4 Replies Latest reply on Jun 26, 2015 8:14 AM by PhilR

    8.8 patch 5 installation by tag deployment gone slightly wrong

    dominik!

      Hi,

       

      Setup: a whole bunch of win2008r2 agent 4.8.0.1500 systems and the "epol orchestrator" 5.1.1 Build 357.

       

      We tried to install the checked in patch 5 from the "current branch" by setting up a task with a filter by tag, and tagging some systems with it.

      At first only the tagged systems had been updated correctly but the daily update task, which only should update the "engine" and "dat" package types installed the patch 5 on all systems.

      Is there a way to analyse why the "tagged task" did not work respectively why all the systems had been patched by the "virus signature" update task?

       

      We patched some systems beforehand and set up the patch task for a single group with the evaluation branch which worked without a flaw.

       

      Thanks in advance.

       

      Dominik

        • 1. Re: 8.8 patch 5 installation by tag deployment gone slightly wrong
          twenden

          I have never tried using TAGs for patch deployment. However, there are other ways that VSE Patch can be installed by passing ePO controls.

           

          The first is the local auto update task, I believe a fresh install of VSE defaults to daily at 5pm. If that is enabled on the endpoints then Patch 5 will get installed regardless. In ePO, you can configure the option to disable any local update tasks.

           

          Another way that patches bypass ePO controls is if the end user right clicks the VSE shield and selects update. These methods will pull the Patch if it is in the current branch only.

           

          These are something worth checking. Having the patch in the Evaluation Branch stopped the two methods I describe from working.

          • 2. Re: 8.8 patch 5 installation by tag deployment gone slightly wrong
            dominik!

            twenden, thank you for your answer.

             

            Right, that's what I missed, the default "Auto update" on the endpoints is configured to download "other updates" like "service packs, upgrades etc...

            Thanks!

             

            cheers

             

            Dominik

            • 3. Re: 8.8 patch 5 installation by tag deployment gone slightly wrong
              33pc@dm1n

              I had this same issue with patch 4.

               

              Another thing to keep in mind is the McAfee agent policy in ePO is where you configure repository information for the endpoints. By default, the update tab in the McAfee agent general policy will update all pieces of software including DATs, patches and VSE engines from the current branch. So, if you put a VSE patch in the current branch, if you have an update task configured, say for example, to update the DAT file, it will apply the patch as well.

              • 4. Re: 8.8 patch 5 installation by tag deployment gone slightly wrong
                PhilR

                For my Patch 5 test deployments, I have the patch checked in to the evaluation branch, with an update policy to update virusscan from the evaluation branch applied by a tag.

                 

                Simple once you get used to the way ePO works.

                 

                Phil