Configure Manual Patch Deployment for Windows

Manual patching in Windows allows administrators to selectively deploy updates for the operating system and applications, helping with a controlled rollout. Whether an update needs to be installed immediately or tested on a specific set of devices before a wider deployment, Hexnode UEM’s manual patching provides an efficient solution.

The Automation feature streamlines the update process by allowing you to handpick, schedule, and define target devices/users for desired updates/patches.

Steps to configure manual patching on Windows devices

1. Log in to Hexnode UEM.
2. Navigate to the Automate tab, click on New Automation, and select Windows as the platform.
Basic

Provide the following details:

• Name: Enter a name for the automation.
• Description: Add a brief description to clarify the automation’s intent or scope (optional).

3. Click Next.
Action

Select Patches and Updates to deploy OS and app updates to Windows devices.

Configuring patches and updates involves three steps:

1. Choose update categories to target

   You can select the type of updates to deploy, either Windows or Apps.

   Windows Updates

   When choosing Windows, you can specify the type of updates to deploy:

   • Quality Updates – Includes security and non-security fixes such as security patches, critical updates, servicing stack updates, and certain driver updates.
   • Feature Updates – Introduces new features and enhancements to the Windows OS.
   • Driver Updates – Covers updates for third-party drivers essential for device functionality.
   • Other Updates – Includes non-critical and non-security updates that help maintain and optimize system performance.

   App Updates

   When selecting Apps, you can define the type of applications to be updated:

   • Store Apps – Updates for applications installed via the Microsoft Store.
     Note:

     For deploying updates to Store apps, the app must already be installed on the device; otherwise, the update automation will fail.

   • Enterprise Apps – Updates for internally developed apps deployed and managed through Hexnode.

2. Select updates to automate

   This section displays available Windows OS updates retrieved from Microsoft servers and app updates retrieved from the Windows Package Manager.

   For Windows updates, you can search using:

   • Update name
   • GUID
   • KB number

   For Apps updates, you can search using:

   • Update name
   • App identifier
   • Publisher

   Additionally, you can choose how updates are applied by selecting one of the following automation actions:

   • Download: Downloads the selected updates for installation at a later time (applicable only to App updates).
   • Install: Installs the selected updates immediately on the target devices.
   • Uninstall: Removes the selected updates from the target devices. (applicable only to Windows updates).

3. Configure Sequence, Success Criteria, and Reboots

   This section allows you to add installation parameters, manage the order of update downloads and installations, set reboot behaviour after installation, and define success criteria for update automation.

   Notes:

   • Success criteria are supported only on devices with the latest Hexnode agent app installed.
   • This section is only applicable if you choose to install the update.

   Installation Parameters

   1. Additional Installation Parameters – Enable this option to specify custom parameters for app installations (e.g., /S for silent installation).
      Notes:

      For EXE applications, adding installation parameters is recommended for a smooth update installation.

   2. Update Sequence

      Arrange the updates in the preferred automation order.

   3. Reboot After Installation

      Choose from the following reboot options:

      • Reboot once after all installations are complete – The device reboots only after all updates have been installed.
      • Reboot once after every successful installation – The device reboots after each update installation.
      • Reboot once after specific update installations – The device reboots after installing selected updates. Multiple updates can be chosen for this option.

   Configuring Success Criteria

   Success criteria define the conditions for determining whether an update was successfully deployed.

   Notes:
   • If an update is incompatible with the device (e.g., a Windows 11 update deployed to Windows 10) or already installed, the installation will fail, but the automation will still be marked as successful since the automation process was completed.
   • Even if the success criteria are not met, the update will install as long as the device is compatible, and the automation will be considered successful once completed.

   Success Criteria for Windows Updates

   • OS Version – Define success by selecting the Windows product (Windows 10 or Windows 11) and specifying the desired OS version.
   • OS Build Number – Define success by specifying the OS build number.
   • Script Output – Execute a script on the target device and use its output to verify update success.
     • Select Script – Choose a script from your script repository.
     • Enter Value – Define the expected output (e.g., OK, TRUE, or the update version number).
     • Enter Arguments – Optional parameters that customize the script’s behaviour without modifying its code.

   Success Criteria for App Updates

   • Script Output – Works similarly to Windows updates, using a script to verify success. This option also includes the same additional attributes for configuring success criteria, as seen in the Windows ‘Script Output’ section.
   • App Identifier –The App Identifier will be auto filled if it is defined under the success criteria while uploading the file (for MSIX/EXE) or from the Apps tab (for MSI).

     This identifier, which can be a GUID or product code from the Windows Installer, or an app publisher’s name (e.g., {56DDDFB8-7F79-4480-89D5-25E1F52AB28F} or HexnodeUEM), is used to determine whether the app is installed on the target device.

     If the App Identifier is not defined yet, you will need to go to the Apps tab and define it there first.

   • File Path – The File Path will be auto filled if it is defined under the success criteria while uploading the file (for MSIX/EXE) or from the Apps tab (for MSI). It verifies app installation by checking for the presence of a specific file on the target device.

     If not auto filled, the file path can be specified here (e.g., C:\Program Files\AppName\FileName.exe). This could be the path of any file that is created upon the successful installation of the app on the device.

   • Registry Path – The Registry Path will be auto filled if it is defined under the success criteria while uploading the file (for MSIX/EXE) or from the Apps tab (for MSI).

     It is the path of a registry key to be checked on the target device. This can be any registry key that is created when the app is successfully installed on the device. For eg: HKEY_LOCAL_MACHINE\SOFTWARE\MyCompany\MyApplication.

     If the Registry Path is not defined yet, you will need to go to the Apps tab and define it there first

4. Once the actions are selected, click Next.
Settings and Schedule

Configure automation scheduling and related settings here.

• Trigger: Defines the condition that initiates the automation. For deploying patches and updates, only the “Time” trigger is available.
• Initiate: Set the automation initiation frequency. Choose from:
  • Once, ASAP – Executes the automation immediately after creation.
  • Once – Runs the automation at a specified date and time.
  • Repeat at a set schedule – Repeats the automation based on a defined frequency.

Scheduling options:

• Scheduled Date (for the Once option) – Select a specific date for automation initiation in MM/DD/YYYY format.
• Scheduled Day (for the Repeat at a set schedule option) – Choose how often the automation repeats:
  • Everyday – Triggers the automation daily.
  • Selected days – Runs on specific days of the week.
  • Monthly – Executes on a specific day each month (e.g., the 10th).
• Scheduled Time (for both Once and Repeat at a set schedule options) – Set the exact time for automation execution in HH:MM format and select the time zone.

5. Once you have configured the Settings and Schedule, click Next. On the following page, you can define the target filters.
Target Filters

Configure target filters in this section. Specify options for Included groups, Excluded groups, and custom filters by selecting the Filters option.

Included groups

Select device or user groups to apply the automation. Click Add Groups to view and choose from the available device and user groups in your Hexnode UEM portal.

Excluded groups

Select device or user groups to exclude from the automation. Click Add Groups to display the available groups for exclusion.

Filters

Create custom filters based on the following categories:

• Device – Attributes specific to the device.
• User – Attributes related to users assigned to the devices.
• Network – Attributes related to the device’s network.
• Device Status – Attributes concerning compliance and operational status.

Configuring Filters

Set the following fields to define filter conditions:

• Select Column – Choose a category for filtering. Relevant sub-categories appear based on your selection.
• Select Comparator – Define the comparison method.
• Select Value – Specify the filtering criteria.

Below is a list of available filter categories and their corresponding sub-categories:

Main category	Sub- categories
Device	Apple DEP Asset tag Available internal storage Battery level BitLocker Policy Compliance Department Device ID Device model Device notes Device type Encryption Status Enrolled time Enterprise Management Type Installed RAM Last checked-in time Manufacturer MEID OS name OS version Ownership Platform Processor name Serial number Supervision Total internal storage TPM version UDID Used internal storage
User	Alternate email Department (AD) Domain name Email Office location (AD) sAMAccountName Title (AD) User type Username
Network	Bluetooth MAC address Current carrier network SIM 1 Current carrier network SIM 2 Current MCC Current MNC Ethernet IP Address Ethernet MAC address Home carrier Home country ICCID SIM 1 ICCID SIM 2 IMEI SIM 1 IMEI SIM 2 IMSI International data roaming Last connection date Personal Hotspot Phone number SIM 1 Phone number SIM 2 Roaming enabled SIM carrier network Subscriber carrier network (iOS) Subscriber MCC Subscriber MNC Wi-Fi IP Address Wi-Fi MAC address Wi-Fi SSID
Device Status	Activity status Application compliance status Compliance status Enrollment status Geofence compliance status Jailbroken Kiosk mode Lost mode MDM profile Password compliance status Rooted

1. After selecting the desired sub-category, a comparator must be chosen.
2. After selecting the comparator, the value for comparison must be chosen or entered.
   Notes:

   • You can add nested filters using the ‘+’ icon along with the AND operator. To remove a filter, click the trash icon next to the ‘+’ icon.
   • When using multiple filters, you can choose between two operators: AND and OR.
     • AND: The device must meet all the conditions set by the filters.
     • OR: The automation will apply to devices that meet at least one of the filter conditions.

6. After setting the filters, click Next.
7. Review the configured automation settings. Click Edit to modify any section if needed.
8. Once you have reviewed the automation, click Save.

Once the Manual patching is deployed, you can track its status and make modifications if needed from the Automations subtab under the Patches and Updates tab.