Patch Management

N-able N-central provides an automated Vulnerability and Patch Management solution designed to reduce the attack surface across managed endpoints. It ensures that devices remain protected by systematically identifying vulnerabilities and applying updates based on intelligent policies and insights.

Patch Assessment and Prioritization

Detected vulnerabilities are evaluated using industry-standard metrics like CVSS scores, allowing IT teams to prioritize remediation based on risk.

  • Visibility into missing patches by severity level

  • Group and device-level reporting dashboards

  • Tagging of critical, moderate, or low-risk vulnerabilities

Automated Patch Deployment

N-central enables centralized, policy-based automated patching for Windows and third-party software. Administrators can configure schedules, reboot options, maintenance windows, and fallback behaviors.

  • Fully automated or approval-based patch workflows

  • Patch caching and bandwidth control using probe-based deployment

  • Post-patch reboot and rollback options

Compliance and Reporting

To support compliance frameworks (for example, HIPAA, ISO 27001), N-central includes built-in reports and audit trails showing patch status and remediation timelines.

  • Audit-ready patch compliance reporting

  • Proof of remediation for regulatory requirements

  • Executive summaries and technician-level detail

Security Integration

Patch deployment workflows are hardened by N-central's secure agent communication. All patch metadata and deployment instructions are transmitted over TLS-encrypted channels, and role-based access control (RBAC) ensures that only authorized users can modify policies or force patch actions.

Managing Windows Updates

  1. The Windows Agent (PME) communicates with Windows Updates (WUA) and requests a list of available updates.

  2. The Windows Agent transmits this information to the N-able N-central server.

  3. The N-able N-central administrator configures approvals for the list of updates.

  4. The Windows Agent (PME) communicates with the Probe and/or Agent and requests the approved updates.

  5. The Probe/Agent downloads the updates.

  6. (optional) The Windows Agent downloads the updates from the Probe.

  7. The Windows Agent applies the schedule for installing updates.

Managing Offline Patches

Archives of the metadata for offline patches are on sis.n-able.com, and installing offline patches behaves similarly to online patching through the Microsoft Update server.

Communication with sis.n-able.com uses port 443.

Offline patching uses MSU installer files instead of the CAB installer files used by online patching through the Microsoft Update server. The base URL of these files might also differ from the base URL used with online patching.

Patching data for offline devices passes through the probe using port 15000.

Monitor for missing patches

When a Windows Agent is installed on a device, the Patch Status v2 service is automatically added to that device. The Patch Status v2 service queries the Windows Update Agent (WUA) on the device to determine the Microsoft and third-party application patches that are missing.

The Patch Status service shows:

  • total number of missing patches

  • number of patches installed with errors

  • missing patches by category

  • missing patches older than a user-specified number of days
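
To cross-check these figures on a single device, the following added example (not N-able code, and not how the Patch Status service is implemented) queries the local Windows Update Agent through its COM API and produces the same four kinds of counts. The `$OlderThanDays` parameter and its default of 30 are assumptions, and the results cover only what the device's configured update source reports to WUA.

```powershell
# Added example: local cross-check of patch-status figures via the WUA COM API.
# Not N-able code. Run in an elevated PowerShell session on the device.
param(
    [int]$OlderThanDays = 30   # assumed threshold; set to match your policy
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Updates applicable to this device that are neither installed nor hidden.
$result  = $searcher.Search("IsInstalled=0 and IsHidden=0")
$missing = @($result.Updates | ForEach-Object { $_ })

# LastDeploymentChangeTime is the date the update was last published or changed.
$cutoff = (Get-Date).AddDays(-$OlderThanDays)
$stale  = @($missing | Where-Object { $_.LastDeploymentChangeTime -lt $cutoff })

# An update can belong to several categories; count it under each one.
$byCategory = $missing |
    ForEach-Object { foreach ($c in $_.Categories) { $c.Name } } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Name, Count

# Update history: Operation 1 = installation, ResultCode 3 = succeeded with errors.
$historyCount = $searcher.GetTotalHistoryCount()
$withErrors   = @()
if ($historyCount -gt 0) {
    $withErrors = @($searcher.QueryHistory(0, $historyCount) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 3 })
}

[pscustomobject]@{
    TotalMissing         = $missing.Count
    InstalledWithErrors  = $withErrors.Count
    MissingOlderThanDays = $stale.Count
    ThresholdDays        = $OlderThanDays
} | Format-List | Out-String

$byCategory | Format-Table -AutoSize | Out-String

# List the stale updates so they can be compared with the central dashboard.
$stale | Sort-Object LastDeploymentChangeTime |
    Select-Object Title, MsrcSeverity, LastDeploymentChangeTime |
    Format-Table -AutoSize | Out-String
```

A large gap between these local counts and what the central dashboard shows for the same device is worth investigating as an agent communication or approval-policy problem.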