Systemwalker Software Configuration Manager Operation Guide
FUJITSU Software

1.1.1 Windows Patch Management

Windows patches are managed by linking to WSUS. The following diagram shows the overall flow of Windows patch management.


Figure 1.1 Overview of Windows patch management


  1. Download patches [processing by WSUS]

    Use the WSUS function to synchronize with the Microsoft Update site and obtain the latest patch information.

  2. Send email notifications to the infrastructure administrator [processing by WSUS]

    When the WSUS email notification function is set up, WSUS sends the infrastructure administrator an email notification about newly synchronized patches.

  3. Authorize new patches [operation by the infrastructure administrator]

    The infrastructure administrator performs authorization processing for the new patches using WSUS.

  4. Obtain patch information [processing by Systemwalker Software Configuration Manager]

    Systemwalker Software Configuration Manager extracts the information about new patches and the management information held on WSUS, and stores both sets of information in the CMDB.
    Patch information can be acquired either automatically or manually (using a command).

  5. Send a new patch application request [processing by Systemwalker Software Configuration Manager]

    When a new patch is authorized on WSUS, an email is automatically sent to each tenant user and each tenant administrator requesting that they apply the new patch.

  6. Execute patch application [operation by the infrastructure administrator, the tenant user or the tenant administrator]

    Either the tenant user or the tenant administrator logs in to the management console and applies the new patch.

    The infrastructure administrator and dual-role administrator can execute the patch application using the command on the admin server.

    Point

    • Patches are distributed by WSUS. Once patch application completes, application information is sent to WSUS.

    • Even if a new patch is displayed in the management console, a notification about the new patch may not have been sent to business servers, or the patch may not have been downloaded to business servers, depending on the schedule settings for WSUS. Check the schedule settings for WSUS.

  7. Check execution status [operation by the infrastructure administrator, the tenant administrator, or the tenant user]

    Check the patch application status using the management console or the command on the admin server.

  8. Obtain patch application information [processing by Systemwalker Software Configuration Manager]

    Systemwalker Software Configuration Manager extracts patch application information from WSUS and stores it in the CMDB.

  9. Look up patch application status

    The infrastructure administrator, dual-role administrator, tenant administrator and tenant user log in to the management console and check the patch application status. The infrastructure administrator and dual-role administrator can also check the patch application status using the command on the admin server.


The following table explains the operation flow for each role:

| No. | Operation flow | User role: Infrastructure administrator | User role: Dual-role administrator | User role: Tenant administrator | User role: Tenant user | Reference |
|---|---|---|---|---|---|---|
| 1 | Download patches | Y | Y | - | - | Refer to the WSUS manuals. |
| 2 | Send email notifications to infrastructure administrators | - | - | - | - | Refer to the WSUS manuals. |
| 3 | Authorize new patches | Y | Y | - | - | Refer to the WSUS manuals. |
| 4 | Obtain patch information | Y | Y | - | - | "Patch Information Update Command" in the Reference Guide |
| 5 | Send new patch application requests | - | - | - | - | An email is sent automatically when a new patch is acquired. If email transmission fails, either an infrastructure administrator or a dual-role administrator must resend the email using the email resend command as described in the Reference Guide. |
| 6 | Execute patch application | Y(*1) | Y | Y | Y | "Patch Application Wizard" under "Patch Management" in the Operator's Guide; "Patch Application Command" in the Reference Guide |
| 7 | Check execution status | Y | Y | Y(*2) | Y(*2) | "Job Management" in the Operator's Guide; "Job Information Management Command" in the Reference Guide |
| 8 | Obtain patch application information | Y | Y | - | - | "Patch Information Update Command" in the Reference Guide |
| 9 | Reference patch application status | Y | Y | Y(*2) | Y(*2) | "Patch Management" in the Operator's Guide; "Patch Information Output Command" in the Reference Guide |

Y: Implement the task.

-: Do not implement the task.

*1: Only the command can be operated.

*2: Only the management console can be operated.


Note

Notes on linking to WSUS

  • Immediately after WSUS linkage is set up on a business server

    To perform patch management, register the business servers subject to patch management as computers managed by WSUS. WSUS can start managing a business server only after the business server has reported its software configuration information to WSUS. If discovery is performed before WSUS has received that report, WSUS cannot collect information for the business server, because information about the business server has not yet been registered with WSUS. The report is complete when the business server is displayed in the All Computers group in the WSUS console window and a time is displayed in the Last Status Report column. Do not perform discovery until the business server has reported its software configuration information to WSUS. Perform discovery by executing the swcfmg_patch_updateinfo command.

    If this command is not executed, discovery will be executed at the next scheduled regular discovery.

    Example:

    swcfmg_patch_updateinfo.exe -repository

  • If a business server has been added or removed as a computer managed by WSUS

    If a business server has been added or removed as a computer managed by WSUS, or if a business server that is already under the management of one WSUS service is moved to a location under the management of another WSUS service, do not perform discovery until the changes to the WSUS operation environment have completed and the business server has reported its software configuration information to WSUS. (The report is complete when the business server is displayed in the All Computers group in the WSUS console window and a time is displayed in the Last Status Report column.) Perform discovery by executing the swcfmg_patch_updateinfo command.

    If this command is not executed, discovery will be executed at the next scheduled regular discovery.

    Example:

    swcfmg_patch_updateinfo.exe -repository

  • If WSUS server cleanup has been performed

    If the disk used by the WSUS service is full, redundant patches and patch information managed by WSUS can be deleted using a WSUS server cleanup. If a server cleanup has been performed, execute the swcfmg_patch_updateinfo command with the "-cleanup" option specified.

    Example:

    swcfmg_patch_updateinfo.exe -repository -cleanup
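
The readiness condition in the first two notes above (server listed in WSUS and a Last Status Report time present) can be checked from a script before discovery is started. The following PowerShell script is an added example, not part of the Fujitsu manual. It assumes the WSUS `UpdateServices` module is available where it runs, uses constructed placeholder names for the WSUS host and business servers, and treats a `LastReportedStatusTime` equal to `[datetime]::MinValue` as "no status report yet".

```powershell
param(
    # Constructed placeholder names; replace with the servers under patch management.
    [string[]]$BusinessServers = @('biz01.example.local', 'biz02.example.local'),
    [string]$WsusHost = 'wsus.example.local',   # placeholder WSUS server
    [int]$WsusPort = 8530,
    [switch]$RunDiscovery                        # run the discovery command when all servers are ready
)

Import-Module UpdateServices -ErrorAction Stop
$wsus = Get-WsusServer -Name $WsusHost -PortNumber $WsusPort

# Index every computer WSUS knows about by lower-cased FQDN.
# Get-WsusComputer emits a plain message string when no computers exist,
# so objects without a FullDomainName are filtered out.
$known = @{}
Get-WsusComputer -UpdateServer $wsus -All |
    Where-Object { $_.FullDomainName } |
    ForEach-Object { $known[$_.FullDomainName.ToLowerInvariant()] = $_ }

# Collect every business server that does not yet meet the condition in the notes.
$notReady = foreach ($name in $BusinessServers) {
    $target = $known[$name.ToLowerInvariant()]
    if (-not $target) {
        [pscustomobject]@{ Server = $name; Reason = 'not registered in WSUS' }
    }
    elseif ($target.LastReportedStatusTime -eq [datetime]::MinValue) {
        # Assumption: MinValue means the computer has never sent a status report.
        [pscustomobject]@{ Server = $name; Reason = 'no status report yet' }
    }
}

if ($notReady) {
    $notReady | Format-Table -AutoSize | Out-String | Write-Host
    Write-Warning 'Discovery postponed: not all business servers have reported to WSUS.'
    exit 1
}

Write-Host 'All business servers have reported to WSUS.'
if ($RunDiscovery) {
    # Command and option as given in the manual; assumed to be on PATH on the admin server.
    & swcfmg_patch_updateinfo.exe -repository
    exit $LASTEXITCODE
}
```

Without `-RunDiscovery` the script only reports readiness, which makes it usable as a pre-check ahead of the scheduled regular discovery.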