Windows Patch Management

What it Does

  • Build templates to apply Windows Update schedules to your Device Policies
  • View all missing patches on a device
  • View a history of recently installed patches (even from before Syncro was installed on the device!)
  • Push a button to install all available patches for a device in real-time
  • Push a different button to install individual patches to a device in real-time
  • Click a KB number next to a patch to view Microsoft’s documentation on the patch
  • View a report of all devices that are missing Windows Updates
  • View a report of all patches that have not been installed on your devices
  • Create saved asset searches to find devices that are missing specific updates, or that have installed specific updates

 

What it Doesn't Do

  • Block or hold a specific Windows patch from installing (you can block whole categories of patches by leaving them unselected in your Windows Update Management Policy; see Supported Operating Systems below for what the policy does on each OS)
  • Uninstall or remove existing patches

Supported Operating Systems

Note: On every supported edition, Windows still downloads updates in the background; the registry changes only stop Windows from installing them on its own.

Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012: Our registry changes disable Windows automatic updating and lock the Windows Update settings in the Control Panel; a user who tries to change them there sees the message "Some settings are managed by your system administrator."

Windows 10/11 Professional, Windows Server 2016/2019: Our registry changes disable Windows automatic updating and lock the settings under Settings -> Update & Security -> Windows Update; a user who tries to change them sees "Some settings are managed by your organization". The user can still check for and install updates manually from that dialog.

 

Non-Supported Operating Systems

Windows 10 Home: Our registry changes will not affect this Windows edition.

IMPORTANT NOTE: On Windows 8 and later, a pending reboot is not cleared by a shutdown; the device must actually be restarted. "Fast Startup" turns a shutdown into a form of deep hibernation, so the kernel session is saved rather than discarded. A restart does a full cold start: it clears RAM and the processor caches and kills all processes, which is what completes the pending installation.
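To confirm on a device what the two sections above describe, the following PowerShell (an added example, not the Syncro agent's own code) reads the standard Windows Update policy location, the pending-reboot markers Windows itself sets, and the Fast Startup setting. The page does not say which registry values the agent writes; the script assumes the policy values Windows honours (NoAutoUpdate and AUOptions under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU) and simply reports what is present, so on a Home-edition device it also shows that nothing took effect.

```powershell
# Added example (not Syncro code). Run in an elevated PowerShell on the endpoint.
# Assumption: the agent's "registry changes" land in the standard Windows Update
# policy key below; the page does not list the exact values it writes.

function Get-WindowsUpdatePolicyState {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    [pscustomobject]@{
        # "Core" is the Home edition, where the page says the changes have no effect
        EditionID        = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name EditionID).EditionID
        PolicyKeyPresent = Test-Path $au
        # 1 = automatic updating disabled by policy (the "managed by your organization" state)
        NoAutoUpdate     = (Get-ItemProperty -Path $au -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
        # 2 = notify before download, 3 = auto download / notify to install, 4 = auto download and schedule install
        AUOptions        = (Get-ItemProperty -Path $au -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
        # Set only when updates come from a WSUS server instead of Microsoft
        WUServer         = (Get-ItemProperty -Path $wu -Name WUServer -ErrorAction SilentlyContinue).WUServer
    }
}

function Test-PendingReboot {
    # The markers Windows itself sets; any one of them means a restart is still owed
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $renames = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $flags = [ordered]@{
        ComponentServicing = Test-Path $cbs
        WindowsUpdate      = Test-Path $wua
        PendingFileRenames = [bool]$renames
        # The Windows Update Agent's own answer, via its COM interface
        UpdateAgentSaysSo  = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired
    }
    $flags['RebootPending'] = [bool]($flags.Values | Where-Object { $_ })
    [pscustomobject]$flags
}

function Get-FastStartupState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $v = (Get-ItemProperty -Path $key -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled
    # Value absent = Windows default, which is on whenever hibernation is available
    if ($null -eq $v) { 'Default (on if hibernation is available)' } elseif ($v -eq 1) { 'On' } else { 'Off' }
}

# To make a user "Shut down" a real shutdown that clears the pending state, turn
# Fast Startup off (elevated shell needed):
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' -Name HiberbootEnabled -Value 0

Get-WindowsUpdatePolicyState | Format-List
Test-PendingReboot          | Format-List
"Fast Startup: $(Get-FastStartupState)"
```

A restart (Restart-Computer, or Restart from the Start menu) always performs a full kernel restart regardless of the Fast Startup setting; only a shutdown is affected, which is why the note above insists on a restart.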

 

Building your Windows Update Management Policy

First, head over to “Policies” and click the “Policy Modules” dropdown to select “Windows Updates”.

Here, you’ll see a couple of starting templates to give you an idea of what you can do. You can edit, delete, or use them as they are. You can also create your own from one of our examples as a template, or make a brand new Windows Update Management Policy from scratch.

Click “+ New Windows Update Management Policy” to create a new policy. Here, you can give it a name, edit the update schedule, and choose whether to run the updates on next boot if the device is offline during the update window.

There is a category drop-down list where you tell the policy which update categories may be installed.

Here are your choices for each setting:

  • Start updating at - When do you want Windows Updates to begin?
    • Hours on a 24-hour clock (0-23)
    • Minutes can be set to 00, 15, 30, or 45.
  • Freq - How often do you want to run Windows Updates?
    • Daily
    • Weekly
    • Monthly
  • Run on weekday - Do you want to run updates on a specific day of the week?
    • If you chose “Monthly” as your frequency, you can choose to run updates on the First, Second, Third, Fourth, or Last chosen weekday of the month.
    • If you chose “Weekly”, you will only be able to choose the weekday (Sunday - Saturday).
    • If you chose “Daily”, updates run every day, so this option is not needed :)
  • Run on day of month - Do you want to run updates on a certain date?
    • Only available for “Monthly”; lets you choose a date from 1-31.
    • If you choose 31, it always runs on the last day of the month, including in months with fewer than 31 days.
  • Interval - Do you want to skip Windows Update runs?
    • Every - Never skip a run (ex: run every day)
    • Every Other - Skip one run (ex: run every other day)
    • Every Third - Skip two runs (ex: run every third day)
    • Every 4th - Skip three runs (ex: run every fourth day)
  • If offline, run at next boot - Do you want this to run when the device starts if it missed the update window?
    • If enabled, you can set “Delay minutes” so that Windows Updates start a certain number of minutes after the computer boots (to avoid slowing the boot).

     

    Here is an example Windows Update Management Policy that is set to run every other first Sunday of the month, starting at 9:30 PM. If the device is offline at 9:30 PM, it runs after the next boot with a 10 minute delay.
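    It is easy to misread how the frequency, weekday/ordinal, day-of-month and interval settings combine, so the following PowerShell (an added example, not Syncro code) works out the run times a schedule produces, using the settings as described above. Two details the page does not state are assumptions here: "Every Other/Third/4th" is taken to count runs from the first one on or after the start date, and a day-of-month that a short month lacks (29 or 30 in February) is treated like 31 and runs on that month's last day.

```powershell
# Added example (not Syncro code): enumerate the run times of a Windows Update
# Management Policy schedule as the settings list above describes it.
# Assumptions: Interval counts runs from the first one on/after $From;
# a day-of-month the month lacks falls on the month's last day (as 31 does).

function Get-NthWeekdayOfMonth {
    param([int]$Year, [int]$Month, [System.DayOfWeek]$Weekday,
          [ValidateSet('First','Second','Third','Fourth','Last')][string]$Ordinal)
    $first  = [datetime]::new($Year, $Month, 1)
    $offset = ([int]$Weekday - [int]$first.DayOfWeek + 7) % 7
    $day    = $first.AddDays($offset)                      # first $Weekday of the month
    if ($Ordinal -eq 'Last') {
        while ($day.AddDays(7).Month -eq $Month) { $day = $day.AddDays(7) }
        return $day
    }
    $n = @{ First = 0; Second = 1; Third = 2; Fourth = 3 }
    return $day.AddDays(7 * $n[$Ordinal])
}

function Get-PolicyRunTimes {
    param(
        [datetime]$From = (Get-Date),
        [int]$Count = 6,
        [ValidateSet('Daily','Weekly','Monthly')][string]$Frequency = 'Monthly',
        [ValidateRange(0,23)][int]$Hour = 0,
        [ValidateSet(0,15,30,45)][int]$Minute = 0,
        [System.DayOfWeek]$Weekday = 'Sunday',
        [ValidateSet('First','Second','Third','Fourth','Last')][string]$Ordinal = 'First',
        [ValidateRange(0,31)][int]$DayOfMonth = 0,   # Monthly only; 0 = use Ordinal+Weekday, 31 = last day
        [ValidateRange(1,4)][int]$Interval = 1       # 1 = Every, 2 = Every Other, 3 = Every Third, 4 = Every 4th
    )
    $occurrences = New-Object System.Collections.Generic.List[datetime]
    $cursor = $From.Date
    while ($occurrences.Count -lt $Count * $Interval) {
        switch ($Frequency) {
            'Daily'  { $day = $cursor; $cursor = $cursor.AddDays(1) }
            'Weekly' {
                $day    = $cursor.AddDays(([int]$Weekday - [int]$cursor.DayOfWeek + 7) % 7)
                $cursor = $day.AddDays(1)
            }
            'Monthly' {
                if ($DayOfMonth -gt 0) {
                    $last = [datetime]::DaysInMonth($cursor.Year, $cursor.Month)
                    $day  = [datetime]::new($cursor.Year, $cursor.Month, [math]::Min($DayOfMonth, $last))
                } else {
                    $day  = Get-NthWeekdayOfMonth -Year $cursor.Year -Month $cursor.Month -Weekday $Weekday -Ordinal $Ordinal
                }
                $cursor = [datetime]::new($cursor.Year, $cursor.Month, 1).AddMonths(1)
            }
        }
        $run = $day.AddHours($Hour).AddMinutes($Minute)
        if ($run -ge $From) { $occurrences.Add($run) }     # skip windows already in the past
    }
    # Interval: keep every $Interval-th run, starting with the first one
    $picked = for ($i = 0; $i -lt $occurrences.Count; $i += $Interval) { $occurrences[$i] }
    return @($picked)[0..($Count - 1)]
}

# The policy from the example above: every other first Sunday of the month at 9:30 PM
Get-PolicyRunTimes -From ([datetime]'2024-01-01') -Frequency Monthly -Ordinal First -Weekday Sunday -Hour 21 -Minute 30 -Interval 2 -Count 4
```

    Run it with the start date of your own maintenance calendar and compare the output against the change windows agreed with the customer before assigning the policy; a mismatch here is cheaper to find than a server rebooting during business hours.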

     

    Reboot Specifications

    If an update has a reboot required:

    Do Not Reboot: The Agent does NOT trigger any reboot action.

    Forcefully Reboot: The Agent will immediately reboot the Asset when the Windows Updates finish installing.

    Prompt the user for a reboot with a message: The Agent presents a pop-up with the message specified in the Windows Patch Policy. If that is left blank, the default message says that updates were installed and the machine needs to be restarted.

    Prompt with message and attempt reboot at specified time: When the Windows updates finish installing, the Agent presents the message specified in the Windows Patch Policy (if left blank, the default message says that updates were installed and the machine needs to be restarted). The Agent then reboots the asset automatically at the "Reboot by" time entered in the Windows Patch Policy.

     

    Once you click “Save”, you are all ready to apply this to a device policy!

     

    Adding your Windows Update Management Policy to an Asset RMM Policy

    Now that you have your Windows Update Management Policies created, you are ready to apply them to your Asset RMM Policies to get your devices up to date!

    Head over to “Policies” to view all your asset RMM policies. Click one to edit it, and scroll down to “Windows Updates” to select one of the Windows Update Management Policies you created before. You can also click the “here” link to edit or create Windows Update Management Policies should you need to make any changes. Just make sure to save your Asset RMM Policy once you are done!

    Viewing Windows Updates

    Now that you have your Windows Updates scheduled, it is time to view the current status of Windows Updates on a device.

    Head to “Assets & RMM” and click on a Windows Device to view its details. You should now see a “Windows Patches” tab to view the device’s current Windows Patch status. You can view the KB number of the patch, and clicking on this number will direct you to Microsoft’s documentation on the update for more information.

    The missing patches section lets you “Install All Available Patches” shown in the list, or you can use the “Install” button next to a missing patch to install it individually. Either install option pushes the update in real time, and you can watch the patch’s install progress on the “Scripts” tab of the device. If the device is offline, the install is pushed when it comes back online, just as a script would be.
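    What the “Windows Patches” tab shows comes from the Windows Update Agent on the device, so you can cross-check it locally. The PowerShell below is an added example, not Syncro code: it uses the Windows Update Agent COM API (Microsoft.Update.Session) to list updates not yet installed, with their KB numbers, categories and reboot behaviour, and to dump the local install history, which exists on the device before any agent is installed. Grouping the history by KB also makes visible the case from the FAQ below, where one KB number appears as both installed and available because definition updates reuse the same KB for every release. The search contacts the device's configured update source, so it needs network access and can take a minute or two.

```powershell
# Added example (not Syncro code). Read-only: it searches and reads history,
# it does not download or install anything. Run on the endpoint.

function Get-MissingUpdates {
    # WUA search criteria: IsInstalled=0 = not yet installed, IsHidden=0 = not hidden by a user
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB             = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title          = $u.Title
            Categories     = ($u.Categories | ForEach-Object { $_.Name }) -join ','
            Severity       = $u.MsrcSeverity
            # RebootBehavior: 0 = never needs a reboot, 1 = always, 2 = may request one
            RebootBehavior = $u.InstallationBehavior.RebootBehavior
            Downloaded     = $u.IsDownloaded
        }
    }
}

function Get-UpdateHistory {
    param([int]$Last = 50)
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count = [math]::Min($Last, $searcher.GetTotalHistoryCount())
    $resultNames = @{ 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
    foreach ($h in $searcher.QueryHistory(0, $count)) {
        # History entries carry the KB only in the title, so pull it out with a regex
        $kb = if ($h.Title -match 'KB(\d+)') { "KB$($Matches[1])" } else { '' }
        [pscustomobject]@{
            Date      = $h.Date
            KB        = $kb
            Title     = $h.Title
            Result    = $resultNames[[int]$h.ResultCode]
            Operation = if ($h.Operation -eq 1) { 'Install' } else { 'Uninstall' }
        }
    }
}

# KBs installed more than once: definition updates reuse one KB number for each release,
# which is why the same KB can show as installed (previous release) and available (newest)
function Get-RepeatedKBs {
    Get-UpdateHistory -Last 200 |
        Where-Object { $_.KB -and $_.Result -eq 'Succeeded' } |
        Group-Object KB |
        Where-Object Count -gt 1 |
        Select-Object Name, Count, @{ n = 'LastInstalled'; e = { ($_.Group | Sort-Object Date -Descending)[0].Date } }
}

Get-MissingUpdates       | Format-Table KB, Severity, RebootBehavior, Title -AutoSize
Get-UpdateHistory -Last 20 | Format-Table Date, KB, Result, Title -AutoSize
Get-RepeatedKBs
```

    If a KB is listed here as missing but absent from the tab (or the reverse), the agent's last inventory is stale rather than the device's state being wrong; the RebootBehavior column is also the quickest way to predict whether a given run will trigger the reboot handling defined in the policy.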

    Windows Update Reports

    With the inclusion of Windows Updates Management in Syncro, you will need additional reporting to go along with it. We’ve added two new reports (Vulnerable Systems and Vulnerable Patches) and updated two older reports to include this new information (Customer RMM and Executive Summary). You can find these reports under the “Customers” section in your Reports (marked with a green “New” tag).

    Vulnerable Systems Report

    This report will show you your assets that are missing the most patches. You can filter the report to a certain customer, ignore new patches, ignore assets that have not been online in the last “X” amount of days (where X is any number of days you would like), and filter by different categories. You can also schedule this report to run as often as you would like and export a PDF of the report.

    Selecting the 'Install' button next to each asset will allow you to install all missing patches for that asset. You can also select multiple assets and bulk install all missing patches for those selected assets.

    Vulnerable Patches Report

    This report shows you the Windows Updates that are missing on the most devices and gives you a count and list of which devices are missing each update. You can filter the list by customer, and ignore assets that have not been online in “X” amount of days. Selecting 'See All' will open a new tab showing you which assets are missing the patches.

    You can also schedule the report to run as often as you would like, export a PDF of the report, and save the report as a favorite.


    Selecting the 'Install' button next to each individual patch will allow you to install the KB for all assets missing the patch. You can also select multiple patches and bulk install each individual KB for those assets missing the KB.

    Customer RMM Report updates

    This report now includes a new section at the bottom that shows the percentage of devices that are completely up to date and how many updates were installed on that customer’s devices during the date range. There is also a list of the customer’s devices that have pending updates more than a week old.

     

    Executive Summary Report updates

    This report also includes the new bottom section showing the percentage of devices that are completely up to date and how many updates were installed on that customer’s devices during the date range.

     

    Asset Saved Search Improvements

    The asset saved search has also been improved and now lets you search for devices by missing Windows Updates and by installed Windows Updates, making it that much easier to find the assets you need.

     

    FAQ

    When do updates actually reboot assets?

    Reboots only happen if the Update requires a reboot. If an update requires a reboot, the reboot will happen as you have defined in the Patch Policy. If an update does not require a reboot, that asset will simply not reboot regardless of the reboot setting in the policy.

    Why haven't my patches installed?

    Have you rebooted the asset? If the asset has not rebooted, the patches may not show as installed, because many patches require a reboot to finish installing.

    Why didn't the asset reboot at the "Reboot by" time?

    Usually the asset has simply not finished installing the specified updates by the "Reboot by" time, so the agent skips the scheduled reboot.

    Why is the same update showing as available and installed?

    This is most likely the same KB being installed again with a newer definition. Definition updates reuse a single KB number for every release, so the KB shows as installed (the previous release) and available (the newest) at the same time.

    What does the system consider "new", when checking the "Ignore new patches" option?

    The system ignores all patches released less than a week ago.

    Tips

    Do not use "Forcefully Reboot" without entering a "Reboot by" time. If you do, Syncro reboots the asset as soon as the updates complete, which can shut down a machine while it is in use.

    [Screenshot: Reboot Specification setting]

    Scheduling too many updates at once can cause problems such as missing the "Reboot by" time. For example, do not schedule a month's worth of updates across several categories with only a few hours to install them; the task may not have enough time to complete successfully.

    You can always reboot the asset after installing updates at a different time via a script, task scheduler, etc. if you are unable to enter in a "Reboot by" time.

    It's important to have scheduled downtime for Servers in which updates can be applied, to prevent issues with server inaccessibility.

    It may take some tweaking to get a Windows Update schedule that works for you. It's good practice to test the schedule and patches on noncritical systems initially.
