ITarian Help

Find the desired product help

IT Endpoint Manager

IT Endpoint Manager

Endpoint Manager Administrator Guide 6.43

English

Print Help Download Help
Applications > Patch Management > Manage OS Patches On Windows Endpoints
  • Introduction To Endpoint Manager
    • Key Concepts
    • Best Practices
    • Quick Start
    • Sign Up For An ITarian Account
    • Login Into The Admin Console
  • The Admin Console
  • The Dashboard
  • Devices And Device Groups
    • Manage Device Groups
      • Create Device Groups
      • Edit A Device Group
      • Assign Configuration Profiles To A Device Group
      • Remove A Device Group
      • Run Procedures On Customer Groups
    • Manage Devices
      • Add New Devices
      • Manage Windows Devices
        • View And Edit Device Name
        • View Summary Information
        • View Hardware Information
        • View Network Information
        • View Maintenance Windows Associated With Device
        • View And Manage Profiles Associated With A Device
        • View And Manage Applications Installed On A Device
        • View The Files On A Device
        • View Exported Configurations And Import Profiles
        • View MSI Files Installed On A Device Through Endpoint Manager
        • View And Manage Patches For Windows And 3rd Party Applications
        • View Antivirus Scan History
        • View And Manage Device Group Memberships
        • View Device Logs
      • Manage Mac OS Devices
        • View And Edit Mac OS Device Name
        • Summary Information Of Mac Device
        • View Installed Applications
        • View Quarantined Files
        • View And Manage Profiles Associated With A Device
        • View Mac OS Packages Installed On A Device Through Endpoint Manager
        • View And Manage Device Group Memberships
        • View Mac Device Logs
      • Manage Linux Devices
        • View And Edit Linux Device Name
        • Summary Information Of Linux Device
        • View Network Information Of A Linux Device
        • View And Manage Profiles Associated With A Linux Device
        • View Linux Packages Installed On A Device Through Endpoint Manager
        • View And Manage Device Group Memberships
      • Manage Android Devices
        • View And Edit Device Name
        • View Summary Information
        • Manage Installed Applications
        • View And Manage Profiles Associated With A Device
        • View Sneak Peek Pictures To Locate Lost Devices
        • View The Location Of The Device
        • View And Manage Device Group Memberships
      • Manage IOS Devices
        • View Summary Information Of An IOS Device
        • View And Edit Device Name Of An IOS Device
        • View Applications Installed On An IOS Device
        • View And Manage Profiles Associated With An IOS Device
        • View The Location Of An IOS Device
        • View And Manage Group Memberships Of An IOS Device
      • View User Information
      • Remove A Device
      • Remote Management Of Windows And Mac OS Devices
        • Transfer Items To / From The Remote Computer
      • Remotely Manage Folders And Files On Windows Devices
      • Manage Processes On Remote Windows Devices
      • Manage Services On Remote Windows Devices
      • Use The Command Prompt On Remote Windows Devices
      • Apply Procedures To Windows And Mac Devices
      • Remotely Install And Manage Packages On Windows Devices
      • Remotely Install Packages On Mac OS Devices
      • Remotely Install Packages On Linux Devices
      • Send Enrollment Link To IOS Devices
      • Install Apps On Android/iOS Devices
      • Generate An Alarm On Android Devices
      • Remotely Lock Mobile And Mac OS Devices
      • Wipe Selected Mobile And Mac Devices
      • Assign Configuration Profiles To Selected Devices
      • Set / Reset Screen Lock Password For Mobile Devices
      • Update Device Information
      • Send Text Messages To Mobile Devices
      • Restart Selected Windows Devices
      • Shutdown Windows Devices
      • Wake Offline Device
      • Change A Devices Owner
      • Change The Ownership Status Of A Device
      • Add Custom Notes And Tags On Devices
      • Generate Device List Report
    • Bulk Enrollment Of Devices
      • Enroll Windows, Mac OS And Linux Devices By Installing The Communication Client
        • Enroll Windows Devices Via AD Group Policy
        • Enroll Windows, Mac OS And Linux Devices By Offline Installation Of Agent
        • Enroll Windows Devices Using Auto Discovery And Deployment Tool
      • Enroll The Android And IOS Devices Of AD Users
    • Download And Install The Remote Control Tool
  • Users And User Groups
    • Manage Users
      • Create New User Accounts
        • Manually Add Users
        • Import Users From A CSV File
      • Enroll User Devices For Management
        • Enroll Android Devices
        • Enroll IOS Devices
        • Enroll Windows Endpoints
        • Enroll Mac OS Endpoints
        • Enroll Linux OS Endpoints
      • View User Details
        • Update The Details Of A User
      • Assign Configuration Profiles To User Devices
      • Remove A User
      • Generate New Password For A User
      • Reset Two Factor Authentication Token For A User
      • Run Procedures On User Devices
    • Manage User Groups
      • Create A New User Group
      • Edit A User Group
      • Assign Configuration Profiles To A User Group
      • Remove A User Group
      • Run Procedures On Group Devices
    • Configure Role Based Access Control For Users
      • Create A New Role
      • Manage Permissions And Users Assigned To A Role
      • Remove A Role
      • Manage Roles Assigned To A User
  • Configuration Templates
    • Create Configuration Profiles
      • Profiles For Android Devices
      • Profiles For IOS Devices
      • Profiles For Windows Devices
        • Create Windows Profiles
          • Associated Devices Settings
          • Remote Control Settings
          • Client Access Control
          • Client Proxy Settings
          • Communication Client Update Settings
          • Client UI Settings
          • Remote Tools Settings
          • Monitors
          • Procedure Settings
          • Patch Management Settings
          • Maintenance Window Settings
          • Global Proxy Settings
          • Communication Client Rebranding
          • Client Logging Settings
          • Antivirus Settings
          • Firewall Settings
          • HIPS Settings
          • File Rating Settings
          • Containment Settings
          • VirusScope Settings
          • Xcitium Verdict Cloud
          • Agent Discovery Settings
          • External Devices Control Settings
          • Miscellaneous Settings
          • Script Analysis Settings
          • Data Loss Prevention Settings
          • Xcitium Client Security Access Control
          • XCS Updates
          • Xcitium Client Security UI Settings
          • XCS Logging Settings
          • Thumbnails Settings
          • Performance Settings
          • Chat Settings
        • Import Windows Profiles
      • Profiles For Mac OS Devices
        • Create A Mac OS Profile
          • Antivirus Settings For Mac OS Profile
          • Certificate Settings For Mac OS Profile
          • Restrictions Settings For Mac OS Profile
          • VPN Settings For Mac OS Profile
          • Wi-Fi Settings For Mac OS Profile
          • Remote Control Settings For Mac OS Profile
          • External Device Control Settings For Mac OS Profile
          • Valkyrie Settings For MacOS Profile
          • Procedure Settings For Mac Profiles
          • Monitor Settings For Mac OS Profile
      • Profiles For Linux Devices
        • Create A Linux Profile
          • Antivirus Settings For Linux Profile
          • Communication Client And Comodo Client - Security Application Update Settings For Linux Profile
          • User Interface Settings For Linux Profile
          • Logging Settings For Linux Profile
          • Clients Access Control Settings For Linux Profile
          • Valkyrie Settings For Linux Profile
    • View And Manage Profiles
      • Export And Import Configuration Profiles
      • Clone A Profile
    • Edit Configuration Profiles
    • Manage Default Profiles
    • Manage Alerts
      • Create A New Alert
      • Edit / Delete An Alert
    • Manage Procedures
      • View And Manage Procedures
      • Create A Custom Procedure
      • Combine Procedures To Build Broader Procedures
      • Review / Approve / Decline New Procedures
      • Add A Procedure To A Profile / Procedure Schedules
      • Import / Export / Clone Procedures
      • Change Alert Settings
      • Apply Procedures To Devices
      • Edit / Delete Procedures
      • View Procedure Results
    • Manage Monitors
      • Create Monitors And Add Them To Profiles
        • Monitors For Windows Devices
        • Monitors For Mac OS Devices
      • View And Edit Monitors
    • Data Loss Prevention Rules
      • Create DLP Discovery Rules And Add Them To Profiles
      • View And Edit DLP Discovery Rules
      • Create DLP Monitoring Rules And Add Them To Profiles
      • View And Edit DLP Monitoring Rules
  • Security Systems
    • Security Dashboards
      • View Security Events By Time
      • View Security Events By Files
      • View Security Events By Device
    • View Contained Applications
    • Manage File Trust Ratings On Windows Devices
      • File Ratings Explained
    • View List Of Valkyrie Analyzed Files
    • Antivirus And File Rating Scans
      • Run Antivirus And/or File Rating Scans On Devices
      • Handle Malware On Scanned Devices
      • Update Virus Signature Database On Windows, Mac OS And Linux Devices
    • View And Manage Identified Malware
    • View And Manage Quarantined Items
    • View Android Threat History
    • View And Manage Autorun Items
    • View History Of External Device Connection Attempts
    • Data Loss Prevention Scans
      • DLP Logs
      • DLP Quarantined Files
  • Network Management
    • Create And Run Network Discovery Tasks
    • Manage Profiles For Network SNMP Devices
    • Manage Network Devices
      • Manage SNMP Devices
        • SNMP Device Details Interface
      • Discovered Devices
    • Manage Network Monitors
  • Application Store
    • IOS Apps
      • Add IOS Apps And Install Them On Devices
      • Manage IOS Apps
    • Android Apps
      • Add Android Apps And Install Them On Devices
      • Manage Android Apps
    • Windows Apps
      • Install Windows Apps On Devices
  • Applications
    • View Applications Installed On Android And IOS Devices
      • Blacklist And Whitelist Applications
    • Patch Management
      • Manage OS Patches On Windows Endpoints
      • Install 3rd Party Application Patches On Windows Endpoints
        • EM Supported 3rd Party Applications
    • View And Manage Applications Installed On Windows Devices
      • Uninstall A Windows Application From Selected Devices
      • Uninstall A Windows Application From All Devices
    • Vulnerability Management
  • License Management
    • Manage Your Licenses
    • Manage License Allocation
    • Bill Forecast
  • Configure Endpoint Manager
    • Email Notifications, Templates And Custom Variables
      • Configure Email Templates
      • Configure Email Notifications
      • Create And Manage Custom Variables
      • Create And Manage Registry Groups
      • Create And Manage COM Groups
      • Create And Manage File Groups
      • View And Manage Pattern Variables
      • View And Manage Keyword Groups
    • Endpoint Manager Portal Configuration
      • Import User Groups From LDAP
      • Configure Communication And Security Client Settings
        • Configure The EM Android Client
          • Configure Android Client General Settings
          • Configure Android Client Antivirus Settings
          • Add Google Cloud Messaging (GCM) Token
        • Add Apple Push Notification Certificate
        • Configure Windows Clients
          • Configure Communication Client Settings
          • Configure Client Security Settings
      • Manage Endpoint Manager Extensions
      • Configure Endpoint Manager Reports
      • Device Removal Settings
      • Account Security Settings
      • Set-up Administrators Time Zone And Language
      • Configure Audit Log Settings
    • Integrate Apple DEP With Endpoint Manager
      • Link Endpoint Manager With Apple DEP
      • Manage Apple DEP Devices
      • Manage Apple DEP Profiles
      • Configure Apple DEP Notifications
    • View Version And Support Information
  • Appendix 1a - Endpoint Manager Services - IP Nos, Host Names And Port Details - EU Customers
  • Appendix 1b - Endpoint Manager Services - IP Nos, Host Names And Port Details - US Customers
  • Appendix 2 – Endpoint Manager License Types
  • Appendix 3 - Pre-configured Profiles
  • About ITarian

Manage OS Patches on Windows Endpoints


Click 'Applications' > 'Patch Management' > 'Operating System' tab

  • The operating system tab lets you deploy and manage OS updates on Windows devices.
  • Endpoint Manager checks Microsoft update servers for available Windows patches and lists them in the interface. You can deploy patches to devices as required. You can also uninstall patches from devices if required.
  • Patches need to be approved for deployment. You can choose to decline / approve patches. By default, patches are automatically approved.
  • The interface shows details about each patch, including patch classification, the Windows component to which it applies, release date, severity, previous versions, Microsoft bulletins and number of endpoints which require the patch.
  • You can filter patches by company and device group.
  • You can hide patches if you do not want to deploy them. Hidden patches will not be available for deployment in the 'Device Management' screen and will not be executed if added to a patch procedure.
  • You can also create procedures to deploy operating system and 3rd party application patches. The procedures can be added to profiles to automatically install any new patches.
    • You can also generate a report of the current patch statuses of your Windows devices.

    Manage operating system patches

    • Click 'Applications' > 'Patch Management'
    • Select the 'Operating System' tab
    • Select a company or group to view updates for that entity's devices
    Or
    • Select 'Show all' to view every available Windows update



     

    'Operating System' Patch Management - Column Descriptions

    Column Heading

    Description

    Title

     The descriptive name of the patch.

    • Click the name to view patch details'. See View Patch Details for more details.

    KB

     The knowledgebase article number that describes the patch.

    • Click the number to view the Microsoft Knowledgebase article on the patch.

    Bulletin

     The Microsoft Bulletin number that contains details about the patch release.

    • Click the number to view the bulletin.

     Classification

    The category of the patch. The possible values are:

    • Update - Fixes a specific non-critical problem, but not a security-related bug.
    • Definition update - Contains updates to a product’s definition database. For example, an update to the virus signature database for Windows Defender.
    • Critical Update - Fixes a specific, critical OS problem or a critical security-related bug.
    • Security update - Fixes a version specific, security related vulnerability. 
    • Update rollup – Contains a collection of hotfixes, security updates, critical updates, and updates packaged together for easy deployment. These updates generally target a specific Windows component. 
    • Driver - Adds software for controlling peripherals or add-on devices that could be connected to the endpoint.
    • Feature pack - Adds new functionality distributed after an OS release.
    • Service pack - Contains a collection of hotfixes, security updates, critical updates, updates, and additional fixes.
    • Tool - Installs a utility or feature for a specific task or a set of tasks.
    • Upgrades - Updates the Windows OS version on the endpoint to the latest build.
    Product

    The Windows component to which the patch applies.
     

    Severity

    		  The criticality of the patch. The possible levels are:
    • Critical
    • Important
    • Moderate 
    • Low 
    • Unspecified

    Status

    Indicates whether the patch is ready for deployment. The statuses are:

    • Auto-Approved - You can install the patch
    • Approved - You can install the patch
       
    • Declined - You cannot deploy the patch
       
       
    • Waiting for approval - You cannot install the patch
       

    Reboot

     Whether or not the endpoint requires a restart for the patch installation to take effect.

    Not Installed

    The number of managed endpoints on which the patch is yet to be installed.

    • Click the number to view the patch details screen at the 'Device List' tab. See the explanation of View Details of a Patch for more details on the 'Patch Details' screen.
    • The 'Device List' tab shows devices to which the patch is relevant. You can deploy the patch to those devices which need it.
    • See Install a patch on selected endpoints for more details.

    Installed

     The number of managed endpoints on which the patch has already been installed.

    • Click the number to view the patch details screen at the 'Device List' tab. See View Details of a Patch for more details on the 'Patch Details' screen.
    • The 'Device List' tab shows devices along with the installation status of the selected patch.
    • You can select devices on which the patch is required and start the installation process. See the explanation of Install a patch on selected endpoints for more details.

    Release Date

    The date on which the patch was released by Microsoft.

    Controls

    Install Patch

    Deploy selected patches to all devices on which they are yet to be installed.


    See Install selected patches on all managed endpoints at once for more details.

    Uninstall Patch(es)

    Remove selected patches from all devices on which they are installed.


    See Uninstall selected patches from all managed endpoints at once for more details.

    Hide Patch(es)

     Conceal selected patches that you do not want to be deployed onto enrolled endpoints.


    Hidden patches will not be visible in the 'Device Management' screen and will not be executed as well if added to a patch procedure.

    Unhide Patch

      Reveal all hidden patches.
     Export

    Generate current patch statuses for the devices. See Generate Patch Statuses Report.

    Create Patch Procedure

    		 Add a new procedure capable of auto-installing patches on your endpoints.

    The procedure can be added to a profile and scheduled to install specific updates at specific times.


    See Manage Procedures for more details.

    Schedule Patch Procedure

    Takes you to the 'Profiles' interface in Endpoint Manager.


    You can add a procedure to a profile which will install your selected updates onto your endpoints. See Procedure Settings in Profiles for Windows Devices for guidance on this.

    Show hidden patch(es)

     Reveal all hidden patches so they can be potentially deployed.

    Approve

    Only permitted patches are installed. See Approve / decline a Windows OS patch for more details.

    Decline

    Unapproved patches are not installed. See Approve / decline a Windows OS patch for more details.

    Auto Approve

    You can set the patches to be automatically approved.

    • Enabled - Newly listed patches are automatically approved
    • Disabled – The status for newly listed patches shows as ‘waiting for approval’. Disable this if you want to evaluate the patch and then approve / decline.


    • Click any column header to sort the items in ascending/descending order of the entries in that column.

    The 'Operating System Patch Management' interface allows you to:

    • View Details of a Patch
    • Hide Patches
    • Restore Hidden Patches
    • Install selected patches on all managed endpoints at once
    • Install a patch on selected endpoints
    • Uninstall selected patches from all managed endpoints at once
    • Create a New Patch Procedure
    • Approve / decline a Windows OS patch
      • Search specific patches in the Patch Management interface
      • Generate Patch Statuses Report

      View Details of a Patch

      • Click 'Applications' > 'Patch Management'
      • Select the 'Operating System' tab
      • Select a company or a group to view the list of patches and Windows updates available for its devices
      Or
      • Select 'Show all' to view a list of all available patches and Windows updates
      • Click the name of a patch to open its patch details screen.


       

      The details of the patch are displayed under six tabs:

      • General - Shows the name and general description, version number, severity as set by the vendor, release date and a link to the knowledgebase (KB) article for the patch release.
      • Vendor - Indicates the publisher of the patch, with a link to the support page for the patch from the vendor
      • Supercedes - Contains information on previous patches that are replaced by this patch
      • Security Patch Info - Contains information on previous patches that are superseded by this patch
      • Bulletin - Contains the Bulletin ID and a short summary of the bulletin published by the vendor for the patch
      • CVE IDs - Displays the Common Vulnerabilities and Exposure (CVE) Identity numbers set for the patch by the vendor
      • Device List - The list of managed Windows endpoints with the installation status of the patch on them. You can install the patch on selected the endpoints from the list. See Install a patch on selected endpoints for more details

      Hide Patches

      • You can hide those patches that you do not want to be rolled out to the endpoints, from the list
      • These patches will also be not available for deployment from the 'Device Management' screen and will not be executed as well if added to a patch procedure
      • You can view the hidden patches by using the 'Show hidden patch(es) toggle button and install these patches onto endpoints

      Hide unwanted patch(es)

      • Click 'Applications' > 'Patch Management'
      • Select the 'Operating System' tab
      • Select a company or a group to view the list of patches and Windows updates available for its devices
      Or
      • Select 'Show all' to view a list of all available patches and Windows updates
      • Select the patch(es) you want to hide and click 'Hide Patch(es)'




      To view the hidden patches again, you have to unhide them.


      Restore Hidden Patches

      • Restored patches will also be available for installation in the Device Management interface and can be added to a patch procedure.

      View hidden patches and restore them

      • Click 'Applications' > 'Patch Management'

      • Select the 'Operating System' tab
      • Select a company or a group to view the list of patches and Windows updates available for its devices
      Or
      • Select 'Show all' to view a list of all available patches and Windows updates
      • Click the funnel icon  on the right, select 'Show hidden patch(es)' and click 'Apply'



      The hidden patches are shown with dark gray background stripe.

      • Select the hidden patch(es) from the list and click 'Unhide Patch(es)'



      A confirmation message is displayed. The patches are re-added to the list.


      Install patch(es) on all managed endpoints at-once

      • Click 'Applications' > 'Patch Management'
      • Select the 'Operating System' tab
      • Select a company or a group to view the list of patches and Windows updates available for its devices
      Or
      • Select 'Show all' to view a list of all available patches and Windows updates
      • Select the patch(es) to be installed and click 'Install Patch(es)'



       

      • Click 'OK' in the confirmation dialog

      The command will be sent and the selected patch(es) will be installed on all endpoint(s) in which the patch is not already installed.


      Install a patch on selected endpoints

      • Click 'Applications' > 'Patch Management'
      • Select the 'Operating System' tab 
      • Select a company or a group to view the list of patches and Windows updates available for its devices 
      Or 
      • Select 'Show all' to view a list of all available patches and Windows updates 
      • Click the number in the 'Not Installed' column of the patch you want to install.




      The 'Patch Details' screen will open at the 'Device List' tab. The screen shows all managed devices to which the patch is relevant. The 'Installed' column tells whether the patch is installed on the device.

      • Select the device(s) on which the patch is to be installed and click 'Install Patch'
      • A confirmation dialog will appear:


       

      The command will be sent to the selected device(s) and a schedule will be created for installation of the selected patch(es) on the devices.

       

      Uninstall selected patches from all managed endpoints at-once

      You can remove unwanted patches and Windows updates from the managed devices. This is useful if you want the managed endpoints to be rolled back to the previous build version of Windows component or the OS itself.

      • Click 'Applications' > 'Patch Management'
      • Select the 'Operating System' tab
      • Select a company or a group to view the list of patches and Windows updates available for its devices
      Or
      • Select 'Show all' to view a list of all available patches and Windows updates
      • Select the patch(es) to be removed from the devices and click 'Uninstall Patch(es)'



      • Click 'OK ' in the confirmation dialog
      • The command will be sent to the selected device(s) and a schedule will be created for uninstallation of the selected patch(es) on the devices.



       

      Create a New Patch Procedure

      • The 'Patch Management' > 'Operating System' interface lets you create a procedure to deploy OS patches.
      • The procedures can be added to profiles and scheduled to run periodically.

      Create a new patch procedure

      • Click 'Applications' > 'Patch Management'
      • Select the 'Operating System' tab
      • Click 'Create Windows Patch Procedure' at the top



      The 'Create Windows Patch Procedure' wizard starts.

      • Create a name and specify the storage folder for the procedure. Select the categories of OS patches you want to install and configure endpoint restart options.
      • See creating an OS patch procedure for more help with the wizard.

      Approve / decline a Windows OS patch


      You can deploy only approved and auto-approved patches on endpoints. You can disapprove a patch so it cannot be deployed, for example, you want to evaluate whether the patch is required or not.

      • Click 'Applications' > 'Patch Management'
      • Select the 'Operating System' tab
      • Select a patch and click ‘Approved’ or ‘Decline’ button at the top


      • Auto Approve – Enable this button so when a new patch is listed here, it is automatically approved. If disabled, the patch shows its status as ‘Waiting for approval’.


      Search specific patches in the Patch Management interface

      • Click the funnel icon  on the right to filter patches by various criteria, including by name, by KB number, by bulletin number, by classification, by severity, and by whether a restart is required for the patches.
      • Start typing the name of a patch in the search field to find a particular patch. Select the patch from the search suggestions and click 'Apply'
      • To display all items again, clear any filters and search criteria and click 'Apply'.
      • EM returns 20 results per page when you perform a search. To increase the number of results displayed per page up to 200, click the arrow next to 'Results per page' drop-down.

      Generate Patch Statuses Report

      • Click 'Applications' > 'Patch Management'
      • Click 'Export' at the top.



       

      • The CSV file will be available in 'Dashboard' > 'Reports'

      • See 'Reports' in 'Dashboard' for how to view and download reports.
      Comodo Help
      • IT Platform:
      • Help
      • Scripts
      • Wiki
      • Forum
      • Developer
      • RMM
      • Patch Management
      • Service Desk
      • ITSM
      • Managed Service Provider
      • Managed Detection and Response
      • Ticketing System
      • Helpdesk
      • ITIL

      Copyright 2024 Itarian