I seem to have been faced with a problem with the way ePolicy deploys patches. I have a separate update task; this task is selected to only update DAT and ExtraDAT, and it is globally assigned to ensure machines are updated.
I have around 30,000 machines managed in ePolicy, a mixture of Windows and Mac desktops/servers. From searching the internet, McAfee forums etc. there does not seem to be a way to control patch roll-out. I first assumed that creating an update task and not selecting patches, service packs etc. in the task options would automatically prevent the patch roll-out of VSE; however, it does not.
With further investigation and countless clicking, there does not seem to be a policy or option within ePolicy that allows you to untick the box to stop them deploying patches/service packs, which can be found in the client update task options. I do not plan to go around to 30,000 machines manually creating an update task just to avoid patch deployment.
Global updating is disabled in ePolicy, and checking the patches into Evaluation and then moving them to Current does not stop thousands of machines getting it as soon as it is checked into Current. It is also impossible to run the patch through testing due to the number of machines managed by ePO. If it managed a few hundred that would be fine, and even though the desktop is managed and a standard image, the type of apps and data on each machine makes a lot of them unique, so testing is essential. This would delay the deployment of the patch, as while some machines are in test others may have passed testing and be OK to deploy.
Tagging does not work; this totally disables the auto-update task managed by ePO and nothing updates.
A separate ePO is not really an option; this has been tried and you end up at the same point as above.
Creating a separate repo and checking patches in manually does work to a point, but then there is an issue with repo management if I wish to stay/deploy and keep everything in sync.
I opened an SR with McAfee support, spent two hours on text support and a further hour on the phone with next-tier support, along with an exchange of emails. I am unsure where to go with this, as the McAfee solution to fix this of "delete or disable the update task" is not really an option.
Testing is required, as you will always get a few pockets of a few hundred that run into different 'known' patch issues.
on 26/11/12 03:11:13 CST