Windows Patch Management

What it Does

  • Build templates to apply Windows Update schedules to your Asset Policies.
  • View all missing patches on an asset.
  • View a history of recently installed patches (even from before Syncro was installed on the asset!).
  • Push a button to install all available patches for an asset in real-time.
  • Push a different button to install individual patches to an asset in real-time.
  • Click a KB number next to a patch to view Microsoft’s documentation on the patch.
  • View a report of all assets that are missing Windows Updates.
  • View a report of all patches that have not been installed on your assets.
  • Create saved asset searches to find assets that are missing specific updates, and have installed specific updates.
  • Checks for new updates every 24 hours.

What it Doesn't Do

  • Uninstall or remove existing patches.
  • Install feature updates, such as Windows 10 21H2.
  • Install updates for Microsoft products, such MS Office for Desktop.

Table of Contents

 

Building Windows Update Policies

First, head over to the Policies tab. Then in the upper right, click Policy Modules > Windows Updates. Here is what you can do on this screen.

  1. Create a new policy from scratch.
  2. Create a new policy with some predefined settings. The one you choose will appear in the list—click it to edit it.
  3. Go to other Policy Modules.
  4. Click a policy name to edit it.
  5. Click the pencil to edit a policy, or the red X to delete it.

Create a brand new update policy

  1. Click New Windows Update Policy.
  2. Give it a Name.
  3. Select the approval level you want for each severity category of Security Vulnerability patches. The default for all is Manual. The Other category is a catchall for anything that isn't contained within the other categories/severities. Same for the categories in step 5 below.
    • Approve: Any patches in a category, such as Critical, set to Approve will automatically be installed during the next scheduled install cycle.
    • Defer: These patches will delay being installed for the time period defined in the Deferred Patch Time Period below (default is 1 day). This gives you time to review any patches for problems before they get automatically installed during the next scheduled install cycle. They will show up in the Missing Patches section of assets.
    • Reject: These patches will never be installed as part of the scheduled patch cycle. This can be overridden by going to the Rejected Patches section of an asset and clicking Install by a rejected patch. This can only be done by global admins and those who belong to a Security Group with the Assets - Allow Installation Of Rejected Patches security permission turned on.
    • Manual: Patches with this setting will only get installed if you manually do so, either through an asset record or a Windows patching report.
  4. If desired, change the Default Deferred Patch Time Period for those categories you set to Defer above. You can set it up to 30 days or 52 weeks. The default is 1 day.

    Note that once the defer period has passed, any deferred updates will then be installed in the next scheduled install cycle, defined in Schedule Specification below, rather than immediately.

    For example, suppose the Default is set for 2 weeks and the Schedule Specification is set to every Tuesday. If a patch gets released on Saturday, it will sit there for two Saturdays so you can review it. After that, the patch will automatically get installed the following Tuesday.
  5. Select the approval level you want for each Windows and Microsoft Patch category. The approval options are the same as those for security vulnerabilities in step 3 above.
  6. You can change the Default Deferred Patch Time Period for the Defer selections. 1 day is the default setting.
  7. If offline, run at next boot: If you turn this on, enter the number of Delay minutes. Then if an asset is offline during the update window, the updates will be installed the number of Delay minutes after the machine boots.
  8. Set the time of day (in 24 hour format) to start installing patches and updates.
  9. Select the FrequencyDaily, Weekly, or Monthly—to install the updates. Then further define that in the following dropdowns.
    • Daily: Select the daily IntervalEvery day, Every Other day, Every Third day, or Every 4th day.
    • Weekly: Select which day of the week (in the second Run on a weekday dropdown) to install the updates, and the IntervalEvery Sunday, or Every Other Monday, etc. In the above screenshot, it is scheduled to run every other Saturday at 2:00 AM.
    • Monthly: Every dropdown opens up here. Here are two examples of what you can do.
      • Install the 2nd Wednesday of every other month: Set Run on a weekday dropdowns to Second WE and Interval to Every Other.
      • Install on the 8th every three months: Set Run on day of month to 8 and Interval to Every Third.
  10. Patch Exclusion List: If there are specific patches you never want installed, click Add Exclusion. Then enter the KB Number and a Description. That patch will override the approval settings above.
  11. Global Patch Exclusion List: You will see any global patch exclusions here. This allows you to exclude patches from ALL asset policies. Click Manage Global Exclusions to access them. You can also access them via More > Admin > RMM - Global Patch Exclusions.
  12. If an update has a reboot required: Select what you want to happen when this is the case.

    • Do not reboot: The Agent does not trigger any reboot action.
    • Forcefully reboot: The Agent will immediately reboot the Asset when the Windows Updates finish installing. Important: Do not select this option without entering a Reboot by time. If you leave the Reboot by time blank, Syncro will reboot the asset whenever is necessary to complete the updates—this can potentially shut down the machine when in use. You can always reboot the asset after installing updates at a different time via a script, task scheduler, etc. if you are unable to enter a Reboot by time.
    • Prompt the user for the reboot with a message: The Agent will present a pop up that will use the message you enter in the Reboot message field. If you leave it blank, it will display a default message: Updates were installed and the machine needs to update.
    • Prompt with message and attempt reboot at specified time: Just like the prior choice, it will display the Reboot message or default message, plus the Agent will reboot automatically at the time you select in the Reboot by dropdowns.
  13. Once you have made all your selections, click Save.

You are now ready to apply this to an asset policy!

 

Adding a Windows Update Policy to an Asset RMM Policy

Now that you have your Windows Update Policies created, you are ready to apply them to your Asset RMM Policies to get your assets up to date!

  1. Head over to the Policies tab to view all your asset RMM policies.
  2. Click one to edit it, or in the upper right, click New Policy and Name it.
  3. In the left hand nav, click Windows Updates.
  4. If there are no sections listed, click Select > Windows Updates.
  5. Click Add Windows Updates Policy.
  6. Click the Select dropdown and choose the Update Policy you want.
  7. If there are existing Update Policies, you can turn them on or off with the checkbox, click the dropdown to select a different one, or click the red X to delete one.
  8. You can add multiple Update Policies, but keep in mind the caveat displayed in yellow—Update Policies are not validated against each other.
  9. You can also click Windows Update Policies to add and edit the actual Update Policies as described in the above section.
  10. Make sure to click Save Policy once you are done!

 

Viewing Windows Updates

Now that you have your Windows Updates scheduled, let's view the current status of Windows Updates on an asset.

  1. Head to the Assets & RMM tab.
  2. Click a Windows asset to view its details.
  3. Click the Windows Patches tab.

You will see four sections here. For the first three, click Install to attempt installation.

Missing Patches

These patches had their approval in a Windows Update Policy set to Defer or Manual.

  • Click a KB number to view Microsoft’s documentation on the update.
  • Click Install by any patch to install it.
  • You can install multiple patches at once by turning on their checkboxes and then clicking Install Selected Missing Patches.
  • The external link icon (box with a diagonal arrow) will show Microsoft's update details.

Either install option will push the update in real-time, and you can watch the patch’s install progress on the Scripts tab on the asset. If the asset is offline, it queues it when it comes back online, just like if it were a script.

Failed Patches

Microsoft failed to install these patches for one reason or another. The same options found in Missing Patches will be available for installing patches and viewing documentation.

Rejected Patches

These patches had their approval in a Windows Update Policy set to Reject.

You will only see an Install button in this section if you are a global admin or you belong to a Security Group with the Assets - Allow Installation Of Rejected Patches permission turned on.

Notice the second update in the above screenshot, which is a driver. Since it does not have a KB #, you cannot specifically exclude it, but you can set the category of Drivers to Reject in a Windows Update Policy, and then selectively install the ones you want.

Recently Installed

Successfully installed patches. View Records will show History for the KB.


Windows Update Reports

There are two RMM Reports that give Windows Update information. To access them, go to More > Admin > Reports. They are in the RMM section. Click each one below to learn more.

Vulnerable Systems
Missing Patches By KB


Saved Asset Search Tools

The Saved Asset Search lets you search assets for missing and installed Windows Updates by KB # to make finding the assets you need that much easier.


Supported Operating Systems

Windows 7, 8.1, 10, and 11 (Pro versions and above)
Windows Server 2008 R2, 2012, 2016, 2019, and 2022


FAQs

When do updates actually reboot assets?

Reboots only happen if the Update requires a reboot. If an update requires a reboot, the reboot will happen as you have defined in the Patch Policy. If an update does not require a reboot, that asset will simply not reboot regardless of the reboot setting in the policy.

Why haven't my patches installed?

Have you rebooted the asset? If the asset does not reboot, you may not see the patches as installed, as many patches require a reboot to successfully install.

Why didn't the asset reboot at the "Reboot by" time?

Usually, in these cases, the asset simply has not finished installing the specified updates by the "Reboot by" time, which causes the agent to skip it.

Why is the same update showing as available and installed?

This is most likely the same KB receiving a version update from Microsoft, such as with a Windows Defender definition update.

Do you support managing Feature Updates like Windows 10 21H2?

We do not currently manage Windows Feature Updates. Those will need to be manually installed on the asset itself.


Tips

Scheduling too many updates at once can cause issues such as missing the "Reboot by" time. For example, you shouldn't schedule a month worth of updates with several categories to install, with only a few hours to do it—this task may not have enough time to complete successfully.

Reboot by

It's important to have scheduled downtime for Servers in which updates can be applied to prevent issues with server inaccessibility.

It may take some tweaking to get a Windows Update schedule that works for you. It's good practice to test the schedule and patches on noncritical systems initially.

IMPORTANT NOTE: Pending Reboot will not clear for assets with Windows 8 and higher with a shutdown, you need to actually restart the asset. This is because of "Fast Startup" which essentially puts the computer into a deep hibernation mode. A restart will actually clear the RAM, processor cache, and kill all processes.

2 posts were split to a new topic: Support for Windows 11 Pro, Server 2019

Can you please update the taskbar icon that appears when the reboot message is displayed?
image
Allow it to be whitelabelled, or if nothing else put the SyncroMSP icon there.

Please don’t leave it to be the default icon that Visual Studio applies to applications. It looks unprofessional IMHO.

2 Likes

So this will disable Auto Updates and then Syncro won’t install feature updates?!

Correct, no RMM can natively do Feature Updates, there is no EULA accept/skip switch on the KB file. Thank MS for that one. Feature Updates are scripted via the Windows Update Assistant. Other RMMS will build this in, that’s why they can do them, but Syncro hasn’t. Instead, there’s scripts available you can use to apply and you can filter via saved asset searches to know who needs it.