(All of this information (and more) is located in the Protect 9.2 Upgrade Guide. We highly recommend all customers review the changes detailed in this guide.)
This document informs customers of the major Scan Template and Patch Group changes that take effect after upgrading to Protect 9.2.4988, released 11/5/2015.
There are three issues/changes to consider in these areas:
- Patch Scan Templates: The Filtering tab on the Patch Scan Template dialog has been updated to allow for more precision when scanning. While the upgrade process will automatically convert your existing patch scan templates to the new style, you should double-check your templates to verify the changes.
- Patch Groups: Patch groups are no longer defined using a separate dialog; rather, they are now created and managed from within Patch View. While the upgrade process will automatically convert your existing patch groups to the new convention, you should double-check your groups to verify the changes. Your patch groups may be smaller.
- Modified and Auto-Generated Patch Groups: In order to preserve the behavior of your patch scan templates, one or more of your existing patch groups may be modified during the upgrade process and one or more new patch groups may be automatically generated.
- Modified Patch Groups: If you reference a patch group within the Patch filter settings section of your 9.0 or 9.1 patch scan template and Scan selected is enabled, any patches that do not meet the criteria defined by the scan template filters will be removed from the group. Here’s why: In Protect 9.0 and 9.1, the scan template filters can mask the fact that your patch group may contain patch types that you never intended to actually scan for or deploy. In Protect 9.2, when the patch group is used as a baseline, the scan template filters will not be applied and inaccuracies in your patch groups may be revealed. If the upgrade process detects this situation, it will automatically modify the patch group in order to preserve the intended interaction between the scan template and the patch group.
Example: Assume your 9.1 patch group contains a mix of Security, Non-security and Software Distribution patches. In the scan template that references this patch group, the Patch filter settings section is set to Scan selected and the Patch Properties section is set to detect only Security patches. In this configuration, the Patch Properties filter will be honored and only Security patches will be detected (despite the fact that the patch group contains Non-security and Software Distribution patches).
After upgrading to 9.2, the scan template will define the patch group as a Baseline filter and all other scan template filters will be ignored. If the patch group is not modified, Non-security and Software Distribution patches will now be detected (and deployed, if you enable the Auto-deploy patches after scan check box when performing a scan). The upgrade process will recognize this discrepancy and will remove the Non-security and Software Distribution patches from the patch group.
Going forward, manage your patch groups carefully and do not add unnecessary or unwanted patches or patch types. This is especially important when adding Software Distribution type patches to a patch group, because doing so will deploy products to the target machines.
- Auto-Generated Patch Groups: A copy of an existing patch group will be automatically generated by the upgrade process if all of the following conditions are met:
  - If the patch group is referenced within the Patch filter settings section of a patch scan template and Scan selected is enabled, and
  - If the patch group is referenced by an agent policy or by a second scan template that contains different filter definitions, and
  - If the patch group must be modified by the upgrade process to maintain compatibility (see above)
In this situation, a copy of the patch group will be generated and then modified as described above. The name of the new patch group will be *<patch group name> -generated for <scan template name>. The scan template(s) that reference the patch group will be updated to use the new patch group name. The original patch group is preserved so that references to it from your agent policies or other scan templates are maintained.
You should review the changes and, if desired, rename the auto-generated patch group to a more friendly or meaningful name.
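The modify-or-copy rules described above, modelled as an added example to help predict which groups to review after the upgrade. It is not code from the vendor or the Upgrade Guide; the data structures, patch ids, group names and template names are constructed, and a template's filters are simplified to a set of patch types.

```python
# Model of the 9.0/9.1 -> 9.2 patch group conversion rules described above.
# Data structures and names are hypothetical, not Protect's schema or API.
# Simplification: a template's filters are reduced to a set of patch types.

def plan_upgrade(groups, templates, policy_groups):
    """groups: {name: {patch id: type}}; templates: {name: {group, scan_selected, types}};
    policy_groups: set of group names referenced by agent policies."""
    after = {name: dict(patches) for name, patches in groups.items()}
    baselines, actions = {}, []
    for tname, t in templates.items():
        gname = t["group"]
        baselines[tname] = gname
        if not t["scan_selected"]:
            continue  # condition 1 not met: group is not used with Scan selected
        kept = {p: ty for p, ty in groups[gname].items() if ty in t["types"]}
        if len(kept) == len(groups[gname]):
            continue  # the filters masked nothing, so the group needs no change
        # Condition 2: also referenced by an agent policy, or by a second
        # template whose filter definitions differ?
        shared = gname in policy_groups or any(
            other["group"] == gname and other["types"] != t["types"]
            for oname, other in templates.items() if oname != tname)
        if shared:
            # Name pattern reproduced exactly as the page prints it.
            copy = f"*{gname} -generated for {tname}"
            after[copy] = kept          # original group stays untouched
            baselines[tname] = copy     # template now points at the copy
            actions.append(("generated", copy))
        else:
            after[gname] = kept         # trimmed in place
            actions.append(("modified", gname))
    return after, baselines, actions

# Constructed sample data mirroring the page's example.
GROUPS = {
    "Servers": {"PATCH-A": "Security", "PATCH-B": "Non-security",
                "PATCH-C": "Software Distribution"},
    "Desktops": {"PATCH-D": "Security", "PATCH-E": "Non-security"},
}
TEMPLATES = {
    "Sec Only": {"group": "Servers", "scan_selected": True, "types": {"Security"}},
    "Desk Sec": {"group": "Desktops", "scan_selected": True, "types": {"Security"}},
}
POLICY_GROUPS = {"Servers"}  # "Servers" is also used by an agent policy

if __name__ == "__main__":
    after, baselines, actions = plan_upgrade(GROUPS, TEMPLATES, POLICY_GROUPS)
    for kind, name in actions:
        print(kind, name, sorted(after[name].values()))
```

In this sample, "Servers" is shared with an agent policy, so it is copied and the copy is trimmed, while "Desktops" is trimmed in place and ends up smaller.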