Providing Patch Management With N-central. Version 7.1


Contents

Patch Management
Introduction
Monitoring for Missing Patches
Setting up Patch Management in N-central
Adding a WSUS Server to N-central
What Versions of WSUS Are Supported?
How N-central Monitors Your WSUS Servers
Enabling or Disabling WSUS Servers
Changing which Customers can Use a WSUS Server
Configuring WSUS Server's Patch and Language Options
Maintaining your WSUS Servers
Patch Profiles
Adding Patch Profiles
Patch Profile Settings
Editing Patch Profiles
Viewing the Folders and Devices Associated to a Patch Profile
Deleting Patch Profiles
Configuring Devices for Patch Management
Approving and Declining Patches
Viewing Installed Patches
Patch Management Reporting
Patch Status Report
Patch Inventory Report
Missing Patches Report
WSUS Status Report
Upgrading Patch Management from N-central 7.0
Appendix: Patch Installation and Approval Status

Patch Management

Introduction

In today's security-conscious environment, providing patch monitoring and management services is critical for anyone delivering managed IT services. The challenge is that while delivering patch management services has the potential to be both complex and expensive, your customers will not want to pay extra for it and will simply expect it to be a part of your service offering.

With these issues in mind, N-able Technologies provides a new integrated patch management feature with N-central 7.1, powered by Microsoft WSUS 3.0. N-central 7.1 takes a unique approach to providing patch management by dividing patch monitoring and patch management into two separate functions. Patch Monitoring, which provides the ability to see which software patches are missing on devices, can be done on both Essential and Professional devices, while Patch Management (the approval and declining of specific patches) can only be done on Professional devices. This distinction provides added flexibility that allows IT service providers to better tailor their service offerings to the needs of their clients.

Who Should Read This Guide?

This document is designed for N-central administrators. It is highly recommended that anyone who is using the Patch Management features in versions prior to N-central 7.1 read this guide before upgrading. This guide is current as of Tuesday, November 09, 2010.

Monitoring for Missing Patches

When an N-central 7.1 Windows Agent is installed on a device, the Patch Status service is automatically added to that device. The Patch Status service queries the Windows Update Agent (WUA) on the device to determine the patches that are missing. WUA is local to the device that is being monitored and so the Patch Status service will report patch data even if the device is not configured to report to a WSUS server.

The Patch Status service returns key information including:
- the total number of missing patches
- the number of patches installed with errors
- missing patches by category (Security Updates, Critical Updates, Service Packs, Update Rollups, Feature Packs, Updates, and Software Driver Updates)
- missing patches (of specific categories) older than a user-specified number of days.
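The same Windows Update Agent data can be read directly on a device to cross-check what the Patch Status service reports. The PowerShell below is an added example, not N-central code and not part of the original guide; the function names, the 30-day default, and the treatment of history result codes 3 and 4 as "installed with errors" are assumptions of the example.

```powershell
# Added example, not N-central code: summarise what the local Windows Update
# Agent (WUA) reports, in the shape of the Patch Status list above.
# Function and parameter names are this example's own.

function Get-WuaUpdateSource {
    # WUA scans against a WSUS server only when policy sets both values below;
    # otherwise it uses Windows Update.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$key\AU" -ErrorAction SilentlyContinue
    if ($wu -and $au -and $au.UseWUServer -eq 1 -and $wu.WUServer) {
        return "WSUS ($($wu.WUServer))"
    }
    return 'Windows Update'
}

function Get-MissingPatchSummary {
    param(
        [int]$OlderThanDays = 30,   # assumed; the guide leaves this user-specified
        [string[]]$AgeCategories = @('Security Updates', 'Critical Updates')
    )

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Applicable to this device, not installed, not hidden by a user.
    # The search runs against whichever source the agent is configured to use.
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$OlderThanDays)

    $byCategory = @{}
    $old = @()
    foreach ($update in $result.Updates) {
        # Each update lists product and classification categories; the
        # classification is the "Security Updates" / "Critical Updates" bucket.
        $class = $update.Categories |
            Where-Object { $_.Type -eq 'UpdateClassification' } |
            Select-Object -First 1
        $name = if ($class) { $class.Name } else { 'Unclassified' }
        $byCategory[$name] = 1 + [int]$byCategory[$name]

        # LastDeploymentChangeTime is the update's last published date (UTC).
        if ($AgeCategories -contains $name -and
            $update.LastDeploymentChangeTime -lt $cutoff) {
            $old += $update.Title
        }
    }

    # Install operations (Operation 1) that ended "succeeded with errors" (3)
    # or "failed" (4). This counts history entries, so a patch that failed and
    # was later retried successfully is still counted here.
    $withErrors = 0
    $count = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        foreach ($entry in $searcher.QueryHistory(0, $count)) {
            if ($entry.Operation -eq 1 -and (3, 4) -contains $entry.ResultCode) {
                $withErrors++
            }
        }
    }

    [pscustomobject]@{
        UpdateSource        = Get-WuaUpdateSource
        TotalMissing        = $result.Updates.Count
        InstalledWithErrors = $withErrors
        MissingByCategory   = $byCategory
        OlderThanDays       = $OlderThanDays
        OldMissingTitles    = $old
    }
}

$summary = Get-MissingPatchSummary -OlderThanDays 30
$summary | Format-List UpdateSource, TotalMissing, InstalledWithErrors, OlderThanDays
$summary.MissingByCategory.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
$summary.OldMissingTitles
```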

Setting up Patch Management in N-central

N-central 7.1 provides a very flexible and powerful patch distribution and management solution. The solution is based on Microsoft WSUS but the configuration and management of WSUS is done using the N-central user interface, making it easy and efficient to manage multiple WSUS servers at the same time. Beyond installing WSUS, there is virtually no interaction required with the WSUS user interface.

There are three phases to setting up patch management in N-central:
- Configuring your WSUS servers
- Creating Patch Profiles
- Approving and Declining Patches

Before reviewing how to configure your WSUS servers, we should first examine where you might want to install them.

Common WSUS Deployment Scenarios

N-central 7.1 provides a great deal of flexibility in how you deploy your WSUS servers. You can make WSUS servers available to just one customer, all customers within a Service Organization, or across all Service Organizations in your N-central server. Those WSUS servers can be either on-site (within your customer's network) or can be publicly accessible on the internet. Through patch profiles, N-central also gives you the ability to use a mix of on-site and publicly-accessible WSUS servers, giving you the flexibility to offer patch management to devices that are on the road (like a Salesperson's laptop) and in the office.

The main advantage to using on-site WSUS servers is that they can store patches locally and distribute them to servers and workstations on the local network. This optimizes the Internet bandwidth that is used because the patches are only downloaded from the internet once. The disadvantage of on-site WSUS servers is that they can only be used for devices on the same network; as soon as a device leaves the network, it can no longer be managed by that WSUS server.

The main advantage of a publicly accessible WSUS server is that it can be used by any device that has internet access. The disadvantage of a publicly accessible WSUS server is that each patch must be downloaded separately by each device, making bandwidth consumption an issue.

It is likely that you will want to use patch profiles (covered later on in this document) to have your customer's workstations and servers report to an on-site WSUS server, and your customer's laptops report to a publicly accessible WSUS server.

Adding a WSUS Server to N-central

Adding a WSUS server to N-central is simple - you simply install a Windows Agent on it. The Windows Agent will discover the installed WSUS software and will then add the server to the list displayed on the WSUS Server Management screen (accessible through Setup > Patch Management > WSUS Servers in the N-central UI). WSUS servers that have been discovered but are not yet enabled for patch management will be indicated by an icon. Servers that have been enabled will be indicated by a different icon.

If you install WSUS on the server after the agent has been installed, the WSUS server will still be discovered as the agent repeats its discovery action every 24 hours. Additionally, you can trigger an immediate discovery by clicking Update Now on the Asset tab of the device in question.

What Versions of WSUS Are Supported?

N-central 7.1 supports, at minimum, Microsoft WSUS 3.0 Service Pack 2. Older versions of WSUS will be discovered but cannot be used for patch management in N-central. As new versions of WSUS become available, N-able Technologies will test the integration with N-central and make any updates necessary to provide support for the new version. We do not recommend upgrading WSUS until official support is provided for the new version in order to ensure that your patch system is operating properly.

To display the WSUS servers managed by N-central
1. On the menu bar, click Setup > Patch Management > WSUS Servers.
   The WSUS Server Management screen appears.

To add a new WSUS server to the list of WSUS servers managed by N-central
Note: The following procedure can only be performed at the customer level. Select the appropriate customer in the navigation pane to continue. For more information, refer to Navigating N-central.
1. On the menu bar, click Setup > Patch Management > WSUS Servers.
2. Click Add.
   The Add WSUS Servers dialog box that appears will instruct you to install an agent on the WSUS server itself (and provides a link for downloading a Windows agent). N-central's asset discovery mechanism will automatically add the server to the list.
Note: If the WSUS server is publicly-accessible, you must change the Network Address of the WSUS server in N-central from the private IP address to a public IP address.

To force N-central to detect WSUS on a device already managed by N-central
1. Navigate to the appropriate customer.
2. Click All Devices View in the navigation pane.
3. Click on the name of the device that is the WSUS server.
   The Device Properties screen appears.
4. Select the Asset tab.
5. Click Update Now.
   When the discovery job is completed, the WSUS server will be included in the list displayed on the WSUS Server Management screen.

Previously-configured WSUS Servers

For N-central to manage devices in WSUS, client-side targeting must be disabled in the WSUS UI by performing the following:

To configure client-side targeting on a WSUS server
1. Click Control Panel > Administrative Tools > Windows Server Update Services to access the WSUS UI on the WSUS server.
2. Click Options in the left-hand UI pane.
3. Click Computers in the middle UI pane.
4. Select Use the Update Services console.
5. Click OK.

How N-central Monitors Your WSUS Servers

Once you have configured WSUS and are using it to manage software patches, it will become a key component of your infrastructure. As a result, WSUS itself must be managed and monitored. When you add a WSUS server to N-central, the WSUS 3.0 service template will be automatically assigned to the device. This provides complete monitoring of WSUS including event log, process availability, and the WSUS Status service. This monitoring ensures that the WSUS server is not reporting errors and that it is synchronizing with Microsoft correctly. The collected data is included in the WSUS Status report which will help in providing optimal service levels and can demonstrate the availability of the patch solution to your customer's auditors.

Tip: If your WSUS server is publicly-accessible and your WMI-based services transition to a Misconfigured state, perform the following:
1. In N-central, configure the Network Address of the WSUS server to the public IP address.
2. Wait until your WMI-based services transition to a Misconfigured state.
3. Disable the Windows Firewall on the WSUS server.
4. After the scan for the WMI-based services is completed again, the services should transition back to a Normal state.
5. Enable the Windows Firewall on the WSUS server once more.

Enabling or Disabling WSUS Servers

Managing a WSUS server in N-central includes the ability to enable or disable the server as a point of distribution for patches. Enabling a WSUS server allows it to be used for deploying patches and to be monitored by N-central. Disabling a WSUS server makes it unavailable for deploying patches and it will not be monitored by N-central.

Note: All newly-added WSUS servers are disabled by default.

To enable a WSUS server
1. On the menu bar, click Setup > Patch Management > WSUS Servers.
   The WSUS Server Management screen appears.
2. Select the check box beside each of the server names you want to enable.
   Tip: Selecting the check box at the top of the column will select all of the WSUS servers in the list.
3. Click Enable.
   An icon will appear in the Enabled column beside the name of the WSUS server (or servers) that has been enabled.

To disable a WSUS server
1. On the menu bar, click Setup > Patch Management > WSUS Servers.
   The WSUS Server Management screen appears.
2. Select the check box beside each of the server names you want to disable.
   Tip: Selecting the check box at the top of the column will select all of the WSUS servers in the list.
3. Click Disable.
   A dialog box will appear confirming whether you want to disable the WSUS server (or servers).
4. Click Save.
   An icon will appear in the Enabled column beside the name of the WSUS server (or servers) that has been disabled.

Changing which Customers can Use a WSUS Server

The WSUS Server Management screen can be accessed from any level (System, Service Organization, or Customer). Only the WSUS servers that can be managed by the current user will be displayed. Under the Customer/SO Name column, you will see the level at which the WSUS server is currently listed. If you want the WSUS server to only be visible to devices within the current customer, this column should display the customer name. If you want to make a WSUS server visible to all devices at the service organization level, select it and click Make Available at Another Level. Select the service organization name from the drop-down menu that appears and click Save. You will see the customer name change to the service organization name.

To change the level of a WSUS Server
1. On the menu bar, click Setup > Patch Management > WSUS Servers.
   The WSUS Server Management screen appears.
2. Select the check box beside each of the server names whose level you want to change.
   Tip: Selecting the check box at the top of the column will select all of the WSUS servers in the list.
3. Click Make Available at Another Level.
   The Make Available at Another Level dialog appears.
4. Select the new level from the drop-down menu.
5. Click Save.
   The setting listed under the Customer/SO Name column will change.

Configuring WSUS Server's Patch and Language Options

In addition to controlling which customers can use a given WSUS server, you can also use the WSUS Server Management screen to configure the WSUS server's patch and language options. Available options include:
- Products to support
- Product Classifications
- Download and Store Patches on the WSUS server
- Which languages to support
- Synchronization schedule

Since you can select more than one server from the WSUS Servers screen, it is easy to configure all of your WSUS servers to use the same settings. It is strongly recommended that you manage these settings through N-central rather than using the WSUS user interface.

Best Practices
- If you are using a hosted server, DO NOT store patches locally but if you are using an on-premise server, DO store patches locally.
- If you store patches locally, adjust the languages supported to only those that are in use by your customers. This will minimize WSUS disk space requirements.
- Ensure that your WSUS server is set to synchronize automatically at least once per day. This will ensure that your patch list is always up to date.

To configure WSUS Server options
Note: No configuration changes can be made to disabled WSUS servers. The settings are saved in N-central. When the WSUS server is enabled, the settings are then applied to the WSUS server.
1. On the menu bar, click Setup > Patch Management > WSUS Servers.
   The WSUS Server Management screen appears.
2. Select the check box beside each of the names of the WSUS servers that you want to configure.
   Tip: Selecting the check box at the top of the column will select all of the WSUS servers in the list.
3. Click Configure WSUS Options.
   The Configure WSUS Server Settings dialog appears.
4. Select the configuration options that you want to apply from the following:
   a. Select which product you would like to support - identifies the patch products you want the WSUS server to support.
   b. Select the update classification to provide - identifies the classification of patches you want the WSUS server to provide.
   c. Specify where you would like to store Update Files - identifies whether Windows Update files will be stored locally on the WSUS server or not. If you select Store updates locally, you must identify the type and language of updates to be stored.
   d. Configure your desired Synchronization schedule - identifies whether the WSUS server will synchronize manually or automatically. If you select Synchronize automatically, you must select the time of the first synchronization as well as the number of synchronizations per day.
   Note: When selecting check boxes in the Configure WSUS Server Settings dialog, your selection can have three possible settings:
   Selected: Indicates that the setting will be applied to the WSUS server.
   Not Selected: Indicates that the setting will not be applied to the WSUS server.
   No Change: Indicates that the setting will not change any current settings already applied to the WSUS server.
5. Click Save.
   The WSUS Server Management screen appears.

Maintaining your WSUS Servers

WSUS servers require periodic maintenance which includes deleting unnecessary patches, optimizing the database, and other routine tasks. All of these actions can be done by performing a WSUS Server Cleanup Task from the WSUS Server Management screen. If you select a WSUS server and click Cleanup WSUS, the task is created as a "run now" management task whose status can be viewed in the Job Status Dashboard. If you wish to schedule this task for periodic execution, you can do so from the Setup > Management Tasks menu.

To clean up WSUS servers
1. On the menu bar, click Setup > Patch Management > WSUS Servers.
   The WSUS Server Management screen appears.
2. Select the check box beside each of the names of the WSUS servers that you want to clean.
   Tip: Selecting the check box at the top of the column will select all of the WSUS servers in the list.
3. Click Cleanup WSUS.
   The WSUS Cleanup Settings dialog appears.
4. Type the Name you want to use to identify the cleanup task.
5. Select the cleanup settings you want to apply to the task from the following:
   - Remove unused updates and update revisions
   - Delete computers not contacting the server
   - Delete unneeded update files
   - Decline expired updates
   - Decline superseded updates
6. Click Save.
   The WSUS Server Management screen appears.

Patch Profiles

Patch profiles are used to configure all of the patch-related settings that need to be configured on Windows devices. This includes items such as the WSUS server to use, whether or not to reboot after installing the patches, and whether or not to alert the user when new patches are downloaded.

Patch profiles are a key feature in N-central, as they allow you to re-use the same patch settings across multiple customers. This saves you and your technicians time that would have to be otherwise spent configuring patch settings in the Group Policy of each of your customer's domains.

Access to patch profiles is based upon the level at which they are created. For example, a profile created at the System level is available at all levels while a profile created at the Service Organization level would only be available within that Service Organization.

Best Practices
- Configuring the default Patch Management profile at the highest level possible will provide consistent settings for all lower-level accounts. For example, modifying the default Patch Management profile at the Product Administrator level will define the settings for the profiles in all Service Organization and Customer accounts.
- It is strongly recommended that you disable any group policy objects that configure Windows Update as they will conflict with the N-central settings.

Adding Patch Profiles

N-central provides a default Patch Management profile. Depending on your needs, however, it may be necessary to create additional profiles. You can also copy a profile by using the "clone" feature to create a new profile that has a similar configuration to an existing one but with minor differences. This can make the task of creating multiple profiles faster and easier.

Note: Cloning a profile will include both its settings and its associated devices.

To add a new profile
1. On the menu bar, click Setup > Patch Management > Profiles.
   The Profiles screen appears.
2. Click Add.
   The Add Profiles screen appears.
3. Define the profile settings as required. For more information, refer to Patch Profile Settings.
4. Click Save.
   A dialog box will appear confirming whether you want to save the new profile.
5. Click Save.
   The Profiles screen appears.

To clone a profile
1. On the menu bar, click Setup > Patch Management > Profiles.

   The Profiles screen appears.
2. Select the profile you want to duplicate.
3. Click clone.
4. Type a descriptive Name to identify the profile.
5. In the Description field, type additional information about the profile.
6. Click Save.
   The Profiles screen appears.
Note: After you have cloned a profile, you need to edit the new profile's settings. For more information, refer to Editing Patch Profiles.

Patch Profile Settings

Patch Management profiles have a number of different settings that will affect how patches will be deployed including:

Name: A descriptive term or label used to identify the profile.

Description: Additional information about the profile that will be displayed in the Profiles table.

Configure Automatic Updates

Disable Automatic Updates: Activates (or de-activates) N-central's ability to automatically install software patches when they are approved through N-central.
Warning! Disabling this option means that all devices associated with this profile must have software patches manually applied.

Configure Automatic Updating: Defines how the deployment of patches will be applied to target devices from one of:
- Notify before download - Will send a notification of software updates being available before they are downloaded and before they are installed.
- Automatically download and notify of installation - Will automatically download software updates when they are available but will send a notification before they are installed.
- Automatic download and scheduled installation - Will automatically download software updates when they are available and will install them at the scheduled date and time.
- Automatic Updates is required but end users can configure it - Will automatically download software updates but will allow users to configure options such as the date and time when they will be installed.
Note: If Automatic download and scheduled installation is selected, you must select a Schedule Install Day and Schedule Install Time when patches will be installed.

Enable Automatic Updates Detection: Activates (or de-activates) the automatic detection of software updates.
Note: If Enable Automatic Updates Detection is set to Yes, you must select the Automatic Updates Detection Frequency (Hours) value to determine the interval between when N-central will check for software updates (to a maximum of 22 hours).

Allow Non-Administrators to receive update notifications: Provides permission for N-central to send notifications to non-administrator accounts. For example, if this option is enabled, end users will be notified when software updates have been downloaded and are available to be installed on their computers.

Turn on Software Notifications: Activates (or de-activates) the transmission of notifications. The notifications sent will depend on the setting selected for the Configure Automatic Updating option.

Allow Automatic Updates Immediate Installation: Activates (or de-activates) the immediate installation of minor updates that do not interrupt Windows services or require Windows to be restarted. If this is set to Yes, N-central will immediately install these updates as soon as they are downloaded and ready to be installed.

No Auto Restart with Logged On User for Scheduled Automatic Updates: Activates (or de-activates) N-central's ability to automatically restart Windows devices when a user is currently logged on. If this is set to Yes, N-central will not restart the device automatically after software updates are installed and a user is logged on to the device. The user will be prompted to restart the device.

Delay Restart for Scheduled Installations: Activates (or de-activates) a specified delay before N-central will restart Windows devices following the installation of software updates.
Note: If Delay Restart for Scheduled Installations is set to Yes, you must select a value for Wait (minutes) before proceeding with scheduled restart from 1 minute to 29 minutes.

Re-Prompt Restart with Scheduled Installations: Activates (or de-activates) a specified delay before N-central will send another prompt to logged-on users that Windows devices will be restarted following the installation of software updates.
Note: If Re-Prompt Restart with Scheduled Installations is set to Yes, you must type a value for Wait (minutes) before proceeding with scheduled restart.

Reschedule Automatic Updates Scheduled Installation: Activates (or de-activates) a specified delay before N-central will install software updates that were missed (for example, if a device was shut down during a scheduled software update).
Note: If Reschedule Automatic Updates Scheduled Installation is set to Yes, you must type a value for Wait (minutes) after system startup.

Setting Enable Windows Update Power Management to Automatically Wake up the System Specify Patch Server to use (WSUS or Windows Update) Description Activates (or de-activates) the capability to "wake up" a Windows device (even if it is in hibernation mode) in order to install a critical software update. Identifies either the WSUS server or Windows Update service that will be used for deploying patches. Note: Using a Windows Update service for deploying patches will disable the patch approval features available with a WSUS server. After you have identified the server or service from which patches will be deployed, activate (or de-activate) Allow Signed Updates from an Intranet Microsoft update service location. This controls whether or not software updates will be accepted if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. If this setting is set to No, software updates from an intranet Microsoft update service location will only be accepted if they are signed by Microsoft. Do not display "Install Updates and Shut Down" option in Shut Down Menu Activates (or de-activates) the ability to display an "Install Updates and Shut Down" option when a Windows device is being turned off or restarted even if software updates are available. Note: If Do not display "Install Updates and Shut Down" option in Shut Down Menu is set to Yes, you must activate (or de-activate) the Do not adjust default option to "Install Updates and Shut Down" in Shut Down Menu option. One of the key settings for Patch Management profiles is the Specify Patch Server to use. This determines the location to which the Windows Update agent will connect in order to receive patch information. There are several options available including: Windows Update (default setting) Best Available WSUS Servers These options provide very different results. The Windows Update option configures the Windows Update Agent to connect to the Windows Update service. 
This allows patch management to be performed on a device without using WSUS. The advantage to this is the universal availability of the Windows Update site. One drawback, however, is the lack of management capabilities - the administrator cannot configure which individual patches should be applied.

Best Available configures the Windows Update Agent to use the best available WSUS server, directing N-central to look for a customer-level WSUS server. If one is available, the device will be configured to use that server. If there is no customer-level WSUS server available, N-central will attempt to configure an SO-level server. If an SO-level server isn't available, N-central will then attempt to use a product-level server. Should there be no WSUS servers available, N-central will configure the WUA to use Windows Update. The advantage to this functionality is that N-central will re-evaluate the best available configuration whenever a new server is enabled. As a result, if a system is configured to use an SO-level server and a customer-level WSUS server is added, N-central will automatically reconfigure the devices to use the customer-level server.

Selecting WSUS Servers allows you to select a specific WSUS server. Use this option if you know the specific server that you want to use.

Editing Patch Profiles

Any patch profile (including the default profile provided by N-central) can be modified. When a profile is modified, any changes made will be applied to all of the devices that use the profile.

If you try to edit a profile that was created at a higher account level, N-central will automatically create a copy of the profile at the level that it is being edited, including the associated devices, and save it at that level. This will disconnect the association to the profile that was created at a higher account level. For example, an SO Admin attempting to edit a profile created at the system level will create a new copy of the profile within their respective service organization.

To edit a profile

1. On the menu bar, click Setup > Patch Management > Profiles.
   The Profiles screen appears.
2. In the Name column, click the name of the profile that you would like to edit.
   The Edit Profiles screen appears.
3. Update the profile settings as required. For more information, refer to Patch Profile Settings.
4. Click Save.
5. When prompted, click Save to confirm the modifications.
   The Profiles screen appears.

Viewing the Folders and Devices Associated to a Patch Profile

You can view the associations a Patch Management profile has to folder templates, folders and devices.

To view profile associations

1. On the menu bar, click Setup > Patch Management > Profiles.
   The Profiles screen appears.
2. In the Name column, click the name of the profile for which you would like to view all associations.
   The Edit Profiles screen appears.
3. Click the Associations tab.
   The Associations tab appears, displaying all associations for the selected profile.

Deleting Patch Profiles

You may want to delete one or more patch profiles as your patch deployment policies evolve. Be cautious when you do this as devices will need to use an existing profile if they are to receive deployed patches.

If you try to delete a profile that is currently being used by one or more devices, you will be warned that it is an active profile. You may then either cancel the deletion or specify a replacement profile to be applied to those devices that are using the profile.

Tip: You can delete multiple patch profiles simultaneously.

To delete a profile

1. On the menu bar, click Setup > Patch Management > Profiles.
   The Profiles screen appears.
2. Select the check box next to the profile (or profiles) that you want to delete.
   Tip: You can select the check box next to the Name column to select all of the profiles.
3. Click Delete.
4. When prompted, click Delete to confirm the removal of the selected profiles.
   The Profiles screen appears.

Configuring Devices for Patch Management

After WSUS servers are configured (and enabled) and your patch profiles are set up and ready to use, you can enable Patch Management on your managed devices. The Patch Management feature is only available on Professional devices that have a Windows Agent installed on them.

Patch Management can be enabled in three different ways: on a per-device basis, by bulk-editing multiple devices simultaneously, or by configuring Patch Management options through a folder.

Note: It may take up to 24 hours for the Patch Management feature to be fully operational as the Windows Update Agent (WUA) on all configured devices must synchronize with a WSUS server. Following the completion of this initial registration period, Patch Management functionality will be fully available on managed devices.
To configure single or multiple devices for Patch Management

Note: The following procedure can only be performed at the customer level. Select the appropriate customer in the navigation pane to continue. For more information, refer to Navigating N-central.

1. Click All Devices View in the navigation pane.
   The All Devices View screen appears.
2. Perform the following:
   For a single device, click the device that you would like to edit in the Name column.
   For multiple devices, select the check box beside each of the device names you wish to edit and click Edit.
3. Under Patch Management, select Enable Patch Management.
4. From the Select Patch Management Configuration Profile drop-down list, select the profile that you want to be applied to the device (or devices).
5. Click OK.
   The device properties are updated and the All Devices View screen appears.

To enable Patch Management using folder templates

Note: This feature is available at the Service Organization level.

1. On the menu bar, click Setup > Folder Templates.
   The Folder Templates screen appears.
2. In the Name column, click the folder that you would like to edit.
   The Edit Folder Template screen appears.
3. Under Patch Management, select Manage Patch Settings.
4. From the Select Patch Management Configuration Profile drop-down list, select the profile that you want to be applied to the devices associated with the folder template.
5. Click OK.

   The folder template is updated and the Folder Templates screen appears.

Note: This operation can also be carried out at the Customer level for individual folders. For more information, refer to Editing Folders.

After you enable Patch Management on a device and apply a profile, the N-central agent will configure the settings for the device and then connect to the specified WSUS server so that the device can be placed in the correct computer groups.

Approving and Declining Patches

After the configuration of the WSUS system is complete, you can begin approving patches for deployment. N-central allows you to efficiently deploy patches across a number of Windows devices (regardless of the customer that they belong to) by completing the following steps:

1. Filtering and searching available patches to determine which should be deployed.
2. Selecting the approval status to be assigned to patches.
3. Setting a patch deployment deadline (if applicable).
4. Accepting EULAs (End User License Agreements) on an individual patch basis or all at once (if applicable).
5. Confirming your selections.

To display the list of patches waiting for deployment

On the menu bar, click Setup > Patch Management > Deploy Patches.
The Select Patches screen appears.

To filter the list of patches

Depending on your configuration, the list of available patches can be quite long and may require filtering in order to provide a manageable amount of patch information.

1. On the menu bar, click Setup > Patch Management > Deploy Patches.
   The Select Patches screen appears.
2. In the Classification column, select the classification of patches you want to display from one of the following:
      Critical Updates
      Definition Updates
      Drivers
      Feature Packs
      Security Updates
      Service Packs
      Tools
      Update Rollups
      Updates
3. In the Approval column, select the current approval setting of patches you want to display from one of the following:
      Approved for Install
      Approved for Removal
      Declined
      Mixed
      Not Approved
4. In the Severity column, select the severity rating of patches you want to display from one of the following:
      Critical
      Important
      Low
      Moderate
      Unspecified
5. In the Status column, select the current status of patches you want to display from one of the following:
      Failed
      Installed
      Needed
      Not Needed
   Tip: You can use Ctrl-click or click-and-drag to select multiple criteria within a column.
6. In the Enter text to search for field, type information to use to filter the patch list including the name of the patch, Knowledge Base number, or other criteria.
7. Click Filter.

Note: You can use Reset Filter to undo any selections you have made and display the entire list of available patches.

To deploy patches

1. On the menu bar, click Setup > Patch Management > Deploy Patches.
   The Select Patches screen appears.
2. If necessary, filter the list of displayed patches as described above.
3. Select the check box next to the patch (or patches) you would like to deploy.
   Tip: You can select the check box next to the KB Number column to select all of the patches in the list that is currently displayed.
4. Click 2. Approve Patches or Next Step to proceed.
   The Approve Patches screen appears.
5. Select the criteria for Set selected patches to from one of the following:
      Approved for Install
      Approved for Removal
      Declined
   Note: Declined is only available as an approval criterion for Product Administrators or SO Administrators if there are no product-level WSUS servers available in N-central. Approved for Removal is only available for software patches that support this feature.
   If you selected Approved for Install, you will need to Specify your target devices (or device groups) by navigating through the list of folders and choosing the service organization, customer and folder (or folders) for which the associated devices will have the patch installed.
   Note: The target devices tree is hierarchical in nature so that selecting a folder at one level will apply the patches to matching folders at all levels below the one that is selected (including new devices as they are added).
   Icons in the target devices tree indicate selections as follows:
      Approved for Install: Indicates that approved patches will be installed on all devices associated with the folder.
      Not Approved: Indicates that approved patches will not be installed on all devices associated with the folder.
      No Change: Indicates that existing patch approvals should not be altered for devices associated with the folder.
6. Click 3. Set Installation Deadlines (if applicable) or Next Step to proceed.
   If applicable, the Set Installation Deadline screen appears. If no deadline setting is available, skip to step 11.
7. Specify the deadline options for the patches from one of the following:
      None
      Custom
   If you selected Custom, you will need to specify the Date and Time that will be the deadline by which all approved patches must be installed. Click in the respective fields to select Date and Time values.
8. Click 4. Review and Accept EULAs (if applicable) or Next Step to proceed.
   If applicable, the Review and Accept EULAs screen appears. If no EULAs are provided for the accepted patches, skip to step 11.
9. Click EULA beside the name of the patch to read its End User License Agreement. When the EULA is displayed, click Accept or Decline in the dialog box to indicate acceptance or refusal of the agreement. You can also select the check box next to the patch (or patches) to accept a EULA without displaying it.
   Tip: You can select the check box next to Accept EULA to indicate acceptance of the EULAs for all of the patches.
10. Click 5. Confirmation (if applicable) or Accept EULA and Approve Patches to proceed.
    The Confirmation screen appears.
11. Click Finish.
    The Select Patches screen appears.

Note: At any time during the Patch Deployment Wizard, you can click Back to review previous stages of the procedure.

Viewing Installed Patches

The Windows Agent will automatically discover all installed patches on the device when the agent is first installed as well as when the agent runs its daily asset discovery. This includes information such as patch details, installation date, and installation status. This information is then made available in the N-central UI on the device's Asset tab and is also included in the Patch Status Report and Patch Inventory Report.

Figure: Patch Information on the Asset tab

Figure: Patch details in the Patch Status report

Patch Management Reporting

A key element of N-central's Patch Management feature is the ability to provide effective reporting. The patch management reports are designed to be highly flexible in order to support a variety of use cases. Specifically, there are several key reports that you can deliver:

Patch Status Report
    Missing Patches (by system)
        One, several, or all devices
        One, several, or all categories
        Patches older than a certain age
    Installed Patches (by system)
        One, several, or all devices
        One, several, or all categories
        Patches installed in the last <x> days
    All Patches (installed and missing)

Patch Inventory Report
    Missing Patches (by patch)
    Installed Patches (by patch)
    Which computers are missing a specific patch
    Which computers have a specific patch
    Report on patches by name or KB article or other criteria

Missing Patches Report
    Show (per customer) the number of missing patches (by type)
    Show top <x> customers by missing patches
    Click through to show individual customer details

WSUS Status Report
    WSUS servers (up to a maximum of 20) that have the largest number of assigned devices
    Indicate the WSUS level, version, number of customers, number of devices and details on synchronization for each WSUS server
    Indicate customer assignment, update products, and update classifications for WSUS servers
    Indicate device assignment, update products, and update classifications for WSUS servers

Leveraging these reports, N-central can support a wide range of needs including: helping a technician understand the software patches that need to be deployed or the devices on which a bad patch needs to be rolled back, showing a customer their patch status, showing a customer the work that was done or needs to be done, or demonstrating to an auditor that patch management SLAs are being met.

Upgrading Patch Management from N-central 7.0

Note: During the upgrade to N-central 7.1, any instances of the Patch Management service will be replaced with the new Patch Status service. New instances of the Patch Status service will, however, report a Misconfigured status until Windows agents are also upgraded to 7.1.0.1060.

While N-central 7.0 provided patch management using integration with Microsoft WSUS 3.0, the features included in N-central 7.0 were quite different in both architecture and scope. Due to these changes, any existing N-central patch management configuration options will not be upgraded.

To use your existing patch management configuration in N-central 7.1

1. Upgrade your N-central server to 7.1.
2. Uninstall the N-able Connector from the WSUS server.
3. On your domain controller, remove all patch-related group policy settings.
4. Install a 7.1 agent on the WSUS server.
5. Promote the WSUS server to the SO-level.
6. Configure the WSUS options to match the settings that suit your needs and environment.
7. Enable the WSUS server.
8. Create a patch profile at the SO-level:
   a. Specify the patch management settings.
   b. Set the WSUS server to Best Available. With only one server (at the SO-level) all devices will use it.
9. Enable Patch Management on all devices for which you want to manage patches. You can use your folder templates to simplify this task.

This will cause all devices that you have enabled for Patch Management to check into the WSUS server. N-central will automatically create the groups and manage the devices.

Note: It can take several hours for all of the devices to register with N-central and be displayed.

At this point in time, there will be no approved patches. All existing patches that were installed on devices will remain but all other patches will be Not Approved so that no changes should take place. Going forward, you simply have to approve any patches that you wish to have applied.
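The Best Available setting chosen in step 8b resolves a patch source per device in the order given under Patch Profile Settings: customer-level WSUS, then SO-level, then product-level, then Windows Update. The Python sketch below is an added example, not N-central code; the class names, the constructed sample servers and devices, and the first-match tie-break within a level are assumptions. It also lists the devices that fall back to Windows Update, where the WSUS patch approval features do not apply.

```python
from dataclasses import dataclass
from typing import Optional

WINDOWS_UPDATE = "Windows Update"


@dataclass(frozen=True)
class WsusServer:
    name: str
    level: str            # "customer", "so" or "product"
    owner: Optional[str]  # customer or SO name; None at product level
    enabled: bool = True


@dataclass(frozen=True)
class Device:
    name: str
    customer: str
    so: str


def best_available(device, servers):
    """Resolve one device's patch source in the documented order:
    customer-level WSUS, SO-level, product-level, then Windows Update."""
    search_order = [
        ("customer", device.customer),
        ("so", device.so),
        ("product", None),
    ]
    for level, owner in search_order:
        for server in servers:
            # Assumption: the first enabled match at a level wins.
            if server.enabled and server.level == level and server.owner == owner:
                return server.name
    return WINDOWS_UPDATE


def resolve_all(devices, servers):
    """Map every device to its patch source; re-run whenever a server is enabled."""
    return {d.name: best_available(d, servers) for d in devices}


def without_patch_approval(devices, servers):
    """Devices that fell back to Windows Update, so WSUS approvals do not gate them."""
    resolved = resolve_all(devices, servers)
    return sorted(name for name, source in resolved.items() if source == WINDOWS_UPDATE)


# Constructed sample data (hypothetical names).
DEVICES = [
    Device("acme-dc01", customer="Acme", so="North"),
    Device("acme-ws07", customer="Acme", so="North"),
    Device("globex-ws01", customer="Globex", so="South"),
]
SERVERS = [
    WsusServer("wsus-north", level="so", owner="North"),
    WsusServer("wsus-south", level="so", owner="South", enabled=False),
]

if __name__ == "__main__":
    print(resolve_all(DEVICES, SERVERS))
    print("No approval control:", without_patch_approval(DEVICES, SERVERS))
    # Enabling a customer-level server moves Acme's devices onto it.
    upgraded = SERVERS + [WsusServer("wsus-acme", level="customer", owner="Acme")]
    print(resolve_all(DEVICES, upgraded))
```
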

Appendix: Patch Installation and Approval Status

The list of available patches displayed on the Select Patches screen includes the following information for each patch:

    KB (Knowledge Base) Number
    Patch Name
    Date
    Classification
    Severity
    Status
    Approval

The Status of each patch will be a combination of the individual Status values of that patch across all applicable devices. The combined Status value can be one of the following (listed in order of importance):

1. Failed
2. Needed
3. Installed
4. Not Needed

The highest-ranked of these statuses found on any applicable device will be reported as the combined Status for the patch. For example, if one device had a status of Failed for this patch, while two other devices have a status of Needed for this patch, the patch would have an overall combined Status of Failed.

Patches with the status Needed will be displayed with an icon. Clicking on this icon will display all of the devices that are reporting the Needed status for this software patch. This allows you to better understand which devices will be installing the patch after it has been approved.

The Approval value of each patch will be a combination of the individual Approval values of that patch across all computer groups. The Approval values are combined as follows:

    Declined + any other Approval value = Declined
    Approved for Install + Not Approved = Approved for Install
    Approved for Install + Approved for Removal = Mixed
    Approved for Install + Not Approved + Approved for Removal = Mixed
    Not Approved + Approved for Removal = Mixed
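The roll-up rules above can be expressed directly in code, which makes it easier to see what a combined value hides: a patch shown as Approved for Install may still be Not Approved in some computer groups. This Python sketch is an added example, not N-central code; the function names and the constructed sample data are assumptions, as is the rule that a value shared by every group is reported unchanged.

```python
# Status values in the appendix's order of importance (most important first).
STATUS_ORDER = ["Failed", "Needed", "Installed", "Not Needed"]
APPROVAL_VALUES = {"Approved for Install", "Approved for Removal",
                   "Declined", "Not Approved"}


def _check(values, allowed, what):
    """Reject empty input and values the appendix does not define."""
    if not values:
        raise ValueError(f"no {what} values supplied")
    unknown = set(values) - set(allowed)
    if unknown:
        raise ValueError(f"unknown {what} value(s): {sorted(unknown)}")


def combined_status(device_statuses):
    """Highest-ranked Status reported by any applicable device."""
    statuses = list(device_statuses.values())
    _check(statuses, STATUS_ORDER, "Status")
    return min(statuses, key=STATUS_ORDER.index)


def combined_approval(group_approvals):
    """Combine per-computer-group Approval values using the appendix rules."""
    seen = set(group_approvals.values())
    _check(seen, APPROVAL_VALUES, "Approval")
    if "Declined" in seen:
        return "Declined"              # Declined + any other value
    if "Approved for Removal" in seen and len(seen) > 1:
        return "Mixed"                 # Removal with Install and/or Not Approved
    if "Approved for Install" in seen:
        return "Approved for Install"  # alone, or with Not Approved
    # Assumption: a value shared by every group is reported unchanged.
    return seen.pop()


def members_with(values_by_name, value):
    """Devices or groups behind a roll-up, e.g. the list behind the Needed icon."""
    return sorted(name for name, v in values_by_name.items() if v == value)


# Constructed sample data for one patch (hypothetical device and group names).
SAMPLE_STATUS = {"ws01": "Failed", "ws02": "Needed", "ws03": "Needed",
                 "srv01": "Installed"}
SAMPLE_APPROVAL = {"Workstations": "Approved for Install",
                   "Servers": "Not Approved"}

if __name__ == "__main__":
    print("Status:", combined_status(SAMPLE_STATUS))
    print("Needed on:", members_with(SAMPLE_STATUS, "Needed"))
    print("Approval:", combined_approval(SAMPLE_APPROVAL))
    print("Still Not Approved:", members_with(SAMPLE_APPROVAL, "Not Approved"))
```
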

Disclaimer

This document may include planned release dates for service packs and version upgrades. These dates are based on our current development plans and on our best estimates of the research and development time required to build, test, and implement each of the documented features. This document does not represent any firm commitments by N-able Technologies Inc. to features and/or dates. N-able Technologies will make its best effort to meet the specified schedule and will update this document should there be any significant changes. N-able Technologies reserves the right to change the release schedule and the content of any of the planned updates or enhancements without notice. Publication or dissemination of this document alone is not intended to create and does not constitute a business relationship between N-able Technologies and the recipient.

Feedback

N-able Technologies is a market driven organization that places importance on customer, partner and alliance feedback. All feedback is welcome at the following email address: feedback@n-able.com.

About N-able Technologies

N-able Technologies is the global leader in remote monitoring and management software for managed service providers and IT departments. N-able's award-winning N-central platform and complementary toolsets, backed by best-in-class business and technical services, are proven to reduce IT support costs, improve network performance and increase productivity through the proactive monitoring, management and optimization of IP-enabled devices and IT infrastructure. N-able is 100% channel-friendly and maintains operations in North America, the U.K., the Netherlands and Australia.

Copyright 2010 N-able Technologies. All rights reserved.

This document contains information intended for the exclusive use of N-able Technologies' personnel, partners, and potential partners. The information herein is restricted in use and is strictly confidential and subject to change without notice. No part of this document may be altered, reproduced, or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of N-able Technologies. Copyright protection includes, but is not limited to, program code, program documentation, and material generated from the software product displayed on the screen, such as graphics, icons, screen displays, screen layouts, and buttons.

N-able Technologies, N-central, and N-compass are trademarks or registered trademarks of N-able Technologies International Inc., licensed for use by N-able Technologies, Inc. All other names and trademarks are the property of their respective holders.