Heimdal Security Assistance and Support Help Center home page

Articles in this section

Haven't Tried Heimdal Yet?

Start Free Trial 30-day Free Trial. Offer valid only for companies.

Operating System Updates

Last updated

In this article, you will learn everything you need to know about the Patch & Asset Management - Operating System module.

1. Description
2. How do Operating System Updates work?
3. HEIMDAL Agent - Operating System Updates
4. Operating System Updates view
5. Operating System Updates settings

DESCRIPTION

With Patch and Asset Management you can install Operating System Updates to the Windows/Linux computers in your company’s environment. The Patch & Asset Management – Operating System Updates module allows the management of these patches, select which ones to deploy on the computers under the respective Group Policy, delete or hide them, select to suppress the reboot of the endpoints (on updates that require a reboot to complete installation), as well as schedule when the computers to be restarted.

HOW DO OPERATING SYSTEM UPDATES WORK?

The Operating System Updates module checks the installed and the available Operating System Updates on an endpoint and reports them to the HEIMDAL Dashboard. The Administrator can deploy and install available Windows Updates with two methods:
A. Manual deployment and installation of Windows Updates means that the HEIMDAL Dashboard Administrator can manually select the available update(s) to be deployed right from the HEIMDAL Dashboard -> Products -> Patch & Asset Management -> Operating System Updates.
B. Automatic deployment and installation of Operating System Updates means that the HEIMDAL Dashboard Administrator can configure the automatic deployment and installation of available Operating System Updates through the HEIMDAL Agent. 
Windows Updates are available for installation when they are made available on the Server Source (e.g. WSUS Server or the Microsoft API). 

  • Change scheduler settings (allows the HEIMDAL Agent to bypass the Windows settings in order to control the restart mechanism if Microsoft Update Reboot Schedule is enabled in the Group Policy)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - ActiveHoursEnd
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - ActiveHoursStart
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - SetActiveHours

  • Change automatic updates settings (allows the HEIMDAL Agent to deactivate the automatic Windows Updates)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU - AllowMUUpdateService (0 or 1)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU - AUOptions (2)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU - NoAutoUpdate (1)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU - ScheduledInstallDay (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU - ScheduledInstallTime (0)

  • Set delivery optimization (enable/disable Windows Updates delivery optimization feature)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config - DODownloadMode (1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config -DownloadMode_BackCompat (1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings - DownloadMode (1)
When the OS Updates product is disabled, the HEIMDAL Agent will restore the registry keys to the previous settings. 

HEIMDAL Agent - Windows Updates 

The HEIMDAL Agent displays information about the Installed Updates, the Available Updates, and the Pending Updates.
patches_asset_management.JPG
The HEIMDAL Agent allows the end-user to see the installed Windows Updates that were installed on a computer.
wu.JPG

OPERATING SYSTEM UPDATES view

The Patch & Asset Management - Operating System Updates view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the Operating System Updates that are available or installed by the HEIMDAL Agent and is divided between the Windows Updates installed on Windows endpoints and the Linux Updates installed on Linux endpoints.

Windows OS

On the top, you see a statistic regarding the number of Installed updates and the number of Available/Pending updates.

mu_statistics.JPG

The collected information is placed in the following views: InstalledPending, Available, Updates per Endpoint, and Compliance view.

  • Installed
    This view displays a table with Windows Updates that are installed on the endpoints in your organization with the following details: Title, KB, Severity, Endpoints, Servers, CVE, CVSS, Products, and Categories
    installed.JPG
    In the Installed view, you are allowed to select one or multiple entries and Hide them from the view using the Hide Updates button from the dropdown menu. You can also use the Select GP dropdown menu to list the installed Windows Updates for the selected Group Policy.  The Show Hidden Updates radio button allows you to display all the hidden Windows Updates.
  • Pending
    This view displays a table with Windows Updates that are pending to complete the installation on the endpoints in your organization with the following details: Title, KB, Severity, Endpoints, Servers, Reboot, CVE, CVSS, Products, and Categories
    pending.JPG
    In the Pending view, you are allowed to select one or multiple entries and Remove or Hide them from the view using the Remove or Hide Updates buttons from the dropdown menu. You can also use the Select GP dropdown menu to list the pending Windows Updates for the selected Group Policy.  The Show Hidden Updates radio button allows you to display all the hidden Windows Updates.
  • Available
    This view displays a table with Windows Updates that are available for installation on the endpoints in your organization with the following details: Title, KB, Severity, Endpoints, Servers, Reboot, CVE, CVSS, Products, and Categories
    installed.JPGIn the Available view, you are allowed to select one or multiple entries and Install or Hide them from the view using the Install or Hide Updates buttons from the dropdown menu. You can also use the Select GP dropdown menu to list the pending Windows Updates for the selected Group Policy.  The Show Hidden Updates radio button allows you to display all the hidden Windows Updates.
  • Updates per Endpoint
    This view displays a table with Windows Updates per Endpoint with the following details: Hostname, Username, and Updates per Endpoint
    updates_per_endpoint.JPG
  • Compliance view
    This view displays a table with the compliant and non-compliant endpoints (in terms of installed Windows Updates) with the following days: Hostname, Username, Number of Updates, Highest Severity, Operating System, Oldest patch date, Last Seen, and Status.
    compliance_view.JPG

Linux OS

On the top, you see a statistic regarding the number of Installed updates and the number of Available/Pending updates.

mu_statistics.JPG

The collected information is placed in the following views: InstalledPending, Available and Updates per Endpoint.

  • Installed
    This view displays a table with Linux Updates that are installed on the endpoints in your organization with the following details: Application, Package, Version, Endpoints, Servers, Category, and Distribution
    installed.JPG
  • Pending
    This view displays a table with Linux Updates that are pending to complete the installation on the endpoints in your organization with the following details: Application, Package, Version, Endpoints, Servers, Category, and Distribution
    pending.JPG
  • Available
    This view displays a table with Linux Updates that are available for installation on the endpoints in your organization with the following details: Application, Package, Version, Endpoints, Servers, Category, and Distribution
    available.JPG
  • Updates per Endpoint
    This view displays a table with the Updates per Endpoint with the following details: Hostname, Username, and Updates per Endpoint. updates_per_endpoint.JPG

OPERATING SYSTEM UPDATES settings

The Patch & Asset Management - Operating System Updates module allows the HEIMDAL Dashboard Administrator(s) to view, download and deploy available Operating System Updates that are specific to any endpoint in your environment. Patch & Assets allows you to select which ones to deploy on the computers that are applying the current Group Policy, to delete or hide them and select to suppress the reboot of the endpoints after completing the Operating System Updates installation or to schedule when the endpoints will reboot (to complete the installation of the Operating System Update). 

Windows OS

mceclip29.png
Operating System Updates - turn ON/OFF the Operating System Updates product;
Microsoft Vulnerability reporting only - will only display the Windows Updates available for the endpoints (in the Microsoft Updates view) in your environment without applying them.

General Settings

Install no restart required updates only - allows you to enable/disable the automatic download and install of all the available Windows Updates that do NOT require a reboot to complete the installation process;
Suppress and install everything - allows you to enable/disable the automatic download and installation of all the available Windows Updates (those that require a reboot the complete the installation process and also those that do not require a reboot) when they are released by Microsoft on the Microsoft API. The reboot is performed when the Windows Update is installed (if the OS Updates Reboot Schedule is disabled) after receiving the Reboot Required warning or according to the OS Updates Reboot Schedule
Installation of optional updates - allows you to enable/disable the automatic download and installation of optional updates (like Microsoft Feature Updates);
Prevent Windows 11 auto-upgrade - allows you to prevent the computers from installing the Upgrade to Windows 11;
Enhanced reboot detection - the HEIMDAL Agent will perform another check to see if a reboot is required to complete the installation of a Windows Update. This feature may put the endpoint(s) in a continuously reboot state;
Installation by category - allows you to enable/disable the automatic download and installation of specified Microsoft Updates categories. Categories can be selected from the drop-down menu:

mceclip30.png
Installation of other Microsoft products - allows you to enable/disable the automatic download and install Microsoft Updates for other Microsoft products like Microsoft 365, Microsoft Office, Microsoft Teams, OneDrive, OneNote, Microsoft Edge;
Agent notifications for reboot - allows you to enable/disable the Reboot Required notification that is displayed by the HEIMDAL Agent on the end-user computer when a reboot is necessary to finish the installation of a Windows Update;
Server Source - allows the HEIMDAL Agent to download the available Windows Updates from the servers you chose. If Default is selected the Windows Updates will be downloaded from the source configured on the machine (WSUS or any other 3rd Party Server), while if Windows Updates is selected, WSUS or any other 3rd Party Server will be bypassed so that the Windows Updates are fetched from Microsoft Servers;

The section below allows you to hide or delete specific Windows Updates that are manually set for installation:
mceclip0.png

Check interval - allows you to set the time interval when the HEIMDAL Agent checks for new Available Windows Updates:
mceclip35.png
Delayed OS Interval (days) - allows you to postpone the installation of the Windows Updates for a number of days after their release. This setting will override the customization of the scheduler:
mceclip31.png OS Schedule - allows you to configure the interval(s) when the deployment of available Windows Updates takes place. You can select a day/multiple days during the week or during the month (and a timeframe that applies to the selected day/s).  Choosing a week of the month will make the HEIMDAL Agent apply the same options for all selected days of the week. The scheduler can be made Active during the time selection or Inactive during the time selection. This feature is designed to allow you to schedule when the download and installation of Windows Updates take place to minimize the impact on the workflow in your environment;

mceclip33.png  

OS Reboot Scheduler - allows you to configure the interval(s) when an endpoint can reboot in order to complete the installation of available Windows Updates Updates that require a reboot. You can select a day/multiple days during the week or during the month (and a timeframe that applies to the selected day/s).  Choosing a week of the month will make the HEIMDAL Agent apply the same options for all selected days of the week. The scheduler can be made Active during the time selection or Inactive during the time selection. This feature is designed to allow you to schedule when an endpoint can reboot in order to complete the installation of Windows Updates that require a reboot to minimize the impact on the workflow in your environment;

mceclip34.pngOS Reboot Delay - allows you to configure a reboot delay interval and a number of postpones to grant the end-user the possibility of preparing for a scheduled reboot required to complete the installation of a Windows Update. The two sliders will allow you to set the number of minutes the user can delay a reboot and how many times a reboot can be delayed:

mceclip36.png

Linux OS

linux_gp.JPGOperating System Updates - turn ON/OFF the Operating System Updates product;

General Settings

Suppress and install everything - allows you to enable/disable the automatic download and installation of all the available Linux Updates (those that require a reboot the complete the installation process and also those that do not require a reboot);
Installation by category - allows you to enable/disable the automatic download and installation of specified Linux Updates categories. Categories can be selected from the drop-down menu:
os_category_update.JPG

Check interval - allows you to set the time interval when the HEIMDAL Agent checks for new available Linux Updates:
mceclip35.png
OS Schedule - allows you to configure the deployment of the available Linux Updates by selecting a day/multiple days during the week or during the month (and a timeframe that applies to the selected day(s)).  Choosing a week of the month will make the HEIMDAL Agent will apply the same functionality for all selected days of the week. The scheduler can be made Active during the time selection or Inactive during the time selection:

os_schedule.JPG

Haven't Tried Heimdal Yet?

Start Free Trial 30-day Free Trial. Offer valid only for companies.