Patch Status service

The Patch Status service is automatically added to all Windows devices. It provides insight into the state of patching on a specific device as well as providing metrics for your reporting. You can configure settings through the Status, Service Details, Self-Healing, and Reports tabs on this window.

As of N-able N-central version 12.1, agents that are upgraded to the current version no longer report to, or have available, the Patch Status service. These agents use the Patch Status V2 service going forward. Devices using older agents will continue to report to the Patch Status service.

The Patch Status service is not connected to Patch Management. You can use the service and not use Patch Management and vice versa.

Recommendations for setting up this service:

  • On the Service Details tab, set Threshold for Monitoring old patches (days) to 31 days.
  • On the Thresholds tab, turn off all thresholds except for Patches installed with errors, Missing Patches Older Than (x) Days, and Reboot Required. The service will now only alert you if something has gone wrong with your patch schedule, a patch has failed or a reboot is needed. The data will still be available for reporting.

Instances on a Device: 1
Device Class: Laptop - Windows, Server - Windows, and Workstation - Windows
Monitored By: Windows agent
Scan Interval: The default interval is five minutes.
Time To Stale: The time, in minutes, that N-able N-central waits to receive data about the service. If no data is received within the specified time period, the service will transition to a Stale status. The default is 4320 minutes; 72 hours, or 3 days.
Threshold for Monitoring old patches: The duration in days that a patch can be approved but not installed before the patch is added to the Missing Patches That Were Approved Over xx Days Ago metric. The default is 60 days.
Include Patches in the following categories: The types of patches to be reported by the service.

Status updates

The status of the patch service updates on these triggers in N-able N-central:

  • When the device performs a reboot.
  • When performing an asset scan.
  • On the completion of the Patch Detection Maintenance Window.
  • On the completion of the Patch Installation Maintenance Window.
  • When making a change in the Patch Management profile.

Scanning and thresholds

Unlike other N-able N-central services, the Patch Status service does not run at regular time intervals; rather, it is event-based. The Patch Status service updates its status:

  • after every Detection/Installation Maintenance Window event,
  • by events in the agent, or
  • by selecting Scan Now.

Full detection (a Windows Update Agent scan) runs only during a Detection/Installation Maintenance Window or an asset scan. Outside of these updates, N-able N-central uses cached patch data to refresh the Patch Status service quickly, such as when using the Scan Now feature.

Full detection typically takes 10-20 minutes to complete. In some cases, full detection can take up to 60 minutes due to internal timeouts in the agent's detection process. If cached data is used, the Patch Status is updated within five minutes.

Any manual installation of patches will appear in the Patch Status service after the next Detection/Installation Maintenance Window.

If a problem in detection causes a WUA error, the Patch Status service suppresses the error status for six hours in case the error is a temporary problem.

Status

Overview tab

The overview shows a graphical representation of your patch state, including approved but not yet installed patches, and unapproved patches. The summary shows high-level alerting information, including reboot details, patches installed with errors, and upcoming scheduled patch events.

The information on this tab is useful for patch troubleshooting. It updates each time a scheduled patch detection occurs or after completing a patch cycle.

Patch Download Source Messages

In the Values column of the Patch Summary table, N-able N-central provides messages that show which sources a device is configured to download patches from and whether each source is functioning.

Each message is split into two parts. The first part of the message provides download source information about Windows Updates, and the second part of the message provides download source information about Third Party updates.

| Microsoft Updates = Message 1 | Meaning |
|---|---|
| Unmanaged | Patch Management is disabled. |
| Windows Update | The agent will only download patches from Microsoft server. |
| Probe 123.123.123.123 | The agent will download patches from the probe. |
| Windows Update (Probe unavailable) | The agent is unable to reach the probe and will download patches from Microsoft servers. |
| No source (Probe unavailable, Windows Update not allowed) | The agent is unable to reach the probe and is not allowed to download patches from Microsoft’s servers. Patching will fail. |

Note: You can fix this issue and allow the device to contact external sources by selecting a Patch Profile that has the Communicate Externally for Updates option selected. For more information see Patch Management Profiles.

| Third Party Updates = Message 2 | Meaning |
|---|---|
| Unmanaged | Patch Management is disabled. |
| Not Enabled | Third Party Patching is disabled. |
| Direct from vendors | The agent will only download patches from third party product vendors. |
| Probe 123.123.123.123 | The agent will download patches from the probe. |
| Direct from vendors(Probe unavailable) | The agent is unable to reach the probe and will download patches from third party product vendors. |
| No source (Probe unavailable, Direct from vendors not allowed) | The agent is unable to reach the probe and is not allowed to download patches from third party product vendors. Patching will fail. |

Note: You can fix this issue and allow the device to contact external sources by selecting a Patch Profile that has the Communicate Externally for Updates option selected. For more information see Patch Management Profiles.
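
The triage below is an added example, not N-able code: it classifies the two message parts from the tables above and lists devices where patching will fail or where the agent has fallen back from the probe. The device names and rows are constructed, and the two parts are assumed to arrive as separate strings, since the page does not show how they are joined.

```python
import re

# Message forms taken from the two tables above. "No source" means patching
# will fail; "(Probe unavailable)" with a fallback means the probe is bypassed.
_PROBE = re.compile(r"^Probe\s+(\d{1,3}(?:\.\d{1,3}){3})$")
_FALLBACK = re.compile(r"^(Windows Update|Direct from vendors)\s*\(Probe unavailable\)$")

def classify_source(message):
    """Return (state, detail) for one half of a Patch Download Source message."""
    text = " ".join(message.split())  # normalise stray whitespace
    if text == "Unmanaged":
        return ("unmanaged", "Patch Management is disabled")
    if text == "Not Enabled":
        return ("disabled", "Third Party Patching is disabled")
    if text in ("Windows Update", "Direct from vendors"):
        return ("direct", text)
    m = _PROBE.match(text)
    if m:
        return ("probe", m.group(1))
    m = _FALLBACK.match(text)
    if m:
        return ("probe_fallback", m.group(1))
    if text.startswith("No source"):
        return ("no_source", "patching will fail")
    return ("unknown", text)  # surface anything the tables do not list

def triage(rows):
    """rows: (device, microsoft_msg, third_party_msg) tuples. Worst findings first."""
    findings = []
    for device, ms, tp in rows:
        for label, msg in (("Microsoft", ms), ("Third Party", tp)):
            state, detail = classify_source(msg)
            if state in ("no_source", "probe_fallback", "unknown"):
                findings.append((device, label, state, detail))
    order = {"no_source": 0, "probe_fallback": 1, "unknown": 2}
    return sorted(findings, key=lambda f: (order[f[2]], f[0]))

# Constructed sample rows (hypothetical device names)
SAMPLE = [
    ("WS-001", "Probe 123.123.123.123", "Probe 123.123.123.123"),
    ("WS-002", "Windows Update (Probe unavailable)", "Direct from vendors(Probe unavailable)"),
    ("SRV-01", "No source (Probe unavailable, Windows Update not allowed)", "Not Enabled"),
    ("LT-07", "Unmanaged", "Unmanaged"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```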

Windows Update Agent

An up-to-date WUA ensures devices will be able to have the latest Microsoft patches available for installation. N-able N-central updates the WUA automatically. An up-to-date version of the WUA is stored on the SIS server. The Patch Status service monitors the WUA and includes information about its current state.

The information on the Patch Status overview page lists the installed version on the device, the version managed and available in N-able N-central, and the latest known version.

The table below outlines the status thresholds for the WUA.

If patch management is disabled in N-able N-central, the WUA status is considered unmanaged and appears as Normal.

| WUA Version | WUA Status | Install Maintenance Window | Result |
|---|---|---|---|
| Up-to-date | Working | | Normal |
| Up-to-date | Malfunctioned | | Failed |
| Out-of-date | Malfunctioned | Planned | Warning |
| Out-of-date | Malfunctioned | Passed | Failed |
| Out-of-date | Working | Passed | Warning |
| Out-of-date | Working | Not planned | Warning |
| Out-of-date | Malfunctioned | Not planned | Failed |

For more information on Windows Update Agent issues, see Patch Status service error messages.

Approved Patches tab

This tab provides a summary of patches that the device is waiting to install.

Not Approved Patches tab

This tab displays a list of patches available to the device that have not yet been approved. They will remain on the page until approved by the Approve/Decline patches process or by an automatic approval. From this tab, you have the ability to review and selectively approve patches for this device.

Service details

Adjust key metrics, including the threshold for old patches that is used in the monitoring metric, Threshold for Monitoring old patches (days).

Thresholds

Adjust the thresholds for the details that the Patch Status service monitors and alerts on. Thresholds come from the service templates that apply the service, such as the Laptops - Windows Service template.

Thresholds may be turned off, which prevents alerts on the number of patches available, but this data will still be available for reporting.

Self-Healing

This tab enables you to configure Self-Healing actions for patch status.

Reports

This tab provides per-device reporting.