Patch management settings

To learn how to create a protection plan with the patch management module, refer to "Creating a protection plan". In the protection plan, you can specify which updates for Microsoft products and for third-party Windows products are installed automatically on the defined machines.

The availability of this feature depends on the service quotas that are enabled for your account.

The following settings can be specified for the patch management module.

Microsoft products

To install the Microsoft updates on the selected machines, enable the Update Microsoft products option.

Select which updates to install:

  • All updates
  • Only Security and Critical updates
  • Updates of specific products: you can define custom settings for different products. For each product, you can define which updates to install by category, severity, or approval status.

Windows third-party products

To install the third-party updates for Windows OS on the selected machines, enable the Windows third-party products option.

Select which updates to install:

  • Only last major updates – Allows you to install the latest available version of the update.
  • Only last minor updates – Allows you to install the minor version of the update.
  • Updates of specific products: you can define custom settings for different products. For each product, you can define which updates to install by category, severity, or approval status.

Schedule

Define the schedule according to which the updates will be installed on the selected machines.

Schedule the task run using the following events:

  • Schedule by time – The task will run according to the specified time.
  • When user logs in to the system – By default, a login of any user will start the task. You can modify this setting so that only a specific user account can trigger the task.
  • When user logs off the system – By default, a logoff of any user will start the task. You can modify this setting so that only a specific user account can trigger the task.

    The task will not run at system shutdown. Shutting down and logging off are different events in the scheduling configuration.

  • On the system startup – The task will run when the operating system starts.
  • On the system shutdown – The task will run when the operating system shuts down.

Default setting: Schedule by time.

Schedule type:

  • Monthly – Select the months and the weeks or days of the month when the task will run.
  • Daily – Select the days of the week when the task will run.
  • Hourly – Select the days of the week, repetition number, and the time interval in which the task will run.

Default setting: Daily.

Start at – Select the exact time when the task will run.

Run within a date range – Set a range in which the configured schedule will be effective.

Start conditions – Define all conditions that must be met simultaneously for the task to run.

Start conditions for antimalware scans are similar to the start conditions for the Backup module that are described in "Start conditions". You can define the following additional start conditions:

  • Distribute task start time within a time window – This option allows you to set the time frame for the task in order to avoid network bottlenecks. You can specify the delay in hours or minutes. For example, if the default start time is 10:00 AM and the delay is 60 minutes, then the task will start between 10:00 AM and 11:00 AM.
  • If the machine is turned off, run missed tasks at the machine startup
  • Prevent the sleep or hibernate mode during task running – This option is effective only for machines running Windows.
  • If start conditions are not met, run the task anyway after – Specify the period after which the task will run, regardless of the other start conditions.

Start conditions are not supported for Linux.

Reboot after update – Define whether a reboot is initiated after the updates are installed:

  • Never – A reboot will never be initiated after the updates.
  • If required – A reboot is done only if it is required for applying the updates.
  • Always – A reboot will always be initiated after the updates. You can always specify the reboot delay.

Do not reboot until backup is finished – If a backup process is running, the machine reboot will be delayed until the backup is completed.

Pre-update backup

Run backup before installing software updates – The system will create an incremental backup of the machine before installing any updates on it. If no backups were created earlier, a full backup of the machine will be created. This allows you to get back to the previous state if the installation of updates is unsuccessful. For the Pre-update backup option to work, the corresponding machines must have both the patch management module and the backup module enabled in a protection plan, and the items to back up must be the entire machine or the boot+system volumes. If you select inappropriate items to back up, the system will not allow you to enable the Pre-update backup option.