Install Patches

Applies To: WatchGuard Patch Management

WatchGuard Patch Management uses tasks to install patches and updates. To install patches on computers, you must add a task.

You can either add a task to install a patch immediately or schedule a task to run at a specific time. When you run a task immediately, Patch Management downloads and installs the patch in real time but does not restart the Windows or Linux computer, even if the installation requires a restart. Some macOS patches will automatically restart the computer (for example, _SoftwareUpdate.pkg).

Scheduled tasks enable you to configure all settings related to the patch installation and start the task at the time you want. You can also add tasks to uninstall previously installed patches if they cause issues.

Download Patches

Before WatchGuard Patch Management installs a patch, the computer downloads it from the software vendor. The download occurs in the background on each computer when a patch installation task starts.

To minimize bandwidth usage, Patch Management uses cache computers on the network to download and disseminate patches and updates.

Patch installation tasks might have to download patches from a software vendor if cache or repository computers do not already have the patches. Quick tasks start to download patches as soon as you create the task. This can result in high bandwidth usage if the task applies to many computers or the patches are large.

Scheduled patch installation tasks start to download the patches when you configure the task. If the start times of multiple tasks coincide, Patch Management delays tasks by up to 2 minutes to prevent simultaneous downloads and minimize bandwidth usage.

Cache computers store patches for up to 30 days, after which patches are deleted. If a computer requests a patch from a cache computer, but the cache computer does not have the patch in its repository, the computer waits for the cache computer to download it. The wait time depends on the size of the patch to download. If the cache computer cannot download the patch, the target computer tries to download the patch instead.

Linux computers use the distribution package manager to download patches from the Internet. They cannot download patches from cache computers you specify in WatchGuard Endpoint Security.

Proxy computers cannot download patches or updates.

You can also manually download a patch and copy it to the cache computer. For more information, go to Download Patches Manually.

Add Patch Installation Tasks

You can add a task to install patches from the Available Patches list, the Computers page, or the Tasks page.

Software vendors define the importance of the security patches they make available to address vulnerabilities. Patch classifications are not universal and vary by vendor. To determine whether you want to install a patch, we recommend that you review its description, especially for patches that a vendor does not classify as Critical.

Configure a Scheduled Patch Installation Task

After you add a scheduled patch installation task, you must configure the task and publish it.

To configure a scheduled patch installation task:

  1. In the New Task or Edit Task page, in the Name text box, type a name for the task.

    Screen shot of the New Task page

  2. In the Description text box, type a description of the task.
  3. In the Recipients text box, to add computers, click the recipients or click No Recipients Selected Yet.
    The Recipients page opens.
  4. To add computer groups and computers:
    1. To assign the task to test computers only in the groups you select, enable Run the task only on test computers. This option is disabled by default. If you do not enable this option, the task runs for all computers, including test computers. For information on how to identify test computers, go to Configure Patch Management Security Settings.

    2. Click the Add icon.
    3. Select the computer groups or computers you want.
    4. Click Add.
  5. Click Back.
  6. Specify when the task will start.
    • To start the task as soon as possible, select the As Soon as Possible check box.
    • To start the task at a specific time, select the date and time.
    • To specify the time based on the time on the discovery computer, select the Computer's Local Time check box.
      If you do not select this check box, the time is based on WatchGuard server time.
  7. Select an option to specify when to run the task if the computer is turned off at the scheduled time.
  8. From the Frequency drop-down list, select how often you want the task to run (One Time, Daily, Weekly, Monthly).
    • If you select Weekly, specify the days of the week to run the task each week.
    • If you select Monthly, specify the day or date to run the task each month.
  9. Select the criticality or importance of the Security Patches to install (Critical, Important, Moderate, Low, or Unspecified).

    Screen shot of the New Task page Criticality settings

  10. To install patches that are not security-related, enable Other patches (non-security related).
    This category includes patches with bug fixes and feature enhancements for macOS and Linux.
  11. To install service packs, enable Service Pack.
    Windows Service Packs are not applied to macOS or Linux computers or devices.
  12. To specify which operating system and products to install patches for, in the Install Patches for the Following Products section, select or clear check boxes next to specific operating systems, software vendors, software products, and patches. To install all available patches, select the All check box.

    Screen shot of New Task page product settings.

    If you select macOS, a warning message prompts you to confirm that you want to include patches for macOS. Some macOS patches automatically restart the computer (_SoftwareUpdate.pkg). We recommend that you close and save any open files.

    Patches for macOS require the user to enter the volume owner user name and password. This does not include Intel macOS computers. If the patch installation task for a macOS computer includes patches that do not require credentials, the patches proceed to install.

  13. In the Restart Options section, select an option to specify whether computers restart automatically after patches install. If you select Do Not Start Automatically, users see a message that their computer must restart and can select whether to restart immediately or later.
  14. From the Delay Restart drop-down list, select the amount of time allowed before Patch Management forces a restart (from 5 minutes, up to 7 days).
  15. In the upper-right corner, click Save.
  16. Publish the task. For more information, go to Publish a Task.

Uninstall Patches

You cannot uninstall Linux and macOS patches.

Sometimes, the patches that software vendors publish do not work correctly and can cause issues. WatchGuard Patch Management enables you to uninstall (roll back) installed patches.

You can uninstall installed patches when the patch supports the uninstall feature. If the software vendor does not allow you to uninstall a patch, you see the text Non-uninstallable patch on the Patch Installed details page and cannot uninstall the patch.

Patches that you uninstall appear again in the Available Patches list, and will reinstall when a scheduled patch installation task runs. If you never want to install a specific patch on your computers, you can exclude it. For more information, go to Exclude Patches.

We recommend that you test patches on a small number of computers before you install the patches across your network. You can designate computers as test computers for patch installation. For more information, go to Configure Patch Management Security Settings.

To uninstall a patch:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Status > Patch Management.
    The Patch Management dashboard opens.
  3. In the Available Patches or Last Patch Installation Tasks tile, click View Installation History.
    The Installation History list opens.

    Screen shot of Installation History page

  4. Click the row of the patch you want to uninstall.
    The Patch Installed details page opens.

    Screen shot of Patch Installed page

  5. Click Uninstall the Patch, if available.
    The Uninstall Patch dialog box opens.

    Screen shot of Uninstall Patch dialog box

  6. Select an option to specify whether to uninstall the patch from the selected computer or all computers on the network.
  7. Click Uninstall the Patch.
    Patch Management creates a task to uninstall the patch.

If uninstallation requires a restart, the user receives a prompt to restart the computer.

Review Installation Task Results

After a patch installation or uninstallation task runs, you can review the results.

Only endpoints of the relevant operating system receive the task and appear as recipients.

To see the installation task results:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Tasks.
    The Tasks page opens.
  3. In the installation or uninstallation task row, click View Results.
    The Task Results page opens and shows the status of the task for each computer.

Screen shot of task results in Endpoint Security

Installation Status Values

The task results table can include these status values:

  • Pending — Task has not been launched and requires action. From the Installation History list, you can select a pending task to review the results and corresponding error, if any. For more information, go to View Installation History and Patch Management Errors During Patch Installation.
  • In progress — Task is currently running.
  • Finished — Task finished successfully.
  • Failed — Task failed and returned an error.
  • Canceled (the task could not start at the scheduled time) — Target computer was not accessible at the time the task was set to start or during the specified time period.
  • Canceled — Task was manually canceled.
  • Canceled (maximum run time exceeded) — Task was automatically canceled because it exceeded the configured maximum run time.

View Installation History

The Installation History list shows the details of patches that Patch Management installed and tried to install in the specified time period.

To review installation history:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Status > Patch Management.
    The Patch Management dashboard opens.
  3. In the Available Patches or Last Patch Installation Tasks tile, click View Installation History.
    The Installation History list opens.

    Screen shot of Installation History page

  4. To filter the Installation History list, click Filters.

    • Dates — Select whether you want to see results for the last 24 hours, 7 days, or month.
    • Platform — Select the operating system platform you want to filter the list for.
    • Computer Type — Select the check box for each type of endpoint you want to filter the list for (for example, workstation, laptop, or server).
    • Computer, Program, Patch — Enter the name of the Computer, Program, or Patch you want to filter the list for.
    • Registers — Select whether you want to filter the list to Show All patch installation attempts, or Show Only the Last installation attempt.
    • Criticality — Select the check box for the patch severity you want to filter the list for (for example, Critical, Important, Medium, Service Pack, and more).
    • Installation — Select the check box for the installation status you want to filter the list for (for example, Installed, Requires Restart, Download Error, and Installation Error). If the status was Requires Restart and the patch successfully installs on the computer after it restarts, the table dynamically updates to Installed.
    • CVE — Enter the patch CVE ID (for example, CVE-2018-2790).
  5. Click Filter.

  6. The Installation column shows the installation status. To review the installed patches, in the row for a computer, click the Options icon and select View Installed Patches on the Computer.

  7. To view all computers with the same patch installed, in the row for a computer, click the Options icon and select View Computers with Patch Installed.

  8. To export a .CSV file of the installation history, click the export icon and select an option:

    • Select Export to export the information in the table to a .CSV file.

    • Select Extended Export to export the information in the table, as well as information on the task (name, launch date, start date, and end date) and latest installation attempt, to a .CSV file.
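The Installation History filters and the extended export above are the raw material for checking that a patch task actually left the fleet in the state you intended. The following Python is an added example (not part of the WatchGuard documentation or product) that processes an exported CSV offline: it reproduces the Registers filter's "Show Only the Last installation attempt" view by keeping the newest attempt per computer and patch, counts the Installation status values named on this page, and lists the computers that still need action. The column names, the timestamp layout, the computer and patch names and the dates in the sample are assumptions constructed for the example; only the status values and the CVE example come from the documentation, so compare the header of a real export and adjust the field names before use.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Installation status values that the documentation lists for the Installation column.
ERROR_STATUSES = {"Download Error", "Installation Error"}
RESTART_STATUS = "Requires Restart"
INSTALLED_STATUS = "Installed"

DATE_FORMAT = "%Y-%m-%d %H:%M"  # assumed layout of the attempt timestamp in the export

# Constructed sample of an extended export. Column names, computer names, patch
# names and dates are assumptions for this example (they are not taken from a
# real export); the status values and the CVE ID are the ones the page names.
SAMPLE_CSV = """\
Computer,Platform,Program,Patch,Criticality,CVE,Installation,Task Name,Attempt Date
WS-01,Windows,Example Runtime,KB-EXAMPLE-1,Critical,CVE-2018-2790,Requires Restart,Monthly critical,2024-05-01 02:10
WS-01,Windows,Example Runtime,KB-EXAMPLE-1,Critical,CVE-2018-2790,Installed,Monthly critical,2024-05-01 07:15
WS-02,Windows,Example Browser,EB-EXAMPLE-2,Important,,Download Error,Monthly critical,2024-05-01 02:12
SRV-01,Linux,Example Distro,pkg-example-3,Critical,,Installed,Monthly critical,2024-05-01 02:20
WS-03,Windows,Example Runtime,KB-EXAMPLE-1,Critical,CVE-2018-2790,Installation Error,Monthly critical,2024-05-01 02:14
WS-03,Windows,Example Runtime,KB-EXAMPLE-1,Critical,CVE-2018-2790,Installation Error,Monthly critical,2024-05-02 02:11
"""


def parse_history(text):
    """Parse an exported CSV into row dicts, adding a parsed attempt timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["_attempt"] = datetime.strptime(row["Attempt Date"], DATE_FORMAT)
        rows.append(row)
    return rows


def last_attempt_only(rows):
    """Mirror the 'Show Only the Last installation attempt' filter: keep the newest
    attempt for each (Computer, Patch) pair so repeated failures count once."""
    latest = {}
    for row in rows:
        key = (row["Computer"], row["Patch"])
        if key not in latest or row["_attempt"] > latest[key]["_attempt"]:
            latest[key] = row
    return sorted(latest.values(), key=lambda r: (r["Computer"], r["Patch"]))


def status_counts(rows):
    """How many rows ended in each Installation status."""
    return Counter(row["Installation"] for row in rows)


def needs_attention(rows):
    """(computer, patch, status) for attempts that ended in a download or install error."""
    return [(r["Computer"], r["Patch"], r["Installation"])
            for r in rows if r["Installation"] in ERROR_STATUSES]


def awaiting_restart(rows):
    """(computer, patch) pairs whose last recorded status is still Requires Restart."""
    return [(r["Computer"], r["Patch"]) for r in rows if r["Installation"] == RESTART_STATUS]


def unresolved_critical_cves(rows):
    """Critical patches that reference a CVE and are not yet Installed."""
    return sorted({(r["Computer"], r["CVE"]) for r in rows
                   if r["Criticality"] == "Critical" and r["CVE"]
                   and r["Installation"] != INSTALLED_STATUS})


def report(text):
    """Print a short post-task summary from the last attempt per computer and patch."""
    rows = last_attempt_only(parse_history(text))
    print("Status counts:", dict(status_counts(rows)))
    print("Needs attention:", needs_attention(rows))
    print("Awaiting restart:", awaiting_restart(rows))
    print("Critical CVEs not installed:", unresolved_critical_cves(rows))


if __name__ == "__main__":
    report(SAMPLE_CSV)
```

Run the report on the last-attempt view rather than on all attempts: in the sample, WS-01 shows Requires Restart on its first attempt and Installed a few hours later, which matches the page's note that the table updates to Installed once the computer restarts, so only the newest attempt reflects the current state. Computers listed under needs_attention are the ones to look up in the Installation History and the Patch Management Errors During Patch Installation topic.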

Related Topics

About Patch Management

Download Patches Manually

Exclude Patches

Designate a Cache Computer (Windows computers)