Patch Management

Keep devices up to date with Naverisk Patch Management.


Introduction

Naverisk simplifies patch management across your clients' devices, letting you view available and missing Windows and Linux patches for an individual device, or across one or all of your clients. Patches can be installed on demand or on a schedule.

This guide covers managing and scheduling your patching as well as understanding the patch reports.

1.0 Patch Management Module

The Patching tab shows all patches and software updates missing from the selected client or group of clients. The location of the patching module differs depending on your installed Naverisk release (see the two screenshots referenced below).

2021 R2 release or prior

2022 R1 release or higher

You can view available patches for all devices, or create a targeted list using the available filters, for example, show only Windows 10 patches or show Ubuntu patches.

You can also view patches for an individual device from Devices > Device Details > Patch Management, which lists the software updates that could be installed on this device but are not.

This scan can take some time. After clicking the Retrieve Information button, be prepared to wait several minutes, or come back to this Patch Management tab later to view the results.

2.0 Disabling Windows Auto-Updates

By default, Naverisk does not change any existing Windows update settings. Devices that were configured to automatically download and install updates (Windows 10 default setting) will continue to do so after the Naverisk agent is installed. This ensures that devices will continue to receive updates until you start actively managing the patching in Naverisk.

It is possible to use Naverisk patch management without disabling Windows auto-update. Devices will have updates installed when they are pushed out by Microsoft, with Naverisk being used to check for devices that have not received updates and triggering the installation of any required patches.

Disabling automatic updates gives you full control over the patching process. You can prevent users from installing patches and feature updates themselves, and you decide which updates are installed and when. This allows you, for example, to test new patches for compatibility with key applications before deploying them across all devices.

If you are managing domain-joined devices, use a domain GPO to disable Windows Update. Any settings made locally on a domain member are overwritten by the policies configured on the Domain Controller at the next policy refresh.

A script pack and device role are available in the Routine Store to allow you to easily disable Windows auto-updates on non-domain computers. From the store, download the Disable Windows Updates script pack and the Disable Windows Updates Daily device role. Import the script pack and device role into Naverisk.

The script pack disables auto-updates and also blocks the user from manually installing updates. It can be run as required on the desired device(s).

The Disable Windows Updates Daily device role can be applied to individual devices, or to multiple devices by applying it to one or more device types. This device role automatically runs the Disable Windows Updates script each day, which ensures that automatic updates remain disabled if a user (or Microsoft) changes the settings. If you prefer to run the script less frequently, for example weekly, you can edit the script pack to specify a different frequency.
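The page does not show the contents of the Routine Store script pack. The following is an added example, not Naverisk's script, of what a "disable auto-updates and block manual installs" script for a non-domain Windows device looks like: it writes the same two policy registry values a GPO would set, refuses to run on a domain member (where the GPO would overwrite it anyway), and verifies the result so a daily device role can detect drift. The registry paths and value names are standard Windows Update policy settings; running it as local administrator on Windows 10/11 is an assumption.

```powershell
# Added example (not the Naverisk script pack). Disables Windows automatic updates
# and removes users' access to the Windows Update settings page on a non-domain
# device by writing the policy values a GPO would otherwise set.
# Assumptions: run as local administrator on Windows 10/11 or Server 2016+.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Refuse to run on a domain member: the domain GPO overwrites local policy at the
# next refresh, so local edits would only produce churn. Use a GPO there instead.
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    Write-Warning 'Device is domain-joined; configure Windows Update via GPO instead.'
    exit 1
}

foreach ($key in @($wuKey, $auKey)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# NoAutoUpdate = 1 -> the "Configure Automatic Updates" policy is Disabled:
# Windows no longer downloads or installs updates on its own schedule.
Set-ItemProperty -Path $auKey -Name 'NoAutoUpdate' -Value 1 -Type DWord

# SetDisableUXWUAccess = 1 -> "Remove access to use all Windows Update features":
# the Settings page no longer lets a user check for or install updates.
Set-ItemProperty -Path $wuKey -Name 'SetDisableUXWUAccess' -Value 1 -Type DWord

# Read the values back. A daily device role running this script re-applies them
# and, through the non-zero exit code, flags any device where they did not stick.
$state = [ordered]@{
    NoAutoUpdate         = (Get-ItemProperty -Path $auKey -Name 'NoAutoUpdate' -ErrorAction SilentlyContinue).NoAutoUpdate
    SetDisableUXWUAccess = (Get-ItemProperty -Path $wuKey -Name 'SetDisableUXWUAccess' -ErrorAction SilentlyContinue).SetDisableUXWUAccess
}
$state

if ($state.NoAutoUpdate -ne 1 -or $state.SetDisableUXWUAccess -ne 1) {
    Write-Error 'Windows Update policy values were not applied.'
    exit 1
}
```

Both values only affect the Automatic Updates client and the Settings UI. Installs driven through the Windows Update Agent API, which is how the Naverisk agent triggers patches (see section 8.0), continue to work, so disabling auto-updates this way does not prevent on-demand or scheduled patching from Naverisk.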

3.0 Alerts: Outstanding Patches against a Client

The OS Patches tab is found under the Settings page, as shown below. Here you can configure OS Patch settings, SLA-based alerting, and Patch Category rules. Note that this applies to 2022 R1 and higher releases.

Based on the Thresholds you select, Naverisk will raise Tickets with the appropriate SLA statuses for any Devices in that Client Group with outstanding Updates after the Threshold period has passed.

The tickets raised as a result of these SLA Status Thresholds are special: they contain an extra 'Report Devices' button, which opens an embedded report displaying the missing patches that do not belong to any exception categories.

4.0 Manually Applying Patches to just One Device

  1. Navigate to the Device which you would like to Patch.

  2. Select Patch Management (one of the buttons underneath Device Details).

  3. Select which updates you would like to install from the list of available Updates.

  4. If no updates are listed, click 'Retrieve Information' to refresh the list of available updates.

  5. Click Install Selected Updates to have Windows Update install them immediately.

5.0 Applying Scheduled Patches

1. Navigate to the Settings page (OS Patches) to configure Patch Category rules for each client.

2. Navigate to the OS Patches tab of the Device page to configure patch rules for clients and devices.

3. Select a patch and click the Add Authorisations option in the Task dropdown to authorize a patch for an entire client.

4. A re-enabled scheduled job runs on its next scheduled date, or immediately if its last scheduled run fell within an hour of re-enabling it.

Note: Devices can be excluded from this client rule by adding an exception from the Patch Management tab of that device.

5. Next, navigate to the Scheduling tab and create a New Job.

6. The Job Action should be to install Patches. Populate the details for the Job Schedule and Job Title.

7. Click Select Device Filter to select the specific devices on which you would like to install patches. At this stage you can choose to apply updates to entire client groups or to subsets of them (such as particular device types or specific machines in that client group).

8. On the right there is a box for selecting which categories you would like to update. This acts as a final approval before updates go ahead.

9. The image below shows the recommended configuration of the scheduled patch job; this configuration has been found to work best:

10. After you press Save, the job is scheduled and updates will run at the selected time.

11. It is advisable to schedule Maintenance Mode to start before updating and to end after the updating has finished, in case services are restarted in the course of the updates.

12. If a restart is needed (for example, when installing critical updates), it should be scheduled to happen within your Maintenance Mode window as well.

6.0 Clients Reports - Patching

As it is often important to provide your clients with a summary of their organization's patching status, we have created a report called the Patch Summary Report (Reports > Client Facing > Patch Summary). This report represents outstanding patches, graphically and numerically, for servers and workstations respectively.

While you can run this Report manually, it is recommended that you automate this Report to be sent to you following Scheduled Patch installations. That way you can keep a running record of the Patching status for a company and easily present this to your clients to show the value of your service.

If you are planning to schedule the report to be sent out within 24 hours of the patch job, set up another scheduled job before it to run the Windows update scan on these devices. This ensures the report accurately reflects which patches have been installed and which are still available.

To schedule this, create a New Scheduled Job and time it to happen after your scheduled patches (and Device Reboot task, if applicable). Example below:

To schedule the report, create a New Scheduled Job and time it to happen after your scheduled Windows update scan.

Note that you need to specify which devices this report should cover (using Device Filter) and the recipient of the report (with Recipient Email). Example below:

7.0 Other Reports - instead of the Patch Summary

Patch Management - This Report is useful for displaying missing Updates for selected Devices and Clients.

Software Changes - This report can be used to display recently installed updates as well as application changes on selected devices and clients.

8.0 Troubleshooting

If patches are failing to install on devices, or Naverisk reports that a patch has failed in the Scheduler, the first port of call is to check your Scheduled Job configuration. If you are using the recommended Scheduled Job configuration shown in the earlier section, you should not encounter a configuration issue and the cause will lie with the device itself.

In a bit more detail: the Naverisk agent does not install updates itself. For Windows devices, the agent communicates with the Microsoft Windows Update Agent and tells it which updates to install. On Linux devices, the agent issues the appropriate shell commands to download and install the updates, e.g. apt-get update.

On Windows, therefore, patching failures almost always come down to the Windows Update Agent failing to check for or install updates. To verify this, check the WindowsUpdate.log file. On Windows 7 and Server 2008 R2 this is the plain-text file in C:\Windows; on Windows 10 and later the file at that location is only a placeholder, and the readable log must be generated from the ETW traces with the Get-WindowsUpdateLog PowerShell cmdlet. The error codes found there can then be searched to find a resolution.

As an example, here is an excerpt from the Microsoft generated Windowsupdate.log file:

Running a search on this error has brought up the below Microsoft Technet link:

This error indicates that the Windows Update Agent was unable to communicate with the Microsoft servers to retrieve the list of Windows updates. In the particular example above, the machine had a proxy configured that was blocking the communication.
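The following is an added example (not Naverisk's agent code) that reproduces from PowerShell the step the agent delegates to the Windows Update Agent: it asks the WUA for the applicable, not-yet-installed software updates (the same class of query the missing-patch views in sections 1.0 and 4.0 rely on), and when that search fails it surfaces the 0x8024xxxx HRESULT, the machine-wide WinHTTP proxy that the Windows Update service uses, and the last errors from a freshly generated WindowsUpdate.log. The Microsoft.Update.Session COM object, netsh winhttp and Get-WindowsUpdateLog are standard Windows tooling; running it as administrator on Windows 10/11 is an assumption.

```powershell
# Added example (not Naverisk code). Runs the Windows Update Agent search the
# agent depends on and, on failure, collects the three things worth checking first:
# the HRESULT, the WinHTTP proxy, and the tail of WindowsUpdate.log.
# Assumptions: run as administrator on Windows 10/11; Microsoft Update or WSUS reachable.

function Get-MissingUpdates {
    # Software updates applicable to this device that are not installed and not hidden.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title      = $u.Title
            KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Categories = ($u.Categories | ForEach-Object Name) -join ';'
            Downloaded = $u.IsDownloaded
        }
    }
}

try {
    $missing = @(Get-MissingUpdates)
    '{0} applicable update(s) not installed' -f $missing.Count
    $missing | Format-Table -AutoSize
}
catch {
    # COM failures arrive wrapped; the inner exception carries the WUA HRESULT.
    # Print it as 0x8024xxxx, the form used in WindowsUpdate.log and Microsoft's
    # error reference, so it can be searched directly.
    $hr = $_.Exception.HResult
    if ($_.Exception.InnerException) { $hr = $_.Exception.InnerException.HResult }
    Write-Warning ('Windows Update search failed: 0x{0:X8} ({1})' -f $hr, $_.Exception.Message)

    # wuauserv uses the machine-wide WinHTTP proxy, not the user's IE/Edge proxy.
    # A stale or unreachable proxy here produces exactly the connectivity failure
    # described above, even when the user's browser works.
    Write-Host '--- WinHTTP proxy (used by wuauserv) ---'
    netsh winhttp show proxy

    # On Windows 10 and later C:\Windows\WindowsUpdate.log is only a placeholder;
    # the readable log is rebuilt from ETW traces by this cmdlet.
    $log = Join-Path $env:TEMP 'WindowsUpdate.log'
    Get-WindowsUpdateLog -LogPath $log
    Write-Host "--- recent Windows Update errors from $log ---"
    Select-String -Path $log -Pattern 'FAILED|0x8024[0-9A-Fa-f]{4}' | Select-Object -Last 20
}
```

If the search succeeds here but Naverisk still reports failures, the problem is between the agent and the WUA (service account, agent connectivity) rather than in Windows Update itself; if it fails here too, the HRESULT and proxy output are what to search on, and "netsh winhttp reset proxy" or pointing the proxy at a reachable host is the usual fix for the proxy case.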

8.1 Installed update information in Windows 10

Windows 10 records patching in two places, and Naverisk shows them in two locations: the installed update information is displayed in the Software tab, and the update history is displayed in the Patch Management tab. These two lists are not always the same.
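The page does not state which Windows data source feeds each tab, but Windows itself keeps two different records, and comparing them shows why the lists diverge. The following is an added example (not Naverisk code): it reads the installed-updates record from Win32_QuickFixEngineering (Get-HotFix), which only lists certain update types, and the update history from the Windows Update Agent, which also holds Defender definition, driver and feature updates as well as failed attempts, then prints the entries present in one but not the other. Running it on Windows 10/11 is an assumption.

```powershell
# Added example (not Naverisk code). Compares the two records Windows keeps of
# patching so the difference between "installed updates" and "update history" is
# visible. Assumptions: Windows 10/11; no elevation required.

# Record 1: Win32_QuickFixEngineering, exposed by Get-HotFix. Only updates that
# register a hotfix ID (mostly security/quality updates) appear here.
$installed = @(Get-HotFix | Select-Object HotFixID, InstalledOn)

# Record 2: the Windows Update Agent history, which logs every update operation
# the WUA performed, including definitions, drivers and failures.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = @()
if ($count -gt 0) {
    $history = @($searcher.QueryHistory(0, $count) | ForEach-Object {
        # ResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
        [pscustomobject]@{
            Date       = $_.Date
            KB         = [regex]::Match($_.Title, 'KB\d+').Value
            Title      = $_.Title
            ResultCode = $_.ResultCode
        }
    })
}

$kbFromQfe     = @($installed | ForEach-Object HotFixID)
$kbFromHistory = @($history | Where-Object { $_.KB -and $_.ResultCode -eq 2 } |
                   Select-Object -ExpandProperty KB -Unique)

'Get-HotFix (installed updates): {0} entries' -f $installed.Count
'WUA history (update history)  : {0} entries, {1} distinct successful KBs' -f $history.Count, $kbFromHistory.Count

Write-Host '--- Succeeded in WUA history but absent from Get-HotFix ---'
$kbFromHistory | Where-Object { $_ -notin $kbFromQfe }

Write-Host '--- In Get-HotFix but never recorded as a WUA success (installed outside WUA, e.g. DISM/WSUS offline) ---'
$kbFromQfe | Where-Object { $_ -notin $kbFromHistory }

Write-Host '--- Failed or aborted attempts (these never appear in Get-HotFix) ---'
$history | Where-Object { $_.ResultCode -in 4, 5 } | Format-Table Date, KB, Title -AutoSize
```

When the two Naverisk tabs disagree for a device, the failed and aborted entries in the last section are usually the explanation: an update that is listed in the history with ResultCode 4 was attempted but never installed, and so is correctly absent from the installed list.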

If you continue to experience issues after resolving the errors found in WindowsUpdate.log and checking your Scheduled Job, please contact support@naverisk.com for further assistance.
