All Collections
Patch Management
Managing system software
Managing system software
Tara Bennet avatar
Written by Tara Bennet
Updated over a week ago

NAVIGATION Modules > Patch Management

SECURITY Patch > Edit Policy

Pulseway's Patch Management module enables you to create policies capable of delivering OS updates and third-party applications to your managed endpoints.

This article describes the process to deploy software to a managed system.


To manage system updates and third-party software on your systems, you'll first need to create a patch policy. Then, you'll assign your policy to a specific system, scope, agent or tag group.

How to...

Create a patch policy

  1. In Pulseway, navigate to Modules > Patch Management > Policies.

  2. Click Create Policy.

  3. On the General tab, complete the policy's Name and Description fields.

  4. Depending on the type of policy you're creating, click the Windows settings tab. You'll see the following configuration options.

    Windows settings

    The Settings and OS Rules tabs control the way Pulseway manages updates to your endpoint's operating system. The 3rd Party Software Rules tab contains the workflows required to deploy software contained in the catalog to managed systems.


    The Settings tab controls the way that target systems will handle the download and installation of Windows Updates. From this location, you can customize the following behaviors.

    Windows automatic updates configuration



Notify before downloading and installing any updates

Informs the user of available Windows Updates and provide the option to download and install them

Automatically download updates and let a user choose when to install

When Windows Updates are available, downloads them and then prompts the user to install them

Automatically download and install updates

Downloads and installs Windows Updates without user interaction

Turn off automatic updates

Disables automatic Windows Updates




Prevent end users from executing and configuring Windows Update

Disallows user access to the Windows Update application on managed endpoints

Create Restore Point before installing updates

Automatically creates a Windows Restore Point before installing any Windows Update

Notify the logged in users 5 minutes before reboot

Surfaces a notification to all active users that the system will reboot; this option is not available when Let the operating system choose the reboot time is selected in Reboot options.

Randomize update interval

Prevents all systems from updating at the same time; divides systems into multiple sets and begins patching for each set at a different point in time (up to 30 minutes from the scheduled execution time)

Start patching as soon as possible if the scheduled execution was missed

If the scheduled execution was missed, starts execution when the agent is back online

Configure active hours start and duration

Defines the maximum number of hours from the start time that users can set their active hours; Windows will not reboot a device for updates during these hours

NOTE This feature is only supported by Windows Server 2016, Windows 10, and above.

Defer quality updates X days

Defines when Windows should download and install quality updates

NOTE This feature is only supported by Windows Server 2016, Windows 10, and above.

Defer feature updates X days

Specifies when Windows should download and install Feature Updates.

NOTE This feature is only supported by Windows Server 2016, Windows 10, and above.

Do not include driver updates

Excludes driver updates from Windows Updates

Deployment schedule



Set schedule

Schedules the policy to run daily, weekly, monthly or any other customized frequency of your choice; you must specify the first day of execution of the policy

NOTE Scheduled date and time represents the local system's date and time.

Use an additional dedicated schedule for 3rd party patch management

Creates an additional dedicated schedule specifically for third-party patch management; the schedule you set here overrides the overall schedule

Reboot schedule



Let the operating system choose the reboot time

Windows schedules the reboot according to working hours configuration and internal logic

Reboot immediately if it is required

As required, immediately reboots the system after installing updates

Schedule the reboot if it is required

Allows the user to pick a preferred time for the system to reboot

OS Rules

The OS Rules tab enables you to define rules for how Pulseway determines whether or not it should download and install a particular Windows Update.

You can configure Pulseway to take specific actions based on the following criteria:

  • Severity (Critical, Important, Optional)

  • Name

  • Description of the update

  • Category

  • Days since release

  • CVE code

  • CVSS score

When an update matches a defined rule, Pulseway can take the following actions:

  • Approve and Install

  • Reject and Hide

  • Skip and Review

You can add any number of update rules. Pulseway will evaluate them in a top-down order; the system will check the rules from the top of the list, and when a rule matches the update, the evaluation will stop and that rule's action will apply. You can click the Move Up, Move Down, Move First, or Move Last buttons in the Actions menu to change the rules' sequence.

Good to know

It's important to keep in mind the following limitations about OS rules:

  • We recommend turning off automatic updates to have full control over deployment and reboot procedures.

  • Choosing to not install an update is effective only under the following circumstances:

    1. Within the limited duration of time (between release of the update and forcing of the update) when Microsoft still keeps the update optional; and

    2. On specific versions of Windows where all updates are optional.

  • We do not endorse using scripts to block updates, as doing so can damage your endpoint. They conflict with limitations specifically implemented by Microsoft to ensure that systems cannot automatically block Windows updates.

  • While you can script the uninstallation of Windows updates, the updates will be re-installed on the next forced update event, which can cause the cyclical uninstallation and re-installation of system updates.

3rd Party Software Rules

The 3rd Party Software Rules tab contains the catalog of all third-party applications supported by Pulseway and deployment options for each program.

NOTE We manually maintain and continuously update this catalog independently from VSA's product releases. To learn about our update process, refer to Pulseway

To create a rule for a particular application, in the Software column, locate the name of the program you'd like to manage and select the corresponding radio button for the action you'd like to take. The following features and fields are available:

Feature or field



Name of the deployable application


Current build of the program available from the catalog

Install and keep up to date

Installs the software and all updates as they become available

Keep up to date

Do not install the software if it is not already present on the system; installs all updates as they become available if it is present


Removes the software from any system where it is present

Do nothing

Takes no action and deactivates the rule

Once you've selected the software and the actions you'd like to take, click Save.

Assign the patch policy

Once the policy is created, it will appear in the table on the Policies page.

Move your mouse over the policy to reveal the following options:

  • View

  • Run

  • Edit

  • Clone

  • Delete

Before you can use it to manage software, you'll need to assign the policy to a system. To do so, perform the following steps.

  1. In Pulseway, navigate to Modules > Patch Management > Agent Status.

  2. Filter the Agent Status list to the system or systems you'd like to manage.

  3. To apply a policy to an individual endpoint, move your mouse over its entry in the list and click the or icons next to its name. To apply a policy to multiple systems, click Actions > Assign Policy or Actions > Change Policy.

  4. In the Agent Status modal that opens, select a policy to assign from the drop-down menu. Then, click Assign Policy or Apply Policy Update. You can also assign policies directly to organizations, sites, and agent groups at Administration > Configuration > Organizations.

  5. The selected policy will appear in the Policy column for all selected systems on the Agent Status page.

  6. Once the policy is applied, the status of the selected systems will change to Active.

  7. To run the policy for an individual system, move your mouse over the selected endpoint's entry in the list and click the icon. To run the policy for multiple systems, click Actions > Run Policy.

    Monitoring policy execution

    You can monitor the outcome of policy executions at Modules > Patch Management > History. Click any entry in the list to see detailed information about each job.


Third-party patch management trial

If you don't currently have a third-party patch management license, you can begin a trial at Modules > Patch Management > License. Click the Activate Trial option to gain access. Allow a few minutes for your VSA subscription to update after doing so.

Did this answer your question?