Patch Management FAQ

This topic aims to provide answers to the most frequently asked questions about the Patch Management module in GravityZone.

The Patch Scan task can be run on all endpoints that have the Patch Management module installed.

The Patch Scan task does not download any updates. Instead, it inventories and reports the installed applications and compares their versions and installed updates against the latest available patches from the update catalog.

The update catalog resides on the GravityZone Update Server and is mirrored on the Patch Management Cache Server. All processing of the data reported by a Patch Scan task is done on the GravityZone side.

The endpoint running the Patch Scan task reports the result to the Communication Server, which in turn passes the information to the Database Server. From there, the web PHP processors (Web Console) parse the events and move them into their final location in the Database Server, from which they are reported to the Web Console.

The Patch Scan task does not require the endpoints to have Internet connectivity: the task only inventories the installed software and updates locally, then reports back to the GravityZone console.

The Patch Scan task inventories the installed software and updates, submits this information to GravityZone, then GravityZone compares the data to the update catalog.

The Patch Scan task runs independently of the settings in Policies > Configuration Profiles > Maintenance Windows. The Patch Install task will be influenced by this setting as follows:

  • If a Patch Management Cache Server is defined, the endpoint requests the update from that Relay. If the Relay has not yet downloaded the update, it downloads it from the vendor on the first request.

  • If no Patch Management Cache Server is defined, the endpoint downloads the update directly from the vendor's update location.

  • It is not possible to have an empty list in the Maintenance Windows settings and also disable the Use vendors websites as fallback location for downloading the patches option.

The GravityZone appliance does not need any access beyond the standard ports listed in the GravityZone Communication Ports article.

The Relay hosting the Patch Management Cache Server needs Internet access to the vendors' update locations in order to download the updates on request.

Endpoints with the Patch Management module need the standard connectivity to the GravityZone appliance roles and Relays described in the GravityZone Communication Ports article.

In addition, if the Use vendors websites as fallback location for downloading the patches option is expected to work, the endpoint needs Internet access to the vendors' update locations so that it can download the updates when a Patch Install task is submitted to it.

Yes, Patch Management delivers patches for Microsoft products (OS and other software).

Yes, the list of supported vendors is available here.

The Patch Management module lets organizations define endpoint test groups, so that patches can be tested before they are rolled out to production.

Patches are delivered as they are created and made available by the software vendors. The vendors test their patches, but each organization should also test them in a controlled environment, because every endpoint environment is unique.

These are the main options for installing patches:

  • Install each patch individually (manual task)

  • Install patches automatically only for specific trusted vendors

  • Install security and non-security patches separately

The module delivers only patches (for example, from version 1.0 to 1.9). It does not perform version upgrades (for example, from 1.9 to 2.0).
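The following is an added illustration of the install options and the patch/upgrade boundary described above; it is not GravityZone's own code, and the inventory, catalog, vendor names and the `classify` helper are all constructed assumptions.

```python
# Added illustration (not GravityZone code): match a patch-scan inventory against
# an update catalog, reporting same-major-version patches as installable and
# major-version changes as upgrades the module would not perform.

# Constructed sample data: what a Patch Scan might inventory on one endpoint.
INVENTORY = {"ExampleApp": "1.0", "OtherTool": "2.3.1", "LegacySuite": "1.9"}

# Constructed sample catalog: vendor, latest version and whether the release
# is classified as a security update.
CATALOG = {
    "ExampleApp": {"vendor": "ExampleVendor", "latest": "1.9", "security": True},
    "OtherTool": {"vendor": "OtherVendor", "latest": "2.3.1", "security": False},
    "LegacySuite": {"vendor": "ExampleVendor", "latest": "2.0", "security": True},
}


def parse_version(version):
    """Split a dotted version string into a tuple of ints so that
    '2.3.1' compares greater than '2.3' and '1.10' greater than '1.9'."""
    return tuple(int(part) for part in version.split("."))


def classify(inventory, catalog, trusted_vendors=()):
    """Return three lists: patches to install automatically (trusted vendor),
    patches that need a manual install task, and major-version upgrades that
    are out of scope for a patch-only module. Each entry carries the app name,
    installed version, catalog version and (for patches) the security flag."""
    auto, manual, upgrades = [], [], []
    for app, installed in inventory.items():
        entry = catalog.get(app)
        if entry is None:
            continue  # not in the catalog: nothing to report
        current, latest = parse_version(installed), parse_version(entry["latest"])
        if latest <= current:
            continue  # already up to date
        if latest[0] != current[0]:
            # major version differs: an upgrade, not a patch
            upgrades.append((app, installed, entry["latest"]))
        elif entry["vendor"] in trusted_vendors:
            auto.append((app, installed, entry["latest"], entry["security"]))
        else:
            manual.append((app, installed, entry["latest"], entry["security"]))
    return auto, manual, upgrades


if __name__ == "__main__":
    for label, items in zip(("auto", "manual", "upgrade"),
                            classify(INVENTORY, CATALOG, ("ExampleVendor",))):
        print(label, items)
```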