
UEM Patch and Vulnerabilities


Patch Management information from Empirum is greatly enhanced, and users can easily find the information they need using the data navigation and dashboard capabilities of the ESM platform.

More information on Patch and Vulnerability can be found in a dedicated knowledge base article.

Features

  • Updated Patch Management Dashboard based on the new Dashboarding capabilities of the ESMP
  • Automatically synchronize the Patch catalog with patch details, associated bulletins and CVE numbers
  • List of all patches, service packs and bulletins
  • List of patch state of computers
  • Update of the computer patch state with every patch scan and fix run sent from Empirum
  • Detect if the connected Empirum system has a valid Patch Management license

Activating Patch & Vulnerabilities

The import of patches is deactivated by default and needs to be enabled if you want to use the feature to its full extent.

UUX for UEM

  • The synchronization of the patch catalog is only performed if the attached Empirum system has a valid Patch Management license and is 25.0.0 or newer. You can check this in the node information in Administration -> Integration -> Enterprise Service Bus -> Nodes -> Empirum node
  • To enable the initial catalog sync and a daily update, the engine activation needs to be activated:
    • Go to Administration -> Services & Processes -> Engine Activations
    • Select "Edit" on the preview of "UEM Device Patch Management Synchronizer Activation"
    • Activate the engine by un-checking "Disable entire Activation"

The initial synchronization takes a long time because of the large amount of data. Subsequent synchronizations transfer only the delta and will not impact performance.

Empirum Patch Data Sync 

From version 25.4 onwards, Empirum sends the patch status details via the Enterprise Service Bus (ESB). Earlier versions sent only base information without any details on the installed or missing patches. See the section Deactivating the extended Patch Status Messages from Empirum if you want to stick with the overview patch information to reduce load and data transfer.

Automated Patch Catalog Download

When activated, the patch catalog is imported on a nightly schedule. Please adjust the schedule so that the system is not performing many parallel imports from other systems at the same time. The synchronization of the patch catalog is only performed if the attached Empirum system has a valid Patch Management license and is 25.0.0 or newer (see UUX for UEM). The initial synchronization takes a long time because of the large amount of data. Subsequent synchronizations transfer only the delta and will not impact performance.

Patch & Vulnerabilities Dashboard

The new dashboard provides an initial overview of the patch state. Based on the dashboard capabilities of the ESMP, it can be configured and new widgets can be added.

It is possible to switch back to the original Patch Management dashboard by using the option "Switch to Classic Dashboard".

Select in the UEM Extension: Patch & Vulnerabilities


List of all patches and bulletins

The list shows all available bulletins. The preview lets you drill down to the associated patches and the vendor information (external link).

Using the grouping feature on Vendor, Family and Version provides a hierarchical view which is easy to navigate.


Patches use an internal KB number for reference. This number is not the same as the KB number provided by Microsoft, but for Microsoft patches it is related to it.

To search for a KB number provided by Microsoft, use the internal KB number and replace the Q with the numbers of the MS KB article.

List of patch state of computers

The list shows all available patches. The preview lets you drill down to the associated bulletin and any related CVE information (external link).


List of patch state of computers

The patch state of computers is sent from Empirum with every patch scan or fix run. It uses the Enterprise Service Bus. The list shows all patch states as individual entries with the state (Missing or Installed) and whether the patch is assigned to the computer in Empirum via a patch group. The preview lets you drill down to the patch or computer.


 

Deactivating the extended Patch Status Messages from Empirum

In Empirum 25.0.0 and 25.0.1 the extended status messages are disabled by default. From Empirum 25.4 onwards the extended messages are enabled by default.

  • To deactivate sending of the Empirum patch status messages via the Service Bus, the feature needs to be enabled in the database:
    • Run on the Empirum DB "update Options set EmpValue = 1 where EmpOption = 'UemDevicePmScanResultSkipActivated'"
    • Customers using the Matrix42 Cloud offering need to send an inquiry to Matrix42 support to enable the preview.
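
The database change above can be run as a guarded statement, so that a missing or duplicated option row does not pass unnoticed as a silent no-op. This is an added example, not Matrix42's own script; it assumes the Empirum database runs on Microsoft SQL Server (T-SQL), and the transaction handling and error text are illustrative.

```sql
-- Added example: guarded version of the UPDATE from the article.
-- Table, column and option names are taken from the article;
-- the transaction wrapper and error message are assumptions.
SET XACT_ABORT ON;
BEGIN TRANSACTION;

-- Record the current value so the change can be reverted later.
SELECT EmpOption, EmpValue
FROM Options
WHERE EmpOption = 'UemDevicePmScanResultSkipActivated';

UPDATE Options
SET EmpValue = 1
WHERE EmpOption = 'UemDevicePmScanResultSkipActivated';

-- Exactly one option row is expected to change. If none (or several)
-- matched, undo the change instead of leaving an unknown state.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    THROW 50000, 'Option row not found or not unique; nothing was changed.', 1;
END;

COMMIT TRANSACTION;

-- Confirm the stored value after the commit.
SELECT EmpOption, EmpValue
FROM Options
WHERE EmpOption = 'UemDevicePmScanResultSkipActivated';
```

Once the option is set, the computer patch state list no longer receives per-patch Missing/Installed details, so keep the recorded previous value for a later rollback.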