Naverisk simplifies patch management across your clients' devices, allowing you to view available and missing Windows and Linux patches for an individual device, or across one or all of your clients. Patches can be installed on demand, or scheduled.
This guide covers managing and scheduling your patching as well as understanding the patch reports.
1.0 Patch Management Module
The Patching tab shows all patches and software updates missing from the selected client or group of clients.
You can view available patches for all devices, or create a targeted list using the available filters, for example show only Windows 10 patches or show Ubuntu patches.
You can also view patches for an individual device from Devices > Device Details > Patch Management, which indicates which software Updates are missing from this Device. It will show a list of Updates which could be installed but are not.
This scan can take some time; on clicking the Retrieve Information button, be prepared to wait for several minutes, or to come back to this package Tab later to view the results.
2.0 Disabling Windows Auto-Updates
By default, Naverisk does not change any existing Windows update settings. Devices that were configured to automatically download and install updates (Windows 10 default setting) will continue to do so after the Naverisk agent is installed. This ensures that devices will continue to receive updates until you start actively managing the patching in Naverisk.
It is possible to use Naverisk patch management without disabling Windows auto update. Devices will have updates installed when they are pushed out by Microsoft, with Naverisk being used to check for devices that have not received updates, and triggering the installation of any required patches.
Disabling automatic updates will allow you to have full control over the patching process. You can prevent users from installing patches and feature updates themselves, and you gain control over which updates are installed and when. This allows you, for example, to test new patches for compatibility with key applications before deploying them across all devices.
If you are managing domain-joined devices, you should use a domain GPO to disable Windows updates. This is because any settings made locally on a device will be overwritten by the policies configured on the Domain Controller.
A script pack and device role are available in the Routine Store to allow you to easily disable Windows auto updates on non-domain computers. From the store, download the Disable Windows Updates script pack and the Disable Windows Updates Daily device role. Import the script pack and device role into Naverisk.
The script pack will disable auto updates, and also block the user from manually installing updates. This can be run as required on the desired device(s).
The Disable Windows Updates Daily device role can be applied to individual devices or to multiple devices by applying to one or more device types. This device role automatically runs the Disable Windows Update script each day. This ensures that the automatic updates remain disabled in the event that a user (or Microsoft) changes the settings. If you prefer to run the script less frequently, for example weekly, you can edit the script pack to specify a different frequency.
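The drift that the daily device role guards against can also be checked read-only. The following is an added example, not part of the Naverisk script pack: it assumes the two standard Windows Update policy registry values shown (the script pack may set others), and `Test-WuPolicyDrift` is a hypothetical helper name.

```powershell
# Added example: read-only drift check for Windows Update policy values.
# Assumption: these two standard policy values are the ones to verify;
# the Routine Store script pack may configure different or additional ones.
$Expected = @(
    [pscustomobject]@{
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
        Name  = 'NoAutoUpdate'          # 1 = automatic updates disabled
        Value = 1
    }
    [pscustomobject]@{
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        Name  = 'SetDisableUXWUAccess'  # 1 = Windows Update UI blocked for users
        Value = 1
    }
)

function Test-WuPolicyDrift {
    param([object[]]$Setting = $Expected)
    foreach ($s in $Setting) {
        # A missing key or value means the policy is not applied
        $actual = $null
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($s.Name) }
        [pscustomobject]@{
            Name     = $s.Name
            Expected = $s.Value
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            InPlace  = ($actual -eq $s.Value)
        }
    }
}

$result = Test-WuPolicyDrift
$result | Format-Table -AutoSize
# A non-zero exit code lets a monitoring job alert when a setting has drifted
if ($result.InPlace -contains $false) { exit 1 } else { exit 0 }
```

On domain-joined devices the same values are delivered by the GPO, so a mismatch there points at policy application rather than at a local change.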
3.0 Alerts: Outstanding Patches against a Client
If you navigate to the Patching Tab in Naverisk and select a Client, you will see a section relating to SLA settings for that Client.
Based on the Thresholds you select, Naverisk will raise Tickets with the appropriate SLA statuses for any Devices in that Client Group with outstanding Updates after the Threshold time period has passed.
The tickets that are raised as a result of these SLA Status Thresholds are special. They contain an extra button ‘Report Devices’ which opens an embedded report displaying missing patches which do not belong to any exception categories.
4.0 Manually Applying Patches to just One Device
- Navigate to the Device which you would like to Patch.
- Select Patch Management (one of the buttons underneath Device Details).
- Select which updates you would like to install from the list of available Updates.
- If no Updates are listed, click 'Retrieve Information' to refresh the list of available Updates.
- Click Install Selected Updates to have Windows Update install these immediately.
5.0 Applying Scheduled Patches
1. Navigate to the Patching Tab and select the Client for which you'd like to pre-approve Updates.
2. Click Category Authorisations to select the Patches you would like to approve for installation.
3. Category Exceptions is for marking Patches you would like exempt from installation.
4. You can also select Individual Updates for approval.
5. After you have made your selections click Save for Client.
6. Next, navigate to the Scheduling Tab and create a New Job.
7. The Job Action should be to install Patches. Populate the details for the Job Schedule and Job Title.
8. Click Select Device Filter to select the specific Devices which you would like to install Patches on. It is at this stage you can choose to Apply Updates to entire Client Groups or subsets of them (such as particular Device Types or specific machines in that Client Group).
9. On the right there's a box for selecting what categories you would like to update. This is like a final approval before Updates go ahead.
10. In the below image you will find the recommended configuration of the scheduled patch job; this configuration has been found to work the best:
11. After you press Save, the job will be Scheduled and Updates will run at the selected time.
12. It is advisable to Schedule Maintenance Mode to start prior to updating and turn it off again after the updating has finished in case services are restarted in the course of the Updates.
13. If a restart needs to be done (i.e. if you are installing critical Updates) then this should be scheduled to happen within your Maintenance Mode window as well.
6.0 Clients Reports - Patching
As it is often important to provide your Clients with a summary of their organisation’s Patching status, we have created a report called the Patch Summary Report (Reports > Client Facing > Patch Summary). This Report can graphically and numerically represent the outstanding Patches for a server or workstation respectively.
While you can run this Report manually, it is recommended that you automate this Report to be sent to you following Scheduled Patch installations. That way you can keep a running record of the Patching status for a company and easily present this to your Clients to show the value of your service.
If you’re planning to schedule the report to be sent out within 24 hours of the patch job, it is recommended to set up another scheduled job before this to run a Windows Update scan on these devices. This is to ensure the report accurately reflects which patches have been installed and which are still available.
To Schedule this, create a New Scheduled Job and time it to happen after your Scheduled Patches (and Device Reboot task if applicable). Example below:
To Schedule the report, create a New Scheduled Job and time it to happen after your Scheduled Package Scan.
Note that you need to specify which Devices you would like this Report to cover (using Device Filter) and the recipient of the Report (with Recipient Email). Example below:
7.0 Other Reports - in lieu of the Patch Summary
Patch Management - This Report is useful for displaying missing Updates for selected Devices and Clients.
Software Changes – this report can be used for displaying recently installed updates as well as application changes on selected devices and clients.
If you find that Patches are failing to install on Devices or Naverisk is reporting that a Patch has failed in the Scheduler, the first port of call is to check your Scheduled Job configuration. Using the recommended Scheduled Job configuration highlighted in an earlier section, you should not encounter a configuration issue and it would be down to the Device itself.
For a bit more detail, the Naverisk agent does not install updates. For Windows devices, the agent communicates with the Microsoft Windows Update Agent and tells it what updates to install. On Linux devices, the agent issues the appropriate shell commands to download and install the updates, e.g. apt-get update.
Any patching-related issues are caused by the Microsoft Windows Update Agent encountering issues and failing to check for or install updates. To verify this, check the Windowsupdate.log file located in the C:\Windows directory. You can then search for these errors to find a resolution.
As an example, here is an excerpt from the Microsoft generated Windowsupdate.log file:
Running a Search on this error has brought up the below Microsoft Technet link:
This error indicates an issue with the Windows Update Agent not being able to communicate with the Microsoft servers to retrieve a list of Windows Updates. In the particular example above it was found that the machine had a proxy set on the Device which caused an issue with communication.
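To find which error to search for, it helps to pull the error codes out of the log and count them. The following is an added example, not part of the original guide: the sample lines are constructed (they are not the excerpt referred to above), and `Get-WuLogErrorSummary` is a hypothetical helper name.

```powershell
# Constructed sample lines in the general shape of a Windows Update log.
# They are NOT the excerpt from the original guide.
$SampleLog = @(
    '2024/03/04 02:00:11.1000000 1200 3400 Agent  Refreshing service list'
    '2024/03/04 02:00:41.2000000 1200 3400 Misc   *FAILED* [80072EE2] Send request'
    '2024/03/04 02:00:41.3000000 1200 3400 Agent  WARNING: sync failed, error = 0x80072EE2'
    '2024/03/04 02:05:02.4000000 1200 3400 Agent  *FAILED* [8024402C] Synchronize'
    '2024/03/04 02:10:09.5000000 1200 3400 Agent  Update service started'
)

function Get-WuLogErrorSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Line
    )
    # HRESULTs in the Win32 (8007xxxx) and Windows Update (8024xxxx) ranges,
    # written with or without a leading 0x
    $pattern = '(?i)(?<![0-9a-f])(?:0x)?(8(?:007|024)[0-9a-f]{4})(?![0-9a-f])'
    $hits = foreach ($l in $Line) {
        foreach ($m in [regex]::Matches($l, $pattern)) {
            [pscustomobject]@{
                Code = '0x' + $m.Groups[1].Value.ToUpperInvariant()
                Line = $l.Trim()
            }
        }
    }
    # One row per distinct code, most frequent first, with the latest line
    # it appeared on so the surrounding message can be searched as well
    $hits | Group-Object Code | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Code     = $_.Name
            Count    = $_.Count
            LastSeen = ($_.Group | Select-Object -Last 1).Line
        }
    }
}

Get-WuLogErrorSummary -Line $SampleLog | Format-Table -AutoSize

# On Windows 10 and later the readable log is generated from trace files first:
#   Get-WindowsUpdateLog -LogPath "$env:TEMP\WindowsUpdate.log"
#   Get-WuLogErrorSummary -Line (Get-Content "$env:TEMP\WindowsUpdate.log")
```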
If you still continue to experience issues after resolving the issues found in the Windowsupdate.log file and checking your Scheduled Job, please contact firstname.lastname@example.org for further assistance.