Workflow and ServiceDesk Community


Workflow Template - Zero Day Patch 

Oct 25, 2013 11:41 AM

About the Zero Day Patch Template

The Zero Day Patch Workflow Template runs automatically on a schedule to identify, stage and create policies for bulletins/patches that meet a pre-defined set of criteria.

The above video and attached document will help you download, configure, test and deploy the attached Workflow Template. Although the template is built to run as is, you can modify the project in Workflow to meet the unique process and goals of your organization.

Attachment(s)
package file
Symantec.Patch_.Zero_Day.package   1.21 MB   1 version
Uploaded - Mar 11, 2020
pdf file
Zero_Day_Patch_Install.pdf   3.02 MB   1 version
Uploaded - Feb 25, 2020


Comments

Nov 02, 2018 11:42 AM

There's a new API in SMP 8.5

  • Disable Bulletins

SMP - Patch Management - Disable Bulletins
https://www.symantec.com/connect/articles/smp-patch-management-disable-bulletins

Aug 01, 2017 04:42 AM

@mafoe did you change this in the component itself?

Is this when you run in Debug or Published?

What App Pool is the workflow running as?

Aug 01, 2017 04:39 AM

Hi Jason,

 

First of all, thanks for the effort put into creating that workflow.

I hope you are still into this, 'cause I ran into an authentication problem at the 'spPMCoreReport_SoftwareBulletinSummary' component. It ignores the user account in the SQL connection string and instead tries to connect to the database with the one from the NSAuthentication token, and it uses that without the domain prefix or tries to connect as a local SQL account - which it isn't.

 

Kind Regards,

Matthias

Jul 21, 2017 07:42 AM

Thank you for this great workflow implementation!

May 18, 2017 03:45 AM

Hi,

I have a question about policy handling.
I have deployed the workflow with two different option sets.

Workflow 1:
Server 1
Server 2

Workflow 2:
Server 3
Server 4

Now workflow 1 is running and finds some bulletins and creates a policy with srv1 and 2 as target.
What happens if workflow 2 is running and finds the same bulletins? Does the workflow overwrite the policy or add the two servers to the existing policy?

Thank you very much!

 

Best Regards,

Stephan

 

May 17, 2017 04:01 AM

-.-

The problem was an empty string in Vendor_Filter array.

 

Thank you!

May 17, 2017 03:55 AM

Hi,

Can anyone help me out with this issue?

___runtime_Linked_Model_Flag = True
CurrentVendorGUID = ""
ErrorMessage = " cannot be converted to a Guid"
LastComponent = "sp PMCore Report_ Software Bulletin Summary"
ModelID = "7cf7eb9c-9437-11e2-a847-000c294e9052"
ReportProcessID = "Patch-0Day-000297"
StackTrace = "   at LogicBase.Components.Default.DataTypes.GuidDataHandler.doConvert(Object o)
   at LogicBase.Core.Data.DataTypes.VariableOrValueDataType.GetValue(IData data)
   at spPMCoreReport_SoftwareBulletinSummary.SqlQuery.spPMCoreReport_SoftwareBulletinSummary.Run(IData data)
   at LogicBase.Core.ExecutionEngine.SinglePathProcessComponentExecutionDelegate.Execute(IData data, IOrchestrationComponent comp, String& outputPath, IExecutionEngine engine, TLExecutionContext context)
   at LogicBase.Core.ExecutionEngine.AbstractExecutionEngine.RunComponent(TLExecutionContext context, IData data, IOrchestrationComponent comp)"

I think it can't handle the GUID of the Bulletin.

 

Kind Regards,

Stephan

May 11, 2017 10:42 AM

May 11, 2017 03:25 AM

Hello,

 

I have some trouble with timeouts in my workflow.
Does anyone have ideas to solve the problem?

 

Error Message: The operation has timed out
Stack Trace: at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request) at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at PatchWorkflowSvcDynamicService.PatchWorkflowSvc.EnsureStaged(String bulletinGuids, Boolean sync) at PatchWorkflowSvcDynamicService.EnsureStaged.Run(IData data) at LogicBase.Core.ExecutionEngine.SinglePathProcessComponentExecutionDelegate.Execute(IData data, IOrchestrationComponent comp, String& outputPath, IExecutionEngine engine, TLExecutionContext context) at LogicBase.Core.ExecutionEngine.AbstractExecutionEngine.RunComponent(TLExecutionContext context, IData data, IOrchestrationComponent comp)
Report Process ID: Patch-0Day-000220
Model ID: 7e82176f-0fe0-11e2-85c7-005056a27acc
Last Component: Ensure Staged


 

What can I do?

 

Best Regards,

Stephan

Mar 02, 2017 07:58 AM

Sorry, I fixed the problem by myself.

Many thanks to everyone :-D

Mar 02, 2017 06:52 AM

Hi Boys and Girls,

 

I have a problem while running Zero Day in debug mode.

 

___runtime_Linked_Model_Flag = True
CurrentVendorGUID = "00000000-0000-0000-0000-000000000000"
ErrorMessage = "Keyword not supported: 'inital catalog'."
LastComponent = "sp PMCore Report_ Software Bulletin Summary"
ModelID = "7cf7eb9c-9437-11e2-a847-000c294e9052"
ReportProcessID = "Patch-0Day-000107"
StackTrace = "   at System.Data.Common.DbConnectionOptions.ParseInternal(Hashtable parsetable, String connectionString, Boolean buildChain, Hashtable synonyms, Boolean firstKey)
   at System.Data.Common.DbConnectionOptions..ctor(String connectionString, Hashtable synonyms, Boolean useOdbcRules)
   at System.Data.SqlClient.SqlConnectionString..ctor(String connectionString)
   at System.Data.SqlClient.SqlConnectionFactory.CreateConnectionOptions(String connectionString, DbConnectionOptions previous)
   at System.Data.ProviderBase.DbConnectionFactory.GetConnectionPoolGroup(DbConnectionPoolKey key, DbConnectionPoolGroupOptions poolOptions, DbConnectionOptions& userConnectionOptions)
   at System.Data.SqlClient.SqlConnection.ConnectionString_Set(DbConnectionPoolKey key)
   at System.Data.SqlClient.SqlConnection.set_ConnectionString(String value)
   at System.Data.SqlClient.SqlConnection..ctor(String connectionString, SqlCredential credential)
   at spPMCoreReport_SoftwareBulletinSummary.SqlQuery.spPMCoreReport_SoftwareBulletinSummary.GetConnection(IData data)
   at spPMCoreReport_SoftwareBulletinSummary.SqlQuery.spPMCoreReport_SoftwareBulletinSummary.Run(IData data)
   at LogicBase.Core.ExecutionEngine.SinglePathProcessComponentExecutionDelegate.Execute(IData data, IOrchestrationComponent comp, String& outputPath, IExecutionEngine engine, TLExecutionContext context)
   at LogicBase.Core.ExecutionEngine.AbstractExecutionEngine.RunComponent(TLExecutionContext context, IData data, IOrchestrationComponent comp)"

 

Can anybody help me a little?

 

Best Regards,

Stephan

Feb 15, 2015 10:56 PM

Guys Question..

I have my workflow manager installed on my SMP.

Here are my questions:

1. I can't determine the basis for bulletin download (is it date released, revised, compliance).

2. Can the superseded bulletins still be downloaded?

3. How to correctly publish the zero patch template on SMP?

I have a schedule for the workflow to run at a certain time. I have downloaded the patch and deleted the created policies but it didn't recreate them when the schedule kicks in. Also I did not receive that no bulletin is available.

Feb 10, 2015 03:47 AM

Just a question.. I am encountering a redownload of patches.. I already have them but whenever the schedule set on workflow kicks I see patches being downloaded on Altiris Log Viewer..

Feb 01, 2015 08:46 PM

I already have it recognizing the GUID of my filter.

I am inputting the values on the process manager portal and they are not being recognized by workflow hahaha.

My luck, it happened out of my curiosity to click the link of my project on application properties on workflow manager that leads me to correct page on where I should input the values needed.

Thanks guys!!

Jan 30, 2015 09:33 PM

The GUID causes the error?

When I installed the workflow.. I also installed the process manager portal and process manager database.. And that's where I have uploaded the application profile for this project and input the GUIDs.. I'm wondering if the data is being processed by workflow from the data I have put on the service desk portal..

Jan 30, 2015 09:14 PM

if you get a result back, then you're GUID.

Jan 30, 2015 09:08 PM

Thanks guys!!!

Tried accessing http://localhost/itemmanagementservices.asmx and it display The resource cannot be found.

Tried accessing http://localhost/Altiris/ASDK.NS/ItemManagementService.asmx and it redirect me to the ItemManagementService page.

There are two items named GetItemByGuid; the other one has a text on the bottom "MessageName="GetItemsInFolderX". On the first GetItemByGuid, there's a box to test the GUID I think (To test the operation using the HTTP POST protocol, click the 'Invoke' button). I put in the GUID that I extracted from SQL and I see the name of the filter that I've created.

I think it's working? hahaha what to do next?

Jan 30, 2015 04:57 AM

http://localhost/Altiris/ASDK.NS/ItemManagementService.asmx

 is what i assume you're trying to reach.

Jan 30, 2015 04:03 AM

Marilou,

be sure you add the servername in the url (eg. http://localhost/itemmanagementservices.asmx)

Jan 30, 2015 03:58 AM

Hi Nonos,

I've tried typing http://itemmanagementservices.asmx but there's nothing to display (Internet Explorer cannot display the web page). Am I doing it right??

It's my first time trying out this process.. I will be grateful if you can help me on troubleshooting steps that i should perform.

Thanks!

Jan 26, 2015 09:04 AM

Hi,

 

Did you try to use the GUID given in the error log on the Web Service itself?

Like you open a web browser and type in the URL to the "itemmanagementservices.asmx" and you'll get a list of all available methods in which you'll find "Get Item By GUID".

When you try that, do you get the item itself or does it crash?

If it crashes, it mainly means that the GUID you are using does not correspond to any item.

Been working a lot on 7.1 SP2 but don't know if things are still out there in 7.5.

Hope this helps.

Regards,

Cédric

 

Jan 26, 2015 12:38 AM

Hi Africo,

I only have 1 Altiris on my lab.. the GUID that i have provided on the project is for my target filter (extracted from SQL)..

I attached the image on the part where the process stops..

Thanks for your comment.. Appreciate your help on this.

 

Jan 25, 2015 10:50 PM

I'm not familiar with that project, but it looks as though you're either mixing two altiris environments (grabbing an item from one database and then trying to save it to another; the GUID may not exist in both places) or the mappings aren't correct somewhere.  That's just a guess though; check any mapping components to ensure you're mapping the item guid properly.

Jan 25, 2015 10:44 PM

I'm getting this error when running the project on debug mode. Can anyone help me pinpoint the problem here?

CurrentResourceGUID = "D27E6007-9A73-4E22-92AE-95BA7AA9A40E"
ErrorMessage = "System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Exception: The specified item guid does not exist.
   at Altiris.ASDK.NS.ItemManagementLib.GetItemByGuid(Guid itemGuid)
   at Altiris.ASDK.NS.Web.ItemManagementService.GetItemByGuid(Guid itemGuid)
   --- End of inner exception stack trace ---"
IteratorPrefix_c487e7b2-9591-11e2-a847-000c294e9052 = 0
LastComponent = "Get Item By Guid Component"
ModelID = "e317bec1-0fe0-11e2-85c7-005056a27acc"
ReportProcessID = "Patch-0Day-000162"
ShortDateString = "1/26/2015"
StackTrace = "   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Altiris7.WebServices.Item.ItemManagementService.GetItemByGuid(Guid itemGuid)
   at Altiris7.WebServices.Item.GetItemByGuidComponent.Run(IData data)
   at LogicBase.Core.ExecutionEngine.SinglePathProcessComponentExecutionDelegate.Execute(IData data, IOrchestrationComponent comp, String& outputPath, IExecutionEngine engine, TLExecutionContext context)
   at LogicBase.Core.ExecutionEngine.AbstractExecutionEngine.RunComponent(TLExecutionContext context, IData data, IOrchestrationComponent comp)"
Today = 1/26/2015 11:37:00 AM

Jan 23, 2015 02:23 AM

Hello guys,

Please share me a guide on how to do it without Process Manager....

Also, is the process still the same for 7.5 SP1?

Thanks!!

 

May 08, 2014 07:47 AM

Thanks for your comment Harris. Eventually you put me on track with this. It happened to be that the workflow was crashing when it reached the stage where it needed to send the email. As I explained already, I needed to convert the application properties to global properties because we do not have the process manager installed in our environment. It seems that when a workflow is published, for some reason it cannot correctly handle some of the global variables. After I converted the global variables which were related to email to project properties, it started to work.

I will definitely start looking at implementing the process manager as for this purpose I see a lot of benefits there.

Well .... at least for now this is working, but I may need to convert the variables again at some point to application properties :)

May 07, 2014 10:28 AM

Try putting a "Create Log Entry" component at the very beginning of your Workflow, and set the logging level to "Fatal". Then save/publish the workflow and open your Log Viewer. You will be able to see your log entry component write a fatal error to the logs. This is a great way to confirm whether the Workflow ran or not.

May 07, 2014 04:48 AM

Hello,

Because I wasn't able to install Process Manager on my workflow server, I had to disable the application properties. I have 'converted' the application properties to global properties and that works fine. It's a bit less flexible, but for us still very acceptable. I obviously also changed all the components which were using values from the application properties and when I run the workflow in debugger, I get exactly the result that I expect. Currently the result is that I get an email telling that no bulletins were available and all the variables in the email are filled with correct data.

Now the problem ...... once I publish the workflow, it will not send any emails anymore. Besides, I cannot really check if it has been running on the defined schedule so I have no clue if it has been running on the schedule. That's one of the nice features of Process Manager, but not available for me at this point.

Is there anyone out there who knows why email works when running the workflow in debugger and why it doesn't if it's published?

And then it would be also nice if I could somehow trace if the workflow has been running.

I published the workflow on my workflow server, which is a different one than the SMP server but that shouldn't make a difference, should it?

Any input is very welcome.

Hendrik

Mar 05, 2014 06:35 AM

Hi Pascal,

Keep us updated on how this is going for you, I got this working in my lab and have a few tips to help along the way.

1) When you test the workflow by running the debug, it should run through, enable the policy but then the workflow will start again. This is because the workflow is set to "autorun" and in a live environment this is kicked off at a certain time and will only run once. So be sure to not let the workflow continually run in debug mode or you will have lots of policies and a server slowdown. In fact close it after letting it run through twice and you should have the following as a result.

  • An email stating the patches enabled / a policy with the patches enabled targeting your specific target
  • A second email stating that there were no patches to install from the second run of the workflow (provided you set the setting below)

There is a setting in the config page to "ignore staged policies" or something similar (I don't have access to a console right now to tell you the exact setting wording) so basically it does not duplicate policies.

Hope this helps

 

Rich

 

Mar 05, 2014 06:23 AM

Hello Pascal KOTTE,
 
Any body know what is the Application property "Age_filter"
 
I think it is a number of Days Backward to look for bulletins. In other words only bulletins released during last N days(N is value of Age_Filter) will be used in this process.
 
I also try to switch https to http; same issue... Here the settings I was using.
PatchWorkflowSvcURL http://tms1.itsm.demo/patchmanagementcore/patchworkflowsvc.asmx 
 
It looks like PatchWorkflowSvcURL is mistyped in your settings. I guess http://tms1.itsm.demo/altiris/patchmanagementcore/patchworkflowsvc.asmx should work.
 
Thanks,
Roman
 

Mar 02, 2014 07:24 PM

Must also say; Workflow installed with a domain service account; was needing to change the Application pool Identity for Process Manager to run using "NETWORK SERVICE" for Portal process manager able to open. But NETWORK SERVICE has the right on Patch also, this service account is also the Altiris server service account. I added the rights on windows\temp, and framework folders...

I also try opening with domain admin account; same error.

Mar 02, 2014 07:17 PM

I wanted to verify the workflow is able to process only "missing" and "applicable" Bulletins, not "all" including useless ones...

And also: if able to avoid requesting to edit each policy manually; to add the pilot2 group; and another time for PROD1 group; and a 3rd time the PROD2 final group in addition. As we must deploy "by wave", for validation steps: It is absolutely required being able to associate all those automated policies, to a single "editable" target, so we can switch all the policies; to next wave level with a single simple change. NOT needing to edit each 30 to 60 or more policies; to add the additional wave targets. If you deploy in 4 waves: this will ask for about 120 to 240 "edit" operations per month on this so "quick answering" Altiris web console (just joking about "quick")...

I feel we will have to create a new "Named target" each month, and edit the GUID inside the DATA/Application properties: "Zero Day Patch settings". So we will be able to edit and change a single "Named target" 4 times, for extending each week; the additional targets with the next wave of computers to deploy patches this month... Instead of editing 30 policies or more, 4 times ;-)

Mar 02, 2014 07:03 PM

I also try to switch https to http; same issue... Here the settings I was using.
 
Zero Day Patch Settings

Category: Not Set
    IsDefault: True
    InstanceName: Default

Category: Configuration
    Enable_New_Policy_After_Creation: True
    Resource_Targets_To_Apply_To_Policy: 25353043-FA7D-4B25-A416-9237EEC2B156

Category: Connection
    PatchWorkflowSvcURL: http://tms1.itsm.demo/patchmanagementcore/patchworkflowsvc.asmx
    Symantec_CMDB_ConnectionString: Data Source=(local);Initial Catalog=Symantec_CMDB;Integrated Security=SSPI;

Category: Email
    Email_Server: 192.168.100.10
    Email_To_Address: service.altiris@itsm.demo
    Email_From_Address: PatchZeroDay.tms1@itms.demo

Category: Filter Settings
    Age_Filter: 15
    Ignore_Bulletins_With_Policies: True
    Ignore_Staged_Bulletins: False
    Vendor_Filter: 00000000-0000-0000-0000-000000000000
    Platform_Filter: Any
    Severity_Levels_To_Analyze: Critical, Important, Unclassified
 
So I will perhaps needing to test if "Symantec support" will support this; or not :)
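
Added example, not part of any comment and not the template's own code: a pre-flight check for the "Zero Day Patch Settings" values that catches, before the workflow is published, the failures reported in this thread (an empty entry in a GUID list, a misspelled connection-string keyword, a service URL that does not answer). It assumes Windows PowerShell 5.1; the function name Test-ZeroDaySettings and its parameter names are hypothetical, and the sample values are constructed from the settings and error messages posted here.

```powershell
# Added example (Windows PowerShell 5.1). Test-ZeroDaySettings and its
# parameter names are hypothetical, not part of the workflow template.
Add-Type -AssemblyName System.Data

function Test-ZeroDaySettings {
    param(
        [string[]]$VendorFilter,
        [string[]]$ResourceTargets,
        [string]$ConnectionString,
        [string]$PatchWorkflowSvcUrl,
        [switch]$ProbeUrl   # off by default so the check runs offline
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # 1. Every entry of a GUID list must parse. An empty entry is what
    #    produced '" cannot be converted to a Guid"' in the thread.
    $guidLists = @(
        @{ Name = 'Vendor_Filter'; Entries = $VendorFilter },
        @{ Name = 'Resource_Targets_To_Apply_To_Policy'; Entries = $ResourceTargets }
    )
    foreach ($list in $guidLists) {
        $index = 0
        foreach ($entry in $list.Entries) {
            $parsed = [guid]::Empty
            if (-not [guid]::TryParse($entry, [ref]$parsed)) {
                $problems.Add("$($list.Name)[$index]: '$entry' is not a GUID")
            }
            $index++
        }
    }

    # 2. Let SqlClient's own parser judge the keywords, so a misspelling
    #    such as 'inital catalog' fails here rather than at run time.
    #    Only the parser's message is reported, never the string itself,
    #    so a password in the connection string is not echoed.
    try {
        $null = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $ConnectionString
    } catch {
        $problems.Add("Symantec_CMDB_ConnectionString: $($_.Exception.GetBaseException().Message)")
    }

    # 3. The service URL must be an absolute http(s) URI. With -ProbeUrl
    #    it is also requested, which surfaces an HTTP 404 up front.
    $uri = $null
    if (-not [uri]::TryCreate($PatchWorkflowSvcUrl, [System.UriKind]::Absolute, [ref]$uri) -or
        $uri.Scheme -notin 'http', 'https') {
        $problems.Add('PatchWorkflowSvcURL: not an absolute http(s) URL')
    } elseif ($ProbeUrl) {
        try {
            $null = Invoke-WebRequest -Uri $uri -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        } catch {
            $problems.Add("PatchWorkflowSvcURL: $($_.Exception.Message)")
        }
    }

    $problems
}

# Constructed input reproducing two failures reported in the comments:
# an empty Vendor_Filter entry and the 'Inital Catalog' misspelling.
$settings = @{
    VendorFilter        = @('00000000-0000-0000-0000-000000000000', '')
    ResourceTargets     = @('25353043-FA7D-4B25-A416-9237EEC2B156')
    ConnectionString    = 'Data Source=(local);Inital Catalog=Symantec_CMDB;Integrated Security=SSPI;'
    PatchWorkflowSvcUrl = 'http://tms1.itsm.demo/patchmanagementcore/patchworkflowsvc.asmx'
}
$found = @(Test-ZeroDaySettings @settings)
if ($found.Count) {
    $found | ForEach-Object { Write-Warning $_ }
} else {
    'Settings look consistent.'
}
```

Run it with -ProbeUrl from the workflow server, under the account the published workflow uses, so the URL check sees the same name resolution and permissions as the workflow.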
 
 
 

Mar 02, 2014 06:56 PM

The URL setup is not answering:

http://tms1.itsm.demo/patchmanagementcore/patchworkflowsvc.asmx

Server Error in '/' Application.

--------------------------------------------------------------------------------
 
The resource cannot be found. 
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable.  Please review the following URL and make sure that it is spelled correctly. 
 
Requested URL: /patchmanagementcore/patchworkflowsvc.asmx/Default.aspx
 
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:2.0.50727.5477; ASP.NET Version:2.0.50727.5479 
All the same; the page seems there...
 

Mar 02, 2014 06:33 PM

Well: Email notify

Error Message: The request failed with HTTP status 404: Not Found.
 
Stack Trace: at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at PatchWorkflowSvcDynamicService.PatchWorkflowSvc.EnsureStaged(String bulletinGuids, Boolean sync) at PatchWorkflowSvcDynamicService.EnsureStaged.Run(IData data) at LogicBase.Core.ExecutionEngine.SinglePathProcessComponentExecutionDelegate.Execute(IData data, IOrchestrationComponent comp, String& outputPath, IExecutionEngine engine, TLExecutionContext context) at LogicBase.Core.ExecutionEngine.AbstractExecutionEngine.RunComponent(TLExecutionContext context, IData data, IOrchestrationComponent comp)
 
Report Process ID: Patch-0Day-001007
 
Model ID: 7e82176f-0fe0-11e2-85c7-005056a27acc
 
Last Component: Ensure Staged
Workflow logs:
Application Name : Symantec.Patch.Zero_Day
Process ID : 5780
Date :3/3/2014 1:10:50 AM
Log Level :Error
Log Category :LogicBase.ExecutionEngine.Delegates
Machine Name : TMS1
Message : 
the component Setup Process declares that it outputs variable [PolicyName] of typeString but did not.  
followed by:
Application Name : Symantec.Patch.Zero_Day
Process ID : 5780
Date :3/3/2014 1:10:52 AM
Log Level :Error
Log Category :PatchWorkflowSvcDynamicService.EnsureStaged
Machine Name : TMS1
Message : 
Exception at Run method with message :The request failed with HTTP status 404: Not Found.
Finishing with:
Application Name : Symantec.Patch.Zero_Day
Process ID : 5780
Date :3/3/2014 1:10:52 AM
Log Level :Error
Log Category :LogicBase.ExecutionEngine
Machine Name : TMS1
Message : 
Exception was thrown from the exception handling model in project.
 
Is an installed service desk a requirement? Because I do not have one, and the PDF talks about "Tickets" I don't have...

Mar 02, 2014 03:15 PM

And what about the Ludovic tools ?

and about this more light and simple option ?

was initially designed for 7.0 but perhaps reusable for 7.5? But probably less features :) OK just joking. But... ?

Mar 02, 2014 01:12 PM

Any body know what is the Application property "Age_filter"; with default '15' value not explain in the PDF :(

I guess about 15 days old maximum for activation and processing ? But not sure about :)

If it is; we should extend it for a start; with older bulletin to be auto-activated?

Feb 28, 2014 04:10 PM

Good point, you are very right: If not supported from Symantec support, not "part" the SMS or CMS or Patch Solution support, not an "integrated" supported extension...

But I do not see any disclaimer, or EULA, and this Workflow is published and accessible from "Workflow Manager", part of the solution. So legally, they forgot to "exclude" it from support explicitly, and so, it should be part of the solution. Of course; if support refuses to open the case; the support will take some additional time and cost; to be fulfilled; after a legal pursuit and so on ;)

I will try this, and open a case if I got an issue... We'll see if I got one ;)

Feb 28, 2014 02:14 PM

I guess you are not that much wrong Pascal, as I think this is just a workflow outside of Symantec product release, meaning it might not (I could be wrong here too :) be supported by support. But it gives you a very good start on automating the patch.

Feb 28, 2014 01:23 PM

Thanks a lot; I was seeing this feature inside the "What's new under 7.5" but was absolutely not able to find it after installing 7.5, reading all patch doc manuals, or trying to find it under Connect, any 7.5 patch area or CMS or SMS; I was not able to find anything about this Workflow.

I was not thinking about installing the workflow designer first, and then going to look inside this nice "solution center" I did not know about before... That's why I was thinking it was a false promise from Symantec. Happy to see I was wrong.

Dec 20, 2013 10:36 AM

Hi Jason, I am not good with workflow, and need some help with this workflow. Once policies are created and the email is sent, can we have another approval process that will add the other targets based on the response by the application owner?

For example, policies are created and tested on the test target; now we want to add other targets but based on which team has tested. How can this be completed? I am hoping the end user can go on a console and click on a check mark next to their targets and that be added?

Nov 01, 2013 05:36 PM

Very nice Jason - thanks !
