{"id":3147,"date":"2026-02-20T10:50:06","date_gmt":"2026-02-20T10:50:06","guid":{"rendered":"https:\/\/zecurit.com\/help\/endpoint-management\/patch-management\/"},"modified":"2026-02-20T12:39:55","modified_gmt":"2026-02-20T12:39:55","slug":"patch-management","status":"publish","type":"docs","link":"https:\/\/zecurit.com\/help\/endpoint-management\/patch-management\/","title":{"rendered":"Patch Management"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Overview<\/h2>\n\n\n\n<p>Zecurit&#8217;s <a href=\"https:\/\/zecurit.com\/endpoint-management\/patch-management\"><strong>Patch Management<\/strong> <\/a>module helps IT administrators automate, control, and audit the patching lifecycle for all managed Windows endpoints, from a single device to thousands across multiple locations.<\/p>\n\n\n\n<p>Without a centralized patch strategy, organizations are exposed to known vulnerabilities that attackers actively exploit. Zecurit eliminates this gap by giving you full visibility into which devices are missing critical updates, and the tools to enforce consistent patching policies at scale.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What You Can Do with Patch Management<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Capability<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>Windows Update Policy<\/td><td>Create and deploy granular Windows Update configurations to device groups<\/td><\/tr><tr><td>Missing Patch Detection<\/td><td>Scan endpoints and identify missing security and feature updates<\/td><\/tr><tr><td>Deferral Controls<\/td><td>Defer quality and feature updates to control rollout timing<\/td><\/tr><tr><td>Active Hours Management<\/td><td>Prevent forced restarts during business hours<\/td><\/tr><tr><td>WSUS Integration<\/td><td>Route update traffic through an internal WSUS server<\/td><\/tr><tr><td>Compliance Reporting<\/td><td>Track patch status across all managed 
endpoints<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Key Concepts<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Profiles<\/h3>\n\n\n\n<p>A <strong>Profile<\/strong> is a collection of configuration policies (including Windows Update Policy) that you define once and apply to one or more device groups or individual devices. All policies within a profile are automatically enforced on the next device check-in.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Device Groups<\/h3>\n\n\n\n<p>You can organize endpoints into <strong>Groups<\/strong> (e.g., by department, location, or risk level) and assign different patch profiles to each group. For example, your IT team may receive patches immediately while other departments get a 7-day deferral window.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Policy vs. Detection<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Policy<\/strong> (Windows Update Policy) controls <em>how<\/em> updates are applied \u2014 schedule, deferrals, restart behavior, bandwidth, and sources.<\/li>\n\n\n\n<li><strong>Detection<\/strong> (Missing Patch) tells you <em>what<\/em> updates are currently absent on any given device, so you can act before vulnerabilities are exploited.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Use Case: End-to-End Patch Workflow<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Scenario:<\/strong> Your organization has 200 endpoints across IT, HR, and Finance departments. You need IT devices to get patches first, and other departments to receive them after a 7-day deferral. 
You also need a daily report of any device missing critical security updates.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Step 1: Create Device Groups<\/strong> Navigate to <strong>Groups and Devices<\/strong> and create three groups: <code>IT-Devices<\/code>, <code>HR-Devices<\/code>, and <code>Finance-Devices<\/code>.<\/p>\n\n\n\n<p><strong>Step 2: Create Patch Profiles<\/strong> Under <strong>Configurations &gt; Create Profile<\/strong>, create two profiles:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>IT-Patch-Policy<\/code>: no deferral, auto download and install<\/li>\n\n\n\n<li><code>Corp-Patch-Policy<\/code>: 7-day quality update deferral, notify before install<\/li>\n<\/ul>\n\n\n\n<p><strong>Step 3: Configure Windows Update Policy<\/strong> Within each profile, open <strong>Windows Update Policy<\/strong> and configure update behavior, restart windows, and WSUS settings as needed.<\/p>\n\n\n\n<p><strong>Step 4: Publish and Associate<\/strong> Publish each profile and associate it with the corresponding device group. Policies are applied at the next device check-in.<\/p>\n\n\n\n<p><strong>Step 5: Monitor Missing Patches<\/strong> Use <strong>Missing Patch Detection<\/strong> to run daily scans and identify any endpoints that have not yet received critical updates. 
Export or schedule reports for compliance records.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Sub-Topics in This Section<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/zecurit.com\/help\/endpoint-management\/patch-management\/windows-update-policy\/\">Windows Update Policy \u2013 Policy Creation &amp; Association<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/zecurit.com\/help\/endpoint-management\/patch-management\/missing-patch-detection\/\">Missing Patch Detection \u2013 How to Find Missing Patches<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Related Resources<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/zecurit.com\/endpoint-management\/patch-management\/\">Zecurit Patch Management Product Page<\/a><\/li>\n<\/ul>\n\n\n\n<p><\/p>\n","protected":false},"featured_media":3176,"parent":3006,"menu_order":5,"comment_status":"open","ping_status":"closed","template":"","doc_tag":[],"class_list":["post-3147","docs","type-docs","status-publish","has-post-thumbnail","hentry"],"comment_count":0,"_links":{"self":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3147","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/types\/docs"}],"replies":[{"embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/comments?post=3147"}],"version-history":[{"count":2,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3147\/revisions"}],"predecessor-version":[{"id":3175,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3147\/revisions\/3175"}],"up":[{"embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3006"}],"prev":[{"title":"Power 
Management","link":"https:\/\/zecurit.com\/help\/endpoint-management\/power-management\/","href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3018"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/media\/3176"}],"wp:attachment":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/media?parent=3147"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/doc_tag?post=3147"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}