Policies - Settings tab - Patch Settings

Pre/Post Procedure

Run procedures before and/or after Initial Update or Automatic Update. For example, you can run procedures to automate the preparation and setup of newly added machines before or after Initial Update.

  • Run procedure before Initial Update
  • Run procedure after Initial Update
  • Run procedure before Automatic Update
  • Run procedure after Automatic Update

Patch Policy Membership

Assign one or more patch policy names to this policy.

Reboot Action

  • Reboot immediately after update - Reboots the computer immediately after the install completes.
  • Reboot <day of week> at <time of day> after install - After the patch install completes, the computer is rebooted at the selected day of week and time of day. Use these settings to install patches during the day when users are logged in, then force a reboot in the middle of the night. Selecting every day reboots the machine at the next specified time of day following the patch installation.
  • Warn user that machine will reboot in <N> minutes (without asking permission) - When the patch install completes, the message below pops open warning the user and giving them a specified number of minutes to finish up what they are doing and save their work. If no one is currently logged in, the system reboots immediately.

  • Skip reboot if user logged in - If the user is logged in, the reboot is skipped after the patch install completes. Use this setting to avoid interrupting your users. This is the default setting.
  • If user logged in ask to reboot every <N> minutes until the reboot occurs - This setting displays the message below, asking the user if it is OK to reboot now. If no one is at the computer or they answer no, the same message appears every N minutes repeatedly, until the system has been rebooted. If no one is currently logged in, the system reboots immediately.

  • If user logged in ask permission. Reboot if no response in <N> minutes. Reboot if user not logged in - This setting displays the message below, asking the user if it is OK to reboot now. If no one is at the computer, it reboots automatically after N minutes without saving any open documents. If no one is currently logged in, the system reboots immediately.

  • If user logged in ask permission. Do nothing if no response in <N> minutes. Reboot if user not logged in - This setting displays the message below, asking the user if it is OK to reboot now. If no one is at the computer, the reboot is skipped. If no one is currently logged in, the system reboots immediately.

  • Do not reboot after update - Does not reboot. Typically used if the machine is a server and you need to control the reboot. You can be notified via email when a new patch has been installed by checking Email when reboot required and filling in an email address. You can also format the email message by clicking the Format Email button. This option only displays for master role users.

The following types of patch reboot emails can be formatted:

  • Patch Reboot

    Note: Changing the email alarm format changes the format for all Patch Reboot emails.

The following variables can be included in your formatted email alerts and in procedures.

  • <at> - alert time
  • <db-view.column> - Include a view.column from the database. For example, to include the computer name of the machine generating the alert in an email, use <db-vMachine.ComputerName>
  • <gr> - group ID
  • <id> - machine ID

  • Run select agent procedure before machine is rebooted - If checked, the selected agent procedure is run just before the machine is rebooted.
  • Run select agent procedure after machine is rebooted - If checked, the selected agent procedure is run just after the machine is rebooted.

File Source

  • Copy packages to working directory on local drive with most free space - Patches are downloaded, or copied from a file share, to the managed machine's hard disk. Several patches, especially service packs, may require significant additional local disk space to completely install. Check this box to download patches to the Working Directory, but use the drive on the managed machine with the most free disk space. Uncheck this box to always use the drive specified in Working Directory for the machine ID.
  • Delete package after install (from working directory) - The install package is typically deleted after the install to free up disk space. Uncheck this box to leave the package behind for debugging purposes. If the install fails and you need to verify the Command Line switches, do not delete the package so you have something to test with. The package is stored in the Working Directory on the drive specified in the previous option.
  • Download from Internet - Each managed machine downloads the patch executable file directly from the internet at the URL specified in Patch Location.
  • Pulled from system server - First the Kaseya Server checks to see if it already has a copy of the patch file. If not, the new patch executable is downloaded automatically and stored on the Kaseya Server, then used for all subsequent distributions to managed machines. When a patch needs to be installed on a managed machine, this patch file is pushed to that machine from the Kaseya Server. A Clear Cache button displays for this option only in Patch Management > File Source. Click Clear Cache to clear all downloaded patches stored on the Kaseya Server.

    Note: The location for patch files stored on the Kaseya Server is <Kaseya installation directory>\WebPages\ManagedFiles\VSAPatchFiles\

  • Pulled from file server using UNC path - This method is recommended if you support many machines on the same LAN.

Patch files are downloaded to the local directory of a selected machine ID. The local directory on the machine ID is configured to be shared with other machine IDs on the same LAN. All other machine IDs on the same LAN use a UNC path to the shared folder located on the first machine ID. All other machines on the same LAN require a credential to access the shared folder on the first machine and install the patch files. A credential is specified for the first machine with the shared directory using Agent > Set Credential.

Setup

  1. Enter a UNC path in the Pulled from file server using UNC path field. For example, \\computername\sharedname\dir\.
  2. Use the Machine Group Filter drop-down list to select a group ID.
  3. Select a machine ID from the File share located on drop-down list.
  4. Enter a shared local directory in the in local directory field.

    Note: The value in the in local directory field must be in full path format, such as c:\shareddir\dir.

    First the Kaseya Server checks to see if the patch file is already in the file share. If not, the machine ID with the file share automatically loads the patch file either directly from the internet or gets it from the Kaseya Server. In either case, the managed machine with the file share must have an agent on it.

  5. File Server automatically gets patch files from - Select one of the following options:
    • the Internet - Use this setting when the managed machine running the file share has full internet access.
    • the system server - Use this setting when the managed machine running the file share is blocked from getting internet access.
  6. Download from Internet if machine is unable to connect to the file server - Optionally check this box to download from the internet. This is especially useful for laptops that are disconnected from the company network but have internet access.

Patch Alert

Check any of these checkboxes to perform their corresponding actions when an alarm condition is encountered.

  • Create Alarm
  • Create Ticket
  • Run Script <agentprocedure> on <machineID>
  • Email Recipients - Enter multiple addresses separated by commas.

The system can trigger an alert for the following alarm conditions for a selected machine ID:

  • New patch is available
  • Patch install fails
  • Agent credential is invalid or missing

    Note: An agent credential is not required to install patches unless the machine’s File Source is configured as Pulled from file server using UNC path. If an agent credential is assigned, it will be validated as a local machine credential without regard to the File Source configuration. If this validation fails, the alert will be raised. If the machine’s File Source is configured as Pulled from file server using UNC path, a credential is required. If it is missing, the alert will be raised. If it is not missing, it will be validated as a local machine credential and as a network credential. If either of these validations fails, the alert will be raised.

  • Windows Auto Update changed
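
The path formats from the File Source Setup steps and the credential note above can be checked before a policy is rolled out. The following Python sketch is an added example, not Kaseya code: the `Credential` record, the function names and the sample values are hypothetical, and the two validation flags stand in for checks the VSA performs itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

C = r'[^\\/:*?"<>|]+'                      # one path component
UNC_RE = re.compile(rf'^\\\\{C}\\{C}(\\{C})*\\?$')        # \\computername\sharedname\dir\
FULL_RE = re.compile(rf'^[A-Za-z]:\\({C}(\\{C})*\\?)?$')  # c:\shareddir\dir
UNC_SOURCE = "Pulled from file server using UNC path"

@dataclass
class Credential:            # hypothetical record, not a Kaseya object
    local_ok: bool           # validates as a local machine credential
    network_ok: bool         # validates as a network credential

def credential_alert(file_source: str, cred: Optional[Credential]) -> Optional[str]:
    """Reason the 'Agent credential is invalid or missing' alert is raised,
    or None for the cases where the note describes no trigger."""
    uses_unc = file_source == UNC_SOURCE
    if cred is None:
        # A missing credential only matters when the UNC source requires one.
        return "credential missing" if uses_unc else None
    if not cred.local_ok:
        # Local validation happens without regard to File Source.
        return "local validation failed"
    if uses_unc and not cred.network_ok:
        return "network validation failed"
    return None

def check_file_share(unc_path: str, local_dir: str) -> List[str]:
    """Syntax checks for Setup step 1 (UNC path) and step 4 (full path)."""
    problems = []
    if not UNC_RE.match(unc_path):
        problems.append("UNC path needs \\\\computername\\sharedname form")
    if not FULL_RE.match(local_dir):
        problems.append("local directory must be a full path")
    return problems

if __name__ == "__main__":
    # Constructed sample settings, not taken from a real deployment.
    print(check_file_share("\\\\computername\\sharedname\\dir\\", "c:\\shareddir\\dir"))
    print(check_file_share("\\\\computername", "shareddir\\dir"))
    print(credential_alert(UNC_SOURCE, None))
    print(credential_alert("Download from Internet", Credential(True, False)))
```

A credential that fails only network validation is silent under the other file sources and raises the alert once the machine is switched to the UNC file source.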

Patch Procedures Schedule

  • Patch Scan - Schedules scans to search for missing patches on each managed machine. Scanning uses very few resources and can be safely scheduled to run at any time of day. The scanning operation does not impact users at all. Schedule and clear the schedule using Edit Schedule and Reset.
  • Automatic Update - Schedules an update of managed machines with Microsoft patches on a recurring basis. Automatic Update obeys both the Patch Approval Policy and the Reboot Action policy. Schedule and clear the schedule using Edit Schedule and Reset.