
How to install and manage patches on Windows devices

Open Endpoint Manager > Click 'Applications' > 'Patch Management'

  • The patch management area lets you install OS updates and patches for 3rd party applications on managed Windows devices.
     
  • You can also uninstall patches if you want to roll back to a previous version, or create procedures to auto-install patches.
     
  • All available patches are listed by default. You can filter patches by the company and device group.

Use the links below to jump to the task you need help with:

The Patch Management interface

  • Login to ITarian
     
  • Click 'Applications' > 'Endpoint Manager'
     
  • Click 'Applications' > 'Patch Management':


The interface has two tabs:

  • Operating System - All OS updates available for your managed Windows devices.
     
    • Each patch has additional details such as classification, the Windows component to which the patch applies, severity, release date, installation status and links to knowledge base articles.
       
    • The interface lets you install or uninstall selected patches on multiple devices. You can also generate a report on overall patch status.
       
    • See Operating System patches for more details.
       
  • Third Party Applications - All patches that are available for 3rd party applications installed on your Windows endpoints.
     

View patches by company / device group

The tree structure on the left shows all enrolled organizations and device groups:


 

  • Type a company or group name in the search field to look for a specific entity
     
  • Click a company name to view patches for all device groups under it
     
  • Click '+' beside a company to view device groups under it
     
  • Click a device group to view patches for devices belonging to that group
     
  • Click 'Show all' to clear any selections and view all patches

Operating System patches

  • Click 'Applications' > 'Patch Management' > 'Operating System' tab
     
  • The 'Operating System' tab lets you deploy and manage OS updates on Windows devices.
     
  • Endpoint Manager checks Microsoft update servers for available patches and lists them here. You can deploy or uninstall patches as required.
     
  • Each patch is accompanied by various details, including patch classification/severity, the Windows component to which it applies, the release date, and the number of endpoints which require the patch.
     
  • Each patch must be approved before deployment. Unapproved or declined patches cannot be deployed to endpoints, either manually or automatically through scheduled procedures.
     
  • You can hide patches if you do not want to deploy them. Hidden patches are not available for deployment in the 'Device Management' screen ('Devices' > 'Device List' > 'Device Management') and are not executed if added to a patch procedure.
     
  • You can create procedures to automatically deploy updates when they become available, and generate reports on the patch status of all devices.

View and Manage operating system patches

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or group to view updates for that entity's devices

      Or
       
    • Select 'Show all' to view every available Windows update


 

  • Title - The descriptive name of the patch.
     
    • Click the name to view patch details. See View Patch Details if you want more info on this.
       
  • KB - The knowledgebase article that describes the patch.
     
    • Click the number to view the article.
       
  • Bulletin – The number of the Microsoft security bulletin which contains details about the patch release. Microsoft discontinued numbered security bulletins in 2017 in favour of the Security Update Guide, so only older patches carry a bulletin number.
     
    • Click the number to view the bulletin.
       
  • Classification - The category of the patch. The possible values are:

                      Update - Fixes a specific non-critical problem, but not a security-related bug.

                      Definition update - Contains updates to a product's definition database. For example, an update to the virus signature database for Windows Defender.

                      Critical Update - Fixes a critical OS problem, or a critical security-related bug

                      Security update - Fixes a version-specific, security-related vulnerability

                      Update rollup - Contains a collection of hotfixes, security updates and other updates packaged together for easy deployment. These rollups generally target a specific Windows component.

                      Driver - Adds software for controlling peripherals or add-on devices that could be connected to the endpoint

                      Feature pack - Adds new functionality distributed after an OS release.

                      Service pack - Contains a collection of hotfixes, security updates, critical updates, updates, and additional fixes.

                      Tool - Installs a utility or feature for a specific task or a set of tasks.

                      Upgrades - Updates the Windows OS version on the endpoint to the latest build.

  • Product - The Windows component to which the patch applies.
     
  • Severity - The criticality of the patch. The possible levels are:
     
    • Critical
       
    • Important
       
    • Low
       
    • Moderate
       
    • Unspecified
       
  • Status - Whether the patch is approved for deployment through EM. The possible values are 'Auto-Approved', 'Waiting for Approval', 'Approved' and 'Declined'.
     
    • If 'Auto Approve' is enabled, every newly identified patch is set to 'Auto-Approved'. Otherwise, new patches wait for an admin to approve or decline them. See 'Approve / decline patches' for more details.
     
  • Reboot - Whether or not the endpoint requires a restart to complete the patch installation.
     
  • Not Installed - The number of managed endpoints on which the patch is yet to be installed.
     
  • Installed - The number of managed endpoints on which the patch has already been installed.
     
  • Release Date - The date on which the patch was released by Microsoft.

The OS patch interface lets you:

View details of a patch

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or a group to view the list of patches and Windows updates available for its devices

      Or
       
    • Select 'Show all' to view a list of all available patches and Windows updates
       
  • Click on the name of a patch to view its details.


Patch details are shown in six tabs:

  • General - Name and general description, version number, severity, release date and a link to the knowledge base (KB) article for the patch.
     
  • Vendor - The publisher of the patch, with a link to the patch support page.
     
  • Supersedes - Information on previous patches which are superseded by this patch
     
  • Bulletin – The bulletin is a short summary of the patch provided by the patch vendor.
     
  • CVE IDs - Shows the Common Vulnerabilities and Exposures (CVE) entries which are addressed by the patch.
     
  • Device List – Shows all Windows endpoints for which the patch is appropriate, and informs you which devices have it installed and which do not. You can install the patch on target endpoints as required. See Install a patch on selected endpoints if you want help with this.

Approve / decline patches

Each patch added to the patch management interface needs to be approved for deployment to endpoints through EM.

Declined patches cannot be installed manually (both from the 'Patch Management' interface and the 'Device Management' screen), or automatically through any patch procedures you create.

There are two ways of approving patches:

Set auto-approval for OS patches

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
  • Use the 'Auto Approve' switch on the right to enable or disable auto-approval
     
    • Enabled – New patches are set to the 'Auto-Approved' state as soon as they appear and can be installed on devices. You can still manually decline any auto-approved patch. Note that auto-approval covers every classification in the list above, including drivers and OS upgrades, so review the list regularly if you enable it.
       
    • Disabled – New patches are set to the 'Waiting for Approval' state. You can manually approve or decline each patch. A patch cannot be deployed until it is approved.

Manually approve or decline a patch

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or a group to view the list of patches and Windows updates available for its devices

        Or
       
    • Select 'Show all' to view a list of all available patches and Windows updates

Approve

  • Select the patches you want to approve, in 'Waiting for Approval' or 'Declined' states
     
  • Click 'Approve' from the options on the top or click 'More' and choose 'Approve'

The patches are set to 'Approved' state. These can be deployed manually or through a scheduled procedure.

Decline

  • Select the patches you do not want installed (in the 'Waiting for Approval', 'Approved' or 'Auto-Approved' state)
     
  • Click 'Decline' from the options on the top or click 'More' and choose 'Decline'

The patches are set to 'Declined' state. These cannot be deployed manually or through a scheduled procedure.

Hide / Restore patches

  • You can hide patches that you do not want to install at this point.
     
  • Hidden patches will not be available for deployment from the 'Device Management' screen, and are not installed by any patch procedures you create.
     
  • You can view hidden patches by enabling 'Show hidden patch(es)' in the filter menu.

Hide unwanted patches

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or a group to view the list of patches and Windows updates available for its devices

      Or
       
    • Select 'Show all' to view a list of all available patches and Windows updates
       
  • Select the patches you want to hide then click 'Hide Patch(es)'


View hidden patches and restore them

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or a group to view the list of patches and Windows updates available for its devices

      Or
       
    • Select 'Show all' to view a list of all available patches and Windows updates
       
  • Click the funnel icon on the right, select 'Show hidden patch(es)', then click 'Apply'


Hidden patches have a dark gray background.

  • Select the patches you want to reinstate then click 'Unhide Patch(es)'
     


The patches are reinstated to the list.

Install selected patches on all endpoints at once

Note - Make sure patch management is allowed in the profile active on the devices. See this wiki for more details. 

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or a group to view the list of patches and Windows updates available for its devices

      Or
       
    • Select 'Show all' to view a list of all available patches and Windows updates
       
  • Select the patches you want to install then click 'Install Patch(es)'
     
    • Reminder – You can install only approved patches.


 

  • Click 'OK' in the confirmation dialog

The install command is sent to every endpoint that still needs the selected patches.

Install a patch on selected endpoints

Note - Make sure patch management is allowed in the profile active on the devices. See this wiki for more details. 

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or a group to view patches available for its devices

      Or
       
    • Select 'Show all' to view a list of all available patches and Windows updates
       
  • Click the number in the 'Not Installed' column of the patch you want to install.
     
    • Reminder – You can install only approved patches.


The patch details screen opens at the 'Device List' tab. The screen shows all managed devices to which the patch is relevant. The 'Installed' column tells you whether the patch is installed on the device.

  • Select all devices which you want to patch
     
  • Click 'Install Patch'

The install command is immediately sent to all target devices.
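
The interface reports that the command was sent, not that the update landed. The script below is an added example (it is not Endpoint Manager or Communication Client code) that you run on the endpoint itself to confirm the KB numbers from the 'KB' column are actually installed and to check whether the device still owes the restart flagged in the 'Reboot' column. The KB list is supplied by you; nothing in the script is tied to a specific patch.

```powershell
# Added example, not Endpoint Manager or Communication Client code.
# Run on the endpoint after EM reports the install command sent. Supply the KB numbers
# shown in the 'KB' column, for example:  .\Confirm-Patch.ps1 -ExpectedKBs (Get-Content .\kbs.txt)
# where kbs.txt is a file you create with one KB number per line.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$ExpectedKBs
)

# Get-HotFix returns the updates recorded by the Windows servicing stack (Win32_QuickFixEngineering).
# It does not list Windows Defender definition updates or third-party application patches.
$installedKBs = Get-HotFix | Select-Object -ExpandProperty HotFixID

$results = foreach ($kb in $ExpectedKBs) {
    # Accept 'nnnnnnn' or 'KBnnnnnnn'; HotFixID is always in the 'KBnnnnnnn' form.
    $id = if ($kb -match '^KB') { $kb.ToUpper() } else { "KB$kb" }
    [pscustomobject]@{
        KB        = $id
        Installed = [bool]($installedKBs -contains $id)   # -contains is case-insensitive
    }
}

# Registry markers Windows sets when an update needs a restart to complete.
# This is the condition the 'Reboot' column in EM is warning about.
$rebootMarkers = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$rebootPending = [bool]($rebootMarkers | Where-Object { Test-Path $_ })

$results | Format-Table -AutoSize
"Reboot pending: $rebootPending"

$missing = @($results | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("Not installed: " + ($missing.KB -join ', '))
    exit 1    # non-zero exit so the script can act as a pass/fail check inside a procedure
}
exit 0
```

A patch that shows as installed but with the reboot markers present has not fully taken effect yet; treat the device as unpatched until it restarts. Get-HotFix does not require elevation, so the check can run under a standard account.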

Uninstall selected patches from all managed endpoints

You can remove unwanted patches and updates from managed devices. This is useful if you want to roll back to a previous version of a Windows component or of the OS itself. Keep in mind that uninstalling a security update re-exposes the vulnerabilities listed on its 'CVE IDs' tab, so plan to reinstall it once the problem that prompted the rollback is resolved.

Note - Make sure patch management is allowed in the profile active on the devices. See this wiki for more details. 

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
    • Select a company or a group to view patches available for its devices

      Or
       
    • Select 'Show all' to view a list of all available patches and Windows updates
       
  • Select the patches you want to remove then click 'Uninstall Patch(es)'


 

  • Click 'OK' in the confirmation dialog
     
  • The uninstall command is immediately sent to target devices.

Create a new patch procedure

Patch procedures let you set up a regular patching schedule for your devices. You first create the procedure then add it to a profile that is active on your devices.

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Operating System' tab
     
  • Click the 'Create Patch Procedure' button:


 

  • Create a name and specify the folder in which you want to save the procedure.
     
  • Select the categories of OS patches you want to install and configure endpoint restart options.
     
  • See this wiki page for help to create an OS patch procedure.  

Generate a patch status report

Click 'Applications' > 'Patch Management'

  • Select the 'Operating System' tab
     
  • Click the 'Export' button:


 

  • The CSV file is available in 'Dashboard' > 'Reports'
     
  • See this wiki page if you need help to download the report.
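
The export is the raw list; the triage questions a practitioner actually asks are "which security patches are still missing somewhere?", "which are stuck in the approval workflow?" and "how far along is the fleet?". The script below is an added example, not an Endpoint Manager feature, that answers those from the downloaded CSV. It assumes the export uses the same column headers as the 'Operating System' tab (Title, KB, Classification, Severity, Status, Not Installed, Installed); that mapping is an assumption, held in the $col table so it can be corrected in one place, and the script refuses to run if a column is absent rather than silently reporting zeros.

```powershell
# Added example, not an Endpoint Manager feature. Triages the patch status CSV exported
# from 'Patch Management' > 'Operating System' > 'Export' and downloaded from 'Dashboard' > 'Reports'.
# ASSUMPTION: the export's column headers match the interface columns named in $col below.
param(
    [Parameter(Mandatory = $true)]
    [string]$ReportPath
)

$col = @{
    Title = 'Title'; KB = 'KB'; Class = 'Classification'; Severity = 'Severity'
    Status = 'Status'; Missing = 'Not Installed'; Installed = 'Installed'
}

$rows = @(Import-Csv -Path $ReportPath)
if ($rows.Count -eq 0) { throw "No rows found in $ReportPath" }

# Fail loudly if the export does not carry the expected headers.
$headers = $rows[0].PSObject.Properties.Name
$absent  = @($col.Values | Where-Object { $headers -notcontains $_ })
if ($absent.Count -gt 0) { throw "Expected column(s) missing from the export: $($absent -join ', ')" }

# Normalise rows; counts may be quoted as text in the CSV, so cast them.
$patches = foreach ($r in $rows) {
    [pscustomobject]@{
        Title          = $r.($col.Title)
        KB             = $r.($col.KB)
        Classification = $r.($col.Class)
        Severity       = $r.($col.Severity)
        Status         = $r.($col.Status)
        NotInstalled   = [int]$r.($col.Missing)
        Installed      = [int]$r.($col.Installed)
    }
}

# 1. Security-relevant patches still missing on at least one device, worst severity first.
$severityRank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3; Unspecified = 4 }
$exposure = @($patches |
    Where-Object { $_.Classification -in 'Security update', 'Critical Update' -and $_.NotInstalled -gt 0 } |
    Sort-Object @{ Expression = { if ($severityRank.ContainsKey($_.Severity)) { $severityRank[$_.Severity] } else { 9 } } },
                @{ Expression = 'NotInstalled'; Descending = $true })

# 2. Security updates the approval workflow is holding back; these never deploy until approved.
$blocked = @($patches |
    Where-Object { $_.Classification -eq 'Security update' -and $_.Status -in 'Waiting for Approval', 'Declined' })

# 3. Fleet coverage for security updates, counted as device/patch pairs.
$sec       = @($patches | Where-Object { $_.Classification -eq 'Security update' })
$done      = [int]($sec | Measure-Object NotInstalled -Sum).Sum * 0 + [int]($sec | Measure-Object Installed -Sum).Sum
$total     = $done + [int]($sec | Measure-Object NotInstalled -Sum).Sum
$coverage  = if ($total -gt 0) { [math]::Round(100 * $done / $total, 1) } else { 0 }

"Security/critical patches missing on at least one device: $($exposure.Count)"
$exposure | Format-Table KB, Severity, NotInstalled, Status, Title -AutoSize
"Security updates waiting for approval or declined: $($blocked.Count)"
$blocked | Format-Table KB, Severity, Status, Title -AutoSize
"Security update coverage: $coverage% of $total device/patch pairs installed"
```

The second list is the one most often overlooked: with 'Auto Approve' disabled, a security update sitting in 'Waiting for Approval' looks like a backlog item in the report but will never reach a device until someone approves it.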

Third party application patches

Click 'Applications' > 'Patch Management' > 'Third Party Applications'

  • The communication client on each endpoint analyzes all 3rd party applications installed on the endpoint.

  • Scanned locations include 'C:\Program Files\' and each user's 'C:\Users\{user}\AppData\' folder, so applications installed per-user or outside their default location are also covered.

  • The client reports the applications and their patch status to Endpoint Manager.
     
  • The 'Third Party Applications' tab lists all patches and updates available for your managed Windows devices and lets you apply them.
     
  • The interface also shows details such as patch category, vendor name, and the number of devices which require the patch.
     
  • You can filter patches by company and device group.
     
  • Each patch must be approved before deployment. Unapproved or declined patches cannot be deployed to endpoints, either manually or automatically through scheduled procedures.
     
  • You can hide applications that you do not want to update.
     
    • Hidden applications are also not available for update from the 'Device Management' screen ('Devices' > 'Device List' > 'Device Management'). They are also skipped if named in a patch procedure.
       
    • Click the funnel icon on the right and enable 'Show hidden patch(es)' to view hidden items.
       
  • You can also create a procedure to automatically deploy patches for 3rd party applications.
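
To sanity-check what the client reports, it helps to build the same kind of inventory locally. The script below is an added example, not the Communication Client's own scanner: it reads the per-machine and per-user Uninstall hives in the registry and flags applications installed under a user's AppData folder, the non-default location the client is described as covering. Anything present here but absent from the 'Third Party Applications' tab is software the patch process is not seeing.

```powershell
# Added example, not the Communication Client's own scanner.
# Lists installed applications from the per-machine and per-user Uninstall hives and flags
# entries installed under a user's AppData folder. Compare the result with the EM inventory.
$uninstallHives = @(
    @{ Scope = 'Machine'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' },
    @{ Scope = 'Machine'; Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' },  # 32-bit apps on 64-bit Windows
    @{ Scope = 'User';    Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' }               # current user's per-user installs
)

$apps = foreach ($hive in $uninstallHives) {
    Get-ItemProperty -Path $hive.Path -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.SystemComponent -ne 1 } |   # skip hidden system components
        ForEach-Object {
            # InstallLocation is optional; fall back to the uninstall command, which usually names the folder.
            $location = if ($_.InstallLocation) { $_.InstallLocation } else { $_.UninstallString }
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Scope     = $hive.Scope
                Location  = $location
                InAppData = [bool]($location -and $location -match '\\AppData\\')
            }
        }
}

$apps | Sort-Object Name | Format-Table Name, Version, Publisher, Scope, InAppData -AutoSize

# Keep a CSV so later runs can be diffed against the EM inventory.
$apps | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'installed-apps.csv')
```

HKCU only reflects the account running the script. Per-user installs belonging to other profiles live in their own NTUSER.DAT hives, so to reproduce the client's coverage of every 'C:\Users\{user}\AppData\' folder you either run the script under each account or load those hives with reg load before querying them.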

View and manage third party application patches 

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
    • Select a company or a group to view patches for just that entity’s devices

      Or
       
    • Select 'Show all' to view all available patches and updates
       


 

Each row shows the name of the software that needs updates. It also shows you how many devices have the software installed and how many of those require the update.

  • Name - The target application
     
  • Vendor - The software publisher.
     
  • Category - The type of application.
     
  • Status - Whether the patch / update is approved for deployment through EM. The possible values are 'Auto-Approved', 'Waiting for Approval', 'Approved' and 'Declined'.
     
    • If 'Auto Approve' is enabled, every new patch is set to 'Auto-Approved' when it is added. Otherwise, new patches wait for an admin to approve or decline them. See 'Approve / decline application updates' for more details.
     
  • Installed Devices - Total number of devices on which the application is installed. This figure includes devices with patched and unpatched versions of the software.
     
  • Upgradable Devices - Number of devices that need updates because they are using an older version of the software.

The 'Patch Management' > 'Third Party Applications' interface lets you:

View details of an application

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
    • Select a company or a group to view updates for that entity’s devices

      Or
       
    • Select 'Show all' to view a list of all available patches and updates
       
  • Click the name of any application to open its details screen:


 

  • Application info - The name, software publisher and the category of the application.
     
  • Device List - The list of devices on which the application is installed. You can update the application on specific devices from this screen.

Approve / decline application updates

Each patch or application update added to the patch management interface needs to be approved for deployment to endpoints through EM.

Declined applications cannot be updated manually (both from the 'Patch Management' interface and the 'Device Management' screen), or automatically through any patch procedures you create.

There are two ways of approving patches/updates:

Set auto-approval for third party application updates

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
  • Use the 'Auto Approve' switch on the right to enable or disable auto-approval
     
    • Enabled - New application updates are set to the 'Auto-Approved' state as soon as they appear and can be pushed to devices. You can still manually decline any auto-approved update.
       
    • Disabled - New application updates are set to the 'Waiting for Approval' state. You can manually approve or decline each update. An update cannot be deployed until it is approved.

Manually approve or decline an application update

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
    • Select a company or a group to view updates for that entity’s devices

      Or
       
    • Select 'Show all' to view a list of all available patches and updates

Approve

  • Select the applications you want to approve, in 'Waiting for Approval' or 'Declined' states
     
  • Click 'Approve' from the options on the top or click 'More' and choose 'Approve'

The applications are set to 'Approved' state. These can be updated manually or through a scheduled procedure.

Decline

  • Select the applications you do not want updated (in the 'Waiting for Approval', 'Approved' or 'Auto-Approved' state)
     
  • Click 'Decline' from the options on the top or click 'More' and choose 'Decline'

The applications are set to 'Declined' state. These cannot be updated manually or through a scheduled procedure.

Hide / Restore Applications

  • You can hide those applications that you do not want to update
     
  • Hidden applications will also disappear from the 'Device Management' screen and are skipped by any patch procedures you create.
     
  • You can reveal hidden applications by enabling 'Show hidden patch(es)' in the filter menu

Hide upgradable applications

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
    • Select a company or a group to view updates for that entity’s devices

      Or
       
    • Select 'Show all' to view a list of all available patches and updates
       
  • Select the applications you want to hide then click 'Hide Patch(es)'


 

Restore hidden applications

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
    • Select a company or a group to view updates for that entity’s devices

      Or
       
    • Select 'Show all' to view a list of all available patches and updates
       
  • Click the funnel icon on the right, select 'Show hidden patch(es)' then click 'Apply'


Hidden applications have a dark gray background.

  • Select the hidden app(s) from the list and click 'Unhide Patch(es)'
     


 

Update selected applications on all devices

Note - Make sure third party application patch management is allowed in the profile active on the devices. See this wiki for more details.

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
    • Select a company or a group to view updates for that entity’s devices

      Or
       
    • Select 'Show all' to view a list of all available patches and updates
       
  • Make sure that the application you want to update is approved
     
  • Select the applications you want to update, click 'Install Patch(es)' > 'Update to Latest Version'


A command is sent to the communication client (CC) on devices to start the update.

  • Once the command is received, CC checks whether the update has already been downloaded by other devices in the network.
     
  • If the update is available, CC establishes a peer-to-peer connection with that device and downloads the patch from it. This conserves internet bandwidth because the update travels over the local network.
     
  • If the update is not available on any devices in the local network, CC downloads the update from the EM patch portal.

Update an application on selected devices

Note - Make sure third party application patch management is allowed in the profile active on the devices. See this wiki for more details.

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
    • Select a company or a group to view updates for that entity’s devices

      Or
       
    • Select 'Show all' to view a list of all available patches and updates
       
  • Make sure that the application you want to update is approved
     
  • Click the number in the 'Upgradable Devices' column:


 

The application details screen shows all devices which require the update.

  • Select your target devices
     
  • Click 'Install patch(es)' > 'Update to Latest Version'

A command is sent to the communication client (CC) on devices to start the update.

  • Once the command is received, CC checks whether the update has already been downloaded by other devices in the network.
     
  • If the update is available, CC establishes a peer-to-peer connection with that device and downloads the patch from it. This conserves internet bandwidth because the update travels over the local network.
     
  • If the update is not available on any devices in the local network, CC downloads the update from the EM patch portal.

Create a new 3rd party application patch procedure

  • Click 'Applications' > 'Patch Management'
     
  • Select the 'Third Party Applications' tab
     
  • Click 'Create Patch Procedure':


 

  • The 'Create 3rd Party Patch Procedure' wizard starts.
     
  • Create a name for the procedure, select a save-folder, select the applications you want to update, and configure endpoint restart options.
     
  • See this wiki page for help to create and configure a third-party patch procedure. 

Further reading

How to add a patch schedule to a Windows profile 

How to configure and run procedures on managed devices