Managing system software
Written by Tara Bennet
Updated over a week ago

NAVIGATION Modules > Patch Management

SECURITY Patch > Edit Policy

Pulseway's Patch Management module enables you to create policies capable of delivering OS updates and third-party applications to your managed endpoints.

This article describes the process to deploy software to a managed system.

Overview

To manage system updates and third-party software on your systems, you'll first need to create a patch policy. Then, you'll assign your policy to a specific system, scope, agent or tag group.

How to...

Create a patch policy

  1. In Pulseway, navigate to Modules > Patch Management > Policies.

  2. Click Create Policy.

  3. On the General tab, complete the policy's Name and Description fields.

  4. Depending on the type of policy you're creating, click the Windows settings tab. You'll see the following configuration options.

    Windows settings

    The Settings and OS Rules tabs control the way Pulseway manages updates to your endpoint's operating system. The 3rd Party Software Rules tab contains the workflows required to deploy software contained in the catalog to managed systems.

    Settings

    The Settings tab controls the way that target systems will handle the download and installation of Windows Updates. From this location, you can customize the following behaviors.

    Windows automatic updates configuration

| Setting | Definition |
| --- | --- |
| Notify before downloading and installing any updates | Informs the user of available Windows Updates and provides the option to download and install them |
| Automatically download updates and let a user choose when to install | When Windows Updates are available, downloads them and then prompts the user to install them |
| Automatically download and install updates | Downloads and installs Windows Updates without user interaction |
| Turn off automatic updates | Disables automatic Windows Updates |

Options

| Setting | Definition |
| --- | --- |
| Prevent end users from executing and configuring Windows Update | Disallows user access to the Windows Update application on managed endpoints |
| Create Restore Point before installing updates | Automatically creates a Windows Restore Point before installing any Windows Update |
| Notify the logged in users 5 minutes before reboot | Surfaces a notification to all active users that the system will reboot; this option is not available when Let the operating system choose the reboot time is selected in Reboot options. |
| Randomize update interval | Prevents all systems from updating at the same time; divides systems into multiple sets and begins patching for each set at a different point in time (up to 30 minutes from the scheduled execution time) |
| Start patching as soon as possible if the scheduled execution was missed | If the scheduled execution was missed, starts execution when the agent is back online |
| Configure active hours start and duration | Defines the maximum number of hours from the start time that users can set their active hours; Windows will not reboot a device for updates during these hours. NOTE This feature is only supported by Windows Server 2016, Windows 10, and above. |
| Defer quality updates X days | Defines when Windows should download and install quality updates. NOTE This feature is only supported by Windows Server 2016, Windows 10, and above. |
| Defer feature updates X days | Specifies when Windows should download and install Feature Updates. NOTE This feature is only supported by Windows Server 2016, Windows 10, and above. |
| Do not include driver updates | Excludes driver updates from Windows Updates |

Deployment schedule

| Setting | Definition |
| --- | --- |
| Set schedule | Schedules the policy to run daily, weekly, monthly or any other customized frequency of your choice; you must specify the first day of execution of the policy. NOTE Scheduled date and time represents the local system's date and time. |
| Use an additional dedicated schedule for 3rd party patch management | Creates an additional dedicated schedule specifically for third-party patch management; the schedule you set here overrides the overall schedule |

Reboot schedule

| Setting | Definition |
| --- | --- |
| Let the operating system choose the reboot time | Windows schedules the reboot according to working hours configuration and internal logic |
| Reboot immediately if it is required | As required, immediately reboots the system after installing updates |
| Schedule the reboot if it is required | Allows the user to pick a preferred time for the system to reboot |

OS Rules

The OS Rules tab enables you to define rules for how Pulseway determines whether or not it should download and install a particular Windows Update.

You can configure Pulseway to take specific actions based on the following criteria:

  • Severity (Critical, Important, Optional)

  • Name

  • Description of the update

  • Category

  • Days since release

  • CVE code

  • CVSS score

When an update matches a defined rule, Pulseway can take the following actions:

  • Approve and Install

  • Reject and Hide

  • Skip and Review

You can add any number of update rules. Pulseway will evaluate them in a top-down order; the system will check the rules from the top of the list, and when a rule matches the update, the evaluation will stop and that rule's action will apply. You can click the Move Up, Move Down, Move First, or Move Last buttons in the Actions menu to change the rules' sequence.
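The top-down, first-match evaluation described above can be modeled in a few lines to show why rule order matters. This is an added illustration, not Pulseway code: the rule labels, field names and sample updates are constructed, and returning None when no rule matches is an assumption, since the article does not describe that case.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Update:  # constructed model of an update; fields mirror the rule criteria
    name: str
    severity: str
    category: str
    days_since_release: int
    cvss: float

@dataclass
class Rule:  # hypothetical rule: a label, a match predicate and one of the three actions
    label: str
    matches: Callable[[Update], bool]
    action: str

def evaluate(rules: List[Rule], update: Update) -> Optional[Tuple[str, str]]:
    """Check rules from the top; the first match decides and evaluation stops."""
    for rule in rules:
        if rule.matches(update):
            return rule.label, rule.action
    return None  # assumption: the article does not define the no-match case

def unused_rules(rules: List[Rule], updates: List[Update]) -> List[str]:
    """Labels of rules that decided none of the sample updates (possibly shadowed)."""
    decided = {hit[0] for u in updates if (hit := evaluate(rules, u))}
    return [r.label for r in rules if r.label not in decided]

def move_first(rules: List[Rule], label: str) -> List[Rule]:
    """Model of the Move First button: a new list with the named rule on top."""
    return sorted(rules, key=lambda r: r.label != label)  # stable sort keeps the rest in order

RULES = [
    Rule("hold-recent", lambda u: u.days_since_release < 7, "Skip and Review"),
    Rule("urgent-cvss", lambda u: u.cvss >= 9.0, "Approve and Install"),
    Rule("no-drivers", lambda u: u.category == "Drivers", "Reject and Hide"),
    Rule("critical", lambda u: u.severity == "Critical", "Approve and Install"),
]
UPDATES = [  # constructed sample data, not real update names
    Update("Cumulative update A", "Critical", "Security Updates", 2, 9.8),
    Update("Cumulative update B", "Critical", "Security Updates", 20, 7.5),
    Update("Display driver", "Optional", "Drivers", 40, 0.0),
]

if __name__ == "__main__":
    for label, rules in (("original", RULES), ("urgent first", move_first(RULES, "urgent-cvss"))):
        print(label, [(u.name, evaluate(rules, u)) for u in UPDATES], unused_rules(rules, UPDATES))
```

In the original order the CVSS 9.8 update released two days ago is held for review because the deferral rule sits above the CVSS rule, and the CVSS rule never decides anything in this sample. Moving the CVSS rule first approves that update while the other two outcomes stay the same.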

Good to know

It's important to keep in mind the following limitations about OS rules:

  • We recommend turning off automatic updates to have full control over deployment and reboot procedures.

  • Choosing to not install an update is effective only under the following circumstances:

    1. Within the limited duration of time (between release of the update and forcing of the update) when Microsoft still keeps the update optional; and

    2. On specific versions of Windows where all updates are optional.

  • We do not endorse using scripts to block updates, as doing so can damage your endpoint. They conflict with limitations specifically implemented by Microsoft to ensure that systems cannot automatically block Windows updates.

  • While you can script the uninstallation of Windows updates, the updates will be re-installed on the next forced update event, which can cause the cyclical uninstallation and re-installation of system updates.

3rd Party Software Rules

The 3rd Party Software Rules tab contains the catalog of all third-party applications supported by Pulseway and deployment options for each program.

NOTE We manually maintain and continuously update this catalog independently from VSA's product releases. To learn about our update process, refer to Pulseway

To create a rule for a particular application, in the Software column, locate the name of the program you'd like to manage and select the corresponding radio button for the action you'd like to take. The following features and fields are available:

| Feature or field | Definition |
| --- | --- |
| Software | Name of the deployable application |
| Version | Current build of the program available from the catalog |
| Install and keep up to date | Installs the software and all updates as they become available |
| Keep up to date | Does not install the software if it is not already present on the system; installs all updates as they become available if it is present |
| Uninstall | Removes the software from any system where it is present |
| Do nothing | Takes no action and deactivates the rule |

Once you've selected the software and the actions you'd like to take, click Save.

Assign the patch policy

Once the policy is created, it will appear in the table on the Policies page.

Move your mouse over the policy to reveal the following options:

  • View

  • Run

  • Edit

  • Clone

  • Delete

Before you can use it to manage software, you'll need to assign the policy to a system. To do so, perform the following steps.

  1. In Pulseway, navigate to Modules > Patch Management > Agent Status.

  2. Filter the Agent Status list to the system or systems you'd like to manage.

  3. To apply a policy to an individual endpoint, move your mouse over its entry in the list and click the or icons next to its name. To apply a policy to multiple systems, click Actions > Assign Policy or Actions > Change Policy.

  4. In the Agent Status modal that opens, select a policy to assign from the drop-down menu. Then, click Assign Policy or Apply Policy Update. You can also assign policies directly to organizations, sites, and agent groups at Administration > Configuration > Organizations.

  5. The selected policy will appear in the Policy column for all selected systems on the Agent Status page.

  6. Once the policy is applied, the status of the selected systems will change to Active.

  7. To run the policy for an individual system, move your mouse over the selected endpoint's entry in the list and click the icon. To run the policy for multiple systems, click Actions > Run Policy.

    Monitoring policy execution

    You can monitor the outcome of policy executions at Modules > Patch Management > History. Click any entry in the list to see detailed information about each job.


Third-party patch management trial

If you don't currently have a third-party patch management license, you can begin a trial at Modules > Patch Management > License. Click the Activate Trial option to gain access. Allow a few minutes for your VSA subscription to update after doing so.
