Patch detection and reporting features are always enabled on all Miradore sites, whereas the patch distribution feature is disabled by default. Customers with the Premium Plan can enable automated patch deployment for Windows devices as described in this article.
Enabling automated patch deployment for Windows devices
Navigate to the Management > Patches page and open the Installation settings tab.
Here you can enable the automated patching of your Windows devices. If needed, you can also exclude or include some products and vendors with custom installation rules.
Pilot testing
You can define separate patch installation settings for a pilot group with Miradore. It is highly recommended to take advantage of this option to minimize the possible problems. See the description of the pilot group settings in the table below.
| Patch installation settings for devices in the pilot group | |
| Install patches |
Do you want to verify the functionality of patches on pilot devices before rolling them out to all Windows devices? When you enable the patch installation for the pilot group, remember to define the Pilot group tags and Installation delay. If the installation is disabled, the devices in the group are excluded from patching. |
| Pilot group tags |
Use device or user tags to select a group of pilot computers. Try to choose the pilot computers so that they represent all of your Windows devices as well as possible. This is important because it helps you detect potential patch compatibility issues before deploying patches to the rest of the devices. If a device or its user has any of the specified tags, the device is in the pilot group. If you're not yet familiar with device tagging, see the article about Device tagging. When the patch installation for pilot group computers is disabled, the devices having the pilot group tags are excluded from patching. |
| Installation delay |
This field defines the number of days Miradore waits before it attempts to install the patch to the devices in the pilot group. The delay is counted from the time a patch appears in the Miradore patch feed. This field has no effect if the patch installation for the pilot group computers is disabled. Make sure that the installation delay for the pilot group is shorter than the installation delay for the rest of your Windows computers. In this way, you have enough time to ensure the correct functionality of the patches. |
Main installation settings
In addition to the pilot group settings, you can define patch installation settings for other devices. You can define the settings to be applied to all devices outside the pilot group, or you may restrict the patch installation to a specific group with tags.
Please note that if a device or its user has tags from both pilot and main groups, the device belongs to the pilot group. In case the automated patch deployment is restricted with tags, the device with no tags is excluded from patching. See the description of the settings from the table below.
| Patch installation settings for devices not in the pilot group | |
| Install patches |
Enabling this setting activates automated patch installation for all Windows computers not belonging to the pilot group. |
| Tags | With this field, you may restrict the patch installations to a specific group of devices. Use device or user tags to select a group of computers for the patch installation.
If the device or its user has any of these defined tags, the computer is included in the group. Please read about device tagging for more information. |
| Installation delay |
This field defines the number of days Miradore waits before it attempts to install the patch to the defined devices. The delay is counted from the time a patch appears in the Miradore patch feed. Installation delay for the devices not in the pilot group should be higher than the installation delay for the pilot group. In this way, you have enough time to ensure the correct functionality of the patches before the installation on all Windows PCs. Important information: Managed devices will receive the installation delay setting when they sync with Miradore next time. If you want your devices to get the settings immediately, go to the Devices page and run Actions > Start patch installation now from the page toolbar. |
Configuring Windows Update for the managed computers
To ensure the proper functionality of Miradore's patch management feature in your managed computers, we recommend configuring Windows Update on the managed computers as follows:
- Make sure the Windows Update Service is not disabled. Patch deployments won't succeed if the service is disabled.
- Set Windows Automatic Updates to Never check for updates (Windows 7 & 8). This will speed up the patch deployments. If Windows Automatic Updates is configured to check for updates, it may slow down patch deployments with Miradore. It also makes patching more manageable when there is only one system patching device.
- On Windows 10 computers you cannot modify the automatic updates setting from the Control panel, but you can edit the settings through the Group Policy Editor or use Miradore's Windows Update configuration profile to disable the automatic updates. On domain-joined computers, this setting is most likely managed through group policies by your administrator.
Related articles:
Troubleshooting patch deployments
Have feedback on this article? Please share it with us!
Previous Article:
« Viewing available and installed patches for Windows devices
Next Article:
The advantages of a pilot group »