Windows OS
Patch Management Using Endpoint Central – Windows OS
Description
This page describes how to manage Microsoft Windows OS patches using ManageEngine Endpoint Central (EPC). Patch management involves scanning systems, identifying missing patches, approving them, and deploying them to Windows endpoints in a controlled and automated manner.
Endpoint Central supports patch management for all major Windows client and server versions and helps ensure your systems remain secure and compliant.
Supported Windows Versions
Endpoint Central supports patching for the following versions:
Windows Desktop OS
- Windows 11 (All Editions)
- Windows 10 (All Editions)
- Windows 8.1
- Windows 7 SP1
Windows Server OS
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 / 2012 R2
- Windows Server 2008 R2 SP1
> ⚠️ Ensure the Windows machines are domain-joined or accessible over the network, and that the agent is installed.
1. Preparing the Windows Machine
- Install the Endpoint Central agent on the Windows machine.
- Ensure firewall rules allow communication with the EPC server.
- Verify internet access or WSUS/local patch sync availability.
- Ensure system time is in sync with the Domain Controller or NTP server.
2. Installing the Endpoint Central Agent
Step 1: Download the Agent
Go to: Agent → Computers → Download Agent → Windows → 64-bit → Download Agent
Step 2: Install the Agent
- Run the downloaded installer manually or deploy it via Group Policy/SCCM.
- The agent will auto-register with the Endpoint Central server.
Step 3: Verify Agent Installation
Navigate to: Agent → Computers
- Confirm the system appears as "Installed".
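As an added pre-flight check for sections 1 and 2 (example code, not part of Endpoint Central or ManageEngine), the following PowerShell script verifies on the endpoint itself what those steps ask for: TCP reachability of the EPC server, patch-source reachability, clock skew against the domain controller, and that the agent service is running. The server name, the ports (8020/8383), and the agent service display-name pattern are assumptions to adjust for your environment.

```powershell
# Added readiness check for sections 1 and 2; not part of Endpoint Central.
# Assumed (constructed for this example): server host name, agent ports
# (8020/8383 are common EPC defaults; confirm under Admin → Server Settings),
# and the agent service display-name pattern. Requires Windows 8.1/2012 R2+.
param(
    [Parameter(Mandatory = $true)][string]$EpcServer,
    [int[]]$Ports = @(8020, 8383),                        # assumption: check your server
    [string]$AgentServicePattern = 'ManageEngine*Agent*', # assumption: display-name wildcard
    [string]$TimeSource = ($env:LOGONSERVER -replace '\\', ''),  # DC that logged us on
    [int]$MaxClockSkewSeconds = 300                       # Kerberos limit; aim far lower
)

$results = [ordered]@{}

# 1. Firewall path: can this endpoint open TCP to the EPC server on the agent ports?
foreach ($port in $Ports) {
    $results["TCP ${EpcServer}:${port}"] =
        Test-NetConnection -ComputerName $EpcServer -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
}

# 2. Patch source reachability (replace with your WSUS host if patches come from WSUS).
$results['HTTPS to windowsupdate.microsoft.com'] =
    Test-NetConnection -ComputerName 'windowsupdate.microsoft.com' -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue

# 3. Clock skew against the domain controller. w32tm /dataonly prints lines like
#    "12:00:00, +00.0123456s"; the signed value is this host's offset from the source.
$sample = & w32tm.exe /stripchart /computer:$TimeSource /samples:1 /dataonly 2>$null |
          Select-String -Pattern ',\s*([+-][\d.]+)s'
if ($sample) {
    $offset = [double]$sample.Matches[0].Groups[1].Value
    $results["Clock offset vs $TimeSource is $offset s"] = [math]::Abs($offset) -le $MaxClockSkewSeconds
} else {
    $results["Clock offset vs $TimeSource"] = $false   # no NTP answer: treat as failed
}

# 4. Agent present and running (complements the "Installed" state shown in the console).
$svc = Get-Service -DisplayName $AgentServicePattern -ErrorAction SilentlyContinue
$results['Agent service running'] = @($svc | Where-Object { $_.Status -eq 'Running' }).Count -gt 0

# Report, then exit non-zero so GPO/SCCM deployments can flag machines that are not ready.
$results.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Passed = $_.Value } } |
    Format-Table -AutoSize
if ($results.Values -contains $false) { exit 1 }
```

Run it as `.\Check-EpcReadiness.ps1 -EpcServer epc01.example.local` before rolling the agent out; a non-zero exit code means at least one prerequisite from section 1 is missing.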
3. Configuring Patch Settings
Step 1: Enable Patch Types
Go to: Admin → Patch Settings → Patch Database Settings
- Enable the following:
  * Security Updates
  * Non-Security Updates
  * Feature Packs
  * Critical Updates
  * Service Packs (optional)
- Click Save
Step 2: Configure Reboot Settings
In Deployment Policy, define:
- Whether to force a reboot
- Reboot during non-business hours only
- User deferral options (optional)
Step 3: Set Proxy if Needed
Go to: Admin → Server Settings → Proxy Server
- Configure the proxy if the EPC server reaches the internet through a proxy
- Otherwise, choose: Direct Connection to the Internet
4. Scanning and Patching Windows Machines
Step 1: Scan the System
Go to: Threats & Patches → Scan Systems
- Select the Windows endpoints
- Click Scan Now to detect missing patches
Step 2: View and Approve Patches
Go to: Threats & Patches → By Patches → Missing Patches
- Review the list of missing patches
- Select required updates
- Click Install / Publish Patches
Step 3: Create a Deployment Task
- Select the approved patches
- Choose a Deployment Policy
- Set Deployment Time (e.g., Deploy Anytime at the Earliest)
- Select target computers or groups
- Click Deploy
5. Monitoring and Reporting
Monitor patch deployment from:
- Threats & Patches → Deployment Status
- Reports → Patch Reports → Windows Patch Summary
6. Best Practices
- Enable regular automatic patch scans (daily or weekly)
- Use pilot groups for testing critical updates
- Schedule patch deployment outside business hours
- Enable email alerts for failed or pending deployments