Category filter
Windows Patches & Updates Management
Overview
Windows patch management is the process of regularly deploying and managing updates, bug fixes, and security patches for Windows operating systems and applications. These patches mitigate vulnerabilities and software bugs that serve as entry points for cyber-attacks. By ensuring devices maintain the most secure and updated versions, patch management improves overall security, device performance, and organizational productivity.
Core Policy Framework
Hexnode UEM provides four specific policies to govern OS-level and application-specific update configurations for Windows endpoints. These are found in the Hexnode UEM console by navigating to Policies > New Policy > Create a fully custom policy > Windows and selecting the relevant entry under the Patches & Updates sub-section:
| Policy Name | Functional Description | Key Features & Attributes |
|---|---|---|
| Windows Update Preferences | Configures management preferences for Windows updates. | Includes options for driver updates, optional updates, downloads over metered networks, Target Product, Target Version, and deferral of Quality and Feature Updates. |
| WSUS Specific Settings | Distributes Microsoft and third-party updates via Windows Server Update Services (WSUS). | Includes update service URL, detection frequency, third-party signed updates, online Microsoft update permissions, and proxy behavior. |
| Windows Update Experience | Configures download and installation parameters for user experience. | Includes automatic update behavior, Active Hours, skip restart checks, enforce reboots, disable pause updates, and notification settings (visibility and deadlines). |
| App Updates | Streamlines the patching of applications to ensure optimal security and compatibility. | Scheduled maintenance windows, automated update preferences for all or targeted applications, and version enforcement for critical tools. |
System Logic & Compatibility
1. Framework Architecture & Precedence
Hexnode UEM utilizes a category-based logic to ensure configuration stability on the endpoint. To prevent resource conflicts, the system distinguishes between Windows update management (OS-level) and application-level patching:
- Precedence within Update Management: This rule applies exclusively to the suite of policies that govern the core Windows update agent (Windows Update Preferences, WSUS Specific Settings, and Windows Update Experience). If multiple configurations from this specific category are assigned to a single endpoint, the most recently associated policy assumes priority as the active configuration. Any previously deployed configurations within this suite are superseded by the latest association.
- Parallel Execution Logic: The App Updates policy operates within an independent functional lane. Deployment of this policy does not interfere with or overwrite active OS update configurations. This separation allows both system-level and application-level update cycles to execute concurrently without cross-policy conflict.
2. Monitoring and Enforcement Mechanisms
- Deployment Visibility: Administrators can audit the deployment status of these policies via the Manage tab. By selecting a specific device and navigating to the Action History sub-tab, the real-time status of each policy association is visible.
- Reporting Logic: The Action History will show the status (e.g., Success, Pending, or Failed) for all associated policies. While multiple OS update policies may report a “Success” state (indicating successful delivery), the precedence rule dictates that only the latest association is actively enforced. Conversely, the App Updates policy reports its status independently, directly reflecting its operational state at the endpoint.
