Quick Start Guide - Patch Management for Windows

This section provides a Quick Start Guide to setup and use Patch Management for Windows covering the following information along with links back to the main Help section for further detail:

Patch Management for Windows engine takes administrative control of Windows Update to download files and install the patches.

Designate a Site Concentrator (Optional)

A typical workstation may require as much as 20 - 30MB of Microsoft Windows patches alone in any given month. To reduce the volume of traffic where there are a large number of workstations, you can designate a server mode device Site Concentrator. The Site Concentrator acts as a repository for the other devices at that site, downloading and caching Agent features, updates and patch installation files. These other Agents, then retrieve the files from the Site Concentrator, ensuring each patch is only downloaded once and reducing external network traffic.

When Agents connecting through a Site Concentrator cannot upload due to upstream proxy issues, it is reported in the device Summary tab. For example: Proxy error: Unable to connect through proxy server.

  1. On the All Devices view Client list, expand the Client.
  2. Right-click the target Site and select Edit Site.
  3. Go to Site Concentrator.
  4. Populate the required information.
  5. Save to apply.

Create Custom Patch Management for Windows Policies

You can apply a default policy or use your own custom templates when using the Patch Management for Windows Feature Policy configuration option. This allows you to quickly and easily roll-out Patch Management for Windows with pre-configured settings, rather than manual configure each setting for each entity which can be time-consuming and potentially introduce the possibility of human error during the setup and subsequent configuration process.

  1. Log into N-sight RMM.
  2. Go to Settings > Patch Management for Windows > Feature Policy.
  3. Click New.
  4. Enter a Policy Name for identification.
  5. Choose an existing policy to Base policy on.
  6. Select the device type the policy is available for in Policy Type.
  7. Click Add to create.
  8. Select the new policy in the dialog.
  9. Edit (or double-click on the policy).
  10. Configure the policy sections to match the updated requirements. These settings are also covered in the below Patch Management for Windows Configuration Sections;
  11. Save to apply.

We recommend you create Client specific policies because they enable you to create policies that precisely match client requirements, and they can be combined with the Manage Feature Policies for Client Group feature. This feature allows users in the Client Group to manage their assigned policies. Since any changes will affect the devices using that policy, we do not recommend using shared policies with this feature.

Enable Patch Management for Windows

Patch Management for Windows is configurable for Windows devices based on type, at specific Clients and Sites or on individual devices.

Servers and workstations inherit their configuration from the site, which will in turn inherit from the client, which will in turn inherit the default configuration for all servers and workstations. Device level settings take precedence over those set at the policy level.

Multiple Devices

  1. Log into N-sight RMM.
  2. Go to Settings > Patch Management > Settings.
  3. Select the Entity type to apply the configuration to (all servers and workstations or servers and workstations at specific clients and sites).
  4. Feature status indicators (colored dots) in the Settings dialog indicate if the feature is enabled or disabled at the entity level, and whether devices under an entity have the same settings:

    • Green - Enabled for all devices under that entity including device level settings.
    • Grey - Disabled on at least one device under that entity including device level settings.
    • Orange – A child entities has a different configuration to the parent. If a Client only has one Site, its status indicator reflects that of the Site.

    For more information, see Feature and Functionality Settings Icons.

  5. Choose the Setting from On, Off or Use Parent (only for Client or Site).
  6. Select the Server/Workstation Policy from the drop-down menu(s).
  7. OK to save and apply.

Individual Device

  1. Log into N-sight RMM.
  2. Right-click on the device in the North-pane (or from the Edit Server, Workstation or Device drop-down).
  3. Select Edit <Device Type> > Patch Management for Windows.
  4. Choose the Setting from On, Off or Use Policy Setting (On) or (Off).
  5. Select the Policy Settings from the Policy drop-down menu.
  6. OK to save and apply.

Read the Windows 10 supportability statement.

Settings Options

Setting: On - Select the Patch Management for Windows Configuration Method

Select one of the available configuration options for the selected entity: Patch Management for Windows Feature Policy or manual settings configuration.

Apply a Patch Management Feature Policy

  1. Tick Use Patch Management policies (Recommended).
  2. Select the relevant default or custom policy from the drop-down. Where workstations are selected, you can select different policies for desktops and laptops.

If you select Patch Management Feature Policy, you can select a different policy but cannot switch to manual configuration.

For new N-sight RMM accounts only Patch Management Feature Policy is available.

Configure Settings Manually (Legacy)

  1. Manually configure the below settings for each selected entity.
  2. Patch Status Check (Scan).
  3. Patch Auto Approval.
  4. Installation Schedule (including reboots).
  5. Failed Patch alerting.

Configure the Patch Scan and Patch Management for Windows Settings

Patch Scan

Choose N-sight RMM and email notifications behavior when missing Patches and Vulnerabilities are discovered.

Schedule (Patch Scan)

Configure when the Patch Scan runs on the target devices.

DSC Cycle

Runs the Patch Scan at the same time as the Daily Safety Checks. (Default).

Manual Scan

The Patch Scan only runs when manually initiated from the Device context menu.

In the North-pane of the All Devices view use multi-select to choose the target devices (use Shift and left-click to choose a range of devices or Control and left-click for specific machines) right-click on one of the selection then go to Patch Management> Re-run Patch Scan.

Scheduled Scan

Run the Patch Scan based on the entered time and repetition.

Regardless of the applied schedule, on-demand Patch Scans may be initiated from the device's context menu. As covered in the Manual Scan section above.

Auto Approval (Patch Installation)

Select the installation approval Action for Microsoft patches based on Classification and Other Vendors patches based on product.

Classification/product

MS Patch Classification / 3rd Party Product

Action

Ignore

Do not install patches of this Classification/product.

Approve

Approve patches of this Classification/product for automatic installation the next time Patch Management for Windows remediation runs (Installation Schedule).

Please note that automatically approved patches are not reported as Missing in the Patch Status Check (or Patches tab and subsequent Reports) but will go immediately to Pending.

Manual

Approve and install patches of this classification/product at a later date.

All patches must be approved before they are installed via Patch Management for Windows and if not selected for automatic or manual approval, the patches may subsequently be approved for all Servers and Workstations or at the Client or Site level via Patch Management Workflow and at the device level through the Patches tab.

Installation Schedule

Configure when patches are to be installed for the selection:

Manual

Initiate the installation from the All Devices view.

Scheduled Installation

Install the patches at the specified time: Day, Week or Month.

Choose whether to Reboot After Installation: Never, When Required or Always.

And how missed schedules are handled.

The Scheduled Time selected under Installation Schedule refers to the local time of the computer the Agent is installed on. Please take this into consideration where your Clients, Sites or Devices are in different timezones, to ensure Patches are not installed at an inappropriate time. One suggestion is to set a custom Installation Schedule at the Client, Site or Device level based on their timezone.

Failed Patches

Select the behavior when a patch reports as failed.

Automatically reprocess failed patches

Where a patch installation fails, enabling this option will retry the patch deployment based on the device's patch Installation Schedule.

For handling those instances where a patch fails to install multiple times, we have included the ability to set the number of times a patch will be reprocessed (maximum of 5) before it is considered failed,

To avoid installing patches at a time that may not be suitable to the business or user, this reprocessing option respects the patch Installation Schedule .

For example, if patches are set to install every weekday at 10:00am and a patch fails on Monday, then N-sight RMM will retry that patch each day at 10:00am until either the patch installs or the maximum number of attempts is reached. Or where patches are set to install manually, we will attempt to retry that patch each time you run a manual patch remediation until either the patch installs or the maximum number of attempts is reached.

Please be aware that running a manual remediation does not count towards the Automatically reprocess failed patches count where the Installation Schedule is set to Scheduled (daily, weekly or monthly). The count figure is only incremented when the remediation takes place  as part of the device's scheduled remediation.

Whilst in the reprocessing state, a patch is not reported as failed.

Send an email when patch installation fails

As a patch installation failure may require investigation, you can choose whether to send an email notification where a patch fails to install.

In addition to automatically retrying a failed patch, you also have the option to manually reprocess any patch where it is in the Failed state.

After Patch Management for Windows is installed on a device it automatically runs a Patch Scan based on the entered Scan Schedule settings.

View Patch and Vulnerability Information

The scan results are displayed against the Patch Status Check, accessible from the device's Checks tab in the All Devices view.

The Check's More Information link contains a summary of the results the last time the Check ran, click the link for detailed information in including the Last Scan run time along with the vulnerabilities and missing patches that were identified.

Information across multiple devices is available in the Patch Overview Report with the Failure Report containing only those patches where an installation problem was encountered.

Manage Patches From the All Devices view

Patch Option Description
Approve Authorizes the patch for installation at the next scheduled installation time.
Ignore Applied to patches that explicitly are not to be installed. When a patch is ignored, it is not identified in the All Devices view or Reports as missing.

Reasons for ignoring a patch include those circumstances where its installation is known to cause issues, the patch is outside of the Client's service contract or where installing the patch would have licensing implications for the product.

Do Nothing Sets the patch to NOT have any Patch Approval Action apply to it. The patch status will instead reflect what is set in the applied Patch Management for Windows Policy.
Reprocess Failed Where problems were experienced installing a patch it is marked as Failed in the South-pane. Selecting a Failed patch brings up the additional option to Reprocess Failed, which will attempt to install the patch again during the next installation cycle (either scheduled or manual).
Uninstall Only available for Microsoft patches with Yes in the Uninstallable column.

Supports the removal of up to ten patches at any one time. For more information on patch removal please refer to the section Uninstall Microsoft Patches.

Individual Devices

Patches are managed at the individual device level by selecting the computer in the North-pane then going to its Patches tab.

This tab lists all of the discovered patches along with their Severity, Classification, Patch Name, Product, Date Installed (where detected) along with whether it is Installable and / or Uninstallable.

To simplify the identification of a patch's current state, patches are grouped based on their status: Missing, Installed, Pending etc.

To perform an action against a patch, or number of patches

  1. Use multi-select (Shift and left-click for a range or Control and left-click for specific patches).
  2. Right-click on one of the patches (or from the Patch drop-down).
  3. Choose the required action from : Approve, Ignore, Do Nothing, Reprocess Failed or Uninstall (only available for installed Microsoft patches that are marked as Uninstallable).

These actions are also available for individual patches from the Patch Information dialog

  1. Double-click on the target patch in the South-pane.
  2. Choose the required action in the dialog.

Regardless of where the action is performed, if Approve is selected the user is prompted to Use existing schedule or Schedule a new time to install the selection entering the password of the user account they have logged into N-sight RMM as to confirm.

Multiple Devices

Patches are managed across multiple devices at the overall device type (server or workstation), Client or Site level through the Patch Management Workflow (choose how each of the specified patches is handled, including installation schedule).

Use the available filters to reduce the returned information, for example filtering by patch status or searching by patch name, then through multi-select (use Shift and left-click to choose a range of patches or Control and left-click for specific patches).

Patch Management for Windows Workflow

  1. Choose the required action from Approve, Ignore, Do Nothing, Reprocess Failed or Uninstall.
  2. Select the target Clients and Sites.
  3. Set the installation schedule: use existing or setup a new schedule which is only applicable to this patch selection.

 

Patch Uninstall - the uninstall option is only available for Microsoft patches that are marked as Uninstallable in the All Devices view.

Visit Patch Approval Actions for information on the patch approval hierarchy.

Disable Patch Management for Windows

Multiple Devices

  1. Log into the N-sight RMM.
  2. Go to Settings > Patch Management > Settings.
  3. Select the Entity type to apply the configuration to (all servers and workstations or servers and workstations at specific clients and sites).
  4. Choose Setting: Off or Use Parent (Off) (only for Client or Site).
  5. OK to save and apply.

Individual Device

  1. Log into N-sight RMM.
  2. Right-click on the device in the North-pane (or from the Edit Server, Workstation or Device drop-down).

  3. Go to Edit <Device Type> and Patch Management.
  4. Choose the Setting: On, Off or Use Policy Setting (Off).
  5. OK to save and apply.