Distributing OS patches to Windows devices

MaaS360® provides a way to natively find and report missing OS patches for managed Windows 10+ devices. You can distribute and install missing patches on a single device or all devices. This feature is available at no additional charge to all customers who have a valid MaaS360 entitlement for Windows.

Before you begin

  • The Windows Update service must be running on endpoints so that MaaS360 can determine the OS patches that are missing from those endpoints.
  • The endpoints must also have network access to the Windows Update Server.
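
A pre-flight check for the two prerequisites above, as an added example that is not part of the MaaS360 documentation or product. The function name `Test-PatchScanPrerequisite` and the sample endpoint list are assumptions; substitute the update hosts (public or internal) that your devices actually use.

```powershell
# Added example, not IBM or MaaS360 code.
# Assumption: sample endpoints and ports; replace with the update hosts
# (public or internal) that your devices are expected to reach.
$SampleEndpoints = @(
    @{ Host = 'sls.update.microsoft.com';   Port = 443 },
    @{ Host = 'download.windowsupdate.com'; Port = 80 }
)

function Test-PatchScanPrerequisite {
    param([hashtable[]]$Endpoint = $SampleEndpoints)

    # Prerequisite 1: the Windows Update service (service name wuauserv).
    $svc = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        [pscustomobject]@{ Check = 'Service wuauserv'; Pass = $false; Detail = 'service not found' }
    } else {
        # Report StartType too: a Disabled service cannot be started on demand,
        # which is a different fix from a service that is merely stopped.
        [pscustomobject]@{
            Check  = 'Service wuauserv'
            Pass   = ($svc.Status -eq 'Running')
            Detail = "Status=$($svc.Status); StartType=$($svc.StartType)"
        }
    }

    # Prerequisite 2: TCP reachability of each update endpoint.
    foreach ($e in $Endpoint) {
        $reachable = Test-NetConnection -ComputerName $e.Host -Port $e.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check  = "Reach $($e.Host):$($e.Port)"
            Pass   = [bool]$reachable
            Detail = if ($reachable) { 'TCP connect succeeded' } else { 'TCP connect failed (DNS, proxy, or firewall)' }
        }
    }
}

# Run on the endpoint; any row with Pass = False needs attention before
# the device can report missing patches.
Test-PatchScanPrerequisite | Format-Table -AutoSize
```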

About this task

The OS Patches (Windows) page lists the operating system patches that are missing from your Windows devices and the devices that currently have an active operating system patch scheduled for distribution to the device.

Procedure

  1. From the IBM® MaaS360 Portal Home page, select Security > OS Patches (Windows).
    A list of the patches that are missing for the Windows operating system is displayed. A patch record is displayed for devices that are missing OS patches.
  2. From the Patch Name list, do one of the following:
    • To distribute a single OS patch, select an OS patch and click the Distribute button.
    • To distribute multiple OS patches, select the check box next to each OS patch name. A message at the top of the list shows the number of OS patches that you want to distribute. Click Distribute to distribute patches to all devices that are selected or click Unselect All to remove OS patches from distribution.
    [Figure: Missing Patches window]
    The Devices Missing Patch column displays the number of devices that are missing a specific patch.
  3. Click on the number that is displayed in the Devices Missing Patch column.
    [Figure: OS Patches list]
    The Devices Missing Patches page displays information about active devices that are missing the patch, including the managed status of those devices.
    [Figure: Devices Missing page]
  4. Click the Distribute link under a patch name and then provide the following information in the Distribute Patches window to schedule patch distribution to those devices that are missing the patch.
    Note: Portal administrators with either the Read-Only access role or the Help Desk access role do not have administrator rights to distribute patches. If a portal administrator with those access roles clicks Distribute, a patch distribution failed error message is displayed in the Portal and patches are not distributed to the device. Only administrators with Administrator Level 2 or MaaS360 Service Administrator access roles can distribute or stop the distribution of patches.
    Option | Description
    Distribution settings
    Distribute to | Distribute the patch to one of the following:
    • Devices Missing Patches: The list of devices that are missing the respective OS patch.
    • Device Group: The patch is distributed to devices in a specific group that are missing the respective OS patch.
      Note:
      • If a new device is added to a group after a missing patch was distributed to that group, that device automatically receives the patch distribution.
      • Distributions to default device groups can only be scheduled after a group level action is executed on those groups.
    • Specific Device: The patch is distributed to any specific device that is missing the respective OS patch.

    If patch distribution is active and a device is enrolled during the expiration time frame, that device still receives patches.

    Start Date | Specify the day that the patch distribution starts on the devices.
    Start time (0-23 Hrs) | Select the time that the patch distribution starts on the devices. The values include:
    • Immediately
    • 00 (midnight or 12:00 AM) to 23 (11:00 PM)
    Distribute Over (0-24 Hrs) | Forces MaaS360 to space out the distribution of patches over the selected hours to reduce the load on the network. The values include:
    • Immediately
    • 1 to 24 hours
    Action Expiry (in days) | The number of days that the patch distribution is active.
    Restart settings
    Prompt the user | The restart settings notify the user that their device requires a restart after OS patches are applied to the device. These settings support Windows MDM-enrolled devices only.
    Note: Some patches might automatically restart a device after an OS patch is applied to the device.
    If the Prompt the user option is enabled, the device user is notified that their device requires a restart after an OS patch was applied to that device.
    • Allow restart deferral: Enable this setting to allow the device user to set the specific amount of time in the Deadline for force restart option to defer restarting the device.
    • Deadline for force restart: The amount of time, in minutes, hours, or days, that the restart action waits until the device is forced to restart. The timed options before restarting the device are 5 minutes, 10 minutes, 15 minutes, 30 minutes, 1 hour, 2 hours, 4 hours, 6 hours, 8 hours, 1 day, 2 days, 3 days, 5 days, 7 days, or 15 days.
    Note: The scheduled patch distribution action supports Windows 10+ MDM-enrolled devices only, not DTM-enrolled devices. For basic patch distribution, only the Distribute to and Action Expiry (in days) options are available for DTM-enrolled devices.
  5. Click Distribution Details under a patch name to view the details about the distribution of OS patches.
    [Figure: Stop distribution action]
    The following details are displayed:
    Column | Description
    Distribution Target | The specific device name or all the devices that receive OS patches. The following actions are displayed under the device name:
    • Stop: Click Stop to stop active distribution of OS patches on the device.

      If a device has already received the patch distribution, and the administrator stops patch distribution, the patch is still installed on the device. The updated status of the patch distribution for the device is displayed on the Patch Distribution Status window.

      If a user stops patch distribution on a device before the device receives the patch, the next time that the device receives patch distribution information from the MaaS360 agent, the patch is not distributed to the device.

    • Status: Click Status to view the status of the distributed patch in the MaaS360 Portal.
      The Patch Distribution Status window is displayed. For administrators, this page displays how many patches were installed on which devices.
      [Figure: Patch distribution status]
      The following information is displayed in the Portal about the patch distribution:
      Column | Description
      Device Name | The name of the device or group of devices that received the OS patch.
      Status | The status of the OS patch distribution on the device. One of the following statuses is displayed:
      • Failed: The patch was not installed on the device.
      • In Progress: The MaaS360 agent has received the patch installation request and is currently installing the patch on the device.
      • Installed: The patch was installed on the device.
      • Received: The device received the patch distribution information from the MaaS360 Portal.
      • Scheduled: The patch is scheduled to be installed on the device.
      • Validation Pending: The MaaS360 agent is evaluating the patch installation status on the device.
      Distribution Date | The day and time that patch distribution was initiated on the target devices.
      Last Update Date | The last time that the administrator initiated patch distribution on the target devices.
    Status | The status of patch distribution to devices. One of the following statuses is displayed:
    • Active: Patch distribution is still active on the device. If a device is missing a patch, the administrator can still try to apply the patch to the device within the selected time frame.
    • Expired: Patch distribution is no longer active on the device because the time frame to distribute patches on the device has expired.
    • Scheduled: Patch distribution is currently scheduled on the device.
    • Stopped: Patch distribution is no longer active on the device because the patch is no longer needed on the device.
    Start Date and Time | The administrator account that last initiated patch distribution on target devices.
    End Date and Time | The day and time that patch distribution ended on target devices.
    Distribute Over (0-24 hrs) | The amount of time that MaaS360 spaced out the distribution of patches to reduce the load on the network.
    Last Updated By | The administrator account that last initiated patch distribution on target devices.