Automate Patch Management
Automations allow you to roll out updates and patches automatically in a time slot that is the most convenient for both system administrators and remote users.
TIP: To roll out updates in stages, you can use a new Update Ring automation. See Update Rings for details.
To create an automation:
- Navigate to the Automations page and select New Automation | Deploy Update.
- On the Deploy Update step, first select updates for distribution.
- All — use this option to install all updates, irrespective of their severity or status.
- Matching filters — use this option to install the updates that match your search criteria. Add filters such as update source, update severity, etc.
- You can add several filters, and Action1 will search for and deploy updates that match them all at once (logical AND).
- Within each filter, you can provide several values, and Action1 will search for any of them (logical OR).
- Values can be included or excluded. For example, search for and deploy security updates that come from Microsoft or Google and whose severity is anything except Low.
- Only selected — use this option to install specific updates you’ve picked.
- Fine-tune your patch management automation:
- Automatically approve and deploy all matching updates / Require manual approval of updates — specify whether you need updates to be explicitly approved before they can be scheduled for distribution. Otherwise, you can set the time period to wait before automatically installing an update.
- Reboot options — skip or allow rebooting. You can configure the offset and notification for a user whose computer is going to be restarted.
Learn how Action1 handles reboots
Logged-in Users: If a user is logged in – even via a non-interactive session (for example, a remote desktop session on Windows) – Action1 displays a reboot prompt in that user’s logon session. This allows the user to postpone the reboot, up to the maximum delay configured in the Action1 automation settings.
Locked Sessions: If the session is locked, the reboot prompt is still displayed. The user will see this prompt immediately upon unlocking their session.
Multiple Users:
- Windows: When multiple users are logged in, each user receives a reboot prompt in their own logon session. The reboot can proceed as soon as any one user approves it; approval from all users is not required.
- macOS: Only the currently active interactive user receives a prompt to allow the reboot.
No Users: If no users are logged in, Action1 proceeds with the reboot immediately without displaying any prompts.
NOTE: macOS system updates cannot be installed without a reboot due to platform limitations. If automatic reboots are disabled, deployment of macOS system updates is blocked.
- Deactivate updates in Windows settings — check it to disable Windows Update and push patches and KBs via Action1 only.
NOTE: If automatic updates are already configured using Group Policy (GPO), this setting will not take effect.
- On the Select Endpoints step, pick the applicable managed endpoints. You can add endpoints one by one, select a group, or select all.
- On the Schedule step:
- Enter a name for the new automation (e.g., “Patch management”).
- Configure the patching schedule. Set the time that works best for your team, for example, Tuesday morning.
- Specify Missed schedule retry and maintenance window – a timeframe to retry update delivery for the powered-off or disconnected endpoints.
NOTE: Make sure the timeframe does not exceed the frequency of execution; for example, do not set it to 3 days for automations running on a daily basis.
- Click Finish.
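The filter semantics from the Deploy Update step (AND across filters, OR within a filter's values, values included or excluded), modelled in Python as an added example. This is not Action1 code: the `Filter` class, the field names `category`, `vendor` and `severity`, and the update records are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    field: str              # hypothetical field name on an update record
    values: frozenset       # lower-cased values listed in the filter
    exclude: bool = False   # True means "anything except these values"

    def matches(self, update: dict) -> bool:
        # Within one filter, any listed value counts as a hit (logical OR).
        hit = str(update.get(self.field, "")).lower() in self.values
        return not hit if self.exclude else hit


def make_filter(field, values, exclude=False):
    return Filter(field, frozenset(v.lower() for v in values), exclude)


def select_updates(updates, filters):
    # An update is selected only when every filter matches (logical AND).
    # With no filters at all, everything is selected, like the "All" option.
    return [u["name"] for u in updates if all(f.matches(u) for f in filters)]


# The example from the text: security updates from Microsoft or Google,
# with any severity except Low.
FILTERS = [
    make_filter("category", ["Security"]),
    make_filter("vendor", ["Microsoft", "Google"]),
    make_filter("severity", ["Low"], exclude=True),
]

# Constructed sample records (names and fields are illustrative only).
UPDATES = [
    {"name": "upd-A", "vendor": "Microsoft", "category": "Security", "severity": "Critical"},
    {"name": "upd-B", "vendor": "Google", "category": "Security", "severity": "Low"},
    {"name": "upd-C", "vendor": "Google", "category": "Security", "severity": "Important"},
    {"name": "upd-D", "vendor": "Mozilla", "category": "Security", "severity": "Critical"},
    {"name": "upd-E", "vendor": "Microsoft", "category": "Feature", "severity": "Moderate"},
    # No severity recorded: in this model an exclude filter lets it through.
    {"name": "upd-F", "vendor": "Microsoft", "category": "Security"},
]

if __name__ == "__main__":
    for name in select_updates(UPDATES, FILTERS):
        print(name)
```

An unrated update passing an exclusion filter is a property of this model only; confirm how your tool treats updates with no severity before relying on an "except Low" filter.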


