Patch Windows vulnerabilities in bulk or individually
Bulk patch Windows vulnerabilities across product version
In the Products page, if you have a product version selected that is running a Windows operating system, you will see an Apply Windows KBs action link next to the Manage SBOMs drop-down button.
Note: Depending on how complete this SBOM is, it may be in a draft or interim state in which you are still applying Windows KBs to the digital twin of your product version to stay in sync with what you've already applied to your physical test device. If so, you may be able to apply KBs to resolve vulnerabilities in this current version. If the SBOM is in a final state or already released, create a ticket to apply the KBs to the next version of your SBOM so that your digital and physical device versions stay in sync.
You can assess these KBs on your physical test devices, or you can apply them here first to understand which vulnerabilities they will fix before starting physical testing. This gives you a clearer view of your overall current risk and an accurate digital record of your device's current state, lets you quickly answer whether your business is exposed to a particular vulnerability, and lets you confidently communicate recommended patches for your customers to apply.
To apply KBs:
In the Products (SBOM) page, click the Apply Windows KBs action link next to the Manage SBOMs drop-down button. This displays the Apply Windows KBs modal, which lets you keep your Windows KB patching in Helm aligned with your internal Windows KB testing and the recommendations you make to your customers.
Copy and paste the KBs into the KBs to apply list box. Make sure all values are separated by commas. If you're pasting from a spreadsheet, you can use the JOIN function in Excel or Google Sheets; for example, in Google Sheets, JOIN(",", A2:A20) joins the patch (KB) numbers in cells A2 through A20 into one comma-separated string. Copy and paste that calculated string directly into the Patches (KB) field. Each comma-separated patch (KB) number is automatically converted into a chip. You do not need to include the "KB" prefix in front of the Windows patch (KB) numbers; if you do, the system strips it out.
If there are already KBs applied, they display in the box to the right, KBs already applied. You can remove any erroneously applied KBs from here in order to keep your device version aligned with your ideal patch recommendations to your customers.
Click Apply changes. This adds the new KBs to this product version and removes any KBs you removed. Beyond checking that each value is numeric, we do not validate these KBs, because you may have applied non-security KBs, or a KB may have been released after our daily sync with the Windows sources we use to extract updated KB information.
After applying KBs, you’ll see a success message letting you know which KBs were applied, as well as how many vulnerabilities they resolved.
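The parsing and apply rules described in the steps above, written out as an added example (this is not Helm's own code; the pasted string and the vulnerability-to-KB mapping are constructed placeholders):

```python
import re

# Constructed sample: what a user might paste after JOIN(",", A2:A20) in Sheets,
# with stray whitespace, mixed-case "KB" prefixes, a duplicate and one bad value.
PASTED_KBS = "KB5034441, kb5034123,5034441 ,KB5034765, 12ab, "

# Constructed mapping of Vuln IDs to the KBs that resolve each one. In Helm this
# comes from the daily sync with the Windows sources; these are placeholders.
VULN_TO_KBS = {
    "VULN-0001": {"5034441", "5034765"},
    "VULN-0002": {"5034765"},
    "VULN-0003": {"5034123"},
    "VULN-0004": {"5030000"},
}


def parse_kb_list(pasted):
    """Split a comma-separated paste into KB numbers (the 'chips').

    Mirrors the page's rules: the 'KB' prefix is optional and stripped, and the
    only validation is that the value is numeric (no check that it is a real
    or security-related KB). Returns (accepted, rejected); accepted keeps
    first-seen order with duplicates dropped.
    """
    accepted, rejected, seen = [], [], set()
    for raw in pasted.split(","):
        token = raw.strip()
        if not token:
            continue  # trailing comma or empty cell
        number = re.sub(r"(?i)^kb", "", token)
        if not number.isdigit():
            rejected.append(token)
        elif number not in seen:
            seen.add(number)
            accepted.append(number)
    return accepted, rejected


def apply_changes(already_applied, new_kbs, removed_kbs, vuln_to_kbs):
    """Compute the resulting applied set and the Vuln IDs it resolves.

    A vulnerability counts as resolved when any one of its fixing KBs is applied.
    Returns (applied_kbs, resolved_vuln_ids), both sorted.
    """
    applied = (set(already_applied) | set(new_kbs)) - set(removed_kbs)
    resolved = sorted(v for v, fixes in vuln_to_kbs.items() if fixes & applied)
    return sorted(applied), resolved
```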
Once you've patched Windows vulnerabilities, you'll still need to change their remediation statuses.
Patch individual Windows vulnerabilities
In the Vulnerabilities table, for Windows vulnerabilities, you'll see an update indicator next to the Vuln IDs that can be resolved by applying a Windows KB.
Note: Depending on how complete your SBOM is, it may be in a draft or interim state in which you are still applying Windows KBs to the digital twin of your product version to stay in sync with what you've already applied to your physical test device. If so, you may be able to apply a KB to resolve this vulnerability in this current version. If the SBOM is in a final state or already released, create a ticket to apply this KB to the next version of your SBOM so that your digital and physical device versions stay in sync.
Once you’ve determined which KBs you need to apply to resolve a vulnerability, click the KB indicator next to the Vuln ID. This will display the Resolve panel.
In this panel, you'll see a list of suggested KBs. The top one is the most recently released and rolls up the most of the earlier KBs. You can click each KB link to go to the Microsoft MSRC site to determine which KB matches what you are applying to your physical test device, so you can align your digital twin record accordingly.
Click Resolve with selected KB when you've chosen which KB you want to apply. You’ll see a success message letting you know which KB was applied, as well as how many and which vulnerabilities it resolved.
Next to the Vuln ID, the row will be grayed out to indicate that a KB has been applied. You can hover over this to see what KB was applied to resolve this vulnerability.
Once you've patched a Windows vulnerability, you'll still need to change its remediation status.
Manage multiple patch levels across your devices in the field
No matter how accurate and timely the patching recommendations you make to your clients are, some customers won’t patch up to the recommended level.
To manage multiple patch levels:
Export your current SBOM from Helm before you start applying KBs.
Upload your SBOM again, modifying its name slightly, such as SBOM_productname_v1.2 to SBOM_productname_v1.2.1.
In this new version, you can then apply the Windows KB patching that matches what you’re applying to your physical test devices. This will enable you to track your device’s vulnerability level at various patching levels, enabling you to provide the requisite proof to the FDA that you are proactively managing risk levels across all devices.