Patch Settings

Overview

The Patch Settings component enables you to configure settings for the cloud-native patch process. This component contains the following:

  • Configurations tab: Enables you to view existing patch configurations and to add new configurations for use with patch deployments. You can use the default configuration to quickly get started, and you can specify your own custom configurations. Creating several configurations gives you the flexibility to assign different patch configurations to different agent policy groups.
  • Patch Groups tab: Enables you to add new patch groups and to manage existing patch groups. A patch group contains a particular set of patches that is used in deployment operations.

Configurations

A configuration defines many characteristics of a patch deployment. You can specify what patches are deployed, whether the target machine will be rebooted, when the deployment occurs, and more. You may choose to use the default configuration behavior, which will deploy all critical security patches, or you can create your own unique configurations.

Configuration Summary

The table contains a list of all available patch configurations. By default, the table contains the following columns and is sorted by the Deployed Date column.

  • Configurations: Shows the name of the configuration. You can click the name to view the configuration details.
  • Current version: Shows the current version of the configuration. This value can be used to understand the number of times the configuration has been edited and saved.
  • Deployed: Shows the date and time that the configuration was last deployed.
  • Last saved date: Shows the date and time that the configuration was last saved.
  • Last saved by: Shows the name of the person who last saved the configuration.
  • Availability: Shows the current status of the configuration. Possible values are:
    • New: The configuration exists, but is not yet associated with any agent policy groups.
    • Pending: A request for this configuration to be associated with one or more policy groups has been made, but the process is not yet complete.
    • Active: The configuration is associated with one or more policy groups.
    • Previously active: This configuration version is no longer associated with a policy group. It may have been superseded by another version or replaced by a different configuration.
    • Draft: The configuration contains changes that have not yet been made available to the endpoints assigned to the associated policy groups.
    • Failed: The configuration contains changes that failed to be made available to the endpoints assigned to the associated policy groups.

Actions You Can Perform on Existing Configurations

  • Open configuration: Enables you to view the settings of the selected configuration. If you want to edit the settings after opening the configuration, click Edit configuration.
  • Clone configuration: Enables you to create a copy of the current version of the selected configuration. The default name of the new configuration will be "Clone of {selected configuration name}." If the original configuration was associated with one or more agent policy groups, those associations will be removed from the cloned configuration.

Default Patch Configuration

You can quickly utilize the patch management capabilities in Ivanti Neurons by using the default patch configuration, aptly named Default. This configuration will remediate all critical security patches in your environment. You can use the default configuration as is or use it as a template that you edit and save as a custom configuration. The default configuration includes:

  • Deploy all critical security patches
  • Reboot Behavior
    • Post-deployment reboot when required, immediately after installation
    • If the user is logged on, force the reboot action after 24 hours / 1 day
    • Show the user a 1-hour countdown time-out
      • Allow the user to extend the time-out up to a scheduled action time of 10 minutes
  • Scheduling
    • Run on reboot if schedule missed
    • Deployment Schedule:
      • Weekly, every Sunday at 12:01am Local Time

Creating a Custom Patch Configuration

To create your own custom patch configuration, click Create configuration.

  • Configuration name: The name you want to assign to this configuration.
  • Comment: Provide a comment that describes the purpose of this configuration.

Patch Groups

A patch group is a collection of one or more patches. Patch groups are used to deploy a particular set of patches.

Example: Suppose your organization has a patch approval process under which you have certified four patches as being mandatory for your organization. By creating a patch group that contains only those four patches, you can be certain that those specified patches will be deployed.

Patch Group Summary

The table contains a list of all current patch groups. By default, the table contains the following columns and is sorted by the Last modified column.

  • Name: The name of the patch group.
  • Patch count: The number of patches contained in the patch group.
  • Last modified: The date and time the patch group was last edited and saved.
  • Last edited by: The name of the person who last edited and saved the patch group.
  • Status: The current status of the patch group.
    • Active: The group is available for selection in the Deploy by Patch Group filter. The group may or may not be currently included in a patch configuration.
    • Archived: The group is not available for selection in the Deploy by Patch Group filter. The group is either not included in a patch configuration or is in the process of being removed from a patch configuration; see the description of the Archive Patch Group action.

Adding a New Patch Group

To create a new patch group, click Add a Patch Group and then provide a descriptive name for the group. The name must be unique and is case insensitive.

The patch group will initially be empty. To add patches to a group, see the description of the Open Patch Group action in the next section.

Actions You Can Perform on an Existing Patch Group

  • Rename Patch Group: Enables you to specify a new name for an existing group.
  • Open Patch Group: Enables you to add and manage patches in the selected group. These actions are performed within Patch Intelligence.
  • Archive Patch Group: Enables you to set the status of the selected groups to Archived. Archived patch groups are not available for selection on the Deploy By Patch Group option within a patch configuration. If the group is currently associated with a patch configuration, a new version of the patch configuration is created without the patch group. You have two options:
    • Archive only: Sets the status of the patch group to Archived. If the group is associated with a patch configuration, the new version of the patch configuration is not made active to endpoints.
    • Archive and make patch configuration active: Sets the status of the patch group to Archived. If the group is associated with a patch configuration, the new version of the patch configuration is made active to endpoints the next time the agents check in with Ivanti Neurons.
  • Restore Patch Group: Enables you to change the status of the selected groups from Archived to Active.

Using a Patch Group

To use a patch group in a deployment, go to Patch Management > Patch Settings > Configurations, edit a new or existing configuration and then choose the desired patch group(s) on the Deploy by Patch Group option.
