Feature overview: Patch Management

Overview of how the Patch Management module works in the Defense.com Endpoint Protection agent.

Written by Mikey Anderson
Updated over a week ago

The Defense.com Patch Management add-on module for Endpoint Protection helps you keep your operating systems and software applications up-to-date. Your Defense.com representative can set up and configure your Patch Management.


Compatibility

The Defense.com Patch Management module is compatible with:

  • Windows for workstations

  • Windows for servers

  • The following Linux distributions: CentOS, RHEL, and SLE

Note: Patch Management is only available if you have deployed the Defense.com Endpoint Protection agent. The setup and configuration of the Patch Management module is managed via your Defense.com representative.


Capabilities

Defense.com Patch Management enables you to carry out the following tasks:

  • Scan for patches

    The agent scans the endpoint for missing patches and reports them back to Defense.com.

  • Apply patches

    Defense.com sends the agent a list of patches you want to install. The endpoint downloads the patches from the Patch Caching Server and then installs them. You can also choose what type of patches to be installed on the endpoints:

    • Security patches - include fixes for vulnerabilities / CVEs.

    • Non-security patches - include bug fixes and new features for third-party applications.


Scheduling patches

There are different scheduling options available:

  • Smart scan for patches when new applications are installed. When a new application is installed on the endpoint, the agent automatically installs all discovered OS and application updates, regardless of any planned scan and installation tasks (not available on Linux devices).

  • Use the same schedule for all targeted operations. The agent scans for patches and then installs them on the endpoint as soon as possible.

Your Defense.com representative will work with you to configure when the desired action (patch scanning or patch installation) should take place, with the following maintenance window configuration options available:

  • Immediately (only for patch installation) - the security agent will install patches as soon as possible after finishing a patch scan.

  • Weekly - the security agent scans for patches and installs them during the week as follows:

    • On certain weeks of the month (every one, two, three, or four weeks).

    • On specific days (any selection from Monday to Sunday).

    • Starting with a specific date.

    • Between certain hours (any selection from 00:00 to 23:59).

  • Monthly - the security agent scans for patches and installs them during the month as follows:

    • On certain months of the year (every one, two, three and so on, up to every twelve months).

    • On specific days (any selection from the first to the last day of the month, or during specific days of the week).

    • Starting with a specific date.

    • Between certain hours (any selection from 00:00 to 23:59).

Examples:

  • For a weekly schedule, you can set a patch scan task to take place every three weeks, on Monday, Wednesday and Friday, starting 18 September 2023, between 18:00 and 19:30.

  • For a monthly schedule, you can set a patch scan task to take place every two months, on the third Wednesday of the month, starting 18 September 2023, between 10:00 and 10:59.

Note: if you have chosen the scan to take place on the 31st day of the month, the task will be skipped in months with 30 days or less.

For various reasons, an endpoint may be offline when patch installation is scheduled to run. In these cases, it is possible to configure your Patch Management policy to install the patches immediately after the endpoint comes back online.
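The maintenance window options above (weekly every N weeks on chosen weekdays, monthly on a day of the month or the n-th weekday, a start date, a time range, the skipped 31st, and the missed-window case for an endpoint that was offline) can be checked with a small scheduler model. The following is an added example written for this article; it is not Defense.com agent code, and the choice to count weeks from the Monday of the start date's calendar week is an assumption made here.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import List, Optional, Set, Tuple, Union


@dataclass
class WeeklyWindow:
    """Weekly option: every N weeks, on chosen weekdays, from a start date,
    between two times of day."""
    every_n_weeks: int        # 1..4 as described in the article
    weekdays: Set[int]        # 0 = Monday ... 6 = Sunday
    start: date
    begin: time
    end: time

    def matches_day(self, d: date) -> bool:
        if d < self.start:
            return False
        # Assumption: week 0 is the calendar week (Mon-Sun) containing the start date.
        first_monday = self.start - timedelta(days=self.start.weekday())
        weeks_elapsed = (d - first_monday).days // 7
        return weeks_elapsed % self.every_n_weeks == 0 and d.weekday() in self.weekdays


@dataclass
class MonthlyWindow:
    """Monthly option: every N months, on a day of the month or on the n-th
    weekday of the month, from a start date, between two times of day."""
    every_n_months: int                              # 1..12
    start: date
    begin: time
    end: time
    day_of_month: Optional[int] = None               # 1..31, or
    nth_weekday: Optional[Tuple[int, int]] = None    # (n, weekday), e.g. (3, 2) = third Wednesday

    def matches_day(self, d: date) -> bool:
        if d < self.start:
            return False
        months_elapsed = (d.year - self.start.year) * 12 + (d.month - self.start.month)
        if months_elapsed % self.every_n_months != 0:
            return False
        if self.day_of_month is not None:
            # A task set for the 31st is skipped in shorter months: no date in
            # such a month has d.day == 31, so it simply never matches.
            return d.day == self.day_of_month
        n, weekday = self.nth_weekday
        return d.weekday() == weekday and (d.day - 1) // 7 == n - 1


Window = Union[WeeklyWindow, MonthlyWindow]


def is_open(window: Window, at: datetime) -> bool:
    """True if the maintenance window is open at the given moment."""
    return window.matches_day(at.date()) and window.begin <= at.time() <= window.end


def occurrences(window: Window, from_date: date, to_date: date) -> List[date]:
    """All days in [from_date, to_date] on which the window opens."""
    days = []
    d = from_date
    while d <= to_date:
        if window.matches_day(d):
            days.append(d)
        d += timedelta(days=1)
    return days


def missed_while_offline(window: Window, offline_from: datetime, online_at: datetime) -> bool:
    """Did a window open while the endpoint was offline? With the
    'install immediately after the endpoint comes back online' policy option,
    this is the condition under which the agent would catch up on reconnect."""
    for d in occurrences(window, offline_from.date(), online_at.date()):
        opens = datetime.combine(d, window.begin)
        if offline_from <= opens <= online_at:
            return True
    return False


if __name__ == "__main__":
    # The article's weekly example: every three weeks, Mon/Wed/Fri, from 18 Sep 2023, 18:00-19:30.
    weekly = WeeklyWindow(3, {0, 2, 4}, date(2023, 9, 18), time(18, 0), time(19, 30))
    print(occurrences(weekly, date(2023, 9, 18), date(2023, 10, 15)))
    # The article's monthly example: every two months, third Wednesday, from 18 Sep 2023, 10:00-10:59.
    monthly = MonthlyWindow(2, date(2023, 9, 18), time(10, 0), time(10, 59), nth_weekday=(3, 2))
    print(occurrences(monthly, date(2023, 9, 1), date(2024, 1, 31)))
```

Running the script lists the dates on which each example window opens; the `day_of_month=31` case produces no entries for September and November, which is the skipping behaviour the note above describes.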


Reboot preferences

You can choose your endpoint reboot preferences when patches are ready to be installed. The following options are available:

  • Users postpone the system restart until a more convenient time

    This allows endpoint users to restart their system whenever they want, without enforcing a time limit.

    On the endpoint, the security agent will display a dialogue window where users can restart the system immediately, postpone the restart alert, or pick a more convenient time.

  • Users postpone the system restart only within a specific interval

    This enforces a time limit for when endpoint users must restart their systems. You can also specify:

    • An additional number of minutes if the interval is missed.

    • A custom message for the endpoint to display before the restart.

    On the endpoint, the security agent will display a dialogue window where users can restart the system immediately, postpone the restart alert, or pick a more convenient time. An interface message will inform them when the restart is scheduled to take place, according to the configuration made by your Defense.com representative. The custom message will appear before the restart as a Windows message.

Example:

If you have set the interval between 16:30 and 17:30, with an additional 10 minutes for a missed interval, users can postpone the restart within that hour. Starting at 17:30, they will have only 10 minutes left until the automatic restart of the system, regardless of their actions.

  • System restarts automatically after a specific number of minutes.

    This option enforces an automatic restart on the endpoints, after a specific time. In this case, endpoint users cannot postpone or pick a time for restart. For this option you can also define a custom message to be displayed before the restart.

Note: Patch Management currently does not support reboot on Linux endpoints.
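The three reboot preferences, and the deadline arithmetic of the interval example (16:30 to 17:30 plus 10 minutes), can be modelled to see which dialogue the agent would show at a given moment. This is an added example written for this article, not Defense.com agent code; the type names and the `"prompt:..."`/`"restart"` action labels are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Union


@dataclass
class PostponeFreely:
    """Users postpone the system restart until a more convenient time: no deadline."""


@dataclass
class PostponeWithinInterval:
    """Users may postpone only between interval_start and interval_end. After the
    interval, the 'additional number of minutes if the interval is missed' runs,
    and then the endpoint restarts regardless of user action."""
    interval_start: datetime
    interval_end: datetime
    extra_minutes: int
    custom_message: str = ""


@dataclass
class AutoRestartAfter:
    """System restarts automatically a fixed number of minutes after patching;
    users cannot postpone or pick a time."""
    minutes: int
    custom_message: str = ""


RebootPreference = Union[PostponeFreely, PostponeWithinInterval, AutoRestartAfter]


def restart_deadline(pref: RebootPreference, patched_at: datetime) -> Optional[datetime]:
    """Moment of the forced restart, or None when the user is never forced."""
    if isinstance(pref, PostponeFreely):
        return None
    if isinstance(pref, PostponeWithinInterval):
        return pref.interval_end + timedelta(minutes=pref.extra_minutes)
    return patched_at + timedelta(minutes=pref.minutes)


def user_can_postpone(pref: RebootPreference, now: datetime) -> bool:
    """Whether the dialogue shown at 'now' still offers a postpone/pick-a-time choice."""
    if isinstance(pref, PostponeFreely):
        return True
    if isinstance(pref, PostponeWithinInterval):
        return pref.interval_start <= now < pref.interval_end
    return False


def minutes_until_restart(pref: RebootPreference, now: datetime, patched_at: datetime) -> Optional[int]:
    """Whole minutes left before the forced restart (None if there is no deadline)."""
    deadline = restart_deadline(pref, patched_at)
    if deadline is None:
        return None
    return max(0, int((deadline - now).total_seconds() // 60))


def agent_action(pref: RebootPreference, now: datetime, patched_at: datetime) -> str:
    """What the agent does at 'now': restart, show the postponable dialogue,
    or show a countdown the user can no longer postpone."""
    deadline = restart_deadline(pref, patched_at)
    if deadline is not None and now >= deadline:
        return "restart"
    if user_can_postpone(pref, now):
        return "prompt:postponable"
    return "prompt:countdown"


if __name__ == "__main__":
    # The article's example: interval 16:30-17:30 with 10 extra minutes (constructed date).
    pref = PostponeWithinInterval(datetime(2023, 9, 18, 16, 30), datetime(2023, 9, 18, 17, 30), 10,
                                  custom_message="Your system will restart to finish installing updates.")
    patched_at = datetime(2023, 9, 18, 16, 0)
    for hh, mm in [(17, 0), (17, 35), (17, 40)]:
        now = datetime(2023, 9, 18, hh, mm)
        print(now.time(), agent_action(pref, now, patched_at), minutes_until_restart(pref, now, patched_at))
```

At 17:00 the user may still postpone; at 17:35 the dialogue only counts down the remaining five minutes; at 17:40 the restart happens, which matches the worked example above.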


Your Defense.com representative can configure your preferences for you and assist with applying different policies for specific users or departments if required.
