Download and install patches
To install patches and updates, Cytomic Patch uses the task infrastructure implemented in Advanced EDR.
Requirements
Patches released by Microsoft are installed using the Windows Update service on the target workstation or server. However, to prevent Cytomic Patch from overlapping with the Windows Update service, the latter should be configured to be inactive on the computer. See General options.
Required permissions
The user account used to access the web console must have the Install, uninstall, and exclude patches permission assigned to its role. For more information about the permissions system, see Managing roles and permissions.
Patch download and bandwidth savings
Before the solution installs a patch, the computer downloads it from the software vendor. The download occurs in the background on each computer when a patch installation task starts. To minimize bandwidth usage, the solution uses cache computers on the network to download and disseminate patches and updates.
Limits to downloading patches from proxy and cache computers
Patches can be downloaded directly from the Internet and also through an Advanced EDR proxy or cache computer. See Configuring downloads from cache computers and Configuring proxies lists for Internet access.
There are limitations to using one method or another, depending on the computer operating system:
- Computers with a Windows or macOS operating system: They can download patches from cache computers and the Internet. They cannot download patches from the Advanced EDR proxy.
- Computers with a Linux operating system: Linux computers use the distribution package manager to download patches from the Internet. They cannot download patches from the Advanced EDR proxy or cache computers.
Cache computers store patches for up to 30 days, after which patches are deleted. If a computer requests a patch from a cache computer, but the cache computer does not have the patch in its repository, the computer waits for the cache computer to download it. The wait time depends on the size of the patch to download. If the cache computer cannot download the patch, the target computer tries to download the patch instead.
After patches are applied to a target computer, they are deleted from the storage media.
Types of patch installation tasks
- Quick (Install option): Downloads and installs the patch in real time but does not restart the computer, even if the installation requires a restart. Quick tasks start to download patches as soon as you create the task. This can result in high bandwidth usage if the task applies to many computers or the patches are large.
- Scheduled (Schedule installation option): Enables you to configure all settings related to the patch installation and start the task when you want. If the start time of multiple tasks coincides, the solution delays tasks up to 2 minutes to prevent simultaneous downloads and minimize bandwidth usage.
Interrupting patch installation tasks
You can cancel patch installation tasks if the installation process has not started yet on the target computers. If the installation process has already begun, however, you cannot cancel the task as doing so could cause errors on computers.
Patches corresponding to the operating system
Even if you set a computer with an incompatible operating system as the target for a specific patch, computers receive only patches that correspond to their operating systems.
Installing operating system patches on macOS computers
Some operating system patches for macOS computers require that the computer restart to complete patch installation, regardless of the restart options you select when configuring the patch installation task.
These patches contain new features, bug fixes, and enhancements for the operating system installed, but do not upgrade the operating system to a higher version. You can identify these patches because they include the text SoftwareUpdate in their name. This name appears on the Detected patch page and in the Available patches list.
Warning messages
Because installing these patches restarts the computer automatically, a warning message is shown to you and the computer user in these circumstances:
- When you select any of these patches from the list of available patches to create a quick or scheduled task. If you accept the message, the task runs (quick task), or you are taken to the task settings (scheduled task). See From the Available patches list.
- When you select macOS from Install patches for the following products upon configuring a patch installation task. A warning message appears for you to confirm whether you want to include those patches in the task. This option is disabled by default. See Configuring a patch installation task.
- The target computer for the task shows a message to the computer user informing that a patch installation task is in progress and the computer will restart.
Installation on Apple macOS computers
With Apple macOS computers, you must enter the volume owner user name and password to install operating system patches.
- If the credentials are correct: The Installation column in the Available patches list shows the Pending restart text. When patch installation is complete, the computer restarts automatically and the patch disappears from the list.
- If the computer user cancels the installation: The computer shows an error code on the task results page. See Task results.
If the patch installation task for a macOS computer includes patches that do not require credentials, the patches proceed to install.
Installation on Intel macOS computers
In this case, you do not need to enter any credentials. The target computer for the task shows a message to the computer user informing that a patch installation task is in progress.
Because you cannot postpone the automatic restart, we recommend that you close and save any open files.
Patch installation in the console
From the Available patches list
- From the top menu, select Status.
- In the My lists section of the side panel, click Add. Select Available patches.
- Use the filter tool to narrow your search.
- Select the checkboxes for the computers/patches you want to install.
- To create a quick task, select Install in the toolbar. To create a scheduled task, select Schedule installation. For more information about how to configure a scheduled task, see Configuring a patch installation task.
If the patches you select to install include operating system patches for macOS that require the computer to automatically restart, a warning message appears. See Installing operating system patches on macOS computers.
From the Available patches by computers list
- From the top menu, select Status.
- In the My lists section of the side panel, click Add. Select Available patches by computers.
- Use the filter tool to narrow your search.
- Click the context menu associated with the patch. A list appears and shows the Available patches. See From the Available patches list.
From the computer tree
- From the top menu, select Computers. From the left panel, select the My organization tab in the computer tree.
- To install patches on a group of computers, click the group context menu. Select View available patches. A list appears and shows the Available patches. See From the Available patches list.
- To schedule the installation of patches on a group of computers, click the group context menu. Select Schedule patch installation. A new patch installation task is created. For more information about how to configure it, see Configuring a patch installation task.
From the computer tree list
- From the top menu, select Computers. From the left panel, select the My organization tab in the computer tree.
- Select the group of computers. Select the checkboxes for the computers you want to patch.
- If you selected a single computer, click the computer context menu. Select View available patches. If you selected more than one, select View available patches in the toolbar above. A list appears and shows the Available patches. See From the Available patches list.
- To schedule installation of groups of patches, if you selected a single computer, click the computer context menu. Select Schedule patch installation. If you selected more than one, select Schedule patch installation in the toolbar above. A new patch installation task is created. For more information about how to configure it, see Configuring a patch installation task.
From the Tasks menu
From the top menu, select Tasks. Click Add task. Select Install patches.
Configuring a patch installation task
- Enter general details of the task in the Name and Description fields.
- If no recipients are defined, click the No recipients selected link in the Recipients section. A page opens where you can select the computers that will receive the configured task.
- To access the computer selection page, you must first save the task. If you did not save the task, a warning message appears.
- If you want to send the patch installation task only to computers you designated as test computers on your network, enable the Run the task only on test computers toggle. You designate a computer as a test computer in the Cytomic Patch settings profile you assign to it. See Cytomic Patch features.
- Select the types of computers you want to receive the task: Workstation, Laptop, or Server.
- Click the add icon to add individual computers or computer groups. Click the remove icon to remove them.
- On the Edit task page, click the View computers button to view the computers that will receive the task.
-
- Schedule the task. You can configure these parameters:
  - Starts: Indicates the task start date/time.
    - As soon as possible (selected): The task runs immediately provided the computer is available (turned on and accessible from the cloud), or as soon as it becomes available within the time interval specified in the If the computer is turned off section.
    - As soon as possible (cleared): The task runs on the date selected in the calendar. Specify whether the time is based on the computer local time or the Advanced EDR server time.
    - If the computer is turned off: If the computer is turned off or cannot be accessed, the task does not run. The task scheduler enables you to establish the task expiration time, from 0 (the task expires immediately if the computer is not available) to infinite (the task is always active and waits indefinitely for the computer to be available).
      - Do not run: The task is immediately canceled if the computer is not available at the scheduled time.
      - Run the task as soon as possible, within: Define a time interval during which the task will run if the computer becomes available.
      - Run when the computer is turned on: There is no time limit. The solution waits indefinitely for the computer to be available to run the task.
  - Frequency: Set a repeat interval (every day, week, month, or year) from the date specified in the Starts: field.
    - One time: The task runs only once at the time specified in the Starts: field.
    - Daily: The task runs every day at the time specified in the Starts: field.
    - Weekly: Use the checkboxes to select the days of the week on which the task must run, at the time specified in the Starts: field.
    - Monthly: Choose an option:
      - Run the task on a specific day of every month. If you select the 29th, 30th, or 31st of the month, and the month does not have that day, the task runs on the last day of the month.
      - Run the task on the first, second, third, fourth, or last Monday to Sunday of every month.
- In Security patches, select the criticality or importance of the patches to install.
- In Install patches for the following products, specify which products to install patches for. The product tree appears ordered by operating systems. Each operating system contains the patches that are available for it. Specify which products are to receive patches by selecting the relevant checkboxes in the product tree.
  If the patches you select to install include operating system patches for macOS that require the computer to automatically restart, a message appears for you to confirm whether you want to include those patches in the task. See Installing operating system patches on macOS computers.
  Because the product tree is a dynamic resource that changes over time, keep these rules in mind when you select items from the tree:
  - When you select a node, you also select all of its child nodes and all items dependent on them. For example, when you select Adobe you also select all nodes below that node.
  - If you select a node, and Cytomic Patch automatically adds a child node to that branch, that node is selected as well. For example, as previously explained, selecting Adobe also selects all of its child nodes. Additionally, if, later, Cytomic Patch adds a new program or family to the Adobe group, that program or family is selected as well. Conversely, if you manually select a number of child nodes from the Adobe group, and later Cytomic Patch adds a new child node to the group, this is not automatically selected.
  - The programs to patch are evaluated at the time when tasks run, not at the time when they are created or configured. For example, if Cytomic Patch adds an entry to the tree after you have created a patch task, and that entry is selected automatically in accordance with the aforementioned mechanism, the task installs the patches associated with that new program when it runs.
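The three selection rules above, modelled in Python as an added example (this is not Cytomic's code). It assumes the console stores only the nodes the administrator actually ticked and expands them against the current tree each time the task runs; the product names are constructed sample data.

```python
# Added example: a model of the product-tree selection rules (assumed, not Cytomic's implementation).
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    children: dict = field(default_factory=dict)

    def add(self, path):
        """Create (or find) the node at `path`, e.g. ("Windows", "Adobe", "Acrobat")."""
        node = self
        for part in path:
            node = node.children.setdefault(part, Node(part))
        return node

    def leaves_under(self, path):
        """All leaf paths below `path` in the tree as it is right now."""
        node = self
        for part in path:
            node = node.children[part]
        stack, leaves = [(node, tuple(path))], []
        while stack:
            n, p = stack.pop()
            if not n.children:
                leaves.append(p)
            stack.extend((c, p + (c.name,)) for c in n.children.values())
        return sorted(leaves)


def resolve_targets(tree, selection):
    """Expand the stored selection when the task runs, not when it was created."""
    targets = set()
    for path in selection:
        targets.update(tree.leaves_under(path))
    return sorted(targets)


def demo():
    """Constructed scenario: the Adobe group gains a product after two tasks were configured."""
    tree = Node("root")
    tree.add(("Windows", "Adobe", "Acrobat"))
    tree.add(("Windows", "Adobe", "Reader"))
    ticked_group = [("Windows", "Adobe")]                   # admin ticked the Adobe node itself
    ticked_children = [("Windows", "Adobe", "Acrobat"),     # admin ticked each product by hand
                       ("Windows", "Adobe", "Reader")]
    tree.add(("Windows", "Adobe", "Photoshop"))             # new entry appears in the tree later
    return resolve_targets(tree, ticked_group), resolve_targets(tree, ticked_children)
```

Only the task that ticked the Adobe node picks up the product added later; the task that ticked individual products keeps its original two targets.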
- In the Restart options section, select an option to specify whether computers must restart automatically after patches install.
  - Do not restart automatically: If you select this option, users see a message indicating that their computer must restart and can select whether to restart immediately or later. If the latter is selected, a reminder appears 24 hours later.
    Computers with a Linux operating system without a GUI are sent a message reminding them of the need to restart to complete the patch installation.
  - Automatically restart workstations only: Select the time interval to restart workstations. At the end of the set time, the agent shows the computer user a reminder message with the Restart now button and a countdown timer indicating how much time they have left before the computer restarts.
    Computers with a Linux operating system without a GUI are sent a message informing them of the time remaining until the restart.
    As the restart approaches, the user can no longer close the notification message. Every 30 minutes, the message appears on screen to remind the user of the need to restart. When the countdown finishes, the computer restarts automatically.
  - Automatically restart servers only: This option behaves in the same way as Automatically restart workstations only, but applies to servers only.
  - Automatically restart both workstations and servers: This option behaves in the same way as Automatically restart workstations only, but applies to both workstations and servers.
- Click Save. The task is added to the list of configured tasks. However, it shows the Unpublished label, meaning that it is not yet active.
- To publish a task, click the Publish button. The task is added to the Advanced EDR task scheduler, which runs it in accordance with its settings.
When two or more patch installation tasks that require a restart overlap in time, Advanced EDR restarts the computer when indicated by the task whose restart interval is closer in time. This avoids postponing the computer restart indefinitely if multiple successive patch installation tasks are chained together.
Lower versions of the security software
Lower versions of Advanced EDR that do not support the feature of setting the restart interval set it to 4 hours automatically.
If the recipient computers have a lower version of the security software installed, they might not correctly interpret frequency settings. These computers interpret the task frequency settings as follows:
- Daily tasks: Unchanged.
- Weekly tasks: Recipient computers ignore the days selected in the task by the administrator in the latest software. The first run occurs on the specified start date and then runs again every 7 days.
- Monthly tasks: Recipient computers ignore the days selected in the task by the administrator in the latest software. The first run occurs on the specified start date and then runs again every 30 days.
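The Frequency rules from Configuring a patch installation task and the lower-version behaviour above, worked through in Python as an added example (not Cytomic's code), so you can see on which dates a given task actually fires on current versus older agents. It assumes that a weekly task on a current agent fires on the first selected weekday on or after the start date; the start date and product-free scenario are constructed.

```python
# Added example: computes run dates under the documented frequency rules (assumed model, not Cytomic's code).
import calendar
from datetime import date, timedelta


def monthly_by_day(start, day, count):
    """Run on `day` of each month from the start month; a month without that day runs on its last day."""
    runs, y, m = [], start.year, start.month
    for _ in range(count):
        runs.append(date(y, m, min(day, calendar.monthrange(y, m)[1])))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return runs


def nth_weekday(year, month, weekday, n):
    """The first..fourth (n=1..4) or "last" occurrence of `weekday` (0=Monday) in a month."""
    days = [d for d in range(1, calendar.monthrange(year, month)[1] + 1)
            if date(year, month, d).weekday() == weekday]
    return date(year, month, days[-1] if n == "last" else days[n - 1])


def weekly_runs(start, weekdays, count):
    """Current agents: run on each selected weekday, starting from the start date (assumption)."""
    runs, d = [], start
    while len(runs) < count:
        if d.weekday() in weekdays:
            runs.append(d)
        d += timedelta(days=1)
    return runs


def legacy_weekly_runs(start, count):
    """Older agents ignore the selected weekdays: the start date, then every 7 days."""
    return [start + timedelta(days=7 * i) for i in range(count)]


def legacy_monthly_runs(start, count):
    """Older agents ignore the chosen day: the start date, then every 30 days."""
    return [start + timedelta(days=30 * i) for i in range(count)]


def example():
    """Constructed scenario: task starts Wed 31 Jan 2024, monthly on the 31st, weekly on Mon and Thu."""
    start = date(2024, 1, 31)
    return {
        "monthly": [d.isoformat() for d in monthly_by_day(start, 31, 4)],
        "monthly_legacy": [d.isoformat() for d in legacy_monthly_runs(start, 4)],
        "last_monday_feb": nth_weekday(2024, 2, 0, "last").isoformat(),
        "weekly": [d.isoformat() for d in weekly_runs(start, {0, 3}, 4)],
        "weekly_legacy": [d.isoformat() for d in legacy_weekly_runs(start, 4)],
    }
```

The monthly comparison shows the drift an older agent introduces: it fires on 1 March instead of 29 February, and the weekly run ignores the Monday/Thursday selection entirely.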