Apply a software patch

You can automate the remediation of vulnerabilities that were detected by Managed Risk by applying software patches to supported third-party software if Arctic Wolf Agent is installed on the asset. At this time, software patches are available on a subset of Managed Risk Agent scan supported OSes and includes a range of supported third-party applications that do not require a reboot.

Note:
  • You cannot cancel a software patch after it is scheduled.
  • When a software patch is scheduled for an endpoint that has the power off, or if a system reboot occurs during the software patch process on an endpoint, the Patch Status remains in Patch Initiated for five days. After five days, if it is not past the Patch Enforcement Deadline date, the process is rescheduled. If it is past the Patch Enforcement Deadline date, the Patch Status changes to Patch Failed.
  • A software patch notification may not appear on an endpoint when a system reboots because of the sequence of system and user processes on Windows operating systems. If this occurs, a silent deferral or update of the application can occur.

We recommend that you patch a small number of assets first, preferably using test devices within your IT team. Wait 1-2 days and validate that the patches were successful. Then, patch the remaining assets.

Tip: You can tag assets by patch release cadence. Use saved filters with tags to manage patching in phases.

  • A Managed Risk subscription

  • An subscription.

  • Arctic Wolf Agent installed on the endpoint with a version of Windows - arcticwolfagent-2026-01_45 or later

  • Managed Risk administrator permissions in the Unified Portal

  • One of these supported 64-bit OSes: Windows 10, 11, 2012, 2012 R2, 2016, 2019, 2022, 2025

  1. Sign in to the Arctic Wolf Unified Portal.
  2. If an Agent vulnerability scan of assets was not done after you added the subscription, manually rescan your assets to get the available patches for identified risks.
    For more information, see Rescan assets.
  3. In the navigation menu, click Managed Risk > Risks.
    Note: To view vulnerabilities that have a software patch available, use this filter:
    • Columns — Select Patch Status.
    • Operator — Select is any of.
    • Value — Select Patch Available.
    For more information, see Risk filters.
  4. Do one of these actions:
    • To apply the patch to a single vulnerability:
      1. On the Risks page, click the All tab.
      2. For the vulnerability to fix with a software patch, do one of these actions:
        • In the Actions column, click > Apply Patch.
        • In the Actions column, click > View Risk, and then click Apply Patch.
    • Apply the patch to multiple vulnerabilities:
      1. On the Risks page, click the All tab, and then select one or more vulnerabilities to fix with a software patch. If needed, click to expand the row to see more detail about the software that requires a patch in the Remediation details.
      2. Click Apply Patch.

        The Apply Patch button is only available if the status is Patch Available or Patch Failed.

  5. In the Apply Patch panel, choose when to apply the patch:
    • Schedule patch deployment — On the specified date, starts the software patch process. Arctic Wolf sends a Software Update notification to endpoints that informs users that a software patch update is available. If you select this option, in the Patch Deployment Date (local Time) field, enter the date and time that you want the software patch process started. This is your local time, so it will not be the same time for the endpoint if the endpoint is in a different timezone.
    • Deploy patch now — Immediately starts the software patch process. Arctic Wolf sends a Software Update notification to endpoints that informs users that a software patch update is available.
  6. In the Patch Enforcement Deadline (in Days) field, enter the number of days from the patch schedule date when the software will be patched on the selected endpoints.
    Before the deadline arrives, the end users will see a Software Update notification with the option to update now or update later. On the deadline, users will see a Critical Software Update notification with the option to update now.
  7. Optional: Select the Force patch with no deferral window checkbox if you want to prevent users from deferring the software update.
    Users will see Critical Software Update notification on the endpoints.
  8. Verify that the specified asset and software are correct, and then click Deploy Patches.
    For the selected risks, the Patch Status changes to Patch Initiated, and the end user, depending on the Patch Enforcement Deadline (in Days) and Force patch with no deferral window settings, receives a Software Update or Critical Software Update notification.
  9. Based on the software update notification the end user receives, they complete the preferred action:
    Note: If the endpoint has a graphical user interface, the software update notification will be displayed to the end users. Otherwise, the software will be patched without any notification.
    • Software Update — The end user has these options:
      • Click Update Later, close the notification, or not take any action for 15 minutes — This defers the software update. This can be done up to two times. The software update is rescheduled for half-way between the rescheduling date and the enforcement date. After the maximum number of deferrals, the end user receives a Critical Software Update notification. If the computer is offline, the notification may not appear.
      • Click Quit Apps & Update Now — The system closes the specified software applications and then applies the software patch.
    • Critical Software Update — The end user cannot defer the software update because the Patch Enforcement Deadline was reached, the software patch was requested within 15 minutes of the Patch Enforcement Deadline, or the Force patch with no deferral window checkbox was selected when the patch update was scheduled. The end user has 15 minutes to prepare for the software patch update. They can click Quit Apps & Update Now to start the update now or be forced to start the update after 15 minutes. The notification cannot be closed.
  10. When the software patching process in complete on the endpoint for the selected risks, the end users receive a Software Update Complete notification, and the Patch Status changes to reflect the status of applying the patch.
  11. If the Patch Status is Patch Applied, wait for the next scheduled vulnerability scan or manually rescan the assets to verify that the risk is resolved. When the risk is remediated, the risk Status updates to Resolved.
    For more information, see Rescan assets.
    Note:
    • If the risk Status does not change to Resolved after a successful patch and rescan, the CVE might be present on one or more applications that do not have a patch available. In this situation, the Patch Status is Patch Unavailable.
    • If you are experiencing errors with this feature, create a ticket that includes the output from the Agent Diagnostic Tool.

      For more information, see Run the Agent diagnostic tool and Create a Unified Portal ticket.