Patch Management Solution

I just wanted to say a big THANK YOU for Ludovic's work over the years. Writing and supporting these community tools is largely a thankless task, and I for one have appreciated them immensely.

Kind Regards,
Ian./

This a brilliant piece of work Ludovic. Brilliant.

I think I've resolved my issue now by re-creating the scheduled task that runs the Site Builder using the Global Administrator Account instead of Windows "System". The site is now being re-created nightly and updating as expected. :o)

Hi Ludo (remember setting this up for us a few years back?)

I need some help please...

This was working find for us but since some change (possibly one of our Admins having left and being removed from the console (whome I believe was the ID used to setu the PatchTrending site)..

It's not automatically updating the Site Pages when running the "SiteBuilder" tasks from the scheduled tasks overnight..  The only way to resolve this is to manually run the SiteBuilder-v15.exe on the GNS.

I've re-created the Jobs using the above commands (importexport2 /import "TRENDING Compliance by computer.xml") / etc then created the schedules as shown above but it didn't run last night...

So something fundementally wrong with executing the task through the NS.Scheduler.. Any thoughts?  Attached some Screenshots and Logs.

Thanks, Steve..

I'm not sure this will help you 2 years later, but I'll post it for future readers. If using the non-standard install path with a drive other than C:\, you'll need to modify the RunOnce task to change the drive letter before adding the CD command for your install path. My script was failing after 1 second when I first ran it, but completed successfully after changing it to such:

REM Move to the running folder - by default we run under /Altiris/NS/PatchTrending
D:
cd "D:\Program Files\Altiris\Patch Trending\"
SiteBuilder.exe /install

Hi,

Has anyone installed this on a 7.6 SMP from scratch?  I have an SMP on 7.6 HF7 and when I try to run sitebuilder.exe /install I get the following error:

Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'Altiris.NS, Version=7.1.8280.0, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f' or one of its dependencies. The system cannot find the file specified. File name: 'Altiris.NS, Version=7.1.8280.0, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f' at Symantec.CWoC.PatchTrending.SiteGenerator.Main(String[] args) WRN: Assembly binding logging is turned OFF. To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1. Note: There is some performance penalty associated with assembly bind failure logging. To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].

Any help would be appreciated.

Thanks

Hi Ludovic,

The charts finally started populating data after a couple of days. I gave up on the custom right click action.

Everyone likes the patch trending portal here.

Thanks,

Tomasz

Hi Ludovic,

After successful implementation in the lab I installed it in the production. However I have the following questions

1. The data is collected but the main page http://localhost/altiris/ns/patchtrending/ does not draw the Compliance by Computer and Inactive Computers charts ?
   
   When I replace manually the index.html file with the index.html from the lab the all 4 charts are displayed, the two bottom graphs are still empty.
   
   After running the 'Run SiteBuilder (Patch Trending)' the file is overwritten and again only the two top charts 'Installed versus Applicable' and Compliance are rendered.
    
2. Our Patching world is divided between clients and servers. Their have different policies. Is it possible to displaytwo separate sites for 2 diffrent filters, that is compliance for servers and compliance for clients ?
    
3. The context menu righ click action for bulletin is not populated. Not sure what I am doing wrong. I checked it 3 times.

Many thanks in adance.

Tomasz

Hi Ludovic,

I am trying to make it up and running, first in lab then in production.

Here is the feedback from my installation.

• Install.bat does not detect installdir path and does not create a new folder. I cannot say why, I disabled echo and still nothing.

I created the folder manually

• If you have a non standard location cd command without /d switch does not work in RunOnce SiteBuilder (Install SQL code) task.

I added /d swith and run the task again with success. My code is as follows:

REM Move to the running folder - by default we run under /Altiris/NS/PatchTrending
cd /d "e:\Program Files\Altiris\Notification Server\Web\PatchTrending\"
SiteBuilder.exe /install
 

•  It fails to import the last item on the list. I do not know why.

AeXImportExport being run with command line:/import Patch Compliance trends
Failed to import folder [Patch Compliance trends]. The folder must have thisFolder.xml file in it.

So I imported it using the context menu into Jobs and Task view.

• I would add info that you need to run the scheduled tasks at least one time otherwise on   http://localhost/altiris/ns/patchtrending/ page you get 403 errror

HTTP Error 403.14 - Forbidden

The Web server is configured to not list the contents of this directory.

• Resetting IIS would not make any harm too.

Apart from that great work.

Thumb up from me !

Tomasz

I have seen those problems with the credentials being used in R7, but that was for the Task Services.

This was because the R7 release introduce a secure package credential store that was not there before, and part of the agents where not able to read this and would fall back to the computer domain account.

Can you confirm that you are on R7? Did you install the agent pointfix for R7 that solves the package access credential problems (7.1_SP2_MP1.1_V7_PF3366024)?

It seems unrelated, but we'll see!

It doesn't, it gives the error :

C:\Windows\system32>REM Move to the running folder - by default we run under /Altiris/NS/PatchTrending
C:\Windows\system32>cd "F:\Program Files\Altiris\Patch Trending\"
C:\Windows\system32>"F:\Program Files\Altiris\Patch Trending\SiteBuilder-v15b.exe"
We cannot execute anything as the prerequisite table TREND_WindowsCompliance_ByUpdate is missing.

I can however run the sitebuilder.exe from a command prompt on the server and that does work.  I'll set up a scheduled task similar to what PHoward had to do.  Thanks for your help!

Here is version 15b for test purposes:

https://www-secure.symantec.com/connect/sites/default/files/SiteBuilder-v15b.zip

Can you check if this helps at all?

I looked in the logs on the SQL server and I'm seeing a "Login failed for user 'DOMAIN\SERVERNAME$'"  I have redacted the actual domain and server name but why is it trying to login with the local system account to the DB?  Our SQL is off box, shouldn't it be attempting to connect using the Altiris application credentials we have configured?

Hello Dgott20,

The probl;em phoward was having related to the security mechanism in place on the tool that check the running account is member of the Symantec Administrator role.

For some strange reason this check fails when running from the Taskon his (and probably your) server. I did a build that removed this check, but he still had issues running from the Task inside the SMP, then because the acocunt couldn't access the database for some more odd reasons.

We ended up running the task from the Windows Scheduler has both he and I couldn't invest too much time looking into this.

I'll fish out the new build for you and will post it here later on today.

What did you do to resolve the issue that PHoward was having?  I'm having the same problem.

You are almost there but not quite ;-).

There's no need to modify the stored procedure. Rather you should modify the SQL task that runs daily on the SMP to add the collection guid.

Here is what the task SQL task should look like now:

exec spTrendPatchCompliancebyComputer

And what you want it to look like:

exec spTrendPatchCompliancebyComputer @collectionguid = '<your collection guid>'

Just make sure the same scope is used in the Compliance by Update procedure as well, so we gather data consistantly.

Ludovic, just to be clear, I need to modify the:

spTrendPatchCompliancebyComputer

And modify the @collectionguid as uniqueidentifier ?

Do I need to modify the other Trend SP's?

Thanks

Thanks, will try today.

Hello cpark,

Thanks for your feedback. It's much appreciated :D.

You sure can change the 'target'. There is an optional parameter named @collection in the trending SQL. Just use the filter guid you want and your patch trending will work for the desired set of computers.

Note that we do work with a filter - not a target there.

This is so awesome...

Any way to change the targetted computers?  Meaning I only want to see the windows 7 endpoints?

Hello PHoward,

It looks like you have not installed the stored procedures into the database, or may be not into the Symantec_CMDB as previously indicated [1].

What do the data gathering task look like? If they worked then we have an issue with sitebuilder not getting to the right database, else it's just a matter of putting the procedures in the right location ;).

PS: If you need hands on help (this is kind of dragging now) please contact me via direct message and we'll work something out.

[1] https://www-secure.symantec.com/connect/articles/adding-patch-trending-your-symantec-management-platform-step-step-guide#comment-9819721

Yes, I started the 3 tasks and the sitebuilder to run this evening.  I will update tomorrow with results.

Yes, you can try. I still doubt it'll work, but we shall see.

PS: did you schedule the data gathering procedures? The tasks that will run the stored procedures against the SQL database.

Done...Did you want me to try and run the "Run Sitebuilder (Patch Trending)" Task?

Hello again phoward74,

I am double checking this. In the mean time what you should to is insert the SQL procedures manually (from the management studio).

They are available in a download:

https://www-secure.symantec.com/connect/downloads/cwoc-patch-trending-stored-procedures

This should get you past Step 1. Once the procedures are in place they should work without problem in the SQL tasks.

However I foresee that the sitebuilder will most likely have the same issues connecting to the database... so you'll be able to get grid based report in your console, but not the full site yet.

But we can work on that whilst data is collected on your server (it takes a few days before the charts get really interesting).

The Service Acct is an SA and we use it to access the DB.  When we set everything up, we the account SA and didnt change it.  If that needs to be changed to owner we can.

Alright. It sounds like your setup is a little specific. Do you use a SA acocunt to access the DB? It's rather strange, because I get the database context from the built-in provider...

I was in the NS and ran than from the service account we have set that is a Symantec Admin.  I tried from my account which is also a Symantec Admin with the same results.  The service account has access to the SQL DB, but mine does not.

Hum... can you check that the task runs under a privileged account (the appid)?

There's no reason for the task context ot to have access to the DB, or the connection to not work.

Hello phoward74,

-1 indicate an error in all cases.

Can you change the task so it captures the output? This will allow you to check the ouput.

Alternatively you can run "site-builder.exe /install" from the command line (as Administrator) and send me the output here.

When I run the "RunOnce Sitebuilder (Install SQL code)" Task, it fails with a Return Code : -1.  It only runs for about 3 seconds, and in the Log Viewer there is no errors.  It states completed.  Is this a false error, or did it really not run?

Hello Vinayak,

You can manage the SMP and other servers via Patch Management, no problems. Just make sure you get some Server licenses first ;).

Hi ,This is good article for  patch managment.

Can you help me with document for patching of  Symantec Notification server  itself ?

Regards 

Vinayak Patil

Thank you for sharing this, very valuable to business to show patch trending

I am trying to update the article with additional information, but it's not workring for now.

In the mean time here is the extra data I wanted to put in:

Installing:

Note! If your SMP is _not_ installed using the default drive and path you'll need to customise the installation directory - see below for the details.

Open an elevated command prompt and go to your package directory to run "install.bat".

The installation process will:

• ...

The destination folder by default is: "C:\Program Files\Altiris\Notification Server\Web\PatchTrending\". This allow you to navigate to the generated site via the link http://localhost/altiris/ns/patchtrending/.

Conclusion:

With the data collection and site builder scheduled to run you should be able to see some results after a couple of nightly execution (the first night should build up the site with empty graphs and the second night will bring in the data required to draw lines).

Here is the link you'll need to use to access the site builder landing page:

http://<your_smp_name>/altiris/ns/patchtrending

Note that if you have configured the IIS to listen to a different port the port number will have to follow the smp host name or fqdn, with a colon delimiter (i.e. http://<your_server>:8080 if you have changed the default port to 8080).