Altiris ITMS 8.7.3 released

Release 8.7.3 of the IT Management Suite (ITMS 8.7.3) from Broadcom was released at the beginning of November 2024. The release can now be installed via the Symantec Installation Manager (SIM). We will be happy to support you in updating to the new version. Get in contact with us.

These new features were introduced with Release 8.7.3:

New Symantec Management Platform Features

Microsoft Entra Authentication IntegrationThis release includes integration with Microsoft Entra, to ensure a persistent authentication service across Microsoft products.
When Windows authentication is used, the ITMS console now opens without prompting the Administrator for credentials if they did not log out from the previous session and their credentials remain cached by the browser. Shift+click on “Windows Logon Provider” icon can be used to log in as a different user.
For Azure administrators, Entra integration provides a notification before a pre-shared client secret expires (as well as after) is sent to the Symantec Management Agent.
Also for ITMS administrators, you can now map Microsoft Entra groups/roles to NS roles when creating an Import Rule, preventing the need to manually map such groups/roles to NS roles after they are imported.
Limit AD Import to Managed DevicesThis release includes a new Active Directory import option that allows administrators to only import devices within OU groups that have the Symantec Management Agent (SMA) installed. This ensures that policies can be assigned directly to OU groups rather than creating custom filters or targets.
Privilege to Control ASDK AccessWhen developing access policies, this release adds an option to limit new privilege for specified roles to access Administrator Software Development Kit (ASDK) instances.
Azure Client Secret Expiration NotificationAutomation policy Azure Client Secret Expiration Notification and bell alert in Symantec Management Console are added to notify administrator about upcoming Microsoft Entra client secret Expiration.
Non-Admin Permission to Revoke CertificatesAdministrators can now give users who are not assigned to the Symantec Administrator security role the ability to revoke certificates, so that they can off-board devices.
Package Server HealthAdministrators can now see the amount of disk usage and free disk space on each package server within the ITMS console. Previously, this functionality was only available by remotely logging in to each package server to view such information.
Limit Users to One Active SessionITMS administrators can now limit users to one active session in the ITMS console, in order to comply with my organization’s internal security mandate. See KB 377096 for more information.
Basic Inventory provides information whether computer is joined to domain or workgroupA new c32 field flags has been added to the AeX AC Identification dataclass with 1 value meaning that computer is joined to domain and 0 value meaning that computer is a part of workgroup.
Ability to delay automatic start of search in Console global search fieldThis release introduces a new core setting: ConsoleAutoStartSearchTimeout
This setting allows you to enter the number of milliseconds to delay after an input change with default of 750 ms. Setting this to 0 disables the autosearch completely.
For more information, see this KB article: KB 368914

New Symantec Management Agent Features

Streamlined Plug-in Installation ProcessThis feature allows SMA administrators to install the Symantec Management Agent (SMA), plug-ins, and the CEM policy as quickly as possible. No longer is it necessary to wait for the resource membership update process to run on the Notification Server and plug-in packages to be downloaded from package servers before plug-ins get installed.
IsRebootPending COM Object PropertyAdministrators can create custom applicability and detection rules using PowerShell or VBScript without adding complex logic, and determine if a reboot is pending according to the logic used by the Symantec Management Agent.
The new COM Object Property, IsRebootPending, returns 1 if a reboot is pending or 0 if not.

Token-Based Authentication

Symantec Management Agent, Altiris ASDK, and Internet Gateway now support token-based authentication.

For specific information, use the following link to download a white paper about Using ITMS with Token-Based Authentication.

In General, this functionality provides the following benefits:
• Provides agent tokens to be used to access resources on Site Servers and Notification Server, instead of with standard credentials which are prone to expiration and changes.
• Allows the Symantec Management Agent to support token-based authentication to avoid lockouts of ACC account when passwords expire.
• Altiris SDK authenticating with the tokens created on demand in the Altiris Console limits the security concerns over exposure of credentials stored in external systems.
• Internet Gateway reports to the Notification Server, authenticating with the token created on demand in the Altiris Console and does not require the use of the ACC account.

New OS Support
The following operating systems are now supported for the installation of the Symantec Management Agent and solution plug-ins:

Windows 11 24H2
Windows 11 Enterprise LTSC 2024
Windows 11 IoT Enterprise 24H2
Windows 11 IoT Enterprise LTSC 2024
Windows 11 IoT Enterprise Subscription LTSC 2024
Windows 11 IoT Enterprise Subscription 24H2
macOS 15 (Sequoia)
SUSE15 SP5
Ubuntu 24.04 LTS

New Symantec Management Console Features

Limit Users to One Active SessionITMS administrators can now limit users to one active session in the ITMS console, in order to comply with security mandates.
Defined in the Configure Sessions page, administrators can limit accounts or roles to a single session to the ITMS console.
Disable Drag and Drop FunctionalityTo eliminate the possibility that a user will accidentally drag and drop an item from one folder to another without realizing it, ITMS administrators can now disable drag and drop functionality within the Symantec Management Console.
Specify Destination Folder when CloningUsers can now clone items (jobs, tasks, etc) in a reference folder with restricted permissions and save them to other folders to which they have the necessary permission, without making changes to the reference folder.
This is defined in the Extended Console Views UI.
Enhanced Reports User ExperienceSeveral improvements have been made to Reports and Report management in this release:

• Search. This release includes a much-requested feature to the Reports system of ITMS. Search capabilities have been added to reports. A new Reports blade has been added to Extended Console Views (ECV) that includes Search capability.
• Favorites. Administrators can create a Favorites folder that can be used to save shortcuts to their most-used reports. Items remain in their original folders, preserving the existing folder structure. This new functionality is available by right-clicking on an existing report, and selecting Add to Favorites.
• Hide Folders/Reports. ITMS administrators can now hide folders or individual reports to show or hide, to reduce the amount of clutter in the report view, hiding reports that are not used often.
• Simple Report Builder. This release includes a new simplified report builder, available from the right-click context menu in the report view. This new simple report prompts users for the filters and columns to use in a new report, and adds it to the report structure where the right-click was performed.

New Inventory Solution Features


Capture Software Installed Per User
This release now scans the windows registry hives of all users who have logged in to given PC, rather than reviewing the Add/Remove Programs for the system as a whole. This ensures that the inventory scan to detection process now reports on the software installed per user, regardless of which user hive is loaded at the time the scan is performed. This ensures so that administrators are kept aware of any vulnerabilities that may exist on devices.

To maintain the previous behavior, create DWORD registry key named ArpScanLoadUserHives under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\SMFAgent\Inventory\ and set value = “0”
Standalone Inventory Package with support of custom Powershell scriptsAs VBScript is being deprecated by Microsoft, this release supports the ability to use a standalone inventory package to collect data using custom PowerShell scripts.
More information is available in Broadcom Support KB 376499.
Revised reporting of Windows per-user services
Modern Windows operating systems allow unique instances of services for each user. When a user signs in to Windows, the Operating System creates per-user services. These services are stopped and deleted when the user signs out. Each per-user service is generated based on a service template, and each has a unique name (a hash suffix is added to the service template name).
Beginning with ITMS 8.7.3, per-user services are not reported by default to the dataclass “AeX AC NT Services” collected by Basic Inventory and to the dataclass “OS Service Windows” collected by Inventory task or policy.

→ Service templates are still reported to the Basic Inventory dataclass “AeX AC NT Services”.
Collected Inventory Data Updated to Support SMBIOS 3.7.1Resource Manager now properly displays the names of newer memory, processor family and chassis package types. Previous versions of ITMS displayed incorrect, irrelevant, or no data when collecting information for unfamiliar hardware. Specifically, the following dataclasses are updated:
•  HW Chassis
•  HW Processor
•  HW Physical Memory
Additionally, Hardware Inventory now collects Trusted Platform Module (TPM) related information, and includes that data as a part of the hardware inventory dataclass, HW TPM.

New Patch Management Solution Features

KEV Date Added and Date DueThis release adds at-a-glance access to the date that vulnerabilities were added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog and the date by which such vulnerabilities must be remediated. This simplifies the act of prioritizing the distribution of associated software updates, as administrators no longer need to dig deeper to determine this information.
Support for Red Hat Hybrid Cloud ConsoleTo support the changes made by Red Hat around product licensing, this release includes support for the Red Hat Hybrid Cloud Console. This support means that Red Hat Enterprise Linux packages and associated errata can be downloaded.

If your organization manages Red Hat clients, this improvement is critical to keeping your Red Hat clients and servers up to date. For more information on the changes Red Hat is making, see this article from RedHat. Broadcom support has also provided further information about this in KB 256664.
Ability to Minimize Notification MessagesThis release provides an ability for end users to minimize the Software Update Installation and Software Update Installation Progress notification messages, so that users are not required to close or move such windows in order to continue to work.
In addition to this change, administrators can optionally reroute such messages to the Windows Action Center using “Show agent notifications in Windows action center” option of User Control agent settings.
New Compliance Report ParametersWindows Compliance reports provide you with the ability to report compliance only against bulletins or updates included in SWU policies using two new Distribution Status parameters: Policy Created and Policy Active.
Ability to Delay Restart After Updates InstallationSome updates may continue updating system components and cause system corruption if a restart is performed immediately after installation. To address this, the new option, PatchDelayBeforeRestart, has been added to this release. The command, when enabled, has a default value of 60 seconds to delay restart following the installation of updates.

New Software Management Features

Support for UWP ApplicationsAdded to this release is support for the distribution and identification of Universal Windows Platform (UWP) apps packaged in the .MSIX format, allowing ITMS to properly manage such apps. Prior to this release, support for these applications was limited and not natively supported.

The following features support this change:
.MSIX packages can be imported.
• Install and uninstall commands for .MSIX packages using PowerShell are automatically generated.
• This support does not include integration with the Microsoft Store or Winget.
• Detection rules using .MSIX Package IDs can be created and included in Managed Delivery or Targeted Inventory policies.
• .MSIX packages can be included in Managed Delivery policies and Quick Delivery tasks Installed under account of current Logged-On User by default Potential Future Enhancement: Register app and then install when session initiated by each user
• .MSIX packages are installed under the account of the current Logged-On user, by default.

.MSIX package dependencies are not automatically detected from manifest files, however, dependencies and updates to applications can be manually defined.
Software Categories in Software PortalThe Software Portal can now display tiles representing categories of items rather than simply grouping items by category. With this change, users can quickly and easily locate items. The Software Portal can now show tiles for categories, and users have the ability to drill down into individual categories, optionally switching between item view and category view.
Administrators can manage this functionality to ensure users only see the applications users and groups should be able to access. Categories can be hidden, color-coded as desired, and custom icons can be defined for categories.
Bulk Update of Software Portal RequestsAs requests for software are submitted by users via the Software Portal, administrators can approve, deny, or add comments to those requests in bulk. New view options have been added to support these changes, including tabs for My RequestsSubordinate Requests, and Subordinates.
Publishing Software to the Software PortalThis release includes a streamlined and consistent user interface to publish and manage software to the Software Portal, so that administrators can efficiently manage such software.
Among the improvements:
• Display Name column added to grid
• User/Group Name column renamed to Account Name
• Approved and Recommended checkboxes added to the grid
Software Portal Added SecurityThis release includes a new UI control that simplifies user and group selection and management introduced for all stages of software delivery and publishing.
Multi-selection functionality in Software PortalUser requests can be multi-selected by the administrator to approve, deny and add comments. Users and user groups can be multi-selected by administrator to add or remove them. Users can multi-select requests to cancel them.

New MDM Features

Support for Windows Update PayloadsModern Device Management (MDM) functionality in ITMS now provides default payloads for Windows Update settings. Previous ITMS releases required administrators to create custom MDM payloads to have Windows manage software update settings.

Four new Windows Update setting payloads added:
• Windows Insider Preview
• Windows Update Experience
• Windows Update Offering
• WSUS Offering
For more details, see this page from Microsoft.
Updated macOS System Extension Policy PayloadBecause macOS 15 gives users the ability to disable or delete system extensions, ITMS 8.7.3 adds support for three additional macOS MDM properties to manage system extensions:
• RemovableSystemExtensions
• NonRemovableSystemExtensions
• NonRemovablefromUISystemExtensions

New Deployment Solution Features

Support NVMe Drives for Linux ImagingThe ITMS Deployment Solution now supports the capture of Linux images from Non-Volatile Memory Express (NVMe) drives and the deployment of Linux images to NVMe drives. This support was previously only available in Windows systems.
ASDK Support for Loading Offline Domain Join DATThe ASDK method to import an Offline Domain Join DAT file is added. See the sample script AddDomainOfflineJoin.vbs
Default Command Line Parameters for Imaging TasksA new option added to the Deployment Solution Global Settings page, allowing you to define the default Ghost image creation and deployment command line. These command line commands are used in newly created Create Image or Deploy Image tasks.
Partition Disk Task – Resizing of EFI PartitionITMS administrators can use the Partition Disk task to resize the GPT partition when using EFI, permitting the creation of boot partitions larger than 100 MB in size. Previous releases did not provide this option and limited the size of boot partitions to 100 MB.
Removal of Deployment Package Server ComponentsStarting with the 8.7.3 release, Deployment Package Server Components are no longer required, as the Package Server now handles the necessary functions. Deployment Package Server Components – Install and Deployment Package Server Components – Upgrade policies are no longer available,  Deployment Package Server Components – Uninstall policy will remain.
Linux OS kernel updated to 5.10.0-28The LinuxPE kernel has been updated to version 5.10.0-28. Download the Linux LinPE from the console and import it manually. For more information, see the following Knowledge Base article: KB 244316: LinPE Support and Access to Files.

ITMS 8.7.3 also addresses various “Fixed Issues” and “Known Issues”, which you can find in the original release notes.

Release Notes and User Guides

The release notes and other useful documents for Altiris can be conveniently found at:

Altiris links & downloads

As with all updates, there are a few things to consider, especially if you are running multiple clients and servers. We have profound experience in this area and would be happy to advise you on updating to the latest version. Feel free to contact us.