Configure Patch Management Security Settings

Applies To: WatchGuard Patch Management

In a Patch Management settings profile, you configure settings to specify when WatchGuard Patch Management searches for new patches and software updates, and to specify the types of patches that Patch Management searches for. You can also disable Windows Update on your computers.

Screen shot of Patch Management settings

Screen shot of Patch Management settings for a Subscriber account

You can configure these Patch Management settings:

Disable Windows Update on Computers

To make sure that Patch Management manages the updates on your Windows computers, in the Patch Management settings profile, select Disable Windows Update on Computers.

When you enable this option, Patch Management manages updates exclusively for computers on your network. Local Windows Update settings are not used.

On devices that run Windows 10 and higher, the operating system enables you to defer quality updates, but not disable them. These updates are applied after 30 days even when you select Disable Windows Update on Computers.
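
One way to record the local Windows Update state on an endpoint after the profile is assigned, as an added PowerShell example that is not WatchGuard's own code. It reads only standard Windows policy values and service state. The page does not say which mechanism Patch Management uses to disable Windows Update, so treat the output as an observation to compare across endpoints, not as a product pass/fail.

```powershell
# Added example: report the Windows Update state visible on this computer.
# Reads standard Windows locations only; it does not query the WatchGuard agent.
# Requires Windows PowerShell 5.x or later (for the service StartType property).

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Windows Update service (wuauserv): current status and configured start type.
$svc       = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
$svcStatus = if ($svc) { $svc.Status }    else { 'NotFound' }
$svcStart  = if ($svc) { $svc.StartType } else { 'NotFound' }

$report = [pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    WuServiceStatus     = $svcStatus
    WuServiceStartType  = $svcStart
    # NoAutoUpdate = 1 means Automatic Updates is turned off by policy.
    NoAutoUpdate        = Get-PolicyValue $auKey 'NoAutoUpdate'
    AUOptions           = Get-PolicyValue $auKey 'AUOptions'
    # Quality update deferral; Windows accepts 0 to 30 days for the period.
    DeferQualityUpdates = Get-PolicyValue $wuKey 'DeferQualityUpdates'
    DeferQualityDays    = Get-PolicyValue $wuKey 'DeferQualityUpdatesPeriodInDays'
}
$report | Format-List

# Most recently installed updates, to see whether quality updates still arrive
# outside of patch installation tasks.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```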

Automatically Search for Patches

To enable Patch Management to automatically search for available patches, enable Automatically Search for Patches. If this option is not enabled, Patch Management lists do not show missing patches, although you can use patch installation tasks to install missing patches on computers.

Patch Installation (Subscribers only)

Specifies if the patch installs on the devices in a group when the settings profile is assigned. You can also designate computers in the group as test computers for patch installation.

Search Frequency

Specifies how often Patch Management searches the cloud-based patch database to check for missing patches for your computers.

You can search for missing patches every 1, 3, 6, or 12 hours, or once a day. When you change the frequency, the Missing Patches list refreshes automatically.

Patch Criticality

Specifies the importance (or criticality) of the security patches that Patch Management searches for, and whether to search for other non-security patches and service packs. The Other patches category includes patches with bug fixes and feature enhancements for macOS and Linux.

Software vendors define the importance of the security patches they make available to address vulnerabilities. Patch classifications are not universal and vary by vendor.

To determine whether you want to install a patch, we recommend that you review its description, especially for patches that a vendor does not classify as Critical.

To configure Patch Management settings:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Settings.
  3. From the left pane, select Patch Management.
  4. Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.
    The Add Settings or Edit Settings page opens.

    Screen shot of Patch Management Settings

  5. Enter a Name and Description for the profile, if required.
  6. To make sure that Patch Management manages Windows updates on your computers, enable the Disable Windows Update on Computers toggle.
  7. To automatically search for patches, enable Automatically Search for Patches.
  8. (Subscribers only) Select a Patch Installation option.
    • Install patches — Automatically apply patches to the devices in the assigned groups.
    • Designate as test computer and install patches — Designate the devices in the assigned groups as test computers.
    • Do not install patches — Do not apply patches to devices in the assigned groups.
  9. To specify how often to search for patches, from the Search Frequency drop-down list, select a frequency.
  10. To specify which patches to search for, in the Patch Criticality section, enable or disable toggles for different types of Security Patches, Other Patches, and Service Packs.
    The Other Patches category includes patches with bug fixes and feature enhancements for macOS and Linux.
  11. Click Save.
  12. Select the profile and assign recipients, if required.
    For more information, go to Assign a Settings Profile.

Manage Patch Installation with Multiple Settings Profiles

When a Service Provider manages the security of multiple managed accounts from a single Endpoint Security management UI, some managed accounts might have Patch Management and some might not. To make sure that a patch installation task is not sent by the Service Provider to computers that do not have Patch Management, you can create different patch installation settings profiles.

To configure Patch Management to install or not install patches on computers:

  1. In a Subscriber account, create a settings profile for computers with a Patch Management license.
    1. In the settings profile, select Install Patches from the Patch Installation drop-down list.
    2. Assign the settings profile to computers with the license.
  2. Create a second settings profile for client computers without a Patch Management license.
    1. In the settings profile, select Do Not Install Patches from the Patch Installation drop-down list.
    2. Assign the settings profile to computers without a license.
  3. In a Service Provider account, create a patch installation task and assign it to the account that includes both computers that have a Patch Management license and computers that do not. For more information, go to Multi-Tenant Management — Manage Tasks.

Designate Computers as Test Computers for Patch Installation

When you install patches on test computers, you can verify the installation results before you install the patches on other computers on the network.

To configure Patch Management to install patches on test computers only:

  1. In a Subscriber account, create a Patch Management settings profile.
    1. In the settings profile, select Designate as test computers and install patches from the Patch installation drop-down list.
    2. Assign the settings profile to computers you want to designate as test computers.
  2. Create a patch installation task.
    1. Assign the task to recipients.
    2. Enable Run the task only on test computers.
      • In a Subscriber account, enable the toggle.
      • In a Service Provider account, select Yes.

      This option is disabled by default. If you do not enable this option, the task runs for all computers, including test computers.

Related Topics

About Patch Management

Manage Settings

Install Patches