Skip to content

Patching

Patch Tuesday won't break your monitoring.

Windows Update and the Linux package manager. Policy-driven, scheduled, with deferral windows. The agent self-tests after every patch run — no silent updater failures.

  • Policy-driven

    Org → client → asset hierarchy. Standard MSP shape, no surprises.

  • Self-test

    After every patch run. No silent updater failures. We learned the hard way.

  • Audited

    Per-asset history, org-level coverage report, SLA reporting for patch lag.

Approved categories, deferral windows, reboot orchestration — per policy.

Policy hierarchy

Org → client → asset. A policy specifies approved categories (security, critical, optional, drivers), deferral window (start / end day-of-week, hour-of-day), reboot behaviour (auto, prompt, never), and maintenance window override.

What gets patched

The targets.

  • Windows — Windows Update API. Cumulative, security, drivers, .NET. Reboot orchestrated.
  • Linux — apt, dnf, yum, zypper depending on distro. Held packages respected.

Pre-flight, learned the hard way

The Linux updater pre-2026-04-20 had ProtectSystem=full blocking writes to the install directory, the install dir wasn’t on ReadWritePaths, and the agent published success before it knew the binary swap had landed. We documented and fixed all three. Updater follow-up bugs are tracked openly.

Audit

Every patch run logged.

  • Per-asset patch history with timestamp, KB / package, success / failure, reboot status
  • Org-level patch coverage report — what is compliant, what is outstanding, what is overdue
  • SLA reporting for patch lag (e.g., critical patches outstanding > 7 days)

Common questions

  • Can I exclude specific KBs?
    Yes. Per-policy KB blocklist.
  • What about WSUS?
    The Windows agent uses the Windows Update Agent API directly. WSUS sources are honoured if configured at the OS level, otherwise we go to Microsoft direct.
  • Do you patch the agent itself?
    The agent self-updates on a separate path with its own self-test gate. Agent updates are not driven by the patch policy.
  • What happens if a patch fails?
    Agent reports failure with exit code. Telemetry event publishes. Patch run is retryable. Audit log captures the trail.
  • Can I see drift across the fleet?
    Yes. Compliance dashboard shows patch posture per asset, per client, per organisation.

Patch with confidence, audit with proof

OpsMerge is a product of Brindleford Technologies Ltd, company number 16871436, registered in England and Wales.