Install Patches

Applies To: WatchGuard Patch Management

WatchGuard Patch Management uses tasks to install patches and updates. To install patches on computers, you must add a task.

You can either add a task to install a patch immediately or schedule a task to run at a specific time. When you run a task immediately, Patch Management downloads and installs the patch in real time but does not restart the computer, even if the installation requires a restart. Scheduled tasks enable you to configure all settings related to the patch installation and start the task at the time you want.

You can also add tasks to uninstall previously installed patches if they cause issues.

Download Patches

Before WatchGuard Patch Management installs a patch, the computer downloads it from the software vendor. The download occurs in the background on each computer when a patch installation task starts.

To minimize bandwidth usage, Patch Management uses cache computers on the network to download and disseminate patches and updates.

Patch installation tasks might have to download patches from a software vendor if cache/repository computers do not already have the patches. Quick tasks start to download patches as soon as you create the task. This can result in high bandwidth usage if the task applies to many computers or the patches are large.

Scheduled patch installation tasks start to download the patches when you configure the task. If the start time of multiple tasks coincides, Patch Management delays tasks up to 2 minutes to prevent simultaneous downloads and minimize bandwidth usage.

Cache computers store patches for up to 30 days, after which patches are deleted. If a computer requests a patch from a cache computer, but the cache computer does not have the patch in its repository, the computer waits for the cache computer to download it. The wait time depends on the size of the patch to download. If the cache computer cannot download the patch, the target computer tries to download the patch instead.

Proxy computers cannot download patches or updates.

You can also manually download a patch and copy it to the cache computer. For more information, see Download Patches Manually.

Add Patch Installation Tasks

You can add a task to install patches from the Available Patches list, the Computers page, or the Tasks page.

Software vendors define the importance of the security patches they make available to address vulnerabilities. Patch classifications are not universal and vary by vendor. To determine whether you want to install a patch, we recommend that you review its description, especially for patches that a vendor does not classify as Critical.

Configure a Scheduled Patch Installation Task

After you add a scheduled patch installation task, you must configure the task and publish it.

To configure a scheduled patch installation task:

  1. In the New Task or Edit Task page, in the Name text box, type a name for the task.

    Screen shot of the New Task page

  2. In the Description text box, type a description of the task.
  3. In the Recipients text box, to add computers, click the recipients or click No Recipients Selected Yet.
    The Recipients page opens.
  4. To add computer groups and computers:
    1. Click .
    2. Select the computer groups or computers you want.
    3. Click Add.
  5. Click Back.
  6. Specify when the task will start.
    • To start the task as soon as possible, select the As Soon as Possible check box.
    • To start the task at a specific time, select the date and time.
    • To specify the time based on the time on the discovery computer, select the Computer's Local Time check box.
      If you do not select this check box, the time is based on WatchGuard server time.
  7. Select an option to specify when to run the task if the computer is turned off at the scheduled time.
  8. From the Frequency drop-down list, select how often you want the task to run (One Time, Daily, Weekly, Monthly).
    • If you select Weekly, specify the days of the week to run the task each week.
    • If you select Monthly, specify the day or date to run the task each month.
  9. Select the criticality or importance of the Security Patches to install (Critical, Important, Moderate, Low, or Unspecified).

    Screen shot of the New Task page Criticality settings

  10. To install patches that are not security-related, enable Other patches (non-security related).
  11. To install service packs, enable Service Pack.
  12. To specify which products to install patches for, in the Install Patches for the Following Products section, select check boxes next to specific software vendors, software products, and patches. To install all available patches, select the All check box.

    Screen shot of New Task page product settings.

  13. In the Restart Options section, select an option to specify whether computers restart automatically after patches install. If you select Do Not Start Automatically, users see a message that their computer must restart and can select whether to restart immediately or later.
  14. In the upper-right corner, click Save.
  15. Publish the task. For more information, see Publish a Task.

Uninstall Patches

Sometimes, the patches that software vendors publish do not work correctly and can cause issues. WatchGuard Patch Management enables you to uninstall (roll back) installed patches.

You can uninstall installed patches when the patch supports the uninstall feature. If the software vendor does not allow you to uninstall a patch, you see the text Non-uninstallable patch on the Patch Installed details page and cannot uninstall the patch.

Patches that you uninstall appear again in the Available Patches list, and will reinstall when a scheduled patch installation task runs. If you never want to install a specific patch on your computers, you can exclude it. For more information, see Exclude Patches.

To avoid the need to uninstall patches frequently, we recommend that you test patches on a small number of computers before you install them across your network.

To uninstall a patch:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Status > Patch Management.
    The Patch Management dashboard opens.
  3. In the Available Patches or Last Patch Installation Tasks tile, click View Installation History.
    The Installation History list opens.

    Screen shot of Installation History page

  4. Click the row of the patch you want to uninstall.
    The Patch Installed details page opens.

    Screen shot of Patch Installed page

  5. Click Uninstall the Patch, if available.
    The Uninstall Patch dialog box opens.

    Screen shot of Uninstall Patch dialog box

  6. Select an option to specify whether to uninstall the patch from the selected computer or all computers on the network.
  7. Click Uninstall the Patch.
    Patch Management creates a task to uninstall the patch.

If uninstallation requires a restart, the user receives a prompt to restart the computer.

See Installation Task Results

After a patch installation or uninstallation task runs, you can see the results.

To see the installation task results:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Tasks.
    The Tasks page opens.
  3. In the installation or uninstallation task row, click View Results.
    The Task Results page opens and shows the status of the task for each computer.

See Installation History

The Installation History list shows details of patches that Patch Management installed and tried to install in the specified time period.

To see installation history:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Status > Patch Management.
    The Patch Management dashboard opens.
  3. In the Available Patches or Last Patch Installation Tasks tile, click View Installation History.
    The Installation History list opens. You can filter the list by Group, Program, or Patch.

    Screen shot of Installation History page

  4. To see the installed patches, in the row for a computer, click and select View Installed Patches on the Computer.

  5. To see all computers with the same patch installed, click and select View Computers with Patch Installed.

Related Topics

About Patch Management

Download Patches Manually

Exclude Patches