ActivePatch Developer's Guide - Security

ActivePatch includes a number of security-related features which ensure that updates are distributed safely and can only be applied by authorized users. The patch file or package has its own internal signature which includes a checksum, a universally unique identifier (UUID), and a one-way hash that uniquely identifies the update. Any attempt to modify the file directly with external tools, such as a binary file editor, invalidates this signature and results in an error when the update is subsequently accessed or applied.

When an individual patch file or a patch package is created, a password can be used to secure the contents of the patch so that it can only be accessed if that same password is provided during the application process. In the case of patch packages, the package cannot be opened without the password. This ensures that the patch or package can only be applied by those users who have been given the password. Passwords may be of any length and are case sensitive.

In addition to protecting a patch file or package with a password, an expiration date can be specified when the patch is created. This ensures that an update can only be applied within a given period of time, and attempts to apply the patch after the expiration period will result in an error. The use of an expiration period is optional, and the period is specified in days from the date that the patch or package file was created.

For additional security during the application of the update, ActivePatch can also be instructed to only update and register components which have been digitally signed using Microsoft's Authenticode technology. This is the same method that is used by Internet Explorer when downloading and installing ActiveX controls through the browser. This ensures that the given component has been signed by a trusted organization.
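
Before building a patch that will be applied with the signed-components-only restriction, it helps to confirm that every component in the update actually carries a valid Authenticode signature. The following is an added example, not part of ActivePatch or its documentation; it uses the standard PowerShell `Get-AuthenticodeSignature` cmdlet, and the staging directory path and the function name are assumptions.

```powershell
# Added example: report the Authenticode status of components staged for an update.
# 'C:\Staging\Update' is a hypothetical directory; Get-ComponentSignatureReport is
# a helper defined here, not an ActivePatch command.
function Get-ComponentSignatureReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$StagingPath,
        # File types that are typically registered as components.
        [string[]]$Include = @('*.dll', '*.ocx', '*.exe')
    )

    Get-ChildItem -Path $StagingPath -Recurse -File -Include $Include |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                File        = $_.FullName
                # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                Status      = $sig.Status
                Signer      = if ($cert) { $cert.Subject } else { $null }
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
                # A timestamp keeps the signature verifiable after the
                # signing certificate itself has expired.
                Timestamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

$report   = @(Get-ComponentSignatureReport -StagingPath 'C:\Staging\Update')
$rejected = @($report | Where-Object { $_.Status -ne 'Valid' })

$report | Format-Table File, Status, Signer, Timestamped -AutoSize

if ($rejected.Count -gt 0) {
    # HashMismatch means the file changed after signing; NotTrusted means the
    # certificate chain does not end at a root this machine trusts.
    $rejected | ForEach-Object {
        Write-Warning ("{0}: {1}" -f $_.Status, $_.File)
    }
    throw "$($rejected.Count) component(s) lack a valid Authenticode signature."
}
```

A `Valid` status reflects the trust stores of the machine running the check, so run it on a system configured like the targets that will apply the update.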