Windows patches are managed by linking to WSUS. The following diagram shows the overall flow of Windows patch management:

Figure 2.4 Overview of Windows patch management

1. Download patches [processing by WSUS]

   Use the WSUS function to synchronize with the Microsoft Update site and obtain the latest patch information.

2. Send email notifications to the infrastructure administrator [processing by WSUS]

   By setting up the WSUS email notification function, an email will be sent from WSUS to the infrastructure administrator, informing him or her that a new patch has been downloaded from the Microsoft Update site.

3. Authorize new patches [operation by the infrastructure administrator]

   The infrastructure administrator performs authorization processing for the new patches using WSUS.

4. Obtain patch information [processing by Systemwalker Software Configuration Manager]

   Systemwalker Software Configuration Manager extracts information about new patches from WSUS and the management information on WSUS, and stores both sets of information in the CMDB.
   Patch information can be obtained either automatically or manually (using a command).

5. Send a new patch application request [processing by Systemwalker Software Configuration Manager]

   When a new patch is authorized on WSUS, an email is automatically sent to each tenant user and each tenant administrator requesting that they apply the new patch.

6. Execute patch application [operation by the infrastructure administrator, the tenant user or the tenant administrator]

   Either the tenant user or the tenant administrator logs in to the management console and applies the new patch.

   Infrastructure administrators can perform patch application using the command on the admin server.

   Point

   • Patches are distributed by WSUS. Once patch application completes, application information is sent to WSUS.

   • Even if a new patch is displayed in the management console, a notification about the new patch may not have been sent to business servers, or the patch may not have been downloaded to business servers, depending on the schedule settings for WSUS. Check the schedule settings for WSUS.

7. Check execution status [operation by the infrastructure administrator, the tenant administrator, or the tenant user]

   Check the patch application status using the management console or the command on the admin server.

8. Obtain patch application information [processing by Systemwalker Software Configuration Manager]

   Systemwalker Software Configuration Manager extracts patch application information from WSUS and stores it in the CMDB.

9. Look up patch application status

   The infrastructure administrator, tenant user, and tenant administrator log in to the management console and check the patch application status. Infrastructure administrators can also check the patch application status using the command on the admin server.