System settings for patch management

This page explains the system settings for patch management.

System settings for patch management can be found under 'Administration > System settings > Main > Patch management'.

Patch installation settings

Attribute name

Description

Max retries for failed patch (un)installation

This field defines how many times the installation or uninstallation of a patch or Windows 10 version update will be retried if the installation/uninstallation fails.

On the Asset configuration item's Security tab, you can see how many times the installation of a patch has failed on that device. You can see an error message explaining the reason for the installation failure by clicking the "Failed" text in the Status column.

You can reset the retry counter using the "Reset retries" button which is available in the asset's "Security patch status" table's header. After this, Miradore tries to install the patch or update again.

The "Reset retries" button is available if Miradore has failed to install one or more patches to the device.

Download patch files to asset before maintenance window

This setting controls whether the managed devices are allowed to download patch installation media to the device prior to the next maintenance window.

Miradore recommends allowing the download, because this leaves more time for the patch installations during the maintenance window. Downloading patch media in advance is especially useful if the maintenance window is short.

If this setting is set to "No", then devices will download the patch installation media and install the patches during the maintenance window.

Windows Update

With this setting, you can remotely control the configuration of Windows Update automatic updates for the Windows devices that are in the scope of Miradore patch management. You can define the scope on the "Patch scan and install" scheduled job, which can be found under System settings > Clients > General > Built-in scheduled tasks > Windows.

This setting takes effect the next time the "Patch scan and install" scheduled job runs on the device.

Not configured: Miradore does not change the configuration of Windows Update automatic updates for the devices.

On: Enables Windows Update automatic updates in the devices.

Off: Disables Windows Update automatic updates in the devices.

Miradore recommends disabling automatic Windows Updates when Miradore is used for patching, because Windows Update may interfere with the patch installations. It is also easier to manage patches when only one system is used for patching.

Notice that selecting "Not configured" restores the original Windows Update configuration on the devices if you want to cancel the activation or deactivation of automatic updates.

Notice that in an Active Directory environment a Group Policy for automatic updates may override this setting.
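
To see whether a Group Policy is configuring automatic updates on a given device, the following added example (not Miradore's own code) reads the registry key where Windows stores the "Configure Automatic Updates" policy. The function name Get-AutoUpdatePolicy is hypothetical, and the script does not show how Miradore itself applies the setting.

```powershell
# Added example: report whether a Group Policy configures Windows Update
# automatic updates on this device. Get-AutoUpdatePolicy is a hypothetical name.
function Get-AutoUpdatePolicy {
    param(
        # Registry key that holds the "Configure Automatic Updates" policy values
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    )

    # Meaning of the AUOptions policy value
    $auOptionText = @{
        2 = 'Notify before download'
        3 = 'Download automatically, notify before install'
        4 = 'Download automatically, install on schedule'
        5 = 'Local administrator chooses the setting'
    }

    $result = [ordered]@{
        PolicyPresent = $false
        State         = 'No automatic updates policy found'
        AUOptions     = $null
    }

    if (Test-Path -Path $PolicyPath) {
        $values = Get-ItemProperty -Path $PolicyPath
        $result.PolicyPresent = $true

        # NoAutoUpdate: 1 = automatic updates disabled, 0 = enabled
        if ($null -eq $values.NoAutoUpdate) {
            $result.State = 'Policy key exists, NoAutoUpdate is not set'
        } elseif ([int]$values.NoAutoUpdate -eq 1) {
            $result.State = 'Automatic updates disabled by policy'
        } else {
            $result.State = 'Automatic updates enabled by policy'
        }

        if ($null -ne $values.AUOptions) {
            $option = [int]$values.AUOptions
            $result.AUOptions = if ($auOptionText.ContainsKey($option)) {
                "$option ($($auOptionText[$option]))"
            } else {
                "$option (other value)"
            }
        }
    }

    [pscustomobject]$result
}

Get-AutoUpdatePolicy | Format-List
```

If PolicyPresent is True, compare the reported state with the value chosen for the Windows Update setting above; running `gpresult /h report.html` on the device shows which Group Policy Object supplies the policy.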

Attempt downloading patches from

This field configures if devices should always download patches from one of the installation points OR if the devices are allowed to download patches directly from the Internet in case the patch media is not available on the installation points.

The possibility to download patches from the Internet improves the patch deployment process, for example, for remote workers' devices that are not often connected to the company network.

Attempt downloading patches from internet during initial install

This setting only affects the patching of Windows devices during initial installation.

A device gets patched during the initial installation only if the "Miradore install latest patches" system package has been attached to the end packages group of the initial installation.

This setting determines if devices are allowed to download patch installation media during their initial installation directly from the patch vendors through the internet if the patch media is not available on the installation points.

Patch installation media often becomes available to the installation points soon after the patch has been approved for some device in your environment.

If you set "Allow downloading patches from internet during initial installation = No", Miradore only installs the applicable patches from the installation point to the device, but it doesn't attempt to download the other missing patches from the software vendors. In this case, it is possible that part of the device's software will remain unpatched after the initial installation.

If you set "Allow downloading patches from internet during initial installation = Yes", Miradore first installs the applicable patches from the installation point to the device, and then it downloads the rest of the missing patches from the software vendors over the internet and installs them to the device. As a result, the software installed on the device gets patched as thoroughly as possible during the initial installation. However, there can still be patches that don't support automatic downloading and must be installed manually.

System tray notification settings

Attribute name

Description

Patch management system tray notification enabled

Determines whether Miradore shows system tray notification messages to device users when patch installations are started or completed by Miradore. See the example picture of a system tray notification.

System tray notification title

Title text of the system tray notification message that is displayed to device users when patch installation is started or finished.

System tray notification message when starting to install patches

Contents of the notification message when starting the installation of patches.

System tray notification message when patch install finishes

Contents of the notification message after completing the installation of patches.

Reboot settings

Attribute name

Description

Default reboot option

This field defines what happens on the managed devices by default if a recently installed patch requires a restart to complete the installation. You can override this default setting at the asset configuration item (for one specific asset) and also at the asset group item (for a group of assets). See Inheritance of Patch management settings for more information.

  • Do nothing: Miradore Client doesn't show any messages to the user and the managed computer is not restarted automatically either.

  • Show simple dialog: Miradore Client shows a message telling the user that a computer restart is required. The message window has two buttons: "Restart now", which reboots the device immediately, and "Postpone", which postpones the reboot. The message appears again the next time the patcher runs if the computer hasn't been restarted before that. There is no limit on the number of postpones that the device user can make.

  • Show dialog with reboot timer and postpone options: Miradore Client shows a message telling the user that a computer restart is needed to complete the security patch installation. The message window has a countdown timer, which reboots the computer automatically after a certain time if the user doesn't respond to the message. The countdown timer duration can be configured in the "Reboot timer" field. In addition, there are two buttons: "Restart now", which restarts the computer immediately, and "Postpone", which postpones the restart message for the selected time. The message reappears after the selected time has elapsed. The number of available postpones can be configured in the "Max postpones" field.

  • Reboot without asking: The managed computer will be automatically restarted after security patch(es) requiring reboot have been installed.

The default messages have been localized into 17 different languages, and administrators can choose the default language for the end-user messages in "System settings > Main > Client popup window > Default end-user language". If the Self-service portal is enabled and the end-user has chosen a preferred language there, the reboot dialog will be shown in the user's preferred language.

Notice that if an asset belongs to multiple asset groups and has been configured to inherit the reboot option, the asset inherits the reboot option from the asset group that has the most user-friendly reboot option configured (Do nothing is the most user-friendly and Reboot without asking is the least user-friendly option).

Use custom reboot message

Set the value of the "Use custom reboot message" field to "Yes" if you want to use a custom reboot message instead of the default message to tell users when they need to restart their computers in order to complete the installation of security patches. You can enter your custom reboot message into the "Custom reboot message" field.

See the attached image of the default message below.

Custom reboot message

Enter a custom reboot message into this field.

Miradore Client will show the custom reboot message to the device end-user after installing patches that require a computer restart if "Use custom reboot message = Yes". The custom message is used in the "simple dialog", which only has the "Restart now" and "Postpone" buttons, and also in the dialog that has the countdown timer and postpone reminder option.

The custom message replaces the "Software update installation requires a reboot. Please restart your computer to complete the installation" part in the reboot dialog.

The other dialog texts, such as button labels and counter texts, are displayed in the language that is selected in "Administration > System settings > Main > Client popup window > Default end-user language". Therefore, it is recommended to write the custom message in the same language that has been selected for the client messages.

Custom reboot message for OS upgrade

This message will be shown to the device user after the installation of a Windows 10 version update if the installation requires a computer restart.

See Managing Windows 10 version updates to learn more about Windows 10 updates.

Reboot timer (minutes)

This field defines, in minutes, the duration of the countdown timer that is used in the Miradore Client message to automatically restart the computer if the user doesn't respond to the message. After the given time has elapsed, the computer will be automatically restarted if the device end-user doesn't postpone the reboot.

Reboot timer is only used when "Default reboot option = Show dialog with reboot timer and postpone options".

The maximum value for this field is 1440 minutes (24 hours).

Max postpones

This field defines how many times the device's end-user is allowed to postpone the reboot after Miradore has installed security patches that require a computer restart.

Max postpones setting is effective when "Default reboot option = Show dialog with reboot timer and postpone options".

Patch download settings

Attribute name

Description

Automatically download not-installed patches

Miradore Clients regularly scan which security patches are or are not installed on managed assets.

In order to speed up the deployment and installation of not-installed security patches, Miradore can be configured to download security patch installation packages to the media master installation point automatically.

In this field, you can configure what security patches Miradore should download to the media master installation point automatically. The choices are described below with bullets.

  • No: Miradore does not automatically download patch installation packages. This option helps to conserve free disk space at installation points.

  • Download approved, not-installed patches (recommended setting): Miradore automatically downloads the installation packages of the security patches, which are missing from assets according to the patch inventory and which also have been approved to be installed. However, Miradore will not automatically download installation packages for patches that have not been approved for any devices.

  • Download all not-installed patches: Miradore automatically downloads installation packages of all security patches that have not yet been installed, regardless of whether they have been approved or not in Miradore. This option may consume a considerable amount of disk space from installation points.

Notice:

  • Regardless of your choice in this field, you can always use the "Download patch(es)" task in the Security patch status view or on the Security patch item form to download security patch installation packages to the media master installation point as well.

  • You can also create dynamic Security patch automatic approval rule items in the Security patch automatic approval rules view and choose "Download when approved = Yes", which means that certain kinds of security patches are automatically approved by the rule and the installation packages of those patches are automatically downloaded to the media master installation point. The use of automatic security approval rules is recommended for approving urgent security patches.

  • Miradore automatically cleans installation points by deleting installation packages of outdated security patches and patches that haven't been installed in the past 90 days. If a cleaned patch is required again later, it will get re-downloaded by the normal download procedure. This cleaning behaviour can be turned off with an internal system flag if needed. Contact Miradore support for more instructions.

Days to store unused patch cache

This setting defines how many days the cached patch data will be preserved at the master installation point if the patch is not installed to any devices.

The day counter begins from the last date when the patch was installed to some device with Miradore. If the patch has never been installed, then the counter begins from the last date when metadata about the patch was imported to Miradore server by Miradore patch manager.

When the defined storage time is reached, the cached patch data will be removed from the master installation point.

Default value for this setting is 90 days.

Days to store obsolete patches

This setting defines how many days Miradore stores metadata about patches that have become obsolete at the Miradore server.

A patch becomes obsolete when it's omitted from the daily patch feed that is imported to Miradore server by Miradore patch manager component. This may happen because the patch has been withdrawn or the patch has been replaced with a newer one, for example.

When the defined storage time is reached, the patch metadata and any cached patch data will both be removed.

Default value for this setting is 45 days.

Number of days how old patches are affected by patch approval rules

This setting defines how many days after the release date patches are in the scope of the automatic patch approval rules.

Leave this field empty if you wish to manage patch approval status with the automatic rules also for the older patches.

Note that some old patches might not have a release date recorded in Miradore. The automatic patch approval rules will not process patches without a release date if you set any value in this field. Instead, those patches must be approved manually.

Default languages to download

This setting determines which patch language versions Miradore downloads to the media master installation point if someone uses the "Download now" task in the Patch item page or Security patches view. It is recommended to choose here the main languages that are used in your environment. The intention is to speed up the patching process by downloading early the patches that will most likely be needed.

Notice that, regardless of this setting, Miradore can still download additional patch language versions automatically if any device reports missing patches in some other (unselected) language.

Good to know: There is a "Downloads" section on the Patch item page, where it is possible to see which patch language versions Miradore has cached to the media master installation point. If you switch the Patch page into edit mode, you will also see a download button on the rightmost edge of the table, which can be used to download additional patch language versions manually.

See also

Getting started with patch management