Prerequisites and System Requirements

System Requirements

Patch Management prevents Device End Users from turning Windows Update's optional Updates ON or OFF. Ensure Windows Update's optional Updates are turned OFF before enabling Patch Management, to prevent unexpected and unmanaged updates.

If a device requires Windows Update's optional Updates, Patch Management must first be disabled before they can be turned back on.

Patch Management for Windows

  • Microsoft Windows 7 SP1
  • Microsoft Windows 8
  • Microsoft Windows 8.1
  • Microsoft Windows 10
  • Microsoft Windows Server 2008 R2 SP1
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016

Ensure the operating system is on the latest service pack available, which is critical for Windows 7 and Windows Server 2008 R2.

The following Operating Systems are not supported:

  • Microsoft Windows XP
  • Microsoft Windows Vista
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2008
  • Microsoft Windows 10 Home

Patch Management for Windows is not supported on Core (including Hyper-V) systems.

For more information about supported Windows versions and the associated Monitoring Agent (where applicable), see Supported operating systems: Windows.

N-sight RMM User Permissions

Agent updates and Patch Management configuration and usage are available to N-sight RMM users with enhanced permissions (for example Superuser) or a login with Agents and Patch Management for Windows privileges enabled.

Any substantive changes made, for example changes to Patch Management for Windows's configuration, are included in the User Audit Report.

Patch Download Location

During the installation process, patches are downloaded to a temporary repository folder and then copied to C:\Windows\Patches, from where they are executed. At the end of the remediation process, the patch files are deleted from both locations.

Windows Update Agent

Patch Management for Windows uses the Windows Update Agent (wuauserv service) when scanning for Microsoft patches. The service displays as Windows Update.

The wuauserv service is enabled by default and should start automatically on all Operating Systems. If the service is disabled or not installed, the Windows Update Agent cannot be invoked and Patch Management will fail to detect any Microsoft patches.

The N-able Patch Management engine requires a Windows Update Agent (WUA) version greater than 7.6.7600.320. The base NT build version of Windows should be 6.1 or later. Older versions of the base NT build cannot upgrade past version 7.6.7600.256 of the Windows Update Agent.

To determine the version of Windows Update Agent use the following procedure:

  1. In the File Explorer, navigate to C:\Windows\System32\ and locate the file wuaueng.dll
  2. Right-click the file and click Properties
  3. Click the Details tab, to find the Product Version
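
The same prerequisites can be checked from a script. The following PowerShell is an added example, not N-able's own tooling: it assumes Windows PowerShell 3.0 or later, and the function name Test-WuaPrerequisite is hypothetical. The thresholds are the ones stated above.

```powershell
# Added example: checks the Windows Update Agent prerequisites described above.
# Test-WuaPrerequisite is a hypothetical name; thresholds come from this page.
function Test-WuaPrerequisite {
    $minWua  = [version]'7.6.7600.320'   # WUA version must be greater than this
    $minNt   = [version]'6.1'            # base NT build must be 6.1 or later
    $dllPath = Join-Path $env:SystemRoot 'System32\wuaueng.dll'

    # wuauserv must be installed and must not be disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    $serviceOk = ($null -ne $svc) -and ($svc.StartMode -ne 'Disabled')

    # Build the version from the numeric product-version fields of the DLL
    # rather than parsing the display string shown on the Details tab.
    $wuaVersion = $null
    if (Test-Path -LiteralPath $dllPath) {
        $vi = (Get-Item -LiteralPath $dllPath).VersionInfo
        $wuaVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.ProductMajorPart,
            $vi.ProductMinorPart, $vi.ProductBuildPart, $vi.ProductPrivatePart)
    }
    $wuaOk = ($null -ne $wuaVersion) -and ($wuaVersion -gt $minWua)

    $ntVersion = [Environment]::OSVersion.Version
    $ntOk = $ntVersion -ge $minNt

    [pscustomobject]@{
        ServiceState     = if ($svc) { $svc.State } else { 'NotInstalled' }
        ServiceStartMode = if ($svc) { $svc.StartMode } else { $null }
        WuaVersion       = $wuaVersion
        WuaVersionOk     = $wuaOk
        NtVersion        = $ntVersion
        NtVersionOk      = $ntOk
        Ready            = $serviceOk -and $wuaOk -and $ntOk
    }
}

Test-WuaPrerequisite | Format-List
```

A device where Ready is False will not return Microsoft patches in a Patch Status Scan; the other fields show which prerequisite failed.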

Patch Management for Windows and Windows Update

The Patch Management for Windows engine takes administrative control of Windows Update to download files and install the patches.

Windows Feature Update with Full Disk Encryption

Starting with the Windows 10 Anniversary Update release, Microsoft provides new command line parameters which specify the path to a folder that contains encryption drivers for a computer that has third-party encryption enabled. To reduce the possibility of encountering errors during the upgrade we have hardcoded the recommended default Microsoft path and will query this location for the setupconfig.ini, which is filled out by encryption vendors.

We have also added the capability to add your own custom path to the patch config files, to support those vendors who store the setupconfig.ini file in a different location. Further information is available in the Windows Feature Update with Full Disk Encryption section.

Proxies and Windows Updates

In Windows, you can configure the Agent to use a proxy to download Microsoft patches and third-party patches. However, Windows Update does not inherit the proxy settings entered in the Agent and instead applies the proxy configuration from Windows. As a result, Patch Management cannot use the Agent-entered proxy settings to download Windows updates. The customer can configure their systems to enable Windows Update to use a proxy to retrieve a list of updates. For further information, see the Microsoft article "How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site".

Recommended Antivirus Settings

Due to the intensive nature of the Patch Status Scan on the device, its performance may be affected by any antivirus or antispyware products, particularly when they are configured for real-time scanning. In order to alleviate the impact of these programs, we would suggest adding exceptions for the following Patch Management folders (and sub-folders) to allow read/write access.

Patch Management for Windows Engine

Application Name:

  • File Cache Service Agent
  • Patch Management Service Controller
  • Request Handler Agent

Windows Services

Windows Service Name:

  • File Cache Service Agent
  • Agent PME Agent
  • Request Handler Agent

Program Path

Path:

  • C:\Program Files (x86)\Advanced Monitoring Agent\FileCacheServiceAgent\
  • C:\Program Files (x86)\Advanced Monitoring Agent\patchman\
  • C:\Program Files (x86)\Advanced Monitoring Agent\RequestHandlerAgent\

Data Folder

Path:

  • C:\ProgramData\MspPlatform\FileCacheServiceAgent\
  • C:\ProgramData\MspPlatform\PME\
  • C:\ProgramData\MspPlatform\RequestHandlerAgent\

The Group Policy Advanced Monitoring Agent installs to ...\Program Files (x86)\Advanced Monitoring Agent GP\...
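
Real-time scanning no longer covers an excluded folder, so it is worth confirming who can write to each folder before the exclusion is added. The following PowerShell is an added example, not N-able's own procedure: it assumes Microsoft Defender Antivirus (Add-MpPreference), Windows PowerShell 3.0 or later and an elevated session, and Get-BroadWriteAccess is a hypothetical helper name. Other antivirus products are configured from their own console.

```powershell
# Added example: audit the Patch Management folders listed on this page, then
# exclude only those that broad, non-administrative groups cannot write to.
$paths = @(
    'C:\Program Files (x86)\Advanced Monitoring Agent\FileCacheServiceAgent\',
    'C:\Program Files (x86)\Advanced Monitoring Agent\patchman\',
    'C:\Program Files (x86)\Advanced Monitoring Agent\RequestHandlerAgent\',
    'C:\ProgramData\MspPlatform\FileCacheServiceAgent\',
    'C:\ProgramData\MspPlatform\PME\',
    'C:\ProgramData\MspPlatform\RequestHandlerAgent\'
)
# Well-known SIDs of broad groups (locale independent).
$broadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'BUILTIN\Users' }
# Rights that allow creating or changing files, plus GENERIC_WRITE and GENERIC_ALL.
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteAccess {
    param([string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid      = $rule.IdentityReference.Value
        $canWrite = ([int]$rule.FileSystemRights -band $writeMask) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid) -and $canWrite) {
            [pscustomobject]@{ Path = $Path; Group = $broadSids[$sid]; Rights = $rule.FileSystemRights }
        }
    }
}

foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Not present: $path"; continue }
    $findings = @(Get-BroadWriteAccess -Path $path)
    if ($findings.Count -gt 0) {
        $findings | Format-Table -AutoSize
        Write-Warning "Skipped exclusion for $path until its ACL is reviewed."
    } else {
        Add-MpPreference -ExclusionPath $path
    }
}
```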

Patch Management for Windows URLs

Patch Management requires specific files to successfully scan the device and problems may occur if these files are unavailable. To ensure these files are successfully downloaded, we would suggest allowing the following URLs in any firewall (including Deep Packet Inspection modules) or web monitoring software on the computer over both HTTP (port 80) and HTTPS (port 443).

Patch Management for Windows Engine

  • sis.n-able.com*
  • go.microsoft.com/*
  • *.download.microsoft.com
  • *.windowsupdate.com
  • *.update.microsoft.com

To ensure the successful operation of the Patch Management for Windows Engine, HTTP and HTTPS communication between the File.Cache.Service.Agent Windows service (%Programfiles(x86)%Advanced Monitoring Agent\CacheService\FileCacheServiceAgent.exe) and sis.n-able.com must not be blocked.

By default, new N-sight RMM Accounts have Patch Management for Windows enabled and configured for manual patch approval and installation.

Disclaimer
Please be aware that we are not responsible for any harmful effects that actions performed by Patch Management for Windows may have on the target system.