How to automate patch management with PDQ Deploy & Inventory

Brock Bingham candid headshot
Brock Bingham|February 17, 2022
automating patch management
automating patch management

Patch management is a core component of cybersecurity. As such, we've covered patch management and automated patch management in detail to help organizations better understand what it is and why it's critical to network security.

Now, we want to highlight what automated patch management looks like with PDQ Deploy and Inventory. We'll showcase the processes involved from start to finish and demonstrate how Deploy and Inventory can simultaneously provide comprehensive coverage while simplifying the entire patch management process.

Getting to know PDQ Deploy and Inventory

Before we work through the patch management process, it's important to get a base understanding of what each product is designed to do.

PDQ Deploy

PDQ Deploy is a deployment solution that streamlines the deployment of applications, updates, and scripts to Windows devices. Instead of manual installations, PDQ Deploy allows IT administrators to remotely distribute applications to hundreds or thousands of devices in a matter of minutes. Deployments can be initiated manually or automatically using several different trigger mechanisms.

PDQ Deploy also includes the Package Library, which contains hundreds of pre-built packages for popular applications and Windows updates. Packages in the Package Library are automatically updated when new versions of applications are released, which is an essential part of the automation process.

PDQ Inventory

PDQ Inventory is a device management solution that scans networked Windows devices, gathering and centrally storing detailed system configuration information. PDQ Inventory provides sysadmins with rapid access to computer information, such as installed applications, hardware configurations, user data, and much more.

To help sysadmins manage this information, PDQ Inventory dynamically organizes devices into pre-configured collections. Collections are built upon a set of filters, and when devices match the filter criteria, they become a member of the collection. With over a thousand pre-built collections in PDQ Inventory, administrators can accurately group and organize managed devices.

PDQ Inventory is also highly customizable, allowing admins to create custom collections, tools, and scanners to meet their organizational needs.

Bringing PDQ Deploy and PDQ Inventory together to automate patch management

PDQ Deploy and PDQ Inventory both come packed with best-in-class feature sets, but, much like Voltron, Power Rangers, or Captain Planet, you unlock their full potential when you combine their powers.

By utilizing both PDQ Deploy and PDQ Inventory, you gain the ability to target dynamic collections, which is essential when automating deployments. You also unlock heartbeat triggers, enabling deployments to devices as they come online. Heartbeat triggers ensure that even hard-to-reach devices don't miss out on critical patches.

Now that we have a basic understanding of the products and their feature sets, let's go through the process of automating a deployment. For this example, we'll showcase how easy it is to fully automate the distribution of Windows cumulative updates. Specifically, we'll target devices running Windows 10 21H2 64-bit.

If you don't have PDQ Inventory or PDQ Deploy but want to follow along with the article, you can download a 14-day free trial. Installation is easy and only takes a few minutes. Check out our guides to Installing PDQ Deploy and Installing PDQ Inventory if you need help getting started.

Identifying targets in PDQ Inventory

The first step in configuring an automated deployment is identifying the target devices. Since PDQ Inventory automatically organizes devices into collections, this step is pretty much done for us, making it easy to identify the machines we need to target.

With PDQ Inventory open, from the menu tree, expand Collection Library > Windows Updates > Workstations > Windows 10 > Windows 10 Version 21H2 > Cumulative Update 64-bit.

automating patch management 1

There are two child collections within the Cumulative Update 64-bit collection: Win 10 Version 21H2 Cumulative Update 64-bit (Latest) and (Old)

automating patch management 2

Notice that I currently have one endpoint in the (Latest) collection and two endpoints in the (Old) collection. Inventory automatically moves devices between these two collections depending on if they have the latest updates or not. Once a computer receives the latest update and is scanned by Inventory, it automatically joins the (Latest) collection. As a new update becomes available, computers automatically move to the (Old) collection until they receive the latest update and are rescanned.

If you click on the Win 10 Version 21H2 Cumulative Update 64-bit (Old) collection, you'll see which machines are currently members and how the collection is filtered.

automating patch management 3

Since our goal is to automate the distribution of the latest Windows 10 21H2 64-bit cumulative updates, we'll target the Win 10 Version 21H2 Cumulative Update 64-bit (old) collection with our deployment.

Downloading the package from PDQ Deploy and creating a schedule

Now that we know what we'll target, we can download the package from the Package Library in PDQ Deploy and configure a schedule.

  • With PDQ Deploy open, click Package Library.

  • In the Filter field, enter 21h2.

  • Locate the Win 10 (20H2/21H1/21H2) - Cumulative Update (64-bit) package, select it, then click Download Selected (As Auto Download).

automating patch management 4
  • Locate the package in the Packages folder, right-click it, then click New Schedule.

automating patch management 5
  • Enter a name for the schedule, such as Win 10 21H2 Cumulative Update 64-bit in the Schedule Name field.

  • Click on the Triggers tab.

  • Click the Weekly trigger to add it to your schedule.

  • From the drop-down menu, select Tuesday and Thursday.

  • Change the deployment time to 3:30 PM.

automating patch management 6
  • Click the Targets tab.

  • Click Choose Targets > PDQ Inventory > Collection.

automating patch management 7
  • Expand Collection Library > Windows Updates > Workstations > Windows 10 > Windows 10 Version 21H2 > Cumulative Update 64-bit and select Win 10 Version 21H2 Cumulative Update 64-bit (Old).

  • Click OK.

automating patch management 8
  • Click the Options tab.

  • Select Stop deploying to targets once they succeed if it's not already selected.

automating patch management 9
  • Click OK to finish creating the schedule.

With the schedule created, our automated deployment is complete. The cumulative update package will deploy to the devices in the targeted collection every Tuesday and Thursday at 3:30 PM. Once a computer receives the update, it will move into the Win 10 Version 21H2 Cumulative Update 64-bit (Latest) collection, where it will remain until a new update is released. When a new update is released, devices will return to the Win 10 Version 21H2 Cumulative Update 64-bit (Old) collection, and the process will repeat.

It's important to note that the schedule created in this guide is just an example and is not necessarily adequate for your organization. Deployment schedules in production environments should be tailored to the needs of your network and users. Check out our video covering deployment and scheduling best practices to learn more.

Wrapping Up

Sysadmins face a continuous onslaught of newly discovered vulnerabilities. Quickly distributing patches is essential for securing network devices against cyber threats.

Without the right tools, patch management becomes a full-time job that can quickly overwhelm sysadmins. However, the right tools can uncomplicate the patch management process, making it easy for sysadmins to ensure their devices and networks are secure.

Brock Bingham candid headshot
Brock Bingham

Born in the '80s and raised by his NES, Brock quickly fell in love with everything tech. With over 15 years of IT experience, Brock now enjoys the life of luxury as a renowned tech blogger and receiver of many Dundie Awards. In his free time, Brock enjoys adventuring with his wife, kids, and dogs, while dreaming of retirement.

Related articles