Atera's Patch Management gives you total administrative control over device patching. In addition to selecting the patch categories you want to install, within an IT automation profile, you can also exclude patches you don't want installed. This includes the ability to exclude specific OS and software patches as well as the powerful capability to block Windows automatic updates.
Exclude OS Patches
You can exclude OS patches that you don't want to install, within an IT automation profile. You can select from critical, security, service packs, drivers and tools, and Mac OS updates.
To exclude OS patches:
1. Navigate to Admin > Patch Management and IT Automation.
The Patch Management and IT Automation page appears.
2. Click to open the relevant IT Automation profile.
3. After selecting the desired scheduling and patches, click Manage, in the OS Excluded Patches section.
The Select Patches screen appears.
4. Select the relevant patches to exclude by checking the boxes next to the specific patches.
5. Click Select.
To ensure the patches do not get automatically installed by Windows Update, you can disable automatic Windows updates (instructions below).
Note: The automatic Windows Update feature overrides the patch exclusion feature in Atera's automation profiles. This means that if Windows Update is not disabled, excluded patches could still get installed.
6. Once finished selecting any desired scheduling and patch categories, click Save to save the profile.
The selected patches are now excluded in the automation profile (and will be excluded when the profile is assigned to, and run on, customers and agents).
7. Remember to assign the profile to the relevant customers or agents.
Note: You can also exclude OS patches from ALL automation profiles, in addition to excluding them from individual profiles.
Disable Windows Automatic Updates
With Atera's IT automation profiles, you can prevent the Microsoft Windows Update feature from installing automatic, local updates. This is useful if you'd like to maintain complete control over what gets installed on your customers' devices.
Important notes:
- 'Security Intelligence Updates for Microsoft Defender Antivirus' will not be disabled and will continue to automatically update (even if you've disabled Windows Update in the Atera profile).
- If you disable the automatic Windows Update feature, be sure to include all the patches you wish to install within the Atera IT automation profile, to ensure your customers' devices stay secure and up-to-date.
- This feature disables the local user's option to check for and install automatic updates themselves (Windows 10 OS only). If they try, they will see a message like the one below (see image). With earlier Windows OS versions, users will not be blocked from searching for and installing updates.
- This feature won’t work on Windows OS Home versions (as they don’t support Group Policy).
To disable Windows automatic updates:
1. Navigate to Admin > Patch Management and IT Automation.
The Patch Management and IT Automation page appears.
2. Click to open the relevant IT Automation profile.
Note: The Windows local updates feature may not appear in older automation profiles. If it doesn't appear, we recommend creating a new automation profile, copying the settings, and then deleting the old profile.
3. Locate the Windows local updates section, and select Disable.
Note: Feature options include:
- Don't affect - The profile won’t affect automatic local update settings
- Enable - Enables Windows to install automatic local updates
- Disable - Blocks Windows from installing automatic local updates
4. Once finished selecting any other desired scheduling and patches, click Save to save the profile.
This profile will now disable Windows automatic updates when it is assigned to, and run on, customers and agents.
5. Remember to assign the profile to the relevant customers or agents.
Important notes:
- When the automatic Windows Update feature is enabled (via local setting or Atera), it may override the ‘OS Excluded Patches’ and IT automation schedule set in Atera. This means that patches you've excluded may get installed anyway.
- If a local user manually re-enables automatic Windows updates on their device, it will revert to the settings you've selected in the Atera automation profile the next time the scheduled profile is run (or run manually).
- If you ever need to manually re-enable automatic Windows updates on a device, follow these instructions.
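To confirm on an endpoint that the setting took effect and that no excluded patch was installed anyway, you can run a check like the one below. This is an added example, not Atera code: the KB IDs are placeholders, and it assumes the profile's Disable option shows up as the standard Windows Update policy value NoAutoUpdate.

```powershell
# Added example, not Atera code. Run in an elevated PowerShell session on the endpoint.
# Placeholder KB IDs (constructed): replace with the patches excluded in your profile.
$ExcludedKbs = @('KB0000001', 'KB0000002')

function Test-PatchExclusionState {
    param([string[]]$ExcludedKbs)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Assumption: the profile's "Disable" option is reflected in the standard
    # Windows Update policy value NoAutoUpdate (1 = automatic updates disabled).
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAutoUpdate = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate `
        -ErrorAction SilentlyContinue).NoAutoUpdate

    # Get-HotFix reports updates recorded as QFEs; it may not list every update type.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $ExcludedKbs -contains $_.HotFixID })

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        OS                   = $os.Caption
        HomeEdition          = $os.Caption -match '\bHome\b'
        AutoUpdateDisabled   = ($noAutoUpdate -eq 1)
        ExcludedButInstalled = $installed.HotFixID -join ', '
    }
}

$state = Test-PatchExclusionState -ExcludedKbs $ExcludedKbs
$state | Format-List

if ($state.HomeEdition) {
    Write-Warning 'Home edition: Group Policy is not supported, so the Disable option will not apply.'
}
if (-not $state.AutoUpdateDisabled) {
    Write-Warning 'Automatic updates are not disabled by policy; excluded patches may still install.'
}
if ($state.ExcludedButInstalled) {
    Write-Warning "Excluded patches found installed: $($state.ExcludedButInstalled)"
}
```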
Exclude Software Patches
You can exclude software patches that you don't want to install, within an IT automation profile. Software patches are installed/excluded via our integrations with Chocolatey and Homebrew.
To exclude software patches from an automation profile:
1. Navigate to Admin > Patch Management and IT Automation.
The Patch Management and IT Automation page appears.
2. Click to open the relevant IT Automation profile.
3. Click Manage under the Software Excluded Patches section.
The Exclude Software Installation screen appears.
Note: The screen that appears may differ depending on whether the automation profile was created before or after our Patch Management and IT Automation page redesign in 2021.
4. Search for and select the relevant patches (within either the Windows or Mac tabs) by checking the boxes next to the patches.
5. Click Exclude.
6. Once finished selecting any desired scheduling and patches, click Save to save the profile.
The selected patches are now excluded in the automation profile (and will be excluded when the profile is assigned to, and run on, customers and agents).
7. Remember to assign the profile to the relevant customers or agents.