Channel: Symantec Connect - Endpoint Management

Patching Windows XP Systems via SWD after XP EOL


With Windows XP going EOL and 3000 machines still to upgrade, I was tasked with creating a process to patch these machines, as we are paying for one year of patch support. Patch Solution easily does many things that you do not realize. During my process I had to overcome these obstacles and figure out ways to use Software Delivery Solution to deliver patches. Yes, that part is easy, but what about reboots, targeting machines that need the patches, IE not being inventoried in Add/Remove Programs, and a few others? There may be a better way, but this is working for me at the moment, and in the next month or two I will be going with this process for all XP patching in our company. There may be ways to do this more efficiently, but I couldn't find any other way to do it on short notice, so I thought I would share it with everyone so that anyone else with the need has something to check out.

Prerequisite:

It is easy to create a dynamic filter for a patch target by looking at the AddRemove table for the operating system, but Internet Explorer does not show up there. The first link below takes you through setting up a custom inventory to get IE inventoried in your environment.

We do not force reboots or power down machines, as we are in a business where scientists may be doing a run that takes a day, a week or months, so an auto reboot would not be considered wise. Currently we use Patch Solution to display a message every two hours if they postpone it. Patch Solution gets the reboot status from installing patches itself and keeps track of this in the Patch tables, so I had to figure out a way to identify XP machines needing a reboot after a patch install via SWD, which is done in the second link.

Custom Inventory for IE Version - https://www-secure.symantec.com/connect/downloads/custom-inventory-ie-version

Custom Inventory for XP Reboot Pending After Manual Patching - https://www-secure.symantec.com/connect/downloads/custom-inventory-xp-reboot-pending-after-manual-patching

Patch Reboot Popup and Force Reboot on OK Push – to be documented soon as it is functioning

 

Note:

This article will use MS14-011 for IE8 and MS14-015 for XP as examples. I have already patched using this method, so my screenshots will not show any targets. On next month's cycle I will update this with the current month's targets for reference.

 

Software Patch KB in Software Catalog

Import your software into the Software Catalog and set up the switches.

MS14-011IE8sw.jpg

MS14-015XPsw.jpg

Filters:

Patch Solution targeted and distributed by the IS Assessment, so now we need a way to target machines. I prefer dynamic filters so you can set it and forget it. I used SQL code in NS6 and it works in NS7, so I use that format.

You just need the KB number; modify the following SQL accordingly:

-- Limit the result to resources derived from this base resource type
select Guid from vResource where ResourceTypeGuid in
    (select ResourceTypeGuid from ResourceTypeHierarchy
     where BaseResourceTypeGuid = '493435f7-3b17-4c4c-b07f-c23e7ab7781f')
and Guid in
(
    -- XP machines running IE 8 (IE version comes from the custom inventory)
    select t1._ResourceGuid
    from inv_aex_os_Internet_Explorer t0
    join Inv_AeX_AC_Identification t1 on t0._ResourceGuid = t1._ResourceGuid
    where t0.Version like '8.%' and t1.[OS Name] like '%xp%'
    -- ...that do not yet list the KB in Add/Remove Programs
    and t1.[_ResourceGuid] not in
    (
        select arp._ResourceGuid
        from [Inv_AddRemoveProgram] arp
        where arp.DisplayName like '%(KB2909210)%'  -- change the KB number here
    )
)
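
A way to check the filter logic before pointing a policy at it, as an added example that is not part of the original article: the inner SELECT above is run from Python against an in-memory SQLite stand-in for the three inventory tables. The use of SQLite instead of the Notification Server database, the machine names, the version strings and KB0000001 are assumptions constructed for the test; the table and column names and KB2909210 come from the SQL above.

```python
import sqlite3

# Inner SELECT of the filter above, with the IE major version and KB number
# bound as parameters. The vResource / ResourceTypeHierarchy wrapper is left out.
# Assumption: SQLite stands in for the SQL Server CMDB in this harness.
FILTER_SQL = """
select t1._ResourceGuid
from inv_aex_os_Internet_Explorer t0
join Inv_AeX_AC_Identification t1 on t0._ResourceGuid = t1._ResourceGuid
where t0.Version like :ie and t1.[OS Name] like '%xp%'
and t1._ResourceGuid not in (
    select arp._ResourceGuid from Inv_AddRemoveProgram arp
    where arp.DisplayName like :kb)
order by t1._ResourceGuid
"""

def build_inventory():
    """In-memory stand-in for the three inventory tables (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table inv_aex_os_Internet_Explorer (_ResourceGuid text, Version text);
        create table Inv_AeX_AC_Identification (_ResourceGuid text, [OS Name] text);
        create table Inv_AddRemoveProgram (_ResourceGuid text, DisplayName text);
    """)
    xp, win7 = "Microsoft Windows XP Professional", "Microsoft Windows 7 Professional"
    machines = [  # (guid, IE version, OS name, Add/Remove Programs entries)
        ("pc-unpatched", "8.0.6001.18702", xp, ["Hotfix for Windows XP (KB0000001)"]),
        ("pc-patched", "8.0.6001.18702", xp, ["Security Update (KB2909210)"]),
        ("pc-no-arp", "8.0.6001.18702", xp, []),   # no Add/Remove rows at all
        ("pc-ie7", "7.0.5730.13", xp, []),         # wrong IE version
        ("pc-win7", "8.0.7601.17514", win7, []),   # wrong operating system
    ]
    for guid, ie, os_name, programs in machines:
        db.execute("insert into inv_aex_os_Internet_Explorer values (?, ?)", (guid, ie))
        db.execute("insert into Inv_AeX_AC_Identification values (?, ?)", (guid, os_name))
        db.executemany("insert into Inv_AddRemoveProgram values (?, ?)",
                       [(guid, name) for name in programs])
    return db

def machines_needing(db, kb, ie_major):
    """Return the resource GUIDs the filter would target for this KB."""
    params = {"ie": f"{ie_major}.%", "kb": f"%({kb})%"}
    return [row[0] for row in db.execute(FILTER_SQL, params)]

if __name__ == "__main__":
    print(machines_needing(build_inventory(), "KB2909210", 8))
```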

 

MS14-011Filter.jpg

 

XP was easier, as you target the canned filter Windows XP Computers.

MS14-015Filter.jpg

Policies:

This will take the place of the Default Software Update Plug-in Policy. We currently use 2 cloned copies of the Default Software Update Plug-in Policy to target our pilot group and servers, leaving the default policy to target our remaining enterprise. Thus you can do one of two things with policies: you can create a policy to target each environment, or manually edit each policy after your deployment phase. I can tell you first hand that when I started where I am now, they had me set up each patch as an individual patch, then edit the policy and add each group after the other finished. I had one month where we had 8 patches x 4 distribution groups, which means 8x4=32 edits. Not to mention you have to remember to go add them in on the dates. I have forgotten some distributions!!!!!

I will be creating 3 policies for each patch. Two of them target specific filters and will be filtered at the policy level, whereas the enterprise deployment will target the dynamic filter. Here is the setup for the dynamic policy.

MS14-011Policy1.jpg

MS14-011Policy2.jpg

MS14-011Policy3.jpg

 

That is it... Nice and Easy!

Hope that helps you with patching your XP systems outside of Patch Solution!

 

