Download and install patches
To install patches and updates, Cytomic Patch uses the task infrastructure implemented in Advanced EPDR.
Requirements
Patches released by Microsoft are installed using the Windows Update service on the target workstation or server. However, to prevent Cytomic Patch from overlapping with the Windows Update service, the latter should be configured to be inactive on the computer. See General options.
Required permissions
The user account used to access the web console must have the Install, uninstall, and exclude patches permission assigned to its role. For more information about the permissions system, see Managing roles and permissions.
Patch download and bandwidth savings
Before the solution installs a patch, the computer downloads it from the software vendor. The download occurs in the background on each computer when a patch installation task starts. To minimize bandwidth usage, the solution uses cache computers on the network to download and disseminate patches and updates.
Limits to downloading patches from proxy and cache computers
Patches can be downloaded directly from the Internet and also through an Advanced EPDR proxy or cache computer. See Configuring downloads from cache computers and Configuring proxies lists for Internet access.
There are limitations to using one method or another, depending on the computer operating system:
- Computers with a Windows or macOS operating system: They can download patches from cache computers and the Internet. They cannot download patches from the Advanced EPDR proxy.
- Computers with a Linux operating system: Linux computers use the distribution package manager to download patches from the Internet. They cannot download patches from the Advanced EPDR proxy or cache computers.
Cache computers store patches for up to 30 days, after which patches are deleted. If a computer requests a patch from a cache computer, but the cache computer does not have the patch in its repository, the computer waits for the cache computer to download it. The wait time depends on the size of the patch to download. If the cache computer cannot download the patch, the target computer tries to download the patch instead.
After patches are applied to a target computer, they are deleted from the storage media.
Types of patch installation tasks
- Quick tasks (Install option): They download and install patches in real time but do not restart computers, even if the installation requires a restart. Quick tasks start to download patches as soon as you create the task. This can result in high bandwidth usage if the task applies to many computers or the patches are large.
- Scheduled tasks (Schedule installation option): They enable you to configure all settings related to the patch installation and start the task when you want. If the start time of multiple tasks coincides, the solution delays tasks up to 2 minutes to prevent simultaneous downloads and minimize bandwidth usage.
Canceling patch installation tasks
You can cancel patch installation tasks if the installation process has not started yet on the target computers. If the installation process has already begun, however, you cannot cancel the task as doing so could cause errors on computers.
Patches according to the operating system
Even if you set a computer with an incompatible operating system as the target for a specific patch, computers receive only patches that correspond to their operating systems.
Installing operating system patches on macOS computers
Some operating system patches for macOS computers require that the computer restart to complete patch installation, regardless of the restart options you select when configuring the patch installation task.
These patches contain new features, bug fixes, and enhancements for the operating system installed, but do not upgrade the operating system to a higher version. You can identify these patches because they include the text SoftwareUpdate in their name. This name appears on the Detected patch page and in the Available patches list.
Warning messages
Because installing these patches restarts the computer automatically, a warning message is shown to you and the computer user in these circumstances:
- When you select any of these patches from the list of available patches to create a quick or scheduled task. If you accept the message, the task runs (quick task), or you are taken to the task settings (scheduled task). See From the Available Patches list.
- When you select macOS from Install patches for the following products while configuring a patch installation task. A warning message appears for you to confirm whether you want to include those patches in the task. This option is disabled by default. See Configuring a patch download and installation task.
- The target computer for the task shows a message to the computer user informing them that a patch installation task is in progress and the computer will restart.
Installation on Apple Mac computers
Patches for Apple Mac computers require the user to enter the volume owner user name and password.
- If the credentials are correct: The Installation column in the Available patches list shows the Pending restart text. When patch installation is complete, the computer restarts automatically and the patch disappears from the list.
- If the computer user cancels the installation: The computer shows an error code on the task results page. See Task results.
If the patch installation task for a macOS computer includes patches that do not require credentials, the patches proceed to install.
Installation on Intel Mac computers
In this case, the user does not need to enter any credentials. The target computer for the task shows a message to the computer user informing them that a patch installation task is in progress.
Because the automatic restart cannot be postponed, we recommend that you save and close any open files.
Patch installation from the console
From the Available Patches list
- From the top menu, select Status.
- In the My lists section of the side panel, click Add. Select Available patches.
- Use the filter tool to narrow your search.
- Select the checkboxes for the computers/patches you want to install.
- To create a quick task, select Install in the toolbar. To create a scheduled task, select Schedule installation. For more information about how to configure a scheduled task, see Configuring a patch download and installation task.
If the patches you select to install include operating system patches for macOS that require the computer to automatically restart, a warning message appears. See Installing operating system patches on macOS computers.
From the Available Patches by Computers list
- From the top menu, select Status.
- In the My lists section of the side panel, click Add. Select Available patches by computers.
- Use the filter tool to narrow your search.
- Click the context menu associated with the patch. A list appears and shows the Available patches. See From the Available Patches list.
From the computer tree
- From the top menu, select Computers. From the left panel, select the My organization tab in the computer tree.
- To install patches on a group of computers, click the group context menu. Select View available patches. A list appears and shows the Available patches. See From the Available Patches list.
- To schedule the installation of patches on a group of computers, click the group context menu. Select Schedule patch installation. A new patch installation task is created. For more information about how to configure it, see Configuring a patch download and installation task.
From the computer tree list
- From the top menu, select Computers. From the left panel, select the My organization tab in the computer tree.
- Select the group of computers. Select the checkboxes for the computers you want to patch.
- If you select a single computer, click the computer context menu. Select View available patches. If you select more than one, select View available patches in the toolbar above. A list appears and shows the Available patches. See From the Available Patches list.
- To schedule installation of groups of patches, if you select a single computer, click the computer context menu. Select Schedule patch installation. If you select more than one, select Schedule patch installation in the toolbar above. A new patch installation task is created. For more information about how to configure it, see Configuring a patch download and installation task.
From the Tasks menu
From the top menu, select Tasks. Click Add task. Select Install patches.
Configuring a patch download and installation task
You can configure the time when Advanced EPDR starts to download the patches on the user computer and, if necessary, the time when it restarts the computer to apply the patches.
- In the Name text box, type a name for the task. In the Description text box, type a description of the task.
- If no recipients are defined, click the No recipients selected link in the Recipients section. A page opens where you can select the computers that will receive the configured task.
- To access the computer selection page, you must first save the task. If you did not save the task, a warning message appears.
- If you want to send the patch installation task only to computers you designated as test computers on your network, enable the Run the task only on test computers toggle. You designate a computer as a test computer in the Cytomic Patch settings profile you assign to it. See Cytomic Patch features.
- Select the types of computers you want to receive the task: Workstation, Laptop, or Server.
- Click the add button to add individual computers or computer groups. Click the remove button to remove them.
- On the Edit task page, click the View computers button to view the computers that will receive the task.
- Schedule the task. You can configure these parameters:
  - Starts: Specify when the task will start.
    - As soon as possible (selected): The task runs immediately, provided the computer is available (turned on and accessible from the cloud), or as soon as it becomes available within the time interval specified in the If the computer is turned off section.
    - As soon as possible (cleared): The task runs on the date selected in the calendar. Specify whether the time is based on the computer local time or the Advanced EPDR server time.
    - If the computer is turned off: If the computer is turned off or cannot be accessed, the task does not run. The task scheduler enables you to establish the task expiration time, from 0 (the task expires immediately if the computer is not available) to infinite (the task is always active and waits indefinitely for the computer to be available). The options are:
      - Do not run: The task is immediately canceled if the computer is not available at the scheduled time.
      - Run the task as soon as possible, within: Define a time interval during which the task will run if the computer becomes available.
      - Run when the computer is turned on: There is no time limit. The solution waits indefinitely for the computer to be available to run the task.
  - Frequency: Select how often you want the task to run (one time, daily, weekly, monthly).
    - One time: The task runs only once at the time specified in the Starts: field.
    - Daily: The task runs every day at the time specified in the Starts: field.
    - Weekly: Use the checkboxes to specify the days of the week to run the task each week, at the time specified in the Starts: field.
    - Monthly: Choose an option:
      - Run the task on a specific day of each month. If you select the 29th, 30th, or 31st of the month, and the month does not have that day, the task runs on the last day of the month.
      - Run the task on the first, second, third, fourth, or last Monday to Sunday of each month.
- In Security patches, select the importance of the patches to install.
- In Install patches for the following products, specify which operating system and products to install patches for. The product tree is arranged by operating systems. Each operating system contains the patches that are available for it. Specify which products are to receive patches by selecting the relevant checkboxes in the product tree.
  If the patches you select to install include operating system patches for macOS that require the computer to automatically restart, a message appears for you to confirm whether you want to include those patches in the task. See Installing operating system patches on macOS computers.
  Because the product tree is a dynamic resource that changes over time, keep these rules in mind when you select items from the tree:
  - When you select a node, you also select all of its child nodes and all items below them. For example, when you select Adobe you also select all nodes below that node.
  - If you select a node, and Cytomic Patch automatically adds a child node to that branch, that node is selected as well. For example, as previously explained, selecting Adobe also selects all of its child nodes. Additionally, if, later, Cytomic Patch adds a new program or family to the Adobe group, that program or family is selected as well. Conversely, if you manually select a number of child nodes from the Adobe group, and later Cytomic Patch adds a new child node to the group, this is not automatically selected.
  - The programs to patch are evaluated at the time when tasks run, not at the time when they are created or configured. For example, if Cytomic Patch adds an entry to the tree after you have created a patch task, and that entry is selected automatically in accordance with the aforementioned mechanism, the task installs the patches associated with that new program when it runs.
- In the Restart options section, select an option to specify whether computers must restart automatically after patches install.
  - Do not restart automatically: If you select this option, users see a message indicating that their computer must restart and can select whether to restart immediately or later. If the latter is selected, a reminder appears 24 hours later. On computers with a Linux operating system without a GUI, users receive a message that their computer must restart to complete the patch installation.
  - Restart automatically: See Automatically restarting computers.
- Click Save. The task is added to the list of configured tasks. However, it shows the Unpublished label, meaning that it is not yet active.
- To publish a task, click the Publish button. The task is added to the Advanced EPDR task scheduler, which runs it in accordance with its settings.
When two or more patch installation tasks that require a restart overlap in time, Advanced EPDR restarts the computer when indicated by the task whose restart interval is closer in time. This prevents the computer restart from being postponed indefinitely when multiple successive patch installation tasks are chained together.
Automatically restarting computers
To automatically restart computers only if any of the downloaded patches require it:
- From the drop-down menu, select the type of computers that must restart:
  - Automatically restart workstations only: Computers automatically restart after the update completes. You must restart servers manually.
  - Automatically restart servers only: Servers automatically restart after the update completes. Users must restart computers manually.
  - Automatically restart both workstations and servers: Computers and servers automatically restart after the update completes.
- To set a restart interval from the moment a computer finishes downloading a patch:
  - Select Delay restart.
  - From the drop-down menu, select the time that must elapse before the computer restarts.
  - When the restart time approaches, the security software shows a message. If the operating system uses a windowing environment, the message includes the Restart now button. The closer the time for the automatic restart, the more frequently the message appears. Eventually, the message appears in the foreground and you cannot minimize it.
- To restart a computer during the time slot configured in the maintenance window assigned to it, select Restart only during defined maintenance windows. See Maintenance windows settings.
Lower versions of the security software
Lower versions of Advanced EPDR that do not enable you to specify the restart interval for computers set it to 4 hours automatically.
If the recipient computers have a lower version of the security software installed, they might not correctly interpret frequency settings. These computers interpret the task frequency settings as follows:
- Daily tasks: Unchanged.
- Weekly tasks: Recipient computers ignore the days selected in the task by the administrator in the latest software. The first run occurs on the specified start date and then runs again every 7 days.
- Monthly tasks: Recipient computers ignore the days selected in the task by the administrator in the latest software. The first run occurs on the specified start date and then runs again every 30 days.
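The Frequency rules from Configuring a patch download and installation task (the fallback to the last day of the month for the 29th, 30th, and 31st, and the first/second/third/fourth/last weekday option) and the way lower versions of the security software reinterpret weekly and monthly tasks are easiest to check by computing the run dates. The following Python example is added here and is not Cytomic's or Advanced EPDR's code. It assumes that a start date which itself falls on a selected day counts as the first run, and all dates in it are constructed. Note how the lower-version interpretation of a "31st of each month" task drifts: its 30-day step lands on 1 March and skips February entirely.

```python
# Added worked example (not Cytomic's code): run dates a patch installation
# task produces under the Frequency settings, and the dates a lower-version
# agent would use instead (start date, then every 7 or 30 days).
import calendar
from datetime import date, timedelta

# Weekday numbering follows Python: Monday == 0 ... Sunday == 6.
MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY = range(7)
LAST = -1  # "last <weekday> of the month" in the Monthly option


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string (as typed into a form)."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def _next_month(year, month):
    return (year + 1, 1) if month == 12 else (year, month + 1)


def clamp_day_of_month(year, month, day):
    """Date of `day` in the given month; if the month is shorter than `day`
    (29th, 30th, 31st), fall back to the last day of that month."""
    last = calendar.monthrange(year, month)[1]
    return date(year, month, min(day, last))


def nth_weekday_of_month(year, month, weekday, n):
    """n-th (1..4) or LAST occurrence of `weekday` in the given month.
    Every month has at least four of each weekday, so n in 1..4 always exists."""
    if n == LAST:
        last_day = date(year, month, calendar.monthrange(year, month)[1])
        return last_day - timedelta(days=(last_day.weekday() - weekday) % 7)
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))


def weekly_runs(start, weekdays, count):
    """Weekly: run on each selected weekday on or after the start date
    (assumption: a start date that is a selected day counts as the first run)."""
    d, runs = _as_date(start), []
    while len(runs) < count:
        if d.weekday() in weekdays:
            runs.append(d)
        d += timedelta(days=1)
    return runs


def monthly_runs_on_day(start, day, count):
    """Monthly, 'specific day of each month', with the short-month fallback."""
    start = _as_date(start)
    year, month, runs = start.year, start.month, []
    while len(runs) < count:
        d = clamp_day_of_month(year, month, day)
        if d >= start:
            runs.append(d)
        year, month = _next_month(year, month)
    return runs


def monthly_runs_on_weekday(start, n, weekday, count):
    """Monthly, 'first/second/third/fourth/last <weekday> of each month'."""
    start = _as_date(start)
    year, month, runs = start.year, start.month, []
    while len(runs) < count:
        d = nth_weekday_of_month(year, month, weekday, n)
        if d >= start:
            runs.append(d)
        year, month = _next_month(year, month)
    return runs


def legacy_runs(start, frequency, count):
    """How a lower-version agent interprets the same task: the selected days
    are ignored; it runs on the start date, then every 7 (weekly) or
    30 (monthly) days."""
    step = {"weekly": 7, "monthly": 30}[frequency]
    start = _as_date(start)
    return [start + timedelta(days=step * k) for k in range(count)]


if __name__ == "__main__":
    iso = lambda runs: [d.isoformat() for d in runs]
    # Constructed scenario: task created on 2024-01-31 for the 31st of each month.
    print("latest, day 31 :", iso(monthly_runs_on_day("2024-01-31", 31, 4)))
    print("legacy, 30 days:", iso(legacy_runs("2024-01-31", "monthly", 4)))
    # Second Tuesday of each month (Microsoft's regular security release day).
    print("2nd Tuesday    :", iso(monthly_runs_on_weekday("2024-01-01", 2, TUESDAY, 3)))
```

Running the script side by side shows why it is worth checking the agent version on recipient computers before relying on a weekly or monthly schedule: the same task definition yields the intended calendar dates on current agents and a drifting fixed-step series on lower versions.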