In this article, you will learn everything you need to know about the Patch & Asset Management - Microsoft Updates module.
1. Description
2. How do Microsoft Updates work?
3. Microsoft Updates view
4. Microsoft Updates settings
DESCRIPTION
With Patch and Asset Management you can apply Microsoft Updates to the Windows computers in your company’s environment. The Patch & Asset Management – Microsoft Updates module allows the management of these patches, select which ones to deploy on the computers under the respective Group Policy, delete or hide them, select to suppress the reboot of the endpoints (on Windows Updates that require a reboot to complete installation), as well as schedule when the computers to be restarted.
HOW DO MICROSOFT UPDATES WORK?
The Microsoft Updates module checks the installed and the available Windows Updates on an endpoint and reports them to the HEIMDAL Dashboard. The Administrator can deploy and install available Windows Updates with two methods:
A. Manual deployment and installation of Windows Updates means that the HEIMDAL Dashboard Administrator can manually select the available update(s) to be deployed right from the HEIMDAL Dashboard -> Products -> Patch & Asset Management -> Microsoft Updates.
B. Automatic deployment and installation of Windows Updates means that the HEIMDAL Dashboard Administrator can configure the automatic deployment and installation of available Windows Updates through the HEIMDAL Agent.
Windows Updates are available for installation when they are made available on the Server Source (e.g. WSUS Server or the Microsoft API).
- Set delivery optimization (enable/disable Windows Updates delivery optimization feature)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config - DownloadMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings - DODownloadMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings -DownloadMode_BackCompat
- Change scheduler settings (allows the HEIMDAL Agent to bypass the Windows settings in order to control the restart mechanism)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\WindowsUpdate - SetActiveHours
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\WindowsUpdate - ActiveHoursStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\WindowsUpdate - ActiveHoursEnd
- Change automatic updates settings (allows the HEIMDAL Agent to deactivate the automatic Windows Updates)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\WindowsUpdate\AU - AUOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\WindowsUpdate\AU - NoAutoUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\WindowsUpdate\AU - ScheduledInstallDay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\WindowsUpdate\AU - ScheduledInstallTime
MICROSOFT UPDATES view
The Patch & Asset Management - Microsoft Updates view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the Windows Updates that are available or installed by the HEIMDAL Agent. On the top, you see a statistic regarding the number of Installed Windows updates and the number of Available/Pending Windows Updates.
The collected information is placed in the following views: Installed, Pending, Available, Updates per Endpoint, and Compliance view.
- Installed
This view displays a table with Windows Updates that are installed on the endpoints in your organization with the following details: Title, KB, Severity, Endpoints, Servers, CVE, CVSS, Products, and Categories.
In the Installed view, you are allowed to select one or multiple entries and Hide them from the view using the Hide Updates button from the dropdown menu. You can also use the Select GP dropdown menu to list the installed Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates. - Pending
This view displays a table with Windows Updates that are pending to complete the installation on the endpoints in your organization with the following details: Title, KB, Severity, Endpoints, Servers, Reboot, CVE, CVSS, Products, and Categories.
In the Pending view, you are allowed to select one or multiple entries and Remove or Hide them from the view using the Remove or Hide Updates buttons from the dropdown menu. You can also use the Select GP dropdown menu to list the pending Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates. - Available
This view displays a table with Windows Updates that are available for installation on the endpoints in your organization with the following details: Title, KB, Severity, Endpoints, Servers, Reboot, CVE, CVSS, Products, and Categories.
In the Available view, you are allowed to select one or multiple entries and Install or Hide them from the view using the Install or Hide Updates buttons from the dropdown menu. You can also use the Select GP dropdown menu to list the pending Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates. - Updates per Endpoint
This view displays a table with Windows Updates per Endpoint with the following details: Hostname, Username and Updates per Endpoint.
- Compliance view
This view displays a table with the compliant and non-compliant endpoints (in terms of installed Windows Updates) with the following days: Hostname, Username, Number of Updates, Highest Severity, Operating System, Oldest patch date, Last Seen, and Status.
MICROSOFT UPDATES settings
The Patch & Asset Management - Microsoft Updates module allows the HEIMDAL Dashboard Administrator(s) to view, download and deploy available Windows Updates that are specific to any endpoint in your environment. HEIMDAL Patch & Assets allows you to select which ones to deploy on the computers that are applying the current Group Policy, to delete or hide them and select to suppress the reboot of the endpoints after completing the Windows Updates installation or to schedule when the endpoints will reboot (to complete the installation of the Windows Update).
Microsoft Updates - turn ON/OFF the Microsoft Updates Software module;
Microsoft Vulnerability reporting only - will only display the Windows Updates available for the endpoints (in the Microsoft Updates view) in your environment without applying them. The Available Windows Update will move to the Installed view once they have been installed;
General Settings
Install no restart required updates only - allows you to enable/disable the automatic download and install of all the available Windows Updates that do not require a reboot to complete the installation process;
Suppress and install everything - allows you to enable/disable the automatic download and install of all the available Windows Updates (those that require a reboot the complete the installation process and also those that do not require a reboot). The reboot is performed according to the Microsoft Updates Reboot Schedule or when the user chooses so (if the Microsoft Updates Reboot Schedule is disabled) after receiving the Reboot Required warning;
Installation of optional updates - allows you to enable/disable the automatic download and install of optional updates (like Microsoft Feature Updates);
Installation by category - allows you to enable/disable the automatic download and install of specified Microsoft Updates categories. Categories can be selected from the drop-down menu:
Installation of other Microsoft products - allows you to enable/disable the automatic download and install Microsoft Updates for other Microsoft products like Microsoft 365, Microsoft Office, Microsoft Teams, OneDrive, OneNote, Microsoft Edge;
Agent notifications for reboot - allows you to enable/disable the Reboot Required notification that is displayed by the HEIMDAL Agent on the end-user computer when a reboot is necessary to finish the installation of a Windows Update;
Server Source - allows the HEIMDAL Agent to download the available Windows Updates from the servers you chose. If Default is selected the Windows Updates will be downloaded from the source configured on the machine (WSUS or any other 3rd Party Server), while if Windows Updates is selected, WSUS or any other 3rd Party Server will be bypassed so that the Windows Updates are fetched from Microsoft Servers;
The section below allows you to hide or delete specific Windows Update:
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for new Available Windows Updates:
Delayed Microsoft Updates Interval (days) - allows you to postpone the installation of the Windows Updates for a number of days after their release. This setting will override the customization of the scheduler:
Microsoft Updates Schedule - allows you to configure the deployment of the available Windows Updates by selecting a day/multiple days during the week or during the month (and a timeframe that applies to the selected day(s)). Choosing a week of the month will make the HEIMDAL Agent will apply the same functionality for all selected days of the week. The scheduler can be made Active during the time selection or Inactive during the time selection:
Microsoft Updates Reboot Scheduler - allows you to configure the restart interval for the endpoints that are installing Windows Updates that require a reboot by selecting a day/multiple days during the week or during the month (and a timeframe that applies to the selected day(s)). Choosing a week of the month will make the HEIMDAL Agent will apply the same functionality for all selected days of the week. The scheduler can be made Active during the time selection or Inactive during the time selection:
Microsoft Updates Reboot Delay - allows you to configure a reboot delay interval and a number of postpones to grant the end-user the possibility of preparing for a scheduled reboot required to complete the installation of a Windows Update. The two sliders will allow you to set the number of minutes the user can delay a reboot and how many times a reboot can be delayed:
