application retries. It is reapplied.
■ The green tick icon indicates that the Applicable rule is TRUE
and the IsInstalled rule indicates that the update was installed.
■ A clock icon indicates that the Applicable rule is true and the
IsInstalled rule is FALSE. The software update is scheduled for
installation.
■ An information icon indicates that the Applicable rule has
evaluated false. This means that the software update does not
apply to this computer. You can also configure the agent not to
display the software updates that do not apply by clearing the
NotCurrently Applicable check box in the Show Updates pane.
■ A user icon indicates that a user installed the update.
■ A download icon indicates that the plug-in is downloading or
attempting to download a software update package.
■ A superseded icon indicates that the update was superseded by
a later update and will not be installed.
Icons in the Status
column
Installing the Software Update Plug-in
About the Software Update Plug-in user interface
26
Page 27
Table 4-1
Items in the Software Update Plug-in user interface (continued)
DescriptionItem
■ Failed to Install – The maximum application retries for a failed
software update has been exceeded.
■ Installation Failed – Rescheduled – The software update has
failed to be applied at least once but has not exceeded the
maximum application retries. It will be reapplied.
■ Installed – The Applicable rule is TRUE and the IsInstalled rule
indicates that it is already installed. If the Last Applied date is
not empty, it means that the agent has installed the update.
■ Installation Scheduled – The Applicable rule is true and the
IsInstalled rule is FALSE. The software update is scheduled for
installation.
■ Not Applicable – The Applicable rule has evaluated false. This
means that the software update does not apply to this computer.
■ Pending – The Applicable and IsInstalled rules have not yet been
evaluated.
■ Download required – The rules have been evaluated and the
update package needs to be downloaded to the agent.
■ Retry – An attempt download the package has failed and the
agent is trying to download the package again.
Text labels in the
Status column
The name of the bulletin containing the software update.Bulletin Name
The name of the individual software update.Software Update
Name
The date and time of the last applied download. The last install time
is displayed only if the Software Update Plug-in installs the software
update. If the software update is already installed (another source
installed the software update) when the Software Update Plug-in
goes to install it the first time, this field will display “Never”.
Last Applied
Time of schedule means this software update has been scheduled
to be installed. Not scheduled means this software update has not
been scheduled to be installed.
Schedule
27Installing the Software Update Plug-in
About the Software Update Plug-in user interface
Page 28
Installing the Software Update Plug-in
About the Software Update Plug-in user interface
28
Page 29
Configuring Patch
Management Solution for
Windows
This chapter includes the following topics:
■ Configuring patch management Core Services settings
■ Customizing severity levels
■ Configuring vendor settings
■ Configuring software updates installation settings
■ Configuring inventory and vulnerabilities checking interval
■ Core Services page
■ Patch management vendor settings page
■ Default Software Update Plug-in Policy page
Configuring patch management Core Services settings
You can configure where the software updates should be downloaded.
The Core Services settings apply to all Altiris™ Patch Management Solutions.
5
Chapter
Page 30
To configure patch management Core Services settings
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, click Settings > Software > Patch Management > Core
Services.
3
In the right pane, make any wanted changes.
See “Core Services page” on page 33.
4
Click Save Changes.
Customizing severity levels
A software update deemed critical may not necessarily be critical in your
environment. You can create your own custom severity levels and assign them to
software bulletins. You first create custom severity levels, and then assign them
to bulletins. You cannot alter the vendor-specified severity levels, only custom
severity levels.
See “About software updates and software bulletins” on page 45.
To create a custom severity level
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, click Settings > Software > Patch Management > Core
Services.
3
In the right pane, click the Custom Severity tab.
4
In the Severity Level box, type the name that you want to give the custom
severity level. For example, "Install right away!"
5
Click Add.
6
Click Move Up or Move Down to position custom severity levels in the list.
7
Click Save Changes.
To assign a custom severity level to a software bulletin
1
In the Symantec Management Console, on the Manage menu, click Policies.
2
In the left pane, click Policies > Software > Patch Management > Patch
Remediation Center.
3
In the Software Bulletin list, right-click on a software bulletin, and then click
Custom Severity.
Configuring Patch Management Solution for Windows
Customizing severity levels
30
Page 31
4
Click a severity level.
5
Click Refresh to view the new Custom Severity column.
Configuring vendor settings
You can set up how you want Microsoft or Adobe software updates distributed.
You can exclude Microsoft software updates that you do not use in your
organization. Excluding software releases ensures that unnecessary files are not
downloaded.
See “About software updates and software bulletins” on page 45.
To configure vendor settings
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, click Settings > Software > Patch Management.
3
Do one of the following:
■ Click Microsoft Settings > Microsoft.
■ Click Adobe Settings > Adobe.
4
In the right pane, make any wanted changes.
See “Patch management vendor settings page” on page 33.
5
Click Save changes.
Configuring software updates installation settings
The Default Software Update Plug-inPolicy lets you configure when the Software
Update Plug-in can install software updates and restart the target computer.
See “About the Software Update Plug-in” on page 23.
To configure the software updates installation settings
1
In the Symantec Management Console, on the Settings menu, click
Agents/Plug-ins > All Agents/Plug-ins.
2
In the left pane, click Agents/Plug-ins > Software > Patch Management >
Windows > Default Software Update Plug-in Policy.
3
In the right pane, make any wanted changes.
See “Default Software Update Plug-in Policy page” on page 35.
4
Click Save changes.
31Configuring Patch Management Solution for Windows
Configuring vendor settings
Page 32
Configuring inventory and vulnerabilities checking
interval
Vulnerability analysis let you periodically inventory operating systems,
applications, and installed patches on managed computers with the Software
Update Plug-in installed. For example, the Microsoft Vulnerability Analysis
policy detects vulnerabilities to known Microsoft security problems. Vulnerability
information is then used to determine which software updates the managed
computer requires. Also, based on this information, filters are automatically
created to assist with the targeting of Software Update policies.
The Microsoft Vulnerability Analysis policy now incorporates four policies that
were included in Patch Management Solution for Windows for Windows 6.2.
The policies are as follows:
■ Default Windows OS Inventory Policy
■ Default Windows Software Release Inventory Policy
■ Default Microsoft Inventory Policy
■ Default Microsoft Vulnerability Analysis Policy
You can configure how often do you want to check for vulnerabilities.
To alter vulnerability analysis settings
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, click Settings > Software > Patch Management
3
Click Microsoft Settings > Microsoft Vulnerability Analysis or Adobe
Settings > Adobe Vulnerability Analysis.
4
In the right pane, in the Scan interval box, specify how often to report back
inventory on the vulnerability of managed computers.
5
Click Only if Changed (set by default) if you want to report inventory only if
it has changed, or click Always.
6
If you want to send a log of the results back to Notification Server, check Send
inventory summary .
7
Do not change the targeted filterfrom All Windows Computerswith Software
Update Plug-in Installed Target unless you have a specific reason to do so.
8
Click Save changes.
Configuring Patch Management Solution for Windows
Configuring inventory and vulnerabilities checking interval
32
Page 33
Core Services page
The CoreServices page lets you configure where the software updates should be
downloaded. You can also create custom severity levels to apply to software
updates.
(Patch Management Solution for Windows only) You can select any additional
languages that you want to download with the Patch Management Import task.
The settings that are defined on this page apply to all Altiris™ Patch Management
Solutions.
See “About software updates and software bulletins” on page 45.
See “Configuring patch management Core Services settings” on page 29.
See “Customizing severity levels” on page 30.
Table 5-1
Options on the Core Services page
DescriptionOption
(Patch Management Solution for Windows only)
Specifies the languages that you want to download.
Managed Language
Specifies the location to which you want to download the
software update packages.
The default location is C:\Program Files\Altiris\Patch
Management\Packages\Updates.
If you change the location and you want to relocate existing
software update packages, use the Check Software Update
Package Integrity task.
See “Checking Software Update packages integrity ” on page 42.
To Location
(Patch Management Solution for Windows only)
Specifies the location to download packages from if you want
to download them from a cache in a different location.
For this functionality to work, the file structure in that location
must be exactly the same as the folder structure under
C:\Program Files\Altiris\Patch Management\Packages\Updates.
Download from staging
location
Patch management vendor settings page
This page lets you set up how you want vendor software updates distributed.
See “Configuring vendor settings” on page 31.
33Configuring Patch Management Solution for Windows
Core Services page
Page 34
Some of these settings are used as default values in the Software Update Policy
Wizard . All new vendor software updates that are downloaded have these settings
by default. If you change the settings, existing Software Update policies and
packages are not updated with these defaults. You can force them to update by
re-creating packages from the Patch Remediation Center page.
See “Distributing software updates” on page 48.
See “Patch Remediation Center page ” on page 49.
Table 5-2
Options on the Software Update Options tab of the vendor policies
DescriptionOption
Specifies when to update the target filters for all Software
Updates.
By default, the filter update is performed every 30
minutes.
Patch Filter Update Interval
(Microsoft vendor policy only)
Lets you select the software releases to exclude from
download.
For example, you can exclude the software releases that
are not used in your organization. Excluding software
releases ensures that unnecessary files are not
downloaded.
Resource Exclusions
The table shows the filter that the policy targets.
The default target is All Windows Computers with
Software Update Plug-in Installed Target.
Software Update Distribution
Options
Table 5-3
Options on the Policy and Package Settings tab of the vendor
policies
DescriptionOption
Lets you specify when to delete software update
packages that are no longer needed.
Default: 1 week.
Delete packages after
Check if you want to use multicast when distributing
software update packages.
For more information on multicasting, see the
Symantec Management Platform User Guide.
Use multicast when the Altiris
Agent'smulticast optionis enabled
Configuring Patch Management Solution for Windows
Patch management vendor settings page
34
Page 35
Table 5-3
Options on the Policy and Package Settings tab of the vendor
policies (continued)
DescriptionOption
This option is checked by default to ensure that
package servers process software update packages.
For more information on package servers, see the
Symantec Management Platform User Guide.
AllowPackage Server distribution
Lets you select the package distribution method.
For more information on assigning packages to
package servers, see the Symantec Management
Platform User Guide.
Assign package to
Lets you specify a different location on a package
server to which to download packages.
Usealternate download location on
Package Server
Lets you specify a different location on the managed
computers to which to download packages.
Usealternate download location on
client
Table 5-4
Options on the Programs tab of the vendor policies
DescriptionOption
Lets you specify a time after which to terminate a running software
update program.
Terminate after
Lets you specify which account to use to run the program. If you select
the Specified User, you must specify user domain information.
Run with rights
Lets you specify the conditions in which the program can run.Program can run
Sends relevant events from managed computers to Notification Server.Agent Events
Default Software Update Plug-in Policy page
This page lets you specify settings (including install and restart options) for the
Software Update Plug-in to use when installing software updates on managed
computers.
The default resource target for the policy is designed to find any agents that do
not have another Software Update Plug-in configuration policy applied to them.
For this reason, the default resource target cannot be changed. If you want to
change the default resource target, you must clone the policy and alter the resource
target on the clone.
35Configuring Patch Management Solution for Windows
Default Software Update Plug-in Policy page
Page 36
By default, the settings specified on this page apply to all Windows computers
that have the Software Update Plug-in installed.
See “About the Software Update Plug-in” on page 23.
See “Configuring software updates installation settings ” on page 31.
Table 5-5
Options on the Installation Schedules tab of the Default Software
Update Plug-in Policy page
DescriptionOption
Lets you configure a schedule when software updates get
installed on the managed computer .
This schedule appears on the Software Updates tab of the
Altiris Agent on the target computer.
Schedule
Lets you set the number of times Patch Management should
attempt to reinstall a software update if the initial install
attempt fails.
Default: 3 times.
Reinstallationattempts after
task failure
Lets users initiate software update installation from the
Altiris Agent by clicking Start Software Update in the
Altiris Agent user interface.
Allow user to run
Lets you specify when the managed computer gets restarted
after software updates are installed
Allow restart after
installation
Do not automatically restart the target computer after a
software update installation.
Never
Restart the computer on a specific schedule.
Choose this option if, for example, you do not want to affect
user productivity with repeated restarts during work hours,
so you create an after hours restart schedule.
We recommend that you do not set your restart schedule
too soon after the Software Update Installation schedule.
This schedule appears on the Software Updatestab of the
Altiris Agent on the target computer.
Scheduled
Select this option to restart after all updates in a single
update cycle have been installed.
At end of software update
cycle
Configuring Patch Management Solution for Windows
Default Software Update Plug-in Policy page
36
Page 37
Table 5-5
Options on the Installation Schedules tab of the Default Software
Update Plug-in Policy page (continued)
DescriptionOption
Check if you want to use the install and restart options that
you specified in this policy. Uncheck to abide by
maintenance windows that are specified in Notification
Server configuration policies.
Override maintenance
windows settings
Table 5-6
Options on the Notification tab of the Default Software Update
Plug-in Policy page
DescriptionOptions
Check if you want to send a message to the users of the
computer where a Patch Management task is about to run.
Specify for how long the message should be displayed before a
task is run.
You can type a custom message, for example, “Software updates
will install on your computer in 10 minutes. Please ensure that
all work is saved”.
When the message appears, the user can choose to install the
updates immediately or close the dialog box.
Notify user
Lets you choose to show users a dialog box indicating the
progress of software update installations.
Show progress message
Lets you choose to warn user of a pending restart. The time you
select represents how soon before the pending restart the user
is warned.
The user can choose to restart immediately.
Show pending message
Lets you choose to notify a user that a restart is required. You
can specify a schedule on which to display the notification.
The user can choose to restart later, or restart immediately.
If the user does not manually restart, the restart occurs
according to your settings on the Installation Schedules tab.
Show reminder message
Lets you choose to warn a user of a pending restart. Specify for
how long the user can defer the restart.
The user can choose to restart immediately, or defer the restart.
Allow user to defer
37Configuring Patch Management Solution for Windows
Default Software Update Plug-in Policy page
Page 38
Configuring Patch Management Solution for Windows
Default Software Update Plug-in Policy page
38
Page 39
Configuring Patch
Management server tasks
This chapter includes the following topics:
■ About Patch Management server tasks
■ Downloading software updates catalog
■ Downloading QChain
■ Checking Software Update packages integrity
■ Patch Management Import page
■ Download QChain page
About Patch Management server tasks
You must configure server tasks (previously known as background actions) to run
automatically at regular intervals.
Examples of server tasks include Microsoft Patch Management Import, Adobe
Patch Management Import, and Download QChain. Automated server tasks
ensure you have the latest, most accurate data, and your software update tasks
are kept up to date. To configure a task to run automatically, set a schedule for
it.
The Microsoft Patch Management Import, Adobe Patch Management Import,
and Download QChain tasks must successfully run before you can stage or
distribute any software updates.
See “Implementing Patch Management Solution for Windows” on page 15.
6
Chapter
Page 40
The Microsoft Patch Management Import task downloads Microsoft software
updates catalog files and imports all software management resources from these
files into the CMDB. The Adobe Patch Management Import task does the same
for Adobe software updates. The Microsoft QChain task chains the Microsoft
software updates together before they are distributed to managed computers.
Other server tasks ensure data integrity or assist in automating software update
distribution processes.
See “Downloading software updates catalog” on page 40.
See “Downloading QChain” on page 41.
Downloading software updates catalog
You must download the Microsoft or Adobe software updates catalog files before
you can stage software updates or create Software Update policies.
See “Implementing Patch Management Solution for Windows” on page 15.
Note: If the Altiris Log Viewer is open, close it before you perform this task. By
closing the viewer, you can improve the task’s performance by as much as 50
percent.
You may want to create a schedule for this task as well. This ensures that you
have the latest, most accurate data, and your software update tasks are kept up
to date.
To download software updates catalog immediately
1
In the Symantec Management Console, on the Manage menu, click Jobs and
Tasks.
2
In the left pane, click Jobs and Tasks > System Jobs and Tasks > Software >
Patch Management.
3
Click one of the following:
■ Microsoft Patch Management Import
■ Adobe Patch Management Import
4
(Optional) In the right pane, make any wanted changes and then click Save
changes.
See “Patch Management Import page” on page 42.
5
Under Task Status, click New Schedule.
6
In the New Schedule dialog box, click Now, and then click Schedule.
Configuring Patch Management server tasks
Downloading software updates catalog
40
Page 41
To download software updates catalog on a schedule
1
On the Microsoft Patch Management Import or Adobe Patch Management
Import page, under Task Status, click New Schedule.
2
In the New Schedule dialog box, click Schedule, and then configure a schedule
on which to run this task.
We recommend that you configure the task to run daily.
3
Click Schedule.
Downloading QChain
QChain groups software updates together before you distribute them to managed
computers. You must download QChain after you run the Microsoft Patch
Management Import task and before you distribute software updates.
See “Implementing Patch Management Solution for Windows” on page 15.
QChain is downloaded once automatically after you install the solution through
the Symantec Installation Manager.
You may want to create a schedule for this task as well. This ensures that you
have the latest, most accurate data, and your software update tasks are kept up
to date.
To download QChain
1
In the Symantec Management Console, on the Manage menu, click Jobs and
Tasks.
2
In the left pane, click Jobs and Tasks > System Jobs and Tasks > Software >
Patch Management > Download QChain.
3
(Optional) In the right pane, make any wanted changes and then click Save
changes.
See “Download QChain page” on page 43.
4
Under Task Status, click New Schedule.
5
In the New Schedule dialog box, click Now, and then click Schedule.
To download QChain on a schedule
1
On the Download QChain page, under Task Status, click New Schedule.
2
In the New Schedule dialog box, click Schedule, and then configure a schedule
on which to run this task.
We recommend that you configure the task to run daily.
3
Click Schedule.
41Configuring Patch Management server tasks
Downloading QChain
Page 42
Checking Software Update packages integrity
You can verify that software update packages in software update tasks have the
correct global server settings applied. If you changed settings in a vendor policy,
run the Check Software Update Package Integrity task to check that all software
update packages have the correct new settings and values.
See “Configuring vendor settings” on page 31.
The task also relocates the software update packages in case if you changed the
default package location on the Core Services page.
See “Configuring patch management Core Services settings” on page 29.
To check Software Update package integrity
1
In the Symantec Management Console, on the Manage menu, click Jobs and
Tasks.
2
In the left pane, click Jobs and Tasks > System Jobs and Tasks > Software >
Patch Management > Check Software Update Package Integrity.
3
If you want to delete downloaded updates that are not part of any software
update policy or belong to a superseded bulletin, check Delete updates from
file system that are no longer in use.
4
If you want to relocate downloaded updates if the Software Update Package
Location has changed, check Relocate existing packages if default Software
Update Package location has changed.
See “Configuring patch management Core Services settings” on page 29.
5
Under Task Status, click New Schedule and specify a schedule to run the
task.
Patch Management Import page
This background action downloads the software update catalog files and imports
all software management resources from these files into the CMDB. These
resources are necessary for populating the Patch Remediation Center and
updating patches to managed computers. When you download the software update
catalog files, you automatically import all software management resources.
See “Downloading software updates catalog” on page 40.
Configuring Patch Management server tasks
Checking Software Update packages integrity
42
Page 43
Table 6-1
Options on the Patch Management Import page
DescriptionOption
The default location from which the Patch
Management Import files are downloaded.
Default Location
Lets you specify a custom location to download Patch
Management Import files from.
Alternative Location
Ensures that only updated files are downloaded, thus
avoiding unnecessary downloads.
Only download if modified
(Microsoft only)
Automatically updates Software Update policies with
the latest Microsoft Patch Management Import data.
Each download of the Patch Management Import
files may contain data and fixes for existing software
updates. Checking this option lets you use the new
data to resolve any known issues with software
updates.
Automatically revise software
update policies after Patch
Management Import
(Microsoft only)
Enables the distribution of the software update
packages that were added to the software bulletin.
Enabledistribution ofnewly added
software updates
(Microsoft only)
This option disables the rollout of any software
update tasks containing superseded software
updates.
Disable all Superseded Software
Updates
Download QChain page
QChain groups software updates together before you distribute them to managed
computers. You must download QChain after you run the Microsoft Patch
Management Import task and before you distribute software updates.
See “Downloading QChain” on page 41.
Table 6-2
Options on the Download QChain page
DescriptionOption
The location from which the QChain files are downloaded.Location
43Configuring Patch Management server tasks
Download QChain page
Page 44
Table 6-2
Options on the Download QChain page (continued)
DescriptionOption
Ensures that only updated files are downloaded, thus avoiding
unnecessary downloads.
Only download if modified
The number of times to retry downloading QChain fails before
the task fails.
Retry failed downloads
Configuring Patch Management server tasks
Download QChain page
44
Page 45
Staging and distributing
software bulletins and
software updates
This chapter includes the following topics:
■ About software updates and software bulletins
■ About staging and distributing software bulletins
■ Staging software bulletins
■ Distributing software updates
■ Viewing the software update delivery summary report
■ About Software Update policies and maintenance windows
■ Patch Remediation Center page
■ Software Update Policy Wizard pages
About software updates and software bulletins
A software update or patch is any update or hotfix that is used to improve or fix
a software product. A software bulletin is a bundle of software updates that are
released together.
Patch Management Solution for Windows uses targeted deployments. Updates
are not deployed to a computer unless that computer specifically needs that
software update. If a managed computer meets the prerequisites of a software
update, it falls into a targeted filter. The prerequisites are matched against data
7
Chapter
Page 46
which is sent to Notification Server by the Software Update Plug-in. For example,
Internet Explorer version and OS version. Software updates are then installed
according to Microsoft specifications. For example, if Microsoft requires a restart,
then the computer is restarted after the update is installed. Restarts on managed
computers are minimized because the updates that do not require a restart are
installed before the software updates that do.
When a software update has been superseded and rendered obsolete by another
update or updates, the later update is installed.
Microsoft assigns severity levels to software updates, but you can also create a
custom severity level.
See “Customizing severity levels” on page 30.
Caution: Microsoft provides the software updates that Patch Management Solution
for Windows distributes for Microsoft products. You must ensure that each
software update works correctly in your environment before deploying it. We
recommend that you first distribute any required software update in a test
environment before deploying it to your production environment.
About staging and distributing software bulletins
You stage software bulletins from the PatchRemediation Center page, where all
available software updates are listed.
When you stage a software bulletin, all associated updates are downloaded to the
Notification Server computer.
When the number in the Updates column equals the number in the Downloaded
column, all updates for the software bulletin have been downloaded. Also, the
value in the Staged column changes to True.
See “Staging software bulletins” on page 47.
After the bulletin is staged, you can create Software Update policies to distribute
the software update to managed computers.
Sometimes not all software updates can be downloaded for a software bulletin
because Microsoft may stop hosting the bulletin or relocate it. You cannot create
a Software Update policy unless all updates for a particular software bulletin or
update have been downloaded.
See “Distributing software updates” on page 48.
Staging and distributing software bulletins and software updates
About staging and distributing software bulletins
46
Page 47
Staging software bulletins
You can stage a software bulletin to download associated updates.
See “About staging and distributing software bulletins” on page 46.
You can stage all software bulletins ifyou want. Butwe recommend that you stage
only the bulletins that are required by the target computers. On the Patch
Remediation Center page, in the compliance reports, you can view how many
computers require an update.
After the updates are downloaded, you must create a Software Update policy to
distribute the updates to managed computers.
See “Distributing software updates” on page 48.
When you stage a software bulletin, a task is created that downloads the software
updates. You can view the status of this task to troubleshoot downloading of
software updates.
To stage a software bulletin
1
In the Symantec Management Console, on the Actions menu, click Software
> Patch Remediation Center.
2
In the right pane, in the Show drop down box, click Microsoft Compliance
by Bulletin or Adobe Compliance by Bulletin, and then click the Refresh
symbol.
These reports let you see which updates the target computers require.
3
Click the bulletins that you want to stage.
For example, click the bulletins that have a high number in the Vulnerable
column.
4
Right-click the selected bulletins, and then click Stage.
If the Stage option is not available, the bulletin is being staged. If there is a
Software Update Policy Wizard option available in the menu, the bulletin is
staged and ready to be distributed.
See “Distributing software updates” on page 48.
To view the status of a software bulletin download
1
In the Symantec Management Console, on the Manage menu, click Jobs and
Tasks.
2
In the left pane, click Jobs and Tasks > System Jobs and Tasks > Software >
Patch Management > Download Software Update Package.
3
In the right pane, view the status of download tasks.
47Staging and distributing software bulletins and software updates
Staging software bulletins
Page 48
Distributing software updates
After you stage software bulletins and download the associated software updates,
you must create Software Update policies that deploy software updates to the
appropriate computers.
See “Staging software bulletins” on page 47.
The Software Update Policy Wizard lets you create Software Update policies.
The policies that you create are stored in the Manage > Policies > Software >
Patch Management > Software Update Policies folder. You can view the details
of the policy and change settings if necessary.
To distribute software updates
1
In the Symantec Management Console, on the Actions menu, click Software
> Patch Remediation Center.
2
In the right pane, in the Show drop down box, click Microsoft Compliance
by Bulletin or Adobe Compliance by Bulletin, and then click the Refresh
symbol.
These reports let you see which updates the target computers require.
3
Click the bulletins that you want to distribute.
For example, click the bulletins that have a high number in the Vulnerable
column.
4
Right-click the selected bulletins, and then click Software Update Policy
Wizard.
If the Software Update Policy Wizard option is not available, the bulletin is
not staged. You must first stage the bulletin.
See “Staging software bulletins” on page 47.
5
(Optional) Configure the settings as needed.
See “Software Update Policy Wizard pages” on page 51.
6
Click Next.
7
(Optional) On the second page of the wizard, check the updates that you want
to distribute.
8
If you want to activate the new Software Update policy, turn on the policy.
To turn on the policy, click on the colored circle and then click On.
You can also turn on the policy later.
9
Click Distribute software updates.
Staging and distributing software bulletins and software updates
Distributing software updates
48
Page 49
Viewing the software update delivery summary report
The Windows Software Update Delivery Summary report summarizes the results
of all scheduled Microsoft Software Update policies. It tells you which computers
the software update tasks target, and if the updates have been successfully
installed. The report also tells you if any software update tasks failed, or if they
have not yet completed.
Patch Management Solution for Windows also provides other reports that you
can view.
See “About Patch Management Solution for Windows reports” on page 53.
To view the software update delivery summary report
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, click Reports > Software> PatchManagement >Remediation
Status > Windows Software Update Delivery Summary.
3
In the right pane, leave the default settings, and then click Refresh.
About Software Update policies and maintenance
windows
Maintenance windows are time periods in which maintenance tasks, including
the installation of software updates, are performed. To ensure Software Update
policies abide by maintenance windows, leave the OverrideMaintenanceWindow
Settings check box unchecked in the first page of the Software Update Policy
Wizard. If the box is checked, the Software Update Plug-in ignores maintenance
windows and installs the updates as instructed otherwise by the Software Update
policy.
See “Software Update Policy Wizard pages” on page 51.
Installing a software update may take longer than a specified maintenance window.
In this case, the installation of the updates completes, but any required restarts
are deferred until the next maintenance window.
Patch Remediation Center page
This page lets you view, stage, and distribute all software updates that are provided
by software update catalog files.
See “About staging and distributing software bulletins” on page 46.
49Staging and distributing software bulletins and software updates
Viewing the software update delivery summary report
Page 50
See “About software updates and software bulletins” on page 45.
Table 7-1
Items on the Patch Remediation Center page
DescriptionItem
The bulletin's number, as supplied by the vendor.Bulletin
The bulletin's vendor-specified severity level.Severity
The bulletin's user-defined severity level.Custom Severity
Indicates if the bulletin has been set to download included software
updates. If all updates have been downloaded the result is True, or
False if otherwise.
Staged
The number of Software Update policies that have been created from
the bulletin.
Policies
The number of software updates that are included in the bulletin.Updates
The number of software updates currently downloaded.Downloaded
The date the bulletin was released.Released
The date the bulletin was revised.Revised
A description of the vulnerabilities that the software bulletin addresses.Description
Table 7-2
Right-click actions on the Patch Remediation Center page
DescriptionItem
Displays the computers that the Software Update Policy
containing this bulletin is targeting.
You must create a Software Update Policy to view targeted
computers.
View Targeted Computers
Displays the computers to which the selected bulletin
applies.
View Applicable Computers
Displays the computers on which the selected bulletin is
installed.
View Installed Computers
Displays the computers that do not have the selected
bulletin installed.
View Vulnerable Computers
Staging and distributing software bulletins and software updates
Patch Remediation Center page
50
Page 51
Software Update Policy Wizard pages
The Software Update Policy Wizard creates Software Update policies that
distribute software updates to managed computers. A Software Update policy
that is created from a software bulletin includes every software update that is in
the bulletin.
See “Distributing software updates” on page 48.
Table 7-3
Options on the first page of the Software Update Policy Wizard
DescriptionOption
The names of each software update that is included in
the bulletin.
Software Updates
The name of the bulletin or bulletins you have chosen
to make policies for. You cannot edit the software
bulletins through the Software Update Policy Wizard .
You can click a software bulletin to open the Resource
Manager to view detailed information on the software
bulletin.
You can only select a software bulletin that has been
previously staged.
Software Bulletins
The name of the policies you have chosen from the
policies window. This field is populated automatically if
only one policy is listed in the Tasks field.
Name
The vendor description of the bulletin.Description
(Patch Management Solution for Windows only)
Enables multicast features.
Use Multicast when the Altiris
Agent’s multicast option is
enabled
Runs the software updates installation at a different time
to the time that is specified in the Software Update
Plug-in settings.
See “Configuring software updates installation settings
” on page 31.
Run (other than agent default)
Runs the software updates installation as soon as the
software update policy arrives to the target computer.
As soon as possible
(Patch Management Solution for Windows only)
Attempts to turn on the computer before installing
software updates.
Power on computer (Wake on
LAN)
51Staging and distributing software bulletins and software updates
Software Update Policy Wizard pages
Page 52
Table 7-3
Options on the first page of the Software Update Policy Wizard
(continued)
DescriptionOption
Runs the software updates installation on a schedule.On schedule
Overrides specified maintenance windows settings.
See “About Software Update policies and maintenance
windows” on page 49.
Override Maintenance
Windows settings
Lets you specify the target collection or collections to
which the Software Update policy applies.
If you use the Software Update Policy Wizard, the correct
resource target for the selected software bulletin is
automatically applied.
Apply to computers
Table 7-4
Options on second page of the Software Update Policy Wizard
DescriptionOptions
Lets you select enable or disable the Software Update policy for the
software bulletin and included software updates.
Click On if you want the policy to become active after you complete
the wizard.
You can also turn on the policy later. The policies that you create are
located at Manage > Policies > Software > Patch Management >
Software Update Policies.
On/Off
The name of the software bulletin.Software Bulletin
The name of each software update executable. If Enable is selected,
all of the executables are enabled. Click the hyperlink to open the
Resource Manager page for the software update.
Update Names
The language and culture of the software update.Culture
The software package that is associated with the update. Click the
hyperlink to open the package’s Resource Manager .
Package
The command line to be run against the package. Click the hyperlink
to open the command-line options dialog to change the recommended
options.
Command Line
Staging and distributing software bulletins and software updates
Software Update Policy Wizard pages
52
Page 53
Using Patch Management
reports
This chapter includes the following topics:
■ About Patch Management Solution for Windows reports
■ About compliance reports
■ About diagnostic reports
■ About remediation status reports
■ About software bulletin reports
■ About the Patch Management home page
■ Viewing Patch Management reports
About Patch Management Solution for Windows
reports
You can view and manage your Patch Management data through reports. These
reports give you information specific to Patch Management Solution for Windows.
For example, you can use compliance reports to determine how many urgent
software updates your managed computers require.
Reports let you view information in various ways. You can see your information
in tables or graphically in charts. You can also drill down on specific items in a
report to obtain additional information.
You can stage or distribute software updates directly from reports by right-clicking
on the update name in the report.
8
Chapter
Page 54
Patch Management Solution for Windows provides the following reports:
■ Compliance reports
See “About compliance reports” on page 54.
■ Diagnostic reports
See “About diagnostic reports” on page 55.
■ Remediation status reports
See “About remediation status reports” on page 55.
■ Software bulletin reports
See “About software bulletin reports ” on page 55.
See “Viewing Patch Management reports” on page 56.
Patch Management Solution for Windows also has a Patch Management home
page. This is a portal page that is comprised of a number of Web parts displaying
results from commonly used reports.
See “About the Patch Management home page” on page 55.
About compliance reports
Compliance reports are the key to quickly determining what software updates
your managed computers require. Compliance reports are used to determine if
computers are up to date with the latest software updates, and also to check if a
particular software bulletin or update is installed on your managed computers.
This is useful if a specific security issue affects your network environment and a
certain update addresses the problem.
When viewing compliance reports from the Patch Remediation Center page, you
can start distributing software updates directly from report results. For example,
if you want to quickly distribute all critical updates, you would sort the report
results by Severity. Then, right-click allcritical updates and click Stage. Then you
can distribute the updates.
See “About staging and distributing software bulletins” on page 46.
You can find the compliance reports in the Symantec Management Console under
Reports > All Reports > Software > Patch Management > Compliance.
Compliance reports are also featured in the Patch Management home page for
easy access.
See “About the Patch Management home page” on page 55.
See “About Patch Management Solution for Windows reports” on page 53.
Using Patch Management reports
About compliance reports
54
Page 55
About diagnostic reports
The diagnostics reports display vulnerability summary and Software Update
Plug-in installation information.
You can find the diagnostics reports in the Symantec Management Console under
Reports > All Reports > Software > Patch Management > Diagnostics.
See “About Patch Management Solution for Windows reports” on page 53.
About remediation status reports
The remediation status reports summarize and detail software update associations
and activities.
You can find the remediation status reports in the Symantec Management Console
under Reports > All Reports > Software > Patch Management > Remediation
Status.
See “About Patch Management Solution for Windows reports” on page 53.
About software bulletin reports
The software bulletins reports summarize and detail software bulletin activity
and status.
You can find the remediation status reports in the Symantec Management Console
under Reports > All Reports > Software > Patch Management > Software
Bulletins.
See “About Patch Management Solution for Windows reports” on page 53.
About the Patch Management home page
The home page is a portal page providing patch managementsummary information
at a glance. The page is comprised of a number of Web parts displaying results
from commonly used reports.
See “About Patch Management Solution for Windows reports” on page 53.
You cannot customize the portal page directly. If you want, you can add patch
management Web parts to other configurable portal pages. For example, the My
Portal page.
You can access the home page by clicking Home > Software> PatchManagement,
and then, under Microsoft, click Updates.
55Using Patch Management reports
About diagnostic reports
Page 56
Only Windows Compliance home page is available. There is no home page with
the information that is related to Adobe.
Table 8-1
Web parts on the Patch Management home page
DescriptionWeb part
Reports on the number of Patch Management licenses
in use, their status, and expiration date.
Microsoft License Status
Reports on the number of Microsoft vulnerabilities
that need to be addressed.
This Web part is also available in a graph form.
Microsoft Vulnerabilities
Reports on the number of patches that were executed
in the past 30 days and how many succeeded or did
not complete.
This Web part is also available in a graph form.
Microsoft Software Update
Delivery Summary
Reports on the number of software bulletins available,
staged, tasks created, and new bulletins in the last 30
days.
This Web part is also available in a graph form.
Microsoft Software Bulletin
Summary
An overall configuration summary, including
computers with the Software Update Plug-in,
computers not reporting inventory, Microsoft Patch
Management and QChain downloads, and so on.
Microsoft Configuration
Summary
Viewing Patch Management reports
Patch Management Solution for Windows provides reports that let you view
detailed information about the updates.
See “About Patch Management Solution for Windows reports” on page 53.
To view Patch Management reports
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, click Reports > Software > Patch Management.
3
Click the report that you want to view.
For example, click Compliance > Microsoft Compliance by Bulletin.
Using Patch Management reports
Viewing Patch Management reports
56
Page 57
4
In the right pane, leave the default settings, and click Refresh.
5
If you want to view more information about an update, right-click on any
update, and click Resource Manager. Each type of compliance report opens
a different Resource Manager , depending on the type of results. For example,
Microsoft Compliance by Computer opens a computer type Resource Manager.
At the bottom of the Summaries tab, under Additional Information, click
the hyperlink to the Microsoft TechNet article on the bulletin.
57Using Patch Management reports
Viewing Patch Management reports
Page 58
Using Patch Management reports
Viewing Patch Management reports
58
Page 59
Replicating Patch
Management data in
hierarchy
This chapter includes the following topics:
■ About replicating Patch Management data
■ About Patch Management Language Alert rule
■ Replicating Patch Management language alerts
■ About Patch Management software update catalog replication
■ Replicating Patch Management import data
■ About Software Update policy replication
■ Replicating Software Update policies
About replicating Patch Management data
Downloading Microsoft and Adobe Patch Management Import files to multiple
Notification Servers can consume considerable network resources and time.
Notification Server hierarchy features remove the need to download Patch
Management Import files individually. You can download the files onceto a single
parent Notification Server and then, with Patch Management replication rules,
send the relevant data to anynumber of child Notification Servers. The replicated
data on the child Notification Servers is identical to the data on the parent.
See “About hierarchy and data replication direction” on page 65.
9
Chapter
Page 60
Before you can replicate data, you must run the Patch Management Language
Alerting rule.
See “Replicating Patch Management language alerts” on page 60.
About Patch Management Language Alert rule
Different Notification Servers within a hierarchy may manage different Patch
Management language resources. The Patch Management Language Alerting
replication rule ensures that child Notification Servers only receive data and
Software Update policies for their managed languages. This rule replicates
information about the managed languages of the child Notification Server up to
the parent. You must run this rule on a child before any attempt is made to
replicate patch management data or Software Update policies. The rule can be
run on a custom schedule or to the standard replication schedules. A parent
Notification Server must manage all of the languages that are required by its
children.
See “Replicating Patch Management language alerts” on page 60.
Replicating Patch Management language alerts
You must run the Patch Management Language Alerting rule on a child before
any attempt is made to replicate patch management data or Software Update
policies.
See “About Patch Management Language Alert rule” on page 60.
To replicate Patch Management language alerts
1
In the Symantec Management Console, on the Settings menu, click
Notification Server > Hierarchy.
2
In the left pane, click Hierarchy > Hierarchy Management.
3
In the right pane, click the Replication tab.
4
Expand the Resources section.
5
Click Patch Management Language Alerting.
6
Click the Edit symbol.
7
Set a schedule to run before running other Patch Management replication
functions.
Replicating Patch Management data in hierarchy
About Patch Management Language Alert rule
60
Page 61
About Patch Management software update catalog
replication
Downloading Microsoft or Adobe Patch Management software update catalog
files to multiple Notification Servers can consume considerable network resources.
Notification Server hierarchy features remove the need to download Patch
Management software update catalog files individually. You can download the
files once to a single parent Notification Server and then, using the Patch
Management Import Data Replication for Microsoft and Patch Management
Import Data Replication for Adobe rules, send the relevant data to any number
of child Notification Servers . The replicated data on the child Notification Servers
is identical to the data on the parent, depending on managed languages.
See “Replicating Patch Management import data” on page 61.
Replicating Patch Management import data
After downloading Microsoft or Adobe Patch Managementsoftware update catalog
files and importing data to a parent Notification Server, you can replicate the data
to any number of child Notification Servers .
See “About Patch Management software update catalog replication” on page 61.
Warning: Before you replicate update catalogs, ensure that the Patch Management
Language Alerting rule has run.
See “About Patch Management Language Alert rule” on page 60.
To replicate Patch Management software update catalog
1
In the Symantec Management Console, on the Settings menu, click
Notification Server > Hierarchy.
2
In the left pane, select Hierarchy > Hierarchy Management.
3
In the right pane, click the Replication tab.
4
Expand the Resources section.
5
Click Patch Management Import Data Replication for Microsoft or Patch
Management Import Data Replication for Adobe.
6
Click the Edit symbol.
7
Under Replicate, select Differential if you want to only replicate changed or
new data. Select Complete to send all Microsoft Patch Management software
update catalog files to child Notification Servers each time the task runs.
61Replicating Patch Management data in hierarchy
About Patch Management software update catalog replication
Page 62
8
Under Schedule, create a custom schedule or select the standard replication
schedule.
9
Under Data Verification, specify a percentage of data to be verified during
each replication, and check Verify data integrity if wanted.
10
Turn on the rule.
11
Click Save changes.
About Software Update policy replication
Software Update policies distribute software updates to the target computers.
See “Distributing software updates” on page 48.
The Patch Management Software Distribution Replication For Microsoft and
Patch Management Software Distribution Replication For Adobe replication
rules use Notification Server hierarchy features to replicate Software Update
policies to child Notification Servers . You only need to create Software Update
policies once on a parent Notification Server, and then replicate them to child
Notification Servers .
Replicating Software Update policies does not replicate the actual software update
files. Child Notification Servers download the needed Software Update files from
the vendor.
See “Replicating Software Update policies” on page 62.
Replicating Software Update policies
You can save time and resources by replicating existing Software Update policies
to child Notification Servers.
See “About Software Update policy replication” on page 62.
Warning: Before you replicate Software Update policies, ensure that the Patch
Management Language Alerting rule and the Patch Management Import Data
Replication rule have run.
See “About Patch Management Language Alert rule” on page 60.
See “About Patch Management software update catalog replication” on page 61.
Replicating Patch Management data in hierarchy
About Software Update policy replication
62
Page 63
To replicate Software Update policies
1
In the Symantec Management Console, on the Settings menu, click
Notification Server > Hierarchy.
2
In the left pane, click Hierarchy > Hierarchy Management.
3
In the right pane, click the Replication tab.
4
Expand the Resources section.
5
Click Patch Management Software Distribution Replication for Microsoft
or Patch Management Software Distribution Replication for Adobe.
6
Click the Edit symbol.
7
Under Replicate, select one or more Software Update policies to be replicated.
8
Select Differential to only replicate changed or new policies, or Complete to
send all Software Update policies to child Notification Servers each time the
task runs.
9
Under Schedule, create a custom schedule or select the standard replication
schedule.
10
Under Data Verification, specify a percentage of data to be verified during
each replication, and check Enable data verification if wanted.
11
Turn on the rule.
12
Click Save changes.
63Replicating Patch Management data in hierarchy
Replicating Software Update policies
Page 64
Replicating Patch Management data in hierarchy
Replicating Software Update policies
64
Page 65
Technical reference
This appendix includes the following topics:
■ About hierarchy and data replication direction
■ About Patch Management security roles
About hierarchy and data replication direction
Patch Management Solution for Windows supports the hierarchy and replication
features of the Symantec Management Platform. These features let you create
settings, schedules, and other data at the top-level Notification Server computer
and replicate them to child-level Notification Server computers.
See “About replicating Patch Management data” on page 59.
Table A-1
Items that are replicated by the default Notification Server
replication schedule with no custom replication rules
Replication directionItem
DownAll the server tasks settings and schedules
(Download QChain, Check Software Update
Package Integrity, Microsoft/Adobe Patch
Management Import)
DownMicrosoft/Adobe Vulnerability Analysis policy
settings
DownMicrosoft and Adobe vendor settings
DownDefault Software Update Plug-in Policy settings
DownSoftware Update Plug-in install, upgrade, and
uninstall policy settings
A
Appendix
Page 66
Table A-1
Items that are replicated by the default Notification Server
replication schedule with no custom replication rules (continued)
Replication directionItem
DownAutomation policy settings
UpSoftware Update policies execution details
Table A-2
Items that are replicated with custom replication rules
DescriptionReplication directionItem
This information is replicated when the Patch
ManagementLanguage Alerting rule is enabled.
UpLanguage
support
information
This information is replicated when the Patch
ManagementSoftware Distribution Replication
for Microsoft/Adobe rule is enabled.
If a child Notification Server computer provided
the language support info before, then the
software update policies on the child only
include the updates that are related to the
supported operating system languages.
DownSoftware
Update policies
This information is replicated when the Patch
Management Import Data Replication for
Adobe/Microsoft rule is enabled.
Only the updates and bulletins that are
associated with the child computer's supported
languages are replicated
DownPatch
Management
Import data
This information is replicated when the
Compliance summary replication rule is
enabled.
The vulnerability analysis is replicated up as a
summary.
UpMicrosoft
Compliance
summary
This
information is
not available
for Adobe.
About Patch Management security roles
You can assign the following security roles to Symantec Management Console
users:
Technical reference
About Patch Management security roles
66
Page 67
■ Patch Management Administrators
■ Patch Management Rollout
Users with Patch Management Administrators role have full access to Patch
Management Solution functionality, but no access to the rest of the Symantec
Management Console.
Users with Patch Management Rollout role have limited access to the following
Patch Management Solution functionality:
■ Software Update policies
■ Reports
■ Patch Remediation Center page
Users with Patch Management Rollout role can perform the following actions:
■ Enable, disable, and change settings in the software update policies.
■ View reports.
67Technical reference
About Patch Management security roles
Page 68
Technical reference
About Patch Management security roles
68
Page 69
A
Adobe Patch Management Import task
about 42
Adobe vendor settings page
about 33
Adobe Vulnerability Analysis page
about 32
analyzing vurnelabilities 32
B
bulletins
about 45
C
Check Software Update Package Integrity task
about 42
checking package integrity 42
compliance analysis
configuring 32
configuring
Adobe settings 31
Microsoft settings 31
Patch Management core settings 29
severity levels 30
updates installation settings 31
vendor settings 31
context-sensitive help 13
Core Services policy
about 33
configuring 29
D
Default Software Update Plug-in Policy
about 35
distributing software bulletins 48
about 46
viewing update summary reports 49
documentation 13
download location 29
Download QChain task
about 43
downloading
QChain 41
software updates catalog 40
downloading software updates. See staging
H
help
context-sensitive 13
hierarchy
replicating data 60–62
home page 55
I
installing
Patch Management Solution for Windows 18
prerequisites 17
Software Update Plug-in 24
inventory
collecting 32
L
licensing
about 21
M
maintenance windows
about 49
Microsoft Patch Management Import task
about 42
Microsoft vendor settings page
about 33
Microsoft Vulnerability Analysis page
about 32
P
pages
Adobe Patch Management Import 42
Index
Page 70
pages (continued)
Adobe settings page 33
Default Software Update Plug-in Policy 35
Download QChain 43
Microsoft Patch Management Import 42
Microsoft settings page 33
Patch Remediation Center 49
Software Update policy wizard 51
Patch Management Import Data Replication rule
about 61
configuring 61
Patch Management Language Alert rule
about 60
configuring 60
Patch Management server tasks
about 39
Patch Management Software Distribution Replication
rule
about 62
configuring 62
Patch Management Solution for Windows
about 11
implementing 15
installing 18
licensing 21
overview 12
recommended workflow 15
upgrading 18
Patch Remediation Center page
about 49
patching
recommended workflow 15
portal page 55
Q
QChain
downloading 41
R
Release Notes 13
relocating packages 42
replicating data in hierarchy 60–62
replication direction 65
reports 53
compliance 54
diagnostic 55
patch management home page 55
remediation status 55
reports (continued)
software bulletin 55
viewing 56
S
security roles 66
severity levels
assigning 30
customizing 30
software bulletins
about 45
configuring installation settings 31
distributing 48
viewing update summary reports 49
Software Update Plug-in
about 23
installing 24
uninstalling 25
upgrading 24
user interface 25
Software Update policy wizard
about 51
software updates
about 45
staging 47
software updates catalog
downloading 40
staging software bulletins
about 46
staging software updates 47
U
uninstalling
Software Update Plug-in 25
updates
about 45
upgrading
migrating data 18
Patch Management Solution for Windows 18
Software Update Plug-in 24
V
vendor settings
configuring 31
vulnerability analysis
configuring 32
Index70
Loading...