In this article, you will learn everything you need to know about the Operating System Updates product.
1. Description
2. How do Operating System Updates work?
3. HEIMDAL Agent - Operating System Updates
4. Operating System Updates view
5. Operating System Updates settings
DESCRIPTION
With Patch and Asset Management you can install Operating System Updates on the Windows/Linux computers in your company’s environment. The Patch & Asset Management – Operating System Updates module lets you manage these patches: select which ones to deploy on the computers under the respective Group Policy, delete or hide them, suppress the reboot of the endpoints (for updates that require a reboot to complete the installation), and schedule when the computers are to be restarted.
HOW DO OPERATING SYSTEM UPDATES WORK?
Operating System Updates checks the installed and the available Operating System Updates on an endpoint and reports them to the HEIMDAL Dashboard.
Windows OS
The Administrator can deploy and install available Windows Updates with two methods:
A. Manual deployment and installation of Windows Updates means that the HEIMDAL Dashboard Administrator can manually select the available update(s) to be deployed right from the HEIMDAL Dashboard -> Products -> Patch & Asset Management -> Operating System Updates.
B. Automatic deployment and installation of Operating System Updates means that the HEIMDAL Dashboard Administrator can configure the automatic deployment and installation of available Operating System Updates through the HEIMDAL Agent.
Windows Updates are available for installation when they are made available on the Server Source (e.g. WSUS Server or the Microsoft API).
To take control of the Windows Update and restart flow, the HEIMDAL Agent changes the following registry values on the endpoint:
- Change scheduler settings (allows the HEIMDAL Agent to bypass the Windows settings in order to control the restart mechanism if Microsoft Update Reboot Schedule is enabled in the Group Policy)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - ActiveHoursEnd
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - ActiveHoursStart
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - SetActiveHours
- Change automatic updates settings (allows the HEIMDAL Agent to deactivate the automatic Windows Updates)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU - AllowMUUpdateService (0 or 1)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU - AUOptions (2)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU - NoAutoUpdate (1)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU - ScheduledInstallDay (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU - ScheduledInstallTime (0)
- Set delivery optimization (enable/disable Windows Updates delivery optimization feature)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config - DODownloadMode (1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config - DownloadMode_BackCompat (1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings - DownloadMode (1)
When the OS Updates product is disabled, the HEIMDAL Agent will restore the registry keys to the previous settings. If Delivery Optimization is managed through an Active Directory GPO, the HEIMDAL Agent will not be able to set DODownloadMode to 1.
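As an added verification helper (not part of the HEIMDAL product or of this article), the following Python script parses the output of `reg query` for the keys listed above, reports values that differ from the states the article gives, and diffs two snapshots so that the restore performed when the product is disabled can be confirmed. The sample output is constructed, and the value-name pattern is a simplification.

```python
import re
# Values the article says the HEIMDAL Agent writes while OS Updates is enabled;
# each set holds the accepted data ("AllowMUUpdateService (0 or 1)" accepts both).
AU = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
DO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization"
EXPECTED = {
    AU: {"AllowMUUpdateService": {0, 1}, "AUOptions": {2}, "NoAutoUpdate": {1},
         "ScheduledInstallDay": {0}, "ScheduledInstallTime": {0}},
    DO + r"\Config": {"DODownloadMode": {1}, "DownloadMode_BackCompat": {1}},
    DO + r"\Settings": {"DownloadMode": {1}},
}

# 'reg query' prints each value as "<indent>Name    REG_TYPE    Data" (names with spaces are not handled here).
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_reg_query(text):
    """Parse concatenated 'reg query <key>' output into {key_path: {value_name: data}}."""
    snapshot, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):          # key header line
            current = line.strip()
            snapshot.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, rtype, data = m.groups()
            if rtype in ("REG_DWORD", "REG_QWORD"):
                data = int(data, 16)          # reg query prints 0x-prefixed hex
            snapshot[current][name] = data
    return snapshot

def audit(snapshot):
    """List every expected value that is missing or outside its accepted set."""
    findings = []
    for key, values in EXPECTED.items():
        present = snapshot.get(key)
        if present is None:
            findings.append(f"missing key: {key}")
            continue
        for name, allowed in values.items():
            if name not in present:
                findings.append(f"{key} - {name}: not set")
            elif present[name] not in allowed:
                findings.append(f"{key} - {name}: {present[name]} (expected one of {sorted(allowed)})")
    return findings

def diff_snapshots(before, after):
    """(key, name, old, new) for every value that differs, e.g. a snapshot taken before
    enabling OS Updates versus one taken after disabling it, to confirm the restore."""
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if b.get(name) != a.get(name):
                changes.append((key, name, b.get(name), a.get(name)))
    return changes

# Constructed sample output, not captured from a real endpoint.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x1
    AUOptions    REG_DWORD    0x4
    ScheduledInstallDay    REG_DWORD    0x0
    ScheduledInstallTime    REG_DWORD    0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config
    DODownloadMode    REG_DWORD    0x1
    DownloadMode_BackCompat    REG_DWORD    0x1
"""
```

Run `audit(parse_reg_query(...))` on the real output of `reg query` for the three keys; an empty list means the endpoint matches the states above.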
The example above describes a scenario in which the OS Updates Reboot Delay is set with a Reboot Delay of 10 minutes and a number of 2 allowed postpones.
HEIMDAL Agent - Windows Updates
The HEIMDAL Agent displays information about the Installed Updates, the Available Updates, and the Pending Updates.
The HEIMDAL Agent allows the end-user to see the Windows Updates that have been installed on the computer.
OPERATING SYSTEM UPDATES view
The Patch & Asset Management - Operating System Updates view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the Operating System Updates that are available or installed by the HEIMDAL Agent and is divided between the Windows Updates installed on Windows endpoints and the Linux Updates installed on Linux endpoints.
Windows OS
On the top, you see a statistic regarding the number of Installed updates, the number of Available/Pending updates, and the number of devices with errors.
The collected information is placed in the following views: Installed, Pending, Available, Updates per Endpoint, and Compliance.
- Installed
This view displays a table with the Windows Updates that are installed on the endpoints in your organization, with the following details: Title, KB, Severity, Endpoints, Servers, CVE, CVSS, Products, and Categories.
In the Installed view, you can select one or multiple entries and hide them from the view using the Hide Updates button from the dropdown menu. You can also use the Select GP dropdown menu to list the installed Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates. The updates can be listed per update or per endpoint.
- Pending
This view displays a table with the Windows Updates that are pending completion of their installation on the endpoints in your organization, with the following details: Title, KB, Severity, Endpoints, Servers, Reboot, CVE, CVSS, Products, and Categories.
In the Pending view, you can select one or multiple entries and remove or hide them from the view using the Remove or Hide Updates buttons from the dropdown menu. You can also use the Select GP dropdown menu to list the pending Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates. The updates can be listed per update or per endpoint.
- Available
This view displays a table with the Windows Updates that are available for installation on the endpoints in your organization, with the following details: Title, KB, Severity, Endpoints, Servers, Reboot, CVE, CVSS, Products, and Categories.
In the Available view, you can select one or multiple entries and install or hide them using the Install or Hide Updates buttons from the dropdown menu. You can also use the Select GP dropdown menu to list the available Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates. The updates can be listed per update or per endpoint.
- Error
This view includes a grid with the following columns: Hostname (clickable; redirects to the OS Updates -> Pending tab), Username, Error code (with a tooltip describing the error code), and Last Seen. The Reboot required view displays all the endpoints that need to be rebooted in order for their corresponding Windows Updates to be completed.
- Assets
This view displays a table with all the Windows Updates that have been installed since the OS installation, with the following details: Title, Endpoints, Servers, Client Application ID, and Description. This is a complete audit of the installed Windows Updates, whether or not the HEIMDAL Agent installed them.
- Compliance
This view displays a table with the compliant and non-compliant endpoints (in terms of installed Windows Updates) with the following details: Hostname, Username, Number of Updates, Highest Severity, Operating System, Oldest patch date, Last Seen, and Status.
A Non-Compliant machine is an endpoint that has pending updates released before the Specific Date set in the filter and a Last Seen timestamp not older than 6 months. The Non-Compliant filter does not have an interval, as the Specific Date suffices to show the Non-Compliant endpoints up to that date. The Compliance view applies the Cyber Essentials norms when deeming an endpoint compliant or not. The Cyber Essentials compliant view displays all endpoints that have no available/pending OS updates released more than 14 days ago and whose OS Build version is not End of Life (EOL) or End of Service. The Cyber Essentials non-compliant view displays all endpoints that have at least one available/pending OS update with a release date older than 14 days or whose OS Build version is End of Life (EOL) or End of Service.
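An added illustration (not Heimdal's code) of the Cyber Essentials rule above applied to constructed endpoint records, producing the columns the Compliance view shows. The record layout is an assumption, the KB identifiers are placeholders, and the 6-month Last Seen window is assumed to mean 183 days.

```python
from datetime import date, timedelta

CE_MAX_AGE_DAYS = 14      # Cyber Essentials: an update must be applied within 14 days of release
LAST_SEEN_MAX_DAYS = 183  # "Last Seen not older than 6 months", assumed here to mean 183 days
SEVERITY_RANK = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1, "Unspecified": 0}

TODAY = date(2022, 9, 30)
# Constructed sample records; the KB identifiers are placeholders, not real Microsoft KBs.
SAMPLE_ENDPOINTS = [
    {"hostname": "WS-01", "last_seen": TODAY, "os_eol": False, "pending": [
        {"kb": "KB-EXAMPLE-1", "severity": "Important", "release": TODAY - timedelta(days=30)},
        {"kb": "KB-EXAMPLE-2", "severity": "Critical", "release": TODAY - timedelta(days=3)}]},
    {"hostname": "WS-02", "last_seen": TODAY - timedelta(days=1), "os_eol": False, "pending": [
        {"kb": "KB-EXAMPLE-2", "severity": "Critical", "release": TODAY - timedelta(days=3)}]},
    {"hostname": "SRV-01", "last_seen": TODAY, "os_eol": True, "pending": []},
    {"hostname": "LAP-09", "last_seen": TODAY - timedelta(days=200), "os_eol": False, "pending": [
        {"kb": "KB-EXAMPLE-1", "severity": "Important", "release": TODAY - timedelta(days=30)}]},
]

def considered_updates(endpoint, specific_date=None):
    """Pending/available updates the filter takes into account: all of them, or only
    those released on or before the Specific Date chosen in the dashboard filter."""
    return [u for u in endpoint["pending"]
            if specific_date is None or u["release"] <= specific_date]

def classify(endpoint, today=TODAY, specific_date=None):
    """'compliant' or 'non-compliant' per the Cyber Essentials rule in the article, or None
    when the endpoint's Last Seen is outside the 6-month window and it is not scored."""
    if (today - endpoint["last_seen"]).days > LAST_SEEN_MAX_DAYS:
        return None
    overdue = [u for u in considered_updates(endpoint, specific_date)
               if (today - u["release"]).days > CE_MAX_AGE_DAYS]
    return "non-compliant" if endpoint["os_eol"] or overdue else "compliant"

def compliance_report(endpoints, today=TODAY, specific_date=None):
    """Rows mirroring the Compliance view columns, keyed by hostname."""
    rows = {}
    for ep in endpoints:
        status = classify(ep, today, specific_date)
        if status is None:
            continue
        pending = considered_updates(ep, specific_date)
        highest = max(pending, key=lambda u: SEVERITY_RANK.get(u["severity"], 0), default=None)
        oldest = min((u["release"] for u in pending), default=None)
        rows[ep["hostname"]] = {
            "updates": len(pending),
            "highest_severity": highest["severity"] if highest else None,
            "oldest_patch_date": oldest.isoformat() if oldest else None,
            "status": status,
        }
    return rows
```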
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view. (Note: Although the release date for the OS updates is not shown in the Installed, Pending, and Available views, this piece of information is included in the Verbose CSV report, if extracted from the mentioned views).
The Installed, Pending, and Available views, besides the standard Grid view, have an additional view called the Stats view, which can be toggled by switching from the Grid view.
This view contains statistical data regarding the OS Updates, separated into pie charts and matrices: the By severity pie charts and the By release date matrices.
By clicking the data, you will be redirected to a pre-filtered view (date range and Severity) where you can visualize only the OS Updates that fall under that specific selection.
Linux OS
On the top, you see a statistic regarding the number of Installed updates and the number of Available/Pending updates.
The collected information is placed in the following views: Installed, Pending, Available, and Updates per Endpoint.
- Installed
This view displays a table with Linux Updates that are installed on the endpoints in your organization with the following details: Application, Package, Version, CVE, CVSS, Endpoints, Servers, Category, and Distribution.
- Pending
This view displays a table with Linux Updates that are pending to complete the installation on the endpoints in your organization with the following details: Application, Package, Version, Endpoints, Servers, Category, and Distribution.
- Available
This view displays a table with Linux Updates that are available for installation on the endpoints in your organization with the following details: Application, Package, Version, Endpoints, Servers, Category, and Distribution.
- Updates per Endpoint
This view displays a table with the Updates per Endpoint with the following details: Hostname, Username, and Updates per Endpoint.
macOS
On the top, you see a statistic regarding the number of Installed updates and the number of Available updates.
The collected information is placed in the following views: Installed and Available.
- Installed
This view displays a table with OS Updates that are installed by Heimdal on the endpoints in your organization with the following details: Title, Size (MB), Version, and Endpoints.
You can use the Select GPs dropdown menu to list the installed OS Updates for the selected Group Policy.
- Available
This view displays a table with OS Updates that are available for installation on the endpoints in your organization with the following details: Title, Size (MB), Version, and Endpoints.
You can use the Select GPs dropdown menu to list the available OS Updates for the selected Group Policy.
- Assets
This view displays a table with OS Updates that are detected as installed on the endpoints in your organization with the following details: Title, Version, and Endpoints.
The macOS machine view Operating System Updates -> Assets details grid/table shows the Title of the update, its Size (MB), its Version, and the Date (timestamp) when the update was detected, for all the macOS Operating System Updates currently installed on the machine.
OPERATING SYSTEM UPDATES settings
The Patch & Asset Management - Operating System Updates module allows the HEIMDAL Dashboard Administrator(s) to view, download, and deploy the available Operating System Updates specific to any endpoint in your environment. Patch & Asset Management allows you to select which ones to deploy on the computers that apply the current Group Policy, to delete or hide them, and either to suppress the reboot of the endpoints after the Operating System Updates are installed or to schedule when the endpoints will reboot (to complete the installation of the Operating System Update).
Windows OS
Operating System Updates - turn ON/OFF the Operating System Updates product;
Microsoft Vulnerability reporting only - will only display the Windows Updates available for the endpoints (in the Microsoft Updates view) in your environment without applying them.
General Settings
Install no restart required updates only - allows you to enable/disable the automatic download and install of all the available Windows Updates that do NOT require a reboot to complete the installation process;
Suppress and install everything - allows you to enable/disable the automatic download and installation of all the available Windows Updates (both those that require a reboot to complete the installation process and those that do not) when they are released by Microsoft on the Microsoft API. The computer will not reboot automatically even if an installed update requires a reboot in order to complete. The reboot will be carried out manually by the user/administrator;
Installation of optional updates - allows you to enable/disable the automatic download and installation of optional updates (like Microsoft Feature Updates);
Prevent Windows 11 auto-upgrade - allows you to prevent the computers from installing the Upgrade to Windows 11 (the stable release);
Enhanced reboot detection - the HEIMDAL Agent will perform an additional check to see if a reboot is required to complete the installation of a Windows Update. This feature may put the endpoint(s) in a continuous reboot state;
Installation by category - allows you to enable/disable the automatic download and installation of specified Microsoft Updates categories. Categories can be selected from the drop-down menu:
Installation of other Microsoft products - allows you to enable/disable the automatic download and installation of Microsoft Updates for the other Microsoft products listed here: https://learn.microsoft.com/en-us/windows/deployment/update/update-other-microsoft-products;
Agent notifications for reboot - allows you to enable/disable the Reboot Required notification that is displayed by the HEIMDAL Agent on the end-user computer when a reboot is necessary to finish the installation of a Windows Update;
OS Updates Exclusions - allows you to exclude Windows Updates from being installed, by KB or Title. Exclusions take priority over the Windows Updates selected for installation in the Group Policy. The Exclusions section allows you to import a CSV file in case you have multiple KBs or Titles that need to be excluded;
Server Source - allows the HEIMDAL Agent to download the available Windows Updates from the server source you chose.
- Default - searches for updates on the intranet Microsoft update service location (if specified) configured in the Local Group Policy Editor -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update, or on the Microsoft Default source (if nothing is specified);
- Windows Updates - searches for updates directly on the Microsoft Update servers (bypassing any specified intranet location).
The section below allows you to hide or delete specific Windows Updates that are manually set for installation:
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for new Available Windows Updates:
Delayed OS Interval (days) - allows you to postpone the installation of the Windows Updates for a number of days after their release. This setting will override the customization of the scheduler:
OS Updates Schedule - allows you to configure the interval(s) when the deployment of available Windows Updates takes place. You can select a day or multiple days during the week or during the month (and a timeframe that applies to the selected day/s). Choosing a day or multiple days (without selecting the weeks) will run the OS Updates on the selected days of every week. Choosing a day or multiple days (by selecting the First Week and the Second Week) will run the OS Updates on the selected days, in the First Week and the Second Week only. The scheduler considers the way the days are distributed within the calendar.
In the example below, the month of September 2022 spans a period of 5 weeks. The First week starts on the 1st of September and this means that the First week includes only 4 days, while the Fifth week includes 5 days. Choosing a combination of Thursday and First Week means that the OS Updates will run on the 1st of September. Choosing a combination of Monday and First Week means that OS Updates will be on the 5th of September (the first day from the second week) because the first Monday of the month happens then. This happens in order to prevent skipping a month if the selected day is out of scope. The other case refers to a combination of Sunday and the Fifth Week, which means that the last Sunday is out of the scope of the Fifth Week. Because the algorithm is adjusted in such a way as not to skip any month, the OS Update scheduler will run on the 25th of September (which is the actual last Sunday of the month).
The scheduler can be made Active during the time selection or Inactive during the time selection. This feature is designed to allow you to schedule when the download and installation of Windows Updates take place to minimize the impact on the workflow in your environment;
OS Updates Reboot Scheduler - allows you to configure the interval(s) when an endpoint can reboot in order to complete the installation of available Windows Updates that require a reboot. You can select a day or multiple days during the week or during the month (and a timeframe that applies to the selected day/s). Choosing a day or multiple days (without selecting the weeks) will allow the reboot on the selected days of every week. Choosing a day or multiple days (by selecting the First Week and the Second Week) will allow the reboot on the selected days in the First Week and the Second Week only. The scheduler considers the way the days are distributed within the calendar.
In the example below, the month of September 2022 spans a period of 5 weeks. The First week starts on the 1st of September and this means that the First week includes only 4 days, while the Fifth week includes 5 days. Choosing a combination of Thursday and the First Week means that the reboot will occur on the 1st of September. Choosing a combination of Monday and the First Week means that the reboot will be on the 5th of September (the first day from the second week) because the first Monday of the month happens then. This happens in order to prevent skipping a month if the selected day is out of scope. The other case refers to a combination of Sunday and the Fifth Week, which means that the last Sunday is out of the scope of the Fifth Week. Because the algorithm is adjusted in such a way as not to skip any month, the OS Reboot scheduler will run on the 25th of September (which is the actual last Sunday of the month).
The scheduler can be made Active during the time selection or Inactive during the time selection. This feature is designed to allow you to schedule when an endpoint can reboot in order to complete the installation of Windows Updates that require a reboot to minimize the impact on the workflow in your environment;
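The week-of-month rules described above apply to both the OS Updates Schedule and the OS Updates Reboot Scheduler. The following added Python example (not Heimdal's implementation) reproduces the September 2022 dates from the two worked cases and generalizes the "do not skip a month" fallback to any month; treating a week number beyond the month's last week as the last week is an assumption.

```python
import calendar

# Day names as the dashboard lists them; the index matches date.weekday() (Monday == 0).
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]

def month_weeks(year, month):
    """Calendar weeks (Monday..Sunday) of a month as lists of dates, with the days of the
    neighbouring months dropped. September 2022 therefore has 5 weeks: the first holds
    only 4 days (Thu 1 .. Sun 4) and the fifth holds 5 (Mon 26 .. Fri 30)."""
    cal = calendar.Calendar(firstweekday=calendar.MONDAY)
    weeks = []
    for week in cal.monthdatescalendar(year, month):
        days = [d for d in week if d.month == month]
        if days:
            weeks.append(days)
    return weeks

def scheduled_day(year, month, weekday, week_no):
    """Date on which a 'weekday + week_no' selection fires in the given month.

    If that calendar week does not contain the weekday (only possible in a partial
    first or last week), roll to the first or last occurrence of the weekday in the
    month instead, so that no month is skipped. The dashboard offers weeks 1..5;
    treating a week number past the month's last week as the last week is an assumption."""
    wanted = WEEKDAYS.index(weekday)
    weeks = month_weeks(year, month)
    idx = min(week_no, len(weeks)) - 1
    for d in weeks[idx]:
        if d.weekday() == wanted:
            return d
    occurrences = [d for w in weeks for d in w if d.weekday() == wanted]
    return occurrences[0] if idx == 0 else occurrences[-1]

def scheduled_days(year, month, weekday, week_nos=None):
    """All dates the selection fires in a month: every occurrence of the weekday when no
    weeks are selected, otherwise one date per selected week (duplicates removed, since
    'Monday + First Week' and 'Monday + Second Week' both resolve to 5 September 2022)."""
    if not week_nos:
        return [d for w in month_weeks(year, month) for d in w
                if d.weekday() == WEEKDAYS.index(weekday)]
    return sorted({scheduled_day(year, month, weekday, n) for n in week_nos})

if __name__ == "__main__":
    for day, week in [("Thursday", 1), ("Monday", 1), ("Sunday", 5)]:
        print(day, "+ week", week, "->", scheduled_day(2022, 9, day, week))
```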
Force reboot during time selection - the PC will reboot no more than once in the selected time interval, even if there are no Microsoft Updates that require a restart.
OS Reboot Delay - allows you to configure a reboot delay interval and a number of postpones to grant the end-user the possibility of preparing for a scheduled reboot required to complete the installation of a Windows Update. The two sliders will allow you to set the number of minutes the user can delay a reboot and how many times a reboot can be delayed:
OS Reboot Delay can allow the user to postpone the reboot event outside the scheduled interval. The reboot postpone notifications are displayed even if the Agent notifications for reboot functionality is disabled.
Delivery Optimization - allows you to enable/disable the delivery optimization functionality to reduce bandwidth consumption by sharing the work of downloading packages across multiple devices within the organization;
Limit bandwidth for download - sets the maximum foreground and background download bandwidth, in MB per second, that the device can use across all concurrent download activities.
IMPORTANT
OS Updates is not designed to support the installation of Windows Updates that are approved via WSUS. Although an endpoint can be pointed to look for updates on a WSUS location, the HEIMDAL Agent is not able to discover the updates approved in WSUS and install them. The recommendation is to allow HEIMDAL's OS Updates to manage them by searching and installing them right from the Microsoft Update servers.
Linux OS
Operating System Updates - turn ON/OFF the Operating System Updates product. The System Updates and Security Updates can be deployed by the module. Other updates can be deployed using the Infinity Management module.
OS Vulnerability reporting only - will only display the updates available for the endpoints in your environment without applying them. This option is enabled by default for new Group Policies.
General Settings
Suppress and install everything - allows you to enable/disable the automatic download and installation of all the available Linux Updates (both those that require a reboot to complete the installation process and those that do not);
Installation by category - allows you to enable/disable the automatic download and installation of specified Linux Updates categories. Categories can be selected from the drop-down menu:
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for new available Linux Updates. 6 hours is the default value for newly-created group policies;
OS Schedule - allows you to configure the deployment of the available Linux Updates by selecting a day/multiple days during the week or during the month (and a timeframe that applies to the selected day(s)). Choosing a week of the month will make the HEIMDAL Agent apply the same functionality for all selected days of the week. The scheduler can be made Active during the time selection or Inactive during the time selection:
macOS
Operating System Updates - turn ON/OFF the Operating System Updates product.
General Settings
Download new updates when available - allows you to automatically download (in the background) available updates without installing them;
Install macOS updates - allows you to install available updates automatically (according to Apple's scheduler);
Assets view - allows you to track down and manage all the OS Updates installed on the devices in your organization;
Install Security Responses and system files - allows you to install available security updates and other system files automatically;
Install application updates from the App Store - allows you to update applications installed from the App Store automatically;
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for new Available OS Updates: