Well, in order to deploy the patch to machines that already have patch 3, you have to check the patch into the current branch. Once that is done, you can use a patch updater client task to deploy the patch. Once the software is checked in, you just enable the task on any OUs that you want to deploy the software to, and disable it anywhere else. However, please note that anyone that clicks 'update now' will download the patch along with DATs.
Also note that the patch is different from the reposted full install. If you send them a deploy task with the full install, they will ignore it because they already have VSE 8.7 installed. The task doesn't differentiate between patch levels.
That's fine if you have a well-structured system tree to allow controlled rollouts of software. In larger or less structured environments (say built out of pre-existing AD structure that wasn't designed for this sort of thing), it becomes complicated to the point of ridiculousness due to the nature of the agent control of patching. If you want to utilize the evaluation or previous branches to deploy a pilot run of the patch in a controlled manner, you have to modify the agent policy to repoint machines to the correct branch, then utilize the same method as before to push it with a client task. However, that adds a level of complexity, and increases the difficulty in targeting specific machines in an OU for piloting. It also limits the usefulness of tagging because of the difficulty in assigning agent policy by tag.
All in all, if you can deal with the first method, it's probably the best choice. But if your change management requires tighter controls, or you have a requirement for limited, controlled pilots on specific machines inside a pre-existing OU structure, it's painful.
For the life of me, I don't understand why the client task designed for patching didn't simply have a field for each package that allowed you to select the branch you wanted to use. And after speaking with McAfee repeatedly about this, I've learned that ePO 4.6 will have the same framework and will pose the same challenges.
Thanks for that Slingo, I will probably go for creating a client task on an OU as that was what I was trying to do originally.
By default I only have two client tasks, update agent and update antivirus, so if I go to create a new client task I can't see a deploy patch type. The only software relevant options I can see are product deployment and product update, which I've tried previously, and neither did the job of updating to SP4. Is there something I need to add to make it appear in the client task drop down?
Use a Product Update task. On the 2nd page, Configuration, make sure VirusScan Enterprise 8.7.0 is checked in the "Patches and Service Packs" section. Once you create the task in ePO, make sure your clients get the task by sending the agents a wake-up or waiting for the ASCI to occur.
Thanks! I will give that a go now and see how I get on.
It's been over a day since I created the product update task, and of the 5 machines I have put into that sub group, none have been upgraded from sp3 to sp4 even though I have done a wake up on all of their agents.
Any other ideas?
I'm having the same issue with deploying sp4 for testing; but I think I understand the problem...just not how to fix it.
1. The McAfee Agent POLICY (Updates tab) only allows us to specify which branch to use for DAT, ENGINE, and HIP Content updates. It doesn't offer an option for service packs.
2. The Product Deployment TASK allows us to specify which branch to use for the FULL product install. It doesn't specify service packs/patches.
3. The Product Update TASK allows us to specify which patches and service packs to run, but we can't specify which branch to run from.
Currently, I have 8.7 FULL and SP2 checked in to CURRENT branch.
I have the 8.7 SP4 patch (only) checked in to the EVAL branch.
I have a Product Update task running on a single system to test but it fails to install the SP4 patch.
I think since the Product Deployment task is using the CURRENT branch for the full install, it also defaults to using the CURRENT branch for any patches. Therefore, it doesn't "see" my SP4 patch in EVAL.
I tried checking in the SP4 version of the FULL install into the EVAL branch as well, but the version number is the same so when the Product Deployment task runs against the EVAL branch it doesn't detect a different version than what is already installed. We can always check in the SP4 patch to the CURRENT branch, but that kinda defeats the purpose of having an EVAL branch?
I don't have any solutions, but I can throw a log onto the "me too" fire and encourage you to take advantage of your support agreement and open a case with McAfee.
Though, I can't guarantee success with that either, as I spent about an hour and 15 minutes on the phone with support on this matter and lost faith in my engineer when he said that I had to entirely delete and recreate my client deployment task for this to work.
Some background though:
We're at 8.7p3 in our current branch. Was trying to include p4 in our next push where we'll also upgrade to agent 4.5 (from 4.0) and add another product to the endpoint mix.
I checked all packages into the Evaluation branch (after enabling the ability to do so somewhere in server settings). I installed the patch4 repost of 8.7 in (which confusingly has the exact same size and minor version of our existing p3 package that's current), as well as the patch 4 itself (on the direction of the McAfee tech). Also, apparently I had initially neglected to install a pair of updated server extensions for my products, so be sure to install those from the patch 4 readme.
I picked a fresh test machine to deploy to, broke inheritance on its daily product installation task that makes sure the client has our support version of Agent and VSE on it, and changed that installation task for that machine to have it install 8.7 from the evaluation branch. And, as you all have experienced, that didn't trigger an installation of p4.
The last engineer I spoke with on that 1hr15min call insisted that my next step was to delete my product deployment task and recreate it entirely because I was missing the appropriate server extensions when I had created the task. Unfortunately I wasn't willing to do that since a) the install task is production/current for us for other machines up the tree, and b) even moving my test machine to a new subgroup off of our organization and creating a brand new task for this failed to get patch 4 on the test machine.
So... to make a long story short, I think others here are 100% accurate in surmising that there's an issue here with Agent either ignoring the task thinking 8.7 is already installed and not willing to do it again even if there's a new patch behind the scenes, or failing to connect the dots somehow that when I tell it we want 8.7 from the evaluation branch, that it fails to put patch 4 into it for some reason.
I also agree with the assertion that ePO is definitely not making our lives easier here and by being broken in this regard, is not making an "evaluation" branch as useful as it could be if you have to promote patch 4 to current to get it to actually install something.
Any further insights anyone can lend, even if it's not a full solution, I'm personally all ears.
Found the solution to my issue.
You absolutely require the latest McAfee Agent 4.5 EXTENSIONS checked in to ePO. The new extension (version 188.8.131.52) is found in the EPOAGENTMETA.zip file. This file can be downloaded from the ePO software downloads section; not the McAfee Agent downloads section.
Anyways, once I checked in the newer extension for the Agent, the McAfee Agent policy (Upgrades tab) now has a new section specific to service packs and upgrades. I've included a screencap from that section of the policy and highlighted the section that was added with the new extensions.
Thanks off_road, we are already running 184.108.40.2060 of the agent on all our clients, but I went and imported the latest patch for the agent (220.127.116.119), created a new client task and tried it on a test machine. In the status monitor I could see the new task was added and I even got the update in progress box pop up, but still it didn't upgrade from sp3 to sp4.
I know the package for sp4 works fine as it has installed on machines that had vscan 8 and 8.5 with the old agent. I feel like we're getting closer (and the install of the new agent might help me out with another problem that I've been having where a handful of machines slow down to a halt while doing a daily update every day after 5, so thanks for the tip off about the new agent).