Patch Status service v2
Patch Status v2 is a service that reports on the status of patching using information from maintenance windows.
This topic includes:
As of N-able N-central version 12.1, agents that are upgraded to the current version will no longer report into, or have available the Patch Status service, an earlier iteration of the service. Agents will go forward using the Patch Status V2 service. Devices using older agents will continue to report to the Patch Status service.
The Patch Status service v2 monitors scheduled Maintenance Windows to assist in determining missing patches. This new service will no longer report a Failed state when a patch has been detected but has not yet completed its install and reboot cycle.
It also alerts you as to what patches have been missing for a specified amount of time since the release of an update.
Patch Status v2 does not report superseded, or not-yet-approved, updates as new patches. However, it is possible to approve superseded update for installation. If this occurs, Patch Status v2 starts tracking this update as Pending Installation and eventually as Missing Patch.
The Patch Status service is not connected to Patch Management. You can use the service and not use Patch Management and visa-versa.
Scanning and thresholds
Unlike other N-able N-central services, the Patch Status service v2 does not run at regular time intervals; rather, it is event-based. The Patch Status service v2 updates its status:
- after every Detection/Installation Maintenance Window event,
- by events in the agent, or
- by selecting Scan Now.
Full detection (Windows Update Agent scan) runs only during Detection/Installation Maintenance Window. Outside of these updates, N-able N-central uses cached patch data to refresh the Patch Status service quickly, such as when using the Scan Now feature.
Full detection typically takes 10-20 minutes to complete. In some cases, full detection can take up to 60 minutes due to internal timeouts in the agent's detection process. If cached data is used, the Patch Status is updated within five minutes.
Any manual installation of patches will appear in the Patch Status service v2 after the next Detection/Installation Maintenance Window.
If there is a problem in detection, which causes a WUA error, the Patch Status service suppresses the error status for six hours in case the error is a temporary problem.
Status updates
The status of the patch service updates on these triggers in N-able N-central:
- Regularly every 24 hours.
- When the device boots or performs a reboot.
- When performing an asset scan.
- On the completion of the Patch Detection Maintenance Window.
- On the completion of the Patch Installation Maintenance Window.
- When there is a change in Patch Approvals that affects a device.
- When enabling or disabling Patch Management.
Status
The Status page shows a graphical representation of your patch state, including approved but not yet installed patches, and unapproved patches. The summary shows high level alerting information, including reboot details, patches installed with errors and upcoming scheduled patch events.
The additional tabs provide details on the patching for a device for troubleshooting. The status information updates each time a scheduled patch detection occurs or after completing a patch cycle.
- New Patches (by age): Enables you to monitor patches that have not yet been approved, to ensure that you don't miss a patch.
- Pending Installation: A list of patches waiting to be installed. This list enables you to view the status of a patch installation. Click the View link next to a patch to see more details.
- Missing patches (by maintenance window/ by age): Enables you to see when a patch is missing because it has not been installed in expected time frame.
Service Details
The Service Details page enables you to adjust the patch classifications and priorities to monitor those patches which are most important to your customer.
Patch priorities
Patch Status service v2 enables you to categorize each patch status classification. By doing this, you can simplify patch management by focusing on the thresholds of patches that are most important to your customers. Classify each classification as a priority of Low, Medium or High. These selections are used with the threshold settings to determine when N-able N-central activates an alert.
Patch priorities are available on the Details tab of the service. The default priority settings are:
High | Critical Updates, Security Updates, Definition Updates, Third Party Patches |
Medium | Service Packs, Update Rollups, Updates, Upgrades |
Low | Drivers, Feature Packs, Tools, Unknown |
If there is a particular patch classification that you do not need or want alerts for, select the radio button in the Not Monitored column. See the Troubleshooting guide for information about Patch Status 2 errors.
Thresholds
Make threshold adjustments to detail what the patch status will monitor and alert on from various templates that apply it. Set these options for each patch priority to better refine your patch monitoring requirements.
Notify my if a new patch has not been actioned in X days | Set an alert to notify you when new patches have not been approved. This option provides a way to alert you if there are patches you forgot to approve for a device. Enter the number of days since the release date of the patch. Note that superseded patches are not included with this option. | ||||||||||||||||||||||||||||||||
Were any approved patches not successfully installed during the last patch installation window | Set the threshold to determine whether a patch was installed during a maintenance window. This option is only for patches that are approved for install during a maintenance window. A patch may be considered missing after a maintenance window if you have laptops that are often offline. Because of this, the device may not be patched after the next maintenance window is over, but after a certain amount of time following the maintenance window. This can also be an issue when installing patches manually using the Patch On Demand feature. In this situation, use the threshold setting If Your Device Does Not Have a Patch Install Window Configured... . | ||||||||||||||||||||||||||||||||
If your device does not have a patch Install Window configured | Set this option when the Patch Status service alerts you that a patch is missing on a device when it is not within an install window. This threshold is off by default. It should only be used to detect missing patches on devices that are patched ad-hoc, such as when patching on demand. N-able recommends that you disable the threshold Were any approved patches not successfully installed... if you use this threshold. | ||||||||||||||||||||||||||||||||
How many days before the patch is considered missing. | |||||||||||||||||||||||||||||||||
Reboot Required | Set the reboot warning depending on the required state of a patch. | ||||||||||||||||||||||||||||||||
Windows Update Agent Status | Set the WUA status to appear. An up-to-date WUA ensures devices will be able to have to latest Microsoft patches available for installation. N-able N-central updates the WUA automatically. An up-to-date version of the WUA is stored on the SIS server. The Patch Status service monitors the WUA and includes information of its current state. The information on the Patch Status overview page lists the installed version on the device, the version managed and available in N-able N-central, and the latest known version. The table below outlines the status thresholds for the WUA. If Patch Management is disabled in N-able N-central, the WUA status is considered unmanaged and appears as Normal.
For more information on Windows Update Agent issues, see Patch Status service error messages. | ||||||||||||||||||||||||||||||||
Patch Management Engine Status | Patch Status v2 service goes into a Missconfigured state when there is error reported from Patch Management Engine Patch or Windows Update Agent. When configured, this option evaluates these error messages, and changes the Patch Status v2 to Warning or Error based on the severity of the issue. The Misconfigured state will appear when there is logical error in threshold configuration, such as the threshold is configured incorrectly, such as a gap in values. Options for each situation are:
Error codes that can appear in the service status can include:
|
Patch threshold defaults
High Priority Patches
Notify Me If a New Patch Has Not Been Actioned in (x) Days | |
Monitoring | Normal |
Normal | 0-6 |
Warning | 7-7 |
Failed | 8-infinity |
Were Any Approved Patches Not Successfully Installed During the Last Patch Installation Window? | |
Monitoring | Normal |
How Many Days Before an Approved Patch is Considered Missing? | |
Monitoring | Off |
Medium Priority Patches
Notify Me If a New Patch Has Not Been Actioned in (x) Days | |
Monitoring | Normal |
Normal | 0-14 |
Warning | 15-15 |
Failed | 16-infinity |
Were Any Approved Patches Not Successfully Installed During the Last Patch Installation Window? | |
Monitoring | Normal |
How Many Days Before an Approved Patch is Considered Missing? | |
Monitoring | Off |
Low Priority Patches
Notify Me If a New Patch Has Not Been Actioned in (x) Days | |
Monitoring | Normal |
Normal | 0-30 |
Warning | 31-31 |
Failed | 32-infinity |
Were Any Approved Patches Not Successfully Installed During the Last Patch Installation Window? | |
Monitoring | Normal |
How Many Days Before an Approved Patch is Considered Missing? | |
Monitoring | Off |