Patch management settings in the protection plan
In the Patch management module of the protection plan, you can configure the following patch management settings:
- What updates to install for Microsoft and third-party products for Windows OS.
- When to run the automatic patch installation.
- Whether to run a pre-update backup.
For more information about creating a protection plan and enabling the Patch management module, see Creating a protection plan.
Microsoft products
To install the Microsoft updates on the selected machines, enable the Update Microsoft products option.
Select the installation option:
| Option | Description |
|---|---|
| All updates | Use this option if you want to install all approved updates. |
| Only Security and Critical updates | Use this option if you want to install all approved security and critical updates. |
| Updates of specific products (Automatic patch approval and testing) |
Use this option if you want to define custom settings for different products. If you want to update specific products, for each product you can define which updates to install by category, severity, or approval status. If you want to configure automatic test approval and testing of the patches, select this option. |
For Microsoft products, patch distribution uses the Windows API service. Patches and updates are not downloaded or stored internally or on distribution agents. Instead, they are downloaded from Microsoft CDN. Thus, even with the Updater role assigned, the agent cannot download and distribute patches.
Windows third-party products
To install the third-party updates for Windows OS on the selected machines, enable the Windows third-party products option.
Select the installation options:
| Option | Description |
|---|---|
| All updates | Use this option if you want to install all approved updates. * |
| Only major updates | Use this option if you want to install all approved major updates. |
| Only minor updates | Use this option if you want to install approved minor updates. |
| Updates of specific products (Automatic patch approval and testing) |
Use this option if you want to define custom settings for different products. If you want to update specific products then, for each product, you can define which updates to install by category, severity, or approval status. If you want to configure automatic test approval and testing of the patches, select this option. |
| Install the latest versions only for applications with detected vulnerabilities | Select this check box if you want to install the latest updates only for applications that have detected vulnerabilities. * |
* This option requires Cyber Protect agent version 23.11.36772 or later.
For Windows third-party products, patches are distributed directly to the managed workloads from an internal Acronis database. In case the Updater role is assigned to an agent, this agent will be used to download and distribute patches.
Schedule
Define the schedule and conditions according to which the updates will be installed on the selected machines.
| Field | Description |
|---|---|
| Schedule the task run using the following events |
This setting defines when the task will be run. The following values are available:
|
| Schedule type |
The field appears if, in Schedule the task run using the following events, you have selected Schedule by time. The following values are available:
|
| Start at |
The field appears if, in Schedule the task run using the following events, you have selected Schedule by time Select the exact time when the task will run. |
| Configure maintenance window for patches |
The field appears if, in Schedule the task run using the following events, you have selected Schedule by time. Select this setting if you want the patch installation to run only during the time interval that you will specify. If the patch installation process has not completed by the end time defined by the maintenance window for patches, it will be stopped automatically. |
| Run within a date range |
The field appears if, in Schedule the task run using the following events, you have selected Schedule by time. Set a range in which the configured schedule will be effective. |
| Specify a user account whose login to the operating system will initiate a task |
The field appears if, in Schedule the task run using the following events, you have selected When user logs in to the system. The following values are available:
|
| Specify a user account whose logout from the operating system will initiate a task |
The field appears if, in Schedule the task run using the following events, you have selected When user logs off the system. The following values are available:
|
| Start conditions |
Defines all conditions that must be met simultaneously for the task to run. Start conditions for antimalware scans are similar to the start conditions for the Backup module that are described in "Start conditions". You can define the following additional start conditions:
Start conditions are not supported for Linux.
|
| Reboot after update |
Define whether to reboot the machine automatically after the installation of the updates completes. The following values are available:
|
| Do not reboot until backup is finished | If you select this option, if a backup process is running, the reboot of the machine will be delayed until the backup is completed. |
Pre-update backup
Run backup before installing software updates – the system will create an incremental backup of machine before installing any updates on it. If there were no backups created earlier, then a full backup of machine will be created. It allows you to prevent such cases when the installation of updates was unsuccessful and you need to get back to the previous state. For the Pre-update backup option to work, the corresponding machines must have both the patch management and the backup module enabled in a protection plan and the items to back up – entire machine or boot+system volumes. If you select inappropriate items to back up, then the system will not allow you to enable the Pre-update backup option.