14 Replies, latest reply on Jan 4, 2013 4:44 AM by a13xchan

    How to control VSE Patch deployment?

    a13xchan

      I seem to have been faced with a problem with the way ePolicy deploys patches. I have a separate update task; this task is selected to only update DAT and ExtraDAT, and it is globally assigned to ensure machines are updated.

      I have around 30000 machines managed in ePolicy; this is a mixture of Windows and Mac desktops/servers. From searching the internet, McAfee forums, etc., there does not seem to be a way to control patch roll-out. I first assumed that creating an update task and not selecting patches, service packs etc. in the task options would automatically prevent the patch roll-out of a VSE; however it does not.

      With further investigation and countless clicking there does not seem to be a policy or option within ePolicy that allows you to untick the box to stop them deploying patches/service packs, which can be found on the client update task options. I do not plan to go around to 30000 machines and manually create an update task just to avoid patch deployment.

      Global updating is disabled in ePolicy, and checking the patches into Evaluation and then moving to Current does not stop thousands of machines getting it as soon as it is checked into Current. It is also impossible to run the patch through testing due to the number of machines managed by ePO. If it managed a few hundred that would be fine, and even though the desktop is managed and a standard image, the type of apps and data on each machine makes a lot of them unique, so testing is essential. This would delay the deployment of the patch, as while some machines are in test others may have passed testing and be OK to deploy.

      TAGGING does not work; this totally disables the auto update task managed by ePO and nothing updates.

      A separate ePO is not really an option; this has been tried and you end up at the same point as above.

      Creating a separate repo and checking patches in manually does work to a point, but then there is an issue with repo management if I wish to stage/deploy and keep everything in sync.

      I opened up an SR with McAfee support, spent two hours on text support and a further one hour on the phone with next-tier support, along with an exchange of emails. I am unsure where to go with this, as the McAfee solution to fix this, "delete or disable the update task", is not really an option.

      Testing is required as you will always get a few pockets of a few hundred that always run into different 'known' patch issues.

      on 26/11/12 03:11:13 CST
        • 1. Re: How to control VSE Patch deployment?

          Is your McAfee Agent / General policy set up to check for updates in the Current branch, and did you check in the patch in the Evaluation branch?

          • 2. Re: How to control VSE Patch deployment?
            a13xchan

            Yes, general update is set to look in Current, not Evaluation, on main machines. A few test machines use Evaluation, but as soon as you move the patch from Eval to Current everything gets the update, which is not controlled at all.

            • 3. Re: How to control VSE Patch deployment?

              Duplicate your default McAfee Agent / General policy and set it up to look in the "Evaluation" branch for updates. Assign this policy to your systems that you want to update. After all systems have been updated move the patch to "Current" and remove the evaluation policy.

              • 4. Re: How to control VSE Patch deployment?
                a13xchan

                Thanks for the suggestion, but as soon as I move the patch from Eval to Current how do I control deployment? For example, for machines in Eval or Current, how do I control who gets the patch update? There is no second level of control, only mass deploy or not.

                Eval and Current are the same; say I have 15000 in each, how do I control which 15000 get that update?

                • 5. Re: How to control VSE Patch deployment?

                  I would set up all systems to look in the Current branch for updates, and selectively assign the Evaluation branch policy to systems.

                  In your case maybe you can (mis)use the Previous branch for this purpose.

                  • 6. Re: How to control VSE Patch deployment?
                    a13xchan

                    This is what I thought, but you still end up with the same problem as I originally asked: how do you control patch deployment in the Current branch? Even if I use the Previous branch I will still be in the same situation. How do I control deployment at another level? There is an option on client machines to do this but nothing within ePolicy itself.

                    There has to be a way to do this, as I do not see how other enterprises deploy patches/updates unless they go all or nothing?

                    • 7. Re: How to control VSE Patch deployment?

                      I have 21.000+ systems in my ePO, and this is how I control deployment:

                      Duplicate your default McAfee Agent / General policy and set it up to look in the "Evaluation" branch for updates. Assign this policy to your systems that you want to update. After all systems have been updated move the patch to "Current" and remove the evaluation policy.

                      By default all my systems look in the Current branch for updates. If I have an update I check it in to the Evaluation branch and duplicate my default policy and configure it to look in the Evaluation branch for updates.

                      My first deployment phase is to assign the Evaluation policy to individual systems (by tag) to test the update, the second phase is to assign the Evaluation policy to sub-groups, and the third phase is to assign the policy to top-level groups. After that all systems (should) have the update, and I move the update to the Current branch and remove the Evaluation policy.

                      • 8. Re: How to control VSE Patch deployment?
                        a13xchan

                        How do you create sub-groups in Evaluation using tags? Because if you update virus definitions the patch will come down, and if you create no task to update definitions you get AVs out of date.

                        I mentioned this to McAfee and it is currently not possible to create sub-groups within the AV, as it's all or nothing. From the ePO admins I have been speaking to, they all assumed that tags and sub-groups were possible by not selecting the boxes in ePO. However, not selecting the options does not prevent the patch from coming down.

                        I am still wondering if ePO is broken, as in: if you select DO NOT deploy patches, why do the patches still deploy? But McAfee have yet to acknowledge this and are unsure if the product update and unselecting patches/service packs etc. is really supposed to prevent the product update or if it is meant to do something else.

                        • 9. Re: How to control VSE Patch deployment?
                          a13xchan

                          [Screenshot: mcafee_epo.jpg]

                          If ONLY you could manage this option within ePO on the VSE update task... any product update task will have this selected and greyed out.

                          [Screenshot: mcafee_epo2.jpg]

                          It makes you wonder WHAT exactly this is supposed to do in ePO, as it clearly doesn't stop patch or service pack deployment.

                          Message was edited by: a13xchan on 26/11/12 05:10:07 CST