
Patch Management FAQ

This topic provides answers to the most frequently asked questions about the Patch Management module in GravityZone.

How does the Patch Scan task retrieve the list of applicable updates?

The Patch Scan task is designed to make an inventory of the installed applications on a system and report it to GravityZone. It compares the installed versions and updates to the latest available patches from the update catalog. It does not download any updates.

The update catalog resides on the GravityZone Update Server and is mirrored on the Patch Caching Server. All processing of the data reported by a Patch Scan task is done on the GravityZone side; the endpoint itself never compares versions against the catalog.

The endpoint running the Patch Scan task reports the result to the Communication Server, which sends the information to the Database Server. From there, the web PHP processors parse the events and store them in the Database Server, and the results are then shown in GravityZone Control Center.

Does the Patch Scan task require internet connectivity to function properly?

No. The Patch Scan task does not require that endpoints have internet connectivity, because it performs a local inventory of installed software and updates and then reports the findings to GravityZone Control Center. The endpoint only needs to reach the GravityZone roles or relays it normally communicates with.

Does the Patch Management Cache Server provide the patch information needed by endpoints for a Patch Scan?

No. The Patch Scan task inventories the installed software and updates and submits this information to GravityZone, which compares the data to the update catalog on the GravityZone side. The Patch Caching Server only serves downloaded patches to endpoints during a Patch Install task.

Do the on-demand tasks (Patch Scan and Patch Install) use the patch download settings defined in maintenance windows?

The Patch Scan task runs independently of the settings in Policies > Configuration Profiles > Maintenance windows.

The Patch Install task is influenced by this policy setting in the following ways:

  • If a Patch Caching Server is defined, the endpoint requests the update from that Relay. If the Relay does not have the update downloaded, it downloads it from the vendor on the first request.

  • If no Patch Caching Server is defined, the endpoint downloads the update directly from the vendor's update location.

  • You should either have a Maintenance window set up, or the following option enabled: Use vendors websites as fallback location for downloading the patches.

The GravityZone appliance only requires the ports defined in the GravityZone Communication Ports article.

To download the updates on demand, Relays configured with the Patch Caching Server role require access to the vendors' update locations.

The endpoints with Patch Management module require connectivity with the GravityZone roles and relays.

For the Use vendors websites as fallback location for downloading the patches option to function properly, the endpoint requires Internet access and access to the vendors' update locations. This configuration is necessary for the successful download of updates when running a Patch Install task.
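The three connectivity requirements above (endpoint to GravityZone roles and relays, endpoint to the Patch Caching Server, and endpoint to the vendors' update locations when downloading directly or via the fallback option) are easy to get wrong behind a proxy or egress firewall, and a failed Patch Install task reports little about which hop was blocked. The following pre-flight check is an added example written for this page; it is not Bitdefender code. The role names, host names, ports and vendor URLs in it are placeholders: take the real values from your deployment and from the GravityZone Communication Ports article.

```python
"""Pre-flight reachability check for a Patch Install task (added example,
not Bitdefender code). Host names, ports and URLs are placeholders."""
import socket
from urllib.parse import urlparse

DEFAULT_TIMEOUT = 3.0


def check_tcp(host, port, timeout=DEFAULT_TIMEOUT):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def url_endpoint(url):
    """Host and port a download from this vendor URL would connect to."""
    u = urlparse(url)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


def preflight(roles, vendor_urls, vendor_fallback, probe=check_tcp):
    """Work out which download paths a Patch Install task could use.

    roles: name -> (host, port) for the GravityZone roles the endpoint must reach.
           "communication_server" is mandatory; include "patch_caching_server"
           only when a Patch Caching Server is assigned to the endpoint.
    vendor_urls: vendor update locations (only used for direct or fallback downloads).
    vendor_fallback: the "Use vendors websites as fallback location" policy option.
    probe: connectivity function (injectable so the logic can be tested offline).
    """
    role_results = {name: probe(h, p) for name, (h, p) in roles.items()}
    vendor_results = {url: probe(*url_endpoint(url)) for url in vendor_urls}

    paths = []
    # Without the Communication Server the task is never received or reported.
    if role_results.get("communication_server"):
        caching_defined = "patch_caching_server" in roles
        if caching_defined and role_results["patch_caching_server"]:
            paths.append("patch_caching_server")
        # The endpoint contacts vendors itself only when no caching server is
        # defined, or when the vendor fallback option is enabled.
        if (not caching_defined or vendor_fallback) and vendor_results \
                and all(vendor_results.values()):
            paths.append("vendor_direct")
    return {"roles": role_results, "vendors": vendor_results, "download_paths": paths}


def loopback_demo():
    """Offline self-check for check_tcp: probe a listening loopback socket,
    then the same port after the listener is closed. Returns (up, down)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    up = check_tcp("127.0.0.1", port)
    listener.close()
    down = check_tcp("127.0.0.1", port)
    return up, down


if __name__ == "__main__":
    # Placeholder names and ports: replace with your own deployment's values.
    roles = {"communication_server": ("gz-communication.example", 8443),
             "patch_caching_server": ("gz-relay.example", 7074)}
    vendors = ["https://download.vendor.example/updates/"]
    print(preflight(roles, vendors, vendor_fallback=True))
```

Run it on the endpoint itself (not on the Relay), since the policy decides which hops the endpoint takes; an empty `download_paths` list pinpoints the blocked hop before you open a Patch Install task. Note that the Relay's own egress to the vendors is a separate check to run on the Relay.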

Can there be interference between the activities of the Windows Update Service and the Bitdefender Endpoint Security Tools Patch Management module?

Yes.

Does GravityZone have a feature to disable the Windows Update service?

No.

Is there a best practice related to the configuration of Windows Update Service when implementing Patch Management?

No.

Does Patch Management cover Microsoft patches?

Yes, Patch Management delivers patches for Microsoft products (OS and other software).

Do you have a list of available patches?

Yes, the list of supported vendors is available here.

How will Patch Management ensure patches are tested before installing in production?

You can define endpoint test groups, which allow patches to be tested on a small set of endpoints before rolling them out across the production environment.

Does Bitdefender test any patches?

The patches are delivered as they are released by the software vendors. Patches are tested by the software vendors, but testing in a controlled environment is recommended for each organization, as each endpoint environment is unique.

Can I select specific patches to install on endpoints?

These are the main options for installing patches:

  • Install each patch individually (manual task).

  • Install patches by category (security and non-security).

  • Automatically install patches (only available for specific/trusted vendors).

Does Patch Management only provide patches or does it also upgrade products?

The module provides only software patches and updates. It does not perform upgrades.