Patch Management does not run in real time; there are hidden steps in deploying patches and updating reports that run on schedules in order to maintain efficiency in large environments. However, these hidden steps can be manually run to accelerate the process. Every step in the process of downloading, installing, and reporting patches is detailed below. Follow these steps to identify where a patch is failing in the process or to quickly check if a new patch will deploy successfully.
1. Run the Import Patch Data for Windows task if the desired software update bulletin is not listed in the Bulletins and Updates catalog yet.
Make sure the necessary Vendors and Software selections are checked.
Run the Windows System Assessment Scan on the client machine (figure 1) if compliance reports do not yet detect that the software updates are applicable and not installed on the client.
Figure 1. Click Windows System Assessment Scan in the Software Delivery tab in the Agent.
2. Create a software update policy to deploy the software update bulletin (figures 2 and 3).
Figure 2. To create a software update policy, right-click the patch bulletin in the Windows Compliance by Bulletin report or the Bulletins and Updates menu, then click Distribute Packages.
Figure 3. On Step 2 of the Distribute Software Updates wizard, be sure to turn the policy On and then click Distribute software updates.
3. Run a patch filter update (figure 4) to apply the policy to vulnerable computers.
Figure 4. To run a patch filter update, open Start>Administrative Tools>Task Scheduler on the SMP (NS) server, go to Task Scheduler Library>NS.Windows Patch Remediation Settings..., then right-click the task and select Run. Watch the History tab to confirm that only one NS.Windows Patch Remediation Settings task is running, since multiple running tasks could hang; if that happens, end them and start again.
4. Update configuration on the client machine (figure 5a and 5b) to receive the new software update policy.
Figure 5a. To update configuration on a 7.1 or 7.6 client, click Update in the Settings menu in the Agent. If the patch filter update completed, the configuration Changed and Requested times should both update, and shortly afterwards the software updates will appear as “Pending” in the Status field.
Figure 5b. To update configuration on a 7.6 or 8.0 client, click Update Configuration at the top of the Agent window.
5. Wait for the software update package to download to the client machine.
This may take 10-20 minutes when the software update package must first download to a package server before downloading to the client.
To force a package server to download the software update package, open the Agent UI on the package server and update configuration (figure 5a and 5b). The software update package will appear in the Package Server tab and show download progress.
Wait for the client machine to start its next download attempt (usually five minutes) or restart the Symantec Management Agent service to immediately retry the download. The status of the software updates will change from “Pending” to “Download Required” then “Update Scheduled” in the Software Updates tab of the Agent.
6. Force the software updates to install immediately by starting a software update cycle (figure 6).
Figure 6. To start a software update cycle, click Start Software Update Cycle in the Software Updates tab of the Agent. The status will show “Installation in progress…” then “Verification…” then “Installed” in the Software Updates tab of the Agent.
7. Run a full Windows System Assessment Scan (figure 7) if compliance reports do not yet show that the software updates are installed on the client machine.
Figure 7. To run a full Windows System Assessment Scan, run AeXPatchUtil.exe with the “/i” option in the command line.
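The patch filter update in step 3 (figure 4) can also be started from PowerShell with the single-instance check done by script instead of by watching the History tab. This is an added example, not part of the original article or the product. It assumes an elevated session on the SMP (NS) server, matches the task by the name prefix shown above because the article truncates the full name, and uses a hypothetical helper named Get-RunningInstance.

```powershell
# Added example (not from the original article). Run elevated on the SMP (NS) server.
# The article truncates the task name, so it is matched by its visible prefix only.
$prefix = 'NS.Windows Patch Remediation Settings'

$tasks = @(Get-ScheduledTask | Where-Object { $_.TaskName -like "$prefix*" })
if ($tasks.Count -ne 1) {
    throw "Expected exactly one task starting with '$prefix', found $($tasks.Count)."
}
$task     = $tasks[0]
$taskPath = $task.TaskPath + $task.TaskName

# The Task Scheduler COM interface lists every running instance separately,
# which the single State value returned by Get-ScheduledTask does not.
$scheduler = New-Object -ComObject Schedule.Service
$scheduler.Connect()

function Get-RunningInstance {
    # Hypothetical helper. Flag 1 = TASK_ENUM_HIDDEN, so hidden tasks are included.
    @($scheduler.GetRunningTasks(1) | Where-Object { $_.Path -eq $taskPath })
}

$running = Get-RunningInstance
if ($running.Count -gt 1) {
    # Multiple instances can hang: end them all before starting again.
    Write-Warning "$($running.Count) instances are running; ending them."
    $running | ForEach-Object { $_.Stop() }
    Start-Sleep -Seconds 5
    $running = Get-RunningInstance
    if ($running.Count -gt 0) { throw 'Instances did not stop; end them in Task Scheduler.' }
}

if ($running.Count -eq 0) {
    Start-ScheduledTask -InputObject $task
    Start-Sleep -Seconds 2
}

# Poll until the run ends, warning if a second instance appears meanwhile.
while (($running = Get-RunningInstance).Count -gt 0) {
    if ($running.Count -gt 1) { Write-Warning 'More than one instance is running.' }
    Start-Sleep -Seconds 15
}

$info = Get-ScheduledTaskInfo -InputObject $task
'{0}: last started {1}, last result 0x{2:X}' -f $task.TaskName, $info.LastRunTime, $info.LastTaskResult
```

A last result of 0x0 means the task reported success; once it has finished, continue with step 4 on the client.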