Quick Start Guide - Patch Management

This section provides a Quick Start Guide to set up and use Patch Management, covering the following information along with links back to the main Help section for further detail:

The Patch Management engine takes administrative control of Windows Update to download files and install the patches.

Designate a Site Concentrator (Optional)

A typical workstation may require as much as 20 - 30MB of Microsoft Windows patches alone in any given month. To reduce the volume of traffic where there are a large number of workstations, you can designate a server mode device as the Site Concentrator. The Site Concentrator acts as a repository for the other devices at that site, downloading and caching Agent features, updates and patch installation files. The other Agents then retrieve the files from the Site Concentrator, ensuring each patch is only downloaded once and reducing external network traffic.

When Agents connecting through a Site Concentrator cannot upload due to upstream proxy issues, it is reported in the device Summary tab. For example: Proxy error: Unable to connect through proxy server.

  1. On the N-sight RMM Dashboard Client list, expand the Client
  2. Right-click the target Site and select Edit Site
  3. Go to Site Concentrator
  4. Populate the required information
  5. Save to apply

Create Custom Patch Management Policies

You can apply a default policy or use your own custom templates when using the Patch Management Feature Policy configuration option. This allows you to quickly and easily roll out Patch Management with pre-configured settings, rather than manually configuring each setting for each entity, which can be time-consuming and can introduce human error during setup and subsequent configuration.

  1. Log into the Dashboard
  2. Go to Settings > Patch Management > Feature Policy
  3. Click New
  4. Enter a Policy Name for identification
  5. Choose an existing policy to Base policy on
  6. Select the device type the policy is available for in Policy Type
  7. Click Add to create
  8. Select the new policy in the dialog
  9. Edit (or double-click on the policy)
  10. Configure the policy sections to match the updated requirements. These settings are also covered in the Patch Management Configuration sections below
  11. Save to apply

We recommend creating Client specific policies. These not only allow you to create policies that precisely match the client's requirements, but can be combined with the Manage Feature Policies for Client Group feature. Where enabled, this feature allows users in the Client Group to manage their assigned policies. As any changes will affect the devices using that policy, we do not recommend using shared policies with this feature.

Enable and Configure Patch Management

Patch Management is configurable for all devices on the Dashboard based on type, at specific Clients and Sites or on individual devices.

Servers and workstations inherit their configuration from the site, which in turn inherits from the client, which in turn inherits the default configuration for all servers and workstations. Device level settings take precedence over those set at the policy level.
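The inheritance chain described above can be modelled to audit which devices end up with Patch Management switched off, and at which level that decision was made. This is an added example, not N-sight RMM code; the Entity class, the function names and the sample hierarchy are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entity:
    name: str
    level: str                       # "default", "client", "site" or "device"
    setting: Optional[bool]          # True = On, False = Off, None = Use Parent / Use Policy Setting
    parent: Optional["Entity"] = None

def effective_setting(entity):
    """Walk device -> site -> client -> default; return (enabled, deciding entity)."""
    node = entity
    while node is not None:
        if node.setting is not None:  # first explicit On/Off wins
            return node.setting, node
        node = node.parent
    raise ValueError(f"{entity.name}: no On/Off setting found up to the default level")

def unpatched_devices(devices):
    """Return (device, deciding level, deciding entity) for each device that resolves to Off."""
    findings = []
    for device in devices:
        enabled, source = effective_setting(device)
        if not enabled:
            findings.append((device.name, source.level, source.name))
    return findings

# Constructed sample hierarchy (names are placeholders).
DEFAULT = Entity("All servers and workstations", "default", True)
ACME = Entity("Acme", "client", None, DEFAULT)      # Use Parent
HQ = Entity("HQ", "site", False, ACME)              # Off at site level
BRANCH = Entity("Branch", "site", None, ACME)       # Use Parent
DEVICES = [
    Entity("HQ-WS01", "device", None, HQ),          # inherits Off from the site
    Entity("HQ-SRV01", "device", True, HQ),         # device-level On overrides the site
    Entity("BR-WS01", "device", None, BRANCH),      # inherits On from the default
    Entity("BR-WS02", "device", False, BRANCH),     # device-level Off override
]

if __name__ == "__main__":
    for name, level, source in unpatched_devices(DEVICES):
        print(f"{name}: Patch Management Off (set at {level} '{source}')")
```
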

Multiple Devices

  1. Log into the Dashboard
  2. Go to Settings > Patch Management > Settings
  3. Select the Entity type to apply the configuration to (all servers and workstations or servers and workstations at specific clients and sites)
  4. Feature status indicators (colored dots) in the Settings dialog indicate if the feature is enabled or disabled at the entity level, and whether devices under an entity have the same settings:

    • Green - Feature or functionality enabled for all devices under that entity. This includes device level settings
    • Grey - Feature or functionality disabled on at least one device under that entity. This includes device level settings
    • Orange - One of the child entities has a different configuration to the parent. Where a Client only has one Site, its status indicator reflects that of the Site.

    For more information on these states, see Feature and Functionality Settings Icons.

  5. Choose the Setting from On, Off or Use Parent (only for Client or Site)
  6. Configure the Patch Status Check (Scan) and Patch behavior: Auto Approval, Installation Schedule (including reboots), Failed Patch alerting. Covered below.
  7. OK to save and apply

Individual Device

  1. Log into the Dashboard
  2. Right-click on the device in the North-pane (or from the Edit Server, Workstation or Device drop-down)
  3. Go to Edit <Device Type> and Patch Management
  4. Choose the Setting from On, Off or Use Policy Setting (On) or (Off)
  5. Configure the Patch Status Check (Scan) and Patch behavior: Auto Approval, Installation Schedule (including reboots), Failed Patch alerting. Covered below.
  6. OK to save and apply

Read the Windows 10 supportability statement.

Settings Options

Setting: On - Select the Patch Management Configuration Method

Select one of the available configuration options for the selected entity: Patch Management Feature Policy or manual settings configuration.

Apply a Patch Management Feature Policy

  1. Tick Use Patch Management policies (Recommended)
  2. Select the relevant default or custom policy from the drop-down. Where workstations are selected, you can select different policies for desktops and laptops

If you select Patch Management Feature Policy, you can select a different policy but cannot switch to manual configuration.



For new Dashboard accounts only Patch Management Feature Policy is available.

Configure Settings Manually (Legacy)

  1. Manually configure the below settings for each selected entity.
  2. Patch Status Check (Scan)
  3. Patch Auto Approval
  4. Installation Schedule (including reboots)
  5. Failed Patch alerting

Configure the Patch Scan and Patch Management Settings

Patch Scan

Choose the Dashboard and email notifications behavior when missing Patches and Vulnerabilities are discovered.

Schedule (Patch Scan)

Configure when the Patch Scan runs on the target devices.

DSC Cycle

Runs the Patch Scan at the same time as the Daily Safety Checks. (Default)

Manual Scan

The Patch Scan only runs when manually initiated from the device's context menu.

In the North-pane of the Dashboard, use multi-select to choose the target devices (use Shift and left-click to choose a range of devices or Control and left-click for specific machines), right-click on one of the selected devices, then go to Patch Management, Re-run Patch Scan.

Scheduled Scan

Run the Patch Scan based on the entered time and repetition.

Regardless of the applied schedule, on-demand Patch Scans may be initiated from the device's context menu, as covered in the Manual Scan section above.

Auto Approval (Patch Installation)

Select the installation approval Action for Microsoft and Other Vendors patches based on Severity.

Severity

Critical, Important, Moderate, Low, Other

Action

Ignore

Do not install patches of this Severity

Approve

Approve patches of this Severity for automatic installation the next time Patch Management remediation runs (Installation Schedule).

Please note that automatically approved patches are not reported as Missing in the Patch Status Check (or Patches tab and subsequent Reports) but will go immediately to Pending.

Manual

Approve and install patches of this severity at a later date.

All patches must be approved before they are installed via Patch Management. If not selected for automatic or manual approval, patches may subsequently be approved for all Servers and Workstations or at the Client or Site level via Patch Management Workflow or Approval Policy, and at the device level through the Patches tab.

Installation Schedule

Configure when patches are to be installed for the selection:

Manual

Initiate the installation from the Dashboard

Scheduled Installation

Install the patches at the specified time: Day, Week or Month

Choose whether to Reboot After Installation: Never, When Required or Always

And how missed schedules are handled.

The Scheduled Time selected under Installation Schedule refers to the local time of the computer the Agent is installed on. Please take this into consideration where your Dashboard contains Clients, Sites or Devices in different timezones, to ensure Patches are not installed at an inappropriate time. One suggestion is to set a custom Installation Schedule at the Client, Site or Device level based on their timezone.

Failed Patches

Select the behavior when a patch reports as failed.

Automatically reprocess failed patches

Where a patch installation fails, enabling this option will retry the patch deployment based on the device's patch Installation Schedule.

For handling those instances where a patch fails to install multiple times, we have included the ability to set the number of times a patch will be reprocessed (maximum of 5) before it is considered failed.

To avoid installing patches at a time that may not be suitable to the business or user, this reprocessing option respects the patch Installation Schedule.

For example, if patches are set to install every weekday at 10:00am and a patch fails on Monday, then the Dashboard will retry that patch each day at 10:00am until either the patch installs or the maximum number of attempts is reached. Or where patches are set to install manually, we will attempt to retry that patch each time you run a manual patch remediation until either the patch installs or the maximum number of attempts is reached.

Please be aware that running a manual remediation does not count towards the Automatically reprocess failed patches count where the Installation Schedule is set to Scheduled (daily, weekly or monthly). The count figure is only incremented when the remediation takes place as part of the device's scheduled remediation.

Whilst in the reprocessing state, a patch is not reported as failed on the Dashboard.
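The counting rules above determine how long a patch can stay uninstalled without appearing as failed. The following small model is an added example, not N-sight RMM code: the class, function and state names are hypothetical, and it assumes the initial failure starts reprocessing without being counted as a retry.

```python
from dataclasses import dataclass

MAX_REPROCESS_LIMIT = 5  # upper bound stated on the page

@dataclass
class PatchRetry:
    schedule_mode: str      # device Installation Schedule: "scheduled" or "manual"
    max_reprocess: int      # configured number of reprocess attempts (1-5)
    state: str = "Pending"  # Pending -> Reprocessing -> Installed | Failed
    counted: int = 0        # retries that count towards max_reprocess

    def __post_init__(self):
        if not 1 <= self.max_reprocess <= MAX_REPROCESS_LIMIT:
            raise ValueError("reprocess count must be between 1 and 5")

    def remediate(self, run_type: str, install_ok: bool) -> str:
        """Apply one remediation run ("scheduled" or "manual"); return the new state."""
        if self.state in ("Installed", "Failed"):
            return self.state            # terminal in this model
        if install_ok:
            self.state = "Installed"
        elif self.state == "Pending":
            # Assumption: the initial failure starts reprocessing and is not a retry.
            self.state = "Reprocessing"
        else:
            # Under a Scheduled install, a manual run retries but is not counted.
            if run_type == self.schedule_mode:
                self.counted += 1
            if self.counted >= self.max_reprocess:
                self.state = "Failed"
        return self.state

def simulate(schedule_mode, max_reprocess, runs):
    """Return the state reported after each (run_type, install_ok) run."""
    patch = PatchRetry(schedule_mode, max_reprocess)
    return [patch.remediate(run_type, ok) for run_type, ok in runs]

def days_until_reported_failed(interval_days, max_reprocess):
    """Days from first failure to Failed status if every scheduled retry fails."""
    return interval_days * max_reprocess

# Constructed sample: scheduled installs, 3 reprocess attempts, patch never installs.
SAMPLE_RUNS = [("scheduled", False), ("manual", False), ("scheduled", False),
               ("scheduled", False), ("manual", False), ("scheduled", False)]

if __name__ == "__main__":
    print(simulate("scheduled", 3, SAMPLE_RUNS))
    print(days_until_reported_failed(7, 5))
```

Under these assumptions, a weekly schedule with the maximum of 5 attempts leaves a persistently failing patch in the reprocessing state for 35 days before it is reported as failed, which is worth weighing when choosing the retry count for Critical patches.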

Send an email when patch installation fails

As a patch installation failure may require investigation, you can choose whether to send an email notification where a patch fails to install.

In addition to automatically retrying a failed patch, we also have the option to manually reprocess any patch where it is in the Failed state on the Dashboard.

Once Patch Management installs on a device it automatically runs a Patch Scan based on the entered Scan Schedule settings.

View Patch and Vulnerability Information

The scan results are displayed against the Patch Status Check, accessible from the device's Checks tab on the Dashboard.

The Check's More Information link contains a summary of the results from the last time the Check ran. Click the link for detailed information, including the Last Scan run time along with the vulnerabilities and missing patches that were identified.

Information across multiple devices is available in the Patch Overview Report with the Failure Report containing only those patches where an installation problem was encountered.

Manage Patches From the Dashboard

Individual Devices

Patches are managed at the individual device level by selecting the computer in the North-pane then going to its Patches tab.

This tab lists all of the discovered patches along with their Severity level, Patch Name, Product, Date Installed (if installed by Patch Management) along with whether it is Installable and / or Uninstallable.

To simplify the identification of a patch's current state, patches are grouped based on their status: Missing, Installed, Pending etc.

To perform an action against a patch, or number of patches...

  1. Use multi-select (Shift and left-click for a range or Control and left-click for specific patches)
  2. Right-click on one of the patches (or from the Patch drop-down)
  3. Choose the required action from: Approve, Ignore, Do Nothing, Reprocess Failed or Uninstall (only available for installed Microsoft patches that are marked as Uninstallable)

These actions are also available for individual patches from the Patch Information dialog...

  1. Double-click on the target patch in the South-pane
  2. Choose the required action in the dialog

Regardless of where the action is performed, if Approve is selected the user is prompted to Use existing schedule or Schedule a new time to install the selection, entering the password of the account they have logged on to the Dashboard under to confirm.

Multiple Devices

Patches are managed across multiple devices at the overall device type (server or workstation), Client or Site level through the Patch Management Workflow (choose how each of the specified patches is handled, including installation schedule).

Use the available filters to reduce the returned information, for example filtering by patch status or searching by patch name, then choose the patches through multi-select (use Shift and left-click to choose a range of patches or Control and left-click for specific patches).

Patch Management Workflow

  1. Choose the required action from Approve, Ignore, Do Nothing, Reprocess Failed or Uninstall
  2. Select the target Clients and Sites
  3. Set the installation schedule: use existing or set up a new schedule which is only applicable to this patch selection

Patch Uninstall - the uninstall option is only available for Microsoft patches that are marked as Uninstallable on the Dashboard.

Visit Patch Approval Actions for information on the patch approval hierarchy.

Disable Patch Management

Multiple Devices

  1. Log into the Dashboard
  2. Go to Settings > Patch Management > Settings
  3. Select the Entity type to apply the configuration to (all servers and workstations or servers and workstations at specific clients and sites)
  4. Choose Setting: Off or Use Parent if off (only for Client or Site)
  5. OK to save and apply

Individual Device

  1. Log into the Dashboard
  2. Right-click on the device in the North-pane (or from the Edit Server, Workstation or Device drop-down)

  3. Go to Edit <Device Type> and Patch Management
  4. Choose the Setting: On, Off or Use Policy Setting (Off)
  5. OK to save and apply