Overview
Zecurit’s Patch Management module helps IT administrators automate, control, and audit the patching lifecycle for all managed Windows endpoints, from a single device to thousands across multiple locations.
Without a centralized patch strategy, organizations are exposed to known vulnerabilities that attackers actively exploit. Zecurit eliminates this gap by giving you full visibility into which devices are missing critical updates, and the tools to enforce consistent patching policies at scale.
What You Can Do with Patch Management
| Capability | Description |
|---|---|
| Windows Update Policy | Create and deploy granular Windows Update configurations to device groups |
| Missing Patch Detection | Scan endpoints and identify missing security and feature updates |
| Deferral Controls | Defer quality and feature updates to control rollout timing |
| Active Hours Management | Prevent forced restarts during business hours |
| WSUS Integration | Route update traffic through an internal WSUS server |
| Compliance Reporting | Track patch status across all managed endpoints |
Key Concepts
Profiles
A Profile is a collection of configuration policies (including Windows Update Policy) that you define once and apply to one or more device groups or individual devices. All policies within a profile are automatically enforced on the next device check-in.
Device Groups
You can organize endpoints into Groups (e.g., by department, location, or risk level) and assign different patch profiles to each group. For example, your IT team may receive patches immediately while other departments get a 7-day deferral window.
Policy vs. Detection
- Policy (Windows Update Policy) controls how updates are applied — schedule, deferrals, restart behavior, bandwidth, and sources.
- Detection (Missing Patch) tells you what updates are currently absent on any given device, so you can act before vulnerabilities are exploited.
Use Case: End-to-End Patch Workflow
Scenario: Your organization has 200 endpoints across IT, HR, and Finance departments. You need IT devices to get patches first, and other departments to receive them after a 7-day deferral. You also need a daily report of any device missing critical security updates.
Step 1: Create Device Groups
Navigate to Groups and Devices and create three groups: IT-Devices, HR-Devices, and Finance-Devices.
Step 2: Create Patch Profiles
Under Configurations > Create Profile, create two profiles:
- IT-Patch-Policy: no deferral, auto download and install
- Corp-Patch-Policy: 7-day quality update deferral, notify before install
Step 3: Configure Windows Update Policy
Within each profile, open Windows Update Policy and configure update behavior, restart windows, and WSUS settings as needed.
Step 4: Publish and Associate
Publish each profile and associate it with the corresponding device group. Policies are applied at the next device check-in.
Step 5: Monitor Missing Patches
Use Missing Patch Detection to run daily scans and identify any endpoints that have not yet received critical updates. Export or schedule reports for compliance records.
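After Step 4, an administrator usually wants to confirm on a sample device that the profile actually took effect and see what is still missing. The following PowerShell check is an added example, not Zecurit code; it assumes the profile is enforced through the standard Windows Update policy registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, and the expected values (7-day deferral, 08:00-18:00 active hours) are taken from the Corp-Patch-Policy scenario above.

```powershell
# Added example (not Zecurit code): spot-check the effective Windows Update policy on one
# endpoint against the intended profile and list missing updates by MSRC severity.
# Assumption: the profile lands in the standard Windows Update policy registry keys.
param(
    [int]$ExpectedQualityDeferralDays = 7,   # Corp-Patch-Policy from the scenario
    [int]$ExpectedActiveHoursStart    = 8,   # assumed business hours 08:00-18:00
    [int]$ExpectedActiveHoursEnd      = 18
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the policy value is absent instead of throwing.
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

$effective = [ordered]@{
    QualityDeferralDays = Get-PolicyValue $wuKey 'DeferQualityUpdatesPeriodInDays'
    FeatureDeferralDays = Get-PolicyValue $wuKey 'DeferFeatureUpdatesPeriodInDays'
    ActiveHoursStart    = Get-PolicyValue $wuKey 'ActiveHoursStart'
    ActiveHoursEnd      = Get-PolicyValue $wuKey 'ActiveHoursEnd'
    WsusServer          = Get-PolicyValue $wuKey 'WUServer'
    UseWsus             = Get-PolicyValue $auKey 'UseWUServer'
}

# Compare what the device enforces with what the profile was supposed to set.
$drift = @()
if ($effective.QualityDeferralDays -ne $ExpectedQualityDeferralDays) {
    $drift += "quality deferral is '$($effective.QualityDeferralDays)', expected $ExpectedQualityDeferralDays"
}
if ($effective.ActiveHoursStart -ne $ExpectedActiveHoursStart -or
    $effective.ActiveHoursEnd   -ne $ExpectedActiveHoursEnd) {
    $drift += "active hours are $($effective.ActiveHoursStart)-$($effective.ActiveHoursEnd), expected $ExpectedActiveHoursStart-$ExpectedActiveHoursEnd"
}
# When traffic is routed through WSUS, the server URL should be HTTPS so update
# metadata cannot be altered in transit between the endpoint and the WSUS server.
if ($effective.UseWsus -eq 1 -and $effective.WsusServer -notmatch '^https://') {
    $drift += "WSUS server '$($effective.WsusServer)' is not served over HTTPS"
}

# Missing updates via the Windows Update Agent COM API (the data the WU client itself uses).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$missing  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
$critical = @($missing | Where-Object { $_.MsrcSeverity -in 'Critical', 'Important' })

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    PolicyDrift     = if ($drift) { $drift -join '; ' } else { 'none' }
    MissingUpdates  = $missing.Count
    MissingCritical = $critical.Count
    CriticalTitles  = ($critical | ForEach-Object Title) -join '; '
}
```

Run it elevated on a device in the Corp group after the next check-in; a non-empty PolicyDrift field means the profile did not apply as intended, and a non-zero MissingCritical count is what the daily Missing Patch report should be surfacing.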
Sub-Topics in This Section
- Windows Update Policy – Policy Creation & Association
- Missing Patch Detection – How to Find Missing Patches