Patch Management Solution

I noticed that systems were never getting some updates in policies. when i opened some policies containing those updates I saw that they weren't enabled. My assumption is that all updates should be enabled by default at policy creation using the method "distribute updates". What can I check to troubleshoot this issue?

Hi shafiq1, Could you please clarify - do you see disabled updates in Distribution Wizard when new SWU policy is creating or in Advanced Tab of SWU policy when you open existing SWU policy? In the second case, probably it is caused by disabling superseded software updates that occurs during Patch Data import task. If you have enabled checkbox "Disable all superseded Software Updates" in Import Patch Data for windows settings, then it is expected - all superseded updates will be disabled in existing SWU policies. Thank you, Roman

Roman, take a look at my attachments. several months ago i had patch management configured to disable superceded updates. so there were possibly some existing policies affected by that config. but i turned that setting off several months ago. so any policies that would've been affected by that should have revised themselves after the recurring patch import jobs, right? Notice also that i have enabled patching Excel 2010, but some of the updates associated with it are not enabled in the policy. thanks.

Hi shafiq1, Thank you for the provided screenshots. Enabled 'Disable all superseded Software Updates' checkbox in Import Patch Data for Windows settings invokes execution of task, that should disable superseded software updates from existing SWU policies during PM Import. If this checkbox is disabled, then task is not executed, but it does not mean that superseded updates will be automatically enabled back. I would recommend to create new policies with superseding updates. Thanks, Roman

I went through the policies and enabled the ones that weren't enabeled and am keeping an eye out for changes.

In addition to the setting detailed by Roman: The process to refresh packages for revised updates will take place if the 'Automatically revise Software Update policies after importing patch data' setting is enabled; however, if you do not have the setting 'Enable distribution of newly added software updates' enabled on the 'Import Patch Data for Windows' policy, then the process will leave the advertisements for those revised updates disabled on the Software Update Policy.

The setting is detailed further on KM: TECH40390

Hope this helps,

Joshua

Hi Shafiq1,

I am seeing the same thing in my environment and I created a forum posting here: https://www-secure.symantec.com/connect/forums/random-patches-disabled-patch-policies I am linking just so we can keep an eye on each others posts, as it seems we're having the same issue.

 

I have all three options selected:

Automatically revise Software Update policies after importing patch data

Enable distribution of newly added Software Updates

Disable all superseded Software Updates

And I am finding a lot of disabled patches in my policies, and most examples I have found have not been superseded. I think there is a larger issue going on, but I have not had any luck getting help on this.

There is no chance the patches get disabled if they arent used for a period of time, correct?

I was also wondering about them getting disabled after some time. From what I can tell this can only be configured to occur for package servers. In my test environment I had some disabled, but I am starting to wonder if it was because nothing in the environment was applicable for that patch. I would be curious to to know if that may be why we see some disabled.

Patch Management will clean up packages for updates no longer in use as follows:

• The Software Bulletin is disabled on the PRC
• The Software Update Policy is deleted (Note: be sure to disable the SUP, and then ensure the targeted clients have updated configuration to receive status change, before deleting)

In my experience; PM will disable advertisements for the following reasons:

• Software Update was superseded and 'Disable all superseded Software Updates' is enabled on PMImport
   
• Software Update was revised and the 'Enable distribution of newly added Software Updates' was not enabled on the PMImport
   
• XML codebase for the update is no longer present in database due to corruption; detailed on KM: TECH46342

You may check the SMP Logs to see if the error calling the stored procedure, as detailed in this KM article, are present.

• If so; work through the KM article to resolve.

There may be some other warnings / errors detailed in the SMP Log Viewer that will help isolate why this is happening.

I had a case going with Symantec and they just admitted they were wrong... Enabling the 'Enable distribution of newly added Software Updates' option after the patch policy was created, will not go back and enable the old revised patches. So I think Roman is correct in what he is saying.

Their suggestion to fix was to disable all our patch policies, wait 7-10 days, delete the patch policies and recreate them after. Alternatively we could go into every policy and enable any KB that should be enabled (which would take longer than option 1, imo). Both crazy solutions...

Anyone know of an easy way to disable policies in the database? You cant highlight mulitple policies to disable or delete, so this is going to take a while if there is no way through the database.

I followed Roman's suggestion and went through the policies and enabled the disabled updates. I'm sure there probably is a way to do it in the database, but i'd rather rely on Symantec to produce some sql to do it.

In the next iteration of PM symantec should code a checkbox that allows to "enable all updates in policies."

Wow. Very helpful stuff Joshua. I appreciate you taking the time to write the SQL scripts, and replying to these posts! Thank you.

Hello J,

     It is possible you spoke with a technician who did not fully understand the process. To clarify further; the process regarding the 'Enable distribution of newly added Software Updates' is working as designed, for it will only affect the Software Update Policies created after the check box is enabled on the PMImport moving forward.

     This process is not retroactive, for it will not go back and enable any disabled revised ("newly added") Software Updates advertisements for existing Software Update Policies created prior to the check box being enabled.

     Regarding existing Software Update Policies; there are the two options you detailed above, and in review of requests for SQL scripts made on this post; I updated KM: TECH40390 with the following assist for each method:

1. Manually work through each Software Update Policy > Advanced tab and re-enable each advertisement that is still needed to be pushed out in the environment.

• Added a SQL Report, which can be imported into the console, and viewed to see which Software Update Policies have disabled advertisements, so the Admin is able to quickly view which policies have advertisements to be manually re-enabled.

2. Disable the SUP for 3-5 days and then it can be deleted. This is to ensure you do not get every targeted client throwing an error 'Item not found' in the SMP Logs. Once all targeted clients confirm the change in status for the disabled policy; the SUP can be deleted.

• Added a preliminary SQL script to display all Software Update Policies, with their respective Guid, and a secondary SQL script to disable the Software Update Policies by inputting their respective Guid, returned from the preliminary script, and running against the database.

CAUTION: ensure there is a current backup of the database in place before running any SQL scripts that modify the product in this manner.

Please view the KM article, or the added Connect Link, to obtain the scripts that assist with working through this product limitation. Feel free to post any concerns or feedback and I will be happy to help.