Providing Patch Management With N-central - N-able Technologies

Providing Patch Management With N-central 

Version 7.2

Contents 

Patch Management 3 

Introduction 3 

Monitoring for Missing Patches 3 

Setting up Patch Management in N-central 4 

Adding a WSUS Server to N-central 7 

What Versions of WSUS Are Supported? 7 

How N-central Monitors Your WSUS Servers 9 

Enabling or Disabling WSUS Servers 9 

Changing which Customers can Use a WSUS Server 10 

Configuring WSUS Server's Patch and Language Options 11 

Maintaining your WSUS Servers 13 

Patch Profiles 15 

Adding Patch Profiles 15 

Patch Profile Settings 16 

Editing Patch Profiles 19 

Viewing the Folders and Devices Associated to a Patch Profile 19 

Deleting Patch Profiles 20 

Configuring Devices for Patch Management 20 

Approving and Declining Patches 22 

Automatically Approving Patches 27 

Viewing Installed Patches 31 

Patch Management Reporting 33 

Patch Status Report 33 

Patch Inventory Report 33 

Missing Patches Report 33 

WSUS Status Report 33 

Upgrading Patch Management from N-central 7.0 34 

Appendix: Patch Installation and Approval Status 35

N-central 7.2 Providing Patch Management With N-central 

Patch Management 

Introduction 

In today's security-conscious environment, providing patch monitoring and management services is critical 

for anyone delivering managed IT services. The challenge is that while delivering patch management 

services has the potential to be both complex and expensive, your customers will not want to pay extra 

for it and will simply expect it to be a part of your service offering. With these issues in mind, N-able 

Technologies provides a new integrated patch management feature with N-central 7.2, powered by 

Microsoft WSUS 3.0. 

N-central 7.2 takes a unique approach to providing patch management by dividing patch monitoring 

and patch management into two separate functions. Patch Monitoring, which provides the ability to see 

which software patches are missing on devices, can be done on both Essential and Professional devices, 

while Patch Management (the approval and declining of specific patches) can only be done on Professional 

devices. This distinction provides added flexibility that allows IT service providers to better tailor 

their service offerings to the needs of their clients. 

Who Should Read This Guide? 

This document is designed for N-central administrators. It is highly recommended that anyone who is 

using the Patch Management features in versions prior to N-central 7.2 read this guide before upgrading. 

This guide is current as of Wednesday, January 26, 2011. 

Monitoring for Missing Patches 

When an N-central 7.2 Windows Agent is installed on a device, the Patch Status service is automatically 

added to that device. The Patch Status service queries the Windows Update Agent (WUA) on the device 

to determine the patches that are missing. WUA is local to the device that is being monitored and so the 

Patch Status service will report patch data even if the device is not configured to report to a WSUS 

server. 

The Patch Status service returns key information including: 

• the total number of missing patches 

• the number of patches installed with errors 

• missing patches by category (Security Updates, Critical Updates, Service Packs, Update Rollups, 

Feature Packs, Updates, and Software Driver Updates) 

• missing patches (of specific categories) older than a user-specified number of days. 

- 3 -


Setting up Patch Management in N-central 

N-central provides a very flexible, powerful, integrated patch distribution and management solution. The 

solution is based on Microsoft WSUS but all configuration and management of WSUS is managed using 

the N-central interface. Beyond installing WSUS, there is virtually no interaction required with the 

WSUS user interface. 

There are three phases to setting up patch management in N-central: 

• Configuring your WSUS servers 

• Creating Patch Profiles 

• Approving and Declining Patches 

Before reviewing how to configure your WSUS servers, we should first examine where you might want 

to install them. 

Common WSUS Deployment Scenarios 

N-central 7.2 provides a great deal of flexibility in how you deploy your WSUS servers. You can make 

WSUS servers available to just one customer, all customers within a Service Organization, or across 

all Service Organizations in your N-central server. Those WSUS servers can be either on-site (within 

your customer's network) or can be publicly accessible on the internet. Through patch profiles, N-central 

also gives you the ability to use a mix of on-site and publicly-accessible WSUS servers – giving 

- 4 -


you the flexibility to offer patch management to devices that are on the road (like a Salesperson's laptop) 

and in the office. 

The main advantage to using on-site WSUS servers is that they can store patches locally and distribute 

them to servers and workstations on the local network. This optimizes the Internet bandwidth 

that is used because the patches are only downloaded from the internet once. The disadvantage of 

on-site WSUS servers is that they can only be used for devices on the same network – as soon as a 

device leaves the network, it no can no longer be managed by that WSUS server. 

The main advantage of a publicly accessible WSUS server is that it can be used by any device that has 

internet access. The disadvantage of a publicly accessible WSUS server is that each patch must be 

downloaded separately by each device – making bandwidth consumption an issue. 

It is likely that you will want to use patch profiles (covered later on in this document) to have your 

customer's workstations and servers report to an on-site WSUS server, and your customer's laptops 

report to a publicly accessible WSUS server. 

- 5 -


- 6 -


Adding a WSUS Server to N-central 

Adding a WSUS server to N-central is simple - you simply install a Windows Agent on it. The Windows 

Agent will discover the installed WSUS software and will then add the server to the list displayed on the 

WSUS Server Management screen (accessible through Setup > Patch Management > WSUS 

Servers in the N-central UI). WSUS servers that have been discovered but are not yet enabled for 

patch management will be indicated by an icon. Servers that have been enabled will be indicated by 

a icon. If you install WSUS on the server after the agent has been installed, the WSUS server will still 

be discovered as the agent repeats its discovery action every 24 hours. Additionally, you can trigger an 

immediate discovery by clicking Update Now on the Asset tab of the device in question. 

The following are the time intervals for interaction between Windows Agents and WSUS: 

Activity 

Patch Discovery (Patches Needed) 

WSUS Group Creation 

Interval 

Upon agent start and every 22 hours 

If successful: every 6 hours 

If unsuccessful: every 5 minutes 

Reapply WSUS Group Hierarchy 

WSUS Server Configuration 

Every 6 hours 

If successful: every 24 hours 

If unsuccessful: every 5 minutes 

Verify Patch Status 

Patch Approval Synchronization 

Every 12 hours 

For Security Updates and Critical Updates: every 24 hours 

For all other categories: every 168 hours (7 days) 

What Versions of WSUS Are Supported? 

N-central 7.2 supports, at minimum, Microsoft WSUS 3.0 Service Pack 2. Older versions of WSUS will 

be discovered but cannot be used for patch management in N-central. As new versions of WSUS become 

available, N-able Technologies will test the integration with N-central and make any updates necessary 

to provide support for the new version. We do not recommend upgrading WSUS until official support is 

provided for the new version in order to ensure that your patch system is operating properly. 

- 7 -


To display the WSUS servers managed by N-central 

1. On the menu bar, click Setup > Patch Management > WSUS Servers. 

The WSUS Server Management screen appears. 

To add a new WSUS server to the list of WSUS servers managed by N-central 

Note: The following procedure can only be performed at the customer level. Select the appropriate 

customer in the navigation pane to continue. For more information, refer to Navigating N-central. 


2. Click Add. 

The Add WSUS Servers dialog box that appears will instruct you to install an agent on the 

WSUS server itself (and provides a link for downloading a Windows agent). N-central's asset discovery 

mechanism will automatically add the server to the list. 

Note: If the WSUS server is publicly-accessible, you must change the Network Address of the 

WSUS server in N-central from the private IP address to a public IP address. 

To force N-central to detect WSUS on a device already managed by N-central 

1. Navigate to the appropriate customer. 

2. Click All Devices View in the navigation pane. 

3. Click on the name of the device that is the WSUS server. 

The Device Properties screen appears. 

4. Select the Asset tab. 

5. Click Update Now. 

When the discovery job is completed, the WSUS server will be included in the list displayed on the 

WSUS Server Management screen. 

Previously-configured WSUS Servers 

For N-central to manage devices in WSUS, client-side targeting must be disabled in the WSUS UI by performing 

the following: 

- 8 -


To configure client-side targeting on a WSUS server 

1. Click Control Panel > Administrative Tools > Windows Server Update Services to access 

the WSUS UI on the WSUS server. 

2. Click Options in the left-hand UI pane. 

3. Click Computers in the middle UI pane. 

4. Select Use the Update Services console. 

5. Click OK. 

How N-central Monitors Your WSUS Servers 

Once you have configured WSUS and are using it to manage software patches, it will become a key component 

of your infrastructure. As a result, WSUS itself must be managed and monitored. When you add 

a WSUS server to N-central, the WSUS 3.0 service template will be automatically assigned to the 

device. This provides complete monitoring of WSUS including event log, process availability, and the 

WSUS Status service. This monitoring ensures that the WSUS server is not reporting errors and that it 

is synchronizing with Microsoft correctly. The collected data is included in the WSUS Status report which 

will help in providing optimal service levels and can demonstrate the availability of the patch solution to 

your customer's auditors. 

Tip: If your WSUS server is publicly-accessible and your WMI-based services transition to a Misconfigured 

state, perform the following: 

1. In N-central, configure the Network Address of the WSUS server to the public IP 

address. 

2. Wait until your WMI-based services transition to a Misconfigured state. 

3. Disable the Windows Firewall on the WSUS server. 

4. After the scan for the WMI-based services is completed again, the services should 

transition back to a Normal state. 

5. Enable the Windows Firewall on the WSUS server once more. 

Enabling or Disabling WSUS Servers 

Managing a WSUS server in N-central includes the ability to enable or disable the server as a point of distribution 

for patches. 

Enabling a WSUS server allows it to be used for deploying patches and to be monitored by N-central. 

Disabling a WSUS server makes it unavailable for deploying patches and it will not be monitored by N- 

central. 

Note: All newly-added WSUS servers are disabled by default. 

To enable a WSUS server 



2. Select the check box beside each of the server names you want to enable. 

- 9 -


Tip: Selecting the check box at the top of the column will select all of the WSUS servers in the 

list. 

3. Click Enable. 

A will appear in the Enabled column beside the name of the WSUS server (or servers) that 

has been enabled. 

To disable a WSUS server 



2. Select the check box beside each of the server names you want to disable. 


list. 

3. Click Disable. 

A dialog box will appear confirming whether you want to disable the WSUS server (or servers). 

4. Click Save. 

An will appear in the Enabled column beside the name of the WSUS server (or servers) that 

has been disabled. 

Changing which Customers can Use a WSUS Server 

The WSUS Server Management screen can be accessed from any level (System, Service Organization, or 

Customer). Only the WSUS servers that can be managed by the current user will be displayed. Under 

the Customer/SO Name column, you will see the level at which the WSUS server is currently listed. If 

you want the WSUS server to only be visible to devices within the current customer, this column should 

display the customer name. 

If you want to make a WSUS server visible to all devices at the service organization level, select it and 

click Make Available at Another Level. Select the service organization name from the drop-down 

menu that appears and click Save. You will see the customer name change to the service organization 

name. 

- 10 -


To change the level of a WSUS Server 



2. Select the check box beside each of the server names whose level you want to change. 


list. 

3. Click Make Available at Another Level. 

The Make Available at Another Level dialog appears. 

4. Select the new level from the drop-down menu. 


The setting listed under the Customer/SO Name column will change. 

Configuring WSUS Server's Patch and Language Options 

In addition to controlling which customers can use a given WSUS server, you can also use the WSUS 

Server Management screen to configure the WSUS server’s patch and language options. Available 

options include: 

- 11 -


• Products to support 

• Product Classifications 

• Download and Store Patches on the WSUS server 

• Which languages to support 

• Synchronization schedule 

Since you can select more than one server from the WSUS Servers screen, it is easy to configure all of 

your WSUS servers to use the same settings. It is strongly recommended that you manage these settings 

through N-central rather than using the WSUS user interface. 

Best 

Practices 

• If you are using a hosted server, DO NOT store patches locally but if you are using an onpremise 

server, DO store patches locally. 

• If you store patches locally, adjust the languages supported to only those that are in use by 

your customers. This will minimize WSUS disk space requirements. 

• Ensure that your WSUS server is set to synchronize automatically at least once per day. This 

will ensure that your patch list is always up to date. 

To configure WSUS Server options 

Note: No configuration changes can be made to disabled WSUS servers. The settings are saved in N- 

central. When the WSUS server is enabled, the settings are then applied to the WSUS server. 


- 12 -



2. Select the check box beside each of the names of the WSUS servers that you want to configure. 


list. 

3. Click Configure WSUS Options. 

The Configure WSUS Server Settings dialog appears. 

4. Select the configuration options that you want to apply from the following: 

a. Select which product you would like to support - identifies the patch products you want 

the WSUS server to support. 

b. Select the update classification to provide - identifies the classification of patches you 

want the WSUS server to provide. 

c. Specify where you would like to store Update Files - identifies whether Windows 

Update files will be stored locally on the WSUS server or not. If you select Store updates 

locally, you must identify the type and language of updates to be stored. 

d. Configure your desired Synchronization schedule - identifies whether the WSUS server 

will synchronize manually or automatically. If you select Synchronize automatically, you 

must select the time of the first synchronization as well as the number of synchronizations 

per day. 

Note: When selecting check boxes in the Configure WSUS Server Settings dialog, your selection 

can have three possible settings: 

Selected 

Not 

Selected 

No 

Change 

Indicates that the setting will be applied to the WSUS server. 

Indicates that the setting will not be applied to the WSUS server. 

Indicates that the setting will not change any current settings already applied 

to the WSUS server. 



Maintaining your WSUS Servers 

WSUS servers require periodic maintenance which includes deleting unnecessary patches, optimizing 

the database, and other routine tasks. All of these actions can be done by performing a WSUS Server 

Cleanup Task from the WSUS Server Management screen. 

If you select a WSUS server and click Cleanup WSUS, the task is created as a "run now" management 

task whose status can be viewed in the Job Status Dashboard. If you wish to schedule this task for periodic 

execution, you can do so from the Setup > Management Tasks menu. 

- 13 -


To clean up WSUS servers 



2. Select the check box beside each of the names of the WSUS servers that you want to clean. 


list. 

3. Click Cleanup WSUS. 

The WSUS Cleanup Settings dialog appears. 

4. Type the Name you want to use to identify the cleanup task. 

5. Select the cleanup settings you want to apply to the task from the following: 

• Remove unused updates and update revisions 

• Delete computers not contacting the server 

• Delete unneeded update files 

• Decline expired updates 

• Decline superseded updates 



- 14 -


Patch Profiles 

Patch profiles are used to configure all of the patch-related settings that need to be configured on Windows 

devices. This includes items such as the WSUS server to use, whether or not to reboot after installing 

the patches, and whether or not to alert the user when new patches are downloaded. 

Patch profiles are a key feature in N-central, as they allow you to re-use the same patch settings across 

multiple customers. This saves you and your technicians time that would have to be otherwise spent 

configuring patch settings in the Group Policy of each of your customer's domains. 

Access to patch profiles is based upon the level at which they are created. For example, a profile created 

at the System level is available at all levels while a profile created at the Service Organization level would 

only be available within that Service Organization. 

Best 

Practices 

• Configuring the default Patch Management profile at the highest level possible will provide consistent 

settings for all lower-level accounts. For example, modifying the default Patch Management 

profile at the Product Administrator level will define the settings for the profiles in all 

Service Organization and Customer accounts. 

• It is strongly recommended that you disable any group policy objects that configure Windows 

Update as they will conflict with the N-central settings. 

Adding Patch Profiles 

N-central provides a default Patch Management profile. Depending on your needs, however, it may be 

necessary to create additional profiles. 

You can also copy a profile by using the "clone" feature to create a new profile that has a similar configuration 

to an existing one but with minor differences. This can make the task of creating multiple profiles 

faster and easier. 

Note: Cloning a profile will include both its settings and its associated devices. 

To add a new profile 

1. On the menu bar, click Setup > Patch Management > Profiles. 

The Profiles screen appears. 

2. Click Add. 

The Add Profiles screen appears. 

3. Define the profile settings as required. For more information, refer to Patch Profile Settings on 

page 16. 


A dialog box will appear confirming whether you want to save the new profile. 



To clone a profile 


- 15 -



2. Select the profile you want to duplicate. 

3. Click clone. 

4. Type a descriptive Name to identify the profile. 

5. In the Description field, type additional information about the profile. 



Note: After you have cloned a profile, you need to edit the new profile's settings. For more information, 

refer to Editing Patch Profiles on page 19. 

Patch Profile Settings 

Patch Management profiles have a number of different settings that will affect how patches will be 

deployed including: 

Setting 

Name 

Description 

Description 

A descriptive term or label used to identify the profile. 

Additional information about the profile that will be displayed in the Profiles table. 

Configure Automatic Updates 

Disable Automatic 

Updates 

Activates (or de-activates) N-central's ability to automatically install software patches when 

they are approved through N-central. 

Warning! 

Disabling this option means that all devices associated with this profile must 

have software patches manually applied. 

Configure 

Automatic 

Updating 

Defines how the deployment of patches will be applied to target devices from one of: 

• Notify before download - Will send a notification of software updates being available 

before they are downloaded and before they are installed. 

• Automatically download and notify of installation - Will automatically download 

software updates when they are available but will send a notification before they are 

installed. 

• Automatic download and scheduled installation - Will automatically download 

software updates when they are available and will install them at the scheduled date 

and time. 

• Automatic Updates is required but end users can configure it - Will automatically 

download software updates but will allow users to configure options such as 

the date and time when they will be installed. 

Note: 

If Automatic download and scheduled installation is selected, you must select 

a Schedule Install Day and Schedule Install Time when patches will be 

installed. 

- 16 -


Setting 

Enable Automatic 

Updates 

Detection 

Allow Non- 

Administrators 

to receive 

update notifications 

Turn on Software 

Notifications 

Allow Automatic 

Updates 

Immediate 

Installation 

No Auto 

Restart with 

Logged On 

User for 

Scheduled 

Automatic 

Updates 

Delay Restart 

for Scheduled 

Installations 

Re-Prompt 

Restart with 

Scheduled 

Installations 

Reschedule 

Automatic 

Updates 

Scheduled 

Installation 

Description 

Activates (or de-activates) the automatic detection of software updates. 

Note: If Enable Automatic Updates Detection is set to Yes, you must select the Automatic 

Updates Detection Frequency (Hours) value to determine the interval 

between when N-central will check for software updates (to a maximum of 22 

hours). 

Provides permission for N-central to send notifications to non-administrator accounts. For 

example, if this option is enabled, end users will be notified when software updates have 

been downloaded and are available to be installed on their computers. 

Activates (or de-activates) the transmission of notifications. The notifications sent will depend 

on the setting selected for the Configure Automatic Updating option. 

Activates (or de-activates) the immediate installation of minor updates that do not interrupt 

Windows services or require Windows to be restarted. If this is set to Yes, N-central will 

immediately install these updates as soon as they are downloaded and ready to be installed. 

Activates (or de-activates) N-central's ability to automatically restart Windows devices when a 

user is currently logged on. If this is set to Yes, N-central will not restart the device automatically 

after software updates are installed and a user is logged on to the device. The user 

will be prompted to restart the device. 

Activates (or de-activates) a specified delay before N-central will restart Windows devices following 

the installation of software updates. 

Note: If Delay Restart for Scheduled Installations is set to Yes, you must select a 

value for Wait (minutes) before proceeding with scheduled restart from 1 

minute to 29 minutes. 

Activates (or de-activates) a specified delay before N-central will send another prompt to 

logged-on users that Windows devices will be restarted following the installation of software 

updates. 

Note: If Re-Prompt Restart with Scheduled Installations is set to Yes, you must type 

a value for Wait (minutes) before proceeding with scheduled restart. 

Activates (or de-activates) a specified delay before N-central will install software updates that 

were missed (for example, if a device was shut down during a scheduled software update). 

Note: If Reschedule Automatic Updates Scheduled Installation is set to Yes, you 

must type a value for Wait (minutes) after system startup. 

- 17 -


Setting 

Enable Windows 

Update 

Power Management 

to 

Automatically 

Wake up the 

System 

Specify Patch 

Server to use 

(WSUS or Windows 

Update) 

Description 

Activates (or de-activates) the capability to "wake up" a Windows device (even if it is in hibernation 

mode) in order to install a critical software update. 

Identifies either the WSUS server or Windows Update service that will be used for deploying 

patches. 

Note: Using a Windows Update service for deploying patches will disable the patch 

approval features available with a WSUS server. 

After you have identified the server or service from which patches will be deployed, activate 

(or de-activate) Allow Signed Updates from an Intranet Microsoft update service location. 

This controls whether or not software updates will be accepted if they are signed by a 

certificate found in the "Trusted Publishers" certificate store of the local computer. If this setting 

is set to No, software updates from an intranet Microsoft update service location will only 

be accepted if they are signed by Microsoft. 

Do not display 

"Install 

Updates and 

Shut Down" 

option in Shut 

Down Menu 

Activates (or de-activates) the ability to display an "Install Updates and Shut Down" option 

when a Windows device is being turned off or restarted even if software updates are available. 

Note: If Do not display "Install Updates and Shut Down" option in Shut Down 

Menu is set to Yes, you must activate (or de-activate) the Do not adjust default 

option to "Install Updates and Shut Down" in Shut Down Menu option. 

One of the key settings for Patch Management profiles is the Specify Patch Server to use. This determines 

the location to which the Windows Update agent will connect in order to receive patch information. 

There are several options available including: 

• Windows Update (default setting) 

• Best Available 

• WSUS Servers 

These options provide very different results. The Windows Update option configures the Windows Update 

Agent to connect to the Windows Update service. This allows patch management to be performed on a 

device without using WSUS. The advantage to this is the universal availability of the Windows Update 

site. One drawback, however, is the lack of management capabilities - the administrator cannot configure 

which individual patches should be applied. 

Best Available configures the Windows Update Agent to use the best available WSUS server directing 

N-central to look for a customer-level WSUS server. If one is available, the device will be configured to 

use that server. If there is no customer-level WSUS server available, N-central will attempt to configure 

an SO-level server. If an SO-level server isn’t available, N-central then will attempt to use a productlevel 

server. Should there be no WSUS servers available, N-central will configure the WUA to use Windows 

Update. The advantage to this functionality is that N-central will re-evaluate the best available 

- 18 -


configuration whenever a new server is enabled. As a result, if a system is configured to use an SO-level 

server and a customer-level WSUS server is added, N-central will automatically reconfigure the devices 

to use the customer-level server. 

Selecting WSUS Servers allows you to select a specific WSUS server. Use this option if you know the 

specific server that you want to use. 

Editing Patch Profiles 

Any patch profile (including the default profile provided by N-central) can be modified . When a profile is 

modified, any changes made will be applied to all of the devices that use the profile. 

If you try to edit a profile that was created at a higher account level, N-central will automatically create 

a copy of the profile at the level that it is being edited, including the associated devices, and save it at 

that level. This will disconnect the association to the profile that was created at a higher account level. 

For example, an SO Admin attempting to edit a profile created at the system level will create a new copy 

of the profile within their respective service organization. 

To edit a profile 



2. In the Name column, click the name of the profile that you would like to edit. 

The Edit Profiles screen appears. 

3. Update the profile settings as required. For more information, refer to Patch Profile Settings on page 

16. 


5. When prompted, click Save to confirm the modifications. 


Viewing the Folders and Devices Associated to a Patch Profile 

You can view the associations a Patch Management profile has to folder templates, folders, and devices. 

You can view the associations a Patch Management profile has to folders. 

To view profile associations 



2. In the Name column, click the name of the profile for which you would like to view all associations. 

The Edit Profiles screen appears. 

3. Click the Associations tab. 

- 19 -


The Associations tab appears, displaying all associations for the selected profile. 

Deleting Patch Profiles 

You may want to delete one or more patch profiles as your patch deployment policies evolve. Be cautious 

when you do this as devices will need to use an existing profile if they are to receive deployed 

patches. If you try to delete a profile that is currently being used by one or more devices, you will be 

warned that it is an active profile. You may then either cancel the deletion or specify a replacement profile 

to be applied to those devices that are using the profile. 

Tip: You can delete multiple patch profiles simultaneously. 

To delete a profile 



2. Select the check box next to the profile (or profiles) that you want to delete. 

Tip: You can select the check box next to the Name column to select all of the profiles. 

3. Click Delete. 

4. When prompted, click Delete to confirm the removal of the selected profiles. 


Configuring Devices for Patch Management 

After WSUS servers are configured (and enabled) and your patch profiles are set up and ready to use, 

you can enable Patch Management on your managed devices. The Patch Management feature is only 

available on Professional devices that have a Windows Agent installed on them. Patch Management can 

be enabled in three different ways: 

• on a per-device basis, 

• by bulk-editing multiple devices simultaneously, or 

• by configuring Patch Management options through a folder. 

Note: It may take up to 24 hours for the Patch Management feature to be fully operational as the Windows 

Update Agent (WUA) on all configured devices must synchronize with a WSUS server. Following 

the completion of this initial registration period, Patch Management functionality will be 

fully available on managed devices. 

To configure single or multiple devices for Patch Management 

Note: The following procedure can only be performed at the customer level. Select the appropriate 

customer in the navigation pane to continue. For more information, refer to Navigating N-central. 

1. Click All Devices View in the navigation pane. 

The All Devices View screen appears. 

2. Perform the following: 

- 20 -


• For a single device, click the device that you would like to edit in the Name column. 

• For multiple devices, select the check box beside each of the device names you wish to edit and 

click Edit. 

3. Under Patch Management, select Enable Patch Management. 

4. From the Select Patch Management Configuration Profile drop-down list, select the profile 

that you want to be applied to the device (or devices). 

Note: You can Add a new profile or View/Edit profiles to ensure that the correct one is selected. 

5. Click OK. 

The device properties are updated and the All Devices View screen appears. 

Note: You can click Save to apply the settings and remain on the current screen. 

To enable Patch Management using folder templates 

Note: This feature is available at the Service Organization level. 

1. On the menu bar, click Setup > Folder Templates. 

The Folder Templates screen appears. 

2. In the Name column, click the folder template that you would like to edit. 

The Edit Folder Template screen appears. 

3. Under Patch Management, select Manage Patch Settings. 

4. From the Select Patch Management Configuration Profile drop-down list, select the profile 

that you want to be applied to the devices associated with the folder template. 

- 21 -


5. Click OK. 

The folder template is updated and the Folder Templates screen appears. 

Note: This operation can also be carried out at the Customer level for individual folders. For more 

information, refer to Editing Folders. 

After you enable Patch Management on a device and apply a profile, the N-central agent will configure 

the settings for the device and then connect to the specified WSUS server so that the device can be 

placed in the correct computer groups. 

Approving and Declining Patches 

After the configuration of the WSUS system is complete, you can begin approving patches for deployment. 

In N-central, patches can be deployed using one of two methods: 

• automatically using Automatic Patch Approval rules (for more information, refer to Automatically 

Approving Patches on page 27), or 

• the Patch Deployment Wizard. 

Through the Patch Deployment Wizard, N-central allows you to efficiently deploy patches across a 

number of Windows devices (regardless of the customer that they belong to) by completing the following 

steps: 

1. Filtering and searching available patches to determine which should be deployed. 

2. Selecting the approval status to be assigned to patches. 

3. Setting a patch deployment deadline (if applicable). 

4. Accepting EULAs (End User License Agreements) on a individual patch basis or all at once (if applicable). 

5. Confirming your selections. 

- 22 -


To display the list of patches waiting for deployment 

• On the menu bar, click Setup > Patch Management > Deploy Patches. 

The Select Patches screen appears. 

Current Status and Approval Reported for Patches 

The list of available patches displayed on the Select Patches screen includes the following information 

for each patch: 

• KB (Knowledge Base) Number 

• Patch Name 

• Date 

• Classification 

• Severity 

• Status 

• Approval 

The Status of each patch will be a combination of the individual Status values of that patch across all 

applicable devices. The combined Status value can be one of the following (listed in order of importance): 

1. Failed 

2. Needed 

3. Installed 

4. Not Needed 

- 23 -


The highest-ranked of these statuses found on any applicable device will be reported as the combined 

Status for the patch. For example, if one device had a status of Failed for this patch, while two other 

devices have a status of Needed for this patch, the patch would have an overall combined Status of 

Failed. 

Patches with the status Needed will be displayed with the following icon: 

Clicking on this icon will display all of the devices that are reporting the Needed status for this software 

patch. This allows you to better understand which devices will be installing the patch after it has 

been approved. 

The Approval value of each patch will be a combination of the individual Approval values of that 

patch across all computer groups. The Approval values are combined as follows: 

• Declined + any other Approval value = Declined 

• Approved for Install + Not Approved = Approved for Install 

• Approved for Install + Approved for Removal = Mixed 

• Approved for Install + Not Approved + Approved for Removal = Mixed 

• Not Approved + Approved for Removal = Mixed 

To filter the list of patches 

Depending on your configuration, the list of available patches can be quite long and may require filtering 

in order to provide a manageable amount of patch information. 

1. On the menu bar, click Setup > Patch Management > Deploy Patches. 


2. In the Classification column, select the classification of patches you want to display from one of 

the following: 

• Critical Updates 

• Definition Updates 

• Drivers 

• Feature Packs 

• Security Updates 

• Service Packs 

• Tools 

• Update Rollups 

• Updates 

3. In the Approval column, select the current approval setting of patches you want to display from 

one of the following: 

• Approved for Install 

• Approved for Removal 

• Declined 

• Mixed 

• Not Approved 

- 24 -


4. In the Severity column, select the severity rating of patches you want to display from one of the 

following: 

• Critical 

• Important 

• Low 

• Moderate 

• Unspecified 

5. In the Status column, select the current status of patches you want to display from one of the 

following: 

• Failed 

• Installed 

• Needed 

• Not Needed 

Tip: You can use Ctrl-click or click-and-drag to select multiple criteria within a column. 

6. In the Enter text to search for field, type information to use to filter the patch list including 

the name of the patch, Knowledge Base number, or other criteria. 

7. Click Filter. 

Note: You can use Reset Filter to undo any selections you have made and display the entire list 

of available patches. 

To deploy patches 

1. On the menu bar, click Setup > Patch Management > Deploy Patches. 


2. If necessary, filter the list of displayed patches as described above. 

3. Select the check box next to the patch (or patches) you would like to deploy. 

Tip: You can select the check box next to the KB Number column to select all of the patches in 

the list that is currently displayed. 

4. Click 2. Approve Patches or Next Step to proceed. 

The Approve Patches screen appears. 

5. Select the criteria for Set selected patches to from one of the following: 

• Approved for Install 

• Approved for Removal 

• Declined 

Note: Declined is only available as an approval criteria for Product Administrators or SO Administrators 

if there are no product-level WSUS servers available in N-central. Approved for 

Removal is only available for software patches that support this feature. 

- 25 -


If you selected Approved for Install, you will need to Specify your target devices (or 

device groups) by navigating through the list of folders and choosing the service organization, 

customer and folder (or folders) for which the associated devices will have the patch installed. 

Note: The target devices tree is hierarchical in nature so that selecting a folder at one level will 

apply the patches to matching folders at all levels below the one that is selected (including 

new devices as they are added). Icons in the target devices tree indicate selections as follows: 

Approved for 

Install 

Not Approved 

No Change 

Indicates that approved patches will be installed on all devices associated 

with the folder. 

Indicates that approved patches will not be installed on all devices associated 

with the folder. 

Indicates that existing patch approvals should not be altered for devices 

associated with the folder. 

6. Click 3. Set Installation Deadlines (if applicable) or Next Step to proceed. 

If applicable, the Set Installation Deadline screen appears. If no deadline setting is available, 

skip to step 11. 

7. Specify the deadline options for the patches from one of the following: 

• None 

• Custom 

If you selected Custom, you will need to specify the Date and Time that will be the deadline by 

which all approved patches must be installed. Click in the respective fields to select Date and 

Time values. 

8. Click 4. Review and Accept EULAs (if applicable) or Next Step to proceed. 

If applicable, the Review and Accept EULAs screen appears. If no EULAs are provided for the 

accepted patches, skip to step 11. 

9. Click EULA beside the name of the patch to read its End User License Agreement. 

When the EULA is displayed, click Accept or Decline in the dialog box to indicate acceptance or 

refusal of the agreement. You can also select the check box next to the patch (or patches) to 

accept a EULA without displaying it. 

Tip: You can select the check box next to Accept EULA to indicate acceptance of the EULAs for 

all of the patches. 

10. Click 5. Confirmation (if applicable) or Accept EULA and Approve Patches to proceed. 

The Confirmation screen appears. 

11. Click Finish. 

- 26 -



Note: At any time during the Patch Deployment Wizard, you can click Back to review previous 

stages of the procedure. 

Automatically Approving Patches 

Creating Patch Approval Rules allows N-central to automatically approve patches for you that meet specific 

criteria – saving you and your technicians time and effort. 

Note: Patch Approval Rules are stored and run on the N-central server. They are not passed on as an 

automatic approval rule to the WSUS server. Patch Approval Rules are created and applied 

through N-central which then passes the approval to the WSUS server. 

Automatic Patch Approval Rules can be created at the Product Administrator, Service Organization and 

Customer levels. Editing and deleting rules is restricted by the level at which they are created: 

• Rules created at a higher level can be used but not edited or deleted by lower level accounts. 

• Rules created at a lower level can be edited or deleted by higher level accounts. 

It is important to note that patches that require EULA consent cannot be approved using Automatic 

Patch Approval Rules; those patches must be approved manually so that the EULA can be reviewed and 

accepted. 

Rules can be enabled or disabled to allow further temporary suspension. N-central also allows you to run 

a Rule on-demand. The Rule status will be indicated by one of the following icons: 

Enabled 

Disabled 

Warning - This automatic approval rule has no groups associated. 

This warning is displayed when a rule is not associated with any valid 

groups (for example, if a group has been removed after the rule was 

created). The rule will not be applied and must be edited to associate it 

with a valid group. 

To add an Automatic Patch Approval rule 

1. On the menu bar, click Setup > Patch Management > Automatic Approvals. 

The Automatic Patch Approval Rules screen appears. 

2. Click Add. 

The Add Automatic Patch Approval Rule screen appears. 

3. Configure the properties of the rule: 

Name 

A unique identifier for the rule. 

- 27 -


Description 

Approve 

Patches 

for 

A personalized summary of the rule that should identify what it does. 

Used to identify how the rule will be applied based on the following criteria: 

• Products - either Local Publisher or Microsoft (with the option to 

select individual products within each category). 

• Classifications - selected from one or more of the following: 

• Critical Updates 

• Definition Updates 

• Drivers 

• Feature Packs 

• Security Updates 

• Service Packs 

• Tools 

• Update Rollups 

• Updates 

• Groups - for selecting multiple devices by folder. 

Note: 

The criteria displayed in the Product and Classifications lists are 

provided by data accessed through the WSUS Servers screen. If a 

Product or Classification has not been enabled in the WSUS server 

profile, it will not be available in the Add Automatic Patch 

Approval Rule screen. 

Specify 

the deadline 

options for 

the 

patches 

Select from one of: 

• None - no deadline applied. 

• Custom - used to specify how many days after approval that the patch 

should be installed and by what time on the deadline date. 


When the rule is first created, a Do you Want to Run this Rule Now? prompt will appear to 

verify whether you want the rule to be run immediately or later. 

Note: If you choose to run the new rule immediately, it will be applied against all of the software 

patches that your WSUS server currently manages as well as any new software patches 

from this point on. If you choose not to run the new rule immediately, it will only be 

applied to future software patches that your WSUS server downloads from Microsoft. 

5. Click Yes - Run the Rule Now or No - Do Not Run the Rule Now based on your current 

needs. 

If you selected Yes, the rule will be applied and software patches approved. If you selected No, the 

rule will not be applied. 

The Automatic Patch Approval Rules screen appears and the new rule is displayed. 

To delete an Automatic Patch Approval rule 


- 28 -



2. Select the check box next to the rule that you would like to delete. 

Tip: Selecting the check box at the top of the column heading will select all of the rules. 


A Confirm Delete prompt appears. 


The Automatic Patch Approval Rules screen appears and the rule is no longer displayed. 

To edit an Automatic Patch Approval rule 

Note: Modifications made to existing rules will only be applied to new software patches that are downloaded 

after the changes have been made. 



2. Click the Name of the rule that you would like to modify. 

The Edit Automatic Patch Approval Rule screen appears. 

3. Modify the properties of the rule as needed. 



To enable an Automatic Patch Approval rule 



2. Select the check box beside each of the rules that you want to enable. 

Tip: Selecting the check box at the top of the column will select all of the rules. 


A Confirm Enable prompt will appear confirming whether you want to enable the rule (or rules). 


A will appear in the Enabled column beside the name of the rule (or rules) that has been enabled. 

To disable an Automatic Patch Approval rule 



2. Select the check box beside each of the rules that you want to disable. 



- 29 -


A Confirm Disable prompt will appear confirming whether you want to disable the rule (or 

rules). 


An will appear in the Enabled column beside the name of the rule (or rules) that has been disabled. 

To run an Automatic Patch Approval rule 



2. Select the check box beside each of the rules that you want to run. 


3. Click Run Rule Now. 

A Confirm Run Now prompt will appear confirming whether you want to run the rule (or rules). 

4. Click Run Rule Now. 

The rule will be applied and the Automatic Patch Approval Rules screen appears. 

- 30 -


Viewing Installed Patches 

The Windows Agent will automatically discover all installed patches on the device when the agent is first 

installed as well as when the agent runs its daily asset discovery. This includes information such as 

patch details, installation date, and installation status. This information is then made available in the N- 

central UI on the device's Asset tab and is also included in the Patch Status Report and Patch Inventory 

Report. 

Patch Information on the Asset tab 

- 31 -


Patch details in the Patch Status report 

- 32 -


Patch Management Reporting 

A key element of N-central's Patch Management feature is the ability to provide effective reporting. The 

patch management reports are designed to be highly flexible in order to support a variety of use cases. 

Specifically, there are several key reports that you can deliver: 

Patch Status Report 

• Missing Patches (by system) 

• One, several, or all devices 

• One, several, or all categories 

• Patches older than a certain age 

• Installed Patches (by system) 

• One, several, or all devices 

• One, several, or all categories 

• Patches installed in the last many days 

• All Patches (installed and missing) 

Patch Inventory Report 

• Missing Patches (by patch) 

• Installed Patches (by patch) 

• Which computers are missing a specific patch 

• Which computers have a specific patch 

• Report on patches by name or KB article or other criteria 

Missing Patches Report 

• Show (per customer) the number of missing patches (by type) 

• Show top customers by missing patches 

• Click through to show individual customer details 

WSUS Status Report 

• WSUS servers (up to a maximum of 20) that have the largest number of assigned devices 

• Indicate the WSUS level, version, number of customers, number of devices and details on synchronization 

for each WSUS server 

• Indicate customer assignment, update products, and update classifications for WSUS servers 

• Indicate device assignment, update products, and update classifications for WSUS servers 

Leveraging these reports, N-central can support a wide range of needs including: 

• helping a technician understand the software patches that need to be deployed or the devices on 

which a bad patch needs to be rolled back, 

• showing a customer their patch status, 

• showing a customer the work that was done, needs to be done, or 

• demonstrating to an auditor that patch management SLA’s are being met. 

- 33 -


Upgrading Patch Management from N-central 7.0 

While N-central 7.0 provided patch management using integration with Microsoft WSUS 3.0, the features 

included in N-central 7.0 were quite different in both architecture and scope. Due to these 

changes, any existing N-central patch management configuration options will not be upgraded. 

To use your existing patch management configuration in N-central 7.2 

1. Upgrade your N-central server to 7.2. 

2. Uninstall the N-able Connector from the WSUS server. 

3. On your domain controller, remove all patch-related group policy settings. 

4. Install a 7.2 agent on the WSUS server. 

5. Promote the WSUS server to the SO-level. 

6. Configure the WSUS options to match the settings that suit your needs and environment. 

7. Enable the WSUS server. 

8. Create a patch profile at the SO-level: 

a. Specify the patch management settings. 

b. Set the WSUS server to Best Available. With only one server (at the SO-level) all devices will 

use it. 

9. Enable Patch Management on all devices for which you want to manage patches. You can use your 

folder templates to simplify this task. 

This will cause all devices that you have enabled for Patch Management to check into the WSUS server. 

N-central will automatically create the groups and manage the devices. 

Note: It can take several hours for all of the devices to register with N-central and be displayed. 

At this point in time, there will be no approved patches. All existing patches that were installed on 

devices will remain but all other patches will be Not Approved so that no changes should take place. 

Going forward, you simply have to approve any patches that you wish to have applied. 

- 34 -


Appendix: Patch Installation and Approval Status 

The list of available patches displayed on the Select Patches screen includes the following information 

for each patch: 

• KB (Knowledge Base) Number 

• Patch Name 

• Date 

• Classification 

• Severity 

• Status 

• Approval 

The Status of each patch will be a combination of the individual Status values of that patch across all 

applicable devices. The combined Status value can be one of the following (listed in order of importance): 

1. Failed 

2. Needed 

3. Installed 

4. Not Needed 

The highest-ranked of these statuses found on any applicable device will be reported as the combined 

Status for the patch. For example, if one device had a status of Failed for this patch, while two other 

devices have a status of Needed for this patch, the patch would have an overall combined Status of 

Failed. 

Patches with the status Needed will be displayed with the following icon: 

Clicking on this icon will display all of the devices that are reporting the Needed status for this software 

patch. This allows you to better understand which devices will be installing the patch after it has been 

approved. 

The Approval value of each patch will be a combination of the individual Approval values of that patch 

across all computer groups. The Approval values are combined as follows: 

• Declined + any other Approval value = Declined 

• Approved for Install + Not Approved = Approved for Install 

• Approved for Install + Approved for Removal = Mixed 

• Approved for Install + Not Approved + Approved for Removal = Mixed 

• Not Approved + Approved for Removal = Mixed 

- 35 -

Disclaimer 

This document may include planned release dates for service packs and version upgrades. These dates are based on our current 

development plans and on our best estimates of the research and development time required to build, test, and implement each of 

the documented features. This document does not represent any firm commitments by N-able Technologies Inc. to features and/or 

dates. N-able Technologies will at its best effort, try to meet the specified schedule and will update this document should there be 

any significant changes. N-able Technologies reserves the right to change the release schedule and the content of any of the 

planned updates or enhancements without notice. Publication or dissemination of this document alone is not intended to create and 

does not constitute a business relationship between N-able Technologies and the recipient. 

Feedback 

N-able Technologies is a market driven organization that places importance on customer, partner and alliance feedback. All feedback 

is welcome at the following email address: feedback@n-able.com. 

About N-able Technologies 

N-able Technologies is the global leader in remote monitoring and management software for managed service providers and IT 

departments. N-able’s award-winning N-central platform and complementary toolsets, backed by best-in-class business and technical 

services, are proven to reduce IT support costs, improve network performance and increase productivity through the proactive 

monitoring, management and optimization of IP-enabled devices and IT infrastructure. N-able is 100% channel-friendly and maintains 

operations in North America, the U.K., the Netherlands and Australia. 

Copyright © 2011 

N-able Technologies 

All rights reserved. This document contains information intended for the exclusive use of N-able Technologies' personnel, partners, 

and potential partners. The information herein is restricted in use and is strictly confidential and subject to change without notice. 

No part of this document may be altered, reproduced, or transmitted in any form or by any means, electronic or mechanical, for any 

purpose, without the express written permission of N-able Technologies. 

Copyright protection includes, but is not limited to, program code, program documentation, and material generated from the software 

product displayed on the screen, such as graphics, icons, screen displays, screen layouts, and buttons. 

N-able Technologies, N-central, and N-compass are trademarks or registered trademarks of N-able Technologies International Inc., 

licensed for use by N-able Technologies, Inc. All other names and trademarks are the property of their respective holders.

Providing Patch Management With N-central - N-able Technologies

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?