Channel: Symantec Connect - Endpoint Management

ASDK 7.6 - Add applicability rule to Software Release


I have had some time to look into DS 7.6, and it seems that it is now feature complete in comparison to DS 6.9. However, this does not mean that you face some challenges to get it up and running. The main challenge seems to be having the Symantec Management Agent installed very early in the OS Deployment process, in comparison to DS 6.9 where I used to have the SMA as the last step so that I do not have any Software Manage Delivery policies interfere with any other installs during the OS deployment process.

It seems like there are two ways to go. One way is to use filters and exclusions to add the computer to the exclusion filter during OS Deployment or the other way is to use applicability rule. It seems like applicability rule is better than filters because you do not need to care about any filter / target / policy updates.

Either way, if you have an environment up and running in which you need to do some updates on a large scale, you need to have some script to do the job, and that is why I have looked into the process of adding an applicability rule to a software release using ASDK.

Here is a test software release and all the packages we use do not have any applicability rule.

software_release_1.JPG

I have the inventory rule which I called "IsInDeployment"

software_release_inventory_rule.JPG

And this is what the script does: it assigns the existing inventory rule to the software release.

To use this script you have to be locally on your Notification server. The following options are provided.

Running the script "cscript.exe AddApplicabilityRuleToSoftwareRelease.vbs ad140031-5522-4c9c-8914-6c7277b3e5c6 d267d4df-6d8d-4bbb-ab1c-2032e97e45af" will change one software release.

The first parameter stands for the software release guid and the second stands for the inventory rule guid.

The result for this test package looks like this:

software_release_2.JPG

Running the script "cscript.exe AddApplicabilityRuleToSoftwareRelease.vbs -f guidsoftwarereleases.txt d267d4df-6d8d-4bbb-ab1c-2032e97e45af" will go through a text file where you can add as many software release guids as you like. The second parameter stands again for the inventory rule guid.

The detection rule previously assigned to the software releases will be retained; however, if you already have an applicability rule assigned, it will be overwritten.


How to create monthly report Top 50 Software

I need a solution

Hi everyone,

I need to create a report of Top 50 software in my company.

Do you have an idea how to do that?

I need to refresh this report every month.

How can I know if software is used by users or not?

Thanks a lot for your help!

PXE-E53: No boot filename received Surface Pro 4

I need a solution

Hello,

I am attempting to perform a PXE boot to WinPE from DS 7.6 HF6 using WinPE 4.0 x32.

I also made the firmware configuration changes on the Surface Pro 4 documented in TECH225340.

I have the Surface Pro 4 attached to the new Microsoft Surface "Dock" and the Ethernet cable is plugged into the Dock. 

We do get a response from PXE asking to select what I want to do, either run WinPE 4 AM or boot off next device

I have attached a picture of what happens when I attempt to select my "WinPE 4 AM"

I can perform a PXE boot to WinPE 4 on ALL my HP Elitebook and Elite desktop systems.  It just does not work on the Surface Pro 4.

It must be something simple that is missing.

Anyone have any ideas?

Thank you,


Arellia 8.1 Application Control and Privilege Management Essentials is Here

Avoid Being the Next Victim of Cyber Crime

Arellia 8.1 is Here

Arellia 8.1 Solutions are built on the standalone Arellia Management Server and can integrate with Symantec Management Platform (Altiris) and Microsoft System Center Configuration Manager (SCCM).

Customers can use Arellia 8.1 solutions to control domain and local user privileges, whitelist approved software, blacklist known or unknown applications, and control all aspects of an application’s privileges.

Arellia 8.1 Privilege Essentials bundle combines the Arellia Application Control Solution and Local Security Solution.

 

Some of the New Features of Arellia 8.1

Application Reputation and Intelligence – Arellia integrates into reputation engines like VirusTotal  and Kaspersky to check the reputation of an application before installing or executing the application.

Integrate into Security Operations Center – Arellia has the ability to send application alerts from potentially bad applications and disclosure of privileged accounts into Security Information and Event Management solutions like Splunk and ArcSight to help the security team quickly identify possible Advanced Persistent Threats.

Application Sandboxing – a process in a Job is limited in its ability to interact with other processes, as well as in some specific types of interactions with the operating system, such as shutting down the system.

Application Firewall – we have introduced fire-walling based on Application Classifications. i.e. It is possible to limit all (or just allow some) network access for certain classes of applications.

Mobile Application Approval, Reputation and Alert App– get application elevation requests directly on your mobile phone with Arellia Mobile App.  The Arellia mobile app allows you to see application approval requests, check the reputation and approve or deny the application

ArelliaMobileApp copy.jpg

Mobile Password Disclosure Alerts– Get password disclosure alerts directly on your phone with the Arellia Mobile App

Enhanced Mitigation Toolkit Support (EMET) – strengthen internet facing applications against vulnerabilities in software from being successfully exploited

Enhanced task scheduling – Logon/off, System Start, Session State Change or Windows Event

New AES Encryption Provider

To learn more about Arellia 8.1 Click Here:

Automatic pxe boot in pxe boot menu?

I need a solution

Hello everyone,

Does anyone know how to set up an automatic pxe boot in the pxe boot menu?

I have created a boot menu under my pxe server of my workstation.

Not under Shared Configuration.

But the problem is, that my boot menu only appears under my own pxe server, not under the Shared Configuration.

So I can't select a boot option for booting unknown computers. See the picture for this:

GSS_0.png

So I have selected the option: Wait indefinitely for user selection. That helps a little, but it is not automatic. See the next picture:

IMG_20151211_113255.jpg

Also, the scope of my boot menu is local, not shared.

So, something isn't right.

Who has useful information for me?

Thanks in advance,

Julian


With Automation Folder installed, how to not get the boot menu?

I need a solution

Title says it all: with the automation folder installed, when I reboot the computer, I have a menu to select the OS to boot on. Is there a way to disable that?

Thank you


Can a 6.0 SP3 PS function under TLS 1.1?

I need a solution

Hello all,

One of my customers is looking at replacing SSL 3.0 with TLS 1.1 and would like to know if clients will be able to download packages from their PS's if the PS is using TLS 1.1? 

Thanks in advance,

SK.


DS 6.9 SP6 and TLS 1.1

I need a solution

Hello all,

One of my customers is looking at replacing SSL 3.0 with TLS 1.1 and would like to know if the DS Web Console will work with TLS 1.1? 

Thanks in advance,

SK.


SQL Report for Task History

I need a solution

In the client SMP agent I am able to see Task history for the last 3 months. I need to get the same result through SQL.

I tried using the evt_task_instances and evt_his_ tables but was unable to retrieve the data for Unix machines.

Please help me with the query.

Custom report to enhance Task Reporting


The attached report shows the following information.

At the top level it will show 

TopLevelTaskReport.JPG

With a drill down to the specifics for any computers involved

DrillDownTaskReport.JPG

Security key for package validation is missing from response

I need a solution

To start, I imported a batch file as a deliverable piece of software in the software catalog and then ran a quick delivery task for that software. The only editing I do to the software is on the command line for installation. I keep seeing this error when trying to run a Quick Delivery Task:

Security key for package validation is missing from response. Previously stored key will be used (if exist).

Can anybody help me out? I've tried quick deliveries with one computer, and another with multiple computers. I've also attempted this with different batch files and the downloads do not successfully finish downloading due to the error mentioned above. Could this have something to do with my Package Service on the NS?

<event date='11/06/2015 13:35:56.6660000 -05:00' severity='4' hostName='COMPUTER5' source='DeliverSoftware_Task::Run' module='smfagent.dll' process='AeXNSAgent.exe' pid='8080' thread='6948' tickCount='20046187'>

  <![CDATA[Starting the New QD task...]]>

</event>

<event date='11/06/2015 13:35:56.6660000 -05:00' severity='4' hostName='COMPUTER5' source='DeliverSoftware_Task::Run' module='smfagent.dll' process='AeXNSAgent.exe' pid='8080' thread='6948' tickCount='20046187'>

  <![CDATA[Waiting for the Quick Delivery lock]]>

</event>

<event date='11/06/2015 13:35:56.6690000 -05:00' severity='4' hostName='COMPUTER5' source='SWDAgent' module='smfagent.dll' process='AeXNSAgent.exe' pid='8080' thread='6948' tickCount='20046187'>

  <![CDATA[Add SWD task Execute PowerComp.bat (PowerComp Test) {95CFE38D-5DD7-4E5C-A9EB-A269FC8883B7} to run queue]]>

</event>

<event date='11/06/2015 13:35:56.6750000 -05:00' severity='4' hostName='COMPUTER5' source='ScheduleEngine' module='AgentScheduler.dll' process='AeXNSAgent.exe' pid='8080' thread='10228' tickCount='20046203'>

  <![CDATA[Schedule  ({8C055B3A-653D-40A0-8666-5C9B604A8872}) has been removed]]>

</event>

<event date='11/06/2015 13:35:56.6770000 -05:00' severity='4' hostName='COMPUTER5' source='ScheduleEngine' module='AgentScheduler.dll' process='AeXNSAgent.exe' pid='8080' thread='10228' tickCount='20046203'>

  <![CDATA[Schedule  ({8C055B3A-653D-40A0-8666-5C9B604A8872}) has been added, check all schedules in a few moments]]>

</event>

<event date='11/06/2015 13:35:56.7020000 -05:00' severity='4' hostName='COMPUTER5' source='PackageDelivery' module='AeXPackageDelivery.dll' process='AeXNSAgent.exe' pid='8080' thread='7648' tickCount='20046218'>

  <![CDATA[Begin download for package: PowerComp Test {78440A6A-D13C-4B57-A411-18B154587FE9}]]>

</event>

<event date='11/06/2015 13:35:56.7030000 -05:00' severity='4' hostName='COMPUTER5' source='SWDAgent' module='smfagent.dll' process='AeXNSAgent.exe' pid='8080' thread='7648' tickCount='20046234'>

  <![CDATA[Begin download for package: {78440A6A-D13C-4B57-A411-18B154587FE9}.]]>

</event>

<event date='11/06/2015 13:35:56.7440000 -05:00' severity='4' hostName='COMPUTER5' source='PackageDownload' module='AeXPackageDelivery.dll' process='AeXNSAgent.exe' pid='8080' thread='7648' tickCount='20046265'>

  <![CDATA[Download package sources from: https://altiris.domain.com:443/Altiris/NS/Agent/Ge... resource="{A6EB7A5A-BF4C-49D5-8C8B-7F30F51F5481}" version="1" type="codebases" compress="1" totalTime="0" totalFailureTime="0">

<packages>

    <package guid="{78440A6A-D13C-4B57-A411-18B154587FE9}"/>

</packages>

<addresses>

    <address ip="147.55.1.3"/>

</addresses>

</request>

]]>

</event>

<event date='11/06/2015 13:35:56.8010000 -05:00' severity='4' hostName='COMPUTER5' source='PackageRequest' module='AeXPackageDelivery.dll' process='AeXNSAgent.exe' pid='8080' thread='7648' tickCount='20046328'>

  <![CDATA[Security key for package validation is missing from response. Previously stored key will be used (if exist).]]>

</event>

<event date='11/06/2015 13:35:56.8010000 -05:00' severity='2' hostName='COMPUTER5' source='PackageDelivery' module='AeXPackageDelivery.dll' process='AeXNSAgent.exe' pid='8080' thread='7648' tickCount='20046328'>

  <![CDATA[Error while downloading package: No package sources returned by server (0x80070490)]]>

</event>

<event date='11/06/2015 13:35:56.8010000 -05:00' severity='4' hostName='COMPUTER5' source='DownloadQueue' module='AeXPackageDelivery.dll' process='AeXNSAgent.exe' pid='8080' thread='7648' tickCount='20046328'>

  <![CDATA[Retry package: id={78440A6A-D13C-4B57-A411-18B154587FE9} delay=180 secs at=11/6/2015 1:38:56 PM causedDelay=1 earliestRetryTime=

]]>

</event>

<event date='11/06/2015 13:35:56.8060000 -05:00' severity='4' hostName='COMPUTER5' source='PackageDelivery' module='AeXPackageDelivery.dll' process='AeXNSAgent.exe' pid='8080' thread='7648' tickCount='20046328'>

  <![CDATA[End download for package: PowerComp Test {78440A6A-D13C-4B57-A411-18B154587FE9}. Status: retrying]]>

</event>

<event date='11/06/2015 13:35:56.8060000 -05:00' severity='4' hostName='COMPUTER5' source='SWDAgent' module='smfagent.dll' process='AeXNSAgent.exe' pid='8080' thread='7648' tickCount='20046328'>

  <![CDATA[End download for package: {78440A6A-D13C-4B57-A411-18B154587FE9}.]]>

</event>


Webcast Recording - Best Kept Secrets of IT Management Suite


Thanks to all who attended our webcast, "Best Kept Secrets of IT Management Suite" on Wednesday, December 9!

And, extra special thanks to our esteemed customer panel!

To download or play the Webcast recording, click here.

Links shared during the Webcast:

Finally, I will post the Q & A transcript below (will have it by Monday, check back).

Unable to boot to Windows Automation - 116

I need a solution

I have just finished installing Ghost Solution Suite 3.0 on a server here (Previously using 11.5) and the Symantec DAgent Service is successfully running on a test machine (Windows 7 Pro (x86) - Client installed using Remote Agent Installer) I tried creating an image using the right click 'Quick Disk Image' option, and the client machine restarts but does not boot into PXE. The NiC is the first option in the boot order on the client. I have read a couple different posts on the subject but nothing with an answer that solves my problem. Any possible fixes or troubleshooting steps to take?

Thanks


Workflow - Repository


In this Article I'm going to show you how to use the Repository in Workflow.

The Repository is a great place to store your workflows, keep a backup and see the changes throughout the process.

When you install Workflow you have an option to configure the SMP. This can be done at a later stage too.

Open Symantec Workflow Explorer

  "[Install Drive]:\Program Files\Symantec\Workflow\Tools\Symantec.Explorer.exe" or

  "[Install Drive]:\Program Files\Symantec\Workflow\Tools\Symantec.Explorer.exe" -page CredentialManager

Set up SMP in the Explorer app, click on the Symantec Management Platform on the left hand side

Click Add

Fill in your details

Symantec Workflow Explorer - Credentials - Add.png

You can then highlight and click Test

Symantec Workflow Explorer - Credentials - Test - Succeeded.png

This will now be available in Workflow Manager.

Open Workflow

  "[Install Drive]:\Program Files\Symantec\Workflow\Designer\bin\WorkflowManager.exe"

Expand the Repo(s)

There should be a Projects folder but it'll likely be empty.

Click back onto the Local folder

New - Forms (Web)

Give it a name "POC_Repo_WEB"

Symantec Workflow Manager - New Forms Project.png

Complete your Workflow...

Click the Check In.png Check In button in the toolbar or File | Check In Project (Ctrl+Shift+S)

You will receive a message

Check In Project.png

Then choose a location

Create Repository Project.png

You have the option to create a new Folder and you can Delete the local copy. This can help with not getting your projects out of sync.

I usually keep this unchecked then move the original into an archive folder locally.

The Project is then closed and the newly created project is opened.

If you right click on the local Project and select Open Location

Symantec Workflow Manager - local Project - Right Click.png

You will be taken to

  "[Install Drive]:\Program Files\Symantec\Workflow\WorkflowProjects\POC_Repo_WEB"

If you do the same with Repo version

Symantec Workflow Manager - repo Project - Right Click.png Symantec Workflow Manager - Right Click.png

You will see a different folder location

  "C:\Users\alex.hedley\AppData\Local\Symantec\Workflow\Repository\e8951e09da7f46158b58176da73fa647"

In Workflow Manager you will see two columns, Local Version and Latest Version

These inform you what version you have copied to your machine and which is the latest in the Repo.

It's always best practice to click on the Refresh before you check out a version.

I tend to double click on a Project to open it but you can click Check Out then Open if you want to make sure.

If you are working on a copy and don't wish to use it anymore and want to revert to the last known good copy, open the location, then delete or move this folder elsewhere. Click on Refresh and the Local Version column will not contain a number any more. Now when you Check Out and Open you will be back to the latest version, which you can begin to work on again.

Updating a Workflow.

Make your changes then click on Check In.png Check In again.

Check In (Notes).png

Refresh the Manager and your version number will have increased

Now if you Right Click on a Project and click View Versions

Symantec Workflow Manager - Right Click - View Versions.png

You will see a nice list of all the notes you've made against versions you've Checked In.

Project Versions.png

There may come a time when you make changes, check them in then realise they weren't necessary, instead of deleting the components you can roll back to a previous known version.

Close the Project first.

Highlight the version row and click Rollback.

Rollback message.png

Uploading DLLs.

You may have created a DLL, Integration Component, that you wish to store in the Repo.

Open the Location and check there is a .SymWorkflow file

Now back in WF Manager go to the folder, where the project is, you wish to upload, click on Import

Find the file, click Open

Upload INT - SymWorkflow.png

Then wait for it to upload.

You will then see it available in the main screen, if not click Refresh.

Make sure if you create a new Repo Project that you check this, it isn't by default so it will show as version 0 then others can't open it

Backup

Each time you Check In a project a version is created in a Backup Folder

  "[Install Drive]:\Program Files\Symantec\Workflow\WorkflowProjects\Backup"

Task Tray Tool

  "[Install Drive]:\Program Files\Symantec\Workflow\Tools\LogicBase.Local.TaskTray.exe"

Right Click - Shortcuts - Edit Tool Preferences

Task Tool Tray - Shortcuts - Edit Tool Preferences.png

Under Studio Configuration

Backup

Edit Tool Preferences - Backup.png

Links

About the Workflow Repository
http://www.symantec.com/docs/HOWTO62234

Protirus.png

Policy not executing in client machines

I need a solution

I cloned the inventory policy and scheduled it to run on client machines. In Resource Manager the policy is showing but not executing.

When I initiate the basic inventory task and full inventory, they complete successfully.

But the policies are not executing, and I am getting the errors below:

  <![CDATA[StartService('AeXNSClient'): Failed to open Service Control Manager, error 0x00000005 (Access is denied)]]>

  <![CDATA[getNewRulesFromWeb() error - HTTP status: 404. Invalid data received in HTTP response. Expected 1245 bytes, received 0]]>

Any suggestions would be very helpful.

Patch Compliance - Understanding Dashboard


Most Managers like Dashboards, since they can understand high level summary pretty quickly.

I have investigated on Patch Management Compliance Dashboard, since I did not trust numbers I could see. I am talking about dashboard you can see at:

Home > Patch Management > Compliance and Remediation > Compliance Dashboard

PM_Dashboard.jpg

In Use = 14,189

You can look at SW Update Agent reports. I can see 14,166 agents in version 7.5 (latest).

There are about 140 failing upgrades, but I do not think these should be counted.

So that number is close to reality, but not precisely.  

PM_SUA_Report.jpg

Computers with Software Update Plug-in: 800

That is actually misleading, just look at above picture, that we have 14,166 machines.

That Web part is actually calling report Windows Software Update Plug-in Rollout Status

Symantec should correct that in Dashboard: For correct count look at report mentioned above.

Computers not reporting vulnerability analysis: 0

Zero is not correct value.

Use report Exception Handling > No Scan Data Reported

The Dashboard does not display proper data, even though the same report is linked.

Excluded software releases: 1950

Not sure how that number was calculated:

I have actually enabled some Adobe and some Microsoft, checked in total 229 items

When I enable all, total is 2,204 items.

I do not think that 1950 and 229 is giving 2204 in total.

*********************

I hope it would get all corrected in next product release.

NOTE ON HIERARCHY

In case you have hierarchy enabled, do not use Compliance Dashboard on Parent, it does not display valid data at all.

You may use individual reports instead, but required data have to be uploaded to Parent first.

GSS 3.0 Trial or Official version

I need a solution

Q1: What are the differences between the trial version of GSS 3.0 and the final version?

Q2: Where can I download the final version?


Upgrading agent from 7.5 to 7.6

I need a solution

Ok so this works but looking for thoughts if this the best approach..

First I need to give some history on why I am looking at doing it this way. We were on CMS 6.0 R13 a few years back. When we went to 7.1 I ran a similar WiseScript that ran aexagentutil /clean from the default folder. This left the Altiris folder behind, which I thought was OK, but in actuality it left the Software Delivery folder in the root of the Agent folder. In 7.1 that was moved under \Agents\SoftwareManagement\Software Delivery. I found out later that I should have copied out the aexagentutil to a temp folder and then run it.

Anyway, moving to today: we went to 7.5 and are now going to 7.6.
I realize now that running AexNSAgent.exe /uninstall totally removes the Altiris Agent folder, and this is what I want to do, and this works, but there is a slight dilemma. During the uninstall of the agent and the subagent, I am unable to have the script wait for all to finish to then install, so I had to use the Pause command in WiseScript. While this works, it just makes it longer for the install.

So my script is easy, and I am curious if anyone sees any possible better approaches? (Note: I am moving the pause up into the If statement so the pause won't happen if Altiris is not present. Testing that right now...)

.AeXNSAgent.png


target and policy confusion

I need a solution

I was under the impression that one could have pre-defined FILTERS ready to use, and when one created a "policy" to get a specific patch or set of patches out to computers you could choose to use a predefined filter - and apply to specific computers, or avoid specific computers in that way, otherwise you could create the policy and choose the "targets" on the fly - in each policy that you create.

However, I'm finding out that it's not that simple.   I found a computer I use in IT - has some special things on it and different settings, etc. and can't be rebooted like others or on the same schedule as others, so I exclude it in SOME patch policies. SOME, not all. (otherwise I manually update it when I can find a break and a good time to exit the apps and reboot it)
So I have the thing CRASH on me last evening - explorer went south, all desktop was gone,
This am when I ran the report to see what computers needed to be rebooted, I found that computer on the list -and having received two of the policies I had created days ago.

I went back in and removed that computer AGAIN. This time when I did so and went to back out and save, it warned me that the "targets" were used in 6 other policies. Really? I choose the computers or groups or filters as I create each policy.
So I went into each policy, one at a time and removed that computer AGAIN by using the exclude computers in list choice. When I said OK - it said "this target is used by ..... other policies. Now how can that be when I set up that each time I create a policy, for each policy individually.

Why and how can a group of computers I target be used by policies I created days ago,
but it gets better - when I was all DONE modifying about 4 policies to remove that computer AGAIN, the last one I hit and looked at - then went to back out of, I hit ok and it said "this target is used by 32 other policies".
First, we don't even HAVE 32 policies! Wow, I'm still learning, testing, experimenting, no way there are 32 policies.
And second - if I download a patch, right click and choose to distribute, and choose computers to distribute to, am I not creating a distinct new policy for that patch, and choosing THOSE computers for THAT patch? Apparently not, if I make any change from the default it tells me I'm modifying a bazillion other policies that use the same target. HUH? How can that be?
Is the targeted computers not exclusive to THAT policy?

Why does every policy I create want to use the targets from the last policy I created, and if I modify a group of computers - say developers complain and I need to remove 2 computers from a couple of policies, it forces me to change every single policy I've ever worked on - saying that they all use that target.

Can't I change a policy that pushes a patch or set of patches (say a bulletin or bulletins) to a set of computers and not impact 32 other polices? (which we don't even have - there aren't 32 patch policies on the server)

targets.jpg


Creating a Pilot Computers Filter: dynamic, automatic & maintenance free


Rolling out software is a tricky business. Any change, whether a major software release or a security patch, runs the risk of impacting user productivity. In order to manage this risk, IT administrators often choose to expose software changes to their estate in incremental stages.

The number of release stages IT administrators mandate for software rollouts however will often vary, even within one organisation. For example, a critical windows update might move straight to full rollout without even one simple test, whereas a Java update that's required for critical business systems access might be advanced through multiple stages.

To give you an idea of what this can look like, below I've detailed the 4 release stages we often apply to our software rollouts.  

  1. Test
    This stage releases the software solely to a few test machines. These machines are usually virtual, and are representative of the most common baseline software configuration. This stage represents the most basic quality control gateway for deploying the package. 
     
  2. Initial Pilot
    This stage exposes the software package to small pool of local IT staff. In our environment, this sample represents a fraction of 1% of our computer estate.  The aim here is to catch those initial 'gotchas' using a pool of technically savvy users with 'standard' configurations. The confidence level in a successful rollout is medium. The combination of small sample size and user base however means that the impact of a failed pilot is relatively low and rollback is relatively painless.
     
  3. Extended Pilot
    This stage extends the pilot to include machines which are more representative of the target estate. Here the confidence level in a successful rollout is high, and rollback becomes user impacting. In our environment, this sample represents perhaps 5% of our computer estate
     
  4. Full Rollout
    All machines are now targeted with the software rollout. The confidence level in a successful rollout is very high, and the impact of rollback in the event of an issue emerging is high.

Over the years this system worked pretty smoothly for us with the exception of one niggle; the management overhead of the Extended Pilot group. Initially this pilot group consisted mostly of volunteers who were selected to be representative of our estate. When our customer base was small, the manual processes in keeping abreast of staff and PC changes was manageable. However as our customer base grew and became increasingly distributed, the process of reinvigorating the group to keep it from going stale became a major painpoint.

Eventually, I realised this pilot group in its current form was no longer fit for purpose, and a rethink was required.

 

Extended Pilot Group Criteria

For the re-think, I went back to basics. What was it I ultimately wanted? Well, ideally I'd want a pilot filter which was maintenance-free and full of active computers. This would enable me to reliably pilot managed software deliveries for Java Run-time Environment rollouts, or IE upgrades etc.

This meant my group membership had to follow three basic criteria,

  • Pseudo-random - so that it was representative of the computer population
     
  • Dynamic - to automatically exclude retired or inactive machines
     
  • Scope - to restrict the member total to a percentage of our computer estate

 

Construction

To figure this out I used the tools available to me; Google and critically the Symantec Connect community.

I decided a straightforward way of picking computers consistently in a pseudo-random manner was to use the computer's GUID. The GUID is randomly assigned to each computer when it first checks in to the SMP. So if I were to create a filter of my computers ordered by GUID, the top 10 would represent a consistent and pseudo-random subset.

Next, to eliminate inactive machines I should restrict membership to computers which were regularly checking in. To obtain recently-checked-in computers within ‘n’ days, I resorted to copying and pasting a chunk from SQL previously written by my colleague Ian Atkin;

SELECT guid FROM  vComputer vc
join resourceupdatesummary rus
on vc.guid = rus.resourceguid
AND rus.inventoryclassguid = 'C74002B6-C7B9-47BB-A5D6-3031AF73BB8D'
WHERE Datediff(dd,rus.[modifieddate],Getdate()) <= 7

This T-SQL provides a nice list of computers which have checked in within the last 7 days.

The question now is how to build in my last criteria -making the membership scale. That initially seemed simple -use the T-SQL 'SELECT TOP' to limit the returned rows to the top 5%.

So testing began, and initially it worked beautifully.  But it seemed there was a bug in the SMP membership update processing which meant that the total returned just grew and grew each time the filter was automatically refreshed as a result of being in a live policy target.  I looked to the Symantec Connect community[1] and being amazing as they are, I got a result: use NTILE

I had never heard of NTILE before, and although ‘ericg2’ had given me sample usage, I needed to read up on what it did to figure out how to crowbar it into my SQL.  If you haven’t seen this before it’s very well explained all over Googleland, but suffice to say it splits the results into ‘n’ percentiles and you can select just one of them.  I wanted about 5% so I selected the first of 20 ‘NTILE’s.

 

The SQL

Anyway, enough rambling, here is the finished crafted SQL.

select vc.guid from vcomputer vc
join (
select ntile(20) over (order by guid) AS "ntile", guid  from   ----- ntile 20 is about 5%

(SELECT guid FROM  vComputer vc
join resourceupdatesummary rus               
on vc.guid = rus.resourceguid               
AND rus.inventoryclassguid = 'C74002B6-C7B9-47BB-A5D6-3031AF73BB8D'  
WHERE Datediff(dd,rus.[modifieddate],Getdate()) <= 7  ) xxx

) "grp" on vc.Guid=grp.Guid
where

grp.ntile=1

Console View

         5percent.png

Variants

It is simple to change the quantity of computers: just change the NTILE number.  We also have another pilot filter that contains 50% of computers that checked in the last 7 days.  The NTILE difference is:

select ntile(2) over (order by guid) AS "ntile", guid  from   ----- ntile 2 is about 50%

It's probably easiest to think in terms of fractions: ntile 2 = 1/2 = a half.  Our 5% is ntile 20 = 1/20 = one twentieth.

 

Advantages and Disadvantages

Before I leave this, I should point out that whilst this approach resolves most of our previous issues, it isn't perfect. 

Pros

  • Maintenance free - as your estate grows so will the number of computers returned by a 5%-active query. You might want to play with this figure in your environment to find a percentage that you are comfortable with.
     
  • Fire and forget: any policy with this filter in its target will get a good set of results back.  I have confidence that around 100 computers will definitely check in and get my policy.
     
  • Self-renewing: if someone is on holiday their computer will drop out of the filter after 7 days. So the filter is always (nearly) full of current computers.
     
  • Consistent membership - mostly: because the query sorts by GUID then the top 5% of computers will mostly be predictable providing they keep checking in.

Cons

  • Inconsistent membership: clearly this contradicts the last 'pro' above, but it is important to note that this is dynamic and the exact computers will change pretty-much every day.  A few stragglers will drop out and be replaced regularly.  You may get a computer that is targeted by the filter, but it then drops out.  This means that you can be left with a computer but not know it got the update or software etc. because it won't show up in the compliance view for the policy.  As long as this is kept in mind though, there should not be any real surprises about this.  We use central logging for all our deliveries so we can see from there which computers actually got targeted.
     
  • Extra work for rollbacks: in the event of requiring a rollback of your pilot, you can't just apply the rollback script to the same target containing the pilot filter because the computers change.  So the target for the rollback policy will have to specifically target the computers based on something that the pilot did, like an inventory item added - for example an add / remove programs entry.

 
Hope this provides some food for thought for you all out there. Happy Piloting!

[1] http://www.symantec.com/connect/forums/altiris-75-filter-sql-very-strange-behaviour

Darren Collins
Applications Packaging and Deployment for IT Services,
Oxford University, UK.
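
The NTILE selection described in the article above, as an added example that is not part of the original post: the filter query is ported to SQLite inside Python and run against a constructed estate, showing the 1/20 slice and the membership churn listed under Cons. The table contents, the fixed date and the helper names are assumptions, and `Datediff`/`Getdate` are replaced by a `julianday()` difference.

```python
import random
import sqlite3
import uuid
from datetime import date, timedelta

# Inventory class GUID quoted in the article's query.
INVENTORY_CLASS = "C74002B6-C7B9-47BB-A5D6-3031AF73BB8D"
TODAY = date(2015, 12, 14)  # constructed "current date" so runs are repeatable

# The article's filter, ported to SQLite (assumption: simplified two-table schema).
PILOT_SQL = """
SELECT vc.guid FROM vComputer vc
JOIN (
    SELECT ntile(:tiles) OVER (ORDER BY guid) AS tile, guid FROM (
        SELECT vc.guid FROM vComputer vc
        JOIN ResourceUpdateSummary rus
          ON vc.guid = rus.resourceguid
         AND rus.inventoryclassguid = :cls
        WHERE julianday(:today) - julianday(rus.modifieddate) <= :days
    ) active
) grp ON vc.guid = grp.guid
WHERE grp.tile = 1
ORDER BY vc.guid
"""


def build_estate(n_active, n_stale, seed=1):
    """Constructed estate: n_active computers seen 0-7 days ago, n_stale older."""
    rng = random.Random(seed)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vComputer (guid TEXT PRIMARY KEY)")
    conn.execute(
        "CREATE TABLE ResourceUpdateSummary "
        "(resourceguid TEXT, inventoryclassguid TEXT, modifieddate TEXT)"
    )
    for i in range(n_active + n_stale):
        guid = str(uuid.UUID(int=rng.getrandbits(128)))  # random, like an SMP GUID
        age = i % 8 if i < n_active else 8 + i % 30
        seen = (TODAY - timedelta(days=age)).isoformat()
        conn.execute("INSERT INTO vComputer VALUES (?)", (guid,))
        conn.execute(
            "INSERT INTO ResourceUpdateSummary VALUES (?, ?, ?)",
            (guid, INVENTORY_CLASS, seen),
        )
    return conn


def pilot_members(conn, tiles=20, days=7, today=TODAY):
    """GUIDs in the first of `tiles` buckets of recently seen computers."""
    params = {
        "tiles": tiles,
        "cls": INVENTORY_CLASS,
        "today": today.isoformat(),
        "days": days,
    }
    return [row[0] for row in conn.execute(PILOT_SQL, params)]


def refresh_after_absence(conn, absent_guids):
    """Age out some computers, re-evaluate the filter, and return
    (dropped, added): machines that left the filter and their replacements."""
    before = set(pilot_members(conn))
    stale = (TODAY - timedelta(days=30)).isoformat()
    conn.executemany(
        "UPDATE ResourceUpdateSummary SET modifieddate = ? WHERE resourceguid = ?",
        [(stale, g) for g in absent_guids],
    )
    after = set(pilot_members(conn))
    return before - after, after - before


if __name__ == "__main__":
    conn = build_estate(n_active=400, n_stale=600)
    pilot = pilot_members(conn)
    print(f"5% pilot:  {len(pilot)} of 400 active computers")
    print(f"50% pilot: {len(pilot_members(conn, tiles=2))} of 400 active computers")
    # Five pilot machines stop checking in after they were targeted.
    dropped, added = refresh_after_absence(conn, pilot[:5])
    print(f"after refresh: {len(dropped)} dropped out, {len(added)} took their place")
    # 'dropped' may already have the software but no longer show up in the
    # policy's compliance view, so a rollback needs its own target.
```

The `dropped` set is the reason the article recommends targeting rollbacks on something the pilot left behind rather than on the filter itself.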
