In addition to using the Symantec Management Agent to download and install Microsoft updates (traditional patching), Patch Management Solution for Windows integrates with Windows Update service and lets you deploy updates for a number of Microsoft products using Windows Update Agent (Windows Update patching).
You can choose to use only one of the patching methods or both methods together. If both methods are used during the same patch cycle, the traditional patching installs its updates first, and then Windows Update patches are installed. For more information, see the comparison of traditional patching and Windows Update patching methods.
Windows Update patching supports the Express Updates technology that optimizes distribution of some updates for Microsoft products by only downloading the incremental changes that each computer requires. For example, Express Updates include support for monthly quality updates for Windows 7, Windows 8.1, and versions of Windows 10 prior to 1809.
Windows Update Agent integration doesn’t support WSUS usage and limited to Windows Update Agent that talks directly to Windows Update [service in Microsoft cloud].
See more limitations under the "Limitations" section below.
Windows Update patching is disabled by default. You need to enable the Default Microsoft Update Configuration Policy to make the user interface for Windows Update patching available in the Symantec Management Console.
Patch Management uses Windows Update Agent to perform the following tasks:
The Windows Update patching method has the following limitations:
|Criteria||Traditional patching||Windows Update patching|
|Method availability.||The method is enabled by default.
The user interface for traditional patching is available in the Symantec Management Console by default.
The method is disabled by default.
You need to enable the Default Microsoft Update Configuration Policy to make the user interface for Windows Update patching available in the Symantec Management Console.
|Connectivity requirements for client computers.||Client computers must have connection to the Symantec Management Platform package servers or Notification Server.||Client computers must have Internet connection to Microsoft servers.|
|Vendors support.||The method lets you deploy software updates for Windows products from Microsoft and other vendors.||
The method supports a smaller number of Microsoft products than the traditional method and does not support updates from other vendors.
For example, with this method you can deploy monthly quality updates for Windows 7, Windows 8.1, and Windows 10.
Note: Microsoft does not publish the full list of products that are supported by the Windows Update Agent.
|Metadata for patch assessment and compliance reporting.||
The method uses patch management metadata that is published by Microsoft or other vendors.
You must run the Import Patch Data for Windows task to download the metadata to Notification Server before you can download software updates or create software update policies.
|As soon as the computers receive the Default Microsoft Update Configuration Policy, the method gathers and sends to Notification Server the required Microsoft proprietary metadata that Windows Update Agent downloads directly from Microsoft servers to client computers.|
|System assessment scan.||The traditional system assessment scan policy is pre-configured, enabled by default, and in most cases runs
automatically on all computers with Software
Update plug-in installed.
|The Windows Update assessment scan is disabled by default. You need to enable and configure the Default Microsoft Update Configuration Policy that runs the scan.|
|Compliance reports.||Traditional reports are located at Home > Patch Management > Windows.||
Windows Update-specific reports are located at Home > Patch Management > Windows (Microsoft Data).
Note: Unlike traditional reports, Windows Update-specific reports are not available in the Patch Remediation Center.
|Software update policies.||Traditional software update policies are located at Home > Patch Management > Windows > Compliance and Remediation.||The software update policies that use Windows Update Agent are located at Home > Patch Management > Windows (Microsoft Data) > Compliance and Remediation.|
|Software update download and distribution.||The method downloads software update packages from vendor sites to the Notification Server, and then uses the Symantec Management Agent to distribute the packages from the Symantec Management Platform package servers to client computers.||
The method uses Windows Update Agent to download updates from Microsoft servers directly to client computers.
The method supports the Express Updates technology that is built into Windows Update service and optimizes distribution of some updates for Microsoft products by only downloading the incremental changes that each computer requires.
For example, Express Updates include support for monthly quality updates for Windows 7, Windows 8.1, and versions of Windows 10 prior to 1809.
|Software update delivery optimization.||
The method uses the peer-to-peer downloading functionality built into the Symantec Management Agent to minimize the number of computers that need to download content from a remote server.
The peer-to-peer downloading quickly and reliably downloads and distributes updates from other computers on your local network.
The method uses the Windows Update Delivery Optimization capabilities that are designed to serve the similar purpose.
Additionally, when you configure the Default Microsoft Update Configuration Policy, you can let Patch Management Solution control download and installation of Windows updates. In this way you can configure whether Delivery Optimization gets data from computers on your local network only or from computers on the Internet as well.