Manage automated deployment of Windows patches

This document explains how the Patches and Updates feature in Hexnode helps admins perform automated patch management for Windows devices.

Patches and Updates allows IT administrators to monitor and manage all available updates for both the OS and applications on enrolled devices. Updates can be reviewed in detail, and admins can choose to approve or revoke specific updates directly. It serves as a one-stop solution for managing patches and updates across all enrolled devices.

Software management is one of the crucial aspects of device maintenance, as system vulnerabilities can easily be exploited without proper update management. This applies to both the OS and applications. To mitigate potential security risks, it is essential to keep devices up to date. Developers regularly release patches and updates to enhance security, performance, and stability.

While manually deploying updates at scheduled intervals allows IT admins to manage critical updates that require close attention, reviewing and verifying each update individually is unnecessary. Instead, admins can simplify the process by defining criteria that an update must meet before being deployed automatically.

With the Deployments feature, IT admins can create such criteria and assign them to device groups. Automating Patches and Updates deployment based on predefined criteria simplifies this process, facilitating timely updates with minimal effort.

Set up automated Patches & Updates management for Windows

Patches & Updates can be automated with the Deployments feature by following these steps:

  1. Log in to Hexnode UEM.
  2. Go to Deploy and click on New Deployment. Alternatively, you can choose to edit an existing deployment.
  3. Choose Windows as the platform.

This process involves five stages.

Stage – 1: Basics

Basic details for the deployment will be configured in this stage. Provide a Name (mandatory) and a suitable Description for the deployment. Verify the chosen Target Platform. Click on Next in the top right corner.

Stage – 2: Actions

This stage lists the types of actions available for setting up a Windows deployment. The options are:

  1. Patches & Updates – Auto
  2. Patches & Updates – Manual
  3. Bulk Actions

To automate the deployment of patches and updates by creating a comprehensive criterion, choose Patches & Updates – Auto.

Set up the following options by clicking on the Add button adjacent to them:

  1. Define criteria for automatic deployment:

    This mandatory option is used to configure certain criteria the updates have to meet to be eligible for deployment.

    A criterion is defined using condition filters, which consist of a data column, a comparator, and a value. The data column represents a specific relevant parameter based on the chosen Patches & Updates type (OS or Apps), such as KB number or CVE, while the comparator determines its relation to the assigned value (e.g., greater than or less than). Use these fields in different combinations to create different condition filters and nest them together to define a criterion.
    Here, there are two options presented, Windows (OS Patches & Updates) and Apps (Application Patches & Updates). Based on the option chosen, the relevant data columns will be presented. The available columns for the condition filters for each option are:

    1. Windows

      This option filters patches and updates for the operating system. Define the criteria with the following data columns.

      • CVE
      • KB Number
      • Product
      • Release Date
      • Severity
      • Update Classification
      • Update Name
    2. Apps

      This option filters patches and updates for applications installed on devices. Select the required Patches & Updates from the Available Updates > Recommended/Latest Updates. Use the search bar to quickly find the application update with its name, app identifier, or publisher. To select a patch/update, click on the plus icon adjacent to it. All the chosen patches/updates will be listed under the Selected Updates. After selecting the required updates, click Next. Use the following data columns to define the criteria for the eligibility of the deployment.

      • Release Date
      • Severity

    Nested filters can be added by clicking the ‘+’ icon. You can configure multiple filters at once for the selected option (Windows or Apps) by clicking the +New filter. To remove a filter, click the bin icon next to the ‘+’ icon.

    A nested filter is handled using the AND operator, meaning all conditions within it must be met. Whereas multiple filters can be handled using either the AND or OR operators:

    • AND requires the device to meet both the specified conditions.
    • OR requires the device to meet at least one of the conditions.

    By setting these filters, admins create conditions that patches and updates must meet to be deployed. Tailor the conditions as needed and click Confirm to apply them.

  2. Specify updates to ignore (Available only for Windows OS updates and patches)

    Using this option admins can choose to ignore a specific set of updates. These updates will not be deployed to the devices. Select the desired patches & updates from Available Updates > Recommended/Latest Updates. Use the search bar to quickly find the update with its name, GUID, or KB number. To select a patch/update, click on the plus icon adjacent to it. All the chosen patches/updates will be listed under Selected Updates. After selecting the required updates, click Confirm.

  3. Configure deployment rules:

    This option consists of a set of rules to be defined for deploying the Patches & Updates to Windows devices.

    1. Require update approval: The updates need to be approved by the administrator to be deployed to the devices.
    2. Install and reboot only during maintenance window: The updates will be installed, and the device will undergo reboot only after the configured Active hours. If no active hours are configured, the default Active hours on the device will be considered.
    3. Configure Notifications: When this option is configured, the selected technicians on the Hexnode console are notified via email of the status of the update's installation (either running or failed). The following options can be configured:
      • Notify installation failures every {Time_Period} hour(s): An email will be sent to the chosen technicians regarding the failures of update installations for the configured time intervals. Allowed values are 1-23.
      • Notify installation status every {Time_Period} hour(s): An email will be sent to the chosen technicians regarding the status of update installations for the configured time intervals. Allowed values are 1-23.
      • Choose technicians to notify: Choose the technicians to receive notifications regarding the update status.

    Once all the criteria are configured, click Next.
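
A dry-run model of the criteria logic described in this stage (nested conditions ANDed, filters combined with AND or OR, ignored updates never deployed), as an added example that is not Hexnode's code or API. The comparator names and the sample catalog with placeholder KB numbers are assumptions.

```python
from datetime import date

# Constructed sample catalog: KB numbers are placeholders, not real updates.
UPDATES = [
    {"KB Number": "KB0000001", "Severity": "Critical",
     "Update Classification": "Security Updates", "Release Date": date(2024, 5, 14)},
    {"KB Number": "KB0000002", "Severity": "Important",
     "Update Classification": "Security Updates", "Release Date": date(2024, 3, 12)},
    {"KB Number": "KB0000003", "Severity": "Low",
     "Update Classification": "Feature Packs", "Release Date": date(2024, 4, 9)},
    {"KB Number": "KB0000004", "Severity": "Critical",
     "Update Classification": "Drivers", "Release Date": date(2024, 6, 1)},
    {"KB Number": "KB0000005", "Severity": "Critical",
     "Update Classification": "Security Updates", "Release Date": date(2024, 6, 11)},
]

# Assumed comparator names; the console's actual list depends on the data column.
COMPARATORS = {
    "is": lambda a, b: a == b,
    "is not": lambda a, b: a != b,
    "greater than": lambda a, b: a > b,
    "less than": lambda a, b: a < b,
}

def filter_matches(update, conditions):
    """One filter = list of (column, comparator, value); nested conditions are ANDed.
    A condition on a column the update lacks never matches."""
    return all(col in update and COMPARATORS[cmp](update[col], val)
               for col, cmp, val in conditions)

def select(updates, filters, operator="OR", ignored=()):
    """Return the KB numbers eligible for deployment; ignored updates are dropped first."""
    combine = all if operator == "AND" else any
    return [u["KB Number"] for u in updates
            if u["KB Number"] not in ignored
            and combine(filter_matches(u, f) for f in filters)]

# Two filters: the first nests two conditions, the second has one.
CRITICAL_SECURITY = [("Severity", "is", "Critical"),
                     ("Update Classification", "is", "Security Updates")]
RELEASED_AFTER_MAY = [("Release Date", "greater than", date(2024, 5, 31))]
FILTERS = [CRITICAL_SECURITY, RELEASED_AFTER_MAY]

if __name__ == "__main__":
    print("OR :", select(UPDATES, FILTERS, "OR"))
    print("AND:", select(UPDATES, FILTERS, "AND"))
    print("OR, KB0000004 ignored:", select(UPDATES, FILTERS, "OR", {"KB0000004"}))
```

Switching the operator between the two filters from OR to AND shrinks the selection from three updates to one, so the choice of operator decides whether an older critical security update is deployed at all.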

    Stage – 3: Settings and Schedule

    The automation of the deployment based on a time-based trigger can be configured in this stage. The following settings are available to configure:

    1. Trigger: A trigger is an event or a condition that initiates a deployment. In the case of Patches & Updates, Time is used as the factor to trigger the deployment.
    2. Initiate: This setting contains a set of options to set the frequency to trigger the deployment. The following options are available:
      1. Once, ASAP: The deployment will be triggered right after the configuration of the deployment is done, and the settings configured will be deployed to the devices instantaneously.
      2. Once: The deployment will be triggered at a scheduled time and date in the chosen time zone. The Scheduled Date can be configured in the MM/DD/YYYY format. Scheduled Time can be configured in the 24-hour format including minutes. The available values for hours are 0-23 and for minutes are 0-59. Additionally, the time zone can also be selected from the list of available time zones. To view the time zone, click on the drop-down adjacent to the minutes field.
      3. Repeat at a set schedule: The deployment will be triggered at regular intervals on a scheduled date and time configured using this option. A Scheduled Day can be set as Everyday, Selected Days of a week, or a particular date Monthly. A Scheduled Time can be configured in Hours and Minutes in a 24-hour format in a preferred time zone.

    Once the Settings and Schedule stage is configured, move on to the next stage by clicking on Next.

    Stage – 4: Target Filters

    The Patch & Update deployment will be assigned to a pre-existing device/user group or a new dynamic group of devices created with a set of condition filters in this stage. This stage consists of the following options,

    1. Included Groups: Click Add Groups and select a set of custom/dynamic groups from either device groups or user groups for the deployment. The deployment will be applied to the groups selected in this option. This field is mandatory.
    2. Excluded Groups: Click Add Groups and select a set of custom/dynamic groups from either device groups or user groups for the deployment. The deployment will not be applied to the groups selected in this option.
    3. Filters: Configure a criterion for a new dynamic group of devices for which the deployment will be applied. A filter can be created by clicking on +New filter, choosing a subcategory and its respective comparator, and assigning it to a desired value. A comparator differs based on the subcategory chosen. The following table depicts the types of categories available as filters along with their corresponding subcategories.
      Main category / Sub-categories
      Device
      • Apple DEP
      • Asset tag
      • Available internal storage
      • Battery level
      • BitLocker Policy Compliance
      • Department
      • Device ID
      • Device model
      • Device notes
      • Device type
      • Encryption Status
      • Enrolled time
      • Enterprise Management Type
      • Installed RAM
      • Last checked-in time
      • Manufacturer
      • MEID
      • OS name
      • OS version
      • Ownership
      • Platform
      • Processor name
      • Serial number
      • Supervision
      • Total internal storage
      • TPM version
      • UDID
      • Used internal storage
      User
      • Alternate email
      • Department (AD)
      • Domain name
      • Email
      • Office location (AD)
      • sAMAccountName
      • Title (AD)
      • User type
      • Username
      Network
      • Bluetooth MAC address
      • Current carrier network SIM 1
      • Current carrier network SIM 2
      • Current MCC
      • Current MNC
      • Ethernet IP Address
      • Ethernet MAC address
      • Home carrier
      • Home country
      • ICCID SIM 1
      • ICCID SIM 2
      • IMEI SIM 1
      • IMEI SIM 2
      • IMSI
      • International data roaming
      • Last connection date
      • Personal Hotspot
      • Phone number SIM 1
      • Phone number SIM 2
      • Roaming enabled
      • SIM carrier network
      • Subscriber carrier network (iOS)
      • Subscriber MCC
      • Subscriber MNC
      • Wi-Fi IP Address
      • Wi-Fi MAC address
      • Wi-Fi SSID
      Device Status
      • Activity status
      • Application compliance status
      • Compliance status
      • Enrollment status
      • Geofence compliance status
      • Jailbroken
      • Kiosk mode
      • Lost mode
      • MDM profile
      • Password compliance status
      • Rooted

      Nested filters can be added by clicking the ‘+’ icon. Multiple filters can be configured at once by clicking +New filter. To remove a filter, click the bin icon next to the ‘+’ icon.

      A nested filter is handled using the AND operator, i.e., all conditions within it must be met. Whereas multiple filters can be handled using either AND or OR operators:

      • AND requires the device to meet both the specified conditions.
      • OR requires the device to meet at least one of the conditions.

      Once the desired groups are selected and the conditions for the dynamic group of devices are tailored as required, click Next.

    Stage – 5: Review

    In this final stage, an overview of all the configured settings in the deployment will be displayed in their respective order. Admins can cross-check and confirm all the configured settings and can choose to make any necessary changes if required by clicking on the Edit option corresponding to the respective stage. Once all the configured settings are confirmed, click Save.