12.0 Patch Management

Patch Management lets you apply software patches automatically and consistently to minimize vulnerabilities and issues.

Patch Management stays current with the latest patches and fixes by regular Internet communication with the ZENworks Patch Service. After the initial 60-day evaluation period, Patch Management requires a paid subscription for you to continue the daily download of the latest vulnerability and patch information.

When a new patch is available from the subscription service, a ZENworks Server downloads information about it. You can deploy the patch to devices or disregard the patch.

With Patch Management, after the patches are downloaded to the ZENworks Server and a patch scan is performed, you can identify the vulnerable devices in your zone. However, you cannot easily identify which vulnerability a patch addresses: you need to open the Patch Details window, or you need to know the CVE ID and search for it. As part of the Security feature, ZENworks now provides a security view that simplifies setting up and tracking security in your zone. The vulnerability-based view and approach to remediation let you quickly grasp the security posture of your devices: you identify patches by their CVE information and then remediate the vulnerable devices by applying the relevant patch remediation policy or bundle. ZENworks identifies these vulnerabilities as follows:

  1. Administrator creates and runs a CVE subscription to import data from the NVD repository.

  2. Administrator creates and runs a Patch subscription to import data from the Patch Content repository.

    After the CVE and Patch subscriptions are run, CVEs and Patches are imported to the configured ZENworks Server.

  3. ZENworks maps the patches to the CVEs, based on the CVE ID associated with the patch signature.

    When a patch scan is performed on devices as part of the device refresh, the vulnerable devices are identified. You can also configure the patch scan schedule, or run the initiate patch scan quick task manually, as required.

  4. The applicable patches are then deployed on the vulnerable devices, either through patch policies or through remediation bundles.

After all of a CVE's patches are installed on a device, the device is no longer vulnerable to that CVE.
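The following is an added illustration of steps 3 and 4 above and of the rule that a device stays vulnerable until every patch mapped to a CVE is installed. It is example code written for this page, not ZENworks code or a ZENworks API: the CVE IDs, patch names and device records are constructed placeholders, and the "patch signature" is modelled as the set of CVE IDs a patch carries. It generalizes slightly beyond the text by computing the zone-wide view (which devices are open for each CVE), which is what the security view described above is meant to show.

```python
"""Constructed model of the CVE-to-patch mapping and vulnerability
identification flow described in the text (example, not ZENworks code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Patch:
    patch_id: str
    cve_ids: frozenset  # CVE IDs carried in the patch signature (step 3)


@dataclass
class Device:
    name: str
    installed_patches: set = field(default_factory=set)  # result of the patch scan


# Constructed sample data: placeholder CVE IDs and patch names, not real ones.
CVES = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"}   # from the CVE subscription
PATCHES = [                                                  # from the Patch subscription
    Patch("KB-A", frozenset({"CVE-0000-0001"})),
    Patch("KB-B", frozenset({"CVE-0000-0001", "CVE-0000-0002"})),
    Patch("KB-C", frozenset({"CVE-0000-0003"})),
]


def map_cves_to_patches(cves, patches):
    """Step 3: index the imported patches by the CVE IDs in their signatures."""
    mapping = {cve: set() for cve in cves}
    for patch in patches:
        for cve in patch.cve_ids:
            if cve in mapping:          # ignore CVE IDs the CVE import did not bring in
                mapping[cve].add(patch.patch_id)
    return mapping


def vulnerable_cves(device, mapping):
    """CVEs a device is still open to after the scan.

    A CVE is closed only when every patch mapped to it is installed; a CVE
    with no mapped patch cannot be assessed by a patch scan and is left out.
    """
    return {cve for cve, patch_ids in mapping.items()
            if patch_ids and not patch_ids <= device.installed_patches}


def remediation_plan(device, mapping):
    """Step 4 input: the patches still missing for each open CVE on a device."""
    return {cve: mapping[cve] - device.installed_patches
            for cve in vulnerable_cves(device, mapping)}


def vulnerable_devices(devices, mapping):
    """Zone-wide view: for each CVE, the names of devices still open to it."""
    view = {cve: set() for cve in mapping}
    for device in devices:
        for cve in vulnerable_cves(device, mapping):
            view[cve].add(device.name)
    return view


if __name__ == "__main__":
    mapping = map_cves_to_patches(CVES, PATCHES)
    zone = [Device("ws-1", {"KB-A"}),                  # partially patched
            Device("ws-2", {"KB-A", "KB-B", "KB-C"}),  # fully patched
            Device("ws-3", {"KB-B"})]                  # has KB-B but still needs KB-A
    for device in zone:
        print(device.name, remediation_plan(device, mapping))
    print(vulnerable_devices(zone, mapping))
```

Note the `ws-3` case: it has KB-B, which addresses CVE-0000-0001, but CVE-0000-0001 is also mapped to KB-A, so the device remains vulnerable to that CVE until KB-A is installed as well. That is the behaviour the sentence above describes, and it is why the remediation plan is keyed by CVE rather than by individual patch.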

The following sections explain how to use the CVE and Patch Management features to identify the vulnerabilities and issues that can occur with outdated or unpatched software.