
Can somebody explain the Software Update philosophy?

ALE_CISO W/ Member Posts: 1 Security Scout

Hi,


I don't understand how the Software Updater is supposed to be working (in fact for the moment it doesn't really work).

If I activate automatic updates, let's say for critical updates, then it will install all critical patches, right? Then what's the point in including anything in the "Include software for automatic installation" menu?

If, on the contrary, activating automatic updates alone doesn't install anything, it means that all updates that I want to install must be included. Is it working this way? It's really not clear in the documentation.


And my current problem is that I activated automatic updates for critical patches for some people, didn't include anything, excluded the "Microsoft Corporation" vendor, and one of the users had the latest Windows security patch installed ... I'm lost.


Thanks,

Sébastien

Answers

  • MonikaL W/ Alumni Posts: 206 W/ Former Staff

    Hi,

    Inclusion and exclusion are based on the update installation status reported by managed hosts. For inclusion, updates are checked based on their severity and depending on what is selected in "Install security updates automatically". Then, all updates except for the excluded ones are installed.

    When a host starts installing missing updates, it checks for any excluded updates and reports that they were not installed due to exclusion by the administrator. This also means that excluded updates do not immediately disappear from the list on the Software updates tab, because the hosts only report the installation status once they attempt to install the missing update.

    To manually enter the details for the software updates that you want to include or exclude, do one of the following:

    • Under Include software for automatic installation, select Add rule.
    • Under Exclude software from automatic installation, select Add rule.


    For example, if you include the Microsoft Edge update in the setting "Include software for automatic installation", this will include only the Microsoft Edge update but exclude everything else, including Microsoft Windows updates as well as other third-party software updates, at the same time.


    Regarding excluding software from automatic installation, please refer to the below instructions.

    Prerequisite: You need to have a non-default profile before you can configure your software updater settings.

    You can exclude specific software updates from automatic installation by following these steps:

    1. Log in to the PSB Portal
    2. Go to the Profiles page
    3. Select the profile you want to modify
    4. Go to Software updater settings tab
    5. Under Exclude software from automatic installation, click Add rule 
    6. Select from the Rule drop-down menu one of the following:
       • Update name contains
       • Software name contains
       • Vendor name contains
       • Severity equals to
       • Bulletin ID equals to


    Then, depending on the rule you've chosen, enter the value in the remaining field. Examples:

    • Update name contains: Google Chrome 89.0.4389.82
    • Software name contains: Google Chrome
    • Vendor name contains: Google Inc.
    • Severity equals to: Critical Security / Important Security
    • Bulletin ID equals to: FSPM-41-64283-4


    You can view the update details from the Software Updater page in the PSB Portal.

    Note: 

    Only one software per exclusion is supported. If you need to add multiple software, click Add rule again.

    You can add several conditions in one rule. If you want to combine, for example, the Software name contains and Severity equals to conditions, click Add condition in the rule column.

    After the profile has been saved and published, the exclusion will be taken into use on the devices that have this profile assigned. 

    If you would like to hide the update completely from being detected as missing by Software Updater, you need to exclude it via the following setting in the PSB Portal profile editor:

    1. Log in to the PSB Portal
    2. Go to the Profiles page
    3. Select the profile you want to modify
    4. Go to Software updater settings tab
    5. Scroll down to the Exclude updates from scan results section.
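The selection logic described in the answer above can be modelled in a few lines of Python to reason about what a profile should do before publishing it. This is an added illustration, not part of the original answer and not the vendor's code. `Update`, `rule_matches` and `plan` are hypothetical names, the sample updates are constructed, and the model assumes that conditions inside one rule must all match, that matching is case-insensitive, and that include rules, when present, replace the severity selection.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Update:
    name: str
    software: str
    vendor: str
    severity: str
    bulletin: str

def rule_matches(rule, upd):
    """A rule is a list of (field, op, value) conditions; all must match (assumed)."""
    for field, op, value in rule:
        actual = getattr(upd, field).lower()
        if op == "contains":
            ok = value.lower() in actual
        elif op == "equals":
            ok = value.lower() == actual
        else:
            raise ValueError(f"unknown operator: {op}")
        if not ok:
            return False
    return True

def plan(updates, auto_severities, include=(), exclude=()):
    """Map each missing update to 'install', 'not selected' or 'excluded by administrator'."""
    decisions = {}
    for upd in updates:
        if include:   # include rules narrow the selection to matching updates only
            wanted = any(rule_matches(r, upd) for r in include)
        else:         # otherwise the automatic-install severity setting decides
            wanted = upd.severity in auto_severities
        if not wanted:
            decisions[upd.name] = "not selected"
        elif any(rule_matches(r, upd) for r in exclude):
            decisions[upd.name] = "excluded by administrator"  # status the host reports
        else:
            decisions[upd.name] = "install"
    return decisions

# Constructed sample data: names, severities and bulletin IDs are illustrative only.
MISSING = [
    Update("Google Chrome 89.0.4389.82", "Google Chrome", "Google Inc.",
           "Critical Security", "SAMPLE-0001"),
    Update("Windows cumulative update (sample)", "Microsoft Windows",
           "Microsoft Corporation", "Critical Security", "SAMPLE-0002"),
    Update("Microsoft Edge (sample)", "Microsoft Edge",
           "Microsoft Corporation", "Important Security", "SAMPLE-0003"),
]
```

Calling `plan(MISSING, {"Critical Security"}, exclude=[[("vendor", "contains", "Microsoft Corporation")]])` gives the outcome this model expects for a critical-only profile with a vendor exclusion, which can then be compared against the installation status the hosts actually report.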

This discussion has been closed.