I recently upgraded one of our Trend Micro OfficeScan management servers to the latest ‘XG’ (v12) version. Typically once the server side software has been upgraded it automatically begins to push out the new program version to all OfficeScan agents. Sometimes you want this, for example you might just be applying a minor hotfix or update which you want all clients to receive ASAP. When it comes to a major upgrade I prefer to deploy to a small subset of clients for testing and gradually roll out to more departments over a period of time.
In this post I will quickly cover how to disable the OfficeScan management server pushing automatic agent upgrades.
Firstly we must consider the following BEFORE upgrading the server side – changes made on the server side will take time to propagate throughout the network. I strongly recommend you make these changes and then allow a sensible amount of time for all agents to detect the change. If you try and rush ahead with the server side upgrade you may have agents which are running an old policy allowing them to upgrade.
Right on to the actual configuration…
Firstly we need to logon to the OfficeScan web management console and modify our agent policy. To do this select the ‘Agents’ menu and then chooose ‘Agent Management.
Next we need to highlight the root OfficeScan object in the agent tree to ensure all clients receive the policy. As I can’t know what your policy layout is you may actually need to carry out this step differetly but I am going to assume a setup where the policy is being applied at the root level and inherited by all sub-clients.
Now that we have the root object selected we can start configuring our policy options. Click the ‘Settings’ option and then select ‘Privileges and Other Settings’.
A new browser window should open allowing us access to these configuration options. Click the ‘Other Settings’ tab, the option we need to configure is highlighted.
‘OfficeScan agents can update components but not upgrade the agent program or deploy hot fixes‘
Select the tick box next to this option and then click to ‘Apply to All Agents’.
Now all we need to do is allow time for the policy change to progagate throughout the network to all OfficeScan agents. This of course will depend on your setup – in my case I allowed a week. Those clients you do wish to run the latest version can be manually upgraded.
Once you are happy to deploy to all clients you just need to un-tick this option and apply the changes.