
How to install and manage patches on Windows devices

Release Time
02/22/2018
Category
Patch Management

Open Endpoint Manager > Click 'Applications' > 'Patch Management'

  • The patch management area lets you install OS updates and patches for 3rd party applications on managed Windows devices.
     
  • You can also uninstall patches if you want to roll back to a previous version, or create procedures to auto-install patches.
     
  • All available patches are listed by default. You can filter patches by the company and device group.

Use the links below to jump to the task you need help with:

The Patch Management interface

  • Log in to ITarian
     
  • Click 'Applications' > 'Endpoint Manager'
     
  • Click 'Applications' > 'Patch Management':


 

The interface has two tabs:

  • Operating System - All OS updates available for your managed Windows devices.
     
    • Each patch has additional details such as classification, the Windows component to which the patch applies, severity, release date, installation status and links to knowledge base articles.
       
    • The interface lets you install or uninstall selected patches on multiple devices. You can also generate a report on overall patch status.
       
    • See Operating System patches for more details.
       
  • Third Party Applications - All patches that are available for 3rd party applications installed on your Windows endpoints.
     

View patches by company / device group

The tree structure on the left shows all enrolled organizations and device groups:


 

  • Type a company or group name in the search field to look for a specific entity
     
  • Click a company name to view patches for all device groups under it
     
  • Click '+' beside a company to view device groups under it
     
  • Click a device group to view patches for devices belonging to that group
     
  • Click 'Show all' to clear any selections and view all patches

Operating System patches

  • Click 'Applications' > 'Patch Management' > 'Operating System' tab
     
  • The 'Operating System' tab lets you deploy and manage OS updates on Windows devices.
     
  • Endpoint Manager checks Microsoft update servers for available patches and lists them here. You can deploy or uninstall patches as required.
     
  • Each patch is accompanied by various details, including patch classification/severity, the Windows component to which it applies, the release date, and the number of endpoints that require the patch.
     
  • You can hide patches if you do not want to deploy them. Hidden patches are not available for deployment in the 'Device Management' screen ('Devices' > 'Device List' > 'Device Management') and are not executed if added to a patch procedure.
     
  • You can create procedures to automatically deploy updates when they become available, and generate reports on the patch status of all devices.

View and Manage operating system patches

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or group to view updates for that entity's devices

      Or
       
    • Select 'Show all' to view every available Windows update



 

  • Title - The descriptive name of the patch.
     
    • Click the name to view patch details. See View Patch Details if you want more info on this.
       
  • KB - The knowledge base article that describes the patch.
     
    • Click the number to view the article.
       
  • Bulletin – The number of the Microsoft bulletin which contains details about the patch release.
     
    • Click the number to view the bulletin.
       
  • Classification - The category of the patch. The possible values are:

    • Update - Fixes a specific non-critical problem, but not a security-related bug.

    • Definition update - Contains updates to a product's definition database. For example, an update to the virus signature database for Windows Defender.

    • Critical Update - Fixes a critical OS problem, or a critical security-related bug.

    • Security update - Fixes a version-specific, security-related vulnerability.

    • Update rollup - Contains a collection of hotfixes, security updates and other updates packaged together for easy deployment. These updates generally target a specific Windows component.

    • Driver - Adds software for controlling peripherals or add-on devices that could be connected to the endpoint.

    • Feature pack - Adds new functionality distributed after an OS release.

    • Service pack - Contains a collection of hotfixes, security updates, critical updates, updates, and additional fixes.

    • Tool - Installs a utility or feature for a specific task or a set of tasks.

    • Upgrades - Updates the Windows OS version on the endpoint to the latest build.

  • Product - The Windows component to which the patch applies.
     
  • Severity - The criticality of the patch. The possible levels are:
     
    • Critical
       
    • Important
       
    • Low
       
    • Moderate
       
    • Unspecified
  • Reboot - Whether or not the endpoint requires a restart to complete the patch installation.
     
  • Not Installed - The number of managed endpoints on which the patch is yet to be installed.
     
  • Installed - The number of managed endpoints on which the patch has already been installed.
     
  • Release Date - The date on which the patch was released by Microsoft.

The OS patch interface lets you:

View details of a patch

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or a group to view the list of patches and Windows updates available for its devices

      Or
       
    • Select 'Show all' to view a list of all available patches and Windows updates
       
  • Click on the name of a patch to view its details.



 

Patch details are shown in six tabs:

  • General - Name and general description, version number, severity, release date and a link to the knowledge base (KB) article for the patch.
     
  • Vendor - The publisher of the patch, with a link to the patch support page.
     
  • Security Patch Info - Information on previous patches which are superseded by this patch
     
  • Bulletin – The bulletin is a short summary of the patch provided by the patch vendor.
     
  • CVE IDs - Shows the Common Vulnerabilities and Exposures (CVE) items which are addressed by the patch.
     
  • Device List – Shows all Windows endpoints for which the patch is appropriate, and informs you which devices have it installed and which do not. You can install the patch on target endpoints as required. See Install a patch on selected endpoints if you want help with this.

Hide / Restore patches

  • You can hide patches that you do not want to install at this point.
     
  • Hidden patches will not be available for deployment from the 'Device Management' screen, and are not installed by any patch procedures you create.
     
  • You can view hidden patches by enabling 'Show hidden patch(es)' in the filter menu.

Hide unwanted patches

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or a group to view the list of patches and Windows updates available for its devices

      Or
       
    • Select 'Show all' to view a list of all available patches and Windows updates
       
  • Select the patches you want to hide then click 'Hide Patch(es)'



 

View hidden patches and restore them

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or a group to view the list of patches and Windows updates available for its devices

      Or
       
    • Select 'Show all' to view a list of all available patches and Windows updates
       
  • Click the funnel icon on the right, select 'Show hidden patch(es)', then click 'Apply'



 

Hidden patches have a dark gray background.

  • Select the patches you want to reinstate then click 'Unhide Patch(es)'



 

The patches are reinstated to the list.

Install selected patches on all endpoints at once

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or a group to view the list of patches and Windows updates available for its devices

      Or
       
    • Select 'Show all' to view a list of all available patches and Windows updates
       
  • Select the patches you want to install then click 'Install Patch(es)'



 

  • Click 'OK' in the confirmation dialog

The command is sent to install the patches on all endpoints that need it.

Install a patch on selected endpoints

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or a group to view patches available for its devices

      Or
       
    • Select 'Show all' to view a list of all available patches and Windows updates
       
  • Click the number in the 'Not Installed' column of the patch you want to install.



 

The patch details screen opens at the 'Device List' tab. The screen shows all managed devices to which the patch is relevant. The 'Installed' column tells you whether the patch is installed on the device.

  • Select all devices which you want to patch
     
  • Click 'Install Patch'

The command is immediately sent to all target devices

Uninstall selected patches from all managed endpoints

You can remove unwanted patches and updates from managed devices. This is useful if you want to roll back to a previous version of the Windows component or the OS itself.

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or a group to view patches available for its devices

      Or
       
    • Select 'Show all' to view a list of all available patches and Windows updates
       
  • Select the patches you want to remove then click 'Uninstall Patch(es)'



 

  • Click 'OK' in the confirmation dialog
  • The uninstall command is immediately sent to target devices.

Create a new patch procedure

Patch procedures let you set up a regular patching schedule for your devices. You first create the procedure then add it to a profile that is active on your devices.

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
  • Click the 'Create Patch Procedure' button:



 

  • Create a name and specify the folder in which you want to save the procedure.
     
  • Select the categories of OS patches you want to install and configure endpoint restart options.
     
  • See this wiki page for help to create an OS patch procedure.  

Generate a patch status report

  • Click 'Applications' > 'Patch Management'

  • Select the 'Operating System' tab
     
  • Click the 'Export' button:



 

  • The CSV file is available in 'Dashboard' > 'Reports'
     
  • See this wiki page if you need help to download the report.
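
One way to turn the exported report into a deployment order, added here as an example and not part of the ITarian documentation. It assumes the CSV header names match the column names of the 'Operating System' tab and that dates use YYYY-MM-DD; the sample rows and KB numbers are constructed.

```python
import csv
import io
from datetime import date, datetime

# Severity levels from the 'Severity' column description, most urgent first.
SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3, "unspecified": 4}
# Classifications whose descriptions on this page mention security fixes.
SECURITY_CLASSES = {"critical update", "security update", "update rollup", "service pack"}

# Constructed sample export. Header names are ASSUMED to mirror the column
# names of the 'Operating System' tab; adjust them to the real CSV.
SAMPLE_CSV = """Title,KB,Classification,Product,Severity,Reboot,Not Installed,Installed,Release Date
Constructed security update A,KB0000001,Security update,Windows 10,Important,Yes,12,88,2018-01-09
Constructed definition update,KB0000002,Definition update,Windows Defender,Unspecified,No,40,60,2018-02-20
Constructed security update B,KB0000003,Security update,Windows 10,Critical,Yes,3,97,2018-02-13
Constructed critical update,KB0000004,Critical Update,Windows Server 2016,Critical,No,3,7,2018-01-03
Constructed security update C,KB0000005,Security update,Windows 7,Critical,Yes,0,50,2018-02-13
Constructed rollup,KB0000006,Update rollup,Windows 7,,No,5,45,2018-01-17
"""


def triage(csv_text, today):
    """Return outstanding security-relevant patches, most urgent first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        if rec["Classification"].strip().lower() not in SECURITY_CLASSES:
            continue
        missing = int(rec["Not Installed"] or 0)
        installed = int(rec["Installed"] or 0)
        if missing == 0:
            continue  # already deployed on every endpoint that needs it
        released = datetime.strptime(rec["Release Date"], "%Y-%m-%d").date()
        # An empty severity is kept as 'unspecified' rather than dropped,
        # so unrated rollups still appear at the end of the queue.
        severity = rec["Severity"].strip().lower() or "unspecified"
        rows.append({
            "kb": rec["KB"],
            "title": rec["Title"],
            "severity": severity,
            "missing": missing,
            "coverage": round(100 * installed / (installed + missing), 1),
            "age_days": (today - released).days,
            "reboot": rec["Reboot"].strip().lower() == "yes",
        })
    # Order: severity, then most unpatched endpoints, then longest exposure.
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 4),
                             -r["missing"], -r["age_days"]))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_CSV, date.today()):
        flag = "reboot" if r["reboot"] else "no reboot"
        print(f'{r["kb"]}  {r["severity"]:<11} missing={r["missing"]:<3} '
              f'coverage={r["coverage"]}%  age={r["age_days"]}d  {flag}')
```

Patches that need a restart are flagged so they can be grouped into the same maintenance window when building a patch procedure.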

Third party application patches

  • Click 'Applications' > 'Patch Management' > 'Third Party Applications'.
     
  • This area lets you apply patches and updates to 3rd party applications on Windows devices.
     
  • The interface lists all available patches and details such as patch category, vendor name, and the number of devices that require the patch.
     
  • You can filter patches by the company and device group.
     
  • You can hide applications that you do not want to update.
     
    • Hidden applications are also not available for update from the 'Device Management' screen ('Devices' > 'Device List' > 'Device Management'). They are also skipped if named in a patch procedure.
       
    • Click 'Show hidden patch(es)' to view hidden items.
       
  • You can also create a procedure to automatically deploy patches for 3rd party applications.

View and manage third party application patches

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
    • Select a company or a group to view patches for just that entity’s devices

      Or
       
    • Select 'Show all' to view all available patches and updates



 

Each row shows the name of the software that needs updates. It also shows you how many devices have the software installed and how many of those require the update.

  • You can apply updates to all devices or to individual devices:
     
    • Patch All - Use the check-boxes on the left to choose the software you want to patch. Click 'Install Patches' to apply the update to all devices which require patching.
       
    • Patch Individual - Click the number in the 'Upgradable Devices' column > Select the devices you want to update > Click 'Install Patches'

Details:

  • Name - The target application
     
  • Vendor - The software publisher.
     
  • Category - The type of application.
  • Installed Devices - Total number of devices on which the application is installed. This figure includes devices with patched and unpatched versions of the software.
     
  • Upgradable Devices - Number of devices that need updates because they are using an older version of the software.

The 'Patch Management' > 'Third Party Applications' interface lets you:

View details of an application

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
    • Select a company or a group to view updates for that entity’s devices

      Or
       
    • Select 'Show all' to view a list of all available patches and updates
       
  • Click the name of any application to open its details screen:



 

  • Application info - The name, software publisher and the category of the application.
     
  • Device List - The list of devices on which the application is installed. You can update the application on specific devices from this screen.

Hide / Restore Applications

  • You can hide those applications that you do not want to update
     
  • Hidden applications will also disappear from the 'Device Management' screen and are skipped by any patch procedures you create.
     
  • You can reveal hidden applications by using the 'Show hidden patches' switch

Hide upgradable applications

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
    • Select a company or a group to view updates for that entity’s devices

      Or
       
    • Select 'Show all' to view a list of all available patches and updates
       
  • Select the applications you want to hide then click 'Hide Patch(es)'



 

Restore hidden applications

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
    • Select a company or a group to view updates for that entity’s devices

      Or
       
    • Select 'Show all' to view a list of all available patches and updates
       
  • Click the funnel icon on the right, select 'Show hidden patch(es)' then click 'Apply'
     


 

Hidden applications have a dark gray background.

  • Select the hidden app(s) from the list and click 'Unhide Patch(es)'
     


 

Update selected applications on all devices

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
    • Select a company or a group to view updates for that entity’s devices

      Or
       
    • Select 'Show all' to view a list of all available patches and updates
       
  • Select the applications you want to update, click 'Install Patch(es)' > 'Update to Latest Version'



 

A command is sent to the communication client (CC) on devices to start the update.

  • Once the command is received, CC checks whether the update has already been downloaded by other devices in the network.
     
  • If the update is available, CC establishes a peer-to-peer connection with the device and downloads the patch. This reduces bandwidth as the update is downloaded from the local network.
     
  • If the update is not available on any devices in the local network, CC downloads the update from the EM patch portal.

Update an application on selected devices

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
    • Select a company or a group to view updates for that entity’s devices

      Or
       
    • Select 'Show all' to view a list of all available patches and updates
       
  • Click the number in the 'Upgradable Devices' column:



 

The application details screen shows all devices which require the update.

  • Select your target devices
     
  • Click 'Install patch(es)' > 'Update to Latest Version'

A command is sent to the communication client (CC) on devices to start the update.

  • Once the command is received, CC checks whether the update has already been downloaded by other devices in the network.
     
  • If the update is available, CC establishes a peer-to-peer connection with the device and downloads the patch. This reduces bandwidth as the update is downloaded from the local network.
     
  • If the update is not available on any devices in the local network, CC downloads the update from the EM patch portal.

Create a new 3rd party application patch procedure

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
  • Click 'Create Patch Procedure':



 

  • The 'Create 3rd Party Patch Procedure' wizard starts.
     
  • Create a name for the procedure, select a save-folder, select the applications you want to update, and configure endpoint restart options.
     
  • See this wiki page for help to create and configure a third-party patch procedure.