Scenario: Updating third-party software

This section provides a scenario for updating third-party software installed on the client devices. The third-party software includes applications from Microsoft and other software vendors. Updates for Microsoft applications are provided by the Windows Update service.

Prerequisites

Administration Server must have a connection to the internet to install updates of third-part software other than Microsoft software.

By default, internet connection is not required for Administration Server to install Microsoft software updates on the managed devices. For example, the managed devices can download the Microsoft software updates directly from Microsoft Update servers or from Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your organization's network. Administration Server must be connected to the internet when you use Administration Server as WSUS server.

Stages

Updating third-party software proceeds in stages:

  1. Searching for required updates

    To find the third-party software updates required for the managed devices, run the Find vulnerabilities and required updates task. When this task is complete, Kaspersky Security Center receives the lists of detected vulnerabilities and required updates for the third-party software installed on the devices that you specified in the task properties.

    The Find vulnerabilities and required updates task is created automatically by the Administration Server quick start wizard. If you did not run the wizard, create the task or run the quick start wizard now.

    How-to instructions:

  2. Analyzing the list of found updates

    View the Software updates list and decide which updates you want to install. To view detailed information about each update, click the update name in the list. For each update in the list, you can also view the statistics on the update installation on client devices.

    How-to instructions:

  3. Configuring installation of updates

    When Kaspersky Security Center received the list of the third-party software updates, you can install them on client devices by using the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. Create one of these tasks. You can create these tasks on the Tasks tab or by using the Software updates list.

    The Install required updates and fix vulnerabilities task is used to install updates for Microsoft applications, including the updates provided by the Windows Update service, and updates of other vendors' software. Note that this task can be created only if you have the license for the Vulnerability and patch management feature.

    The Install Windows Update updates task does not require a license, but it can be used to install Windows Update updates only.

    To install some software updates you must accept the End User License Agreement (EULA) for the installation software. If you decline the EULA, the software update will not be installed.

    You can start an update installation task by schedule. When specifying the task schedule, make sure that the update installation task starts after the Find vulnerabilities and required updates task is complete.

    How-to instructions:

  4. Scheduling the tasks

    To be sure that the update list is always up-to-date, schedule the Find vulnerabilities and required updates task to run the task automatically from time to time. By default, the Find vulnerabilities and required updates task is set to start manually.

    If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Install Windows Update updates task, note that for this task you must define the list of updates every time before starting this task.

    When scheduling the tasks, make sure that an update installation task starts after the Find vulnerabilities and required updates task is complete.

  5. Approving and declining software updates (optional)

    If you have created the Install required updates and fix vulnerabilities task, you can specify rules for update installation in the task properties. If you have created the Install Windows Update updates task, skip this step.

    For each rule, you can define the updates to install depending on the update status: Undefined, Approved or Declined. For example, you may want to create a specific task for servers and set a rule for this task to allow installation of only Windows Update updates and only those ones that have Approved status. After that you manually set the Approved status for those updates that you want to install. In this case the Windows Update updates that have the Undefined or Declined status will not be installed on the servers that you specified in the task.

    The usage of the Approved status to manage update installation is efficient for a small amount of updates. To install multiple updates, use the rules that you can configure in the Install required updates and fix vulnerabilities task. We recommend that you set the Approved status for only those specific updates that do not meet the criteria specified in the rules. When you manually approve a large amount of updates, performance of Administration Server decreases and may lead to Administration Server overload.

    By default, the downloaded software updates have the Undefined status. You can change the status to Approved or Declined in the Software updates list (OperationsPatch managementSoftware updates).

    How-to instructions:

  6. Configuring Administration Server to work as Windows Server Update Services (WSUS) server (optional)

    By default, Windows Update updates are downloaded to the managed devices from Microsoft servers. You can change this setting to use the Administration Server as WSUS server. In this case, the Administration Server synchronizes the update data with Windows Update at the specified frequency and provides updates in centralized mode to Windows Update on networked devices.

    To use the Administration Server as WSUS server, create the Perform Windows Update synchronization task and select the Use Administration Server as WSUS server check box in the Network Agent policy.

    How-to instructions:

  7. Running an update installation task

    Start the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. When you start these tasks, updates are downloaded and installed on managed devices. After the task is complete, make sure that it has the Completed successfully status in the task list.

  8. Create the report on results of update installation of third-party software (optional)

    To view detailed statistics on the update installation, create the Report on results of installation of third-party software updates.

    How-to instructions:

Results

If you have created and configured the Install required updates and fix vulnerabilities task, the updates are installed on the managed devices automatically. When new updates are downloaded to the Administration Server repository, Kaspersky Security Center checks whether they meet the criteria specified in the update rules. All new updates that meet the criteria will be installed automatically at the next task run.

If you have created the Install Windows Update updates task, only those updates specified in the Install Windows Update updates task properties are installed. In future, if you want to install new updates downloaded to the Administration Server repository, you must add the required updates to the list of updates in the existing task or create a new Install Windows Update updates task.

See also

Viewing information about available updates for third-party applications

Approving and declining software updates

Synchronizing updates from Windows Update with Administration Server

Installing updates on devices manually

Configuring Windows updates in a Network Agent policy

About third-party applications

Page top