Features

SA automates Windows patching by providing the following features and capabilities:

  • A central repository where patches are stored and organized in their native formats
  • A database that stores information about every patch that has been applied
  • Customized scripts that can be run before and after a patch is installed
  • Advanced search abilities that identify servers that require patching
  • Auditing abilities for tracking the deployment of important patches
  • Multibinary patch support that enables you to install Windows multibinary patches
  • Support for patching any Windows product or operating system

These features and capabilities enable you to browse patches by a certain operating system, schedule patch downloads and installations, set up email notifications, preview a patch installation, use policies and remediation to install patches, and export patch information to a reusable file format.

Types of patch browsing

The SA Client interface organizes Windows patches by operating systems and displays detailed vendor security information about each patch, such as Microsoft Security Bulletins. You can browse patches by the date Microsoft released the patch, by the severity level, Security Bulletin ID, QNumber, and so on. You can also browse all patches that are installed on a server, and view and edit patch metadata.

Scheduling and notifications

In the SA Client, you can separately schedule when you want patches to be imported from Microsoft into Server Automation, either by a schedule or on demand, and when you want these patches to be downloaded to managed servers.

Best Practice: Schedule patch installations for a day and time that minimize disruption to your business operation.

You can also set up email notifications that alert you when the download and installation operations have completed, succeeded, or failed. When you schedule a patch installation, you can also specify reboot preferences to adopt, override, postpone, or suppress the vendor's reboot options.

Patch policies and exceptions

To provide flexibility in how you identify and distribute patches on managed servers or groups of servers, Windows patching allows you to create patch policies that define groups of patches you need to install.

By creating a patch policy and attaching it to a server or a group of servers, you can effectively manage which patches get installed where in your organization. If you want to include or exclude a patch from a patch installation, patch management allows you to deviate from a patch policy by specifying that a certain patch is a patch policy exception.

An additional patch is one that the patch policy does not specify and that you want to add to the patch installation. An excluded patch is one that the patch policy does specify but that the patch policy exception marks as not to be installed.

Best Practice: In cases where it is already known that a certain Windows patch may cause a server or application to malfunction, you should create a patch policy exception to exclude it from being installed on that server or on all servers that have that application.

Patch installation preview

While Patch Management allows you to react quickly to newly discovered security vulnerabilities, it also provides support for strict testing and standardization of patch installation.

After you have identified patches to install, Patch Management allows you to simulate (preview) the installation before you actually install a patch. Use the preview process to identify whether the servers that you selected for the patch installation already have that patch installed. In some cases, a server could already have a patch installed if a system administrator had manually installed it.

The preview process provides an up-to-date report of the patch state of servers. The preview process reports on patch dependency and supersedence information, such as patches that require certain Windows products, and patches that supersede other patches or are superseded by other patches.
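The two sections above describe one computation: the patches a server should receive are the union of its attached policies, adjusted by its exceptions (additional patches added, excluded patches removed), and the preview then compares that set against what is already on the server, taking supersedence and prerequisites into account. The following added example (not SA's own code) models both steps. The patch identifiers, policy names, supersedence links, product names and server inventory are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    """One catalog entry. IDs below are constructed, not real KB/QNumbers."""
    id: str
    supersedes: frozenset = frozenset()   # older patch IDs this patch replaces
    requires: frozenset = frozenset()     # patch IDs or product names needed first


@dataclass(frozen=True)
class PolicyException:
    """Server-level deviation from policy: 'add' an extra patch or 'exclude' one."""
    patch_id: str
    action: str


def effective_patch_set(policies, exceptions):
    """Union of every attached policy, then apply exceptions; 'exclude' wins over 'add'."""
    bad = [e for e in exceptions if e.action not in ("add", "exclude")]
    if bad:
        raise ValueError(f"unknown exception action(s): {bad}")
    wanted = set().union(*policies.values())
    adds = {e.patch_id for e in exceptions if e.action == "add"}
    excludes = {e.patch_id for e in exceptions if e.action == "exclude"}
    return (wanted | adds) - excludes


def _supersedence_closure(catalog, patch_ids):
    """The given patches plus everything they transitively supersede."""
    covered, stack = set(patch_ids), list(patch_ids)
    while stack:
        entry = catalog.get(stack.pop())
        for older in (entry.supersedes if entry else ()):
            if older not in covered:
                covered.add(older)
                stack.append(older)
    return covered


def preview_install(catalog, wanted, installed, products):
    """Simulate an install without touching the server.

    already_installed: wanted patches present on the server
    superseded:        wanted patches made redundant by an installed or pending newer patch
    to_install:        patches that would be applied, in prerequisite order
    blocked:           patches whose prerequisite product or patch is absent
    """
    installed_cover = _supersedence_closure(catalog, installed)
    already = wanted & set(installed)
    by_installed = (wanted & installed_cover) - already
    pending = wanted - installed_cover

    # A pending patch that another pending patch supersedes need not be installed.
    dominated = set()
    for p in pending:
        dominated |= _supersedence_closure(catalog, {p}) - {p}
    by_pending = pending & dominated
    remaining = pending - by_pending

    # Resolve prerequisites to a fixpoint; whatever never becomes installable is blocked.
    order, present = [], installed_cover | set(products)
    progress = True
    while remaining and progress:
        progress = False
        for p in sorted(remaining):
            reqs = catalog[p].requires if p in catalog else frozenset()
            if reqs <= present:
                order.append(p)
                present.add(p)
                remaining.discard(p)
                progress = True
    return {
        "already_installed": sorted(already),
        "superseded": sorted(by_installed | by_pending),
        "to_install": order,
        "blocked": sorted(remaining),
    }


# Constructed catalog, policies, exceptions and server state (illustrative only).
CATALOG = {p.id: p for p in (
    Patch("KB-A1"),
    Patch("KB-A2", supersedes=frozenset({"KB-A1"})),
    Patch("KB-B1", requires=frozenset({"Product-X"})),
    Patch("KB-C1"),
    Patch("KB-D1", requires=frozenset({"KB-C1"})),
    Patch("KB-E1"),
)}
POLICIES = {"baseline": {"KB-A1", "KB-B1", "KB-C1"}, "app-servers": {"KB-D1", "KB-E1"}}
EXCEPTIONS = [PolicyException("KB-A2", "add"), PolicyException("KB-E1", "exclude")]
SERVER = {"installed": {"KB-A2"}, "products": {"Product-Y"}}


def run_example():
    wanted = effective_patch_set(POLICIES, EXCEPTIONS)
    return preview_install(CATALOG, wanted, SERVER["installed"], SERVER["products"])


if __name__ == "__main__":
    for state, patches in run_example().items():
        print(f"{state:18} {patches}")
```

For the constructed server, the preview reports KB-A2 as already installed, KB-A1 as superseded by it, KB-C1 then KB-D1 as the install order, and KB-B1 as blocked because Product-X is not on the box. Exclusions are applied after additions so that an exception marking a patch as excluded always wins, which is the behaviour you want when a patch is known to break an application.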

Patch uninstallation preview

Patch Management also provides a solution for remediating servers that are not operating properly due to installed patches. If installed patches cause problems, even after being tested and approved, Windows patching allows you to uninstall patches in a safe and standardized way. You can specify uninstall options that control server reboots and the execution of uninstall commands, and pre-uninstall and post-uninstall scripts. Similar to previewing a patch installation, you can also preview a patch uninstallation.

Exporting patch data

To help you track the patch state of servers or groups of servers, Patch Management allows you to export this information. This information can be exported in a comma-separated value (.csv) file and includes details about when a patch was last detected as being installed, when a patch was installed by Server Automation, the patch compliance level, what patch policy exceptions exist, and so on. You can then import this information into a spreadsheet or database to perform a variety of patch analysis tasks.
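As an added example of the kind of analysis such an export supports (this is not SA code, and the column names, server names, patch IDs and dates are assumptions constructed for illustration), the script below writes a small patch-state export in the shape described above and reads it back to answer three questions: which servers are missing patches that no exception excuses, which non-compliant rows an exclude exception explains, and which patches were detected on a server without Server Automation having installed them.

```python
import csv
import io

# Column names are an assumption for this example; the real export headers may differ.
FIELDS = ["server", "patch_id", "last_detected_installed",
          "installed_by_sa", "compliance", "policy_exception"]

# Constructed sample rows (not real export data).
RECORDS = [
    {"server": "web01", "patch_id": "KB-A2", "last_detected_installed": "2024-03-02",
     "installed_by_sa": "2024-03-01", "compliance": "compliant", "policy_exception": ""},
    {"server": "web01", "patch_id": "KB-B1", "last_detected_installed": "",
     "installed_by_sa": "", "compliance": "non-compliant", "policy_exception": ""},
    {"server": "web02", "patch_id": "KB-A2", "last_detected_installed": "2024-02-20",
     "installed_by_sa": "", "compliance": "compliant", "policy_exception": ""},
    {"server": "web02", "patch_id": "KB-E1", "last_detected_installed": "",
     "installed_by_sa": "", "compliance": "non-compliant", "policy_exception": "exclude"},
    {"server": "db01", "patch_id": "KB-C1", "last_detected_installed": "",
     "installed_by_sa": "", "compliance": "non-compliant", "policy_exception": ""},
]


def export_csv(records):
    """Serialise patch-state records to CSV text, as the export file would hold them."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def summarize(csv_text):
    """Read an export back and split it into the questions an analyst asks first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    actionable = {}     # server -> missing patches not covered by an exclude exception
    excepted = []       # non-compliant rows explained by an exclude exception
    outside_sa = []     # patches seen on the box that SA did not install (manual installs)
    for r in rows:
        key = (r["server"], r["patch_id"])
        if r["compliance"] != "compliant":
            if r["policy_exception"] == "exclude":
                excepted.append(key)
            else:
                actionable.setdefault(r["server"], []).append(r["patch_id"])
        elif r["last_detected_installed"] and not r["installed_by_sa"]:
            outside_sa.append(key)
    return {
        "actionable": {s: sorted(p) for s, p in sorted(actionable.items())},
        "excepted": sorted(excepted),
        "installed_outside_sa": sorted(outside_sa),
    }


def run_example():
    """Round-trip the constructed records through CSV and summarise them."""
    return summarize(export_csv(RECORDS))


if __name__ == "__main__":
    print(export_csv(RECORDS))
    for question, answer in run_example().items():
        print(f"{question}: {answer}")
```

The "installed outside SA" bucket is the export-side counterpart of the manual installs the installation preview detects: a patch that is present on a server but has no Server Automation install date was put there by some other route and is worth reconciling with the policy before the next scheduled run.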