Patch management settings in the protection plan
In the Patch management module of the protection plan, you can configure the following patch management settings:
- What updates to install for Microsoft and third-party products for Windows OS.
- When to run the automatic patch installation.
- Whether to run a pre-update backup.
For more information about creating a protection plan and enabling the Patch management module, see Creating a protection plan.
Microsoft products
To install the Microsoft updates on the selected machines, enable the Update Microsoft products option.
Select the installation option:
Option | Description |
---|---|
All updates | Use this option if you want to install all approved updates. |
Only Security and Critical updates | Use this option if you want to install all approved security and critical updates. |
Updates of specific products (Automatic patch approval and testing) | Use this option if you want to define custom settings for different products. If you want to update specific products, for each product you can define which updates to install by category, severity, or approval status. If you want to configure automatic test approval and testing of the patches, select this option. |
For Microsoft products, patch distribution uses the Windows API service. Patches and updates are not downloaded or stored internally or on distribution agents. Instead, they are downloaded from the Microsoft CDN. As a result, even an agent with the Updater role assigned cannot download and distribute patches for Microsoft products.
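To confirm on a workload that a plan set to Only Security and Critical updates left nothing outstanding, you can query the Windows Update Agent directly. The following is an added example, not code from Acronis; the function name `Get-MissingMicrosoftUpdate` is hypothetical, and the mapping of the plan option to the Windows Update categories "Security Updates" and "Critical Updates" is an assumption.

```powershell
# Added example (not Acronis code): list Microsoft updates that are still missing
# on this workload, using the Windows Update Agent (WUA) COM API.
# Assumption: "Only Security and Critical updates" corresponds to the WUA
# categories "Security Updates" and "Critical Updates".
function Get-MissingMicrosoftUpdate {
    param(
        [string[]]$Category = @('Security Updates', 'Critical Updates')
    )

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Applicable software updates that are neither installed nor hidden.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($update in $result.Updates) {
        $names   = @($update.Categories | ForEach-Object { $_.Name })
        $matched = @($names | Where-Object { $Category -contains $_ })
        if ($matched.Count -eq 0) { continue }

        [pscustomobject]@{
            Title        = $update.Title
            KB           = @($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Category     = $matched -join ','
            MsrcSeverity = $update.MsrcSeverity
            Downloaded   = $update.IsDownloaded
        }
    }
}

$missing = @(Get-MissingMicrosoftUpdate)
if ($missing.Count -gt 0) {
    $missing | Sort-Object Category, Title | Format-Table -AutoSize -Wrap
    Write-Warning ("{0} security/critical update(s) still missing." -f $missing.Count)
} else {
    Write-Output 'No missing security or critical Microsoft updates found.'
}
```

The search runs against whatever update source the machine's Windows Update Agent is configured to use, so the result reflects that source's view of applicable updates.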
Windows third-party products
To install the third-party updates for Windows OS on the selected machines, enable the Windows third-party products option.
This functionality requires the Advanced Management (RMM) pack.
Select the installation options:
Option | Description |
---|---|
All updates | Use this option if you want to install all approved updates. * |
Only major updates | Use this option if you want to install all approved major updates. |
Only minor updates | Use this option if you want to install approved minor updates. |
Updates of specific products (Automatic patch approval and testing) | Use this option if you want to define custom settings for different products. If you want to update specific products then, for each product, you can define which updates to install by category, severity, or approval status. If you want to configure automatic test approval and testing of the patches, select this option. |
Install the latest versions only for applications with detected vulnerabilities | Select this check box if you want to install the latest updates only for applications that have detected vulnerabilities. * |
* This option requires Cyber Protect agent version 23.11.36772 or later.
For Windows third-party products, patches are distributed directly to the managed workloads from an internal Acronis database. If the Updater role is assigned to an agent, that agent is used to download and distribute patches.
Schedule
Define the schedule and conditions according to which the updates will be installed on the selected machines.
Field | Description |
---|---|
Schedule the task run using the following events | This setting defines when the task will be run. The following values are available: |
Schedule type | The field appears if, in Schedule the task run using the following events, you have selected Schedule by time. The following values are available: |
Start at | The field appears if, in Schedule the task run using the following events, you have selected Schedule by time. Select the exact time when the task will run. |
Configure maintenance window for patches | The field appears if, in Schedule the task run using the following events, you have selected Schedule by time. Select this setting if you want the patch installation to run only during the time interval that you will specify. If the patch installation process has not completed by the end time defined by the maintenance window for patches, it will be stopped automatically. |
Run within a date range | The field appears if, in Schedule the task run using the following events, you have selected Schedule by time. Set a range in which the configured schedule will be effective. |
Specify a user account whose login to the operating system will initiate a task | The field appears if, in Schedule the task run using the following events, you have selected When user logs in to the system. The following values are available: |
Specify a user account whose logout from the operating system will initiate a task | The field appears if, in Schedule the task run using the following events, you have selected When user logs off the system. The following values are available: |
Start conditions | Defines all conditions that must be met simultaneously for the task to run. Start conditions for antimalware scans are similar to the start conditions for the Backup module that are described in "Start conditions". You can define the following additional start conditions:
Start conditions are not supported for Linux. |
Restart options
Configure whether the workloads are restarted after the patches are installed.
The following table provides more information about the restart options.
Option | Description |
---|---|
Restart if required | If you want the workload to be restarted after the software is installed or uninstalled only if the software requires it, select this checkbox. |
Always restart | If you want the workload to always be restarted after the software is installed or uninstalled, select this checkbox. |
Do not restart | If you do not want the workload to be restarted after the software is installed or uninstalled, select this checkbox. |
Schedule automatic restart | This option is available if you selected Restart if required or Always restart. The option enables automatic restart of the workload. |
If a user is logged on to the device, the device will be automatically restarted after: | This option is available if you selected Schedule automatic restart. Select the period after which the workload will be restarted automatically. The user who is logged in to the workload will be notified about a pending automatic restart and the time when it will happen. Thus, users can save their work and prepare for the restart. |
Additional notifications | This option is available if you selected Schedule automatic restart. Select this option if you want the user who is logged in to the workload to be reminded repeatedly about a pending restart before the selected period passes. The timing of notifications depends on the selected period and transitions into a countdown as the restart time nears. This ensures that users stay informed and prepared for the restart. Notifications are triggered by a successful software update or deployment and are sent at the following times. The timing of the first notification coincides with the selected period. |
If no user is logged on to the device, restart it immediately | This option is available if you selected Schedule automatic restart. If you select this option and no user is logged in to the workload, the workload will be restarted immediately, without waiting for the selected period before automatic restart to pass. |
Pre-update backup
Run backup before installing software updates: the system creates an incremental backup of the machine before installing any updates on it. If no backups were created earlier, a full backup of the machine is created. This lets you return to the previous state if the installation of updates is unsuccessful. For the Pre-update backup option to work, the corresponding machines must have both the Patch management and the Backup modules enabled in a protection plan, and the items to back up must be either the entire machine or the boot+system volumes. If you select inappropriate items to back up, the system will not allow you to enable the Pre-update backup option.