Patch & Configuration Compliance Automation

Keep your devices secure, compliant, and up to date - without disrupting the business.

Wanstor’s Patch Management

Keeping devices patched is one of the simplest and most effective ways to reduce exposure to known security vulnerabilities. Wanstor’s Managed Patch Management service delivers structured, staged patching across your desktops and servers – backed by monitoring and clear performance targets – so you stay protected without constant internal effort.


Why it matters

Unpatched systems are vulnerable to widely known security issues where fixes already exist. Our managed patching approach focuses on safe, timely installation and controlled rollouts to limit risk while protecting day-to-day operations.

What you get

  • Managed patch deployment for operating systems and supported applications across Windows, macOS and Linux devices in scope.
  • Staged rollouts (Pilot → Standard → High Impact) to reduce disruption and catch issues early.
  • Security-first prioritisation using vendor-aligned severity ratings to drive patch urgency.
  • Compliance visibility via a proactive reporting dashboard, including recommended remediations.
  • Defined timelines (KPIs) for zero-days, security patches, and non-security updates.

What we patch

Devices in scope

We patch customer desktops and servers running Microsoft Windows, macOS and Linux, as agreed within your managed patching scope.
To ensure accurate coverage, we recommend an inventory scan during onboarding to identify and onboard the right devices.


Software in scope

By default, this includes:

  • Supported operating systems
  • Microsoft applications
  • Supported third-party applications
  • Anti-virus definition updates

All in-scope software (excluding VMware Tools) is automatically patched unless you request exclusions during onboarding or through our change request process.

How our patching approach works

1. Prioritised by severity
We use ManageEngine Endpoint Central severity ratings (aligned with Microsoft severity guidance) to prioritise updates – so critical vulnerabilities are treated as urgent, while lower-risk items follow an appropriate schedule.

2. Staged deployment to minimise disruption
We group devices during onboarding and roll patches out in phases:

  • Pilot Group (canary devices across departments/use cases)
  • Standard Impact (default group)
  • High Impact (disruption-sensitive systems)

This helps you validate patches early and reduce operational risk.

Patch rollout timelines

These KPIs apply to devices that are online and connected to the internet for at least 2 hours within the target period (offline devices update when they’re back online).


Zero-day & critical security patches

If a vendor releases an out-of-cycle patch for a publicly disclosed zero-day, we accelerate deployment:

  • Pilot group: within 24 hours
  • All affected systems: within 48 hours


All other security patches

For vendor-rated Important / Moderate / Low security updates:

  • Patched within 14 days for in-scope systems.

Linux note: Security-only patching is supported for Red Hat where a relevant bulletin exists; for other Linux flavours we trigger an update of all modules and align to the non-security schedule below.


Non-security updates & rollups

For non-security updates, rollups and server service packs:

  • Patched within 30 days


Windows 11 feature updates

Choose your preferred model:

  • Automatic: rolled out as released
  • On-demand: rolled out when you raise a support ticket


Driver updates

  • Security driver updates follow the severity/timelines above
  • Non-security driver updates are not deployed automatically
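The timelines above are the kind of thing a customer will want to verify independently from their own patch inventory rather than take on trust from a dashboard. The script below is an added illustration and is not Wanstor's or ManageEngine's own tooling: it encodes the page's KPIs (zero-day: 24 hours for the pilot group, 48 hours for everything else; other security patches: 14 days; non-security updates: 30 days; non-security drivers not deployed automatically; devices online for fewer than 2 hours in the target period exempt) and evaluates each patch record against them. The group and category names, the record fields (including the online-hours telemetry value) and the sample records are assumptions constructed for the example.

```python
"""Check patch records against staged-rollout KPIs.

Added example, not the service provider's code. Thresholds follow the page:
zero-day -> pilot 24h / all others 48h; security -> 14 days;
non-security -> 30 days; non-security drivers -> not auto-deployed;
a device online < 2 hours in the target period is exempt (patches later).
Group/category names, record fields and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MIN_ONLINE_HOURS = 2.0  # KPI only applies above this (from the page)


@dataclass
class PatchRecord:
    device: str
    group: str                      # assumed: "pilot", "standard", "high_impact"
    category: str                   # assumed: "zero_day", "security", "non_security",
                                    #          "driver_security", "driver_non_security"
    released: datetime              # vendor release time (UTC)
    installed: Optional[datetime]   # None if not yet installed
    online_hours_in_window: float   # assumed telemetry: hours online between release and deadline


def deadline_for(rec: PatchRecord) -> Optional[datetime]:
    """Return the KPI deadline for a record, or None when no KPI applies."""
    if rec.category == "zero_day":
        hours = 24 if rec.group == "pilot" else 48
        return rec.released + timedelta(hours=hours)
    if rec.category in ("security", "driver_security"):
        return rec.released + timedelta(days=14)
    if rec.category == "non_security":
        return rec.released + timedelta(days=30)
    if rec.category == "driver_non_security":
        return None  # not deployed automatically, so no timeline
    raise ValueError(f"unknown category: {rec.category}")


def evaluate(rec: PatchRecord, now: datetime) -> str:
    """Classify one record: compliant, late, overdue, pending, exempt_offline, not_applicable."""
    deadline = deadline_for(rec)
    if deadline is None:
        return "not_applicable"
    if rec.installed is not None and rec.installed <= deadline:
        return "compliant"
    if rec.installed is None and now < deadline:
        return "pending"  # window still open
    # Missed the deadline (either installed late or still missing past it):
    # only counts against the KPI if the device was actually online enough.
    if rec.online_hours_in_window < MIN_ONLINE_HOURS:
        return "exempt_offline"
    return "late" if rec.installed is not None else "overdue"


def compliance_summary(records: List[PatchRecord], now: datetime) -> Dict[str, object]:
    """Count outcomes and compute the KPI rate over records the KPI applies to."""
    counts: Dict[str, int] = {}
    for rec in records:
        status = evaluate(rec, now)
        counts[status] = counts.get(status, 0) + 1
    measured = sum(counts.get(k, 0) for k in ("compliant", "late", "overdue"))
    rate = counts.get("compliant", 0) / measured if measured else None
    return {"counts": counts, "rate": rate}


# Constructed sample inventory (not real devices) and a fixed reference time.
NOW = datetime(2024, 6, 10, 12, 0)
SAMPLE = [
    PatchRecord("pilot-01", "pilot", "zero_day", datetime(2024, 6, 8, 9, 0), datetime(2024, 6, 8, 20, 0), 10.0),
    PatchRecord("std-07", "standard", "zero_day", datetime(2024, 6, 8, 9, 0), None, 30.0),
    PatchRecord("hi-02", "high_impact", "zero_day", datetime(2024, 6, 8, 9, 0), None, 0.5),
    PatchRecord("std-12", "standard", "security", datetime(2024, 5, 25), datetime(2024, 6, 5), 40.0),
    PatchRecord("srv-03", "standard", "non_security", datetime(2024, 5, 1), datetime(2024, 6, 5), 100.0),
    PatchRecord("std-20", "standard", "driver_non_security", datetime(2024, 6, 1), None, 50.0),
    PatchRecord("std-21", "standard", "security", datetime(2024, 6, 5), None, 20.0),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec.device:10} {rec.category:20} {evaluate(rec, NOW)}")
    print(compliance_summary(SAMPLE, NOW))
```

The denominator for the KPI rate deliberately includes only records the timeline applies to: pending windows, offline-exempt devices and non-automatic driver updates are reported separately so they neither inflate nor mask the figure, which is the distinction to check when comparing a provider's dashboard against your own inventory.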

FAQ

Will patching disrupt users?
We use staged rollouts and defined patch windows. End-user devices can postpone reboots up to 72 hours (default).

What if devices are offline?
KPIs apply to devices online for at least 2 hours during the target period; offline devices patch when they return online.

What happens if a patch fails?
We attempt remediation by uninstalling/reinstalling as appropriate. For servers, if remediation fails, a restore may be performed from backups.

Can we exclude certain apps or systems?
Yes – exclusions can be agreed during onboarding or via our change request process.

Ready to reduce patch risk?

If you want patching that’s structured, monitored, and aligned to clear timelines, without overloading internal IT – Wanstor can help.