A Complete Guide to Easy Windows Patch Management

What is patch management?

Patch management is the process of distributing and applying updates to software, such as operating systems (OS), platforms, and applications. It involves identifying out-dated software within your infrastructure, applying patches to that software, and validating the installation of those patches. These patches are often necessary to fix errors in the software, which are often referred to as vulnerabilities or bugs. 

Why is patch management important?

Patch management is important for three main reasons:

• Security: Patch management fixes vulnerabilities in your software (OS, platform, application) that are susceptible to exploitation. It helps your organization to reduce the risk of cyberattacks.
• Compliance: Organizations are often required by regulators to follow strict guidelines because of the constant increase in cyberattacks. Patch management is a necessary part of complying to certain standards, such as PCI-DSS, HIPAA, SOC2, ISO27001, or BSI. 
• System uptime: Patch management ensures your software is kept up-to-date and running smoothly without errors causing system downtime.

Finding missing patches with Mondoo

As a part of its full-stack security solution, Mondoo identifies what important patches are missing from your systems. For this blog post, I set up some vagrant Linux machines with out-of-date operating systems. I’ll use them to walk through some different ways that Mondoo shows you the patches needed.  

config.vm.define "win2016" do |win2016|

  win2016.vm.box = "gusztavvargadr/windows-server-standard"
 
  win2016.vm.box_version = "1607.0.2108"

  win2016.vm.network "private_network", ip: '192.168.56.252'

 end

config.vm.define "win2019" do |win2019|

  win2019.vm.box = "gusztavvargadr/windows-server"

  win2019.vm.box_version = "1809.0.2112"

  win2019.vm.network "private_network", ip: '192.168.56.230'

 end

config.vm.define "win2022" do |win2022|

  win2022.vm.box = "gusztavvargadr/windows-server"

  win2022.vm.box_version = "2102.0.2112"

  win2022.vm.network :private_network, ip: "192.168.56.236"

 end

config.vm.define "win10" do |win10|

  win10.vm.box = "gusztavvargadr/windows-10"

  win10.vm.network "private_network", ip: '192.168.56.249'

 end

Prerequisite: Please create a free account on console.mondoo.com. 

Mondoo offers different options for scanning a Linux vagrant system:

Option 1: Install Mondoo Client on the Windows system

Option 2: Use vagrant transporter

Option 3: Use SSH transporter

Option 1: Find missing patches with Mondoo

1. Login to the vagrant Windows 2016 system via Remote Desktop Protocol (RDP):

atomic111: ∅> xfreerdp /u:vagrant /v:192.168.56.252:3389 /h:2048 

/w:2048 /p:'vagrant'

Open a Windows PowerShell as an administrator:

2. Install Mondoo Client:

A. Log into your account at console.mondoo.com

B. Go to the Integrations tab and select Windows

C. Set the PowerShell execution policy:

Set-ExecutionPolicy RemoteSigned -scope CurrentUser

D. Copy the CLI commands that Mondoo provides and paste them in the Windows 2016 PowerShell. 

E. After the Mondoo Client installation finishes, add the Mondoo path and type `mondoo status` to verify that Mondoo Client is registered and working. It should look like this:

PS C:\Users\vagrant> $env:Path = 'C:\Program Files\Mondoo\;'
+ $env:Path

PS C:\Users\vagrant> mondoo status

→ loaded configuration from C:\ProgramData\Mondoo\mondoo.yml 
using source default

→ Hostname:     WIN-UO68HGC3S3I

→ IP:           10.0.2.15

→ Platform:     windows

→ Release:      14393

→ Time:         2022-07-29T09:22:09Z

→ Version:      6.8.0 (API Version: 6)

→ API ConnectionConfig: https://us.api.mondoo.com

→ API Status:   SERVING

→ API Time:     2022-07-29T09:22:15Z

→ API Version:  6

→ Space:        //captain.api.mondoo.app/spaces/determined-yonath
-835445

→ Client:       //agents.api.mondoo.app/spaces/determined-yonath
-835445/agents/2Cc0CvGWW9SlxWG2JbqsTxfgmEB

→ Service Account:      //agents.api.mondoo.app/spaces/determined
-yonath-835445/serviceaccounts/2Cc0Ctf346RDy9WwWd6KK9ggM6j

→ client is registered

→ client authenticated successfully

PS C:\Users\vagrant>

After a Windows restart, the installation path is automatically added to the PowerShell path variable.

F. Quickly verify that the following policies are enabled for your space:

• Platform End-of-Life Policy by Mondoo 
• Platform Vulnerability Policy by Mondoo

Your Policy Hub should look like this:

3. Run the Mondoo scan in PowerShell:

mondoo scan local

Mondoo Client connects to the Mondoo backend and downloads the enabled policies. After the scan, Mondoo Client reports results back to the Mondoo backend.

Click the report URL to open the Mondoo Space overview page, which shows the Windows 2016 asset and the top vulnerabilities within the Mondoo Space.

4. Select Fleet and then select the Windows asset to  see the Mondoo asset overview page for the Windows 2016 system.

In the system overview, the Mondoo Dashboard highlights that the Windows 2016 operating system is close to the end-of-life date. By default there is also a Windows Security Baseline enabled. Select Platform Vulnerabilities to see the Advisories and CVE that affect this system. Mondoo shows:

• Which KB you must install to fix the vulnerability 
• How critical the vulnerability is 
• An overview of the advisories and CVEs

Option 2: Scan a Windows vagrant machine via vagrant transporter

1. Install and register Mondoo Client on your host system running the vagrant Windows 2016 system.

2. Run the following command:

Option 3: Scan a Windows system remote via ssh transporter

1. Install and register Mondoo Client on your host system running the vagrant Windows 2016 system.

2. Run the following command:

Scan other operating systems

You can also scan the Windows 2019/2022 and Windows 10/11 systems I set up for this article. Use the installed Mondoo Client, ssh transporter, or vagrant transporter.

Scan via vagrant transporter:

mondoo scan vagrant win 10
mondoo scan vagrant win2019
mondoo scan vagrant win2022

Scan via ssh transporter:

mondoo scan ssh vagrant@192.168.56.249 -p 'vagrant'
mondoo scan ssh vagrant@192.168.56.230 -p 'vagrant'
mondoo scan ssh vagrant@192.168.56.236 -p 'vagrant'

Don’t limit yourself to scanning the machines I set up for this exercise! You can follow the same steps to scan your own infrastructure.

Mondoo’s full-stack security solution identifies vulnerabilities and provides steps to fix the problems. Keep scanning and discover how you can harden your systems. If you have questions, we’d love to help.