12.5 Creating Patch Policies

Before you can begin deploying patches to devices, the ZENworks Agent must perform the Discover Applicable Updates (DAU) task. The DAU task allows the ZENworks Agent to detect the status (Patched, Not Patched, or Not Applicable) of each patch, depending on the devices in your network.

The patch detection cycle occurs each day at the ZENworks Server, where a DAU task is scheduled for all managed devices (servers and workstations). You can also initiate a DAU task from an individual agent. You can see the results of the patch detection scan in the Patches section under the Security tab or the Devices tab of the ZENworks Server. The results are available even if a workstation is disconnected from the network.

To deploy patches, you can create patch policies or use Deploy Remediation. Patch policies automate the patch deployment process and are recommended over Deploy Remediation. You can define rules in patch policies to limit patch caching and distribution to only those patches that your devices require.

The following steps assume that one or more patches are available from the subscription service.

  1. In ZENworks Control Center, navigate to Security > Patch Policies.

  2. Click New in the Patch Policies page.

  3. Follow the prompts to create a patch policy.

    Click the Help button on each page for detailed information about the page.

  4. Click the patch policy after it is created, and select the Relationships page.

  5. Click Add in the Device Assignments panel, and assign one or more devices to the policy.

  6. Click Publish to distribute and apply applicable patches to the devices according to the patch policy configuration.

IMPORTANT: It is recommended that you initially apply patches to a test device before applying them to devices throughout the zone. Patches are automatically applied via the Sandbox to any assigned devices that are configured as “Test” devices, without executing Step 6 (publishing the policy).

When first creating the patch policy, you can also configure the policy to auto-approve patches after successful test enforcements. Selecting this option in the policy configuration automatically publishes the policy to all devices assigned to the policy after 100 percent of Test devices pass, omitting the need to publish (Step 6 above).