Deploying Additional Microsoft Updates Using Inventory & Software Delivery Solutions


To keep security updates current on computers using the Microsoft Windows operating system, administrators can use Altiris Patch Management Solution. Patch Management utilizes information contained in Microsoft's Security Bulletins to install the appropriate security patches based on the configuration of the target computer.

Introduction

Administrators may find that the Windows Update site, www.update.microsoft.com, suggests other updates that are not included in Microsoft's Security Bulletins. Administrators may also wish to install software updates found on the Microsoft Web site that fix other specific problems.

Altiris Inventory Solution for Windows and Altiris Software Delivery for Windows can identify computers requiring any Microsoft non-security bulletin software updates, deploy those updates to the computer collection and determine successful installation of those updates.

Scenario

Using Altiris Patch Management Solution, an administrator has pushed out all security updates identified in Microsoft's security bulletins. On a client workstation running Windows XP, he decides to check whether the Windows updates on that workstation are current. Browsing to www.update.microsoft.com, he is surprised to see several "Update for Windows XP" entries.

One of the entries is "Update for Windows XP (KB936357)". The administrator reviews the details and determines that this update is needed on all of his Windows XP workstations. He browses to http://support.microsoft.com/kb/936357 to download the 32-bit Windows XP version of the update (a file named WindowsXP-KB936357-x86-ENU.exe) and to get specific installation information. He pays particular attention to the prerequisites (there are none in this case) and to the restart requirement (this update requires a restart).

The administrator now considers how Altiris Notification Server and its Solutions can be utilized to install this update on all Windows XP computers in this environment. The following criteria must be met:

  1. The update cannot be installed on workstations that already have this update;
  2. The update can only be installed on 32-bit Windows XP workstations;
  3. The update should automatically run via a Software Delivery policy on any workstation that might join the network in the future if it is not already installed;
  4. The results of the installation should be reportable, by workstation, to provide status updates to a supervisor.

Strategy

To accomplish these goals, a combination of Inventory Solution for Windows, Software Delivery for Windows, and a Notification Policy was used. The basic steps were:

  • Create an Inventory Solution report to determine if the Microsoft KB936357 update has been installed.
  • Create a dynamic collection of computers that need the update, based on Inventory Solution data, for use in a Software Delivery Solution job.
  • Create a Software Delivery Solution job (task/package/program) to install the update.
  • Create a Notification Policy to send a daily e-mail reporting on the number of computers needing the update.

Step 1: Create a Report

A report was created to determine the scope of the problem. Information in the vComputer database view was matched with information in the AeX OS Add Remove Programs data class to find:

  • The number of computers with the Microsoft KB936357 update installed - count the computers with a row in the inv_aex_os_add_remove_programs table with the name of "Update for Windows XP (KB936357)".
  • The number of computers without the Microsoft KB936357 update installed.
  • The number of computers not reporting any data in the inv_aex_os_add_remove_programs table.

The report includes the following three parameters: 1) a collection selector, 2) a domain selector and 3) a computer name mask. Operating System information in vComputer was used to ensure that the report only displayed Windows XP computers. Also, the ability to "drill down" in the report to show which computers were included in the "Number of Computers" count was added.

An export of the report is attached to Altiris Knowledge Base article 36712 : https://kb.altiris.com/article.asp?article=36712&p....

Step 2: Create a Collection

A dynamic collection named "XP Computers Requiring Microsoft KB936357 Update" was created using a SQL query similar to the query used in part 2 of the report. The database view vComputer was used as a starting point since it contains all active computer resources, including virtual machine resources. After filtering to only computers running the Windows XP operating system, the result was matched against computers that have rows in AeX OS Add Remove Programs. This ensures that only computers where inventory data is available will be included.

Finally, this resultant set of computers was matched against all rows in AeX OS Add Remove Programs having the name of "Update for Windows XP (KB936357)". Only computers that did not have this row were included in the collection.

An export of this collection is attached to Altiris Knowledge Base article 36712 : https://kb.altiris.com/article.asp?article=36712&p....

The SQL query is:

SELECT vComp.[Guid]
FROM dbo.vComputer vComp
  -- arp1: computers that have returned at least one Add/Remove Programs row (inventory data is available)
  JOIN (SELECT DISTINCT _ResourceGuid FROM dbo.Inv_AeX_OS_Add_Remove_Programs) arp1
    ON arp1.[_ResourceGuid] = vComp.[Guid]
  -- arp2: computers whose inventory already lists the KB936357 entry
  LEFT JOIN (SELECT _ResourceGuid FROM dbo.Inv_AeX_OS_Add_Remove_Programs
             WHERE Name = 'Update for Windows XP (KB936357)') arp2
    ON arp2.[_ResourceGuid] = vComp.[Guid]
WHERE vComp.[OS Name] LIKE '%XP%'     -- only Windows XP computers
  AND arp2.[_ResourceGuid] IS NULL    -- exclude computers where the update is already installed

Step 3: Create a Software Delivery Job

The Software Delivery Wizard was used to create the task, package and program needed to push out the Microsoft KB936357 update with the following specifications.

Package

Name: KB936357
Package source: Access package from a local directory on the Notification Server computer.
Package location: The local directory path.
All other options: The default entries.

Program

Name: Quiet Install of KB936357.
Command Line: WindowsXP-KB936357-x86-ENU.exe /quiet /norestart
Success Codes: 0, 3010
Terminate after: 30 Minutes
After Running: Restart computer.
User can defer for: 30 minutes
Starting Window: Normal
Run with Rights: System Account
Program can Run: Whether or not a user is logged in.
User Input Required: Check the box.
All other options: The default entries.

Task

Name: Install KB936357 Daily
Priority: Normal
Package Name: KB936357
Program name: Quiet Install of KB936357.
Applies to Collection: XP Computers Requiring Microsoft KB936357 Update.
Run: On a schedule.
Run on a schedule: Checked.
Schedule: At 1:00:00 AM every 1 days.
Run 'as soon as possible' after the scheduled time: Selected.
User can run this task immediately: Check the box.
All other check boxes: Unchecked.
Availability: The default entry.

The goal of this Software Delivery job was to hide the install of this software update from the user. No warning is given to the user when the task is started. However, since the update requires a reboot, the messaging functions of the Altiris Agent were employed to warn the user that a reboot is about to occur and to allow the user to defer the reboot for 30 minutes. The agent configuration was set so that the pop-up warning would give a 5-minute countdown to reboot unless the user intervened and either initiated the reboot immediately or deferred it for a selected period of time.

The schedule was set to run this task on a daily basis. The time of day for this task was chosen to be 1 hour before the Hardware Inventory task (default schedule is 2:00 AM daily). The desired effect would be that even with a 5-minute countdown and a 30-minute delay before reboot, the install would complete several minutes before the Hardware Inventory would run. The Hardware Inventory would then pick up that the Microsoft KB936357 update has been installed and relay that information to the Notification Server. When the Notification Server refreshed the "XP Computers Requiring Microsoft KB936357 Update" collection, the computer would "fall out" of the collection. On the next configuration update, the Altiris Agent would disable the task, preventing it from running again.

An export of the task and package is attached to this article.

Step 4: Create a Notification Policy

Most of the administrator's goals had now been met. The KB936357 update was in the process of being installed, and only on Windows XP workstations where it had not already been installed. The install was automated so that when new workstations joined the network, a check was made to determine whether the KB936357 update was installed, and to install it if necessary.

A Notification Policy was created with both an e-mail and a report automated action that was run daily. The source of the trigger for this policy was a query that returned the number of computers where KB936357 was not installed and the number of computers that had not returned any AeX OS Add Remove Programs inventory data. The e-mail action sent these numbers to our administrator, while the report action sent an e-mail to our administrator's supervisor with a link to a saved snapshot of the status report.
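As an added example (not the report or policy query attached to the article), the following single T-SQL query produces the three status counts the Step 1 report displays and the two counts the Notification Policy trigger needs. It assumes the Altiris 6.x objects the article names (dbo.vComputer with [Guid], [Name], [Domain] and [OS Name]; dbo.Inv_AeX_OS_Add_Remove_Programs with _ResourceGuid and Name), SQL Server 2005 or later for the CTE, and @Domain/@NameMask as stand-ins for the report's domain selector and computer-name mask parameters:

```sql
-- Added example: status counts behind the report and the Notification Policy trigger.
-- @Domain and @NameMask are assumed stand-ins for the report's selector parameters.
DECLARE @Domain   NVARCHAR(256);
DECLARE @NameMask NVARCHAR(256);
DECLARE @KbEntry  NVARCHAR(256);
SET @Domain   = '%';      -- '%' = every domain
SET @NameMask = '%';      -- LIKE mask applied to the computer name
SET @KbEntry  = 'Update for Windows XP (KB936357)';   -- Add/Remove Programs display name

;WITH XpComputers AS (
    -- Same OS filter as the collection query; vComputer.[Domain] is assumed to exist.
    SELECT vComp.[Guid], vComp.[Name], vComp.[Domain]
    FROM dbo.vComputer vComp
    WHERE vComp.[OS Name] LIKE '%XP%'
      AND vComp.[Domain] LIKE @Domain
      AND vComp.[Name] LIKE @NameMask
),
ComputerStatus AS (
    SELECT xp.[Guid], xp.[Name], xp.[Domain],
           CASE
               WHEN arp2._ResourceGuid IS NOT NULL
                   THEN 'Inventory data is available and KB 936357 has been installed'
               WHEN arp1._ResourceGuid IS NOT NULL
                   THEN 'Inventory data is available and KB 936357 has NOT been installed'
               ELSE 'No AeX OS Add Remove Programs inventory data'
           END AS [Status]
    FROM XpComputers xp
    -- arp1: computers that have returned any Add/Remove Programs rows at all
    LEFT JOIN (SELECT DISTINCT _ResourceGuid
               FROM dbo.Inv_AeX_OS_Add_Remove_Programs) arp1
           ON arp1._ResourceGuid = xp.[Guid]
    -- arp2: computers whose inventory already lists the KB936357 entry
    LEFT JOIN (SELECT DISTINCT _ResourceGuid
               FROM dbo.Inv_AeX_OS_Add_Remove_Programs
               WHERE [Name] = @KbEntry) arp2
           ON arp2._ResourceGuid = xp.[Guid]
)
-- One row per category: the report shows all three, the Notification Policy
-- e-mail uses the "NOT been installed" and "No ... inventory data" rows.
SELECT [Status], COUNT(*) AS [Number of Computers]
FROM ComputerStatus
GROUP BY [Status]
ORDER BY [Status];
```

For the report's drill-down, replace the final SELECT with `SELECT [Name], [Domain], [Status] FROM ComputerStatus WHERE [Status] = '<category>' ORDER BY [Name]` to list the computers behind a count.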

An export of the Notification Policy is attached to this article.

Final Details

The only task left was to monitor the progress of the install. As the KB update was installed on client workstations, the number of computers where "Inventory data is available and KB 936357 has NOT been installed" decreased. Drilling down into the report gave a listing of these computers and drilling down on one of these computers brought up the resource manager which essentially showed all the information in the database that had been collected for this computer.

In most cases, inspecting the "last configuration requested" field showed that the computer was not communicating with the Notification Server. There were a variety of reasons for this. Some were laptops and had not connected to the local intranet for an extended period, and some did not have the Altiris Agent service started. These problems were corrected one by one until the number of computers in this category was zero.

Attention was then given to the list of computers where inventory data was not available. Similar results were found and similar corrective measures were employed. In addition, it was found that running "Recreate Full Inventory" populated the AeX OS Add Remove Programs data class, after which the computer fell into either the "KB 936357 has been installed" or the "KB 936357 has not been installed" category.

Conclusion

By combining elements of Inventory Solution for Windows, Software Delivery for Windows and the inherent capabilities of the Notification Server, a robust process was employed that effectively installs a Windows software update on client computers in an enterprise environment. Although an SQL coder who was familiar with the Altiris database was needed to create the queries behind the report and the Notification Policy, the creation of the objects needed for this installation was done simply and quickly. In addition, these objects could be cloned and minor modifications made to them to deploy any Windows KB update.

Attachment: invswd_patches_import_files.zip (11.3 KB)

vComputer

SK:

This is a very good solution for updates that are not included in the PMImport files.

The only thing I am concerned about is the usage of the vComputer View within the Report and the Collection, as it does produce a larger performance hit on the database than if you actually targeted only the required Tables directly.

Also, as the Collection display is based off of vComputer, you are actually having this object targeted twice, as first your SQL uses it to find its members and then the NS uses it to display the Collection column information.

I've used this method

luisdg:

I've used this method (not this process) before and it works pretty well considering there is no pmimport for certain patches. Nice to see that the process is documented so others can benefit from it.

Thanks

That is a great idea. I have set some of this up already, but your reporting fills in the gaps.