
NinjaOne Patching: Windows OS Patch Management

Topic

This article describes the operating system (OS) patch management features available for Windows endpoints managed by NinjaOne. It also explains how to activate, configure, and view patching activity.

Environment

  • NinjaOne Patching
  • Microsoft Windows

Description

NinjaOne Patch Management allows you to create patching policies that automatically scan for and apply new OS patches for your Windows endpoints.

Important Considerations

Older Windows Versions

Due to Microsoft discontinuing an outdated Windows Update service endpoint, Windows Vista and many versions of Windows 7 and Windows Server 2008 do not support NinjaOne Patch Management.

You can update devices running Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 to work with NinjaOne Patch Management. Refer to the following Microsoft article for more information: Windows Update SHA-1-Based Endpoints Discontinued for Older Windows Devices (external link)

System Messaging and Option Gating

When OS patching is activated, a message stating, "Some settings are managed by your organization," may appear locally on the machine's Windows updater.

When OS patching is activated, the Give me updates for other Microsoft products when I update Windows option may be greyed out in Windows Update settings on local machines. You can manage updates for Microsoft products through the third-party patching tool. Refer to the Pending Reboots article for more information.

If a reboot is pending, the patch scan and apply functions will not occur for this device until the reboot is completed and the pending reboot message is no longer displayed.

Activating Windows Patch Management

You must activate Windows OS Patch Management before using it to manage your Windows OS patching.

  1. In NinjaOne, navigate to Administration → Policies, then choose a Windows policy from the Agent policies list.

Figure 1: Administration → Policies

  2. The policy configuration page will open. Click the OS Patching option, then activate the Status toggle. NinjaOne does not apply changes until you save the policy.

Figure 2: Enabling OS patching

  3. Configure OS patching settings, then click Save. Refer to the Configuring OS Patching Settings section of this article for more information.
    • After saving, NinjaOne pushes a custom executable named NinjaOrbit.exe to all endpoints in the policy, which controls patch management for those machines.
    • Once the endpoint devices install the custom executable, they run a silent scan. NinjaOne does not generate Activity feed entries for this initial silent scan.

Configuring OS Patching Settings

OS patching settings include options for configuring scanning and patching, and required software installation and maintenance. When you finish your configuration, click Save to apply the new settings.

Figure 3: OS patching settings

OS Patching (Non-Approval) Settings

The settings in the upper portion of the screen include configuration options for scanning, patching, and running automations before and after updates. When you finish your configuration, click Save to apply the new settings. Each setting is described below.

Mode

NinjaOne offers two modes for Windows patch management:

  • NinjaOne manages OS patches: NinjaOne fully manages patching scan and update schedules, patching category approval states, and patching overrides. We recommend this mode for enforcing patching compliance across devices in the policy.
  • Configure Windows Update settings through NinjaOne: Set NinjaOne to push Windows Update settings to devices through registry settings. If you select this setting, NinjaOne will replace the other visible OS patching configuration options with the following Windows Update options:
    • Download recommended updates, but allow the user to choose when to install
    • Download recommended updates and install on a schedule
    • Notify user of recommended updates, but don't download
    • Turn off Windows Updates

If you set your policy to Configure Windows Update settings through NinjaOne, NinjaOne cannot install patch updates on the device. To run patch updates, change the policy to Control Windows Patch Management.

Scan schedule

This parameter set determines when the device will scan for available new patches.

  • Schedule: Use the drop-down menu to choose the scan frequency.
  • Days: If your scan interval is longer than daily, select which days of the week the system should perform the scan. NinjaOne only patches devices on the days chosen. If you do not select any days, the system will display an error message.
  • Time and Time Zone: Select the time of day and the appropriate time zone to perform the scan. By default, scans start at 8 A.M. local device time, and updates start at 5 P.M. local device time. These defaults only apply to new policies.
  • Stagger over: Set a stagger interval to distribute patch installation times across your devices and avoid simultaneous updates. For more information, refer to NinjaOne Patch Management: Load Balancing Patch Installations With the Stagger Feature.
  • Duration: Specify how long the scan actions will run before NinjaOne terminates them.
  • Run scan immediately, if missed: Select this option to run a scan immediately if the system misses a scheduled scan.
  • Automatically wake up system: This option turns the system on for scan and application cycles. When activated, a Windows API function sets a wake-up time for devices in a sleep state. The system must have wake timers activated in order for this feature to work.

Update schedule

These settings specify when NinjaOne should apply the updates it finds when scanning.

  • Schedule: Use the drop-down menu to choose the update frequency.
  • Days: If your update interval is longer than daily, select which days of the week the system should apply updates. Devices are patched only on the days chosen. If you do not select any days, NinjaOne will display an error message.
  • Time and Time Zone: Select the time of day and the appropriate time zone to apply updates. By default, scans start at 8 A.M. local device time, and updates start at 5 P.M. local device time. These defaults only apply to new policies.
  • Stagger over: Set a stagger interval to distribute patch installation times across your devices and avoid simultaneous updates. For more information, refer to NinjaOne Patch Management: Load Balancing Patch Installations With the Stagger feature.
  • Duration: Specify how long the update actions will run before NinjaOne terminates them.
  • Run update immediately, if missed: Select this checkbox to run an update immediately if the system misses a scheduled update.
  • Automatically wake up system: This option turns the system online for patching and applying cycles. When activated, this option uses a Windows API function to set a wake-up time for devices in a sleep state. The system must have activated wake timers in order for this feature to work.
  • Pre-stage updates before the scheduled start: Select this checkbox to have the system prepare and position updates ahead of the scheduled update time. Driver updates do not support pre-staging.
  • Skip on metered connections: When activated, NinjaOne displays an error in the Activity feed if an update cycle is attempted on a device that uses a metered connection.
  • Maintenance Mode: Suppress notification: Select this option to prevent NinjaOne from sending alerts caused by actions occurring during the update (such as device reboots). You can refine this setting by selecting the Suppress condition alerts and Suppress notification channels checkboxes. Refer to NinjaOne Platform: Maintenance Mode for more information.

Pre-automation and Post-automation execution

This setting lets you add automations that will run before (pre) or after (post) patch installation.

  • Use pre-patching scripts to validate prerequisites or prepare the system before patching begins.
  • Use post-patching scripts to perform cleanup or verification tasks afterward.

Click Add to select automations from the Automation Library. Refer to NinjaOne Policies: Scheduled Automations to learn more.

Select Cancel the patch update if the pre-script returns a failure message to cancel the patching job automatically if the pre-script fails.
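The following script is an added example of a pre-patching automation; it is not a NinjaOne-supplied script. It checks the two conditions this article calls out, a pending reboot (which stops the scan and apply cycle until the device restarts) and enough free space on the system drive, and also confirms that the Windows Update service is not disabled. The pending-reboot indicators and the Windows Update policy paths are the standard Windows locations; the 10 GB threshold and the use of a non-zero exit code to signal "the pre-script returned a failure message" are assumptions you should confirm against your own automation conventions.

```powershell
# Added example (not NinjaOne's own script): a pre-patching automation that
# refuses to proceed when the endpoint is not in a state where patching can
# succeed. Exit code 1 signals failure; whether NinjaOne treats a non-zero
# exit code as a pre-script failure is an assumption to confirm in your tenant.

$MinFreeGB = 10   # assumed threshold for the system drive; adjust to your estate

function Test-PendingReboot {
    # The three well-known indicators Windows itself uses to report a pending reboot.
    $cbs  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfro = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                              -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    [pscustomobject]@{
        ComponentBasedServicing = $cbs
        WindowsUpdate           = $wua
        PendingFileRename       = [bool]$pfro
        Pending                 = ($cbs -or $wua -or [bool]$pfro)
    }
}

function Get-SystemDriveFreeGB {
    # $env:SystemDrive is "C:"; Get-PSDrive wants the letter without the colon.
    $drive = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))
    [math]::Round($drive.Free / 1GB, 1)
}

$problems = @()

$reboot = Test-PendingReboot
if ($reboot.Pending) {
    $problems += "Pending reboot (CBS=$($reboot.ComponentBasedServicing), WU=$($reboot.WindowsUpdate), PFRO=$($reboot.PendingFileRename))"
}

$freeGB = Get-SystemDriveFreeGB
if ($freeGB -lt $MinFreeGB) {
    $problems += "Only $freeGB GB free on $env:SystemDrive (minimum $MinFreeGB GB)"
}

# A disabled Windows Update service is a common cause of scans that silently never run.
$wuauserv = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wuauserv -or $wuauserv.StartType -eq 'Disabled') {
    $problems += 'Windows Update service (wuauserv) is missing or disabled'
}

if ($problems.Count -gt 0) {
    Write-Output 'PRE-PATCH CHECK FAILED:'
    $problems | ForEach-Object { Write-Output " - $_" }
    exit 1
}

Write-Output "PRE-PATCH CHECK OK: no pending reboot, $freeGB GB free, wuauserv start type $($wuauserv.StartType)"
exit 0
```

Each failed condition is written to the output before the script exits, so the reason for a cancelled patch job is visible in the automation result rather than only as a generic failure.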

Update notifications

Choose how NinjaOne notifies users when it needs to update software that it cannot patch in the background. The current setting will show as a link in this section. Click the link for the following additional options:

  • Notify the user, then close the software and update
  • Automatically close software and update
  • Do not close open software

Reboot options: Logged-in user

These settings let you specify reboot behavior and prompting for users who are logged into a newly-patched device:

  • Prompt to reboot until reboot accepted: NinjaOne will display an on-screen prompt instructing the user to reboot and allow the update to complete.
    • Use the scheduling options to determine the prompt frequency.
    • Select the Force reboot after checkbox to set the number of prompts before NinjaOne automatically reboots the device.
    • Select the Custom reboot dialog checkbox to replace the default prompt with your own text.
  • Notify the user, then reboot: Choose this option to send the user a notification, then automatically reboot the machine and complete the update. Refer to NinjaOne Endpoint Management: Notification Channels and Alerts for more information. Use the scheduling options to determine how long NinjaOne should wait before sending the notification and triggering the reboot.
  • Automatically reboot: This option tells NinjaOne to reboot the device after the update installation is complete. Use the scheduling options to determine how long NinjaOne should wait before rebooting the device.
  • Do nothing: NinjaOne will not perform any automatic reboot actions on the device.
  • Period: If you selected Prompt the user to reboot until reboot accepted, use these fields to specify the prompt frequency. Select the checkbox to force a reboot after a specific number of prompts.
  • Reboot Dialog: Select this checkbox to add custom text to the reboot prompt.

If an end user interacts with a reboot prompt, NinjaOne will display an activity in the Activity Feed. Refer to Device and System Activity Notification Feed for more information.

Reboot options: No logged-in user

These settings let you specify reboot and prompting behavior for newly-patched devices with no users logged in:

  • Attempt to reboot until successful: NinjaOne will continue to attempt to reboot the device, even if reboots fail, until the action is completed. Use the scheduling options to determine the reboot attempt frequency.

  • Reboot immediately: NinjaOne will reboot the device when the update is ready.

  • Do nothing: NinjaOne will take no action to reboot the device.

Approval and Override Settings

The settings in the lower portion of the screen include options to:

  • Set automatic approvals for security updates and general updates.
  • Set advanced update approval states for device drivers and Windows features.
  • Activate Patch Intelligence AI approval overrides.
  • Add approval overrides to the patching policy.

Approval Setting Options

Each patch type has the following approval options: Approve, Manual, and Reject.

  • Approve: This option automatically approves all patches for that category for installation in the next update cycle.
  • Manual: When found, patches in this category will appear pending, requiring manual approval or rejection (either for the device or the entire policy).
  • Reject: This option automatically rejects all patches for that category, so NinjaOne will not install them on the device.

OS Patching Approval Settings Explained

Each setting is described below.

Security update approvals

Configure approval settings for product-specific, security-related vulnerabilities.

Microsoft categorizes security vulnerabilities in its security bulletin as Critical, Important, Moderate, or Low. We recommend applying Critical and Important fixes immediately. For Moderate fixes, we advise reading the related KB before patching.

Click Edit to set NinjaOne to approve, reject, or require manual patch approval automatically.

General approvals

Configure approval settings for bugs that are not security-related by Microsoft-designated category. Refer to Microsoft's article on software update terminology (external link) for more information.

Click Edit to set the following parameters:

  • Important patches/updates: Set each category to Approve, Reject, Manual, or to Approve after a specified time span, in days. We recommend setting important updates to Approve, which allows NinjaOne to auto-apply all patches.
  • Optional patches/updates: Set each category to Approve, Reject, or Manual. We recommend setting optional patches and updates to Reject. Many optional patches require user input, which will cause installation to fail if executed from web patch management. These patches are still available on specific machines if you want to apply them.

Advanced approvals

Activate and set approval status for device drivers and Windows feature updates, which may include complete Windows version upgrades.

  • Advanced approval updates require an additional setting to be activated. In addition, you must activate the toggles for the update type (Drivers or Feature Updates). Otherwise, NinjaOne will not attempt to patch these updates regardless of the selected approval status.
  • As an alternate method for deploying feature updates, you can install the following custom script: Custom Script: Upgrade Windows 10 Build.

Patch Intelligence AI approvals overrides

Activate approval status changes for patches that the Patch Intelligence AI considers known issues, or for patches with a Caution status. Refer to NinjaOne Patching: Patch Intelligence AI to learn more.

Approval overrides

Set NinjaOne to override your patching policy for specific patches. Click Add to open the Edit approval overrides dialog box, then search for the patch name. Use the second drop-down menu to select whether to approve or reject the patch.

Examples of scenarios in which patches would appear in the Overrides section:

  • If the category approval is set to Manual, and you then approve or reject the patch for the policy.
  • If the category approval is set to Approve, and you then manually reject the patch for the policy.
  • If the category approval is set to Reject, and you then manually approve the patch for the policy.

Patches with statuses you choose to override appear in the Overrides section. Click Add in the Overrides field to add and remove overrides as necessary.

Use caution when viewing the patching policy's Overrides page with filters in place. If you use a filter and then click the Clear All button, this action will clear all overrides (both rejected and approved), not just the ones that are filtered.

Viewing OS Patch Scan and Installation Attempts

You can view patches found and patches installed in the Dashboard → Patching → OS patches tab. Use the flyout menu to filter by patch status (Pending, Approved, Rejected, Installed, or Failed).

Once a patch has attempted to install during an update cycle, the system logs it in the OS Patches tab of the dashboard as either Installed or Failed.

Figure 4: Dashboard → Patching → OS patches

Viewing Applicable Devices for a Patch

At the System or Organization dashboard level, you can click the number in the Devices column to generate a list of the devices to which the patch status applies. For example, clicking the number for a patch in the Approved tab shows the devices for which NinjaOne has approved it but not yet installed it.

Figure 5: The Patch list in the dashboard

Configuring a WSUS Server to Use with Windows Patching

A Windows Server Update Services (WSUS) server can help to reduce the network traffic associated with patching.

Ensure WSUS Group Policy Objects (GPOs) are deactivated when using NinjaOne policies. Otherwise, NinjaOne will defer to GPO settings. Also, ensure that patching is activated at the policy level.

  1. In NinjaOne, click Administration → Organizations, then choose an organization from the list.

Figure 6: Administration → Organizations

  2. Click the Patching configuration tab, then click Edit.

Figure 7: Patching → WSUS Settings

  3. The WSUS Settings dialog box will open. Click Use the following WSUS server, then use the IP Address/DNS name field to target the server. This action resets the current registry keys in WindowsUpdate and inputs the WSUS server.
    • If the NinjaOne Agent is installed on the WSUS server: Click Select, then choose the WSUS server from the list.
    • If the NinjaOne Agent is not installed on the WSUS server: enter its IP address or DNS name.
  4. Configure your protocol and port, then select whether you would like to use Microsoft's default update server if WSUS is not reachable for patching. When finished, click Save. Your newly configured WSUS settings will show in the UI.

Figure 8: The WSUS Settings dialog box
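The following script is an added example, not NinjaOne tooling, for verifying on an endpoint which Windows Update policy is actually in effect. It serves two points made in this article: the Configure Windows Update settings through NinjaOne mode pushes Windows Update settings through the registry, and a WSUS GPO left in place will override the WSUS target that NinjaOne configures. The key and value names are the standard Windows Update policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the AUOptions meanings are Windows' own definitions, mapped here to the four mode descriptions, and are not a statement of which values NinjaOne writes. $ExpectedWsus is a placeholder for the URL you entered in the WSUS Settings dialog box.

```powershell
# Added example (not NinjaOne's own tooling): report the Windows Update policy
# values in effect on an endpoint and flag a WSUS target that differs from the
# one expected from the NinjaOne organization/location configuration.

$ExpectedWsus = 'http://wsus.example.internal:8530'   # placeholder: protocol + host + port you configured in NinjaOne

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey      = Join-Path $PolicyRoot 'AU'

# Standard Windows meanings of the AUOptions value, worded to match the four
# "Configure Windows Update settings through NinjaOne" options.
$AuOptionsMeaning = @{
    2 = 'Notify user of recommended updates, but do not download'
    3 = 'Download recommended updates, but allow the user to choose when to install'
    4 = 'Download recommended updates and install on a schedule'
    5 = 'Automatic updates required; local administrator chooses the setting'
}

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent, so "not set" is distinguishable from "set to 0".
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$noAutoUpdate = Get-PolicyValue $AuKey 'NoAutoUpdate'
$auOptions    = Get-PolicyValue $AuKey 'AUOptions'
$useWuServer  = Get-PolicyValue $AuKey 'UseWUServer'
$wuServer     = Get-PolicyValue $PolicyRoot 'WUServer'
$wuStatus     = Get-PolicyValue $PolicyRoot 'WUStatusServer'

$mode = if ($noAutoUpdate -eq 1) {
    'Turn off Windows Updates'
} elseif ($null -eq $auOptions) {
    'No Automatic Updates policy set (local defaults apply)'
} elseif ($AuOptionsMeaning.ContainsKey([int]$auOptions)) {
    $AuOptionsMeaning[[int]$auOptions]
} else {
    "Unknown AUOptions value $auOptions"
}

$updateSource = if ($useWuServer -eq 1 -and $wuServer) {
    "WSUS: $wuServer (status server: $wuStatus)"
} elseif ($wuServer) {
    "WSUS URL present ($wuServer) but UseWUServer is not 1, so Microsoft Update is used"
} else {
    'No WSUS configured; updates come from Microsoft'
}

$findings = @()
if ($useWuServer -eq 1 -and $wuServer -and $wuServer -ne $ExpectedWsus) {
    # This is the symptom the WSUS section warns about: a GPO or stale setting
    # has written a different target than the NinjaOne configuration.
    $findings += "WSUS target '$wuServer' differs from expected '$ExpectedWsus'; check for a conflicting WSUS GPO"
}
if ($noAutoUpdate -eq 1) {
    $findings += 'Automatic Updates are turned off by policy (the Turn off Windows Updates option)'
}

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    AutomaticUpdates = $mode
    UpdateSource     = $updateSource
    Findings         = if ($findings) { $findings -join '; ' } else { 'none' }
}
```

Run it as an automation across a policy and compare the UpdateSource column against the WSUS server you configured; a device that reports a different server, or that reports Microsoft Update while the location is set to use WSUS, is the one whose GPO settings need to be removed before NinjaOne's configuration will take effect.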

Enabling the WSUS Server per Location

You can set up WSUS servers at different locations to optimize bandwidth and service delivery speed.

  1. In the Organization editor, click the Locations tab, then click Add Location.

Figure 9: Locations → Add Location

  2. In the Add Location window, select WSUS, then click Use organization-level settings. The server will use the WSUS settings you previously configured.

Figure 10: The Add Location dialog box

Using Other Location-Based WSUS Server Settings

You can set device-specific settings for a WSUS server at another location.

  • Use default Microsoft update server: Click this selection to use the default Microsoft update server. If you choose this option, NinjaOne will reset the existing settings and ensure the device uses the cloud for patching. NinjaOne will not patch devices through a WSUS server.
  • Use the following WSUS server: Select this option to configure these settings for the location. When chosen, additional settings will open in the Add Location window. Configure the IP Address/DNS Name, Protocol, and Port. Select the Use default update server if WSUS is not available checkbox to receive updates directly from Microsoft if the system cannot reach your WSUS server.

Figure 11: Location-specific WSUS configuration
