General workflow

Cytomic Patch patches and updates the operating system and the programs installed on the computers on your network. To reduce the attack surface of your computers effectively, follow these steps:

  • Make sure Cytomic Patch works correctly on the protected computers on your network.

  • Make sure that all published patches are installed.

  • Isolate computers with unpatched known vulnerabilities.

  • Install the selected patches.

  • Uninstall (roll back) any patches that cause malfunctions.

  • Exclude specific patches from all computers or from selected computers only.

  • Make sure the programs installed on your computers have not reached End-Of-Life (EOL): EOL software no longer receives patches, so any vulnerability found in it stays open.

  • Regularly check the history of patch and update installations.

  • Regularly check the patch status of those computers where incidents have been recorded.

Make sure that Cytomic Patch works correctly

Follow these steps:

  • Make sure that all computers on your network have a Cytomic Patch license assigned and the module is installed and running. Use the Patch management status widget.

  • Make sure that all computers with a Cytomic Patch license assigned can communicate with the Cytomic cloud. Use the Time since last check widget.

  • Make sure the computers that are to receive patches have the Windows Update service running, with automatic updates disabled. The service must be running for patches to be installed, while disabling automatic updates keeps the decision of what is installed, and when, in the console rather than in Windows itself.

To have Advanced EDR configure the service this way, enable the Disable Windows Update on computers toggle in the patch management settings profile. For more information, see General options.
On devices running Windows 10 and higher, the operating system lets you defer quality updates but not disable them. These updates are therefore applied after 30 days even if you select Disable Windows Update on computers.
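The following PowerShell script is an added example, not part of Cytomic Patch or its documentation. It checks the two prerequisites above on the local computer: that the Windows Update service (wuauserv) is running and that automatic updates are disabled. The registry paths and value names it reads (NoAutoUpdate under the WindowsUpdate\AU policy key, DeferQualityUpdatesPeriodInDays under the WindowsUpdate policy key) are the standard Windows Update policy locations; it is an assumption that the Disable Windows Update on computers toggle results in these values, so treat the script as an independent cross-check of the Patch management status widget, not as a description of how the module works. The function name Test-PatchPrerequisites is the example's own.

```powershell
# Added example: verify the Windows Update prerequisites for patch installation
# on the local computer. Not part of Cytomic Patch; the policy values below are
# standard Windows Update policy settings (assumption: the console toggle maps
# to them). Run in an elevated PowerShell session.

function Get-PolicyValue {
    # Returns a registry value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PatchPrerequisites {
    $auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

    $svc          = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $noAutoUpdate = Get-PolicyValue -Path $auPath -Name 'NoAutoUpdate'
    $deferDays    = Get-PolicyValue -Path $wuPath -Name 'DeferQualityUpdatesPeriodInDays'

    $blockers = @()   # conditions under which the module cannot install patches
    $notes    = @()   # conditions worth knowing about but not blocking

    if ($null -eq $svc) {
        $blockers += 'Windows Update service (wuauserv) not found'
        $status = 'Missing'
    } else {
        $status = $svc.Status.ToString()
        if ($svc.Status -ne 'Running') {
            $blockers += "wuauserv is $status; patches cannot be installed until it runs"
        }
        if ($svc.StartType -eq 'Disabled') {
            $blockers += 'wuauserv start type is Disabled; the service cannot be started'
        }
    }

    # NoAutoUpdate = 1 means Windows will not download or install updates on its own.
    if ($noAutoUpdate -ne 1) {
        $blockers += 'NoAutoUpdate policy is not 1; Windows may install updates outside the console'
    }

    # Windows 10 and later only defer quality updates (30 days at most); they still install afterwards.
    if ($null -ne $deferDays -and $deferDays -gt 0) {
        $notes += "Quality updates deferred $deferDays day(s); Windows will install them when the deferral ends"
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        ServiceStatus = $status
        NoAutoUpdate  = $noAutoUpdate
        DeferDays     = $deferDays
        Ready         = ($blockers.Count -eq 0)
        Blockers      = $blockers
        Notes         = $notes
    }
}

Test-PatchPrerequisites | Format-List
```

Run it on a computer that the Patch management status widget reports as not ready; a non-empty Blockers list points at the prerequisite that is missing. The Notes field records the Windows 10 deferral case described above, which is not a blocker but explains why a quality update may appear on a computer where Windows Update was supposedly disabled.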

Make sure that all published patches are installed

As software vendors discover flaws in their products, they publish updates and patches that must be installed on the affected systems to fix them. Each patch has a criticality level and a type associated with it:

  • To view missing patches by type and criticality level, use the Patch criticality widget.

  • To view details of the patches that are missing on a computer or computer group:

    • Go to the computer tree (top menu Computers, My organization tab in the side panel). Click the context menu of the computer group. Select View available patches. The Available patches list opens, filtered by the relevant group.

    Or,

    • Go to the computer list (top menu Computers). Click a computer’s context menu. Select View available patches. The Available patches list opens, filtered by the relevant computer.

  • To get an overview of all missing patches:

    • Go to Status in the top menu. Click Add in the My lists section of the side panel. Select the Available patches list.

    • Use the filter tool to narrow your search.

  • To find computers that do not have a specific patch installed:

    • Go to Status in the top menu. Click Add in the My lists section of the side panel. Select the Available patches list.

    • Use the filter tool to narrow your search.

    • Click the context menu of the patch you are looking for and select View which computers have the patch available.
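As an added example (not part of Cytomic Patch, and not how the console builds its lists), the script below produces a local counterpart of the Available patches list and of the Patch criticality widget for one computer, so that a console entry can be cross-checked on the machine itself. It uses the Windows Update Agent COM API (Microsoft.Update.Session), a standard Windows interface, to enumerate updates that are not yet installed, and reports each one's MsrcSeverity, which is the criticality Microsoft assigns to security updates. Two caveats apply: the search needs the computer to reach its configured update source (Microsoft Update or a WSUS server), so it is not an offline check and fails when that source is unreachable, and it only covers Windows updates, not the third-party program patches that Cytomic Patch also handles. The function name Get-MissingWindowsUpdate and the KB parameter are the example's own; pass a KB number to answer the "which computers lack this patch" question for the machine you run it on.

```powershell
# Added example: list updates the local computer still lacks, by criticality,
# using the Windows Update Agent COM API. Not part of Cytomic Patch. Covers only
# updates known to the configured update source (Microsoft Update or WSUS).

function Get-MissingWindowsUpdate {
    param(
        # Optional KB number (e.g. the one shown for a patch in the console);
        # when given, only that update is returned.
        [string]$KB
    )

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    try {
        # Not installed, not hidden by an administrator, and a software update
        # (drivers are excluded). This query contacts the update source.
        $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    } catch {
        throw "Windows Update search failed (update source unreachable?): $($_.Exception.Message)"
    }

    foreach ($u in $result.Updates) {
        # One update can reference several KB articles.
        $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" })
        if ($KB -and ($kbs -notcontains $KB.ToUpper())) { continue }

        # MsrcSeverity is Critical, Important, Moderate or Low for security
        # updates and empty for updates without a security rating.
        $severity = $u.MsrcSeverity
        if ([string]::IsNullOrEmpty($severity)) { $severity = 'Unrated' }

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Title      = $u.Title
            Severity   = $severity
            KB         = ($kbs -join ',')
            Categories = (@($u.Categories | ForEach-Object { $_.Name }) -join ',')
        }
    }
}

# Full list, most critical first.
$missing = @(Get-MissingWindowsUpdate)
$missing | Sort-Object Severity | Format-Table Severity, KB, Title -AutoSize

# Counts per criticality, the local equivalent of the Patch criticality widget.
$missing | Group-Object Severity | Select-Object Name, Count
```

To check a single patch, call Get-MissingWindowsUpdate -KB with the KB number taken from the console entry; an empty result means the update is either installed or not offered to this computer by its update source, which is itself worth knowing when the console and the computer disagree.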

Isolate computers with unpatched known vulnerabilities

To find and isolate computers that have not yet received published patches that fix known vulnerabilities, follow these steps:

  • Go to Status in the top menu. Click Add in the My lists section of the side panel. Select the Available patches list.

  • Click the context menu of a patch in the list and select Isolate computer.