
Patching Windows 10 and Office 365 - Webcast Recording + Q & A


Thanks to all who attended our webcast, "Effective Patch Strategies for Windows 10 and Office 365".

If you missed the webcast, listen to the recording here:

https://www.brighttalk.com/webcast/13361/226913?cid=70138000001BafJAAS 

We also had quite a few questions during the webcast. Please find the Q & A transcript below.

Q: Is the peer downloading opt in?  I assume we can turn it off if we don't want to use that?
A: Yes, this is optional. You have control over this. For example, you could allow only certain computers in a certain location or branch to use the peer to peer downloading.

Q: Are these enhancements available with ITMS 8.0 HF4?
A: Many of the enhancements discussed during the webcast are part of HF5 which was released on December 15. Learn more about HF5 here:
https://www.symantec.com/connect/forums/it-management-suite-80-hf5-now-available 

Q: Are these enhancements in patch available in 7.5 or is it 7.6 or higher?
A: They are (or will be) available on 7.6 and 8.0. If you are on 7.5 today, you will need to upgrade to 7.6 or higher to take advantage of these new capabilities. The hotfix and pointfix released on December 15th includes support for peer to peer on 8.0 and 7.6. There is another update (currently scheduled for January) that will introduce Office 365 support.

Q: What are the scheduling options for win10 feature updates?  What are the options to notify users that their computer will be down during the potentially long (40+ minutes) install process?
A: Because Windows 10 feature updates are similar to an image, it does take a little bit of time to get installed and running. We recommend treating these feature updates just like you would for imaging a computer and the processes you follow for that. Please share your feedback with your experiences deploying these feature updates as we are working on some enhancements in this area.

It’s also worth mentioning that there is no Altiris Agent running during feature update installation (as basically a new OS is installed during this time) and therefore the computer is not able to distribute the downloaded feature update image to other computers. So admins need to make sure that there is enough time between when computers receive the patch policy with the feature update and the actual installation (so computers would be able to share the image and won’t download from NS/PS individually) – it’s recommended to use the scheduled time for feature update installation and not “Run ASAP”.

As for notification, we have improved notification options starting from Patch 8.0, so we would suggest customers review and utilize them.

Q: Is this an additional package that needs to be purchased or is it included in my Small Business Endpoint Protection software?          
A: The functionality we’re discussing on today’s webcast (Patch management) is included with Symantec Client Management Suite, IT Management Suite or Patch Management Solution and so would not be part of your Small Business Endpoint Protection Suite. If you would like more information on purchasing one of these solutions to add these capabilities, please contact Spencer Tait or your local sales rep. 

Q: Hear back from your customers?  What is the best method as I have been trying to understand the roadmap and direction with respect to Windows 10 and it has seemed to be an issue through any methods I have tried.
A: For more information regarding the product roadmap, contact your account rep who will arrange a meeting with our Product Management team. If you are not sure who that is, please contact Spencer Tait.

Q: Will clients attempt to discover peers when offsite (CEM active)?
A: The peer to peer functionality does not currently support devices connected via CEM.  Such support will be considered for inclusion in a future release.

Q: We have NS version 8.0 but I don't see the option for peer download, what version is this feature in?
A: It is available starting with HF5 released December 15. Learn more here:

https://www.symantec.com/connect/forums/it-management-suite-80-hf5-now-available 

Q: Are there routing concerns using peer to peer like with using multicast and broadcasts?         
A: It would help to have more specific details to better answer this question. But the short summary is that our p2p relies both on broadcast traffic inside the subnet and unicast traffic to hosts from the ARP cache in order to quickly and effectively find peers.

The typical network configuration is that broadcast traffic is allowed inside the subnet but not routed to other networks, and unicast is only routed in case a port exception is intentionally added to the firewall. Also, our implementation doesn’t use any multicast-type traffic.

Q: For Office 365 patches, will the agent automatically download updates from the closest package server or does it require GPO or XML to set download location?
A: With the current implementation, the best package server is identified when the policy with Office 365 updates arrives on the client (so the situation may change by the time the updates are actually installed). We plan to add the re-evaluation of the selected package server right before the updates installation in future updates for Office 365 support.

Q: Any plans to handle feature updates on W10 machines using Language packs?  My understanding is that they will be removed during the update of a feature pack. It would be great if they could get automatically re-applied by patch mgmt.     
A: The functionality works fine with foreign language versions of Windows 10.  Additional research is being conducted to seamlessly handle situations involving language packs.

Q: Can the feature update occur leveraging an Internet Gateway?          
A: Feature updates can be distributed to devices connected via the Internet Gateway.  The peer to peer package download feature is not currently supported for devices connected via the Internet. Gateway support will be considered for inclusion in a future release.

Q: We had what looks like a win 10 insider patch come down in the patch cycle. Was this a mistake? How can this be avoided in future?
A: IT Management Suite does not include patches that are only available to Windows 10 insiders.  ITMS does not currently distinguish between devices that are on the Windows 10 Current Branch and the Windows 10 Current Branch for Business, but customers have full control over when updates are distributed to each and every device.  Inventory data can be used to create separate targets for devices on the Current Branch and those on the Current Branch for Business.

Q: How does the peer to peer downloading work related to CEM?  We have remote sites running on generic networks (i.e. 192.168.x.x).  Will the tool be able to share packages only to the local network, or will it share to anything in an identical subnet?               
A: The peer to peer package download feature does not currently support devices connected via CEM.  Such support will be considered for inclusion in a future release.

Q: With the comment of automatically deploying patches are you intending on adding support for this that does not require the use of Workflow?
A: We don’t have an auto-install feature in our short-term plans, but there is an automation developed by Ludovic Ferre that can auto-install updates without workflow that you may want to take a look at.

https://www.symantec.com/connect/blogs/cwoc-patchautomation-and-zerodaypatch-builds-80

Q: Peer to Peer: Does a client favor a local PS over local peer with the package?
A: No

Q: With respect to patching other applications, is there any effort going into expanding the applications supported and cleaning up of existing products of no interest anymore.  The interface includes things like Skype 1, 2 ancient versions.  Others like Adobe Reader 6.0 etc. Suggestion is the ability to "Hide" products not of interest so that new products can be easily identified.            
A: Customers are encouraged to submit requests to add support for additional applications.  Requests will be evaluated based on the overall value provided to the collective customer base.

Q: Can we expect to see the P2P behavior being implemented in Symantec Endpoint Protection product as well to distribute the definition updates?
A: Please direct this question to the SEP product team by contacting your Symantec account rep.

Q: PEER DOWNLOAD - how long does the process take to elect the 'endpoint 1' to be the downloader and then 'endpoint 2' to get the package from 'endpoint 1'
A: The process of electing "endpoint 1" to be the downloader happens instantaneously.  The amount of time that it takes for "endpoint 2" to get the package is entirely dependent on the size of the package.
 

Q: What is different between peer-to-peer and multicasting and where do you recommend using one versus the other?
A: There are several differences between multicasting and peer to peer.  One significant difference is that the process of negotiating and creating a multicast session requires more time than the process for identifying peer devices that have a package.  In addition, it is not possible for a device to join a multicast session after it has started.

Q: Can you shed some light on how the Symantec product handles 3rd party software patching?
A: Symantec IT Management Suite supports the patching of a large number of commonly used third party Windows applications.  From a technology perspective, the process is identical to the process for patching Microsoft products.

Q: Will peer to peer work for other items than just patch?  Managed Software Delivery for example.
A: Yes, peer to peer will work for software deliveries.  It does not currently support the distribution of Deployment Solution image files.

Q: How is peer to peer different than multicast? And will you be able to control resource utilization?
A: Yes, the peer to peer feature enables you to control resource utilization.  There are several differences between multicasting and peer to peer.  One significant difference is that the process of negotiating and creating a multicast session requires more time than the process for identifying peer devices that have a package.  In addition, it is not possible for a device to join a multicast session after it has started.

Q: Will the peer-to-peer distribution and streaming work the same for Windows 10 security only updates?         
A: Yes.

Q: One of the key things that is currently missing in Symantec Patching is the ability that Windows Update has to patch at the Driver level.  We have full blown patch management in effect and still to be effective, we often need to run Windows Update on machines to correct issues that have been resolved by Microsoft but relate to driver issues. How can we handle this product gap?
A: Support for driver updates will be considered for inclusion in a future release of IT Management Suite.

Q: Is this for all O365 or just the 2016 bits?           
A: Microsoft is ending support for the 2013 version of Office 365 in February, 2017.  ITMS' support for Office 365 is limited to the 2016 version.

