Topic
To create this guide, we worked with NinjaOne partners to understand how they use NinjaOne’s patch management capabilities and combined their expertise with our own. In this guide, we share those insights so that new partners can get the most out of patch management.
Environment
NinjaOne platform
Patch management
Description
- How NinjaOne Users Setup Windows Patching
- Scan Schedules
- Update Schedules
- Missed Schedules
- Patch Approvals
- Common Patching Profiles
- Reboot Behavior
How NinjaOne Users Setup Windows Patching
Patch management is one of the most important tasks an IT team undertakes. Businesses spend significant resources on keeping their infrastructure up-to-date, yet more than half of breaches could have been prevented by installing available software and OS patches.
In addition to the security implications, an effective patching strategy ensures end users have the most current, feature-rich software with which to do their work.
If some of the largest, most well-funded organizations in the world are having difficulties with patch management, however, what chance do small and medium-sized businesses with limited IT support have? Without the right tools, the process is time-consuming, complicated, disruptive to end users, and prone to errors.
Patch management software, such as that included with NinjaOne, gives users a complete, centralized view of their patch compliance rate and automates the identification, downloading, and deployment of patches across your managed devices.
NinjaOne gives you granular control over your patch approval process, improves your first-pass patch success rate, and reduces the time your technicians spend patching.
Scan Schedules
NinjaOne policies enable users to schedule patch scans separately from the updating process. Scanning identifies all not-yet-installed patches on a device and sorts them into "Approved," "Pending," or "Rejected" categories based on policy-based approval settings.
By scanning hours or days before running an update, you can manually adjust a patch's approval status, which the update process will then respect. This is incredibly helpful for manually approved patches or to avoid problem patches that would normally be automatically approved.
When To Schedule Scans
Day of the week
Most NinjaOne partners schedule their patch scans once per week. Fridays are by far the most common patch scanning day. The next most common option is to run a scan every day. Daily patch scans utilize more resources but maximize the time partners have to make ad-hoc changes to patches.
| Sun | Mon | Tue | Wed | Thu | Fri | Sat | Daily |
|---|---|---|---|---|---|---|---|
| 3% | 3% | 5% | 10% | 7% | 40% | 7% | 25% |
Time of day
The most common time to scan for patches is between 17:00 and 18:00, device time. Many users schedule scans after 18:00 to avoid impacting end users who work later. While patch scanning is not resource-intensive, most scans are scheduled after typical work hours to avoid impacting end users. Those users who schedule scans during work hours may do so to capture the greatest number of online devices.
| 00:00 – 8:50 | 9:00 – 16:59 | 17:00 – 23:59 |
|---|---|---|
| 16% | 24% | 60% |
Scan duration
Most NinjaOne users do not set a scan duration, allowing scans to take as long as necessary. For those that do limit duration, the most common options are 9 hours, 6 hours, and 3 hours. Scan durations may be used when you take over a new infrastructure or when users from multiple time zones need to access a server, and the patch window needs to be shorter to minimize end user impact.
| 1 hour | 2 hours | 3 hours | 4 hours | 5 hours | 6 hours | 7 hours | 8 hours | 9+ hours | ∞ |
|---|---|---|---|---|---|---|---|---|---|
| 0% | 0% | 1% | 1% | 1% | 3% | 0% | 0% | 10% | 85% |
Update Schedules
The NinjaOne update schedule first scans for available patches, then downloads and applies both newly discovered patches and those already identified via a patch scan based on the policy’s approval configurations and any applicable overrides. NinjaOne patch management then performs an additional scan to finalize the process.
The policy-applied approval status can be overridden for individual devices or for entire policies so long as a scan identifies it before it is applied.
Once a patch has attempted to install during an update cycle, it will be sorted into the "Installed" or "Failed" OS patch dashboard.
When to schedule updates
Day of the week
Patches are most commonly applied on weekends to avoid interrupting end users. Fridays—usually after work hours—are also common. After the initial device onboarding, many users also apply patches daily to minimize the time when endpoints are vulnerable.
| Sun | Mon | Tue | Wed | Thu | Fri | Sat | Daily |
|---|---|---|---|---|---|---|---|
| 19% | 4% | 5% | 9% | 10% | 15% | 19% | 19% |
Time of day
The most common time to start the patch application process is between 17:00 and 18:00, device time. Many users schedule their updates after 18:00 to avoid impacting end users who work later. Since patch applications are more resource-intensive and often require a reboot, most updates are scheduled outside of work hours.
| 00:00 – 8:50 | 9:00 – 16:59 | 17:00 – 23:59 |
|---|---|---|
| 33% | 18% | 48% |
Update duration
Most NinjaOne users do not set a patch application duration, allowing updates to take as long as necessary. For those that do limit duration, most limit updates to 4 hours or less.
| 1 hour | 2 hours | 3 hours | 4 hours | 5+ hours | ∞ |
|---|---|---|---|---|---|
| 3% | 5% | 4% | 5% | 10% | 74% |
Missed Schedules
NinjaOne enables users to make up scans or updates if they are missed. This most commonly occurs if the device is turned off when the scan or update is scheduled to begin.
Scan and update options can be enabled separately.
Missed scans and updates run as soon as the NinjaOne agent checks in with the server.
Making up missed scans and updates
Missed Scans
Almost half of NinjaOne users automatically make up any missed patch scans. This feature is particularly helpful for those who normally scan outside of business hours when more devices may be turned off.
| Make up scan | Do not make up scan |
|---|---|
| 51% | 49% |
Missed Updates
Making up missed updates is less common than making up scans. Off-schedule updates are more likely to interrupt end users due to resource utilization or the need to reboot the device post-update.
| Make up update | Do not make up update |
|---|---|
| 60% | 40% |
Patch Approvals
NinjaOne allows you to configure approval workflows for each of the four Microsoft Security Update Severity Ratings and seven Microsoft Update Categories. You can automatically approve, automatically reject, or manually approve or reject patches based on their patch category.
Over the next few sections, we’ll share the most common patching profiles that NinjaOne users apply to their devices.
Security Update Approvals
| Severity | Description (from Microsoft) |
|---|---|
| Critical | A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing a web page or opening an email. |
| Important | A vulnerability whose exploitation could compromise the confidentiality, integrity, or availability of user data or the integrity or availability of processing resources. These scenarios include common-use scenarios where the client is compromised with warnings or prompts regardless of the prompt's provenance, quality, or usability. |
| Moderate | Factors such as authentication requirements or its applicability only to non-default configurations significantly mitigate the vulnerability's impact. |
| Low | The characteristics of the affected component comprehensively mitigate the impact of the vulnerability. Microsoft recommends that customers evaluate whether to apply the security update to the affected systems. |
Update Categories
| Severity | Description (from Microsoft) |
|---|---|
| Critical | A widely released fix for a specific problem that addresses a critical, non-security-related bug. |
| Regular | A widely released fix for a specific problem that addresses a non-critical, non-security-related bug. |
| Update Rollup | A tested, cumulative set of hotfixes, security updates, critical updates, and updates that are packaged together for easy deployment. |
| ServicePack | A tested, cumulative set of all hotfixes, security updates, critical updates, and updates. Additionally, service packs may contain additional fixes for problems found internally since the product's release. |
| Feature Pack | New product functionality that is first distributed outside the context of a product release and that is typically included in the next full product release. |
| Definition Pack | A widely released and frequent software update that contains additions to a product's definition database. Definition databases are often used to detect objects that have specific attributes, such as malicious code. |
| Drivers | Software that controls the input and output of a device. |
| Feature Update | Specifies an upgrade for Windows 10 features and functionality. |
Common Patching Profiles
Select a profile type to learn more:
- Default Patching Profile
- Full Approval Automation Profile
- Low-Risk, Balanced Automation Profile
- Low-Risk, Low Automation Profile
- Full Manual Profile
Default Patching Profile
Many of our partners leverage NinjaOne’s default patching profile, which focuses on balancing time-saving automation with risk reduction.
Almost all approvals in this profile are automated. Important updates are approved, and optional updates are rejected to maximize time savings. Optional and low-priority patches are automatically rejected to keep automation high but avoid operational risk.
Driver and feature updates are disabled in this profile as these types of updates are more prone to cause issues for end users.
| Security Update Approvals | Approval Status |
|---|---|
| Low | Reject |
| Moderate | Manual |
| Important | Approve |
Critical | Approve |
| Approvals | Important | Optional |
|---|---|---|
| Critical Updates | Approve | Reject |
| Regular Updates | Approve | Reject |
| Update Rollups | Approve | Reject |
| Service Packs | Approve | Reject |
| Definition Packs | Approve | Reject |
| Advanced Approvals | |
|---|---|
| Drivers | Disabled |
| Feature Updates | Disabled |
Full Approval Automation Profile
The full automation profile is the second most common profile used by NinjaOne partners. This profile automatically approves all Microsoft patches.
This profile ensures all devices associated with the policy are always up to date, but it exposes devices to some operational risk due to problem patches.
Pairing this profile with frequent patch scans allows technicians to avoid operational risk by rejecting problem patches when they arise and before they are applied.
Pairing this profile with test devices also allows you to observe the outcome of patching before rolling it out to production machines.
| Security Update Approvals | Approval Status |
|---|---|
| Low | Approve |
| Moderate | Approve |
| Important | Approve |
| Critical | Approve |
Approvals | Important | Optional |
|---|---|---|
Critical Updates | Approve | Approve |
Regular Updates | Approve | Approve |
Update Rollups | Approve | Approve |
Service Packs | Approve | Approve |
Definition Packs | Approve | Approve |
Advanced Approvals | ||
|---|---|---|
Drivers | Enabled | Approve |
Feature Updates | Enabled | Approve |
Low-Risk, Balanced Automation Profile
This profile prioritizes reaching 100% patch compliance while attempting to minimize operational risk by balancing automation with manual approvals.
This profile requires more manual intervention to reach full patch compliance, but with the added benefit that problem patches that are not critical for the security or functioning of a device can be avoided.
To take advantage of this profile's benefits, technicians must regularly review and approve or deny manual patches.
Security Update Approvals | Approval Status |
|---|---|
Low | Manual |
Moderate | Manual |
Important | Approve |
Critical | Approve |
Approvals | Important | Optional |
|---|---|---|
Critical Updates | Approve | Manual |
Regular Updates | Approve | Manual |
Update Rollups | Approve | Manual |
Service Packs | Approve | Manual |
Definition Packs | Approve | Manual |
Advanced Approvals | ||
|---|---|---|
Drivers | Enabled | Manual |
Feature Updates | Enabled | Manual |
Low-Risk, Low Automation Profile
This profile also balances automation with manual intervention.
In this case, optional patches are automatically rejected, while security and important updates require manual approval.
This profile attempts to automate away less-important patches while minimizing operational risks from problem patches.
NinjaOne partners using this profile will need to regularly review and approve pending patches to ensure endpoint security.
Security Update Approvals | Approval Status |
|---|---|
Low | Manual |
Moderate | Manual |
Important | Manual |
Critical | Manual |
Approvals | Important | Optional |
|---|---|---|
Critical Updates | Manual | Reject |
Regular Updates | Manual | Reject |
Update Rollups | Manual | Reject |
Service Packs | Manual | Reject |
Definition Packs | Manual | Reject |
Advanced Approvals | ||
|---|---|---|
Drivers | Enabled | Manual |
Feature Updates | Enabled | Manual |
Full Manual Profile
The full manual patching profile allows technicians to fully control which patches are applied and which are not.
Every patch available for a device will be listed as pending until it is approved or denied.
While still far more efficient than traditional patching, this profile will be the most labor-intensive patching profile in NinjaOne. It could expose users to both security and operational risks if patches are not applied quickly enough.
Users who use this profile should have SOPs to regularly check their patching cadence.
Security Update Approvals | Approval Status |
|---|---|
Low | Manual |
Moderate | Manual |
Important | Manual |
Critical | Manual |
Approvals | Important | Optional |
|---|---|---|
Critical Updates | Manual | Manual |
Regular Updates | Manual | Manual |
Update Rollups | Manual | Manual |
Service Packs | Manual | Manual |
Definition Packs | Manual | Manual |
Advanced Approvals | ||
|---|---|---|
Drivers | Enabled | Manual |
Feature Updates | Enabled | Manual |
Reboot Behavior
To complete Windows updates, devices often need to be rebooted.
Getting end users to reboot their devices is nearly impossible, so NinjaOne allows you to automate this process.
NinjaOne policies allow different actions and schedules to be applied depending on whether a user is logged in or not.
User Logged In
Reboot Actions
Most NinjaOne users will not use policies to force a reboot on end users after patching; instead, they will prompt the user to reboot the machine. Many policies do not automatically reboot at all. A small percentage of policies do force reboots.
Action | Description | Frequency |
|---|---|---|
Prompt User | Prompt the user to reboot until reboot is accepted | 65% |
Notify User | Notify the user, then reboot after a period of time | 10% |
Auto Reboot | Automatically reboot after a period of time | 4% |
None | Do nothing | 20% |
Reboot / Prompt Timeout
The most common time period between prompts, between prompt and reboot, or between patch completion and reboot is 5 minutes. As the reboot action becomes more aggressive, so too does the timeline.
Duration | Prompt | Notify | Auto Reboot |
|---|---|---|---|
5 Minutes | 65% | 41% | 76% |
5 – 59 | 9% | 37% | 18% |
60 – 239 | 14% | 13% | 4% |
240+ | 12% | 9% | 6% |
User Not Logged In
Reboot Actions
The majority of NinjaOne policies reboot devices post-patching on a schedule. Because there is no logged-in user, immediate reboots are more common than when users are logged in.
Action | Description | Frequency |
|---|---|---|
Reboot on Schedule | Notify the user, then reboot after a period of time | 67% |
Reboot Immediately | Reboot the device immediately | 18% |
None | Do nothing | 14% |
Reboot Schedule (Weekly)
The 12% of policies that reboot on a weekly schedule will reboot on the following days:
Sun | Mon | Tue | Wed | Thu | Fri | Sat |
|---|---|---|---|---|---|---|
46% | 5% | 5% | 3% | 5% | 8% | 27% |
Reboot Schedule (Daily)
The 85% of policies that reboot daily will reboot daily during the following times:
00:00 – 8:50 | 9:00 – 16:59 | 17:00 – 17:59 | 18:00 – 23:59 |
|---|---|---|---|
19% | 2% | 57% | 22% |