Patch tasks
It is recommended to regularly check for software updates and apply them as soon as possible. GravityZone automates this process through security policies, but if you need to update the software on certain endpoints right away, run the following tasks in this order:
Prerequisites
The security agent with Patch Management module is installed on target endpoints.
For the scanning and installation tasks to be successful, Windows endpoints must meet these conditions:
Trusted Root Certification Authorities stores the DigiCert Trusted Root G4 certificate.
Intermediate Certification Authorities includes the DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1.
Endpoints have installed the patches mentioned in these Microsoft articles:
For Windows 7 and Windows Server 2008 R2: Microsoft Security Advisory 3033929
For Windows Vista and Windows Server 2008: You cannot run an application that is signed with a SHA-256 certificate on a computer that is running Windows Vista SP2 or Windows Server 2008 SP2
For the module to work on macOS endpoints, Bitdefender Endpoint Security Tools components must have Full Disk Access permissions. For details, refer to Full Disk Access is not granted for Bitdefender Endpoint Security Tools in macOS.
It is recommended to have a Relay machine available with Patch Caching Server role for storing and distributing software patches for Windows endpoints. In this specific case, the Relay machine requires 100 GB of free disk space.
For details on installing Bitdefender Endpoint Security Tools with various modules and roles, including Relay, refer to Install security agents - standard procedure.
Alternately, for details on how to to add the Relay role to a machine already having the security agent installed on, refer to Reconfigure agent.
Patch Scan
Endpoints with outdated software are vulnerable to attacks. It is recommended to regularly check the software installed on your endpoints and update it as soon as possible. To scan your endpoints for missing patches:
Go to the Network page.
Select the container that you want from the left-side pane. All endpoints from the selected container are displayed in the right-side pane table.
Select the target endpoints.
Click the task.png Tasks button at the upper side of the table and choose Patch Scan. A confirmation window will appear.
Click Yes to confirm the scan task.
When the task finishes, GravityZone adds in Patch Inventory all patches your software needs. For more details, refer to Patch Inventory.
You can view and manage the task on the Network > Tasks page. For more information, refer to Viewing and managing tasks.
Note
To schedule patch scanning, edit the policies assigned to the target endpoints, and configure the settings in the Patch management section. For more information, refer to Patch Management.
Patch Install
To install one or more patches on the target endpoints:
Go to the Network page.
Select the container that you want from the left-side pane. All endpoints from the selected container are displayed in the right-side pane table.
Click the Tasks button at the upper side of the table and choose Patch Install.
A configuration window will appear. Here, you can view all patches missing from the target endpoints.
If needed, use the sorting and filtering options at the upper side of the table to find specific patches.
Click the Columns button at the upper-right side of the pane to view only relevant information.
Select the patches you want to install.
Certain patches depend on others. In such case, they are automatically selected once with the patch.
Clicking the numbers of CVEs or Products will display a pane in the left side. The pane contains additional information, such as the CVEs which the patch resolves, or the products to which the patch applies. When done reading, click Close to hide the pane.
Select Reboot endpoints after installing the patch, if required to restart the endpoints immediately after the patch installation, if a system restart is required. Take into account that this action may disrupt the user activity.
Click Install.
The installation task is created, together with sub-tasks for each target endpoint.
You can view and manage the task on the Network > Tasks page. For more information, refer to Viewing and managing tasks.
Note
To schedule patch deployment and configure the settings in the Configuration Profiles > Maintenance Windows section. For more information, refer to Maintenance Windows.
You can also install a patch from the Patch Inventory page, starting from a certain patch that you are interested in. In this case, select the patch from the list, click the Install button at the upper side of the table and configure the patch installation details. For more details, refer to Patch Inventory.
After installing a patch, we recommend sending a Patch scan task to target endpoints. This action will update the patch information stored in GravityZone for your managed networks.
On macOS, GravityZone applies operating system patches only for minor versions, for example from version 13.5 (Ventura) to 13.6 (Ventura), but not from 13.9 (Ventura) to 14.0 (Sonoma). Installing an operating system patch may require restarting the endpoint. The local user can postpone the installation for up to 4 hours in the prompt window.
You can uninstall patches:
Remotely, by sending a patch uninstall task from GravityZone.
Locally on the endpoint. In this case, you need to log in as an administrator to the endpoint and run the uninstaller manually.