7.2 View Patch Details

Using the Patches page you can view the details of all patches that are applicable to the zone and you can also view information about all patches that are applicable for a specific device.

7.2.1 Zone-Level Patches

This page can be accessed by clicking the Security tab in the left navigation menu and then clicking the Patches tab. This page displays a list of all patches that are applicable to the zone and it provides the following information:

Patch Name

The Patch Name is the name that identifies a patch. This name typically includes the vendor or manufacturer of the patch, the specific application, and version information.

An example of a patch name is shown as follows. It indicates that Adobe is the vendor, Adobe Flash Player is the application, and 21.0.0.242 is the version information:

Microsoft Patches:

  • All Microsoft security patches are titled with their Microsoft Security Bulletin number in the format MS0x-yyy, where 0x indicates the year the patch was released and yyy indicates the sequential number of the released patch. These patches are critical and must be installed as soon as possible.

  • Names of all Microsoft non-security patches include the Knowledge Base (KB) article number. These patches can be installed at your discretion.

  • The names of Microsoft service packs and third-party patches do not usually contain a KB number and never a Microsoft Security Bulletin number. Test these service packs thoroughly to ensure that they have the expected results.

For more information on the naming conventions for patches, refer to Common Vulnerabilities and Exposures (CVE), which is a list of standardized names for vulnerabilities and other information security exposures. Another useful resource is the National Vulnerability Database, which is the U.S. government repository of standards-based vulnerability management data.

The patches shown in the Patches page have different icons indicating their current status. The following table describes the icons for each patch:

Patch Icon

Significance

Indicates that the patch is disabled.

Disabled patches are hidden by default. Use the Include Disabled filter in the Search panel to show these items.

Indicates that only the fingerprint information for the patch has been brought down from the ZENworks Patch Subscription Network. This icon represents the patches that are neither cached nor pre-fetched.

Indicates that a download or pre-fetch process for the patch bundles associated with the selected patch is pending.

Indicates that a download or pre-fetch process for the patch bundles associated with the selected patch has started. This process caches or pre-fetches those patch bundles on your ZENworks Server.

Indicates that the fingerprints and remediation patch bundles necessary to address the patch have been cached in the system. This icon represents the patches that are cached or pre-fetched and ready for deployment.

Indicates that an error has occurred while trying to download or pre-fetch the patch bundle associated with the selected patch.

Indicates that pre-fetching and caching is not applicable for the patch. This status is assigned to patches for which the ZENworks content system does not download and store the patch content. Instead, managed devices download the content directly from the patch vendor.

Examples of these types of patches include vendor-channel delivered patches (SUSE, RHEL, Microsoft 365, Microsoft Office 2021) and macOS patches larger than 1 GB in size.

Total Patches Available

The total number of patches that are available for deployment is displayed in the bottom-left corner of the Patches panel. In the following figure, the total number of available patches is 106:

Patch Impact

Each software vendor has their own way of classifying the level of need for an endpoint to have content deployed and installed. Vendors use labels such as Critical, Important, and Moderate to help describe how crucial their content is for securing the environment. But what if each vendor has a different definition of Critical or Important? It can be challenging to evaluate an environment's security posture accurately if you are relying on labels that vary from vendor to vendor.

To address this confusion, ZENworks Patch Management replaces the vendor classification labels with our own. We call these labels content types and apply them to content from all vendors. Standardizing classification systems helps you to quickly identify the most crucial content needed to secure your endpoints, without having to look up each vendor's label individually.

For up-to-date information about our classification mappings, see the Patch Content Types and Mapping section in the ZENworks Patch Management Content Report.

Patched

The Patched column displays a link indicating the total number of devices to which the corresponding patch has been applied.

Click a link to display the Devices that are patched with the selected patch.

Not Patched

Displays a link indicating the total number of devices to which the corresponding patch has not been applied. Click a link to display the Devices on which the patch has not yet been applied. You can deploy the patch to these devices by using the Deploy Remediation option.

Patch Release Date

The date the patch was released by the vendor is displayed in the right column under Released On. Click the Released On column to sort patches by their release date. All the patches released in the last 30 days are displayed in bold font.

Search Patches

The Search panel on the Patches page offers extensive search and data filtering options that allow you to search for specific patches and filter result sets based on the status and impact of the patches. Searching and filtering can be performed independently of each other or can be combined to provide extensive drill-down capabilities.

To search for a patch:

  1. Type all or part of the patch name in the Patch Name text box.

  2. Select applicable filter options; the CVE identifier must be typed.

  3. Click Search.

To filter from all existing patches:

  1. Leave the Patch Name text box empty.

  2. Select applicable filter options.

  3. Click Search.

NOTE: Click Reset to return to the default settings.

The following table describes the result of selecting each filter option under Status:

| Status Filter | Result |
| --- | --- |
| Patched | Search results include all the patches in the patch list that have been applied to one or more devices. |
| Not Patched | Search results include all the patches in the patch list that have not been applied to any device. |
| Not Applicable | Search results include all the patches in the patch list that do not apply to the device. |
| Include Disabled | Search results include all the patches in the patch list that have been disabled by the administrator. |

The following table describes the result of selecting each filter option under Impact (Impact Filters in Search):

| Impact Filter | Result |
| --- | --- |
| Critical | Search results include all the patches in the patch list that are classified as Critical by ZENworks. |
| Recommended | Search results include all the patches in the patch list that are classified as Recommended by ZENworks. |
| Software Installers | Search results include all the patches in the patch list that are classified as Software Installers by ZENworks. |

The following table describes the remaining filter options on the Search panel:

| Filter | Result |
| --- | --- |
| Platform | Search results include all the patches relevant to the operating system in the patch list. |
| Vendor | Search results include all the patches relevant to the vendor in the patch list. |
| Cache Status | Search results include all the patches relevant to their cache status on the local server. |
| CVE Identifier | Search results include all the patches that have the common vulnerabilities and exposures ID that you type. |
| Relationships | NOTE: This filter is only applicable to the Patches page on a selected patch policy. Search results include patches for devices assigned to a patch policy, according to the option selected in the filter menu. For more information, see Understanding the Relationships Filter. |

Understanding the Relationships Filter

The Search feature on the Patches page for a patch policy differs from the Search feature on the global Patches page by omitting the Platform filter and adding the Relationships filter. The Relationships filter enables you to limit and define the reporting of patch status according to the devices assigned to the patch policy as described below:

First 500 Devices

This is the default setting. It displays patch status for the first 500 devices assigned under the Relationships tab of a selected patch policy. If the policy is assigned to more than 500 devices, the complete list of devices can be viewed under Patched and Not Patched column values.

Test Devices

This option displays patch status for patches on designated test devices assigned to the selected patch policy.

Specific devices

Specific devices, device folders, or device groups will be listed under the Test devices option. For example, <computer name>, Workstations, Windows 10 Workstations and so forth can be assigned as a relationship to the patch policy.

When you filter on one of these relationship types, patch status will only be displayed for device patches that fall within that device criteria.

IMPORTANT: Due to the complexity of returning Patched and Not Patched results and the variables involved, one hundred percent accuracy for device counts in patch status is uncommon in large organizations. For example, if your organization has more than 500 devices assigned to a patch policy and you open the Patches page on that policy, the aggregate number of devices in the Patched and Not Patched columns is unlikely to reach 500 with the Relationships.

7.2.2 Device Patches

Using the Device Patches Page you can view information related to all patches, patch policies and remediation bundles assigned to the selected device. You can also perform actions for particular patches and refresh the assignments made to the device. The Device Patches page includes the following panels:

Patches

Figure 7-1

This panel lists all the patches that are applicable to the device and provides the following information for each patch:

Patch Name

The Patch Name is the name that identifies a patch. This name typically includes the vendor or manufacturer of the patch, the specific application, and version information.

An example of a patch name is shown as follows. It indicates that Adobe is the vendor, Adobe Flash Player is the application, and 21.0.0.242 is the version information:

Microsoft Patches:

  • All Microsoft security patches are titled with their Microsoft Security Bulletin number in the format MS0x-yyy, where 0x indicates the year the patch was released and yyy indicates the sequential number of the released patch. These patches are critical and must be installed as soon as possible.

  • Names of all Microsoft non-security patches include the Knowledge Base (KB) article number. These patches can be installed at your discretion.

  • The names of Microsoft service packs and third-party patches do not usually contain a KB number and never a Microsoft Security Bulletin number. Test these service packs thoroughly to ensure that they have the expected results.

For more information on the naming conventions for patches, refer to Common Vulnerabilities and Exposures (CVE), which is a list of standardized names for vulnerabilities and other information security exposures. Another useful resource is the National Vulnerability Database, which is the U.S. government repository of standards-based vulnerability management data.

When you click the patch name link, the Patch Details page is displayed.

Patch Impact

The Impact is the type of patch defined on the basis of the severity of the patch; the type can be Critical, Recommended, or Software Installers. Each impact is described as follows:

  • Critical: ZENworks has determined that this type of patch is critical, and should be installed as soon as possible. Most of the recent security updates fall in this category.

  • Recommended: ZENworks has determined that this patch, although not critical or security related, is useful and should be applied to maintain the health of your computers. You should install patches that fall into this category.

  • Software Installers: These types of patches are software applications. Typically, this includes software installers. The patches show Not Patched if the application has not been installed on a machine.

Patch Management impact terminology for its patch subscription service closely follows the vendor impact terminology for patch criticality. Each operating system has a vendor-specific impact rating and that impact is mapped to a ZENworks rating as described in this section. Patch Management, following the recommendations of Lumension Security, increases or steps up the severity of the impact rating. For example, Microsoft classifications for Critical, Important, and Moderate patches are all classified as Critical by ZENworks.

The following table lists the mapping between ZENworks and Microsoft patch classification terminology:

Table 7-1 ZENworks and Microsoft Patch Impact Mapping

| ZENworks Patch Impacts | Windows | Other |
| --- | --- | --- |
| Critical | Critical Security; Important; Moderate | NA |
| Recommended | Recommended; Low; Example: Microsoft Outlook 2003 Junk E-mail Filter Update | NA |
| Software Installers | Software Distribution; Example: Microsoft Windows Malicious Software Removal Tool (Virus Removal) | Adobe 8.1 software installer |
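The patch naming convention and the Table 7-1 mapping, applied together to order a patch list for deployment. This is an added example, not ZENworks code or console output; the row format, the sample rows, the KB digit count and the handling of labels missing from the table are assumptions made for the illustration.

```python
import re
from datetime import date

# Naming convention from the page: a bulletin number marks a security patch,
# a KB number alone a non-security patch (6-7 digits is an assumption),
# and neither marks a service pack or third-party patch.
BULLETIN_RE = re.compile(r"\bMS\d{2}-\d{3}\b", re.IGNORECASE)
KB_RE = re.compile(r"\bKB\d{6,7}\b", re.IGNORECASE)

# Table 7-1, Windows column -> ZENworks impact.
WINDOWS_TO_ZENWORKS = {
    "critical": "Critical", "critical security": "Critical",
    "important": "Critical", "moderate": "Critical",
    "recommended": "Recommended", "low": "Recommended",
    "software distribution": "Software Installers",
}
# Assumption: labels missing from the table sort right after Critical for review.
IMPACT_ORDER = ["Critical", "Unmapped", "Recommended", "Software Installers"]


def classify_name(name):
    """Return (kind, identifier) derived from the patch name alone."""
    bulletin = BULLETIN_RE.search(name)
    if bulletin:
        return "security", bulletin.group(0).upper()
    kb = KB_RE.search(name)
    if kb:
        return "non-security", kb.group(0).upper()
    return "service-pack-or-third-party", None


def zenworks_impact(vendor_severity):
    return WINDOWS_TO_ZENWORKS.get(vendor_severity.strip().lower(), "Unmapped")


def triage(rows, today):
    """Order patches that still have unpatched devices by impact, then count."""
    queue = []
    for row in rows:
        if row["not_patched"] == 0:
            continue
        kind, ident = classify_name(row["name"])
        age = (today - row["released"]).days
        queue.append({
            "name": row["name"], "kind": kind, "id": ident,
            "impact": zenworks_impact(row["vendor_severity"]),
            "recent": 0 <= age <= 30,  # released in the last 30 days (bold on the page)
            "not_patched": row["not_patched"],
        })
    queue.sort(key=lambda p: (IMPACT_ORDER.index(p["impact"]), -p["not_patched"]))
    return queue


# Constructed sample rows: names, identifiers, dates and counts are invented.
SAMPLE = [
    {"name": "Example Reader 9.9 software installer", "vendor_severity": "Software Distribution", "released": date(2024, 1, 10), "not_patched": 40},
    {"name": "MS07-901 Security Update for Example Component (KB9000001)", "vendor_severity": "Moderate", "released": date(2024, 5, 20), "not_patched": 12},
    {"name": "Update for Example Mail Filter (KB9000002)", "vendor_severity": "Low", "released": date(2024, 3, 1), "not_patched": 7},
    {"name": "Example OS Service Pack 3", "vendor_severity": "Important", "released": date(2024, 5, 1), "not_patched": 0},
    {"name": "Example Browser 1.2", "vendor_severity": "High", "released": date(2024, 5, 25), "not_patched": 3},
]

if __name__ == "__main__":
    for p in triage(SAMPLE, today=date(2024, 6, 1)):
        print(p["impact"], p["kind"], p["not_patched"], p["recent"], p["name"])
```

A vendor label that is not in Table 7-1 (here the constructed "High") is surfaced as Unmapped rather than dropped, so it can be checked against the current Patch Content Types and Mapping section.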

Patched

The Patched column indicates whether the patch has been applied on the device. Patch statistics show the relationship between a specific patch and the total number of devices (or groups) within ZENworks Server that meet a specific status. The patch statistics appear in two columns on the far right side of the Patches page. Each column status is described as follows:

The patches shown in the Patches page have different icons indicating their current status. The following table describes the icons for each patch:

Patch Icon

Significance

Indicates that the patch is disabled.

Disabled patches are hidden by default. Use the Include Disabled filter in the Search panel to show these items.

Indicates that only the fingerprint information for the patch has been brought down from the ZENworks Patch Subscription Network. This icon represents the patches that are neither cached nor pre-fetched.

Indicates that a download or pre-fetch process for the patch bundles associated with the selected patch is pending.

Indicates that a download or pre-fetch process for the patch bundles associated with the selected patch has started. This process caches or pre-fetches those patch bundles on your ZENworks Server.

Indicates that the fingerprints and remediation patch bundles necessary to address the patch have been cached in the system. This icon represents the patches that are cached or pre-fetched and ready for deployment.

Indicates that an error has occurred while trying to download or pre-fetch the patch bundle associated with the selected patch.

NOTE: If you choose a patch that does not have cached remediation patch bundles, the deployment process might fail until the cache download is complete. The files must be downloaded from the patch subscription and packaged by ZENworks Configuration Management, after which the icon turns blue. To initiate an immediate download of these packages, select the Update Cache/Patch Pre-fetch Content option from the Action menu.

Assignments

This column displays the name of the patch remediation bundle or policy assignment that includes the signature and is assigned to the device. When you click the Assignment link, the Bundle or Policy Details page is displayed.

Release Date

The date the patch was released by the vendor is displayed in the right column under Released On. Click the Released On column to sort patches by their release date. All the patches released in the last 30 days are displayed in bold font.

Installed On

The date on which the patch signature was installed on the device, either through a remediation bundle, or through a patch policy. If the patch was not installed by ZENworks, this field will be empty.

Installed By

The name of the user who installed the patch on the device. If the patch was installed by ZENworks, the value will be ZENworks. If the patch was installed manually, for example through a Windows update, the value will be Other.

The total number of patches that are available for deployment is displayed in the bottom-left corner of the Patches panel. In the following figure, the total number of available patches is 106:


Assigned Patch Policies

The Assigned Patch Policies panel displays all the enabled patch policies that are assigned to the device. This panel includes the following information:

Policy Name

The names of the enabled patch policies that are assigned to the device.

Version

The published version of the patch policy.

Enforcement Schedule

The schedule of when the policy is enforced on the device.

Source

Links to the source of the assignment, either the Device object's Summary page, the Device Group object's Summary page, or the Device Folder's Summary page. When you click the source, the object's Summary page is displayed. If there are multiple sources, they are displayed as an expandable hierarchy.

Assigned Remediation Deployments

This panel displays all the patch bundles that are assigned to the device. This panel includes the following information:

Deployment Name

The remediation deployment name. When you click this link, the Bundle Summary page is displayed.

Folder

The path to the folder in which the bundle is saved.

Created On

The date on which the bundle assignment was created.

Enforcement Schedule

The schedule of when the deployment is enforced on the device. For example, Every Sun, Mon, Tue.

Source

Links to the source of the assignment, either the Device object's Summary page, the Device Group object's Summary page, or the Device Folder's Summary page. When you click the source, the object's Summary page is displayed. If there are multiple sources, they are displayed as an expandable hierarchy.

Search for Patches

The Search panel on the Patches page offers extensive search and data filtering options that allow you to search for specific patches and filter result sets based on the patch status, impact of the patches and assignment status. Searching and filtering can be performed independently of each other or can be combined to provide extensive drill-down capabilities.

To search for a patch:

  1. Type all or part of the patch name in the Patch Name text box.

  2. Select applicable filter options; the CVE identifier must be typed.

  3. Click Search.

To filter from all existing patches:

  1. Leave the Patch Name text box empty.

  2. Select applicable filter options.

  3. Click Search.

NOTE: Click Reset to return to the default settings.

The following table describes the result of selecting each filter option under Status:

| Status Filter | Result |
| --- | --- |
| Patched | Search results include all the patches in the patch list that have been applied to one or more devices. |
| Not Patched | Search results include all the patches in the patch list that have not been applied to any device. |
| Not Applicable | Search results include all the patches in the patch list that do not apply to the device. |
| Include Disabled | Search results include all the patches in the patch list that have been disabled by the administrator. |

The following table describes the result of selecting each filter option under Assignment Status:

| Status Filter | Result |
| --- | --- |
| Assigned | Search results include all the patches in the patch list that have been assigned to one or more devices. |
| Not Assigned | Search results include all the patches in the patch list that have not been assigned to any device. |

The following table describes the result of selecting each filter option under Impact (Impact Filters in Search):

| Impact Filter | Result |
| --- | --- |
| Critical | Search results include all the patches in the patch list that are classified as Critical by ZENworks. |
| Recommended | Search results include all the patches in the patch list that are classified as Recommended by ZENworks. |
| Software Installers | Search results include all the patches in the patch list that are classified as Software Installers by ZENworks. |

The following table describes the remaining filter options on the Search panel:

| Filter | Result |
| --- | --- |
| Platform | Search results include all the patches relevant to the operating system in the patch list. |
| Vendor | Search results include all the patches relevant to the vendor in the patch list. |
| Cache Status | Search results include all the patches relevant to their cache status on the local server. |
| CVE Identifier | Search results include all the patches that have the common vulnerabilities and exposures ID that you type. |
| Relationships | NOTE: This filter is only applicable to the Patches page on a selected patch policy. Search results include patches for devices assigned to a patch policy, according to the option selected in the filter menu. For more information, see Understanding the Relationships Filter. |