How to roll out a patch policy

Initially, the "Default" patch policy is applied to all computers. Patch assessment is disabled in the default policy.

Once patch assessment is enabled, computers begin an assessment. This can take several minutes. Subsequent assessments occur at the interval set in policy, which is daily by default.

Note: If computers run an assessment before Sophos Enterprise Console has downloaded patch data from Sophos for the first time, the Patch Event viewer displays no results. The download can take several hours. To check if this has completed, see the Patch updates field in the Patch Assessment - Event Viewer.

We recommend that you introduce patch policy as follows:

  1. Deploy the patch agent to computers using the Protect Computers Wizard. (On the Select features page of the wizard, select Patch.)
    Note: You must reprotect computers by running the Protect Computers Wizard if they are already running Endpoint Security and Control but do not have the patch agent installed.
  2. Enable patch assessments in your default patch policy.

    At this time, you have one patch policy for your entire network.

  3. Use the patch assessment Event Viewer to view which computers are missing patches and which are up to date. You can access the Event Viewer by clicking Events > Patch Assessment Events.
    Note: You must install missing patches on computers manually.
  4. If you require the ability to enable or disable patch policy or assign different patch assessment intervals for various groups, create different policies for different groups.

For more information on setting up patch policy, see the Sophos Enterprise Console help.