
How to automate patch management with PDQ Deploy & Inventory

Brock Bingham | Updated August 21, 2025

Automated patch management using tools like PDQ Deploy & Inventory can streamline patching across Windows devices for better cybersecurity. In this guide, we'll showcase the processes involved from start to finish and demonstrate how Deploy & Inventory can provide comprehensive coverage while simplifying the entire patch management process.


Getting to know PDQ Deploy & Inventory

Before we work through the patch management process, it's important to get a base understanding of what each product is designed to do.

What is PDQ Deploy?

PDQ Deploy is a deployment solution that streamlines the deployment of applications, updates, and scripts to Windows devices. Instead of manual installations, PDQ Deploy allows IT administrators to remotely distribute applications to hundreds or thousands of devices in a matter of minutes. Admins can initiate deployments manually or automatically using several different trigger mechanisms.

PDQ Deploy also includes the Package Library, which contains hundreds of prebuilt packages for popular applications and Windows updates. Packages in the Package Library are automatically updated when new versions of applications are released, which is an essential part of the automation process.

What is PDQ Inventory?

PDQ Inventory is a device management solution that scans networked Windows devices, gathering and centrally storing detailed system configuration information. PDQ Inventory provides sysadmins with rapid access to computer information, such as installed applications, hardware configurations, user data, and much more.

To help sysadmins manage this information, PDQ Inventory dynamically organizes devices into preconfigured collections. Collections are built upon a set of filters, and when devices match the filter criteria, they become a member of the collection. With over a thousand prebuilt collections in PDQ Inventory, administrators can accurately group and organize managed devices.

PDQ Inventory is also highly customizable, allowing admins to create custom collections, tools, and scanners to meet their organizational needs.

How to automate patch management with PDQ Deploy & Inventory

PDQ Deploy & Inventory work best together, which is why they're sold as a combo. Combining them enables powerful automation, including dynamic targeting and heartbeat triggers to catch offline devices as they come online, ensuring that even hard-to-reach devices don't miss out on critical patches.

In short, PDQ Deploy & Inventory each come packed with best-in-class feature sets, but, much like Voltron, Power Rangers, or Captain Planet, you unlock their full potential when you combine their powers.

Now that we have a basic understanding of the products and their feature sets, let's go through the process of automating a deployment. For this example, we'll showcase how easy it is to fully automate the distribution of Windows cumulative updates. Specifically, we'll target devices running Windows 11 24H2 64-bit.

If you don't have PDQ Deploy & Inventory but want to follow along with the article, you can download a 14-day free trial. Installation is easy and only takes a few minutes. Check out our guides to Installing PDQ Deploy and Installing PDQ Inventory if you need help getting started.

How to identify targets in PDQ Inventory

The first step in configuring an automated deployment is identifying the target devices. Since PDQ Inventory automatically organizes devices into collections, this step is pretty much done for us, making it easy to identify the machines we need to target.

With PDQ Inventory open, from the menu tree, expand Collection Library > Windows Updates > Workstations > Windows 11 > Windows 11 Version 24H2 > Cumulative Update.

Screenshot of the expanded menu tree in PDQ Inventory, showing Collection Library > Windows Updates > Workstations > Windows 11 > Windows 11 Version 24H2 > Cumulative Update.

There are two child collections within the Cumulative Update collection: Windows 11 Version 24H2 Cumulative Update (Latest) and Windows 11 Version 24H2 Cumulative Update (Old).

Close-up of PDQ Inventory showing Windows 11 Version 24H2 Cumulative Update collections labeled Latest and Old.

Notice that I currently have one endpoint in the (Latest) collection and one endpoint in the (Old) collection. Inventory automatically moves devices between these two collections depending on whether they have the latest update. Once a computer receives the latest update and is scanned by Inventory, it automatically joins the (Latest) collection. As a new update becomes available, computers automatically move to the (Old) collection until they receive the latest update and are rescanned.

If you click on the Windows 11 Version 24H2 Cumulative Update (Old) collection, you'll see which machines are currently members and how the collection is filtered.

PDQ Inventory results for Windows 11 24H2 Cumulative Update (Old) showing a device missing the current cumulative update.

Since our goal is to automate the distribution of the latest Windows 11 24H2 cumulative updates, we'll target the Windows 11 Version 24H2 Cumulative Update (Old) collection with our deployment.

How to download the package from PDQ Deploy and create a schedule

Now that we know what we'll target, we can download the package from the Package Library in PDQ Deploy and configure a schedule.

  1. With PDQ Deploy open, click Package Library.

  2. In the Filter field, enter 24h2.

  3. Locate the Windows 11 (24H2) and Windows Server 2025 - Cumulative Update (64-bit) package, select it, then click Download Selected (As Auto Download).

    PDQ Deploy Package Library filtered for 24H2 with Windows 11 24H2 and Windows Server 2025 cumulative update selected for download.
  4. Locate the package in the Packages folder, right-click it, then click New Schedule.

    PDQ Deploy Packages pane with right-click menu highlighting New Schedule.
  5. Enter a name for the schedule, such as Windows 11 24H2 Cumulative Update, in the Schedule Name field.

  6. Click on the Triggers tab.

  7. Click the Weekly trigger to add it to your schedule.

  8. From the drop-down menu, select Tuesday and Thursday.

  9. Change the deployment time to 3:30 PM.

    PDQ Deploy Schedule editor with a weekly trigger set for Tuesday and Thursday at 3:30 PM.
  10. Click the Targets tab.

  11. Click Choose Targets > PDQ Inventory > Collection.

    PDQ Deploy schedule Targets tab showing Choose Targets menu selecting a PDQ Inventory collection.
  12. Expand Collection Library > Windows Updates > Workstations > Windows 11 > Windows 11 Version 24H2 > Cumulative Update and select Windows 11 Version 24H2 Cumulative Update (Old).

  13. Click OK.

    Select PDQ Inventory Collections dialog highlighting Windows 11 Version 24H2 Cumulative Update (Old) collection.
  14. Click the Options tab.

  15. Select Stop deploying to targets once they succeed if it's not already selected.

    PDQ Deploy schedule Options tab with Stop deploying to targets once they succeed enabled.
  16. Click OK to finish creating the schedule.

With the schedule created, our automated deployment is complete. The cumulative update package deploys to the devices in the targeted collection every Tuesday and Thursday at 3:30 PM. Once a computer receives the update, it moves into the Windows 11 Version 24H2 Cumulative Update (Latest) collection, where it remains until a new update is released. When a new update is released, devices return to the Windows 11 Version 24H2 Cumulative Update (Old) collection, and the process repeats.
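To spot-check what the (Latest) and (Old) collections report, the following PowerShell reads the OS build and update revision (UBR) directly from each endpoint and classifies it the same way. This is an added example, not PDQ code or part of the original article; the computer names are placeholders, PowerShell remoting is assumed to be enabled on the targets, and the minimum revision must be taken from the release notes of the cumulative update you deployed.

```powershell
# Added example (not PDQ code): verify patch level independently of PDQ Inventory.
# Assumptions: PowerShell remoting (WinRM) is enabled on the targets and the
# account running this has admin rights there. Computer names are placeholders.
[CmdletBinding()]
param(
    [string[]]$ComputerName = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02'),  # placeholder names
    [int]$ExpectedBuild = 26100,          # OS build number of Windows 11 24H2
    [Parameter(Mandatory)]
    [int]$MinimumUbr                      # revision after "26100." for the update you expect
)

# Runs on each endpoint: CurrentBuild and UBR together form the full OS build,
# and UBR increases with every cumulative update that is installed.
$readBuild = {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [int]$cv.CurrentBuild
        Ubr   = [int]$cv.UBR
    }
}

$results = foreach ($computer in $ComputerName) {
    try {
        $r = Invoke-Command -ComputerName $computer -ScriptBlock $readBuild -ErrorAction Stop
        $state = if ($r.Build -ne $ExpectedBuild) { 'NotTargetOS' }
                 elseif ($r.Ubr -ge $MinimumUbr)  { 'Latest' }
                 else                             { 'Old' }
        [pscustomobject]@{
            Computer = $computer
            OSBuild  = '{0}.{1}' -f $r.Build, $r.Ubr
            State    = $state
        }
    }
    catch {
        # Offline or unreachable devices are reported instead of silently skipped,
        # so they can be followed up once they come back online.
        [pscustomobject]@{ Computer = $computer; OSBuild = $null; State = 'Unreachable' }
    }
}

$results | Sort-Object State, Computer | Format-Table -AutoSize
```

A device that shows as Old here but sits in the (Latest) collection, or the reverse, usually means its Inventory scan is stale and it needs a rescan.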

It's important to note that the schedule created in this guide is just an example and is not necessarily adequate for your organization. Deployment schedules in production environments should be tailored to the needs of your network and users. Check out our video covering deployment and scheduling best practices to learn more.

Wrapping up

By combining PDQ Deploy and Inventory, sysadmins can automate patching with precision — saving time while improving security across every Windows device.

Without the right tools, patch management becomes a full-time job that can quickly overwhelm sysadmins. However, the right tools can uncomplicate the patch management process, making it easy for sysadmins to ensure their devices and networks are secure. Try PDQ Deploy & Inventory free for 14 days to see for yourself.

Brock Bingham

Born in the '80s and raised by his NES, Brock quickly fell in love with everything tech. With over 15 years of IT experience, Brock now enjoys the life of luxury as a renowned tech blogger and receiver of many Dundie Awards. In his free time, Brock enjoys adventuring with his wife, kids, and dogs, while dreaming of retirement.
