Patch Settings

The Patch Settings component enables you to configure settings for the cloud-native patch process. This component contains the following:

  • Configurations tab: Enables you to view existing patch configurations and to add new configurations for use with patch deployments. You can use the default configuration to quickly get started, and you can specify your own custom configurations. Creating several configurations gives you the flexibility to assign different patch configurations to different agent policies.
  • Patch Groups tab: Enables you to add new patch groups and to manage existing patch groups. A patch group contains a particular set of patches that is used in deployment operations.

Configurations

A configuration defines many characteristics of a patch deployment. You can specify what patches are deployed, whether a reboot will be requested of the target device, when the deployment occurs, and more. You may choose to use the default configuration behavior, which will deploy all critical security patches for Windows, or you can create your own unique configurations.

Configuration Summary

The table on the Configurations tab contains a list of all available patch configurations. By default, the table contains the following columns and is sorted by the Deployed Date column.

  • Configurations: Shows the name of the configuration. You can click the name to view the configuration details.
  • Current version: Shows the current version of the configuration. This value can be used to understand the number of times the configuration has been edited and saved.
  • Deployed: Shows the date and time that the configuration was last deployed.
  • Last saved date: Shows the date and time that the configuration was last saved.
  • Last saved by: Shows the name of the person who last saved the configuration.
  • Availability: Shows the current status of the configuration. Possible values are:
    • New: The configuration exists, but is not yet associated with any agent policies.
    • Pending: A request for this configuration to be associated with one or more policies has been made, but the process is not yet complete.
    • Active: The configuration is associated with one or more policies.
    • Previously active: This configuration version is no longer associated with a policy. It may have been superseded by another version or replaced by a different configuration.
    • Draft: The configuration contains changes that have not yet been made available to the endpoints assigned to the associated policies.
    • Failed: The configuration contains changes that failed to be made available to the endpoints assigned to the associated policies.
    • Archive pending: A request for this configuration to be archived has been made, but the process is not yet complete.
    • Archived: The configuration has been archived and cannot be used unless it is restored.
  • Associated: Shows if a policy is associated with the configuration.

Actions You Can Perform on Existing Configurations

  • Open configuration: Enables you to view the settings of the selected configuration. If you want to edit the settings after opening the configuration, click Edit configuration.
  • Clone configuration: Enables you to create a copy of the current version of the selected configuration. The default name of the new configuration is "Clone of {selected configuration name}." If the original configuration was associated with one or more agent policies, those associations will be removed from the cloned configuration.
  • Archive configuration / Restore configuration: Enable you to archive or restore configurations. You cannot archive configurations that have a policy associated with them.
  • Delete configuration: Enables you to delete configurations that have been archived. You cannot retrieve deleted configurations.

Default Patch Configuration

You can quickly utilize the patch management capabilities in Ivanti Neurons by using the default patch configuration, aptly named Default. This configuration will remediate all critical security patches in your Windows environment. You can use the default configuration as is or use it as a template that you edit and save as a custom configuration. The default configuration includes, for Windows only:

  • Deploy all critical security patches
  • A post-deployment reboot is requested when required
  • Scheduling:
    • Run on reboot if schedule missed
    • Deploy weekly, every Sunday at 12:01am Local Time

For information about creating a new patch configuration, see Creating a Custom Patch Configuration.

Patch Groups

A patch group is a collection of one or more patches. Patch groups are used to deploy a particular set of patches.

Example: Suppose your organization has a patch approval process under which you have certified four patches as being mandatory for your organization. By creating a patch group that contains only those four patches, you can be certain that those specified patches will be deployed.

Patch Group Summary

The table contains a list of all current patch groups. By default, the table contains the following columns and is sorted by the Last modified column.

  • Name: The name of the patch group.
  • Patch count: The number of patches contained in the patch group.
  • Recent Changes: The number of recent changes to the patch group. Changes include: patches added, patches removed, patch group name changes, and patch group archive status. Click on a number to display the Patch Group audit page to view further details.
  • Last modified: The date and time the patch group was last edited and saved.
  • Last edited by: The name of the person who last edited and saved the patch group.
  • Status: The current status of the patch group.
    • Active: The group is available for selection in the Deploy by Patch Group filter. The group may or may not be currently included in a patch configuration.
    • Archived: The group is not available for selection in the Deploy by Patch Group filter. The group is either not included in a patch configuration or is in the process of being removed from a patch configuration; see the description of the Archive Patch Group action.

Adding a New Patch Group

To create a new patch group, click Add a Patch Group and then provide a descriptive name for the group. The name must be unique and is case-insensitive.

The patch group will initially be empty. To add patches to a group, see the description of the Open Patch Group action in the next section.

Actions You Can Perform on an Existing Patch Group

  • Rename Patch Group: Enables you to specify a new name for an existing group.
  • Open Patch Group: Enables you to add and manage patches in the selected group. These actions are performed within Patch Intelligence.
  • Archive Patch Group: Enables you to set the status of the selected groups to Archived. Archived patch groups are not available for selection in the Deploy by Patch Group option within a patch configuration. If the group is currently associated with a patch configuration, a new version of the patch configuration is created without the patch group. You have two options:
    • Archive only: Sets the status of the patch group to Archived. If the group is associated with a patch configuration, the new version of the patch configuration is not made active to endpoints.
    • Archive and make patch configuration active: Sets the status of the patch group to Archived. If the group is associated with a patch configuration, the new version of the patch configuration is made active to endpoints the next time the agents check in with Ivanti Neurons.
  • Restore Patch Group: Enables you to change the status of the selected groups from Archived to Active.

Using a Patch Group

To use a patch group in a deployment, go to Patch Management > Patch Settings > Configurations, edit a new or existing configuration and then choose the desired patch group(s) on the Deploy by Patch Group option.
