In Nebula, the Patch Management module allows you to apply an operating system patch by using the Windows API. Security fixes are available through operating system patches, so it is important to keep your devices up to date.
Reboots may be required by Microsoft to complete the installation of operating system patches, so it is recommended to apply patches to your endpoints during non-operating hours.
TIP - Keep the operating system patch information in Nebula accurate by running or scheduling an Inventory scan. This will ensure that any operating system patches you install from Nebula are the latest. For more information, see Configure Patch Management in Nebula.
There are four different methods to apply and view available operating system patches:
Scheduled patches
Create a schedule that regularly installs operating system patches to ensure your devices stay updated. This schedule applies all Windows operating system patches found at the time the schedule is run. To create a schedule:
- On the left navigation menu, go to Configure > Schedules.
- Click New.
- Enter a schedule name and choose OS Patches for Type.
- Optionally, filter which operating system patches install based on category and severity.
- Configure endpoint reboot settings with the options in the table below.
- Optionally, customize a deployment message and select the duration before the operating system patch automatically installs.
- On the Schedule groups tab, select target groups for the schedule.
- On the Schedule frequency tab, set the frequency, start date, and start time.
- Toggle on Run missed scans as soon as possible to allow the schedule to run if the endpoint was offline during the configured schedule time.
Note: To avoid unexpected updates after a powered-off endpoint comes online, toggle this setting off.
- Click Save.
Patch categories are defined using Windows standardized terminology for operating system services. For more information, see Microsoft software updates.
Setting | Description |
Don't reboot servers | Prevent servers from rebooting after an operating system patch. |
Use existing reboot settings | Follow the policy reboot settings. |
Override existing reboot settings | Override the policy and customize the reboot settings. |
Enable pre-deployment message | Allow users to see a custom message before the update is deployed. |
Message to display when a reboot is required | The message displayed to users if an operating system patch requires a reboot. |
Reboot automatically after | The time before the endpoint automatically reboots. |
Note: A user can continue to postpone a reboot indefinitely unless the reboot delay time is reached. Subsequent popups wait 1 minute for an additional postponement; otherwise, the endpoint reboots. If a user postpones a reboot, the Events screen shows an Audit event.
Available patches tab
Navigate to the Available patches tab to view the available operating system patches of a specific endpoint. To locate the Available patches tab:
- On the left navigation menu, go to Manage > Endpoints.
- Click an endpoint name to view the endpoint's properties.
- Click Patches, then click Available patches.
To apply a system patch:
- Select all or check specific boxes for system patches you want to install.
- Click Apply patch.
- In the confirmation window, click Patch.
To update software, see Update software with Patch Management in Nebula.
Patch Management page
Navigate to the Patch Management page to view and install available operating system patches across your environment.
- On the left navigation menu, go to Monitor > Patch Management.
- Select all or check specific boxes for system patches you want to install.
- Click Apply patch.
- In the confirmation window, click Patch.
Patch information
View the following information for each available patch:
Column | Description |
Patch | Name of the available patch. |
KB ID | Knowledge base ID of the patch. |
Description | Short description of the patch. |
Category | Type of patch. |
Endpoint | Host name of the endpoint. |
Identified date | Date the available patch was detected on the endpoint. |
Size | File size of the patch. |
Reboot required | Requirement of a reboot to complete the installation of the patch. |
Severity | Severity level of the patch determined by the vendor. Note: Unknown patches are released patches that are not associated with a severity level by the vendor. |
Vendor | Vendor name for the available patch. |
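To cross-check the console's patch list on a single endpoint, the following added example (not Malwarebytes code) queries the Windows Update Agent COM API locally and prints columns that mirror the table above. It assumes that API as the data source, which this page does not name, and treats a blank MSRC severity as Unknown, so results can differ from what Nebula reports.

```powershell
# Added example: list pending Windows updates on the local endpoint.
# Run in Windows PowerShell on the endpoint being checked.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Not installed, not hidden, software updates only (drivers excluded).
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

# IInstallationBehavior.RebootBehavior values as defined by the WUA API.
$rebootText = @{ 0 = 'Never'; 1 = 'Always'; 2 = 'May request' }

$pending = foreach ($u in $result.Updates) {
    # Assumption: an empty MsrcSeverity corresponds to the console's "Unknown".
    $severity = if ([string]::IsNullOrEmpty($u.MsrcSeverity)) { 'Unknown' }
                else { $u.MsrcSeverity }

    [pscustomobject]@{
        Patch             = $u.Title
        'KB ID'           = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
        Category          = @($u.Categories | ForEach-Object { $_.Name }) -join ', '
        Endpoint          = $env:COMPUTERNAME
        'Size (MB)'       = [math]::Round([double]$u.MaxDownloadSize / 1MB, 1)
        'Reboot required' = $rebootText[[int]$u.InstallationBehavior.RebootBehavior]
        Severity          = $severity
    }
}

if (-not $pending) {
    Write-Output "No pending software updates reported on $env:COMPUTERNAME."
} else {
    $pending | Sort-Object Severity, Patch | Format-Table -AutoSize -Wrap
}

# A reboot left over from an earlier installation also matters when planning
# a patch window, so report it separately.
$sysInfo = New-Object -ComObject Microsoft.Update.SystemInfo
Write-Output "Reboot already pending: $($sysInfo.RebootRequired)"
```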
Endpoints page
On the Endpoints page, add a new column to see how many available patches there are for each endpoint. The following column is available:
- Available patches: Shows the number of available OS patches and 3rd-party software updates. Click the value to go to the Patch Management page filtered by the selected endpoint.