cancel
Showing results for 
Search instead for 
Did you mean: 

8.8 patch 5 installation by tag deployment gone slightly wrong

Jump to solution

Hi,

Setup: a whole bunch of win2008r2 agent 4.8.0.1500 systems and the "epol orchestrator" 5.1.1 Build 357.

We tried to install the checked in patch 5 from the "current branch" by setting up a task with a filter by tag, and tagging some systems with it.

At first only the tagged systems had been updated correctly but the daily update task, which only should update the "engine" and "dat" package types installed the patch 5 on all systems.

Is there a way to analyse why the "tagged task" did not work respectively why all the systems had been patched by the "virus signature" update task?

We patched some systems beforehand and set up the patch task for a single group with the evaluation branch which worked without a flaw.

Thanks in advance.

Dominik

1 Solution

Accepted Solutions
twenden
Level 13
Report Inappropriate Content
Message 2 of 5

Re: 8.8 patch 5 installation by tag deployment gone slightly wrong

Jump to solution

I have never tried using TAGs for patch deployment. However, there are other ways that VSE Patch can be installed by passing ePO controls.

The first is the local auto update task, I believe a fresh install of VSE defaults to daily at 5pm. If that is enabled on the endpoints then Patch 5 will get installed regardless. In ePO, you can configure the option to disable any local update tasks.

Another way that patches bypass ePO controls is if the end user right clicks the VSE shield and selects update. These methods will pull the Patch if it is in the current branch only.

These are something worth checking. Having the patch in the Evaluation Branch stopped the two methods I describe from working.

4 Replies
twenden
Level 13
Report Inappropriate Content
Message 2 of 5

Re: 8.8 patch 5 installation by tag deployment gone slightly wrong

Jump to solution

I have never tried using TAGs for patch deployment. However, there are other ways that VSE Patch can be installed by passing ePO controls.

The first is the local auto update task, I believe a fresh install of VSE defaults to daily at 5pm. If that is enabled on the endpoints then Patch 5 will get installed regardless. In ePO, you can configure the option to disable any local update tasks.

Another way that patches bypass ePO controls is if the end user right clicks the VSE shield and selects update. These methods will pull the Patch if it is in the current branch only.

These are something worth checking. Having the patch in the Evaluation Branch stopped the two methods I describe from working.

Re: 8.8 patch 5 installation by tag deployment gone slightly wrong

Jump to solution

twenden, thank you for your answer.

Right, that's what I missed, the default "Auto update" on the endpoints is configured to download "other updates" like "service packs, upgrades etc...

Thanks!

cheers

Dominik

Re: 8.8 patch 5 installation by tag deployment gone slightly wrong

Jump to solution

I had this same issue with patch 4.

Another thing to keep in mind is the McAfee agent policy in ePO is where you configure repository information for the endpoints. By default, the update tab in the McAfee agent general policy will update all pieces of software including DATs, patches and VSE engines from the current branch. So, if you put a VSE patch in the current branch, if you have an update task configured, say for example, to update the DAT file, it will apply the patch as well.

PhilR
Level 12
Report Inappropriate Content
Message 5 of 5

Re: 8.8 patch 5 installation by tag deployment gone slightly wrong

Jump to solution

For my Patch 5 test deployments, I have the patch checked in to the evaluation branch, with an update policy to update virusscan from the evaluation branch applied by a tag.

Simple once you get used to the way ePO works.

Phil