Patch management settings in the protection plan

In the Patch management module of the protection plan, you can configure the following patch management settings:

  • What updates to install for Microsoft and third-party products for Windows OS.
  • When to run the automatic patch installation.
  • Whether to run a pre-update backup.

For more information about creating a protection plan and enabling the Patch management module, see Creating a protection plan.

The availability of this feature depends on the service quotas that are enabled for your account.

Microsoft products

To install the Microsoft updates on the selected machines, enable the Update Microsoft products option.

Select what updates you want to be installed:

  • All updates - Installs all approved updates.
  • Only Security and Critical updates - Installs all approved security and critical updates.
  • Updates of specific products (Automatic test approval and testing) - You can define custom settings for different products. If you want to update specific products, for each product you can define which updates to install by category, severity, or approval status. If you want to configure automatic test approval and testing of the patches, select this option.

For Microsoft products, patch distribution uses the Windows API service. Patches and updates are not downloaded or stored internally or on distribution agents. Instead, they are downloaded from Microsoft CDN. Thus, even with the Updater role assigned, the agent cannot download and distribute patches.

Windows third-party products

To install the third-party updates for Windows OS on the selected machines, enable the Windows third-party products option.

Select what updates you want to be installed:

  • Only last major updates - Install the latest available version of the update.
  • Only last minor updates - Install approved minor version of the update.
  • Updates of specific products (Automatic patch approval and testing) - Define custom settings for different products. If you want to update specific products then, for each product, you can define which updates to install by category, severity, or approval status. If you want to configure automatic test approval and testing of the patches, select this option.

For Windows third-party products, patches are distributed directly to the managed workloads from an internal Acronis database. In case the Updater role is assigned to an agent, this agent will be used to download and distribute patches.

Schedule

Define the schedule and conditions according to which the updates will be installed on the selected machines.

Field Description
Schedule the task run using the following events

This setting defines when the task will be run.

The following values are available:

  • Schedule by time – This is the default setting. The task will run according to the specified time.
  • When user logs in to the system – By default, a login of any user will start the task. You can modify this setting so that only a specific user account can trigger the task.

  • When user logs off the system – By default, a logoff of any user will start the task. You can modify this setting so that only a specific user account can trigger the task.

    The task will not run at system shutdown. Shutting down and logging off are different events in the scheduling configuration.

  • On the system startup – The task will run when the operating system starts.
  • On the system shutdown – The task will run when the operating system shuts down.
Schedule type

The field appears if, in Schedule the task run using the following events, you have selected Schedule by time.

The following values are available:

  • Monthly – Select the months and the weeks or days of the month when the task will run.
  • Daily – This is the default setting. Select the days of the week when the task will run.
  • Hourly – Select the days of the week, repetition number, and the time interval in which the task will run.
Start at

The field appears if, in Schedule the task run using the following events, you have selected Schedule by time

Select the exact time when the task will run.
Configure maintenance window for patches

The field appears if, in Schedule the task run using the following events, you have selected Schedule by time.

Select this setting if you want the patch installation to run only during the time interval that you will specify. If the patch installation process has not completed by the end time defined by the maintenance window for patches, it will be stopped automatically.
Run within a date range

The field appears if, in Schedule the task run using the following events, you have selected Schedule by time.

Set a range in which the configured schedule will be effective.
Specify a user account whose login to the operating system will initiate a task

The field appears if, in Schedule the task run using the following events, you have selected When user logs in to the system.

The following values are available:

  • Any user - Use this option if you want the login of any user to trigger the task.
  • The following user - Use this option if you want only the login of a specific user account to trigger the task.
Specify a user account whose logout from the operating system will initiate a task

The field appears if, in Schedule the task run using the following events, you have selected When user logs off the system.

The following values are available:

  • Any user - Use this option if you want the logout of any user to trigger the task.
  • The following user - Use this option if you want only the logout of a specific user account to trigger the task.
Start conditions

Defines all conditions that must be met simultaneously for the task to run.

Start conditions for antimalware scans are similar to the start conditions for the Backup module that are described in "Start conditions".

You can define the following additional start conditions:

  • Distribute task start time within a time window – This option allows you to set the time frame for the task in order to avoid network bottlenecks. You can specify the delay in hours or minutes. For example, if the default start time is 10:00 AM and the delay is 60 minutes, then the task will start between 10:00 AM and 11:00 AM.
  • If the machine is turned off, run missed tasks at the machine startup
  • Prevent the sleep or hibernate mode during task running – This option is effective only for machines running Windows.
  • If start conditions are not met, run the task anyway after – Specify the period after which the task will run, regardless of the other start conditions.
Start conditions are not supported for Linux.
Reboot after update

Define whether to reboot the machine automatically after the installation of the updates completes.

The following values are available:

  • Never – A reboot will never be initiated after the updates.
  • If required – A reboot will be initiated only if it is required for applying the updates.
  • Always – A reboot will be always initiated after the updates. You can specify a reboot delay.
Do not reboot until backup is finished If you select this option, if a backup process is running, the reboot of the machine will be delayed until the backup is completed.

Pre-update backup

Run backup before installing software updates – the system will create an incremental backup of machine before installing any updates on it. If there were no backups created earlier, then a full backup of machine will be created. It allows you to prevent such cases when the installation of updates was unsuccessful and you need to get back to the previous state. For the Pre-update backup option to work, the corresponding machines must have both the patch management and the backup module enabled in a protection plan and the items to back up – entire machine or boot+system volumes. If you select inappropriate items to back up, then the system will not allow you to enable the Pre-update backup option.