With Heimdal™ Threat Prevention - Endpoint you can now apply Microsoft Updates to the Windows computers in your company’s environment.
The Heimdal™ Patch & Asset Management – Microsoft Updates feature lets you manage these patches: select which ones to deploy on the computers under the respective Group Policy, delete or hide them, suppress the reboot of the machines after the installation completes, and schedule when the computers are restarted.
Microsoft updates can be deployed manually or automatically.
1.1 Manual deployment of an update means that you select the available updates to be deployed yourself.
For this process, log into the Heimdal Dashboard, go to the left panel, select Patch & Asset Management, and then click on the Microsoft Updates tab.
In this view, the Microsoft updates are categorized as follows:
- Installed – shows a list of updates already installed
- Pending – shows a list of the updates that are in the process of installing
- Available – shows a list of the updates that are available to be installed
- Updates per endpoint – the total of updates (installed + pending + available) per endpoint
- Compliance view – shows a list of all the compliant or non-compliant updates (in the time frame you prefer)
The total number of updates installed or available to install on your machines is displayed at the top of the page.
To manually deploy an update, go to the Available tab, select one Microsoft Update from the list and click on Install.
Once you click on Install, a pop-up shows three options:
- Suppress Reboot – the update will apply without an immediate restart
- Global Install – the update will apply to all group policies for all endpoints
- Custom policy global install – the update will apply globally to specific group policies. For this option, select in the bar the specific policy or policies the update should be applied to
After you select the preferred option or options, click on YES to apply them.
You can also sort the Microsoft Updates by different criteria like title, KB, severity, devices, servers, CVE, and CVSS by clicking on each tab.
Additionally, if you click on a Microsoft Update a new page will open with more technical details.
For each Microsoft Update, the number of devices on which the update can be installed is also displayed. If you click on the number, you are redirected to another page that lists the name or names of those devices.
1.2 Automatic deployment means that you allow the Thor Agent to install and deploy the available updates automatically.
For this type of deployment, select the first of the Group Policies created, click on the Heimdal™ Threat Prevention tab, then Vulnerability Mgmt, and choose Microsoft Updates.
In this view, select Enable Microsoft Updates, or select only Microsoft Vulnerability reporting only.
Microsoft Vulnerability reporting only displays the available updates without applying them to the machines, as also described by the orange pop-up at the top. Once this option is enabled, all the settings below are greyed out.
However, the updates will be removed from the list once they have been installed on the computers in the Group Policy.
If you select only Enable Microsoft Updates, you can proceed to customize the settings below.
Install no restart required updates only automatically pushes all the patches that do not require a restart after completion.
Suppress and install everything installs all Windows updates, whether or not they require a reboot, without restarting the computer automatically unless the reboot schedule is activated.
If Enable Agent notifications for reboot is activated, the Thor agent displays a message on the end user's computer stating that a restart is necessary to finish the installation.
Server Source lets you choose the servers from which Heimdal Security downloads the updates. There are two choices available. If Default is selected, the updates are downloaded from the source configured on the machine; if Windows Updates is selected, any other 3rd-party source or WSUS is bypassed so that the updates are fetched from Microsoft servers.
Enable installation by category helps you control which updates you want to install, by category.
These updates can also be sorted by different criteria like title, KB, severity, release date, Added ON, and Suppress Reboot by clicking on each tab. Additionally, in the Suppress Reboot column, you can individually select which updates should not trigger a reboot.
Windows Updates Check Interval – this option controls how often Heimdal checks for available Windows Updates. The minimum is 720 min. Forced Reboot Delay controls how long the forced reboot can be delayed, up to 60 minutes.
The Enable Delaying Windows Updates option allows postponing the updates for a number of days after their release, from 1 to 31 days. This setting overrides the customization of the scheduler.
For Microsoft Updates, the user controls when they are deployed and can set a schedule from Enable Microsoft Updates Schedule.
Enable Microsoft Updates Reboot Schedule allows selecting a timeframe in which devices are restarted after an update that requires a reboot has been installed.
Force reboot during time selection restarts the computer no more than once in the selected timeframe, even if no installed updates required a reboot.
Enable Microsoft Updates Reboot Delay allows delaying an automatic reboot after the installation of an update.
You also have the option to choose the interval of the delay and the number of postponements allowed for the end user.
After everything has been selected and adjusted, click Update Policy for the changes to take effect.
What changes does the Heimdal Thor Agent apply on your machines when Microsoft Updates is enabled?
- Set delivery optimization (enables or disables the Windows Update delivery optimization feature):
  "SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings"
    DownloadMode
  "SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config"
    DODownloadMode
    DownloadMode_BackCompat
- Change scheduler settings (prevents Windows from using its own scheduler to reboot the PC, so that Heimdal controls the reboot time):
  "SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    SetActiveHours
    ActiveHoursStart
    ActiveHoursEnd
- Change automatic updates settings (deactivates the Windows automatic updates module):
  "SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
    AUOptions
    NoAutoUpdate
    ScheduledInstallDay
    ScheduledInstallTime
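To verify on an endpoint which of the registry values listed above are actually set, the following read-only PowerShell audit (an added example, not Heimdal's own code) reads each value under HKLM and reports whether it is present. The meanings shown in the Note column come from Microsoft's Windows Update and Delivery Optimization policy documentation, not from this article.

```powershell
# Added example: audit the registry values named above on a Windows endpoint.
# Run in an elevated PowerShell session; it only reads and changes nothing.

# The registry locations from the article, under the HKLM hive.
$Targets = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings'
       Values = 'DownloadMode' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'
       Values = 'DODownloadMode', 'DownloadMode_BackCompat' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Values = 'SetActiveHours', 'ActiveHoursStart', 'ActiveHoursEnd' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Values = 'AUOptions', 'NoAutoUpdate', 'ScheduledInstallDay', 'ScheduledInstallTime' }
)

# Documented Microsoft policy meanings, used only to annotate the report.
function Describe([string]$Name, $Value) {
    switch ($Name) {
        'NoAutoUpdate'   { if ($Value -eq 1) { 'Windows Automatic Updates disabled' } else { 'Automatic Updates enabled' } }
        'AUOptions'      { @{2='notify before download';3='auto download, notify install';4='auto download, scheduled install';5='local admin chooses'}[[int]$Value] }
        'SetActiveHours' { if ($Value -eq 1) { 'Active Hours enforced by policy' } else { 'Active Hours not enforced' } }
        { $_ -like '*DownloadMode*' } { @{0='HTTP only';1='LAN peers';2='group peers';3='internet peers';99='simple, no peering';100='bypass DO'}[[int]$Value] }
        default          { '' }
    }
}

$Report = foreach ($t in $Targets) {
    # With SilentlyContinue an absent key yields $null instead of a terminating error.
    $props = Get-ItemProperty -Path $t.Key -ErrorAction SilentlyContinue
    foreach ($v in $t.Values) {
        $present = ($null -ne $props) -and ($null -ne $props.PSObject.Properties[$v])
        $data = if ($present) { $props.$v } else { $null }
        $note = if ($present) { Describe $v $data } else { 'not set by policy' }
        [pscustomobject]@{ Key = $t.Key; Value = $v; Present = $present; Data = $data; Note = $note }
    }
}

$Report | Format-Table -AutoSize

# Drift check: warn about values the agent is expected to manage but that are missing.
$Report | Where-Object { -not $_.Present } |
    ForEach-Object { Write-Warning "$($_.Value) missing under $($_.Key)" }
```

Comparing this report before and after a Group Policy change in the dashboard shows exactly which values the agent applied.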
Windows Updates with "Vulnerabilities reporting"
A new pop-up is displayed when trying to install Windows Updates for group policies that have “Microsoft Vulnerability reporting only” enabled. Agreeing to continue will disable “Microsoft Vulnerability reporting only” for the selected group policies and install the selected update.
Windows updates - CVE correlation KB
The CVE correlation with the KB code was improved using the Microsoft API. The information displayed in the Windows Updates section is up to date, according to the latest information available from Microsoft.
How Feature Updates are deployed
Starting with Windows 10, Microsoft introduced a new servicing model known as "Windows as a Service" (WaaS): instead of getting a new version around every three years, you receive incremental updates that speed up the integration of new features and simplify the process of keeping devices secure and supported.
As a result of this servicing model, there are now two types of updates: "feature updates" and "quality updates." Both are equally important, but each one delivers a different set of improvements at different times.
On Windows 10, feature updates are technically new versions of the OS, available twice a year, in the spring and fall time frames. They are also known as "semi-annual" releases, and they are supported for 18 months. After the support cycle ends, you must upgrade to a supported version to continue getting security and non-security patches.
As part of the development process, Microsoft uses telemetry data and feedback from internal testing and from participants in the Windows Insider Program to prepare the new version. Once the update passes the testing phases and proves to be reliable, the rollout begins to consumers and then to business customers through Windows Update as an optional update, which users have to install manually. However, devices with an installation nearing the end of service receive the feature update automatically to keep the system secure and supported.
Feature updates for Windows 10 are optional, and they shouldn't install automatically as long as the version on your device is still supported. If you're running the professional version of Windows 10, you can also defer feature updates for up to 12 months after their original release date.