Creating/editing Patch Management policies
Written by Luiz Evelin
Updated this week

Pulseway's Patch Management module enables you to create policies capable of delivering OS updates and third-party applications to your managed endpoints.

This article describes how to create a patch policy, what each of its settings does, and how to assign and run it so that software is deployed to a managed device.

Patch Management overview

Patch Management is a strategy for managing patches or upgrades for software applications and technologies. A patch is software designed to update a computer program or its supporting data to fix or improve it. This includes fixing security vulnerabilities and other bugs and improving the usability or performance.

Effective patch management helps protect devices against known vulnerabilities that attackers could exploit, and it's an essential component of any cybersecurity strategy.

Patch Management brings the following benefits to a customer's IT environment:

  • Security: Patch Management is vital for correcting security flaws. Many patches address vulnerabilities that could be exploited by hackers to gain unauthorized access to devices. By promptly applying these patches, a customer can significantly reduce the risk of a security breach.

  • Compliance: Many industries are governed by regulatory standards that require companies to maintain certain levels of cybersecurity. Patch Management ensures that devices are up to date and compliant with these regulations.

  • Performance improvements: Aside from security updates, patches can also bring enhancements that improve the performance of software and devices, leading to better efficiency and user experience.

  • Access to new features: Software updates can deliver new features and improvements that are not available in earlier versions, allowing users to take advantage of the latest functionalities.

Patch Management is a systematic process involving several steps to ensure that software updates and patches are consistently applied to computers and network equipment. The following is a general outline of how it works:

  • Inventory: The first step is to assess the inventory of the current software and devices to understand what applications and versions are in use. This helps in identifying which patches are applicable.

  • Patch discovery: Regularly check for new patches and updates released by software vendors. This can be done manually or automatically with patch management tools.

  • Risk assessment: Evaluate the patches to determine the urgency of applying them based on the severity of the issues they address. This might involve understanding the vulnerabilities and the potential impact on the business.

  • Prioritization: Decide which patches to apply first, often based on the risk assessment. Critical security patches are usually prioritized over routine updates.

  • Testing: Before deploying a patch widely, it is typically tested in a controlled environment to ensure it does not cause issues with existing devices or applications.

  • Approval: After testing, patches must be approved for deployment. In some organizations, this step requires a sign-off from IT management or compliance officers.

  • Deployment: Roll out the patches to the relevant devices. This can be done manually but is often automated using patch management software. The deployment may be staged across different parts of the network or done all at once, depending on the organization's size and structure.

  • Verification and monitoring: After deployment, it’s essential to verify that patches have been applied correctly and monitor devices for any unexpected behavior that might indicate a problem with the patch.

  • Documentation and reporting: Keep records of all patch management activities, including what was patched, when, and the outcome. This documentation is crucial for audits, compliance, and troubleshooting future issues.

  • Maintenance: Continuous monitoring for new patches and updates is necessary, as is maintaining the tools and devices used for patch management.

To manage device updates and third-party software on your devices using Pulseway, you'll first need to create a patch policy. Then, you'll assign your policy to a specific device, scope, agent, or tag group.

How to:

Create a patch management policy

  1. From the left navigation menu in Pulseway, navigate to Patch Management > Policies.

  2. Click Create Policy.

  3. On the General tab, complete the policy's Name and Description fields.

  4. Depending on the type of policy you're creating, click the Windows settings or macOS settings tab. You'll see the following configuration options.

Windows settings

The Settings and OS Rules tabs control the way Pulseway manages updates to your endpoint's operating system. The 3rd Party Software Rules tab contains the workflows required to deploy software contained in the catalog to managed devices.

Settings

The Settings tab controls the way that target devices will handle the download and installation of Windows Updates. From this location, you can customize the following behaviors.

Windows automatic updates configuration

  • Notify before downloading and installing any updates: Informs the user of available Windows Updates and provides the option to download and install them.

  • Automatically download updates and let a user choose when to install: When Windows Updates are available, downloads them and then prompts the user to install them.

  • Automatically download and install updates: Downloads and installs Windows Updates without user interaction.

  • Turn off automatic updates: Disables automatic Windows Updates.

Delivery Optimization configuration

  • Enabled: Enables Windows Delivery Optimization and allows configuration of the following parameters:

    • Minimum peer caching content file size, MB: The minimum content file size, in MB, that is eligible for peer caching.

    • Absolute max cache size, GB: The maximum number of gigabytes the Delivery Optimization cache can use.

    • Delay foreground download from HTTP, seconds: Starting in Windows 10, version 1803, delays the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer.

  • Disabled: Disables Windows Delivery Optimization.

  • Do not change local settings (default option): Does not enable, disable, or change any locally configured Windows Delivery Optimization settings.

WSUS configuration

  • Enabled: Configures WSUS with the following parameters:

    • Intranet update service

    • Intranet statistics server

    • Alternate download server

    • Download files with no URL in the metadata if alternate download server is set

    • Do not enforce TLS certificate pinning for Windows Update client for detecting updates

    • Proxy behavior settings:

      • Only use system proxy for detecting updates

      • Allow user proxy to be used as a fallback if detection using system proxy fails

  • Disabled: Disables WSUS.

  • Do not change local settings (default option): Does not enable, disable, or change any locally configured WSUS settings.

Options

  • Prevent end users from executing and configuring Windows Update: Disallows user access to the Windows Update application on managed endpoints.

  • Create Restore Point before installing updates: Automatically creates a Windows Restore Point before installing any Windows Update.

  • Notify the logged in users 5 minutes before reboot: Shows a notification to all active users that the device will reboot. This option is not available when Let the operating system choose the reboot time is selected in Reboot options.

  • Randomize update interval: Prevents all devices from updating at the same time; divides devices into multiple sets and begins patching for each set at a different point in time (up to 30 minutes from the scheduled execution time).

  • Start patching as soon as possible if the scheduled execution was missed: If the scheduled execution was missed, starts execution when the agent is back online.

  • Configure active hours start and duration: Defines the start time and the maximum number of hours from it within which users can set their active hours; Windows will not reboot a device for updates during these hours.

    NOTE This feature is only supported by Windows Server 2016, Windows 10, and above.

  • Defer quality updates X days: Defines how many days Windows should wait before downloading and installing quality updates.

    NOTE This feature is only supported by Windows Server 2016, Windows 10, and above.

  • Defer feature updates X days: Defines how many days Windows should wait before downloading and installing feature updates.

    NOTE This feature is only supported by Windows Server 2016, Windows 10, and above.

  • Do not include driver updates: Excludes driver updates from Windows Updates.

Deployment schedule

  • Edit schedule: Schedules the policy to run daily, weekly, monthly, or at any other customized frequency of your choice; you must specify the first day of execution of the policy.

    NOTE The scheduled date and time represent the local device's date and time.

  • Use an additional dedicated schedule for 3rd party patch management: Creates an additional dedicated schedule specifically for third-party patch management; the schedule you set here overrides the overall schedule.

  • Distribute deployment start within a 30-minute window: Adds a random delay (at most 30 minutes) to the scheduled execution time.

  • Start deployment as soon as possible if the scheduled execution is missed: If the device misses the scheduled start time, the deployment starts as soon as the agent comes back online.

Reboot Schedule

The Reboot Schedule section allows you to schedule when any post patching reboots, if required, take place.

  • Let the operating system choose the reboot time: Windows schedules the reboot according to the active hours configuration and its internal logic.

    If an update requires a restart, Windows will attempt to schedule the restart outside the device's active hours.

    The system will notify the user about the pending restart and may give the option to postpone or schedule it manually.

    If the user does not take any action, Windows will restart the system automatically after a grace period, typically within a few days. The exact timing depends on the urgency of the update.

    If Windows automatic updates are disabled by the policy via Turn off automatic updates, the system will notify the user after installing an update that requires a reboot, but the reboot will not occur automatically.

    You can also configure active hours for devices using this policy by checking the Configure active hours start and duration option.

  • Reboot immediately if it is required: Immediately reboots the device after installing updates, if a reboot is required.

    If you want to notify any logged in users that their devices are going to reboot, check the Notify a logged in user 5 minutes before the reboot option.

  • Schedule the reboot if it is required: Reboots the device, if required, on a specific day or days of the week after installing updates.

    If you want to notify any logged in users that their devices are going to reboot, check the Notify a logged in user before the reboot option, and set how many hours before the scheduled reboot logged in users should be alerted.

    NOTE Notifications scheduled to go out before patch deployment will only trigger after deployment has finished.

    NOTE Users can snooze the reboot message or choose to reboot their device immediately, but they cannot delay the scheduled reboot.

    NOTE If the reboot message appears within 30 minutes of the scheduled reboot time, users can only choose Restart Now and cannot snooze the message further.

    If you want the device to reboot after the deadline at any time, and not only at the specific scheduled time, check the Reboot as soon as possible if the reboot deadline is missed option.

Notifications

  • Send a notification when...updates are found and require review with priority...: Select the check box to trigger a notification of Low, Normal, Elevated, or Critical priority when updates of the selected severity (Critical only; Critical or Important; or Optional) are detected and require review.

  • Send a notification upon error during OS patching with priority...: Select the check box to trigger a notification of Low, Normal, Elevated, or Critical priority when an error occurs during operating system patching.

  • Send a notification upon error during Software patching with priority...: Select the check box to trigger a notification of Low, Normal, Elevated, or Critical priority when an error occurs during software patching.

Using the Set Schedule button, you can configure how often and when Patch Management notifications will be sent to the account.

OS Rules

The OS Rules tab enables you to define rules for how Pulseway determines whether or not it should download and install a particular Windows Update.

You can configure Pulseway to take specific actions based on the following criteria:

  • Severity (Critical, Important, Optional)

  • Name

  • Description of the update

  • Category

  • Days since release

  • CVE code

  • CVSS score

When an update matches a defined rule, Pulseway can take the following actions:

  • Approve and Install

  • Reject and Hide

  • Skip and Review

You can add any number of update rules. Pulseway evaluates them top-down: it checks the rules from the top of the list, and as soon as a rule matches the update, evaluation stops and that rule's action applies, so an update is only ever governed by the first rule that matches it. You can click the Move Up, Move Down, Move First, or Move Last buttons in the Actions menu to change the rules' sequence.
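The top-down, first-match evaluation described above, as an added example in Python (not Pulseway's own code): the Update and Rule fields, the rule list and the sample updates are constructed, and matching the name, description and CVE criteria as case-insensitive regular expressions is an assumption about how such text criteria could be expressed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import date, timedelta
APPROVE, REJECT, SKIP = "Approve and Install", "Reject and Hide", "Skip and Review"

@dataclass
class Update:
    name: str
    description: str
    category: str
    severity: str               # Critical, Important or Optional
    released: date
    cve: str = ""               # empty when the update lists no CVE
    cvss: float | None = None   # None when no score is published

@dataclass
class Rule:
    """One OS rule: a criterion left as None is a wildcard; set criteria must all hold."""
    action: str
    severity: set[str] | None = None
    name: str | None = None             # regex, case-insensitive
    description: str | None = None      # regex, case-insensitive
    category: str | None = None
    min_days_since_release: int | None = None
    cve: str | None = None              # regex against the CVE code
    min_cvss: float | None = None
    def matches(self, u: Update, today: date) -> bool:
        return all((
            self.severity is None or u.severity in self.severity,
            self.name is None or re.search(self.name, u.name, re.I) is not None,
            self.description is None or re.search(self.description, u.description, re.I) is not None,
            self.category is None or u.category == self.category,
            self.min_days_since_release is None or (today - u.released).days >= self.min_days_since_release,
            self.cve is None or (u.cve != "" and re.search(self.cve, u.cve) is not None),
            self.min_cvss is None or (u.cvss is not None and u.cvss >= self.min_cvss),
        ))

def evaluate(rules, update, today):
    """Top-down: the first matching rule decides; an update no rule covers is held for review."""
    for rule in rules:
        if rule.matches(update, today):
            return rule.action
    return SKIP

# Constructed rule list; the order is deliberate, and reordering changes the outcome.
RULES = [
    Rule(REJECT, name=r"\bpreview\b"),                    # never auto-install preview builds
    Rule(APPROVE, severity={"Critical"}, min_cvss=7.0),   # high-CVSS criticals go out at once
    Rule(APPROVE, severity={"Critical", "Important"}, min_days_since_release=7),  # others after a 7-day soak
    Rule(REJECT, category="Drivers"),                     # drivers are handled outside this policy
]

TODAY = date(2024, 6, 1)  # fixed reference date so the results are reproducible
UPDATES = [  # constructed sample updates; the CVE ids are placeholders, not real identifiers
    Update("Cumulative Update Preview", "Preview quality rollup", "Updates", "Important", TODAY - timedelta(days=10)),
    Update("Security Update A", "Fixes remote code execution", "Security Updates", "Critical", TODAY - timedelta(days=1), "CVE-0000-00001", 8.8),
    Update("Security Update B", "Fixes information disclosure", "Security Updates", "Important", TODAY - timedelta(days=2), "CVE-0000-00002", 5.5),
    Update("Display Driver", "Vendor graphics driver", "Drivers", "Optional", TODAY - timedelta(days=30)),
]
```

Evaluating the four sample updates gives Reject, Approve, Skip and Reject in that order; swapping the first and third rules shows why Move Up and Move Down matter, because the preview build would then be approved by the soak-period rule before the preview rule is ever reached.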

Good to know

It's important to keep in mind the following limitations about OS rules:

  • We recommend turning off automatic updates to have full control over deployment and reboot procedures.

  • Choosing not to install an update is effective only under the following circumstances:

    1. Within the limited period (between release of the update and Microsoft forcing it) during which Microsoft still keeps the update optional; and

    2. On specific versions of Windows where all updates are optional.

  • We do not endorse using scripts to block updates, as doing so can damage your endpoint; such scripts work against the limitations Microsoft implements specifically to ensure that devices cannot automatically block Windows updates.

  • While you can script the uninstallation of Windows updates, the updates will be re-installed on the next forced update event, which can cause the cyclical uninstallation and re-installation of system updates.

3rd Party Software Rules

The 3rd Party Software Rules tab contains the catalog of all third-party applications supported by Pulseway and the deployment options for each program.

To create a rule for a particular application, in the Software column, locate the name of the program you'd like to manage and select the corresponding radio button for the action you'd like to take. The following features and fields are available:

  • Software: Name of the deployable application.

  • Version: Current build of the program available from the catalog.

  • Install and keep up to date: Installs the software and applies all updates as they become available.

  • Keep up to date: Does not install the software if it is not already present on the device; if it is present, installs all updates as they become available.

  • Uninstall: Removes the software from any device where it is present.

  • Do nothing: Takes no action and deactivates the rule.

Once you've selected the software and the actions you'd like to take, click Save.

macOS Settings

The macOS settings are only supported for devices enrolled through MDM. The following configuration options are available.

Software Update configuration

  • Check for updates: Allows checking for available updates on macOS devices. Checking this enables Download new updates when available.

  • Download new updates when available: Allows download of new updates, either immediately or deferred depending on your settings in Options. Checking this enables Install macOS updates and Install application updates from the App Store.

  • Install macOS updates: Allows installation of macOS operating system updates.

  • Install application updates from the App Store: Allows installation of updates for any installed App Store applications.

  • Install Security Responses and system files: Allows installation of Rapid Security Responses and system file updates. This can be enabled independently of macOS and App Store updates.

Options

  • Defer major updates X days: Defines how many days macOS should wait before downloading and installing major updates.

  • Defer minor updates X days: Defines how many days macOS should wait before downloading and installing minor updates.

Once you've configured the settings you'd like to apply, click Save.

Assign the patch policy

Once the policy is created, it will appear in the table on the Policies page.

Move your mouse over the policy to reveal the following options:

  • View

  • Run

  • Edit

  • Clone

  • Delete

Before you can use it to manage software, you'll need to assign the policy to a device. To do so, perform the following steps.

  1. From the left navigation menu in Pulseway, navigate to Patch Management > Agent Status.

  2. Filter the Agent Status list to the device or devices you'd like to manage.

  3. To apply a policy to an individual endpoint, move your mouse over its entry in the list and click the or icons next to its name. To apply a policy to multiple devices, click Actions > Assign Policy or Actions > Change Policy.

  4. In the Agent Status modal that opens, select a policy to assign from the drop-down menu. Then, click Assign Policy or Apply Policy Update. You can also assign policies directly to organizations, sites, and agent groups via Configuration > Organizations.

  5. The selected policy will appear in the Policy column for all selected devices on the Agent Status page.

  6. Once the policy is applied, the status of the selected devices will change to Active.

  7. To run the policy for an individual device, move your mouse over the selected endpoint's entry in the list and click the icon. To run the policy for multiple devices, click Actions > Run Policy.

Monitoring policy execution

You can monitor the outcome of policy executions via Patch Management > History. Click any entry in the list to see detailed information about each job.

Third-party patch management trial

If you don't currently have a third-party patch management license, you can begin a trial via Patch Management > License. Click the Activate Trial option to gain access. Allow a few minutes for your Pulseway subscription to update after doing so.
