Client Management Suite

Looking for input about what to do when all my PC's have been patched by a software policy. Do you just delete the policy? Or do you disable and then delete? And when I delete the policy, does it remove the stored files from the server? If not, how do I reclaim that space? Appreciate any input.

Tommy 

Becasue our environment is always changing, new PC's on the network, old ones getting reloaded etc, we have decided to leave all security updates enabled for 1 year after they were initially rolled out. This covers us in the event of a new system entering the network that maybe didn't get a patch installed during it's initial setup. Each month while I stage the new round of patches I also disable the ones that have reached thier year end and then delete the task. 

Shannon

Thanks for the reply Shannon. So I guess my question would be is when you delete the task/policy, does that also delete the file off the server? Or do I need to go somewere in my file structure to reclaim that space? Thanks again for the info.

Tommy

I may be wrong here, and one of the Altiris guys could correct me, but to thebest of my knowledge the packages are not deleted from th server immediately. They are however "retired" so they will not get updated, used, or pushed to package servers any longer and the clock will begin to tick away on how long they atay out on the server. All packages have a time limit on them for how long they stay on the drive and it's set by adjusting the "delete unused packages after:" setting. We currently have that set to 1 year, because that is how long patches are left active in our environment, but occasionally I set that to 1 day, allow it to clear out all the old stuff, and then re-download any packages that may have been deleted that we wanted to keep around.

Hope that helps.

Thanks Shannon. That does help. I'll check my setting and try to see if old stuff is going away automatically. Appreciate your time.

I just went through the "how do I delete unused patch's from server automatically" process with support this week.

It seems like under jobs/tasks - patch - integrity check, if you have the box checked for 

"Delete the updates that are no longer in use from the file system"

Then once a patch is not used in a policy (i.e. the policy is deleted), and if you go to the superseeded report in the remediation center and right click on the superseeded bulletin and click "disable" then the patch does get removed from the server the next time you have your integrity job scheduled to run (I think default is 1x a week).

If you disable a bulletin in the superseeded report, but leave it in an active policy (even if it's unchecked in the policy), it doesn't seem to delete in my testing.  I have some patch policies that have several patches in them is how this came up, some were superseeded, others weren't.

In my site server settings, package service, "Delete package files if they are unused for" is completely unchecked for me, and those patches do delete.  I have a lot of packages (not patches) that don't necessarily get used often so I didn't want to check box.. I think.  Still trying to figure things out myself.

If anyone has anything to add regarding best practices here, please feel free to share.  Thanks.

Appreciate the help. I had my "delete the updates that are no longer in use" checked and my "Policy and Package Settings" under settings>software>patch management>windows setings, set for deletion at one year. So it sounds like to me, once I disable and delete the policy, it will remove the software from the server after it runs the integrity check. Or if the policy is still in use, it will delete it after one year.

My package integrity schedule had been changed, so I set it back to one week. Lots of options when it comes to this program. Thanks again for the help. I hope I have it right now.

I've unlocked this thread just in case some additional comments need to be made.

Thanks,
Cheryl