Home » Patch Management Architecture

Patch Management Architecture

The Patch Management Architecture

The Patch Management architecture consists of the following components:

Patch Management Architecture


Fig: Patch Management Architecture


The External Patch Crawler resides at the Zoho Corp. site and repeatedly probes the internet to draw vulnerability information from the Microsoft website and Apple website.


Patch download, assessment for patch authenticity and testing for functional correctness is also carried out at this site. The final analysis and data are correlated to obtain a consolidated vulnerability database which serves as a baseline for vulnerability assessment in the enterprise. The modified vulnerability database is then published to the Central Patch Repository for further use. The whole process of information gathering, patch analysis and publishing the latest vulnerability database occurs periodically.


The Central Patch Repository is a portal in the Zoho Corp. site, which hosts the latest vulnerability database that has been published after a thorough analysis. This database is exposed for download by the Endpoint Central server situated in the customer site, and provides information required for patch scanning and installation.


The Endpoint Central Server is located at the enterprise (customer site) and subscribes to the Central Patch repository, to periodically download the vulnerability database. It scans the systems in the enterprise network, checks for missing and available patches against the comprehensive vulnerability database, downloads and deploys missing patches and service packs, generates reports to effectively manage the patch management process in your enterprise.

How it Works?

Patch Management using Endpoint Central is a simple two-stage process:

Patch Assessment or Scanning

Endpoint Central periodically scans the systems in your  network to assess the patch needs. Using a comprehensive database consolidated from Microsoft's and other bulletins, the scanning mechanism checks for the existence and state of the patches by performing file version checks, registry checks and checksums. The vulnerability database is periodically updated with the latest information on patches, from the Central Patch Repository. The scanning logic automatically determines which updates are needed on each client system, taking into account the operating system, application, and update dependencies.

On successful completion of an assessment, the results of each assessment are returned and stored in the server database. The scan results can be viewed from the web-console.

Patch download and deployment

On selecting the patches to be deployed, you can a trigger a download or a deploy request. At first the selected patches are downloaded from the internet and stored in a particular location in the Endpoint Central server. Then they are pushed to the target machines remotely, after which they are installed sequentially.

To configure Patch Management follow this link.