Advanced Patch

Modified on Wed, 12 Nov at 3:39 PM

  • Zero-Touch Patch Management
  • Definition of Pilot Groups via Custom Inventory
  • Patch Exclusion Rules for Different Device Groups
  • Patch Management Dashboard to Visualize Active Patch Deployments
  • Role-Based Management to Delegate Responsibilities
  • Approvals for Patch Deployments
  • Vulnerability Insights: Status Overview of All Devices for Each Vulnerability with Troubleshooting


2. Licensing Advanced Patch

The Advanced Patch module requires an additional license before it appears as a menu entry in your five(9)s Console. Please feel free to contact us at support@five9s.de to request a 30-day trial or your individual license offer.

After we adjust your license, simply reactivate the console by clicking the Refresh License button shown below (no password needed).

3. Setting up Advanced Patch

3.1. Create Patch Teams

The first steps of configuring the Advanced Patch module have to be done in the Admin Section on the Patch Settings screen:


Click on Add Patch Team to create a user group responsible for patch management of certain device groups. You will see the following dialog:


Give your team a name and short name, assign a five(9)s Console role and set a minimum pilot device count (either as a total number or a percentage). Only users with the assigned role can view this team’s patch deployments. 

Also, define the suspension timeout for vulnerabilities; once this time elapses, suspended vulnerabilities are no longer blocked and will be processed in the next patch run. 

Enabling the Customer Reference feature for the team lets you assign a ticket ID and a description to certain changes, e.g. when assigning rules to groups.


Tip: You can have Patch Teams for clients and servers in general, for clients in specific countries, for critical application servers and so on. A SecurityAudit role is preconfigured for monitoring purposes.

3.2. Configure Patch Options

General patch options can be configured on the Admin page under ‘Patch Settings’ → ‘Advanced Patch - Options’.


You can configure all necessary default values for your patch process on this screen, including Default Patch Groups, the management of Pilot and Patch Groups via the Custom Inventory, administrator and escalation email recipients, the vulnerability types to deploy, and all time intervals or minimum device counts for Patch Groups.

Hover over the (i) icons to view detailed instructions for each configurable option. 

Additionally, you can define the schedule for Patch Rollouts here. Patch Rollouts are created by a background worker according to a configurable schedule, which determines how often the worker runs to generate Rollouts for each group. By default, all Rollouts follow the Regular Schedule, but you can define a separate schedule for Fast Track Rollouts. Schedulers can also be configured individually for each Patch Rollout Group (see Chapter 3.4, Configuring Patch Rollout Groups).


3.3. Patch Rollout Templates

Proceed with the creation of a Patch Rollout Template by switching to the section via the menu on the left and choosing Add new regular template. Rollout Templates are used afterwards to define Patch Groups (groups of devices in your company that need to be handled differently in a patch process). Templates serve as defaults for all those Patch Groups regarding:
  1. How many patch steps/pilot phases do I need?
  2. What is the duration of those steps/pilot phases?
  3. Do I need approvals before AutoFix?


Enter a name for your template and assign it to a Patch Team. Add additional steps as needed, change step durations and decide which steps need an approval. Save your template with a click on OK.

3.4. Configuring Patch Rollout Groups

Patch management often requires handling different groups of devices separately. For example, standard clients may be patched differently from highly critical application servers.

Patch Rollout Groups can represent the diversity of devices in your company. For example, you might group client machines by division, city, or country, or organize them based on installed applications. 

Click on Add new group to create a new patch group.


Give your group a name and description, choose the assigned Patch Team (who should manage this Patch Group in the five(9)s Console) and pick your previously created Rollout Template.



If you want to make changes to your Patch Group later on, you can simply edit the group with a click on the pencil icon:


As you can see, by choosing the Patch Template all settings from the template are inherited by the Patch Group:


In the schedule tabs (Regular and Fast Track), you can configure individual schedulers that control when the background worker creates Rollouts. By default, the settings from the Admin page are applied (see previous section). 

3.5. Creating Patch Filter Rules and Assigning Them to Patch Groups

Patch Filter Rules can be assigned to Patch Groups to decide which patches should and should not be deployed to the group. This is done with Whitelist and Blacklist rules, which can also be combined.

How Whitelists and Blacklists work:
  1. If no rule is assigned, all patches will be deployed.
  2. If Whitelists are assigned, only patches that are at least on one Whitelist will be deployed.
  3. If Blacklists are assigned, only patches that are NOT on one of the Blacklists will be deployed.
  4. If you combine Whitelists and Blacklists, only patches that are at least on one Whitelist and NOT on one Blacklist will be deployed.

Create a new rule by clicking on Add new Rule.


  1. Enter a name
  2. Choose a Patch Team that should work with this Patch Filter Rule
  3. Choose your Patch Rule type (Whitelist / Blacklist)
  4. Enter a description
  5. Define your filter condition
  6. Click on Preview to check which vulnerabilities are affected by your Patch Filter Rule

Save your Patch Filter Rule by clicking on OK.


Assign your filter rule to a Patch Group by ticking both objects (1) and (2) and clicking the arrow-left icon in the center (3).


If you enabled the Customer Reference feature for the patch team while setting it up on the admin page, you will be asked to provide a Ticket ID and a Description.


After going through this process, the filter rule is now assigned to your Patch Group.



Info: All changes to a Patch Group, like assigned or unassigned Filter Rules, can be retraced in the group's history.

3.6. Assigning devices to Patch Rollout Groups

Devices can be assigned to a Patch Rollout Group using the Custom Inventory of the five(9)s Console. When you activate Advanced Patch with a license, patch-related CI objects are automatically added to the Custom Inventory. Go to the Home screen, select a device, and click on Custom Inventory. Then pick a Patch Group, and optionally a Pilot Group and a User to notify.



The values depend on the settings you made earlier. The following screenshot shows the Edit Patch Group dialog we completed earlier. It displays the Patch Rollout Group Patchgroup 59s and its included steps:
 

It shows an initialization phase followed by two pilot groups and an autofix step. 

1. In the Initializing phase, the process simply waits and gives the devices some time to run security scans that evaluate which patches are needed on a machine.
2. In the phases Pilotgroup 1 and Pilotgroup 2, all vulnerabilities defined by your Patch Filter Rules will be installed on the machines that are members of Pilotgroup 1 or Pilotgroup 2. This assignment can be made using the Custom Inventory by selecting them from the Pilot Group drop-down list:



Info: The field User to notify gives you the ability to inform the owner of a machine about upcoming patches. This is particularly useful for members of the Pilot Groups, allowing them to check if applications on their devices are functioning correctly. Simply search for the user's Active Directory account to assign them.

3. The Autofix phase will set all vulnerabilities defined by your Patch Filter Rules to Autofix for all devices that are members of the selected Patch Group, independent of the selected Pilot Group.

Info: If you want a device to be a member of Patchgroup 59s devices but of no Pilot Group, you can leave the Pilot Group empty.
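To make the two rules above concrete, here is an added example (not code from the five(9)s Console) that models the Whitelist/Blacklist decision from section 3.5 together with which devices a rollout step acts on. The class and function names, the placeholder vulnerability IDs and the assumption that a pilot step targets only the members of its own Pilot Group are all constructed for this illustration.

```python
# Constructed model of the Patch Filter Rule semantics (section 3.5) and of the
# per-step device targeting (section 3.6). Placeholder names, not the product's data model.
from dataclasses import dataclass

@dataclass(frozen=True)
class PatchFilterRule:
    name: str
    rule_type: str          # "Whitelist" or "Blacklist"
    matches: frozenset      # vulnerability IDs selected by the rule's filter condition

@dataclass(frozen=True)
class Device:
    name: str
    patch_group: str
    pilot_group: str = ""   # empty: in the Patch Group, but in no Pilot Group

def is_deployed(vuln: str, rules) -> bool:
    """Rules 1-4 of 'How Whitelists and Blacklists work'."""
    whitelists = [r for r in rules if r.rule_type == "Whitelist"]
    blacklists = [r for r in rules if r.rule_type == "Blacklist"]
    # Rules 2 and 4: once any Whitelist is assigned, a patch must be on at least one.
    if whitelists and not any(vuln in r.matches for r in whitelists):
        return False
    # Rules 3 and 4: a patch on any Blacklist is never deployed.
    if any(vuln in r.matches for r in blacklists):
        return False
    return True             # Rule 1: with no rules at all, everything is deployed

def preview(vulns, rules):
    """What the Preview button reports: the vulnerabilities the rule set lets through."""
    return sorted(v for v in vulns if is_deployed(v, rules))

def targets_for_step(step: str, patch_group: str, devices):
    """Devices a rollout step acts on: Initializing only waits, a pilot step targets
    its own Pilot Group's members (assumption), Autofix targets the whole Patch Group."""
    members = [d for d in devices if d.patch_group == patch_group]
    if step == "Initializing":
        return []
    if step == "Autofix":
        return sorted(d.name for d in members)
    return sorted(d.name for d in members if d.pilot_group == step)

# Constructed sample data (placeholder vulnerability IDs, not real advisories).
VULNS = {"VULN-A", "VULN-B", "VULN-C", "VULN-D"}
WHITELIST = PatchFilterRule("Critical only", "Whitelist", frozenset({"VULN-A", "VULN-B", "VULN-C"}))
BLACKLIST = PatchFilterRule("Known incompatible", "Blacklist", frozenset({"VULN-C"}))
DEVICES = [Device("srv01", "Patchgroup 59s", "Pilotgroup 1"),
           Device("srv02", "Patchgroup 59s", "Pilotgroup 2"),
           Device("srv03", "Patchgroup 59s"), Device("ws01", "Clients")]
```

Combining WHITELIST and BLACKLIST leaves only VULN-A and VULN-B, and srv03 is touched only in the Autofix step because it belongs to no Pilot Group.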

 

Tip: Mass Actions on the Home screen can be used to assign Patch Groups and Pilot Groups for large device groups with a few clicks.

1. Choose Custom Inventory
2. Search for your devices or pick a Scope- or Smart Filter.
3. Check the box for Patch Inventory
4. Choose your Patch Group
5. Choose your Pilot Group
6. Click on Update Selected

3.7. Activate Patch Groups

Now that we have assigned devices to our Patch Group, it is time to activate it so Advanced Patch can start the patch process for our devices.

Go to the Patch Rollout Groups section and click on the pencil icon of your desired group:


Check the Activate box and save your changes with OK.

4. Working with Advanced Patch

4.1. Using the Dashboard to Monitor Patch Processes


If you are logged in to the five(9)s Console with a user that is a member of a role included in a patch team, the Advanced Patch screen will show up in the console menu:



When you open the Advanced Patch module, the Dashboard is the first screen displayed and also the first item in the submenu. It gives you all the information you need about your running patch deployments, like pending or breached approvals, success rates for patch installations or devices that are not covered by one of your patch groups.

The dashboard tiles are organized into three sections: potential To-Dos at the top (ToDos), details of ongoing processes in the center (Processes), and overview tiles at the bottom (Overview). Charts below the dashboard provide data on successful patch counts. 

To see more details about the numbers displayed on a tile, hover over the icons in the bottom-right corner. 



Hint: Many tiles are interactive. When the cursor changes to a pointing hand as you hover over a tile or a part of it, clicking it will take you to a page with more detailed information.


4.2. Patch Rollouts

When the background worker runs and detects new vulnerabilities for machines in a Patch Rollout Group, it creates a Patch Rollout. Click on the rollout to view the associated vulnerabilities:


Info: As you can see, the Patch Rollout for group Patchgroup 59s devices is in step Initializing and has a vulnerability count of 2.

4.3. Approvals

If you configured your patch steps (pilot groups or final Autofix) to need an approval to proceed, all open approvals will be displayed on the Approval screen.

Click on Approve for each Patch Rollout.


Info: There is a timeout for approvals that flags them as breached after the defined time has elapsed. You will be notified by email for pending and breached approvals.

4.4. Suspended and Excluded Vulnerabilities

If you encounter issues with patch installations or incompatibilities with your business applications after a system or application update, you can suspend or exclude vulnerabilities from deployment at any time, regardless of the distribution step in which the rollout is currently running.

Select the vulnerabilities you want to exclude from the rollout and click on Suspend.


Move to the Excluded or suspended Vulnerabilities screen and make your decision on how to handle these suspended vulnerabilities.


1. Exclude - Exclude the marked vulnerabilities from the rollout in this Rollout Group. Vulnerabilities will be ignored in the future.
2. Create Rule - Create an exclusion rule (Blacklist) for the selected vulnerability with a single click. This rule can be used for other Patch Groups as well. 


3. Reset - This option resets the current deployment status of the vulnerability. It will be processed and evaluated again in the next Patch Rollout.
4. Resume - Reinserts the vulnerability into the active Patch Rollout and resumes it at the step where it was suspended.

Info: Vulnerabilities cannot be suspended indefinitely. There is a maximum suspension interval setting per Patch Team. After this timeout, a suspended vulnerability will be resumed.

4.5. Using Vulnerability Insights to get a Status Overview and Troubleshooting Tips


Vulnerability Insights allow you to closely examine the status of your machines managed in the five(9)s Console regarding a specific vulnerability. They also provide targeted information and recommendations to help you take the right steps to remediate issues.

In the Vulnerability Overview, you can click the magnifying glass icon in the Details column of the vulnerability table to open the Vulnerability Insights for a specific vulnerability.

That leads you to the Vulnerability Insights dialog:



At the top left (1) of the Vulnerability Insights view, you will find two tabs for all devices, divided into Scanned and Unscanned. The active Scanned tab (2) shows the statuses of all devices that have already been scanned for the selected vulnerability, while the Unscanned tab shows devices that have not yet been scanned. On the right (3), the Details section displays information relevant to the currently selected node in the tree on the left.


Every node of the tree represents a specific status regarding the vulnerability. Group nodes (nodes with children) organize the structure, while leaf nodes (nodes without children) show specific categorizations with detailed explanations and troubleshooting guidance.


Each node shows a status symbol in the top-right corner, indicating its state:

  • Green check mark — These devices are fine.
  • Orange warning sign — These devices may have issues.
  • Red exclamation mark — These devices have issues.
  • Blue question mark — These devices require investigation of their descendants. Technically, this symbol appears on a group node if at least one descendant node is not okay.

 

If you select a leaf node in a tab, such as Installation failed on the Scanned tab, a screen like the following will appear:



The selected node is highlighted on the left (1) and the Details section on the right shows detailed information (2). This Details section provides Info and Next Steps relevant to the selected node. You can use this information to resolve potential issues. If you want to analyze the devices further, click Copy devices to copy their names, or Load devices to switch to the home screen with a filter for those devices and continue the analysis there.


Last Modified Date
12.11.2025

Verified versions
five(9)s Console version 5.1


Tags
  • Patch
  • Advanced Patch
  • Vulnerability Insights

Disclaimer
Even though every care has been taken by five(9)s GmbH to ensure that the information contained in this publication is correct and complete, it is possible that this is not the case. five(9)s GmbH provides the publication "as is", without any warranty for its soundness, suitability for a different purpose or otherwise. five(9)s GmbH is not liable for any damage which has occurred or may occur as a result of or in any respect related to the use of this publication. five(9)s GmbH may change or terminate this publication at any time without further notice and shall not be responsible for any consequence(s) arising there from. Subject to this disclaimer, five(9)s GmbH is not responsible for any contributions by third parties to this publication.
