Appearance
Patching
Patch Tuesday won't break your monitoring.
Windows Update and the Linux package manager. Policy-driven, scheduled, with deferral windows. The agent self-tests after every patch run — no silent updater failures.
- Policy-driven
Org → client → asset hierarchy. Standard MSP shape, no surprises.
- Self-test
After every patch run. No silent updater failures. We learned the hard way.
- Audited
Per-asset history, org-level coverage report, SLA reporting for patch lag.
Policy hierarchy
Org → client → asset. A policy specifies approved categories (security, critical, optional, drivers), deferral window (start / end day-of-week, hour-of-day), reboot behaviour (auto, prompt, never), and maintenance window override.
What gets patched
The targets.
- Windows — Windows Update API. Cumulative, security, drivers, .NET. Reboot orchestrated.
- Linux — apt, dnf, yum, zypper depending on distro. Held packages respected.
Pre-flight, learned the hard way
The Linux updater pre-2026-04-20 had ProtectSystem=full blocking writes to the install directory, the install dir wasn’t on ReadWritePaths, and the agent published success before it knew the binary swap had landed. We documented and fixed all three. Updater follow-up bugs are tracked openly.
Audit
Every patch run logged.
- Per-asset patch history with timestamp, KB / package, success / failure, reboot status
- Org-level patch coverage report — what is compliant, what is outstanding, what is overdue
- SLA reporting for patch lag (e.g., critical patches outstanding > 7 days)
Pairs well with
Other things in the platform
Common questions
Can I exclude specific KBs?
Yes. Per-policy KB blocklist.What about WSUS?
The Windows agent uses the Windows Update Agent API directly. WSUS sources are honoured if configured at the OS level, otherwise we go to Microsoft direct.Do you patch the agent itself?
The agent self-updates on a separate path with its own self-test gate. Agent updates are not driven by the patch policy.What happens if a patch fails?
Agent reports failure with exit code. Telemetry event publishes. Patch run is retryable. Audit log captures the trail.Can I see drift across the fleet?
Yes. Compliance dashboard shows patch posture per asset, per client, per organisation.