Patching Windows and macOS devices
NOTE: Patch management requires a separate KACE Cloud Secure license for devices managed with a Modern subscription, while it is included for devices managed with a Companion Edition subscription.
When patching is enabled in KACE Cloud, you can patch the following software components of your managed Windows and macOS devices to their latest OS and app software versions. Ensuring your managed devices are up to date helps improve their overall performance and protects them from potential vulnerabilities.
| Platform | OS patching supported? | App patching supported? |
|---|---|---|
| Windows | Yes | Yes |
| macOS | Yes (Security Library) | Yes |
NOTE: macOS OS-level patching is not available through the Patching Library. To keep the OS on your managed macOS devices up to date, use macOS Auto-Updates and macOS Version Upgrades in the Security Library. macOS app patching requires macOS version 11 or later.
As an alternative to KACE Cloud Patching, you can also bring your managed Windows devices up to date using Windows Update Configurations and Windows Feature Update Configurations in the Security Library. Both Windows Feature Update Configurations and KACE Cloud patch management require a KACE Cloud Secure license, as indicated above. Windows Update Configurations are covered by your base KACE Cloud License. For more details about Windows and Feature Updates, see Configure Windows Updates in the Library.
KACE Cloud maintains a central patch catalog of applicable OS-level and app patches for your managed devices, updated on a daily basis. When patching is configured for selected software and target devices, the patches are detected and installed as part of a policy schedule. If a patch becomes available between scheduled policy runs, target devices are updated during the next scheduled run. KACE Cloud uses the KACE Cloud Agent for Windows or macOS to facilitate the installation of patches on managed devices. When a patch filter detects that one or more managed devices require patching, the associated KACE Cloud Agent app (Windows or macOS) is automatically added to the Library and distributed to the applicable devices. In most cases, the patching process instructs target devices to obtain and install patches directly from the patch vendors' websites.
NOTE: Some publishers do not support patching of Windows apps installed through an MSI installer. These apps, such as Notepad++, can only be patched if they are installed using an EXE installer.
When you enable the patching license, you can view the list of available patches in Supported Patch Products. Start by creating one or more patch filters. Next, associate patch filters with policies, using labels to target applicable devices. You can set policies to run on defined schedules, to ensure the patching process rolls out only at selected times. KACE Cloud administrators can also review the patches installed on individual devices.
KACE Cloud offers patch discovery and patch deployment capabilities, which give you greater control over the patching workflow. The key features are:
- Patch Discovery without immediate deployment:
  - You can discover patches across all devices without automatically proceeding to deployment.
  - You can approve the discovered patches for deployment at a later time.
- View Discovery results without impacting compliance:
  - You can view results of 'discover-only' scans without affecting the current compliance percentage.
  - You can monitor vulnerabilities while maintaining accurate compliance metrics.
- Differentiate Patch status: You can generate reports to track patches that are discovered but not deployed and those awaiting deployment.
- Minimize production impact of detection: You can reduce overloading the environment with extensive patch discovery on all devices by linking patch filters to 'discover-only' policies.
- Optimized Patch reporting:
  - You can generate various reports related to patches that track patch deployments, detected patches, missing patches, already installed patches, patches discovered but not deployed, devices with pending deployment patches, and so on.
  - You can make a copy of the reports and then customize them according to your requirements. To learn more, see Create and edit reports.
Operating Systems Support for Patching:
The supported and unsupported Windows operating systems and architectures are as follows:
- Windows OS: Support starts with Windows 10 version 1507. OS patches for the General Availability (GA) Channel and the Long-Term Servicing Channel (LTSC) are available in the catalog for Windows 10 and Windows 11.
- Windows Server: Support starts with Windows Server 2016. Patches are also available in the catalog for Windows Server 2019, 2022, and 2025.
- Windows Insider Channels: Canary, Dev, Beta, and Release Preview are unsupported.
- Architecture:
  - Supported: x64 architecture
  - Unsupported: x86, ARM, and ARM64 architectures
Understanding patch management flows on KACE Cloud and KACE Systems Management Appliance
The patching processes on KACE Cloud and KACE Systems Management Appliance rely on the same patch catalog for application and OS patches. To get the full list of KACE Cloud supported products in the Patch Catalog, see Supported Patch Products.
Both products use an agent component to push patches to target devices. However, the patching mechanisms are slightly different. The following table covers the main elements of the patch management process on each product and explains the differences and similarities between the two workflows.
| Element | KACE Systems Management Appliance | KACE Cloud |
|---|---|---|
| Subscribe to patches | To enable patching, administrators must subscribe to specific patches and schedule patch downloads to the appliance. | A central patch catalog is managed in KACE Cloud. The catalog inventory is updated on a daily basis. This process is automatic and transparent to administrators and end users. |
| Select target devices and patches | Use of Smart Labels to select target devices and patches is recommended. Manual labels are also supported, but Smart Labels are more efficient because they are applied and removed automatically. You can also select devices manually. | You must use manual or Smart Labels to select the devices that you want to patch. You cannot select a target device directly, without a label. You must create patching filters to select patches. |
| Manage patching schedules | You can create and manage patch schedules that detect, deploy, and roll back the patches to which you subscribe, all using a wizard flow. | To schedule patch installation, start by creating a patching policy. A patching policy requires the following pre-configured elements: |
| Agent | KACE Agent facilitates patching on managed devices. The agent can be installed automatically using the Agent Provisioning Assistant, or manually on individual devices. The agent's communication settings, such as the ability to display the agent status on target devices, or maximum snooze counts, are configured on the appliance. You can view the agent status (when enabled) and issue specific commands, such as snoozing a patch install, using the KACE Agent menu in the system tray. | KACE Cloud Agent facilitates patching on managed devices. When KACE Cloud detects that patching is required on a target device for the first time, it automatically pushes the agent installer to the device. This process is completely transparent to KACE Cloud administrators and end users. You can manage patch notifications such as snooze and reboot prompts in the Rules section of the patching policy. |
Leveraging CVSS and EPSS for Effective Patching
Utilizing the Common Vulnerability Scoring System (CVSS) and the Exploit Prediction Scoring System (EPSS) enhances the ability to prioritize vulnerabilities for effective patch management. The combined use of CVSS and EPSS allows for more informed decision-making when designing a patching strategy to enhance the overall security framework and reduce vulnerability exposure.
- CVSS:
  - provides a standardized metric for assessing the severity of vulnerabilities.
  - CVSS v3.1 scores range from 0.0 to 10.0, indicating the potential impact on systems.
- EPSS:
  - estimates the probability of a vulnerability being exploited within the next 30 days.
  - is expressed as a percentage from 0.0% to 100%, indicating the likelihood of exploitation.
By integrating CVSS and EPSS scores into patch filtering criteria, an administrator can:
- Better target patches that address the most critical and exploitable vulnerabilities.
- Optimize endpoint security by focusing resources on high-risk areas.
- Filter patches based on specific CVSS and EPSS values, ranges, or thresholds, ensuring a precise and prioritized approach to vulnerability management as shown in the images below:
(Screenshots: CVSS filter criteria and EPSS filter criteria)
You can now include the CVSS Score (Critical, High, Medium, Low) and the EPSS Score in a patch filter to determine which patches need urgent attention in your environment.
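As an added example (not KACE Cloud code), the following Python applies the same filter criteria to a constructed patch list: each CVSS v3.1 score is mapped to its Critical/High/Medium/Low band using the FIRST qualitative rating scale, patches below an EPSS threshold are dropped, and the survivors are ordered by exploitation likelihood. The patch identifiers, product names and scores are all constructed sample data.

```python
# Added illustration of the CVSS/EPSS filter criteria described on this page.
# Not KACE Cloud code; the patch records below are constructed sample data.
from dataclasses import dataclass

# CVSS v3.1 qualitative severity rating scale as published by FIRST.
SEVERITY_BANDS = (("Critical", 9.0, 10.0), ("High", 7.0, 8.9),
                  ("Medium", 4.0, 6.9), ("Low", 0.1, 3.9), ("None", 0.0, 0.0))


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.1 base score (0.0 to 10.0) to its qualitative band."""
    score = round(score, 1)  # CVSS scores are reported to one decimal place
    for name, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"CVSS score out of range: {score}")


@dataclass(frozen=True)
class Patch:
    patch_id: str  # constructed identifier, not a real catalog entry
    product: str
    cvss: float    # CVSS v3.1 base score
    epss: float    # EPSS probability in [0.0, 1.0]; the filter shows it as 0%-100%


def select_patches(patches, severities, epss_min_percent):
    """Keep patches whose CVSS band is in `severities` and whose EPSS is at
    least `epss_min_percent`, most likely-to-be-exploited (then most severe) first."""
    chosen = [p for p in patches
              if cvss_severity(p.cvss) in severities
              and p.epss * 100 >= epss_min_percent]
    return sorted(chosen, key=lambda p: (p.epss, p.cvss), reverse=True)


# Constructed sample catalog: scores are illustrative, not real vendor data.
SAMPLE_CATALOG = [
    Patch("P-1", "Browser", 9.8, 0.92),
    Patch("P-2", "Office suite", 7.5, 0.03),
    Patch("P-3", "PDF reader", 8.8, 0.45),
    Patch("P-4", "Media player", 5.3, 0.70),
    Patch("P-5", "Archiver", 3.1, 0.01),
]

if __name__ == "__main__":
    # Critical/High patches with EPSS of at least 10%: P-1 (92%) then P-3 (45%).
    for p in select_patches(SAMPLE_CATALOG, {"Critical", "High"}, 10):
        print(p.patch_id, p.product, cvss_severity(p.cvss), f"{p.epss:.0%}")
```

Note that P-4 is only Medium by CVSS yet has a higher EPSS than every High patch, which is exactly the case the combined filter is meant to surface.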

