Quick Start Guide - Patch Management for Windows
This section provides a Quick Start Guide to set up and use Patch Management for Windows, covering the following information along with links back to the main Help section for further detail:
- Designate a Site Concentrator (Optional)
- Enable and Configure Patch Management
- View Patch and Vulnerability Information
- Manage Patches on Individual Devices
- Disable Patch Management
The Patch Management for Windows engine takes administrative control of Windows Update to download files and install the patches.
Designate a Site Concentrator (Optional)
A typical workstation may require as much as 20 - 30 MB of Microsoft Windows patches alone in any given month. To reduce the volume of traffic where there are a large number of workstations, you can designate a server mode device as the Site Concentrator. The Site Concentrator acts as a repository for the other devices at that site, downloading and caching Agent features, updates and patch installation files. The other Agents then retrieve the files from the Site Concentrator, ensuring each patch is only downloaded once and reducing external network traffic.
When Agents connecting through a Site Concentrator cannot upload due to upstream proxy issues, it is reported in the device Summary tab. For example: Proxy error: Unable to connect through proxy server.
- On the All Devices view Client list, expand the Client.
- Right-click the target Site and select Edit Site.
- Go to Site Concentrator.
- Populate the required information.
- Save to apply.
Create Custom Patch Management for Windows Policies
You can apply a default policy or use your own custom templates when using the Patch Management for Windows Feature Policy configuration option. This allows you to quickly and easily roll out Patch Management for Windows with pre-configured settings, rather than manually configuring each setting for each entity, which can be time-consuming and can introduce human error during setup and subsequent configuration.
- Log into N-sight RMM.
- Go to Settings > Patch Management for Windows > Feature Policy.
- Click New.
- Enter a Policy Name for identification.
- Choose an existing policy to Base policy on.
- Select the device type the policy is available for in Policy Type.
- Click Add to create.
- Select the new policy in the dialog.
- Edit (or double-click on the policy).
- Configure the policy sections to match the updated requirements. These settings are also covered in the Patch Management for Windows Configuration Sections below:
- General Settings
- Patch Status Check (Scan)
- Approval Policy
- Installation Schedule (including reboots)
- Failed Patch alerting
- Save to apply.
We recommend you create Client specific policies because they enable you to create policies that precisely match client requirements, and they can be combined with the Manage Feature Policies for Client Group feature. This feature allows users in the Client Group to manage their assigned policies. Since any changes will affect the devices using that policy, we do not recommend using shared policies with this feature.
Enable Patch Management for Windows
Patch Management for Windows is configurable for Windows devices based on type, at specific Clients and Sites or on individual devices.
Servers and workstations inherit their configuration from the site, which will in turn inherit from the client, which will in turn inherit the default configuration for all servers and workstations. Device level settings take precedence over those set at the policy level.
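A simplified model of the inheritance chain described above, as an added example (not N-sight RMM code or its API): it resolves the effective setting and policy for each device and lists the devices where patching ends up Off, together with the level that turned it off. The `Entity`, `resolve` and `unpatched` names, the sample entities and the policy names are hypothetical, and a device's "Use Policy Setting" is assumed to behave like "Use Parent".

```python
from dataclasses import dataclass
from typing import Optional

ON, OFF, INHERIT = "On", "Off", "Use Parent"

@dataclass
class Entity:
    name: str
    level: str                      # "default", "client", "site" or "device"
    setting: str = INHERIT          # On, Off, or inherit from the parent
    policy: Optional[str] = None    # None: take the parent's policy
    parent: Optional["Entity"] = None

def resolve(entity):
    """Walk device -> site -> client -> default; the nearest explicit value wins.
    Returns (effective setting, entity that set it, effective policy)."""
    setting = source = policy = None
    node = entity
    while node is not None:
        if setting is None and node.setting in (ON, OFF):
            setting, source = node.setting, node
        if policy is None and node.policy:
            policy = node.policy
        node = node.parent
    if setting is None:
        raise ValueError(f"{entity.name}: no On/Off value anywhere in the chain")
    return setting, source, policy

def unpatched(devices):
    """Devices where patching is effectively Off: (device, level, entity that set Off)."""
    found = []
    for dev in devices:
        setting, source, _ = resolve(dev)
        if setting == OFF:
            found.append((dev.name, source.level, source.name))
    return found

# Constructed sample hierarchy (all names are made up for illustration)
default = Entity("All Workstations", "default", ON, "Default Workstation Policy")
acme = Entity("Acme", "client", INHERIT, "Acme Workstations", default)
hq = Entity("Acme HQ", "site", INHERIT, None, acme)
lab = Entity("Acme Lab", "site", OFF, None, acme)
devices = [
    Entity("HQ-PC01", "device", INHERIT, None, hq),    # inherits On from default
    Entity("HQ-PC02", "device", OFF, None, hq),        # device-level override
    Entity("LAB-PC01", "device", INHERIT, None, lab),  # inherits Off from its site
    Entity("LAB-PC02", "device", ON, "Lab Pilot", lab),
]

if __name__ == "__main__":
    for name, level, source in unpatched(devices):
        print(f"{name}: patching Off (set at {level} level: {source})")
```

Running the same resolution over an exported device list gives a quick check for devices that are silently excluded from patching by an override higher up the chain.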
Multiple Devices
- Log into N-sight RMM.
- Go to Settings > Patch Management > Settings.
- Select the Entity type to apply the configuration to (all servers and workstations or servers and workstations at specific clients and sites).
- Choose the Setting from On, Off or Use Parent (only for Client or Site).
- Select the Server/Workstation Policy from the drop-down menu(s).
- OK to save and apply.
Feature status indicators (colored dots) in the Settings dialog indicate if the feature is enabled or disabled at the entity level, and whether devices under an entity have the same settings:
- Green - Enabled for all devices under that entity including device level settings.
- Grey - Disabled on at least one device under that entity including device level settings.
- Orange - A child entity has a different configuration to the parent. If a Client only has one Site, its status indicator reflects that of the Site.
For more information, see Feature and Functionality Settings Icons.
Individual Device
- Log into N-sight RMM.
- Right-click on the device in the North-pane (or from the Edit Server, Workstation or Device drop-down).
- Select Edit <Device Type> > Patch Management for Windows.
- Choose the Setting from On, Off or Use Policy Setting (On) or (Off).
- Select the Policy Settings from the Policy drop-down menu.
- OK to save and apply.
Read the Windows 10 supportability statement.
Settings Options
Setting: On - Select the Patch Management for Windows Configuration Method
Select one of the available configuration options for the selected entity: Patch Management for Windows Feature Policy or manual settings configuration.
Apply a Patch Management Feature Policy
- Tick Use Patch Management policies (Recommended).
- Select the relevant default or custom policy from the drop-down. Where workstations are selected, you can select different policies for desktops and laptops.
If you select Patch Management Feature Policy, you can select a different policy but cannot switch to manual configuration.
For new N-sight RMM accounts only Patch Management Feature Policy is available.
Configure Settings Manually (Legacy)
- Manually configure the below settings for each selected entity.
- Patch Status Check (Scan).
- Patch Auto Approval.
- Installation Schedule (including reboots).
- Failed Patch alerting.
Configure the Patch Scan and Patch Management for Windows Settings
Setting | Description |
---|---|
Patch Scan | Choose N-sight RMM and email notification behavior when missing Patches and Vulnerabilities are discovered. |
Schedule (Patch Scan) | Configure when the Patch Scan runs on the target devices. Regardless of the applied schedule, on-demand Patch Scans may be initiated from the device's context menu, as covered in the Manual Scan section above. |
Auto Approval (Patch Installation) | Select the installation approval Action for Microsoft patches based on Classification and Other Vendors patches based on product. All patches must be approved before they are installed via Patch Management for Windows. Patches not selected for automatic or manual approval may subsequently be approved for all Servers and Workstations or at the Client or Site level via Patch Management Workflow, and at the device level through the Patches tab. |
Installation Schedule | Configure when patches are to be installed for the selection. The Scheduled Time selected under Installation Schedule refers to the local time of the computer the Agent is installed on. Please take this into consideration where your Clients, Sites or Devices are in different timezones, to ensure Patches are not installed at an inappropriate time. One suggestion is to set a custom Installation Schedule at the Client, Site or Device level based on their timezone. |
Failed Patches | Select the behavior when a patch reports as failed. In addition to automatically retrying a failed patch, you also have the option to manually reprocess any patch where it is in the Failed state. |
After Patch Management for Windows is installed on a device it automatically runs a Patch Scan based on the entered Scan Schedule settings.
View Patch and Vulnerability Information
The scan results are displayed against the Patch Status Check, accessible from the device's Checks tab in the All Devices view.
The Check's More Information link contains a summary of the results from the last time the Check ran. Click the link for detailed information, including the Last Scan run time along with the vulnerabilities and missing patches that were identified.
Information across multiple devices is available in the Patch Overview Report with the Failure Report containing only those patches where an installation problem was encountered.
Manage Patches From the All Devices view
Patch Option | Description |
---|---|
Approve | Authorizes the patch for installation at the next scheduled installation time. |
Ignore | Applied to patches that explicitly are not to be installed. When a patch is ignored, it is not identified in the All Devices view or Reports as missing. Reasons for ignoring a patch include those circumstances where its installation is known to cause issues, the patch is outside of the Client's service contract or where installing the patch would have licensing implications for the product. |
Do Nothing | Sets the patch to NOT have any Patch Approval Action apply to it. The patch status will instead reflect what is set in the applied Patch Management for Windows Policy. |
Reprocess Failed | Where problems were experienced installing a patch it is marked as Failed in the South-pane. Selecting a Failed patch brings up the additional option to Reprocess Failed, which will attempt to install the patch again during the next installation cycle (either scheduled or manual). |
Uninstall | Only available for Microsoft patches with Yes in the Uninstallable column. Supports the removal of up to ten patches at any one time. For more information on patch removal please refer to the section Uninstall Microsoft Patches. |
Individual Devices
Patches are managed at the individual device level by selecting the computer in the North-pane then going to its Patches tab.
This tab lists all of the discovered patches along with their Severity, Classification, Patch Name, Product, Date Installed (where detected) along with whether it is Installable and / or Uninstallable.
To simplify the identification of a patch's current state, patches are grouped based on their status: Missing, Installed, Pending etc.
To perform an action against a patch, or a number of patches:
- Use multi-select (Shift and left-click for a range or Control and left-click for specific patches).
- Right-click on one of the patches (or from the Patch drop-down).
- Choose the required action from: Approve, Ignore, Do Nothing, Reprocess Failed or Uninstall (only available for installed Microsoft patches that are marked as Uninstallable).
These actions are also available for individual patches from the Patch Information dialog:
- Double-click on the target patch in the South-pane.
- Choose the required action in the dialog.
Regardless of where the action is performed, if Approve is selected the user is prompted to Use existing schedule or Schedule a new time to install the selection. To confirm, the user enters the password of the user account they have logged into N-sight RMM as.
Multiple Devices
Patches are managed across multiple devices at the overall device type (server or workstation), Client or Site level through the Patch Management Workflow (choose how each of the specified patches is handled, including installation schedule).
Use the available filters to reduce the returned information, for example filtering by patch status or searching by patch name, then through multi-select (use Shift and left-click to choose a range of patches or Control and left-click for specific patches).
Patch Management for Windows Workflow
- Choose the required action from Approve, Ignore, Do Nothing, Reprocess Failed or Uninstall.
- Select the target Clients and Sites.
- Set the installation schedule: use the existing schedule or set up a new schedule which is only applicable to this patch selection.
Patch Uninstall - the uninstall option is only available for Microsoft patches that are marked as Uninstallable in the All Devices view.
Visit Patch Approval Actions for information on the patch approval hierarchy.
Disable Patch Management for Windows
Multiple Devices
- Log into N-sight RMM.
- Go to Settings > Patch Management > Settings.
- Select the Entity type to apply the configuration to (all servers and workstations or servers and workstations at specific clients and sites).
- Choose Setting: Off or Use Parent (Off) (only for Client or Site).
- OK to save and apply.
Individual Device
- Log into N-sight RMM.
- Right-click on the device in the North-pane (or from the Edit Server, Workstation or Device drop-down).
- Go to Edit <Device Type> and Patch Management.
- Choose the Setting: On, Off or Use Policy Setting (Off).
- OK to save and apply.