Creating/editing Patch Management policies
NAVIGATION Modules > Patch Management
SECURITY Patch > Edit Policy
VSA 10's Patch Management module enables you to create policies capable of delivering OS updates and third-party applications to your managed endpoints.
This article describes the process to deploy software to a managed device.
NOTE For comprehensive information about how policies work, refer to Policies overview. To learn how to automate your patch review process, consult Automating patch review. For details about managing software on a mobile device, review VSA 10 MDM: Apple MDM profiles.
Patch Management overview
Patch Management is a strategy for managing patches or upgrades for software applications and technologies. A patch is software designed to update a computer program or its supporting data to fix or improve it. This includes fixing security vulnerabilities and other bugs and improving the usability or performance.
Effective patch management helps protect devices against known vulnerabilities that attackers could exploit, and it's an essential component of any cybersecurity strategy.
Patch Management brings the following benefits to a customer's IT environment:
- Security: Patch Management is vital for correcting security flaws. Many patches address vulnerabilities that could be exploited by hackers to gain unauthorized access to devices. By promptly applying these patches, a customer can significantly reduce the risk of a security breach.
- Compliance: Many industries are governed by regulatory standards that require companies to maintain certain levels of cybersecurity. Patch Management ensures that devices are up to date and compliant with these regulations.
- Performance improvements: Aside from security updates, patches can also bring enhancements that improve the performance of software and devices, leading to better efficiency and user experience.
- Access to new features: Software updates can deliver new features and improvements that are not available in earlier versions, allowing users to take advantage of the latest functionalities.
Patch Management is a systematic process involving several steps to ensure that software updates and patches are consistently applied to computers and network equipment. As follows is a general outline of how it works:
- Inventory: The first step is to assess inventory of the current software and devices to understand what applications and versions are in use. This helps in identifying which patches are applicable.
- Patch discovery: Regularly check for new patches and updates released by software vendors. This can be done manually or automatically with patch management tools.
- Risk assessment: Evaluate the patches to determine the urgency of applying them based on the severity of the issues they address. This might involve understanding the vulnerabilities and the potential impact on the business.
- Prioritization: Decide which patches to apply first, often based on the risk assessment. Critical security patches are usually prioritized over routine updates.
- Testing: Before deploying a patch widely, it is typically tested in a controlled environment to ensure it does not cause issues with existing devices or applications.
- Approval: After testing, patches must be approved for deployment. In some organizations, this step requires sign-off from IT management or compliance officers.
- Deployment: Roll out the patches to the relevant devices. This can be done manually but is often automated using patch management software. The deployment may be staged across different parts of the network or done all at once, depending on the organization's size and structure.
- Verification and monitoring: After deployment, it’s essential to verify that patches have been applied correctly and monitor devices for any unexpected behavior that might indicate a problem with the patch.
- Documentation and reporting: Keep records of all patch management activities, including what was patched, when, and the outcome. This documentation is crucial for audits, compliance, and troubleshooting future issues.
- Maintenance: Continuous monitoring for new patches and updates is necessary, as is maintaining the tools and devices used for patch management.
To manage device updates and third-party software on your devices using VSA 10, you'll first need to create a patch policy. Then, you'll assign your policy to a specific device, scope, agent or tag group.
How to...
Create a patch management policy
- From the left navigation menu in VSA 10, navigate to Patch Management > Policies.
- Click Create Policy.
- On the General tab, complete the policy's Name and Description fields.
- Depending on the type of policy you're creating, click the Windows settings or macOS settings tab. You'll see the following configuration options.
Windows settings
The Settings and OS Rules tabs control the way VSA 10 manages updates to your endpoint's operating system. The 3rd Party Software Rules tab contains the workflows required to deploy software contained in the catalog to managed devices. Select a topic to continue.
Settings
The Settings tab controls the way that target devices will handle the download and installation of Windows Updates. From this location, you can customize the following behaviors.
Windows automatic updates configuration
| Setting | Definition |
| Notify before downloading and installing any updates | Informs the user of available Windows Updates and provide the option to download and install them. |
| Automatically download updates and let a user choose when to install | When Windows Updates are available, downloads them and then prompts the user to install them. |
| Automatically download and install updates | Downloads and installs Windows Updates without user interaction. |
| Turn off automatic updates | Disables automatic Windows Updates. |
Delivery Optimization configuration
| Setting | Definition |
| Enabled |
Enables Windows Delivery Optimization and allows configuration of the following parameters:
|
| Disabled | Disables Windows Delivery Optimization |
| Do not change local settings (default option) | Does not enable, disable, or change any locally configured Windows Delivery Optimization settings. |
WSUS configuration
| Setting | Definition |
| Enabled |
Configures WSUS with the following parameters:
|
| Disabled | Disables WSUS. |
| Do not change local settings (default option) | Does not enable, disable, or change any locally configured WSUS settings. |
Options
| Setting | Definition |
| Prevent end users from executing and configuring Windows Update | Disallows user access to the Windows Update application on managed endpoints. |
| Create Restore Point before installing updates | Automatically creates a Windows Restore Point before installing any Windows Update. |
| Notify the logged in users 5 minutes before reboot | Surfaces a notification to all active users that the device will reboot; this option is not available when Let the operating system choose the reboot time is selected in Reboot options. |
| Randomize update interval | Prevents all devices from updating at the same time; divides devices into multiple sets and begins patching for each set at a different point in time (up to 30 minutes from the scheduled execution time). |
| Start patching as soon as possible if the scheduled execution was missed | If the scheduled execution was missed, starts execution when the agent is back online. |
| Configure active hours start and duration | Defines the maximum number of hours from the start time that users can set their active hours; Windows will not reboot a device for updates during these hours. NOTE This feature is only supported by Windows Server 2016, Windows 10, and above. |
| Defer quality updates X days | Defines when Windows should download and install quality updates. NOTE This feature is only supported by Windows Server 2016, Windows 10, and above. |
| Defer feature updates X days | Specifies when Windows should download and install Feature Updates. NOTE This feature is only supported by Windows Server 2016, Windows 10, and above. |
| Do not include driver updates | Excludes driver updates from Windows Updates. |
Deployment schedule
| Setting | Definition |
| Edit schedule | Schedules the policy to run daily, weekly, monthly or any other customized frequency of your choice; you must specify the first day of execution of the policy. NOTE Scheduled date and time represents the local device's date and time. |
| Use an additional dedicated schedule for 3rd party patch management | Creates an additional dedicated schedule specifically for third-party patch management; the schedule you set here overrides the overall schedule. |
| Distribute deployment start within a 30-minute window | Enabling this option adds a random delay (max 30 minutes) to the scheduled execution time. |
| Start deployment as soon as possible if the scheduled execution is missed | If the device misses the scheduled start time, then it will start as soon as the agent comes back online. |
Reboot schedule
The Reboot Schedule section allows you to schedule when any post patching reboots, if required, take place.
| Setting | Definition |
| Let the operating system choose the reboot time |
Windows schedules the reboot according to working hours configuration and internal logic. You can also choose to configure active hours for devices using this policy by checking the Configure active hours start and duration option. |
| Reboot immediately if it is required |
As required, immediately reboots the device after installing updates. If you want to notify any logged in users that their devices are going to reboot, check the Notify a logged in user 5 minutes before the reboot option. |
| Schedule the reboot if it is required |
As required, reboots the device on a specific day or days of the week after installing updates. If you want to notify any logged in users that their devices are going to reboot, check the Notify a logged in user before the reboot option, and set how many hours before the reboot is scheduled that you would like logged in users to be alerted. NOTE Users will be able to snooze the reboot message or choose to reboot their device immediately, but they cannot delay the scheduled reboot. If you want to make sure the device just reboots after a certain point at any time, and not just at the specific scheduled time, you can check the Reboot as soon as possible if the reboot deadline is missed option. |
Notifications
| Setting | Definition |
| Send a notification when...updates are found and require review with priority... | Select the check box to trigger a notification of Low, Normal, Elevated, or Critical priority when patch updates with a severity level of Critical only, either Critical or Important, or Optional are detected. Refer to OS Rules and Device notifications. |
| Send a notification upon error during OS patching with priority... | Select the check box to trigger a notification of Low, Normal, Elevated, or Critical priority when an error occurs during the operating system patching process. Refer to OS Rules and Device notifications. |
| Send a notification upon error during Software patching with priority... | Select the check box to trigger a notification of Low, Normal, Elevated, or Critical priority when an error occurs during the software patching process. Refer to 3rd Party Software Rules and Device notifications. |
Using the Set Schedule button, you can configure how often and when Patch Management notifications will be sent to the account.
OS Rules
The OS Rules tab enables you to define rules for how VSA 10 determines whether or not it should download and install a particular Windows Update.
You can configure VSA 10 to take specific actions based on the following criteria:
- Severity (Critical, Important, Optional)
- Name
- Description of the update
- Category
- Days since release
- CVE code
- CVSS score
When an update matches a defined rule, VSA 10 can take the following actions:
- Approve and Install
- Reject and Hide
- Skip and Review
You can add any number of update rules. VSA 10 will evaluate them in a top-down order; the system will check the rules from the top of the list, and when a rule matches the update, the evaluation will stop and that rule's action will apply. You can click the Move Up, Move Down, Move First, or Move Last buttons in the Actions menu to change the rules' sequence.
Good to know
It's important to keep in mind the following limitations about OS rules:
- We recommend turning off automatic updates to have full control over deployment and reboot procedures.
- Choosing to not install an update is effective only under the following circumstances:
- Within the limited duration of time (between release of the update and forcing of the update) when Microsoft still keeps the update optional; and
- On specific versions of Windows where all updates are optional.
- We do not endorse using scripts to block updates, as doing so can damage your endpoint. They conflict with limitations specifically implemented by Microsoft to ensure that devices cannot automatically block Windows updates.
- While you can script the uninstallation of Windows updates, the updates will be re-installed on the next forced update event, which can cause the cyclical uninstallation and re-installation of system updates.
3rd Party Software Rules
The 3rd Party Software Rules tab contains the catalog of all third-party applications supported by VSA 10 and deployment options for each program.
NOTE We manually maintain and continuously update this catalog independently from VSA 10's product releases. To learn about our update process, refer to VSA 10 software application catalog update process and SLAs. For the complete list of supported software applications, refer to VSA 10 software application catalog.
To create a rule for a particular application, in the Software column, locate the name of the program you'd like to manage and select the corresponding radio button for the action you'd like to take. The following features and fields are available:
| Feature or field | Definition |
| Software | Name of the deployable application. |
| Version | Current build of the program available from the catalog. |
| Install and keep up to date | Installs the software and all updates as they become available. |
| Keep up to date | Do not install the software if it is not already present on the device; installs all updates as they become available if it is present. |
| Uninstall | Removes the software from any device where it is present. |
| Do nothing | Takes no action and deactivates the rule. |
Once you've selected the software and the actions you'd like to take, click Save. Then, proceed to the Assign the patch policy section of this article.
macOS settings
The macOS settings are only supported for devices enrolled through MDM. The following configuration options are available.
Software Update configuration
| Setting | Definition |
| Check for updates | Allow checking for available updates on macOS devices. Checking this enables Download new updates when available. |
| Download new updates when available | Allows download of new updates either immediately or deferred depending on your settings in Options. Checking this enables Install macOS updates and Install application updates from the App Store. |
| Install macOS updates | Allows install of macOS operating system updates. |
| Install application updates from the App Store | Allows install of application updates for any installed applications from the App Store. |
| Install Security Responses and system files | Allows install of Rapid Security Responses and system file updates. This can be enabled independently of macOS and App Store updates. |
Options
| Setting | Definition |
| Defer major updates X days | Defines when macOS should download and install major updates. |
| Defer minor updates X days | Defines when macOS should download and install minor updates. |
Once you've selected the software and the actions you'd like to take, click Save. Then, proceed to the Assign the patch policy section of this article.
Assign the patch policy
Once the policy is created, it will appear in the table on the Policies page.
Move your mouse over the policy to reveal the following options:
- View
- Run
- Edit
- Clone
- Delete
Before you can use it to manage software, you'll need to assign the policy to a device. To do so, perform the following steps.
- From the left navigation menu in VSA 10, navigate to Patch Management > Agent Status.
- Filter the Agent Status list to the device or devices you'd like to manage.
- To apply a policy to an individual endpoint, move your mouse over its entry in the list and click the
or 
icons next to its name. To apply a policy to multiple devices, click Actions > Assign Policy or Actions > Change Policy. - In the Agent Status modal that opens, select a policy to assign from the drop-down menu. Then, click Assign Policy or Apply Policy Update. You can also assign policies directly to organizations, sites, and agent groups via Configuration > Organizations.
- The selected policy will appear in the Policy column for all selected devices on the Agent Status page.
- Once the policy is applied, the status of the selected devices will change to Active.
- To run the policy for an individual device, move your mouse over the selected endpoint's entry in the list and click the
icon. To run the policy for multiple devices, click Actions > Run Policy.
Monitoring policy execution
You can monitor the outcome of policy executions via Patch Management > History. Click any entry in the list to see detailed information about each job.
Third-party patch management trial
If you don't currently have a third-party patch management license, you can begin a trial via Patch Management > License. Click the Activate Trial option to gain access. Allow a few minutes for your VSA subscription to update after doing so.
