Providing Patch Management With N-central. Version 7.1

(1)

(2)

Patch Management

3

Introduction 3

Monitoring for Missing Patches

3 Setting up Patch Management in N-central

4 Adding a WSUS Server to N-central

7

What Versions of WSUS Are Supported? 7

How N-central Monitors Your WSUS Servers 8

Enabling or Disabling WSUS Servers 9

Changing which Customers can Use a WSUS Server 10

Configuring WSUS Server's Patch and Language Options 11

Maintaining your WSUS Servers 13

Patch Profiles

15

Adding Patch Profiles 15

Patch Profile Settings 16

Editing Patch Profiles 19

Viewing the Folders and Devices Associated to a Patch Profile 19

Deleting Patch Profiles 20

Configuring Devices for Patch Management

20 Approving and Declining Patches

22 Viewing Installed Patches

26 Patch Management Reporting

28

Patch Status Report 28

Patch Inventory Report 28

Missing Patches Report 28

WSUS Status Report 28

Upgrading Patch Management from N-central 7.0

29

(3)

Patch Management

Introduction

In today's security-conscious environment, providing patch monitoring and management services is crit-ical for anyone delivering managed IT services. The challenge is that while delivering patch management services has the potential to be both complex and expensive, your customers will not want to pay extra for it and will simply expect it to be a part of your service offering. With these issues in mind, N-able Technologies provides a new integrated patch management feature with N-central 7.1, powered by Microsoft WSUS 3.0.

N-central 7.1 takes a unique approach to providing patch management by dividing patch monitoring and patch management into two separate functions. Patch Monitoring, which provides the ability to see which software patches are missing on devices, can be done on both Essential and Professional devices, while Patch Management (the approval and declining of specific patches) can only be done on Pro-fessional devices. This distinction provides added flexibility that allows IT service providers to better tailor their service offerings to the needs of their clients.

Who Should Read This Guide?

This document is designed for N-central administrators. It is highly recommended that anyone who is using the Patch Management features in versions prior to N-central 7.1 read this guide before upgrad-ing.

This guide is current as of Tuesday, November 09, 2010.

Monitoring for Missing Patches

When an N-central 7.1 Windows Agent is installed on a device, the Patch Status service is automatically added to that device. The Patch Status service queries the Windows Update Agent (WUA) on the device to determine the patches that are missing. WUA is local to the device that is being monitored and so the Patch Status service will report patch data even if the device is not configured to report to a WSUS server.

The Patch Status service returns key information including:

l the total number of missing patches l the number of patches installed with errors

l missing patches by category (Security Updates, Critical Updates, Service Packs, Update Rollups,

Feature Packs, Updates, and Software Driver Updates)

(4)

Setting up Patch Management in N-central

N-central 7.1 provides a very flexible and powerful patch distribution and management solution. The solution is based on Microsoft WSUS but the configuration and management of WSUS is done using the N-central user interface – making it easy and efficient to manage multiple WSUS servers at the same time. Beyond installing WSUS, there is virtually no interaction required with the WSUS user interface. There are three phases to setting up patch management in N-central:

l Configuring your WSUS servers l Creating Patch Profiles

l Approving and Declining Patches

Before reviewing how to configure your WSUS servers, we should first examine where you might want to install them.

Common WSUS Deployment Scenarios

(5)

you the flexibility to offer patch management to devices that are on the road (like a Salesperson's lap-top) and in the office.

The main advantage to using on-site WSUS servers is that they can store patches locally and dis-tribute them to servers and workstations on the local network. This optimizes the Internet bandwidth that is used because the patches are only downloaded from the internet once. The disadvantage of on-site WSUS servers is that they can only be used for devices on the same network – as soon as a device leaves the network, it no can no longer be managed by that WSUS server.

The main advantage of a publicly accessible WSUS server is that it can be used by any device that has internet access. The disadvantage of a publicly accessible WSUS server is that each patch must be downloaded separately by each device – making bandwidth consumption an issue.

(6)

(7)

Adding a WSUS Server to N-central

Adding a WSUS server to N-central is simple - you simply install a Windows Agent on it. The Windows Agent will discover the installed WSUS software and will then add the server to the list displayed on the WSUS Server Management screen (accessible throughSetup>Patch Management>WSUS Serversin the N-central UI). WSUS servers that have been discovered but are not yet enabled for patch management will be indicated by an icon. Servers that have been enabled will be indicated by a icon. If you install WSUS on the server after the agent has been installed, the WSUS server will still be discovered as the agent repeats its discovery action every 24 hours. Additionally, you can trigger an immediate discovery by clickingUpdate Nowon theAssettab of the device in question.

What Versions of WSUS Are Supported?

N-central 7.1 supports, at minimum, Microsoft WSUS 3.0 Service Pack 2. Older versions of WSUS will be discovered but cannot be used for patch management in N-central. As new versions of WSUS become available, N-able Technologies will test the integration with N-central and make any updates necessary to provide support for the new version. We do not recommend upgrading WSUS until official support is provided for the new version in order to ensure that your patch system is operating properly.

To display the WSUS servers managed by N-central

1. On the menu bar, clickSetup>Patch Management>WSUS Servers.

TheWSUS Server Managementscreen appears.

To add a new WSUS server to the list of WSUS servers managed by N-central

Note:The following procedure can only be performed at the customer level. Select the appropriate customer in the navigation pane to continue. For more information, refer toNavigating N-cen-tral.

1. On the menu bar, clickSetup>Patch Management>WSUS Servers. 2. ClickAdd.

(8)

discovery mechanism will automatically add the server to the list.

Note:If the WSUS server is publicly-accessible, you must change theNetwork Addressof the WSUS server in N-central from the private IP address to a public IP address.

To force N-central to detect WSUS on a device already managed by N-central 1. Navigate to the appropriate customer.

2. ClickAll Devices Viewin the navigation pane.

3. Click on the name of the device that is the WSUS server.

TheDevice Propertiesscreen appears.

4. Select theAssettab. 5. ClickUpdate Now.

When the discovery job is completed, the WSUS server will be included in the list displayed on the

WSUS Server Managementscreen.

Previously-configured WSUS Servers

For N-central to manage devices in WSUS, client-side targeting must be disabled in the WSUS UI by per-forming the following:

To configure client-side targeting on a WSUS server

1. ClickControl Panel>Administrative Tools>Windows Server Update Servicesto access the WSUS UI on the WSUS server.

2. ClickOptionsin the left-hand UI pane. 3. ClickComputersin the middle UI pane. 4. SelectUse the Update Services console. 5. ClickOK.

How N-central Monitors Your WSUS Servers

Once you have configured WSUS and are using it to manage software patches, it will become a key com-ponent of your infrastructure. As a result, WSUS itself must be managed and monitored. When you add a WSUS server to N-central, theWSUS 3.0service template will be automatically assigned to the device. This provides complete monitoring of WSUS including event log, process availability, and the WSUS Status service. This monitoring ensures that the WSUS server is not reporting errors and that it is synchronizing with Microsoft correctly. The collected data is included in the WSUS Status report which will help in providing optimal service levels and can demonstrate the availability of the patch solution to your customer's auditors.

Tip:If your WSUS server is publicly-accessible and your WMI-based services transition to a Mis-configuredstate, perform the following:

(9)

address.

2. Wait until your WMI-based services transition to a Misconfigured state. 3. Disable the Windows Firewall on the WSUS server.

4. After the scan for the WMI-based services is completed again, the services should

transition back to a Normal state.

5. Enable the Windows Firewall on the WSUS server once more.

Enabling or Disabling WSUS Servers

Managing a WSUS server in N-central includes the ability to enable or disable the server as a point of dis-tribution for patches.

Enabling a WSUS server allows it to be used for deploying patches and to be monitored by N-central. Disabling a WSUS server makes it unavailable for deploying patches and it will not be monitored by N-central.

Note:All newly-added WSUS servers are disabled by default. To enable a WSUS server

2. Select the check box beside each of the server names you want to enable.

Tip:Selecting the check box at the top of the column will select all of the WSUS servers in the list.

3. ClickEnable.

A will appear in theEnabledcolumn beside the name of the WSUS server (or servers) that has been enabled.

To disable a WSUS server

2. Select the check box beside each of the server names you want to disable.

Tip:Selecting the check box at the top of the column will select all of the WSUS servers in the list.

3. ClickDisable.

A dialog box will appear confirming whether you want to disable the WSUS server (or servers).

4. ClickSave.

(10)

Changing which Customers can Use a WSUS Server

The WSUS Server Management screen can be accessed from any level (System, Service Organization, or Customer). Only the WSUS servers that can be managed by the current user will be displayed. Under theCustomer/SO Namecolumn, you will see the level at which the WSUS server is currently listed. If you want the WSUS server to only be visible to devices within the current customer, this column should display the customer name.

If you want to make a WSUS server visible to all devices at the service organization level, select it and clickMake Available at Another Level. Select the service organization name from the drop-down menu that appears and clickSave. You will see the customer name change to the service organization name.

To change the level of a WSUS Server

2. Select the check box beside each of the server names whose level you want to change. Tip:Selecting the check box at the top of the column will select all of the WSUS servers in the

list.

(11)

TheMake Available at Another Leveldialog appears.

4. Select the new level from the drop-down menu. 5. ClickSave.

The setting listed under theCustomer/SO Namecolumn will change.

Configuring WSUS Server's Patch and Language Options

In addition to controlling which customers can use a given WSUS server, you can also use the WSUS Server Management screen to configure the WSUS server’s patch and language options. Available options include:

l Products to support l Product Classifications

l Download and Store Patches on the WSUS server l Which languages to support

l Synchronization schedule

Since you can select more than one server from the WSUS Servers screen, it is easy to configure all of your WSUS servers to use the same settings. It is strongly recommended that you manage these set-tings through N-central rather than using the WSUS user interface.

Best Practices

l If you are using a hosted server, DO NOT store patches locally but if you are using an on-premise server, DO store patches locally.

l If you store patches locally, adjust the languages supported to only those that are in use by your customers. This will minimize WSUS disk space requirements.

(12)

To configure WSUS Server options

Note:No configuration changes can be made to disabled WSUS servers. The settings are saved in N-central. When the WSUS server is enabled, the settings are then applied to the WSUS server. 1. On the menu bar, clickSetup>Patch Management>WSUS Servers.

2. Select the check box beside each of the names of the WSUS servers that you want to configure. Tip:Selecting the check box at the top of the column will select all of the WSUS servers in the

list.

3. ClickConfigure WSUS Options.

TheConfigure WSUS Server Settingsdialog appears.

4. Select the configuration options that you want to apply from the following:

a. Select which product you would like to support- identifies the patch products you want the WSUS server to support.

(13)

c. Specify where you would like to store Update Files- identifies whether Windows Update files will be stored locally on the WSUS server or not. If you selectStore updates locally, you must identify the type and language of updates to be stored.

d. Configure your desired Synchronization schedule- identifies whether the WSUS server will synchronize manually or automatically. If you selectSynchronize automatically, you must select the time of the first synchronization as well as the number of synchronizations per day.

Note:When selecting check boxes in theConfigure WSUS Server Settingsdialog, your selec-tion can have three possible settings:

Selected Indicates that the setting will be applied to the WSUS server. Not

Selected

Indicates that the setting will not be applied to the WSUS server.

No Change

Indicates that the setting will not change any current settings already applied to the WSUS server.

5. ClickSave.

Maintaining your WSUS Servers

WSUS servers require periodic maintenance which includes deleting unnecessary patches, optimizing the database, and other routine tasks. All of these actions can be done by performing aWSUS Server Cleanup Taskfrom theWSUS Server Managementscreen.

(14)

To clean up WSUS servers

2. Select the check box beside each of the names of the WSUS servers that you want to clean. Tip:Selecting the check box at the top of the column will select all of the WSUS servers in the

list.

3. ClickCleanup WSUS.

TheWSUS Cleanup Settingsdialog appears.

4. Type theNameyou want to use to identify the cleanup task.

5. Select the cleanup settings you want to apply to the task from the following:

l Remove unused updates and update revisions l Delete computers not contacting the server l Delete unneeded update files

l Decline expired updates l Decline superseded updates

6. ClickSave.

(15)

Patch Profiles

Patch profiles are used to configure all of the patch-related settings that need to be configured on Win-dows devices. This includes items such as the WSUS server to use, whether or not to reboot after install-ing the patches, and whether or not to alert the user when new patches are downloaded.

Patch profiles are a key feature in N-central, as they allow you to re-use the same patch settings across multiple customers. This saves you and your technicians time that would have to be otherwise spent configuring patch settings in the Group Policy of each of your customer's domains.

Access to patch profiles is based upon the level at which they are created. For example, a profile created at the System level is available at all levels while a profile created at the Service Organization level would only be available within that Service Organization.

Best Practices

l Configuring the default Patch Management profile at the highest level possible will provide con-sistent settings for all lower-level accounts. For example, modifying the default Patch Man-agement profile at the Product Administrator level will define the settings for the profiles in all Service Organization and Customer accounts.

l It is strongly recommended that you disable any group policy objects that configure Windows Update as they will conflict with the N-central settings.

Adding Patch Profiles

N-central provides a default Patch Management profile. Depending on your needs, however, it may be necessary to create additional profiles.

You can also copy a profile by using the "clone" feature to create a new profile that has a similar con-figuration to an existing one but with minor differences. This can make the task of creating multiple pro-files faster and easier.

Note:Cloning a profile will include both its settings and its associated devices. To add a new profile

1. On the menu bar, clickSetup >Patch Management >Profiles.

TheProfilesscreen appears.

2. ClickAdd.

TheAdd Profilesscreen appears.

3. Define the profile settings as required. For more information, refer toPatch Profile Settings on page 16.

4. ClickSave.

A dialog box will appear confirming whether you want to save the new profile.

5. ClickSave.

To clone a profile

(16)

2. Select the profile you want to duplicate. 3. Clickclone.

4. Type a descriptiveNameto identify the profile.

5. In theDescriptionfield, type additional information about the profile. 6. ClickSave.

Note:After you have cloned a profile, you need to edit the new profile's settings. For more infor-mation, refer toEditing Patch Profiles on page 19.

Patch Profile Settings

Patch Management profiles have a number of different settings that will affect how patches will be deployed including:

Setting Description

Name A descriptive term or label used to identify the profile.

Description Additional information about the profile that will be displayed in theProfilestable.

Configure Automatic Updates

Disable Auto-matic Updates

Activates (or de-activates) N-central's ability to automatically install software patches when they are approved through N-central.

Warning! Disabling this option means that all devices associated with this profile must have software patches manually applied.

Configure Automatic Updating

Defines how the deployment of patches will be applied to target devices from one of:

l Notify before download- Will send a notification of software updates being

avail-able before they are downloaded and before they are installed.

l Automatically download and notify of installation- Will automatically download

software updates when they are available but will send a notification before they are installed.

l Automatic download and scheduled installation- Will automatically download software updates when they are available and will install them at the scheduled date and time.

l Automatic Updates is required but end users can configure it- Will auto-matically download software updates but will allow users to configure options such as the date and time when they will be installed.

(17)

Setting Description

Enable Auto-matic Updates Detection

Activates (or de-activates) the automatic detection of software updates.

Note: IfEnable Automatic Updates Detection is set toYes, you must select the Auto-matic Updates Detection Frequency (Hours)value to determine the interval between when N-central will check for software updates (to a maximum of 22 hours). Allow Non-Administrators to receive update noti-fications

Provides permission for N-central to send notifications to non-administrator accounts. For example, if this option is enabled, end users will be notified when software updates have been downloaded and are available to be installed on their computers.

Turn on Soft-ware Noti-fications

Activates (or de-activates) the transmission of notifications. The notifications sent will depend on the setting selected for theConfigure Automatic Updatingoption.

Allow Auto-matic Updates Immediate Installation

Activates (or de-activates) the immediate installation of minor updates that do not interrupt Windows services or require Windows to be restarted. If this is set toYes, N-central will immediately install these updates as soon as they are downloaded and ready to be installed.

No Auto Restart with Logged On User for Scheduled Automatic Updates

Activates (or de-activates) N-central's ability to automatically restart Windows devices when a user is currently logged on. If this is set toYes, N-central will not restart the device auto-matically after software updates are installed and a user is logged on to the device. The user will be prompted to restart the device.

Delay Restart for Scheduled Installations

Activates (or de-activates) a specified delay before N-central will restart Windows devices fol-lowing the installation of software updates.

Note: IfDelay Restart for Scheduled Installationsis set toYes, you must select a value forWait (minutes) before proceeding with scheduled restartfrom 1 minute to 29 minutes.

Re-Prompt Restart with Scheduled Installations

Activates (or de-activates) a specified delay before N-central will send another prompt to logged-on users that Windows devices will be restarted following the installation of software updates.

Note: IfRe-Prompt Restart with Scheduled Installationsis set toYes, you must type a value forWait (minutes) before proceeding with scheduled restart.

Reschedule Automatic Updates Scheduled Installation

Activates (or de-activates) a specified delay before N-central will install software updates that were missed (for example, if a device was shut down during a scheduled software update).

(18)

Setting Description Enable Win-dows Update Power Man-agement to Automatically Wake up the System

Activates (or de-activates) the capability to "wake up" a Windows device (even if it is in hiber-nation mode) in order to install a critical software update.

Specify Patch Server to use (WSUS or Win-dows Update)

Identifies either the WSUS server or Windows Update service that will be used for deploying patches.

Note: Using a Windows Update service for deploying patches will disable the patch approval features available with a WSUS server.

After you have identified the server or service from which patches will be deployed, activate (or de-activate)Allow Signed Updates from an Intranet Microsoft update service loca-tion. This controls whether or not software updates will be accepted if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. If this set-ting is set toNo, software updates from an intranet Microsoft update service location will only be accepted if they are signed by Microsoft.

Do not display "Install Updates and Shut Down" option in Shut Down Menu

Activates (or de-activates) the ability to display an "Install Updates and Shut Down" option when a Windows device is being turned off or restarted even if software updates are avail-able.

Note: IfDo not display "Install Updates and Shut Down" option in Shut Down Menuis set toYes, you must activate (or de-activate) theDo not adjust default option to "Install Updates and Shut Down" in Shut Down Menuoption. One of the key settings for Patch Management profiles is theSpecify Patch Server to use. This deter-mines the location to which the Windows Update agent will connect in order to receive patch infor-mation. There are several options available including:

l Windows Update(default setting) l Best Available

l WSUS Servers

These options provide very different results. The Windows Update option configures the Windows Update Agent to connect to the Windows Update service. This allows patch management to be performed on a device without using WSUS. The advantage to this is the universal availability of the Windows Update site. One drawback, however, is the lack of management capabilities - the administrator cannot con-figure which individual patches should be applied.

(19)

configuration whenever a new server is enabled. As a result, if a system is configured to use an SO-level server and a customer-level WSUS server is added, N-central will automatically reconfigure the devices to use the customer-level server.

SelectingWSUS Serversallows you to select a specific WSUS server. Use this option if you know the specific server that you want to use.

Editing Patch Profiles

Any patch profile (including the default profile provided by N-central) can be modified . When a profile is modified, any changes made will be applied to all of the devices that use the profile.

If you try to edit a profile that was created at a higher account level, N-central will automatically create a copy of the profile at the level that it is being edited, including the associated devices, and save it at that level. This will disconnect the association to the profile that was created at a higher account level. For example, an SO Admin attempting to edit a profile created at the system level will create a new copy of the profile within their respective service organization.

To edit a profile

2. In theName column, click the name of the profile that you would like to edit.

TheEdit Profilesscreen appears.

3. Update the profile settings as required. For more information, refer toPatch Profile Settings on page 16.

4. ClickSave.

5. When prompted, clickSaveto confirm the modifications.

Viewing the Folders and Devices Associated to a Patch Profile

You can view the associations a Patch Management profile has to folder templates, folders and devices. You can view the associations a Patch Management profile has to folders.

To view profile associations

2. In theName column, click the name of the profile for which you would like to view all associations.

TheEdit Profilesscreen appears.

(20)

TheAssociationstab appears, displaying all associations for the selected profile.

Deleting Patch Profiles

You may want to delete one or more patch profiles as your patch deployment policies evolve. Be cau-tious when you do this as devices will need to use an existing profile if they are to receive deployed patches. If you try to delete a profile that is currently being used by one or more devices, you will be warned that it is an active profile. You may then either cancel the deletion or specify a replacement pro-file to be applied to those devices that are using the propro-file.

Tip:You can delete multiple patch profiles simultaneously.

To delete a profile

2. Select the check box next to the profile (or profiles) that you want to delete.

Tip:You can select the check box next to theNamecolumn to select all of the profiles.

3. ClickDelete.

4. When prompted, clickDeleteto confirm the removal of the selected profiles.

Configuring Devices for Patch Management

After WSUS servers are configured (and enabled) and your patch profiles are set up and ready to use, you can enable Patch Management on your managed devices. The Patch Management feature is only available on Professional devices that have a Windows Agent installed on them. Patch Management can be enabled in three different ways:

l on a per-device basis,

l by bulk-editing multiple devices simultaneously, or

l by configuring Patch Management options through a folder.

Note:It may take up to 24 hours for the Patch Management feature to be fully operational as the Win-dows Update Agent (WUA) on all configured devices must synchronize with a WSUS server. Fol-lowing the completion of this initial registration period, Patch Management functionality will be fully available on managed devices.

To configure single or multiple devices for Patch Management

Note:The following procedure can only be performed at the customer level. Select the appropriate customer in the navigation pane to continue. For more information, refer toNavigating N-cen-tral.

1. ClickAll Devices Viewin the navigation pane.

TheAll Devices Viewscreen appears.

(21)

l For a single device, click the device that you would like to edit in theNamecolumn.

l For multiple devices, select the check box beside each of the device names you wish to edit and

click Edit.

3. UnderPatch Management, selectEnable Patch Management.

4. From theSelect Patch Management Configuration Profiledrop-down list, select the profile that you want to be applied to the device (or devices).

5. ClickOK.

The device properties are updated and theAll Devices Viewscreen appears.

To enable Patch Management using folder templates

Note:This feature is available at the Service Organization level. 1. On the menu bar, clickSetup >Folder Templates.

TheFolder Templatesscreen appears.

2. In theNamecolumn, click the folder that you would like to edit.

TheEdit Folder Templatescreen appears.

3. UnderPatch Management, selectManage Patch Settings.

4. From theSelect Patch Management Configuration Profiledrop-down list, select the profile that you want to be applied to the devices associated with the folder template.

(22)

The folder template is updated and theFolder Templatesscreen appears.

Note:This operation can also be carried out at the Customer level for individual folders. For more information, refer toEditing Folders.

After you enable Patch Management on a device and apply a profile, the N-central agent will configure the settings for the device and then connect to the specified WSUS server so that the device can be placed in the correct computer groups.

Approving and Declining Patches

After the configuration of the WSUS system is complete, you can begin approving patches for deploy-ment. N-central allows you to efficiently deploy patches across a number of Windows devices (regardless of the customer that they belong to) by completing the following steps:

1. Filtering and searching available patches to determine which should be deployed. 2. Selecting the approval status to be assigned to patches.

3. Setting a patch deployment deadline (if applicable).

4. Accepting EULAs (End User License Agreements) on a individual patch basis or all at once (if appli-cable).

5. Confirming your selections.

To display the list of patches waiting for deployment

l On the menu bar, clickSetup>Patch Management>Deploy Patches.

TheSelect Patchesscreen appears.

To filter the list of patches

(23)

filtering in order to provide a manageable amount of patch information.

1. On the menu bar, clickSetup>Patch Management>Deploy Patches.

2. In theClassificationcolumn, select the classification of patches you want to display from one of the following: l Critical Updates l Definition Updates l Drivers l Feature Packs l Security Updates l Service Packs l Tools l Update Rollups l Updates

3. In theApprovalcolumn, select the current approval setting of patches you want to display from one of the following:

l Approved for Install l Approved for Removal l Declined

l Mixed

l Not Approved

4. In theSeveritycolumn, select the severity rating of patches you want to display from one of the following: l Critical l Important l Low l Moderate l Unspecified

5. In theStatuscolumn, select the current status of patches you want to display from one of the following:

l Failed l Installed l Needed l Not Needed

Tip:You can use Ctrl-click or click-and-drag to select multiple criteria within a column.

6. In theEnter text to search forfield, type information to use to filter the patch list including the name of the patch, Knowledge Base number, or other criteria.

(24)

Note:You can useReset Filterto undo any selections you have made and display the entire list of available patches.

To deploy patches

1. On the menu bar, clickSetup>Patch Management>Deploy Patches.

2. If necessary, filter the list of displayed patches as described above.

3. Select the check box next to the patch (or patches) you would like to deploy.

Tip:You can select the check box next to theKB Numbercolumn to select all of the patches in the list that is currently displayed.

4. Click2. Approve PatchesorNext Stepto proceed.

TheApprove Patchesscreen appears.

5. Select the criteria forSet selected patches tofrom one of the following:

l Approved for Install l Approved for Removal l Declined

Note:Declinedis only available as an approval criteria for Product Administrators or SO Admin-istrators if there are no product-level WSUS servers available in N-central.Approved for Removalis only available for software patches that support this feature.

If you selectedApproved for Install, you will need toSpecify your target devices (or device groups)by navigating through the list of folders and choosing the service organization, customer and folder (or folders) for which the associated devices will have the patch installed. Note:The target devices tree is hierarchical in nature so that selecting a folder at one level will

apply the patches to matching folders at all levels below the one that is selected (including new devices as they are added). Icons in the target devices tree indicate selections as fol-lows:

Approved for Install

Indicates that approved patches will be installed on all devices asso-ciated with the folder.

Not Approved Indicates that approved patches will not be installed on all devices asso-ciated with the folder.

No Change Indicates that existing patch approvals should not be altered for devices associated with the folder.

6. Click3. Set Installation Deadlines(if applicable) orNext Stepto proceed.

If applicable, theSet Installation Deadlinescreen appears. If no deadline setting is available, skip tostep 11.

(25)

l None l Custom

If you selectedCustom, you will need to specify theDateandTimethat will be the deadline by which all approved patches must be installed. Click in the respective fields to selectDateand Timevalues.

8. Click4. Review and Accept EULAs(if applicable) orNext Stepto proceed.

If applicable, theReview and Accept EULAsscreen appears. If no EULAs are provided for the accepted patches, skip tostep 11.

9. ClickEULAbeside the name of the patch to read its End User License Agreement.

When the EULA is displayed, clickAcceptorDeclinein the dialog box to indicate acceptance or refusal of the agreement. You can also select the check box next to the patch (or patches) to accept a EULA without displaying it.

Tip:You can select the check box next toAccept EULAto indicate acceptance of the EULAs for all of the patches.

10. Click5. Confirmation(if applicable) orAccept EULA and Approve Patchesto proceed.

TheConfirmation screen appears.

11. ClickFinish.

(26)

Viewing Installed Patches

The Windows Agent will automatically discover all installed patches on the device when the agent is first installed as well as when the agent runs its daily asset discovery. This includes information such as patch details, installation date, and installation status. This information is then made available in the N-central UI on the device'sAssettab and is also included in the Patch Status Report and Patch Inventory Report.

(27)

(28)

Patch Management Reporting

A key element of N-central's Patch Management feature is the ability to provide effective reporting. The patch management reports are designed to be highly flexible in order to support a variety of use cases. Specifically, there are several key reports that you can deliver:

Patch Status Report

l Missing Patches (by system) l One, several, or all devices l One, several, or all categories l Patches older than a certain age l Installed Patches (by system)

l One, several, or all devices l One, several, or all categories

l Patches installed in the last <x> many days l All Patches (installed and missing)

Patch Inventory Report

l Missing Patches (by patch) l Installed Patches (by patch)

l Which computers are missing a specific patch l Which computers have a specific patch

l Report on patches by name or KB article or other criteria

Missing Patches Report

l Show (per customer) the number of missing patches (by type) l Show top <x> customers by missing patches

l Click through to show individual customer details

WSUS Status Report

l WSUS servers (up to a maximum of 20) that have the largest number of assigned devices l Indicate the WSUS level, version, number of customers, number of devices and details on

syn-chronization for each WSUS server

l Indicate customer assignment, update products, and update classifications for WSUS servers l Indicate device assignment, update products, and update classifications for WSUS servers

Leveraging these reports, N-central can support a wide range of needs including:

l helping a technician understand the software patches that need to be deployed or the devices on

which a bad patch needs to be rolled back,

l showing a customer their patch status,

l showing a customer the work that was done, needs to be done, or

(29)

Upgrading Patch Management from N-central 7.0

Note:During the upgrade to N-central 7.1, any instances of the Patch Management service will be replaced with the new Patch Status service. New instances of the Patch Status service will, how-ever, report a Misconfigured status until Windows agents are also upgraded to 7.1.0.1060. While N-central 7.0 provided patch management using integration with Microsoft WSUS 3.0, the fea-tures included in N-central 7.0 were quite different in both architecture and scope. Due to these changes, any existing N-central patch management configuration options will not be upgraded. To use your existing patch management configuration in N-central 7.1 1. Upgrade your N-central server to 7.1.

2. Uninstall the N-able Connector from the WSUS server.

3. On your domain controller, remove all patch-related group policy settings. 4. Install a 7.1 agent on the WSUS server.

5. Promote the WSUS server to the SO-level.

6. Configure the WSUS options to match the settings that suit your needs and environment. 7. Enable the WSUS server.

8. Create a patch profile at the SO-level: a. Specify the patch management settings.

b. Set the WSUS server toBest Available. With only one server (at the SO-level) all devices will use it.

9. Enable Patch Management on all devices for which you want to manage patches. You can use your folder templates to simplify this task.

This will cause all devices that you have enabled for Patch Management to check into the WSUS server. N-central will automatically create the groups and manage the devices.

(30)

Appendix: Patch Installation and Approval Status

The list of available patches displayed on theSelect Patchesscreen includes the following information for each patch:

l KB (Knowledge Base) Number l Patch Name l Date l Classification l Severity l Status l Approval

TheStatusof each patch will be a combination of the individualStatusvalues of that patch across all applicable devices. The combined Status value can be one of the following (listed in order of importance):

1. Failed 2. Needed 3. Installed 4. Not Needed

The highest-ranked of these statuses found on any applicable device will be reported as the combined Statusfor the patch. For example, if one device had a status of Failed for this patch, while two other devices have a status of Needed for this patch, the patch would have an overall combinedStatusof Failed.

Patches with the statusNeededwill be displayed with the following icon:

Clicking on this icon will display all of the devices that are reporting theNeededstatus for this software patch. This allows you to better understand which devices will be installing the patch after it has been approved.

TheApprovalvalue of each patch will be a combination of the individualApprovalvalues of that patch across all computer groups. TheApprovalvalues are combined as follows:

l Declined + any other Approval value = Declined

l Approved for Install + Not Approved = Approved for Install l Approved for Install + Approved for Removal = Mixed

(31)

development plans and on our best estimates of the research and development time required to build, test, and implement each of the documented features. This document does not represent any firm commitments by N-able Technologies Inc. to features and/or dates. N-able Technologies will at its best effort, try to meet the specified schedule and will update this document should there be any significant changes. N-able Technologies reserves the right to change the release schedule and the content of any of the planned updates or enhancements without notice. Publication or dissemination of this document alone is not intended to create and does not constitute a business relationship between N-able Technologies and the recipient.

Feedback

N-able Technologies is a market driven organization that places importance on customer, partner and alliance feedback. All feedback is welcome at the following email address:[email protected].

About N-able Technologies

N-able Technologies is the global leader in remote monitoring and management software for managed service providers and IT departments. N-able’s award-winning N-central platform and complementary toolsets, backed by best-in-class business and tech-nical services, are proven to reduce IT support costs, improve network performance and increase productivity through the proactive monitoring, management and optimization of IP-enabled devices and IT infrastructure. N-able is 100% channel-friendly and main-tains operations in North America, the U.K., the Netherlands and Australia.

All rights reserved. This document contains information intended for the exclusive use of N-able Technologies' personnel, partners, and potential partners. The information herein is restricted in use and is strictly confidential and subject to change without notice. No part of this document may be altered, reproduced, or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of N-able Technologies.

Copyright protection includes, but is not limited to, program code, program documentation, and material generated from the soft-ware product displayed on the screen, such as graphics, icons, screen displays, screen layouts, and buttons.