Patch Management Scan Types

Offline patching is a key feature of Patch Management Engine (PME). PME can run the patch scan and install or remove updates without using Microsoft Update servers as the Windows Update Agent (WUA) data source. You must enable this feature manually, and the environment must have a working probe.

Scan Types

WUA Scans

Patch Management can gather patch data from various sources: WUA (Microsoft), N-able offline metadata, 3rd party patches, and so on. "WUA Only" mode returns only patches from WUA and 3rd party patches. The result should be basically the same as what the user sees in the Windows Update UI.

Requirements:

  • Access to MS Update servers

  • Access to SIS server or N-central probe

We recommend that most of our customers use WUA mode, unless they need to be offline for security reasons.

WUA Offline

A WUA search based on offline metadata files provided by N-able. The result contains:

  • WUA patches. These should be close to the result from "WUA Only", but are obtained without contacting MS Update servers.

  • Patches based on N-able offline metadata (Security Only Updates, historical Feature Updates, etc.).

Requirements:

  • Access to SIS server or N-central probe.

  • Offline mode installation always needs the installer file to be available (there is no option to fall back to handing the patch data over to WUA and letting it install the patch by itself).

  • Offline mode installation doesn't use Deployment Image Servicing and Management (DISM) as its primary installation tool. It uses Windows Update Standalone Installer (WUSA), which is capable of installing Microsoft Software Update (MSU) packages.

Disabling/Enabling Scan Types for N-central 2020.1+

You can choose between regular online WUA scanning and the offline scanning feature from the Patch Profile.

  1. In the left-hand navigation menu click Configuration.

  2. Click Patch Management.

  3. Under the PATCH SETUP WIZARD, click CREATE A NEW PATCH CONFIGURATION.

  4. Under PATCH DETECTION METHOD, select whether you want regular online WUA scanning (Windows Update) or offline scanning (Offline Update for Secured Networks).

  5. Finish filling out the rest of the information and click FINISH.

Disabling/Enabling Scan Types for Older Versions

Any N-central version older than 2020.1 will NOT have the option to select between online WUA and offline scanning. However, you can still enable the feature on demand with a manual action on the device itself. If you want to change the patch scan mode to offline for a given device, look for the following property:

<OfflineScan>1</OfflineScan>

in the %Programfiles(x86)%\MspPlatform\PME\config\PmeConfig.xml file. A value of 1 means that offline scan mode is enabled, and a value of 0 means that regular online mode is used.

You don't need to restart any services or take any further action. Changing this config record is all it takes to change the scan mode.
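
One way to read or change this property from PowerShell, as an added example (not N-able's own tooling). The function name Set-PmeScanMode, its parameters and the .bak backup copy are assumptions of this example; the file path and the OfflineScan element are the ones given above, and the element is located by name because the rest of the file's layout is not assumed.

```powershell
# Added example, not vendor tooling. Run elevated on the managed device.
# The path and the <OfflineScan> element come from the page; the function name,
# its parameters and the .bak backup file are assumptions of this example.
$PmeConfig = Join-Path ${env:ProgramFiles(x86)} 'MspPlatform\PME\config\PmeConfig.xml'

function Set-PmeScanMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Online', 'Offline')]
        [string]$Mode,                      # omit to only report the current mode
        [string]$Path = $PmeConfig
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "PME config not found: $Path"
    }
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true         # keep the file's layout when saving
    $doc.Load($full)

    # Match by local name so the lookup does not depend on the surrounding structure.
    $node = $doc.SelectSingleNode("//*[local-name()='OfflineScan']")
    if ($null -eq $node) {
        throw "No <OfflineScan> element in $full; refusing to guess where to add one."
    }
    $previous = $node.InnerText.Trim()
    if ($previous -notin '0', '1') {
        throw "Unexpected <OfflineScan> value '$previous' in $full."
    }

    $current = $previous
    $wanted  = if ($Mode) { @{ Online = '0'; Offline = '1' }[$Mode] } else { $previous }
    if ($wanted -ne $previous -and
        $PSCmdlet.ShouldProcess($full, "Set OfflineScan $previous -> $wanted")) {
        Copy-Item -LiteralPath $full -Destination "$full.bak" -Force   # rollback copy
        $node.InnerText = $wanted
        $doc.Save($full)
        $current = $wanted
    }
    [pscustomobject]@{
        Path     = $full
        Previous = $previous
        Current  = $current
        Mode     = if ($current -eq '1') { 'Offline' } else { 'Online' }
    }
}
# Set-PmeScanMode                        # report the current mode only
# Set-PmeScanMode -Mode Offline -WhatIf  # preview the change without writing
```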

Available Patches in Offline

In addition to updates that are available in offline mode already (e.g. Third Party Patches, Security-Only patches and Servicing Stack Updates), we also support "system" updates, or updates that are targeted to the Windows system itself, such as:

  • Cumulative Updates (Windows 10)

  • Monthly Rollups (Windows 8.1)

  • Out of band system updates (optional system updates)

  • etc.

We don't yet support offline patching for updates targeting additional products, such as:

  • Silverlight

  • SQL Server

  • Office

  • some .NET framework updates

  • etc.

The key indicator of whether we can offer an update in offline mode is whether the MSU installer is available. Check by looking up the update in the MS Update Catalog and checking the downloads section. Only MSU installers contain the detectoid files that are a crucial part of our offline patch workflow.