IBM Security MaaS360

Getting the most out of new Windows patch management capabilities of MaaS360

By Deepti Swain posted Thu February 11, 2021 06:00 AM


By Deepti Swain, Software Engineer, IBM Security MaaS360 With Watson

IBM Security MaaS360 with Watson provides  Granular Patch and Update Management functionality by default to every customer that needs to manage Windows devices in their organization. These patch management workflow capabilities, described and demonstrated in detail below, are designed to make an IT administrator’s work easier to address device security vulnerabilities.

First, if you have not already enabled the patch management capabilities for your organization please refer to this 2019 Community blog with foundational information to get started.

Now, with the patch management capabilities enabled, let’s explore them in some depth:

  1. Multiple Patch Distribution
  2. Distribution Capabilities
  3. Track Patch Distribution Details
  4. Patch Distribution Status
  5. Refresh
  6. Search & Filter

1. Multiple Patch Distribution:

Now you can select multiple patches at a time and distribute the patch to respective targeted devices as shown below:

2. Distribution Capabilities:

There are many different options available for an admin to distribute, let’s have a look at those:

  • Distribution Settings:

           Distribute To: Administrator can distribute the patch to targeted devices in 3 different levels:

  1. Devices Missing Patch: All those devices which are missing the patches will get the distribution.
  2. Device Group: Distribute the patch to group level (supported on only Device Groups). Any future newly enrolled device falls under this device group also become eligible automatically to get the active patch distribution.
  3. Specific Device: To specific device level distribution.

               Start Date: Select the date by when this current distribution should start rolling out on the selected devices. By default, the current date is used.

               Start Time: Select the time of the day at which the current distribution should start rolling out to the selected devices. The default value is Immediate.

               Distribute Over: To help balance the organization's network load, now an admin can stagger the distribution period to avoid patch installation at the same time on all the device in an organization.

               Action Expiry (in days): Specify the number of days after which the action will expire automatically. (Max 90 days)

    • Restart Settings:

                Some patches require device restart to complete the patch installation process.

                Allow restart deferral: This option lets the end-user defer the restart of the device for a specific duration.

                Deadline for force restart: As the name suggests, this is the total deferral duration at the end of which the device will be forcefully restarted.


    Now once you select all the required options for your organization’s needs, click the  Distribution button for patch distribution. 

    3. Track Patch Distribution Details:

    Once a patch distribution is successful, a record will be created under Distribution Details page, where admin can track patch distribution information such as Distribution Target, Status, Start Date & Time, End Date & Time, Distribute Over, Last updated by etc.

    • Status: This shows the status of the patch distribution details.
    • Active: Patch distribution is still active, and the devices will receive the distributed patch as per the time frame.
    • Scheduled: Patch distribution is currently scheduled for a future date. It becomes active on the mentioned start date.
    • Expired: Patch distribution is no longer active and the devices scheduled for update after patch distribution expiration date will not get the distribution.
    • Stop: Patch distribution is no longer active. If a device has already received the distribution, then the patch installation process will go ahead. Patch distribution status will update as per the patch installation response from those devices. But if the device has not yet received the patch then the device will not get the patch distribution (as distribution is Stopped).
    • Invalid: If a patch is distributed to a Device Group and later the Device group is deleted, the status is Invalid and the distribution will be stopped. If a device has already received the distribution, then the patch installation process will go ahead. Patch distribution status will update as per the patch installation response from those devices. But if the device has not yet received the patch then the device will not get the patch distribution.

        4. Patch Distribution Status:

        When an admin does not have access to all end-user devices, either on-premise or virtually, tracking the status of the patch distribution on the end-user device may not be possible. To tackle this issue MaaS360 provides a separate Patch Distribution Status page for each patch distribution detail where the status can be tracked at the individual device level.

        • Status labels:
        • Received: Device received the patch distribution from MaaS360.
        • Scheduled: MaaS360 Agent scheduled the distributed patch for the installation process.
        • In-Progress: Patch installation process is in progress.
        • Pending Restart: Patch installation is done and, as selected by the admin, restart of the device is required to complete the patch installation process.
        • In-Validation: Patch installation is done, and the MaaS360 agent is evaluating the installation status.
        • Installed: Patch is installed successfully.
        • Failed: Patch installation failed. (Note, MaaS360 retries the patch installation after 24 hours.)


              That completes the detail on how an administrator can perform patch distribution and track the status. Let’s now turn our attention to how MaaS360 provides features like Refresh, Search and Filter options for an easy user experience.

              5. Refresh:

               Clicking on the Refresh button on OS Patches (Windows) page populates the same page with the latest set of missing patches available with MaaS360.

              6. Search and Filter:

              The MaaS360 Portal provides an easier way to search and/or filter the patches by using patch name, kb name, etc. as shown below.

              Security is always going to be a cat-and-mouse game because new vulnerabilities are discovered every day and unpatched systems are one of the easier attack vectors for cybercriminals to exploit. The MaaS360 team is constantly working on giving you the tools and insights to help you maximize the security of your devices, users and data while improving the user experience.

              We wrote this blog to help you get the most out the patch management workflow to secure your devices. If you have any questions or feedback, you can post them in the Comments section, reach out to me at or contact your IBM account representative. As always, we’ll be happy to hear from you and help you get maximized the value of your MaaS360 investment.