Deploying software updates with Windows Update patching

Article ID: 184969
Products

  • Patch Management Solution for Windows
  • Patch Management Solution
  • Management Platform (formerly known as Notification Server)
  • Client Management Suite
  • Server Management Suite

Issue/Introduction

In addition to using the Symantec Management Agent to download and install Microsoft updates (traditional patching), Patch Management Solution for Windows integrates with the Windows Update service and lets you deploy updates for a number of Microsoft products using the Windows Update Agent (Windows Update patching).

Resolution

You can choose to use only one of the patching methods or both methods together. If both methods are used during the same patch cycle, traditional patching installs its updates first, and then the Windows Update patches are installed. For more information, see the comparison of traditional patching and Windows Update patching methods at the end of this article.

Windows Update patching supports the Express Updates technology that optimizes distribution of some updates for Microsoft products by only downloading the incremental changes that each computer requires. For example, Express Updates include support for monthly quality updates for Windows 7, Windows 8.1, and versions of Windows 10 prior to 1809.

Note: Windows Update Agent integration does not support WSUS. It is limited to a Windows Update Agent that talks directly to the Windows Update service in the Microsoft cloud.

See more limitations under the "Limitations" section below.


Windows Update patching is disabled by default. You need to enable the Default Microsoft Update Configuration Policy to make the user interface for Windows Update patching available in the Symantec Management Console.

Patch Management uses Windows Update Agent to perform the following tasks:

  • Download the required Microsoft proprietary metadata directly from Microsoft servers to client computers as soon as the computers receive the Default Microsoft Update Configuration Policy. This procedure ensures that you have the latest and most accurate data for update identification.
  • Download required updates directly from Microsoft servers to client computers.
  • Install required updates to client computers according to the schedule settings of the software update policy that the computers receive.


Limitations

The Windows Update patching method has the following limitations:

  • Windows 10 feature updates are not supported.
  • You can enable Windows Update patching on Notification Servers in a hierarchy. However, the hierarchy functionality does not work for Windows Update patching: information about Windows Update Agent updates and software update policies cannot be replicated.
  • If you enable any of the Default Microsoft Update Configuration Policy configuration settings and save the policy, the previously defined Windows Update Agent configuration on the targeted computers is overwritten.
    If you later disable the policy, Patch Management Solution stops servicing the computers targeted in the policy. If you later disable the policy settings, Patch Management Solution keeps the current values of the settings on the computers targeted in the policy. In neither case does Patch Management Solution restore the previously defined Windows Update Agent configuration on these computers; you need to use other methods to do this.
  • Notification Server only has information about the updates that the assessed client computers report, because it receives this data solely from the computers.
  • Limitations of Windows Update Agent functionality, such as deferral, channels, or pause options, also apply.
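Because the Default Microsoft Update Configuration Policy overwrites the Windows Update Agent configuration and never restores it, it is worth snapshotting that configuration on a client before the policy arrives. The following PowerShell script is an added example, not code from this article or from Patch Management Solution. It reads the standard Windows Update and Delivery Optimization policy registry keys (these paths are real Windows locations); the snapshot file location and the function names are assumptions.

```powershell
# Added example (not part of the Broadcom/Symantec article): snapshot the Windows Update
# Agent policy configuration on a client before the Default Microsoft Update Configuration
# Policy overwrites it, and restore it later if required.
#Requires -RunAsAdministrator

# Standard Windows policy keys read by the Windows Update Agent and Delivery Optimization
$WuaPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
)

function Export-WuaPolicySnapshot {
    # Assumed snapshot location; any protected path works
    param([string]$Path = "$env:ProgramData\WuaPolicySnapshot.json")

    $snapshot = @{}
    foreach ($key in $WuaPolicyKeys) {
        if (-not (Test-Path $key)) { continue }      # absent key = no policy set, record nothing
        $item   = Get-Item $key
        $values = @{}
        foreach ($name in $item.GetValueNames()) {
            $values[$name] = @{
                Kind = $item.GetValueKind($name).ToString()   # DWord, String, MultiString, ...
                Data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            }
        }
        $snapshot[$key] = $values
    }
    $snapshot | ConvertTo-Json -Depth 5 | Set-Content -Path $Path -Encoding UTF8
    return $Path
}

function Restore-WuaPolicySnapshot {
    param([string]$Path = "$env:ProgramData\WuaPolicySnapshot.json")

    $snapshot = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($key in $WuaPolicyKeys) {
        $saved = $snapshot.$key
        if ($null -eq $saved) {
            # The key did not exist at snapshot time: remove whatever the policy created
            if (Test-Path $key) { Remove-Item $key -Recurse -Force }
            continue
        }
        if (-not (Test-Path $key)) { New-Item $key -Force | Out-Null }
        # Drop values added since the snapshot, then put the saved ones back
        foreach ($name in (Get-Item $key).GetValueNames()) {
            if (-not $saved.PSObject.Properties[$name]) { Remove-ItemProperty -Path $key -Name $name }
        }
        foreach ($prop in $saved.PSObject.Properties) {
            Set-ItemProperty -Path $key -Name $prop.Name -Value $prop.Value.Data -Type $prop.Value.Kind
        }
    }
}

# Usage: run Export-WuaPolicySnapshot before the policy is enabled on this computer;
# run Restore-WuaPolicySnapshot only after the policy has been disabled for it.
Export-WuaPolicySnapshot
```

Restore deliberately removes values the policy added rather than merging, so the computer ends up with the exact pre-policy configuration the article says Patch Management Solution does not restore.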


Prerequisites for deploying software updates with Windows Update patching

  1. Install or upgrade Patch Management Solution for Windows.
  2. Install or upgrade the Symantec Management Agent on client computers.
  3. Install or upgrade the software update plug-in on client computers.
  4. Enable and configure the Windows Update service on client computers so that software updates can be installed.
  5. Enable Internet connection from client computers to Microsoft servers.
  6. (Optional) Configure the time when you want to perform software update installation and computer restarts.
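Steps 4 and 5, together with the WSUS note above, can be checked on a client computer before the Default Microsoft Update Configuration Policy is rolled out. The script below is an added example and not code from this article or from Patch Management Solution. It checks that the Windows Update service is not disabled, that the Windows Update Agent is not redirected to a WSUS server through the UseWUServer policy value (a real Windows policy setting), and that the computer can reach Microsoft servers; the two hostnames are assumed public Windows Update endpoints and should be replaced with the ones your environment allows.

```powershell
# Added example (not part of the Broadcom/Symantec article): check the client-side
# prerequisites for Windows Update patching before enabling the policy.

function Test-WuaPatchingPrerequisites {
    $result = [ordered]@{}

    # Prerequisite 4: the Windows Update service must exist and must not be disabled
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $result.ServiceStartType = if ($svc) { $svc.StartType.ToString() } else { 'missing' }
    $result.ServiceOk        = [bool]$svc -and $svc.StartType -ne 'Disabled'

    # WSUS is not supported: UseWUServer=1 under the AU policy key redirects the agent to WUServer
    $au      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $useWsus = (Get-ItemProperty -Path $au -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
    $result.WsusConfigured = ($useWsus -eq 1)

    # Prerequisite 5: Internet connectivity to Microsoft servers (assumed endpoints)
    $endpoints = 'update.microsoft.com', 'download.windowsupdate.com'
    $reach = @{}
    foreach ($h in $endpoints) {
        $reach[$h] = Test-NetConnection -ComputerName $h -Port 443 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    $result.Reachable      = $reach
    $result.ConnectivityOk = ($reach.Values -notcontains $false)

    # Overall verdict: service usable, no WSUS redirection, Microsoft servers reachable
    $result.Ready = $result.ServiceOk -and (-not $result.WsusConfigured) -and $result.ConnectivityOk
    return [pscustomobject]$result
}

Test-WuaPatchingPrerequisites | Format-List
```

A computer that reports WsusConfigured = True will keep talking to WSUS regardless of the policy, which is why the check is treated as blocking rather than informational.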


To deploy software updates with Windows Update patching

  1. Enable Windows Update patching and configure the system assessment scan interval.
    You need to enable the Default Microsoft Update Configuration Policy to make the user interface for Windows Update patching available in the Symantec Management Console. You can distribute updates with Windows Update Agent only to the computers that are targeted by this enabled policy or its clone.
    The policy performs the Windows Update assessment scan that inventories managed computers for the software updates that they require. On the policy page, you can configure when to run the scan.
  2. Run compliance and vulnerability reports.
    Check your environment for vulnerabilities and evaluate which software updates you need to distribute by viewing the Windows Update-specific reports in the Symantec Management Console, at Home > Patch Management > Windows (Microsoft Data).
    The reports display updates for Microsoft products and include details for compliance and exception handling.
    Note: Because the information about updates comes directly from your client computers, the reports display only the updates that are applicable to the computers that are included in the Default Microsoft Update Configuration Policy.
  3. Distribute available software updates.
    Create the software update policies that use the Windows Update Agent to perform the download and installation of available software updates.
    You can access the policies that you have created at Home > Patch Management, in the left pane, under Windows (Microsoft Data), by clicking Windows (Microsoft Data) Policies. In the central pane, you can click the policy that you need, and then view or edit its settings on the policy page that opens in the right pane.
    Note: The Run with rights remediation setting is not applicable to Windows Update patching. Windows Update Agent updates are always installed under the System account.
    Warning: You must ensure that each software update works correctly in your environment before deploying it. Symantec recommends that you first distribute any required software update in a test environment before deploying it to your production environment.
  4. Evaluate the results.
    You can view the Windows Update patching results and deployment information in the Windows Update-specific reports. For example, the Deployments Requiring Attention report lets you view and manage the computers with failed update installations.
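The Windows (Microsoft Data) reports are built from what the Windows Update Agent on each client reports back, so the same data can be pulled locally on a single computer to cross-check a report entry or a failed installation. The script below is an added example, not code from this article or from Patch Management Solution; it uses the public Windows Update Agent COM API (Microsoft.Update.Session). The search criteria use the agent's own syntax; the decision to hide hidden updates by default and the function names are assumptions.

```powershell
# Added example (not part of the Broadcom/Symantec article): query the local Windows Update
# Agent for missing updates and for failed installations, to compare against the
# Windows (Microsoft Data) compliance reports and the Deployments Requiring Attention report.

function Get-WuaMissingUpdates {
    param([switch]$IncludeHidden)

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # WUA search criteria: software updates that are not yet installed on this computer
    $criteria = "IsInstalled=0 and Type='Software'"
    if (-not $IncludeHidden) { $criteria += " and IsHidden=0" }   # assumption: skip hidden updates
    $search = $searcher.Search($criteria)

    foreach ($u in $search.Updates) {
        [pscustomobject]@{
            Title      = $u.Title
            KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity   = $u.MsrcSeverity
            Downloaded = $u.IsDownloaded
            RebootReq  = $u.RebootRequired
        }
    }
}

function Get-WuaFailedInstalls {
    param([int]$Last = 50)   # how many history entries to inspect, newest first

    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count = [Math]::Min($Last, $searcher.GetTotalHistoryCount())
    if ($count -eq 0) { return }
    # IUpdateHistoryEntry: Operation 1 = installation, ResultCode 4 = failed
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 4 } |
        ForEach-Object {
            [pscustomobject]@{
                Date    = $_.Date
                Title   = $_.Title
                HResult = ('0x{0:X8}' -f $_.HResult)   # the error code to look up for remediation
            }
        }
}

Get-WuaMissingUpdates | Sort-Object Severity -Descending | Format-Table -AutoSize
Get-WuaFailedInstalls | Format-Table -AutoSize
```

If a computer appears in Deployments Requiring Attention, the HResult from Get-WuaFailedInstalls is the value to investigate; a missing update that the console does not show usually means the computer is not targeted by the Default Microsoft Update Configuration Policy, as the note in step 2 describes.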


To distribute software updates with Windows Update patching

  1. In the Symantec Management Console, on the Home menu, click Patch Management.
  2. On the Patch Management home page, in the left pane, expand Windows (Microsoft Data), and then under Compliance and Remediation, click the report that you want to view. For example, click Compliance by Update or Compliance by KB.
  3. In the right pane, right-click the required update or the KB that contains the required update, and then click Distribute Packages.
  4. In the Distribute Software Updates wizard, click Step 1, ensure that the settings are configured as needed, and then click Next.
  5. On the second page of the wizard, check the updates that you want to distribute.
  6. Turn on the policy.
    At the upper right of the second wizard page, click the colored circle, and then click On.
  7. Click Distribute software updates.
  8. In the status dialog box, click Close.


Comparison of traditional patching and Windows Update patching methods

Criterion: Method availability
  Traditional patching: The method is enabled by default. The user interface for traditional patching is available in the Symantec Management Console by default.
  Windows Update patching: The method is disabled by default. You need to enable the Default Microsoft Update Configuration Policy to make the user interface for Windows Update patching available in the Symantec Management Console.

Criterion: Connectivity requirements for client computers
  Traditional patching: Client computers must have a connection to the Symantec Management Platform package servers or to Notification Server.
  Windows Update patching: Client computers must have an Internet connection to Microsoft servers.

Criterion: Vendor support
  Traditional patching: The method lets you deploy software updates for Windows products from Microsoft and other vendors.
  Windows Update patching: The method supports a smaller number of Microsoft products than the traditional method and does not support updates from other vendors. For example, with this method you can deploy monthly quality updates for Windows 7, Windows 8.1, and Windows 10.
  Note: Microsoft does not publish the full list of products that are supported by the Windows Update Agent.

Criterion: Metadata for patch assessment and compliance reporting
  Traditional patching: The method uses patch management metadata that is published by Microsoft or other vendors. You must run the Import Patch Data for Windows task to download the metadata to Notification Server before you can download software updates or create software update policies.
  Windows Update patching: As soon as the computers receive the Default Microsoft Update Configuration Policy, the method gathers the required Microsoft proprietary metadata that the Windows Update Agent downloads directly from Microsoft servers to client computers, and sends it to Notification Server.

Criterion: System assessment scan
  Traditional patching: The traditional system assessment scan policy is pre-configured, enabled by default, and in most cases runs automatically on all computers with the Software Update plug-in installed.
  Windows Update patching: The Windows Update assessment scan is disabled by default. You need to enable and configure the Default Microsoft Update Configuration Policy that runs the scan.

Criterion: Compliance reports
  Traditional patching: Traditional reports are located at Home > Patch Management > Windows.
  Windows Update patching: Windows Update-specific reports are located at Home > Patch Management > Windows (Microsoft Data).
  Note: Unlike traditional reports, Windows Update-specific reports are not available in the Patch Remediation Center.

Criterion: Software update policies
  Traditional patching: Traditional software update policies are located at Home > Patch Management > Windows > Compliance and Remediation.
  Windows Update patching: The software update policies that use the Windows Update Agent are located at Home > Patch Management > Windows (Microsoft Data) > Compliance and Remediation.

Criterion: Software update download and distribution
  Traditional patching: The method downloads software update packages from vendor sites to Notification Server, and then uses the Symantec Management Agent to distribute the packages from the Symantec Management Platform package servers to client computers.
  Windows Update patching: The method uses the Windows Update Agent to download updates from Microsoft servers directly to client computers. The method supports the Express Updates technology that is built into the Windows Update service and optimizes distribution of some updates for Microsoft products by only downloading the incremental changes that each computer requires. For example, Express Updates include support for monthly quality updates for Windows 7, Windows 8.1, and versions of Windows 10 prior to 1809.

Criterion: Software update delivery optimization
  Traditional patching: The method uses the peer-to-peer downloading functionality built into the Symantec Management Agent to minimize the number of computers that need to download content from a remote server. Peer-to-peer downloading quickly and reliably downloads and distributes updates from other computers on your local network.
  Windows Update patching: The method uses the Windows Update Delivery Optimization capabilities, which are designed to serve a similar purpose. Additionally, when you configure the Default Microsoft Update Configuration Policy, you can let Patch Management Solution control the download and installation of Windows updates. In this way you can configure whether Delivery Optimization gets data from computers on your local network only or from computers on the Internet as well.