Patch Settings
Overview
The Patch Settings component enables you to configure settings for the cloud-native patch process. This component contains the following:
- Configurations tab: Enables you to view existing patch configurations and to add new configurations for use with patch deployments. You can use the default configuration to quickly get started, and you can specify your own custom configurations. Creating several configurations gives you the flexibility to assign different patch configurations to different agent policy groups.
- Patch Groups tab: Enables you to add new patch groups and to manage existing patch groups. A patch group contains a particular set of patches that is used in deployment operations.
Configurations
A configuration defines many characteristics of a patch deployment. You can specify what patches are deployed, whether a reboot will be performed of the target machine, when the deployment occurs, and more. You may choose to use the default configuration behavior, which will deploy all critical security patches, or you can create your own unique configurations.
Configuration Summary
The table contains a list of all available patch configurations. By default, the table contains the following columns and is sorted by the Deployed Date column.
- Configurations: Shows the name of the configuration. You can click the name to view the configuration details.
- Current version: Shows the current version of the configuration. This value can be used to understand the number of times the configuration has been edited and saved.
- Deployed: Shows the date and time that the configuration was last deployed.
- Last saved date: Shows the date and time that the configuration was last saved.
- Last saved by: Shows the name of the person who last saved the configuration.
- Availability: Shows the current status of the configuration. Possible values are:
  - New: The configuration exists, but is not yet associated with any agent policy groups.
  - Pending: A request for this configuration to be associated with one or more policy groups has been made, but the process is not yet complete.
  - Active: The configuration is associated with one or more policy groups.
  - Previously active: This configuration version is no longer associated with a policy group. It may have been superseded by another version or replaced by a different configuration.
  - Draft: The configuration contains changes that have not yet been made available to the endpoints assigned to the associated policy groups.
  - Failed: The configuration contains changes that failed to be made available to the endpoints assigned to the associated policy groups.
Actions You Can Perform on Existing Configurations
- Open configuration: Enables you to view the settings of the selected configuration. If you want to edit the settings after opening the configuration, click Edit configuration.
- Clone configuration: Enables you to create a copy of the current version of the selected configuration. The default name of the new configuration will be "Clone of {selected configuration name}." If the original configuration was associated with one or more agent policy groups, those associations will be removed from the cloned configuration.
Default Patch Configuration
You can quickly utilize the patch management capabilities in Ivanti Neurons by using the default patch configuration, aptly named Default. This configuration will remediate all critical security patches in your environment. You can use the default configuration as is or use it as a template that you edit and save as a custom configuration. The default configuration includes:
- Deploy all critical security patches
- Reboot Behavior
  - Post-deployment reboot when required, immediately after installation
  - If the user is logged on, force the reboot action after 24 hours / 1 day
  - Show the user a 1-hour countdown time-out
  - Allow the user to extend the time-out up to a scheduled action time of 10 minutes
- Scheduling
  - Run on reboot if schedule missed
  - Deployment Schedule: Weekly, every Sunday at 12:01am Local Time
Creating a Custom Patch Configuration
To create your own custom patch configuration, click Create configuration.
- Configuration name: The name you want to assign to this configuration.
- Comment: Provide a comment that describes the purpose of this configuration.

This tab enables you to configure a number of different options related to the deployment of patches.
Tip: A summary of your custom patch configuration options is available by clicking Show summary. This summary is updated in real time as you add, delete or modify your patch configuration options.
Deployment behavior
This area enables you to configure what patches will be deployed.
There are three configurable options: Deploy by severity, Deploy by Patch Group and Selected Vendors/Products. If you don't modify any of the options, then by default only critical security patches will be deployed. If you enable and configure both the Deploy by severity and the Deploy by Patch Group options, the effect is additive, with all of the patches for each configured option being deployed. If you enable and configure Selected Vendors/Products, that option will filter out patches from the other two options.
Example 1: If you want to deploy only those patches that are contained within a patch group:
- Disable the Deploy by severity and Selected Vendors/Products options
- Enable the Deploy by Patch Group option and select the desired patch group
Example 2: Say you configure the following:
- Deploy by severity: Security Critical and Security Important are selected
- Deploy by Patch Group: You select one patch group that contains one Security Critical patch, one Security Important patch and two Security Moderate patches
- Selected Vendors/Products: This option is disabled
In this case, Security Critical and Security Important patches will be deployed for all vendors and products. In addition, all four patches contained in the patch group will be deployed, including the two Security Moderate patches.
Example 3: Same as Example 2, but you also use the Selected Vendors/Products option to specify that only Adobe patches should be deployed. In this case, the only patches that will be deployed will be Adobe Security Critical patches, Adobe Security Important patches and any Adobe patches contained in the patch group.
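The three examples follow one rule: the Deploy by severity and Deploy by Patch Group selections are combined (additive), and Selected Vendors/Products, if enabled, then filters that combined set. The following Python model is an added example, not Ivanti code: the Patch fields, the patch IDs and the vendor-level filter granularity are constructed assumptions, and it reproduces Examples 1 to 3 plus the untouched default.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Patch:
    """Constructed patch record (these fields are an assumption, not Ivanti's schema)."""
    patch_id: str
    vendor: str
    product: str
    kind: str       # "Security" or "Non-Security"
    severity: str   # "Critical", "Important", "Moderate", "Low", "Uncategorized"


@dataclass
class DeploymentBehavior:
    """The three Deployment behavior options; None means the option is disabled."""
    severities: Optional[Set[Tuple[str, str]]] = None  # Deploy by severity: (kind, severity)
    patch_groups: Optional[Set[str]] = None             # Deploy by Patch Group: group names
    vendors: Optional[Set[str]] = None                  # Selected Vendors/Products (vendor level)


# "If you don't modify any of the options, then by default only critical security patches will be deployed."
DEFAULT_SEVERITIES: Set[Tuple[str, str]] = {("Security", "Critical")}


def select_patches(catalog: Dict[str, Patch],
                   groups: Dict[str, Set[str]],
                   cfg: DeploymentBehavior) -> Set[str]:
    """Return the IDs of the patches this Deployment behavior would deploy."""
    severities = cfg.severities
    if cfg.severities is None and cfg.patch_groups is None:
        severities = DEFAULT_SEVERITIES          # neither option configured: use the default
    selected: Set[str] = set()
    if severities is not None:                   # Deploy by severity ...
        selected |= {pid for pid, p in catalog.items() if (p.kind, p.severity) in severities}
    if cfg.patch_groups is not None:             # ... plus Deploy by Patch Group (additive)
        for name in cfg.patch_groups:
            selected |= groups.get(name, set()) & set(catalog)
    if cfg.vendors is not None:                  # Selected Vendors/Products filters the union
        selected = {pid for pid in selected if catalog[pid].vendor in cfg.vendors}
    return selected


# Constructed catalog: IDs and vendor/product names are made up for the example.
CATALOG: Dict[str, Patch] = {p.patch_id: p for p in [
    Patch("P1", "Microsoft", "Windows", "Security", "Critical"),
    Patch("P2", "Microsoft", "Office", "Security", "Important"),
    Patch("P3", "Adobe", "Reader", "Security", "Critical"),
    Patch("P4", "Adobe", "Reader", "Security", "Moderate"),
    Patch("P5", "Adobe", "Acrobat", "Security", "Moderate"),
    Patch("P6", "Mozilla", "Firefox", "Security", "Low"),
    Patch("P7", "Microsoft", "Windows", "Security", "Important"),
]}
# The patch group of Example 2: one Critical, one Important and two Moderate patches.
GROUPS: Dict[str, Set[str]] = {"Approved": {"P3", "P7", "P4", "P5"}}


def run_examples() -> Dict[str, Set[str]]:
    """Evaluate the page's three examples plus the untouched default configuration."""
    sev = {("Security", "Critical"), ("Security", "Important")}
    return {
        "default":   select_patches(CATALOG, GROUPS, DeploymentBehavior()),
        "example_1": select_patches(CATALOG, GROUPS, DeploymentBehavior(patch_groups={"Approved"})),
        "example_2": select_patches(CATALOG, GROUPS, DeploymentBehavior(sev, {"Approved"})),
        "example_3": select_patches(CATALOG, GROUPS, DeploymentBehavior(sev, {"Approved"}, {"Adobe"})),
    }


if __name__ == "__main__":
    for name, ids in run_examples().items():
        print(f"{name}: {sorted(ids)}")
```

Example 3 drops the Microsoft patches that Example 2 selected, including the Microsoft patch that came from the group, which is the filtering effect the text describes.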
Deployment behavior options
- Deploy by severity: If enabled, allows you to specify the types of patches and the severity levels that should be included in the deployment. By default, only Critical security patches are selected.
  - Security patches: Security bulletin-related patches. You can choose to deploy one or more specific severity levels.
    - Critical: Vulnerabilities that can be exploited by an unauthenticated remote attacker, or vulnerabilities that break guest/host operating system isolation. Exploitation results in the compromise of the confidentiality, integrity, or availability of user data or processing resources without user interaction. Exploitation could be leveraged to propagate an Internet worm or to execute arbitrary code between virtual machines and the host.
    - Important: Vulnerabilities whose exploitation results in the compromise of confidentiality, integrity, or availability of user data and processing resources. Such flaws could allow local users to gain privileges, allow authenticated remote users to execute arbitrary code, or allow local or remote users to easily cause a denial of service.
    - Moderate: Flaws where the ability to exploit is mitigated to a significant degree by configuration or difficulty of exploitation, but in certain deployment scenarios could still lead to some compromise of the confidentiality, integrity, or availability of user data and processing resources. These are the types of vulnerabilities that could have had a critical or important impact but are less easily exploited based on a technical evaluation of the flaw, or affect unlikely configurations.
    - Low: All other issues that have a security impact. Vulnerabilities where exploitation is believed to be extremely difficult, or where successful exploitation would have minimal impact.
    - Uncategorized: Security patches that have not been assigned a severity level.
  - Non-Security patches: Vendor patches that fix known software problems that are not security issues. You can choose to deploy for one or more specific vendor severity levels. See Security patches for a description of the available severity levels.
- Deploy by Patch Group: If enabled, allows you to specify one or more patch groups that contain the patches that you want to deploy. This is a good way to make sure that only approved patches are deployed. Missing patches not contained in the specified patch groups will not be deployed unless they are selected by the Deploy by severity filter. Details about the available patch groups can be viewed using the Patch Groups tab within the Patch Settings page. Patch groups are managed from within Patch Intelligence.
  You may want to quickly remind yourself which patches are contained in a group before you select it. To do that, click the numeric link in the Patches column. The patches contained in the group are displayed at the bottom of the page. Use the Status column to determine the status of each individual patch. The status shown is an approximation based on how this patch group is used with the current patch configuration. A number of factors can affect the patch status. For example, if you use Selected Vendors/Products in conjunction with a patch group, that option may filter out one or more patches from the group.
  - Active: This patch group has been used by this configuration to make the patch available to the end-user devices. The devices are part of the policy groups that are associated with this patch configuration.
  - Not active: There are two possible reasons for this patch status. (1) This patch group has not been used to make the patch available to any devices. (2) The patch configuration to which this patch group is assigned has not been made active to devices.
  There is a scenario where a patch listed as Not active may actually be active: if the patch resides in more than one patch group, one of those other patch groups may have been used to make the patch active to devices.
- Selected Vendors/Products: If disabled, patches for all available vendors and products will be included in the deployment defined by the Deploy by severity and Deploy by Patch Group options. As new products and patches become available, they will be added to the deployment.
  If enabled, allows you to specify the vendors, product families and product versions that can be deployed to endpoints. Vendors and products that are not selected are excluded from the deployment. The items are presented in a hierarchical list; if you select a check box at one level, all check boxes at lower levels are also selected.
  - Select All: Selecting this check box selects all currently available patches for all vendors and products in the list. New vendor and product patches that become available at a later date will not be added to the deployment.
  - Selecting individual vendors and products: Only patches for the selected vendors, product families and/or product versions will be deployed. Unselected vendors and products are filtered out of the deployment.
  TIP: If you want to exclude a small number of items, you can select Select All and then clear the check boxes of the items you want to exclude.
Reboot Behavior
This area enables you to configure if and when your target machines will be rebooted during the deployment process.
- Pre-deployment reboot: Specifies if a reboot of the target machines should be performed before patches are deployed. There are two options:
  - Never: Specifies that it is unnecessary to reboot each machine before patches are deployed.
  - Always: Specifies that each machine should be rebooted before the patches are deployed. It is considered a best practice to reboot machines before installing significant new software, especially for large software changes such as operating system product levels.
  If you elect to reboot the machines, you can then specify the amount of warning that a logged-on user will receive and you can choose the degree of control the user will have over the reboot process. You can:
  - Elect to force a reboot after a number of minutes have passed
  - Alert the user that a reboot will occur when they log off
  - Select the duration to display a countdown message when the shutdown sequence is initiated. To preview the dialog box that the user will see, click Example countdown.
  - Allow the user to extend the time-out countdown up to a specified maximum.
  - Allow the user to cancel the time-out. If a time-out is canceled, the patches will not be deployed until the user logs off or manually reboots the machine.
  - Allow the user to cancel the reboot. The patches will not be installed until the machine is restarted.
- Post-deployment reboot: Specifies if a reboot of the target machines should be performed after patches are deployed. There are three options:
  - Never: Specifies that it is unnecessary to reboot each machine after patches are deployed.
  - Always: Specifies that each machine should be rebooted after the patches are deployed. This is the safest option when deploying patches, as most patches require a reboot in order to complete, but there may be times when machines are rebooted unnecessarily.
  - When required: Specifies that the Ivanti Neurons agent will determine whether or not a reboot of each machine is required.
  If you elect to reboot the machines, you can then specify the amount of warning that a logged-on user will receive and you can choose the degree of control the user will have over the reboot process. You can:
  - Schedule the reboot to occur either immediately after installation of the patches or after a number of days at a specified time. If a target machine is rebooted before a scheduled reboot occurs, the scheduled reboot is no longer necessary and will be canceled.
  - Elect to force a reboot after a number of minutes, hours or days have passed
  - Alert the user that a reboot will occur when they log off
  - Select the duration to display a countdown message when the shutdown sequence is initiated.
  - Allow the user to extend the time-out countdown up to a specified maximum.
  - Allow the user to cancel the time-out. If a time-out is canceled, the patches will not be deployed until the user logs off or manually reboots the machine.
  - Allow the user to cancel the reboot. The patches will not be installed until the machine is rebooted.
Scheduling
This area enables you to configure deployments that are performed on a recurring schedule.
- Set recurrence: Allows you to regularly schedule deployment operations at a specific time using a specified recurrence pattern. For example, a deployment can be run every night at midnight, every Saturday at 9 PM, every weekday at 11 PM, or at any other user-selected time and interval.
- Run on reboot if schedule missed: If the scheduled deployment is missed, it will be performed the next time the machine is rebooted.
- Deploy patches: You can schedule the patch deployment using the following options:
  - Daily: The deployments will run every day of the week at the time of your choosing.
  - Weekly: The deployments will run on the specified day of the week at the time of your choosing.
  - Monthly: The deployments will run on the specified date each month at the time of your choosing. You can also use this option to schedule a deployment in conjunction with Microsoft's Patch Tuesday. For example, you might schedule a monthly patch deployment to occur the day after Patch Tuesday by enabling the Also deploy after Patch Tuesday check box and then specifying 1 as the number of days after Patch Tuesday to delay the deployment.
  - Patch Tuesday: Schedule the deployments to run on the same day as Microsoft's regular monthly patching event, known as Patch Tuesday.
- Stage content before deployment: Specifies if you want to create the deployment package and copy it to the target machines prior to the actual deployment. You can stage the content anywhere from 1 - 23 hours before the deployment is performed. A patch scan is automatically performed by the agent at the start of the staging process in order to reassess the machine's patch status before the deployment.
  There is an exception for patch deployments that will occur on the first day of the month. To avoid issues with leap years and other similar quirks in the calendar, the interface will prevent you from staging content on the day prior to the first day of the month. For example, if you schedule a deployment for 8:00 am on the first day of the month, you will only be allowed to stage content 1 - 8 hours before the deployment.
- Upcoming tasks: This table shows a list of upcoming tasks. It enables you to view all of the events that are projected to occur over the next 60 days using the currently selected configuration. Note that the information provided in this table is a projection; many things could occur to prevent one or more of the events from occurring.
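The Monthly option with Also deploy after Patch Tuesday, together with the first-of-month staging exception, can be checked with a small date calculation. The following Python helpers are an added example, not Ivanti code: Patch Tuesday is taken to be the second Tuesday of the month (Microsoft's schedule), the staging rule is the one stated above (1 - 23 hours before deployment, never on the day before the 1st), and the plan_monthly function and its parameters are assumed names.

```python
from datetime import date, datetime, timedelta
from typing import Dict, Optional


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, i.e. Microsoft's Patch Tuesday."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7   # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=days_to_tuesday + 7)


def max_staging_hours(deploy_at: datetime) -> int:
    """Largest permitted 'Stage content before deployment' offset, in hours.

    Normally 23. When the deployment falls on the 1st of a month, staging on the
    previous day is not allowed, so the offset cannot reach back past midnight
    (an 8:00 am deployment allows 1-8 hours). A result of 0 means no staging slot.
    """
    if deploy_at.day == 1:
        return min(23, deploy_at.hour)
    return 23


def plan_monthly(year: int, month: int, days_after_patch_tuesday: int,
                 hour: int, minute: int, stage_hours_before: int) -> Dict[str, object]:
    """Work out deployment and staging times for a Monthly schedule that uses
    'Also deploy after Patch Tuesday' with the given delay in days (assumed helper)."""
    if days_after_patch_tuesday < 0:
        raise ValueError("days after Patch Tuesday must not be negative")
    pt = patch_tuesday(year, month)
    deploy_day = pt + timedelta(days=days_after_patch_tuesday)
    deploy_at = datetime(deploy_day.year, deploy_day.month, deploy_day.day, hour, minute)
    limit = max_staging_hours(deploy_at)
    stage_at: Optional[datetime] = None
    if 1 <= stage_hours_before <= limit:        # requested offset is within the allowed window
        stage_at = deploy_at - timedelta(hours=stage_hours_before)
    return {
        "patch_tuesday": pt.isoformat(),
        "deploy": deploy_at.isoformat(timespec="minutes"),
        "max_staging_hours": limit,
        "stage": stage_at.isoformat(timespec="minutes") if stage_at else None,
    }


if __name__ == "__main__":
    # Day after Patch Tuesday at 10 PM, staging 4 hours ahead.
    print(plan_monthly(2024, 3, 1, 22, 0, 4))
    # A delay that lands on the 1st of the next month: only 1-8 hours are possible.
    print(plan_monthly(2024, 3, 20, 8, 0, 9))
```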

This tab enables you to associate the patch configuration with one or more agent policy groups. The association of the patch configuration to a policy group defines the endpoints to which the configuration will be deployed. All devices using a specific policy will be governed by the patch configuration you associate with that policy.
Important! The agent policy group must have the Patch Management capability enabled in order to utilize the patch configuration.
You can associate a patch configuration with multiple agent policy groups.
Examples
- You might create a patch configuration for all vendors and products used by the IT Support teams within your organization. You can then associate this configuration with the agent policy groups that cover your regional teams, such as AMER IT Support, EMEA IT Support, and APAC IT Support.
- You might create a patch configuration for patches that are released on a Patch Tuesday. You can then associate this configuration with a pilot agent policy group that you want to use to test the patch deployments. If the deployments are successful, you can associate the configuration with your primary agent policy group for wider distribution.
- You might create one patch configuration for your laptop and workstation devices and a separate patch configuration for your server devices. You then associate the proper patch configuration with the agent policy group that is governing each device type.
To associate the current patch configuration with one or more agent policy groups:
- Click Select policy groups.
- Choose the desired agent policy groups.
To help you choose, the following information is provided about the available policy group(s):
  - Policy group: The name of the agent policy group.
  - Endpoints: Shows the number of endpoints currently using the agent policy group.
  - Current patch configuration: Shows the name of the patch configuration currently associated with the agent policy group.
- Click Confirm.
The list of all agent policy groups currently associated with the patch configuration is displayed on the Associations page.

This tab enables you to track changes that have been made to the patch configuration. The table displays all versions of the configuration. By default, the table contains the following columns and is sorted by the Version column.
- Version: The numerical value of the version. The first save of the configuration will be version 1. Each time the configuration is edited and saved the version value will be incremented by one. Clicking the version value will open the configuration details for that particular version.
- Configuration name: The name of the patch configuration.
- Save date: The date and time the configuration edit was saved.
- Last saved by: The name of the team member who last edited this version of the configuration. If you modify a patch group that is associated with a patch configuration, that qualifies as a revision to the configuration.
- Availability: Shows the current status of the configuration. Possible values are New, Pending, Active, Previously active, Draft, and Failed.
- Description: The comment that was provided at the time the configuration edit was saved.
Actions
- Revert to selected version: Enables you to revert the patch configuration to an earlier version. Be sure to update the configuration description and to click Save after performing your action. Patch groups are not included in the revert action. Whatever patch groups are included in the current patch configuration will be included in the reverted patch configuration.
Export
Enables you to export the contents of the table to a CSV file. You can choose to export all items in the table or just selected items.
The CSV file is created using ISO standards and is stored in your local Downloads folder. If you use Excel to view the file, the data can be converted to the locale of the machine so that it can be viewed in a more human-readable format.
Any sorting or filtering applied to the configurations will be retained in the exported output. All columns will be included regardless of what has been selected in the Column Chooser.
Select the first column check box for the configurations you want to export. Alternatively, select the check box in the header cell to select all configurations.
Click Export to create the CSV file.

The following buttons are available while using any of the three patch configuration tabs.
- Save and make active: Save the patch configuration and make it active for the devices that are assigned to the associated policy group(s). Each device will receive the new configuration the next time the device's agent checks in with Ivanti Neurons.
- Save: Saves the patch configuration without closing the page, enabling you to keep working.
- Undo changes: Undoes any changes, returning the patch configuration to its previous saved state.
- Close: Closes the page without saving the latest changes to the patch configuration.
Patch Groups
A patch group is a collection of one or more patches. Patch groups are used to deploy a particular set of patches.
Example: Suppose your organization has a patch approval process under which you have certified four patches as being mandatory for your organization. By creating a patch group that contains only those four patches, you can be certain that those specified patches will be deployed.
Patch Group Summary
The table contains a list of all current patch groups. By default, the table contains the following columns and is sorted by the Last modified column.
- Name: The name of the patch group.
- Patch count: The number of patches contained in the patch group.
- Last modified: The date and time the patch group was last edited and saved.
- Last edited by: The name of the person who last edited and saved the patch group.
- Status: The current status of the patch group.
  - Active: The group is available for selection in the Deploy by Patch Group filter. The group may or may not be currently included in a patch configuration.
  - Archived: The group is not available for selection in the Deploy by Patch Group filter. The group is either not included in a patch configuration or is in the process of being removed from a patch configuration; see the description of the Archive Patch Group action.
Adding a New Patch Group
To create a new patch group, click Add a Patch Group and then provide a descriptive name for the group. The name must be unique and is case insensitive.
The patch group will initially be empty. To add patches to a group, see the description of the Open Patch Group action in the next section.
Actions You Can Perform on an Existing Patch Group
- Rename Patch Group: Enables you to specify a new name for an existing group.
- Open Patch Group: Enables you to add and manage patches in the selected group. These actions are performed within Patch Intelligence.
- Archive Patch Group: Enables you to set the status of the selected groups to Archived. Archived patch groups are not available for selection on the Deploy by Patch Group option within a patch configuration. If the group is currently associated with a patch configuration, a new version of the patch configuration is created without the patch group. You have two options:
  - Archive only: Sets the status of the patch group to Archived. If the group is associated with a patch configuration, the new version of the patch configuration is not made active to endpoints.
  - Archive and make patch configuration active: Sets the status of the patch group to Archived. If the group is associated with a patch configuration, the new version of the patch configuration is made active to endpoints the next time the agents check in with Ivanti Neurons.
- Restore Patch Group: Enables you to change the status of the selected groups from Archived to Active.
Using a Patch Group
To use a patch group in a deployment, go to Patch Management > Patch Settings > Configurations, edit a new or existing configuration and then choose the desired patch group(s) on the Deploy by Patch Group option.