N-central Help

Patch Setup Wizard

The Patch Setup Wizard guides you through the steps to create maintenance windows that define the patch rule. Rules are the tools that enable you to centrally control all aspects of patch requirements and the scheduling of detection, downloading and installation of patches. The Patch Setup Wizard enables you to quickly and completely configure the rules.

When setting up maintenance windows, immediate and scheduled window times should not overlap. If an immediate maintenance window is initiated while a scheduled window is active, the immediate maintenance window will not run. SolarWinds MSP recommends to only use a single immediate window or one or more scheduled windows.

You need to configure a proper filter first before running the wizard and ensure it is assigned to the correct sites.

  1. At the Service Organization or Customer level, click Configuration > Patch Management.
  2. In the Patch Setup Wizard area, click Create a New Patch Configuration.
  3. Complete each screen and click Next. Details about each screen is outlined below.
  4. Click Finish on the final screen. SolarWinds N-central will not save the rule until you click Finish.

When using a Hyper-V host/guest setup, install an agent on every virtual machine. This way, Patch Manager will patch each VM as a physical server. When rebooting, schedule the VMs first, then the host an hour later. This ensures all VMs complete their patching cycle before the host is rebooted.

Patch maintenance windows

The Patch Wizard walks through the following patch maintenance windows to create the patch rules.

Profile Configuration screen

Select a profile. A patch profile is a collection of patch management configuration options that determine how Patch Manager interacts with a device and the Windows update server. With a profile, you can apply similar settings across devices and even across multiple customers or sites. For more information, see Patch Management Profiles.

Detection screen

The Add Detection Maintenance Window specifies when, and for how long, devices check for new updates and communicate this information to SolarWinds N-central. The default detection window is twice daily at midnight and 4 pm. This is important for workstations and servers hosted in virtual environments, where detection can result in cumulative loads and slower performance overall.

Adjust the frequency of maintenance windows to match the frequency of software patches, For example, if a server is patched only monthly or quarterly, you can reduce the detection frequency.

Detection can cause momentary CPU utilization spikes on Win7 and Server 2008 R2 devices.

Pre-download

The Pre-download Maintenance Window defines the period when you want to download approved patches to the device for installation. A best practice is to download at least one to two hours before you plan to install the patch, or download during the night prior to the day when you want to patch. The default is for a duration of 60 minutes at 1 am every day.

The pre-download window and patch cache are optional. If you decide not to have a pre-download window, patches will be downloaded immediately prior to installation, which can increase your installation time requirements.

Installation

The Installation Maintenance Window defines the period when devices install approved patches, or to install them as soon as they are approved. You can use the install maintenance window to select which patch classifications to install and when. For example, you can have a patch install maintenance window during the day for low impact updates such as drivers, and for higher impact updates, such as security updates and service packs, you can run the installs during off-peak work hours.

The default window duration is for 180 minutes at 2 am on Saturday.

When setting up maintenance windows, immediate and scheduled window times should not overlap. If an immediate maintenance window is initiated while a scheduled window is active, the immediate maintenance window will not run. SolarWinds MSP recommends to only use a single immediate window or one or more scheduled windows.

Reboot

The Reboot Maintenance Window defines the period when the device can be rebooted if required by the Patch Status service and whether the user can delay the reboot until a later time. If the patch does not require a reboot, Patch Manager will not reboot the device. If you want to always reboot, configure a Scheduled Reboot maintenance window.

This Maintenance Window reboots devices where SolarWinds N-central Patch Manager has installed patches. Any devices where patches were installed manually, that is, not by Patch Manager, and require a reboot, will not be rebooted during this maintenance window. The reboot must be performed manually.

  • The reboot countdown times gives the user a grace period to save their work and close applications before the reboot occurs.
  • The reboot downtime option is only for the duration of the reboot. This means you will not have any false positive notifications when the device reboots.
  • The time you choose is not a reboot at that time. It is only if the device has requested a reboot due to patch management. To verify, check the Patch Status service on a device. The device may or may not reboot at that time.
  • Choosing selected days is not required as it will only reboot when needed. This is for maintenance scheduled for servers, such as weekends only.
  • Use the Force Device out of Downtime After option if the device does not come back online after a reboot. For example, the device will be rebooted after the initial hour countdown timer. The downtime will last about five minutes it takes to reboot. Once the SolarWinds N-central server receives a response from the agent, it brings the device out of downtime. If SolarWinds N-central does not receive any response, it will bring the device out of downtime in the defined time frame. Workstations by default remain in a disconnected state once they are offline due to unscheduled downtime.
  • The period the maintenance window should last for is largely dependent on if you want the user to delay the reboot. A longer maintenance window is required if you want a longer countdown period.
  • Do not pick a time that coincides with patch install times. The device will reboot if the device has requested so from patching. If anything interrupts a patch install it will not resume.

The default window duration is for an 180 minutes at 3 am on Saturday.

After a window cycle completes it will not restart after a reboot, even if the window duration has not expired. For example, if there is a one hour installation window, and a reboot occurs halfway through, the system will not check for new patches after the reboot. If the task assigned to that window has completed, it is done until the next exclusive install window schedule.

If you select the Reboot Method to Allow user to postpone beyond the maintenance window, the user will still be prompted every four hours for a reboot, which they can continually postpone.

Rule Configuration

The Rule Configuration page enables you to enable third party patching and add a filter to target specific systems and sites. For example you can include a filter for all Windows-Workstations for a specific customer site to have patch enabled.

If you do not specify any customers on this page, the rule becomes a "staged" patch rule that you can add the customers to later in Configuration Monitoring Rules.

Summary

The Summary Window provides an overview of the schedules and rules you configured.