Use > Server patching > Patch management for Windows > SA integration > Windows server patch management support

Windows server patch management support

SA Windows Server patch management support is compatible with a mixed-version multimaster mesh (where both patched and unpatched cores co-exist). Windows platform patch management includes the following supported functions:

  • Windows Server patches appear under Library after the patch database is imported.
  • Select the specific Windows Server version under Administration > Windows Patch Downloads > Patch Products to specify whether to import Windows Server patch metadata.
  • To manage Windows Server patches you can:

    • Invoke a patch browser to edit patch properties, descriptions, and reboot/install/uninstall flags.
    • See the following patch views when a Windows Server server is selected.

      • Patches Needed
      • Patches Recommended By Vendor
      • Patches with Policies or Exceptions
      • Patches Installed
      • Patches with Exceptions
      • All Patches
  • You can import patch binaries from the vendor using the SA Client or from a file.
  • You can attach Windows Server patch policies to servers and server groups.
  • You can define patch policy exceptions for Windows Server patches on servers and server groups.

SA patching modes

To patch your Windows managed servers with applicable Microsoft updates, SA requires access to the Microsoft patching database. You can access this database either by importing Microsoft's offline catalog of patches or by connecting SA to a WSUS server in your network.

Depending on your available network infrastructure, enable one of the available SA patching modes:

  • Offline Catalog - imports the wsusscn2.cab file from the SA Client or from the populate-opsware-update-library script. The wsusscn2.file contains only security updates. HPE can provide missing non-security updates via HPELN.
  • WSUS - connects to a WSUS server to retrieve Microsoft patches from a custom Windows patching repository. Unlike the Offline Catalog mode, WSUS patching requires access only to the WSUS server on your network from where it can retrieve both security and non-security updates.

The populate-opsware-update-library script

The populate-opsware-update-library script automates the download of the Microsoft's offline catalog of patches and the import of these patches into SA. The populate-opsware-update-library downloads the wsusscn2.cab file and imports its contents (hotfixes, service packs, and update rollups) into SA.

The populate-opsware-update-library script is specific to Microsoft Offline Catalog patching and does not run in WSUS patching mode.

For more information about running the script and the available options, see Download the Microsoft Offline patch catalog from the command line

Policies and exceptions for Windows server patches

SA provides a recommended patch policy for Windows Servers. You can also define additional custom patch policies in the same way as described in Application Deployment in the SA 10.51 Developer section.

Remediate and ad-hoc install/uninstall

You can remediate Windows Server patch policies and perform ad-hoc Windows Server patch installations and uninstallations. Windows Server patches can be remediated in software policies and ad-hoc installations using install/uninstall software. However, software compliance does not account for applicability.

Patch compliance

You can perform patch compliance scans on Windows Server servers to determine compliance relative to attached policies and exceptions. Patch compliance is based on patch applicability on the selected server(s).

The Compliance view in the SA Client displays compliance details for Windows Server servers.

Known limitations

  • The Install/Uninstall Patch window typically allows you to specify install/uninstall flags when a patch is selected for installation/uninstallation. The patch must be in an .EXE file format. Microsoft delivers Windows Server patches in both .EXE and .CAB format. In SA, if a patch is in .CAB file format, you cannot specify install/uninstall flags in the Patch, Install Patch, and/or Uninstall Patch windows because command-line arguments are not supported for .CAB format patches.
  • If you add install or uninstall flags using the Windows patch browser, any flags that SA would otherwise have used are overwritten.

    Therefore, if you must use additional flags in a Windows patch browser, you must specify the -q flag with your additional flags. For example, if you want to log the install/uninstall process and do not want to override the default flags, specify the following:

    /log:c:\mylog.txt /q /z

Note
Overriding the -q flag (if the patch supports -q) will cause the patch installation to fail. This type of installation can take as long as one hour to time out.