Contents
Patch Management
4
Introduction 4
Monitoring for Missing Patches
4
Setting up Patch Management in N-central
5
Adding a WSUS Server to N-central
8
What Versions of WSUS Are Supported? 8
How N-central Monitors Your WSUS Servers 10
Enabling or Disabling WSUS Servers 10
Changing which Customers can Use a WSUS Server 11
Configuring WSUS Server's Patch and Language Options 12
Maintaining your WSUS Servers 14
Patch Profiles
16
Adding Patch Profiles 16
Patch Profile Settings 17
Editing Patch Profiles 21
Viewing the Folders and Devices Associated to a Patch Profile 21
Deleting Patch Profiles 22
Configuring Devices for Patch Management
22
Approving and Declining Patches
24
Automatically Approving Patches
29
Viewing Installed Patches
34
Patch Status Report 36
Patch Inventory Report 36
Missing Patches Report 36
WSUS Status Report 36
Patch Management
Introduction
In today's security-conscious environment, providing patch monitoring and management services is crit-ical for anyone delivering managed IT services. The challenge is that while delivering patch management services has the potential to be both complex and expensive, your customers will not want to pay extra for it and will simply expect it to be a part of your service offering. With these issues in mind, N-able Tech-nologies provides an integrated patch management feature with N-central 9.1, powered by Microsoft WSUS 3.0.
N-central takes a unique approach to providing patch management by dividing patch monitoring and patch management into two separate functions. Patch Monitoring, which provides the ability to see which software patches are missing on devices, can be done on both Essential and Professional devices, while Patch Management (the approval and declining of specific patches) can only be done on Pro-fessional devices. This distinction provides added flexibility that allows IT service providers to better tailor their service offerings to the needs of their clients.
Who Should Read This Guide?
This document is designed for N-central administrators. It is highly recommended that anyone who is using the Patch Management features in versions prior to N-central 9.1 read this guide before upgrad-ing.
This guide is current as of October 18, 2012.
Monitoring for Missing Patches
When an N-central 9.1 Windows Agent is installed on a device, the Patch Status service is automatically added to that device. The Patch Status service queries the Windows Update Agent (WUA) on the device to determine the patches that are missing. WUA is local to the device that is being monitored and so the Patch Status service will report patch data even if the device is not configured to report to a WSUS server.
The Patch Status service returns key information including:
l the total number of missing patches l the number of patches installed with errors
l missing patches by category (Security Updates, Critical Updates, Service Packs, Update Rollups,
Feature Packs, Updates, and Software Driver Updates)
Setting up Patch Management in N-central
N-central provides a very flexible, powerful, integrated patch distribution and management solution. The solution is based on Microsoft WSUS but all configuration and management of WSUS is managed using the N-central interface. Beyond installing WSUS, there is virtually no interaction required with the WSUS user interface.
There are three phases to setting up patch management in N-central:
l Configuring your WSUS servers l Creating Patch Profiles
l Approving and Declining Patches
Before reviewing how to configure your WSUS servers, we should first examine where you might want to install them.
Common WSUS Deployment Scenarios
your customer's network) or can be publicly accessible on the internet. Through patch profiles, N-cen-tral also gives you the ability to use a mix of on-site and publicly-accessible WSUS servers – giving you the flexibility to offer patch management to devices that are on the road (like a Salesperson's laptop) and in the office.
The main advantage to using on-site WSUS servers is that they can store patches locally and dis-tribute them to servers and workstations on the local network. This optimizes the Internet bandwidth that is used because the patches are only downloaded from the internet once. The disadvantage of on-site WSUS servers is that they can only be used for devices on the same network – as soon as a device leaves the network, it no can no longer be managed by that WSUS server.
The main advantage of a publicly accessible WSUS server is that it can be used by any device that has internet access. The disadvantage of a publicly accessible WSUS server is that each patch must be downloaded separately by each device – making bandwidth consumption an issue.
Adding a WSUS Server to N-central
Adding a WSUS server to N-central is simple - you simply install a Windows Agent on it. The Windows Agent will discover the installed WSUS software and will then add the server to the list displayed on the WSUS Server Management screen (accessible throughConfiguration>Patch Management> WSUS Serversin the N-central UI). WSUS servers that have been discovered but are not yet enabled for patch management will be indicated by an icon. Servers that have been enabled will be indicated by a icon. If you install WSUS on the server after the agent has been installed, the WSUS server will still be discovered as the agent repeats its discovery action every 24 hours. Additionally, you can trigger an immediate discovery by clickingUpdate Nowon theAssettab of the device in question.
The following are the time intervals for interaction between Windows Agents and WSUS:
Activity Interval
Patch Discovery (Patches Needed) Upon agent start and every 22 hours
WSUS Group Creation If successful: every 6 hours
If unsuccessful: every 5 minutes
Reapply WSUS Group Hierarchy Every 6 hours
WSUS Server Configuration If successful: every 24 hours
If unsuccessful: every 5 minutes
Verify Patch Status Every 12 hours
Patch Approval Synchronization ForSecurity UpdatesandCritical Updates: every 24 hours
For all other categories: every 168 hours (7 days)
What Versions of WSUS Are Supported?
To display the WSUS servers managed by N-central
l In the navigation pane, clickConfiguration>Patch Management>WSUS Servers.
To add a new WSUS server to the list of WSUS servers managed by N-central
Note: The following procedure can only be performed at the Customer or Site level. Select the
appro-priate Customer or Site in theView Selection Menuto continue.
1. In the navigation pane, clickConfiguration>Patch Management>WSUS Servers. 2. ClickAdd.
3. TheAdd WSUS Serversdialog box that appears will instruct you to install an agent on the WSUS server itself (and provides a link for downloading a Windows agent). N-central's asset dis-covery mechanism will automatically add the server to the list.
Note: If the WSUS server is publicly-accessible, you must change theNetwork Addressof the WSUS server in N-central from the private IP address to a public IP address.
To force N-central to detect WSUS on a device already managed by N-central 1. Navigate to the appropriate customer.
2. ClickAll Devicesview in the navigation pane.
3. Click on the name of the device that is the WSUS server. 4. Select theAssettab in theDevice Propertiesscreen. 5. ClickUpdate Now.
Note: When the discovery job is completed, the WSUS server will be included in the list displayed
Previously-configured WSUS Servers
For N-central to manage devices in WSUS, client-side targeting must be disabled in the WSUS UI by per-forming the following:
To configure client-side targeting on a WSUS server
1. ClickControl Panel>Administrative Tools>Windows Server Update Servicesto access the WSUS UI on the WSUS server.
2. ClickOptionsin the left-hand UI pane. 3. ClickComputersin the middle UI pane. 4. SelectUse the Update Services console. 5. ClickOK.
How N-central Monitors Your WSUS Servers
Once you have configured WSUS and are using it to manage software patches, it will become a key com-ponent of your infrastructure. As a result, WSUS itself must be managed and monitored. When you add a WSUS server to N-central, theWSUS 3.0service template will be automatically assigned to the device. This provides complete monitoring of WSUS including event log, process availability, and the WSUS Status service. This monitoring ensures that the WSUS server is not reporting errors and that it is synchronizing with Microsoft correctly. The collected data is included in the WSUS Status report which will help in providing optimal service levels and can demonstrate the availability of the patch solution to your customer's auditors.
Tip: If your WSUS server is publicly-accessible and your WMI-based services transition to a Mis-configuredstate, perform the following:
1. In N-central, configure theNetwork Addressof the WSUS server to the public IP address. 2. Wait until your WMI-based services transition to a Misconfigured state.
3. Disable the Windows Firewall on the WSUS server.
4. After the scan for the WMI-based services is completed again, the services should transition back to a Normal state.
5. Enable the Windows Firewall on the WSUS server once more.
Enabling or Disabling WSUS Servers
Managing a WSUS server in N-central includes the ability to enable or disable the server as a point of dis-tribution for patches.
You must enable or disable WSUS servers on an individual basis as you cannot enable or disable multiple WSUS servers simultaneously.
Note: All newly-added WSUS servers are disabled by default.
To enable a WSUS server
1. In the navigation pane, clickConfiguration>Patch Management>WSUS Servers. 2. In theEnabledcolumn beside the name of the WSUS server that you want to enable, click the
icon.
Note: A icon will appear in theEnabledcolumn beside the name of the WSUS server that has been enabled.
To disable a WSUS server
1. In the navigation pane, clickConfiguration>Patch Management>WSUS Servers. 2. In theEnabledcolumn beside the name of the WSUS server that you want to disable, click the
icon.
3. In theDisable WSUS Serverdialog box, clickSave.
Note: An icon will appear in theEnabledcolumn beside the name of the WSUS server that has been disabled.
Changing which Customers can Use a WSUS Server
The WSUS Server Management screen can be accessed from any level (System, Service Organization, or Customer). Only the WSUS servers that can be managed by the current user will be displayed. Under theCustomer/SO Namecolumn, you will see the level at which the WSUS server is currently listed. If you want the WSUS server to only be visible to devices within the current customer, this column should display the customer name.
To change the level of a WSUS Server
1. In the navigation pane, clickConfiguration>Patch Management>WSUS Servers. 2. Select the check box beside each of the server names whose level you want to change in the
WSUS Server Managementscreen.
Tip: Selecting the check box at the top of the column will select all of the WSUS servers in the
list.
3. ClickMake Available at Another Level.
4. Select the new level from the drop-down menu in theMake Available at Another Leveldialog. 5. ClickSave.
Configuring WSUS Server's Patch and Language Options
l Products to support l Product Classifications
l Download and Store Patches on the WSUS server l Which languages to support
l Synchronization schedule
Since you can select more than one server from the WSUS Servers screen, it is easy to configure all of your WSUS servers to use the same settings. It is strongly recommended that you manage these set-tings through N-central rather than using the WSUS user interface.
Best Practices
l If you are using a hosted server, DO NOT store patches locally but if you are using an on-premise server, DO store patches locally.
l If you store patches locally, adjust the languages supported to only those that are in use by your customers. This will minimize WSUS disk space requirements.
l Ensure that your WSUS server is set to synchronize automatically at least once per day. This will ensure that your patch list is always up to date.
To configure WSUS Server options
Note: No configuration changes can be made to disabled WSUS servers. The settings are saved in
1. In the navigation pane, clickConfiguration>Patch Management>WSUS Servers. 2. Select the check box beside each of the names of the WSUS servers that you want to configure in
theWSUS Server Managementscreen.
Tip: Selecting the check box at the top of the column will select all of the WSUS servers in the
list.
3. ClickConfigure WSUS Options.
4. Select the configuration options in theConfigure WSUS Server Settingsdialog that you want to apply from the following:
a. Select which product you would like to support- identifies the patch products you want the WSUS server to support.
b. Select the update classification to provide- identifies the classification of patches you want the WSUS server to provide.
c. Specify where you would like to store Update Files- identifies whether Windows Update files will be stored locally on the WSUS server or not. If you selectStore updates locally, you must identify the type and language of updates to be stored.
d. Configure your desired Synchronization schedule- identifies whether the WSUS server will synchronize manually or automatically. If you selectSynchronize
automatically, you must select the time of the first synchronization as well as the number of synchronizations per day.
Note: When selecting check boxes in theConfigure WSUS Server Settingsdialog, your selection can have three possible settings:
Selected Indicates that the setting will be applied to the WSUS server.
Not Selected
Indicates that the setting will not be applied to the WSUS server.
No Change Indicates that the setting will not change any current settings already applied to the WSUS server.
5. ClickSave.
Maintaining your WSUS Servers
If you select a WSUS server and clickCleanup WSUS, the task is created as a "run now" scheduled task whose status can be viewed in theJob Statusview. If you wish to schedule this task for periodic execution, you can do so from theConfiguration>Scheduled Tasksmenu.
To clean up WSUS servers
1. In the navigation pane, clickConfiguration>Patch Management>WSUS Servers. 2. Select the check box beside each of the names of the WSUS servers that you want to clean in the
WSUS Server Managementscreen.
Tip: Selecting the check box at the top of the column will select all of the WSUS servers in the
list.
3. ClickCleanup WSUS.
4. Type theNameyou want to use to identify the cleanup task in theWSUS Cleanup Settings dialog.
5. Select the cleanup settings you want to apply to the task from the following:
l Delete unneeded update files l Decline expired updates l Decline superseded updates
6. ClickSave.
Patch Profiles
Patch profiles are used to configure all of the patch-related settings that need to be configured on Win-dows devices. This includes items such as the WSUS server to use, whether or not to reboot after install-ing the patches, and whether or not to alert the user when new patches are downloaded.
Patch profiles are a key feature in N-central, as they allow you to re-use the same patch settings across multiple customers. This saves you and your technicians time that would have to be otherwise spent configuring patch settings in the Group Policy of each of your customer's domains.
Access to patch profiles is based upon the level at which they are created. For example, a profile created at the System level is available at all levels while a profile created at the Service Organization level would only be available within that Service Organization.
Best Practices
l Configuring the default Patch Management profile at the highest level possible will provide consistent settings for all lower-level accounts. For example, modifying the default Patch Management profile at the Product Administrator level will define the settings for the pro-files in all Service Organization and Customer accounts.
l It is strongly recommended that you disable any group policy objects that configure Win-dows Update as they will conflict with the N-central settings.
Adding Patch Profiles
N-central provides a default Patch Management profile. Depending on your needs, however, it may be necessary to create additional profiles.
You can also copy a profile by using the "clone" feature to create a new profile that has a similar con-figuration to an existing one but with minor differences. This can make the task of creating multiple pro-files faster and easier.
Note: Cloning a profile will include both its settings and its associated devices.
To add a new profile
1. In the navigation pane, clickConfiguration>Patch Management > Profiles. 2. ClickAddin theProfilesscreen.
3. Define the profile settings as required in theAdd Profilesscreen. For more information, refer to
4. ClickSave.
5. ClickSavein the dialog box that appears confirming whether you want to save the new profile. To clone a profile
1. In the navigation pane, clickConfiguration>Patch Management > Profiles. 2. Select the profile you want to duplicate in theProfilesscreen.
3. Clickclone.
4. Type a descriptiveNameto identify the profile.
5. In theDescriptionfield, type additional information about the profile. 6. ClickSave.
Note: After you have cloned a profile, you need to edit the new profile's settings. For more
infor-mation, refer toEditing Patch Profiles on page 21.
Patch Profile Settings
Patch Management profiles have a number of different settings that will affect how patches will be deployed including:
Setting Description
Name A descriptive term or label used to identify the profile.
Description Additional information about the profile that will be displayed in theProfilestable.
Configure Automatic Updates Disable
Auto-matic Updates
Activates (or de-activates) N-central's ability to automatically install software patches when they are approved through N-central.
Setting Description
Configure Auto-matic Updat-ing
Defines how the deployment of patches will be applied to target devices from one of:
l Notify before download- Will send a notification of software updates being avail-able before they are downloaded and before they are installed.
l Automatically download and notify of installation- Will automatically down-load software updates when they are available but will send a notification before they are installed.
l Automatic download and scheduled installation- Will automatically download software updates when they are available and will install them at the scheduled date and time.
l Automatic Updates is required but end users can configure it- Will
auto-matically download software updates but will allow users to configure options such as the date and time when they will be installed.
Note: IfAutomatic download and scheduled installationis selected, you must select aSchedule Install DayandSchedule Install Timewhen patches will be installed.
Enable Auto-matic Updates Detection
Activates (or de-activates) the automatic detection of software updates.
Note: IfEnable Automatic Updates Detectionis set toYes, you must select the Auto-matic Updates Detection Frequency (Hours)value to determine the interval between when N-central will check for software updates (to a maximum of 22 hours).
Allow Non-Administrators to receive update noti-fications
Provides permission for N-central to send notifications to non-administrator accounts. For example, if this option is enabled, end users will be notified when software updates have been downloaded and are available to be installed on their computers.
Turn on Soft-ware Noti-fications
Activates (or de-activates) the transmission of notifications. The notifications sent will depend on the setting selected for theConfigure Automatic Updatingoption.
Allow Auto-matic Updates Immediate Installation
Setting Description
No Auto Restart with Logged On User for Sched-uled Automatic Updates
Activates (or de-activates) N-central's ability to automatically restart Windows devices when a user is currently logged on. If this is set toYes, N-central will not restart the device auto-matically after software updates are installed and a user is logged on to the device. The user will be prompted to restart the device.
Delay Restart for Scheduled Installations
Activates (or de-activates) a specified delay before N-central will restart Windows devices fol-lowing the installation of software updates.
Note: IfDelay Restart for Scheduled Installationsis set toYes, you must select a value forWait (minutes) before proceeding with scheduled restartfrom 1 minute to 29 minutes.
Re-Prompt Restart with Scheduled Installations
Activates (or de-activates) a specified delay before N-central will send another prompt to logged-on users that Windows devices will be restarted following the installation of software updates.
Note: IfRe-Prompt Restart with Scheduled Installationsis set toYes, you must type a value forWait (minutes) before proceeding with scheduled restart.
Reschedule Automatic Updates Scheduled Installation
Activates (or de-activates) a specified delay before N-central will install software updates that were missed (for example, if a device was shut down during a scheduled software update).
Setting Description Enable Win-dows Update Power Man-agement to Automatically Wake up the System
Activates (or de-activates) the capability to "wake up" a Windows device (even if it is in hiber-nation mode) in order to install a critical software update.
Specify Patch Server to use (WSUS or Win-dows Update)
Identifies either the WSUS server or Windows Update service that will be used for deploying patches.
Note: Using a Windows Update service for deploying patches will disable the patch approval features available with a WSUS server.
After you have identified the server or service from which patches will be deployed, activate (or de-activate)Allow Signed Updates from an Intranet Microsoft update service location. This controls whether or not software updates will be accepted if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. If this setting is set toNo, software updates from an intranet Microsoft update service location will only be accepted if they are signed by Microsoft.
Do not display "Install Updates and Shut Down" option in Shut Down Menu
Activates (or de-activates) the ability to display an "Install Updates and Shut Down" option when a Windows device is being turned off or restarted even if software updates are avail-able.
Note: IfDo not display "Install Updates and Shut Down" option in Shut Down Menuis set toYes, you must activate (or de-activate) theDo not adjust default option to "Install Updates and Shut Down" in Shut Down Menuoption.
One of the key settings for Patch Management profiles is theSpecify Patch Server to use. This deter-mines the location to which the Windows Update agent will connect in order to receive patch infor-mation. There are several options available including:
l Windows Update(default setting) l Best Available
l WSUS Servers
These options provide very different results. The Windows Update option configures the Windows Update Agent to connect to the Windows Update service. This allows patch management to be performed on a device without using WSUS. The advantage to this is the universal availability of the Windows Update site. One drawback, however, is the lack of management capabilities - the administrator cannot con-figure which individual patches should be applied.
use that server. If there is no customer-level WSUS server available, N-central will attempt to configure an SO-level server. If an SO-level server isn’t available, N-central then will attempt to use a product-level server. Should there be no WSUS servers available, N-central will configure the WUA to use Windows Update. The advantage to this functionality is that N-central will re-evaluate the best available con-figuration whenever a new server is enabled. As a result, if a system is configured to use an SO-level server and a customer-level WSUS server is added, N-central will automatically reconfigure the devices to use the customer-level server.
SelectingWSUS Serversallows you to select a specific WSUS server. Use this option if you know the specific server that you want to use.
Editing Patch Profiles
Any patch profile (including the default profile provided by N-central) can be modified . When a profile is modified, any changes made will be applied to all of the devices that use the profile.
If you try to edit a profile that was created at a higher account level, N-central will automatically create a copy of the profile at the level that it is being edited, including the associated devices, and save it at that level. This will disconnect the association to the profile that was created at a higher account level. For example, an SO Admin attempting to edit a profile created at the system level will create a new copy of the profile within their respective service organization.
To edit a profile
1. In the navigation pane, clickConfiguration>Patch Management > Profiles.
2. Click the name of the profile that you would like to edit in theNamecolumn of theProfiles screen.
3. Update the profile settings as required in theEdit Profilesscreen. For more information, refer to
Patch Profile Settings on page 17. 4. ClickSave.
5. ClickSaveto confirm the modifications when prompted.
Viewing the Folders and Devices Associated to a Patch Profile
You can view the associations a Patch Management profile has to folder templates, folders, and devices. You can view the associations a Patch Management profile has to folders.
To view profile associations
1. In the navigation pane, clickConfiguration>Patch Management > Profiles.
2. Click the name of the profile for which you would like to view all associations in theNamecolumn of theProfilesscreen.
Deleting Patch Profiles
You may want to delete one or more patch profiles as your patch deployment policies evolve. Be cautious when you do this as devices will need to use an existing profile if they are to receive deployed patches. If you try to delete a profile that is currently being used by one or more devices, you will be warned that it is an active profile. You may then either cancel the deletion or specify a replacement profile to be applied to those devices that are using the profile.
Tip: You can delete multiple patch profiles simultaneously.
To delete a profile
1. In the navigation pane, clickConfiguration>Patch Management > Profiles.
2. Select the check box next to the profile (or profiles) that you want to delete in theProfilesscreen.
Tip: You can select the check box next to theNamecolumn to select all of the profiles. 3. ClickDelete.
4. When prompted, clickDeleteto confirm the removal of the selected profiles.
Configuring Devices for Patch Management
After WSUS servers are configured (and enabled) and your patch profiles are set up and ready to use, you can enable Patch Management on your managed devices. The Patch Management feature is only available on Professional devices that have a Windows Agent installed on them. Patch Management can be enabled in three different ways:
l on a per-device basis,
l by bulk-editing multiple devices simultaneously, or
l by configuring Patch Management options through a folder.
Note: It may take up to 24 hours for the Patch Management feature to be fully operational as the
Win-dows Update Agent (WUA) on all configured devices must synchronize with a WSUS server. Fol-lowing the completion of this initial registration period, Patch Management functionality will be fully available on managed devices.
To configure single or multiple devices for Patch Management
Note: The following procedure can only be performed at the Customer or Site level. Select the
appro-priate Customer or Site in theView Selection Menuto continue.
TheAll Devicesview screen appears. 2. Perform the following:
l For a single device, click the device that you would like to edit in theNamecolumn.
l For multiple devices, select the check box beside each of the device names you wish to edit and
click Edit.
3. UnderPatch Management, selectEnable Patch Management.
4. From theSelect Patch Management Configuration Profiledrop-down list, select the profile that you want to be applied to the device (or devices).
Note: You canAdda new profile orView/Editprofiles to ensure that the correct one is selected.
5. ClickOK.
The device properties are updated and theAll Devicesview screen appears.
Note: You can click Saveto apply the settings and remain on the current screen.
To enable Patch Management using Rules
Note: The following procedure can only be performed at the Service Organization or Customer level.
Select the appropriate Service Organization or Customer in theView Selection Menuto con-tinue.
2. In theNamecolumn of theRulesscreen, click the Rule that you would like to edit. 3. In theEdit Rulescreen, select theConfiguration Optionstab.
4. UnderPatch Management, selectEnable Patch Management Settings.
5. From theSelect Patch Management Configuration Profiledrop-down list, select the profile that you want to be applied to the devices associated with the folder template.
6. ClickSave.
Note: This operation can also be carried out at the Customer level for individual Rules.
After you enable Patch Management on a device and apply a profile, the N-central agent will configure the settings for the device and then connect to the specified WSUS server so that the device can be placed in the correct computer groups.
Approving and Declining Patches
After the configuration of the WSUS system is complete, you can begin approving patches for deploy-ment.
In N-central, patches can be deployed using one of two methods:
l automatically using Automatic Patch Approval rules (for more information, refer toAutomatically Approving Patches on page 29), or
l the Patch Deployment Wizard.
Through the Patch Deployment Wizard, N-central allows you to efficiently deploy patches across a number of Windows devices (regardless of the customer that they belong to) by completing the following steps:
1. Filtering and searching available patches to determine which should be deployed. 2. Selecting the approval status to be assigned to patches.
3. Setting a patch deployment deadline (if applicable).
4. Accepting EULAs (End User License Agreements) on a individual patch basis or all at once (if appli-cable).
To display the list of patches waiting for deployment
l In the navigation pane, clickConfiguration>Patch Management>Approve/Decline
Patches.
Current Status and Approval Reported for Patches
The list of available patches displayed on theSelect Patchesscreen includes specific information for each patch including:
l KB (Knowledge Base) Number l Patch Name l Date l Classification l Severity l Status l Approval
Clicking on the name of the patch will display additional information such as thePatch Description, whether it has beenSupersededor not, if the patch isRemovable, theRestart Behavior, and other pieces of information relevant to the patch.
TheStatusof each patch will be a combination of the individualStatusvalues of that patch across all applicable devices. The combined Status value can be one of the following (listed in order of impor-tance):
3. Installed 4. Not Needed
The highest-ranked of these statuses found on any applicable device will be reported as the combined Statusfor the patch. For example, if one device had a status of Failed for this patch, while two other devices have a status of Needed for this patch, the patch would have an overall combinedStatusof Failed.
Patches with the statusNeededwill be displayed with the following icon:
Clicking on this icon will display all of the devices that are reporting theNeededstatus for this soft-ware patch. This allows you to better understand which devices will be installing the patch after it has been approved.
TheApprovalvalue of each patch will be a combination of the individualApprovalvalues of that patch across all computer groups. TheApprovalvalues are combined as follows:
l Declined + any other Approval value = Declined
l Approved for Install + Not Approved = Approved for Install l Approved for Install + Approved for Removal = Mixed
l Approved for Install + Not Approved + Approved for Removal = Mixed l Not Approved + Approved for Removal = Mixed
To filter the list of patches
Depending on your configuration, the list of available patches can be quite long and may require fil-tering in order to provide a manageable amount of patch information.
1. In the navigation pane, clickConfiguration>Patch Management>Approve/Decline Patches.
2. Select the classification of patches you want to display from one of the following in the Clas-sificationcolumn of theSelect Patchesscreen:
l Critical Updates l Definition Updates l Drivers l Feature Packs l Security Updates l Service Packs l Tools l Update Rollups l Updates
l Approved for Install l Approved for Removal l Declined
l Mixed
l Not Approved
4. Select the severity rating of patches you want to display from one of the following in theSeverity column: l Critical l Important l Low l Moderate l Unspecified
5. Select the specific software for which you want to display patches in theProductscolumn. 6. Select the current status of patches you want to display from one of the following in theStatus
column:
l Failed l Installed l Needed l Not Needed
Tip: You can use Ctrl-click or click-and-drag to select multiple criteria within a column.
7. Type the information to be used to filter the patch list in theEnter text to search forfield (including the name of the patch, Knowledge Base number, or other criteria).
8. ClickFilter.
Note: You can useReset Filterto undo any selections you have made and display the entire list of available patches.
To approve/decline patches
1. In the navigation pane, clickConfiguration>Patch Management>Approve/Decline Patches.
Note: This feature may also be accessed through theActionsmenu.
2. If necessary, filter the list of displayed patches in theSelect Patchesscreen as described inTo filter the list of patches on page 26.
Tip: You can select the check box next to theKB Numbercolumn to select all of the patches in the list that is currently displayed.
4. Click2. Approve PatchesorNext Stepto proceed.
5. Select the criteria forSet selected patches tofrom one of the following in theApprove Patchesscreen:
l Approved for Install l Approved for Removal l Declined
Note: Declinedis only available as an approval criteria for Product Administrators or SO Admin-istrators if there are no product-level WSUS servers available in N-central.Approved for Removalis only available for software patches that support this feature.
If you selectedApproved for Install, you will need toSpecify your target devices (or device groups)by navigating through the list of folders and choosing the service organization, customer and folder (or folders) for which the associated devices will have the patch installed.
Note: The target devices tree is hierarchical in nature so that selecting a folder at one level will
apply the patches to matching folders at all levels below the one that is selected (including new devices as they are added). Icons in the target devices tree indicate selections as fol-lows:
Approved for Install
Indicates that approved patches will be installed on all devices associated with the folder.
Not Approved Indicates that approved patches will not be installed on all devices associated with the folder.
No Change Indicates that existing patch approvals should not be altered for devices asso-ciated with the folder.
6. Click3. Set Installation Deadlines(if applicable) orNext Stepto proceed.
Note: If applicable, theSet Installation Deadlinescreen will appear. If no deadline setting is available, skip tostep 11.
7. Specify the deadline options for the patchesfrom one of the following:
If you selectedCustom, you will need to specify theDateandTimethat will be the deadline by which all approved patches must be installed. Click in the respective fields to selectDateand Timevalues.
8. Click4. Review and Accept EULAs(if applicable) orNext Stepto proceed.
Note: If applicable, theReview and Accept EULAsscreen will appear. If no EULAs are pro-vided for the accepted patches, skip tostep 11.
9. ClickEULAbeside the name of the patch to read its End User License Agreement.
When the EULA is displayed, clickAcceptorDeclinein the dialog box to indicate acceptance or refusal of the agreement. You can also select the check box next to the patch (or patches) to accept a EULA without displaying it.
Tip: You can select the check box next toAccept EULAto indicate acceptance of the EULAs for all of the patches.
10. Click5. Confirmation(if applicable) orAccept EULA and Approve Patchesto proceed. 11. ClickFinishin theConfirmationscreen.
Note: At any time during the Patch Deployment Wizard, you can clickBackto review previous stages of the procedure.
Automatically Approving Patches
Creating Patch Approval Rules allows N-central to automatically approve patches for you that meet spe-cific criteria – saving you and your technicians time and effort.
Note: Patch Approval Rules are stored and run on the N-central server. They are not passed on as an
automatic approval rule to the WSUS server. Patch Approval Rules are created and applied through N-central which then passes the approval to the WSUS server.
Automatic Patch Approval Rules can be created at the Product Administrator, Service Organization and Customer levels. Editing and deleting rules is restricted by the level at which they are created:
l Rules created at a higher level can be used but not edited or deleted by lower level accounts. l Rules created at a lower level can be edited or deleted by higher level accounts.
Rules can be enabled or disabled to allow further temporary suspension. N-central also allows you to run a Rule on-demand. The Rule status will be indicated by one of the following icons:
Enabled Disabled
Warning -This automatic approval rule has no groups associated.
This warning is displayed when a rule is not associated with any valid groups (for exam-ple, if a group has been removed after the rule was created). The rule will not be applied and must be edited to associate it with a valid group.
To add an Automatic Patch Approval rule
1. In the navigation pane, clickConfiguration>Patch Management>Automatic Approvals. 2. ClickAddin theAutomatic Patch Approval Rulesscreen.
Name A unique identifier for the rule.
Descrip-tion
A personalized summary of the rule that should identify what it does.
Approve Patches for
Used to identify how the rule will be applied based on the following criteria:
l Products- eitherLocal PublisherorMicrosoft(with the option to select individ-ual products within each category).
l Classifications- selected from one or more of the following:
l Critical Updates l Definition Updates l Drivers l Feature Packs l Security Updates l Service Packs l Tools l Update Rollups l Updates
l Groups- for selecting multiple devices by folder.
Note: The criteria displayed in theProductandClassificationslists are provided by data accessed through theWSUS Serversscreen. If aProductorClassification has not been enabled in the WSUS server profile, it will not be available in theAdd Automatic Patch Approval Rulescreen.
Specify the dead-line options for the patches
Select from one of:
l None- no deadline applied.
l Custom- used to specify how many days after approval that the patch should be installed and by what time on the deadline date.
4. ClickSave.
5. ClickYes - Run the Rule NoworNo - Do Not Run the Rule Nowin the Do you Want to Run this Rule Now?prompt based on your current needs. If you select Yes, the rule will be applied and software patches approved. If you select No, the rule will not be applied.
Note: If you choose to run the new rule immediately, it will be applied against all of the software
To delete an Automatic Patch Approval rule
1. In the navigation pane, clickConfiguration>Patch Management>Automatic Approvals. 2. Select the check box next to the rule that you would like to delete in theAutomatic Patch
Approval Rulesscreen.
Tip: Selecting the check box at the top of the column heading will select all of the rules.
3. ClickDelete.
4. ClickDeletein the Confirm Deleteprompt. To edit an Automatic Patch Approval rule
Note: Modifications made to existing rules will only be applied to new software patches that are
down-loaded after the changes have been made.
1. In the navigation pane, clickConfiguration>Patch Management>Automatic Approvals. 2. Click theNameof the rule that you would like to modify in theAutomatic Patch Approval
Rulesscreen.
3. Modify the properties of the rule as needed in theEdit Automatic Patch Approval Rulescreen. 4. ClickSave.
To enable an Automatic Patch Approval rule
1. In the navigation pane, clickConfiguration>Patch Management>Automatic Approvals. 2. Select the check box beside each of the rules that you want to enable in theAutomatic Patch
Approval Rulesscreen.
Tip: Selecting the check box at the top of the column will select all of the rules.
3. ClickEnable.
4. ClickEnablein the Confirm Enableprompt.
Note: A will appear in theEnabledcolumn beside the name of the rule (or rules) that has been enabled.
To disable an Automatic Patch Approval rule
1. In the navigation pane, clickConfiguration>Patch Management>Automatic Approvals. 2. Select the check box beside each of the rules that you want to disable in theAutomatic Patch
Approval Rulesscreen.
3. ClickDisable.
4. ClickDisablein the Confirm Disableprompt.
Note: An will appear in theEnabledcolumn beside the name of the rule (or rules) that has been disabled.
To run an Automatic Patch Approval rule
1. In the navigation pane, clickConfiguration>Patch Management>Automatic Approvals. 2. Select the check box beside each of the rules that you want to run in theAutomatic Patch
Approval Rulesscreen.
Tip: Selecting the check box at the top of the column will select all of the rules.
3. ClickRun Rule Now.
Viewing Installed Patches
Patch Management Reporting
A key element of N-central's Patch Management feature is the ability to provide effective reporting. The patch management reports are designed to be highly flexible in order to support a variety of use cases. Specifically, there are several key reports that you can deliver:
Patch Status Report
l Missing Patches (by system) l One, several, or all devices l One, several, or all categories l Patches older than a certain age l Installed Patches (by system)
l One, several, or all devices l One, several, or all categories
l Patches installed in the last <x> many days l All Patches (installed and missing)
Patch Inventory Report
l Missing Patches (by patch) l Installed Patches (by patch)
l Which computers are missing a specific patch l Which computers have a specific patch
l Report on patches by name or KB article or other criteria
Missing Patches Report
l Show (per customer) the number of missing patches (by type) l Show top <x> customers by missing patches
l Click through to show individual customer details
WSUS Status Report
l WSUS servers (up to a maximum of 20) that have the largest number of assigned devices l Indicate the WSUS level, version, number of customers, number of devices and details on
syn-chronization for each WSUS server
l Indicate customer assignment, update products, and update classifications for WSUS servers l Indicate device assignment, update products, and update classifications for WSUS servers
Leveraging these reports, N-central can support a wide range of needs including:
l helping a technician understand the software patches that need to be deployed or the devices on
l showing a customer their patch status,
l showing a customer the work that was done, needs to be done, or
Appendix: Patch Installation and Approval Status
The list of available patches displayed on theSelect Patchesscreen includes the following information for each patch:
l KB (Knowledge Base) Number l Patch Name l Date l Classification l Severity l Status l Approval
TheStatusof each patch will be a combination of the individualStatusvalues of that patch across all applicable devices. The combined Status value can be one of the following (listed in order of importance):
1. Failed 2. Needed 3. Installed 4. Not Needed
The highest-ranked of these statuses found on any applicable device will be reported as the combined Statusfor the patch. For example, if one device had a status of Failed for this patch, while two other devices have a status of Needed for this patch, the patch would have an overall combinedStatusof Failed.
Patches with the statusNeededwill be displayed with the following icon:
Clicking on this icon will display all of the devices that are reporting theNeededstatus for this software patch. This allows you to better understand which devices will be installing the patch after it has been approved.
TheApprovalvalue of each patch will be a combination of the individualApprovalvalues of that patch across all computer groups. TheApprovalvalues are combined as follows:
l Declined + any other Approval value = Declined
l Approved for Install + Not Approved = Approved for Install l Approved for Install + Approved for Removal = Mixed
the documented features. This document does not represent any firm commitments by N-able Technologies Inc. to features and/or dates. N-able Technologies will at its best effort, try to meet the specified schedule and will update this document should there be any significant changes. N-able Technologies reserves the right to change the release schedule and the content of any of the planned updates or enhancements without notice. Publication or dissemination of this document alone is not intended to create and does not constitute a business relationship between N-able Technologies and the recipient.
Feedback
N-able Technologies is a market driven organization that places importance on customer, partner and alliance feedback. All feedback is welcome at the following email address:[email protected].
About N-able Technologies
N-able Technologies is the global leader in remote monitoring and management software for managed service providers and IT departments. N-able’s award-winning N-central platform and complementary toolsets, backed by best-in-class business and tech-nical services, are proven to reduce IT support costs, improve network performance and increase productivity through the proactive monitoring, management and optimization of IP-enabled devices and IT infrastructure. N-able is 100% channel-friendly and main-tains operations in North America, the U.K., the Netherlands and Australia.
Copyright © 2012 N-able Technologies
All rights reserved. This document contains information intended for the exclusive use of N-able Technologies' personnel, partners, and potential partners. The information herein is restricted in use and is strictly confidential and subject to change without notice. No part of this document may be altered, reproduced, or transmitted in any form or by any means, electronic or mechanical, for any pur-pose, without the express written permission of N-able Technologies.
Copyright protection includes, but is not limited to, program code, program documentation, and material generated from the soft-ware product displayed on the screen, such as graphics, icons, screen displays, screen layouts, and buttons.
