N‑central Patch Monitoring Best Practices and Recommendations

The best part about patching in N‑able N‑central is the ability to fully automate the process, but even if that is accomplished correctly there is still a need to have the right amount of sensitivity of patch monitoring in place. I have always monitored patches in terms of age, I did so with WSUS v3 (15 years ago) and have always done so in N‑central. Knowing a critical is missing on day one isn’t always an issue, but knowing that a critical or security update is missing after 10 days absolutely is. I think we all know that some patches will fail, but with the right frequency of maintenance windows and automatic approvals we can set key automated routines to help ensure patching success.

Between doing updates, roll ups, upgrades, and security updates, things can get unnecessarily noisy in patch monitoring. If you want to setup your patch monitoring correctly, so that you are not deluge with alerts but get a good balanced view into whether you are patching systems correctly, then I suggest the following.

Recommended Configuration for N‑central Patch

Under the Service Template locate Patch Status v2, the under the details tab configure your determined Patch Priority based on High, Medium, and low (and set anything you do not patch to Not Monitored).

Additionally, configure your Monitor Patch by age settings. When I was the Systems Architect for an MSP, these were the settings I used but you can equally move them higher or lower.

N‑central Patching Best Practice Tip: Always ensure that your Maintenance Windows for Detection are set to scan twice daily, and that the Download Maintenance Windows are configured to happen immediately based on your automatic approvals.

Disable the following by turning the thresholds off:

The Monitoring Service item called ‘Notify me if a new Patch has not been actioned in (x) Days’ will tell you if any patch hasn’t been installed. The default amount of time is usually set to zero, so this can be rather noisy.

1. High Priority Patches: notify me if a new patch has not been actioned in (x) days
2. Medium Priority Patches: notify me if a new patch has not been actioned in (x) days
3. Low Priority Patches: notify me if a new patch has not been actioned in (x) days

Additionally, decide whether you need to know every time a patch fails. This will depend on your operating model. Ultimately, patches will fail and sometimes you need real-time alerting on this. If this is the case then you can leave this one alone. Alternatively, I recommend setting a threshold for (x) days so that if a patch isn’t installed 10 days later, I know my team must troubleshoot the issue.

Disable the following by turning the thresholds off:

1. High Priority Patches: Were Any Approved Patches Not Successfully Installed During the Last Patch Installation Window?
2. Medium Priority Patches: Were Any Approved Patches Not Successfully Installed During the Last Patch Installation Window?
3. Low Priority Patches: Were Any Approved Patches Not Successfully Installed During the Last Patch Installation Window?
   

The N‑central Patch Management Engine is something I really enjoy working with, I enjoy setting it up with our partners and, most importantly, I enjoy knowing I am helping keep evolving threat actors from attacking our partners and their customers. We’ve recently introduced some cool features for offline patching, which allow you to patch systems that wouldn’t otherwise have access to the internet, as well as being able to choose whether you want to use the Generally Available (GA) version or the Release Candidate (RC) versions of PME.

One more thing, my Head Nerd colleague Paul Kelly has completely revamped the Patch Management bootcamp for Q2 2023, it will include new content and a more prescriptive methods to ensure Patching Success. You can keep an eye out for this on our Head Nerds Events Page.

Jason Murphy is the Head Nerd for N‑central and Efficiency at N‑able. You can follow him on reddit on r/nable or Twitter at @ncentral_nerd.