13.3 Patch Management

The Patch Management feature scans all client machines to determine their patch installation status. It can also deploy patches to client machines automatically, which improves system security, saves bandwidth (each patch is downloaded once by the server and then distributed to clients), and reduces the workload of network administrators.

Patch Scanning, Download, and Installation

The patch downloader runs on the server machine and automatically downloads and updates the patch detection file (wsusscan.cab). When a client is installed for the first time, it downloads the patch detection file from the server. The client's first patch scan normally runs about 30 minutes after the client starts.
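As an added example that is not part of this product's documentation or code, the following PowerShell script performs the same kind of offline detection scan on a single Windows client, using the Windows Update Agent (WUA) COM API against a locally stored scan cab. It assumes the cab is Microsoft's current offline scan file, wsusscn2.cab (the successor to the wsusscan.cab file named above), stored at an assumed path, and that the script runs in an elevated session. The fields it reports correspond to the Severity, Bulletin ID, Patch ID, Release Date and Name attributes shown in Patch Mode.

```powershell
# Added example, not product code: offline patch detection on one client
# with the WUA COM API and a locally held scan cab.
# Assumptions: the cab is wsusscn2.cab at $ScanFile; the session is elevated
# (AddScanPackageService needs administrator rights).
param(
    [string]$ScanFile = 'C:\Patches\wsusscn2.cab'   # assumed path
)

if (-not (Test-Path -Path $ScanFile)) {
    throw "Scan file not found: $ScanFile"
}

# Refuse a detection file that is not validly Microsoft-signed. A tampered cab
# could hide missing patches or report updates that do not exist.
$sig = Get-AuthenticodeSignature -FilePath $ScanFile
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Refusing scan file with signature status '$($sig.Status)'"
}

$session        = New-Object -ComObject Microsoft.Update.Session
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager

# Register the cab as an offline scan source. Flag 1 = usoNonVolatileService,
# the value used in Microsoft's documented WUA offline-scan sample.
$service = $serviceManager.AddScanPackageService('Offline Sync Service', $ScanFile, 1)

$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 3            # ssOthers: use the service registered above
$searcher.ServiceID       = $service.ServiceID

# IsInstalled=0 returns the applicable updates this machine is missing.
$result = $searcher.Search('IsInstalled=0')

# Map each update onto the attributes the console shows in Patch Mode.
# WUA leaves MsrcSeverity empty for updates without a rating; report those
# as Unknown, matching the console's severity levels.
$report = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Severity    = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unknown' }
        BulletinID  = @($u.SecurityBulletinIDs | ForEach-Object { $_ }) -join ','
        PatchID     = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        ReleaseDate = $u.LastDeploymentChangeTime
        Name        = $u.Title
        UpdateID    = $u.Identity.UpdateID
    }
}

$report | Sort-Object Severity | Format-Table -AutoSize

# Keep a per-machine record for the operator or a central collector.
$report | Export-Csv -Path "$env:COMPUTERNAME-missing-patches.csv" -NoTypeInformation
```

Run it from an elevated PowerShell prompt on the client. The search reads only the local cab and does not contact Windows Update, but the cab is several hundred megabytes and a full search can take several minutes. The signature check is the practitioner's safeguard: the detection file decides what the client believes it is missing, so it should come from a trusted source and be verified before use.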

If there are no special requirements for patch installation and all clients should automatically install patches, administrators can enable one or both of the following options when first starting the console:

  • Automatically install for newly discovered clients
  • Automatically install newly discovered patches

Note:

  • If these options are set after the client has already completed a patch scan, they will only apply to patches detected in future scans or to newly added clients.

Administrators can view patch installation status on client machines by selecting Asset Management → Patch Management in the console.

If the options above are not configured, administrators must set an automatic installation policy for patches and specify the target client machines. The client machines will then automatically download the patch installation files from the server and install them according to the policy.

Tip

  • When setting patch installation policies or assigning target computers, you can use CTRL and SHIFT to select multiple patches or machines simultaneously.

Control Functions

Administrators can issue patch scan commands directly from the console. In the list view, the Command button and the Scope button are located at the top-right corner. Clicking the Command button offers the actions Download Detection File, Refresh Patch Download Status, and Scan Entire Network for Patches.

The control functions are:

Download Detection File: The server immediately downloads the latest version of the patch detection file.
Refresh Patch Download Status: The server immediately downloads the patches that have a download policy set.
Scan Entire Network for Patches: All client machines are scanned for patches immediately.
Scan System Patches: To scan a single client immediately, right-click the client and select Scan System Patches. Only the selected client is scanned.
Select Computer Scope: Click the Scope button to view patch installation status for a specific computer group or a single client machine.

13.3.1 Patch Mode View

Patch Log Details

Viewing in Patch Mode allows administrators to see a complete list of patches scanned on client machines. Each patch record includes the following attributes:

The attributes are:

Severity: The severity level of the patch: Low, Moderate, Important, Critical, or Unknown.
Bulletin ID: Microsoft's security bulletin number for the patch. Microsoft retired security bulletins in 2017 in favour of the Security Update Guide, so patches released since then carry no Bulletin ID.
Patch ID: Unique identifier of the patch.
Release Date: The date the patch was released.
Name: Name of the patch, usually including the Patch ID.
Automatic Installation: Select the patch and right-click to set whether it should be installed automatically.
  • The auto-install icon indicates that automatic installation is enabled; an empty field means it is not set.
Forced Installation: Select the patch and right-click to set whether installation should be forced.
  • The force-install icon indicates that forced installation is enabled; an empty field means it is not set.
Download Status: The download status of the patch on the server: Not Downloaded, Downloading, or Downloaded. Hovering over a patch shows its download progress; 100% indicates completion.
  A patch is downloaded when any of the following conditions is met:
  1. The patch has an automatic installation policy set.
  2. The patch has a forced installation policy set.
  3. The patch is selected for installation on a specified client machine.
Not Installed Count: Number of client machines that require the patch but have not yet installed it. Selecting the patch in the list shows the installed and not-installed machines below.
Installed Count: Number of client machines that require the patch and have already installed it.
Total Machines: Total number of client machines that require the patch, i.e., the sum of the installed and not-installed counts.
Installation Success Rate: The success rate of patch installation, calculated as Installed Count ÷ Total Machines.
Details: Double-click a patch, or right-click it and select Details, to view additional information, including the download path, patch size, and description.

Patch Automatic Installation Policy

For newly released patches, you can configure whether they should be automatically installed. This is done in the console under Tools → Options → Server Settings → Patch Options by enabling "Automatically install newly discovered patches by default".

For patches discovered before this option was enabled, administrators must configure the automatic installation policy manually. Right-click the patch and choose Auto Install / Do Not Set.

  • Auto Install: The patch will be automatically installed on client machines that have an automatic installation policy enabled (in Computer Mode, select the target computer, right-click, and choose Auto Install).
  • Do Not Set: The patch will not have an automatic installation policy.

Patch Forced Installation Policy

Right-click the patch and select Force Install / Do Not Set.

  • If Force Install is selected, the patch is installed on all client machines, including those that come online after the setting is applied, regardless of any auto-install settings on the patch or on the computer. A computer-specific installation policy for that patch still takes precedence (see 13.3.3).
  • If Do Not Set is selected, the patch will not have a forced installation policy.

Patch Query

In Patch Mode, click the Query button at the top-right of the list view to search for specific patches. Query conditions include Severity, Bulletin ID, Patch ID, and Name.

Severity Levels: All, Unknown, Low, Moderate, Important, Critical.

Bulletin ID, Patch ID, Name: Supports wildcards and partial matches.

13.3.2 Computer Mode View

Computer Log Information

Viewing in Computer Mode allows you to see all client machines and their patch installation status. Computer information includes:

The attributes are:

Computer: The group and name of the client machine.
Network Address: The IP address of the computer.
Operating System: The operating system of the computer.
Last Scan Time: The last time the computer's patches were scanned.
Auto Install: Indicates whether patches are set for automatic installation on this computer.
  • The Auto Install icon means enabled; blank means not set.
Not Installed Count: Number of patches required but not yet installed on this computer. Selecting the computer displays the installed and not-installed patches in the patch list below.
Installed Count: Number of required patches that have already been installed on this computer.
Total Patches: Total number of patches required for this computer, i.e., the sum of installed and not-installed patches.

Computer Auto-Installation Policy

In Patch Management → Computer Mode, the client machine list and patch installation details are displayed. For newly added client machines, you can set whether patches are automatically installed. This can be configured in the console under Tools → Options → Server Settings → Patch Options → Set New Clients to Auto Install by Default.

If this option was not set previously, the administrator must configure it manually.

Manual Auto-Install Setting: Right-click the computer entry and select Auto Install / Do Not Set. Computers set to Auto Install will automatically install patches that have an auto-install policy (in Patch Mode, right-click a patch and select Auto Install). If Do Not Set is selected, the computer will not have an auto-install policy.

Assigning Patch Installation Policy to Specific Computers

Administrators can also assign installation policies for specific patches on individual computers. In the patch detail list for a selected computer, right-click a patch and choose Install / Do Not Install to apply the policy.

13.3.3 Viewing Patch Installation Policies for Computers

The following three policies can cause a patch to be installed on a computer:

  • Auto-Install Policy (requires both the patch auto-install policy and the computer auto-install policy)
  • Patch Force-Install Policy
  • Computer-Specific Patch Installation Policy

When multiple policies apply simultaneously, the priority is as follows:

Computer-Specific Patch Installation Policy > Patch Force-Install Policy > Auto-Install Policy

When a patch is selected in Patch Mode, the computer list below it shows, in its Install column, the installation policy currently active for that patch on each computer. Likewise, when a computer is selected in Computer Mode, the patch list below it shows the active policy for each patch on that computer.

The icons in the Install column mean:

Auto-Install icon: Patch Auto-Install Policy
Force-Install icon: Patch Force-Install Policy
Install icon: Computer-Specific Patch Installation Policy, Install
Not Install icon: Computer-Specific Patch Installation Policy, Do Not Install
(empty): No Installation Policy