Frequently Asked Questions

These are the questions asked during Patch Management Training

1. If Microsoft "pulls" a bad patch, in the new distributed model, how can Patch Manager Plus remove it?

   It is recommended to use "Test and Approve" feature, which can test the patches on lab machine and then approve it automatically before deployment. We also have patch removal/roll back option, which can be used to handle these situations.

2. Can I schedule a reboot for a specific time after patches are installed? For servers as well as desktops?

   We do support reboot scheduling in deployment policy with "Reboot Window/ Specify Reboot Time" for Force Reboot. This feature is available in Patch Manager Plus build versions 10.0.405 and above.

3. Is there a way to be alerted about when zero day patches become available to download so we can ensure to get those pushed instead of having to wait for the scheduled policy?

   You can create a separate "Deployment Policy" for such requirements and get them deployed automatically.

4. How often should the patch scan be ran, is there a manual setting?

   It depends on the number of computers, the internal security requirement and related compliance. All systems are scanned automatically after the patch database synchronization which happens everyday at the user specified time. In addition to this, patch scan can also be initiated manually when required.

5. Should the computer need to be connected to admin account, for getting the patches deployed? Or can it be regular user account?

   Managed computers can be use regular user account, since the agent is running in the system account it would have the privilege to install the patches.

6. How to specify languages for patches?

   Patch Manager Plus will automatically detect the language based on the operating system.

7. What will happen when the patches was installing and user accidentally turns off the computer?

   Patch Manager Plus will retry to install the patch during the subsequent deployment window and the installation status would be updated.

8. I didn't catch the part about, patch approval. Is there a way to automatically approve patches or you have to approve the patch manually?

   It is about testing the patches before deployment. You can choose to approve the patches automatically or manually. We also have the feasibility to test the patches before approving them automatically. The tested patches can be approved automatically after specified number of days if no failures found. Alternatively, you can manually approve it based on the result.

9. The patch management solution that we are using currently tells us what we need to download and then we manually download the patches. After the patches are deployed we can remove the downloaded patches which we no longer need. But this is manually done. How Video Patch Manager Plus handle this requirement?

   Patch Manager Plus will allow you to automate the complete process. You can create an APD task, which will automatically scan computers, detect missing patches, automatically download the required patches and deploy it to the target computers. You can configure "Patch Clean up settings, to automatically delete the unwanted patches.

10. Can you limit patches to just laptops or desktops?

    Yes, you can. You can target machines based on system type such as laptops and desktops. You can also create a custom group with system type as criteria.

11. Do we have the feasibility to split the scan & download from the patch deployment?

    You can create separate APD task for scanning and downloading the patches. You will find four different options such as scan, download, draft and deploy. You can choose any of them based on your requirement

12. When there are patches in "yet to apply" status, is there a way to get notified about the patches, after deployment/failure?

    You can configure notification settings for the APD task which can send you the status report multiple times based on the different status including scanning, downloading and deployment of patches Yes, Patch Manager Plus supports them.

13. When you initiate patch scanning, does it start scanning all the computers at a same time or does it scan them incrementally?

    Scanning will be initiated incrementally in order to avoid bandwidth bottlenecks.

14. Is it possible to schedule the patches to be installed and then the computer rebooted and then shut down after the reboot?

    Deployment Policy can be used to schedule the patch and reboot/shutdown. However, if you want to shut down after reboot, you can use the remote shutdown/reboot tool to perform this operation.

15. Right now we use WSUS for MS patches. What is the best way to switch over to Patch Manager Plus?

    You can disable auto-updates from WSUS and install Patch Manager Plus agent on the computers to be managed, scan the computers and start deploying the patches.

16. I need to deploy the newest Mozilla updates to certain computers but exclude some, how do I do this?

    You can create a custom group with the computers which you wanted to exclude. Decline the application from, Patch Mgmt -> Decline Patch -> Decline Patch for Group -> specify the application.

17. How would I automatically download and deploy the latest flash updates as they are released?

    You should configure “Automated Patch Deployment Task” and ensure that the schedule is run every day to keep your computers up-to-date.

18. How to ensure the individual computers do not download patches from the Internet? I do not want any 3rd party application in our organization to take the updates from the Internet?

    You can see the “Installed Time”, against the patch, if it is installed using Patch Manager Plus. If you do not find the “Installed Time”, then it could be patched using automatic updates. In such cases, you will have to disable auto-updates from, Configurations -> Script Repository ->Templates tab -> Search for AutomaticUpdates.exe -> add to repository. Create a configuration, select the target computers and deploy it.

19. Will there be a feature to pull local logs of failed deployments from the Patch Manager Plus site?

    Yes, you can pull local agent logs from remote computers and upload it to support for analysis from, Support -> Create Support File.

20. Is the ability to create a test group of several computers and giving them patches before they are made available to all the computers in company?

    You can create a custom group and test the patches before deploying them to all computers in the company. Ability to "Test and deploy" patches, will be available at the end of this quarter.

21. Is there a way to configure the lists of computers, etc., permanently display more than 25 at a time?

    You can customize the count of computers, displayed. The changes you make will persist only for the technician and the view.

22. If I want to schedule patches to run in the next 20 minutes, is there a way to force the Patch Manager Plus agent on client machines to talk to the server, thus getting that task quicker than the 90 minute policy refresh? (Example - McAfee anti-virus has a feature called "wake up agent" that tells the agent to pull down fresh)

    You can achieve this by using “deploy immediately option”, whenever you deploy a patch configuration. This will wake up the target computer on-demand, to perform the task initiated by Patch Manager Plus.

23. When viewing the results of an "Automate Patch Deployment", is there a way to see the history of what patches were installed by previous runs of this task?

    You can view the status of the “Automate Patch Deployment Task” from, Patch Mgmt -> Automated Patch Deployment Tasks. You can also generate reports of these tasks and schedule it.

24. I do not see where I can push Anti-virus definitions using Patch Manager Plus.

    You can deploy definition updates using Patch Manager Plus from, Patch Mgmt -> Automate Patch Deployment -> Schedule Anti-Virus Task

25. Java updates -- is it possible to allow update for compatibility with app X and preserve legacy version for compatibility with app Y or app Z?

    You can create a dynamic custom group and choose to decline the patches for the specific application like JRE. By doing this, you can maintain multiple versions of the JRE in your network.

26. Which are all the ports to be made free for Patch Manager Plus Cloud?

    In Patch Manager Plus Cloud, the port configuration is not necessary for the server. For the Distribution Server and agents, there are a few domains that are necessary for their functioning, which is explained in this document: https://www.manageengine.com/patch-management/help/domains-required-for-agent-communication.html. You need not do the port configuration since these domains are communicated using the default port 443. When you create a remote office, you can configure the port you want, with which the Distribution Server and agents communicate.

27. What changes should I do, in my firewall and proxy to patch computers?

    Refer this article to find the list of domains , which need to be excluded https://www.manageengine.com/products/desktop-central/patch-download-failure-error-403.html

28. I have the patches set to automatically deploy how can I check the deployment since it is not making a configuration deployment?

    Automated patch tasks are not regular configurations. You can view the status of the You can view the status of the "Automate Patch Deployment Task -> System View". You can also configure notification settings, Patch Mgmt -> Automate Patch Deployment -> Notification Settings, to receive email updates, whenever there is any change in the status of the task.

29. How do you make a separate policy that is specifically for server OSs and does not automatically restart the server?

    This can be achieved by configuring the deployment policy and excluding servers from reboot, Patch Mgmt -> Deployment Policies -> Create Deployment Policy ->Deployment Window -> Reboot Policy -> Exclude Servers from Reboot

30. We currently use McAfee encryption on some of our devices. We are trying to figure out how to continue auto deployment after hours once everything is encrypted. Does Patch Manager Plus have a method of handling this?

    This can be achieved by configuring the deployment to happen after the encryption time window. You can configure it from, Patch Mgmt -> Deployment Policies -> Create Deployment Policy -> Deployment Window

31. I want to patch computers which are not live. How does "wake-up & deploy" work?

    You can wake up the computers and deploy the patches by configuring, Patch Mgmt -> Deployment Policies -> Create Deployment Policy -> Turn on computers before deployment.

32. Under all patches, I don't have "filter" option, decline patch option is shown , install patch, download patches, decline patch are the only options. there is no "mark as option" Nor "filter". How do I approve patches?

    “Mark As” - option, will be available only when you choose to approve patches Manually, Patch Mgmt-> Settings -> Approval settings - > Approve Patches -> Manually. If you have chosen to approve all patches automatically, all the patches will be marked as approved by default.

33. How come I have not seen updates for Windows 10 or MS 2016?

    Both Windows 10 and Microsoft Office 2016 are supported by Patch Manager Plus. You should ensure that your Patch Database is successfully synchronized in the recent past. Verify it from, Patch Mgmt -> Update Vulnerability DB -> Last update time.

34. Can I use Patch Manager Plus to manage 3rd Party applications?

    Yes, Patch Manager Plus supports managing 3rd party applications. Find the list of supported 3rd party applications: https://www.manageengine.com/products/desktop-central/patch_management_supported_application.html.

35. Can I create a report for systems that need patches older than 30 days?

    You can, create a report from, Patch Mgmt -> All Patches -> Missing Patches Tab -> Computer View and create a filter based on the “Release Date”

36. Can you install the Patch Manager Plus server in the cloud and have remote clients grab updates from that server to conserve bandwidth at the home office?

    Yes, you can sign-up, create an account and start using Patch Manager Plus Cloud version.

37. Is it possible to set patch deployment Policy schedule to run every 3rd Sunday of the month?

    Yes, when you create an APD task, under scheduler select Monthly option and choose 3rd Sunday.

38. Why are dynamic custom groups not always available?

    Dynamic custom groups are evaluated on the client side during deployment based on the criteria you have defined.

39. Can you disable windows automatic updates?

    Yes, under Patch Mgmt->Disable Automatic Updates, choose templates and disable.

40. If I want to scan computer for missing patches during the day to approve the patches for deployment overnight, how would I schedule that?

    You might need to create 2 separate APD tasks as below to achieve this: • Create the first task to just scan the computers and schedule this at 10 AM. This will complete by 12 noon and you will get the list of missing patches, which you can choose and approve • Create a second task scheduled to run at 3PM (assuming that you would approve the patches by then). For this task, define a Deployment policy with o Deployment Window with start and end times as required, say start at 8 PM o Select this option “Download Patches/Software during subsequent Refresh Cycle”The second task will start at 3 PM and scan the computers again and download the necessary patches to the agents. Assuming that all the target computers are up, this will complete and keep things ready for deployment by 6 PM. The deployment will begin at the scheduled deployment window, 8 PM.

41. We currently have a large number of Laptops which need to be updated. These laptops are rarely connected to the domain, and when they are it is via a VPN. How do we push patches to these laptops without impacting user experience or poking holes in our firewall?

    When these computers connect to the network via VPN, the deployment will be initiated during the next refresh cycle (90 minutes).

42. Are all patches released by Microsoft available for patching via Patch Manager Plus?

    Yes, almost all patches that have a download URL will be supported. You can get the list of patches that we support from here: https://www.manageengine.com/products/desktop-central/patch-management/microsoft-security-bulletins.html

43. What is the average turn around for patches to be updated by you guys? For instance the latest flash patch took until the next day to come out.

    We usually support within 24 hours

44. How much disk space does a Distribution Server need to have to cache patches?

    It depends on the number of systems and patches that are maintained, maybe up-to 1 GB. It is recommended to configure patch cleanup settings to remove older patches automatically. This will also cleanup the distribution server.

45. If you do the cleanup and then put a newer machine and it needs an older patch what will happen?

    It will automatically be downloaded and installed.

46. How do I know which updates to run and the order to run them?

    Patch interdependencies and sequencing will be automatically be taken care by Patch Manager Plus.

47. After the initial agent deployment, will patch management scan subnets for new machines that do not have the agent going forward?

    No, agent should be deployed prior to scanning. You can define SoM Sync Policy to automatically identify new computers added to Active Directory and install agents on them.

48. Can you send a process on how to disable windows 10 creep update for Windows 7 computers?

    Under Configuration Templates, we have a template to disable windows10 creep update (Disable Windows 10 Notification)

49. Can one distribution Server support multiple remote offices?

    Yes, it is technically possible if all the remote offices use the same agent and if all the remote office computers can reach the Distribution Server. However this is not applicable for Patch Manager Plus cloud, since every remote office needs a unique Distribution Server.

50. Is it possible to deploy patches to specific computers?

    Yes, the ideal way to do this is go to the All Systems View, select the computer and install all missing patches to this computer.

51. If distribution server is stopped so whether client will be able to communicate to main server?

    Yes, the agents will contact the server to post the failure messages. But, no deployment will happen.

52. What happens when my trial expires? or What happens when I move from the Trial Edition to Free Edition?

    Once the 30-day trial expires, you can either extend you trial, purchase the product or move to Free edition. After the trial, you will be automatically moved to the free edition, where move to the Free edition, you are allowed to choose the computers(up to 25) that you want to manage. Click here to view the edition comparison matrix

53. How to purchase PMP cloud?

    On the PMP server, navigate to Admin tab and select Subscription, under Global Settings. Click Manage Plan, you will be redirected to. Zoho Store page. Purchase or Renew your license here. On successful completion, your PMP Cloud license will be activated immediately. In case the has expired, click on the Buy Now to proceed with the reactivation.

54. What are the types of payments supported by PMP Cloud?

    Payments are securely done using Zoho Store. PMP Cloud supports payment via Visa, MasterCard, American Express and PayPal. You can also purchase offline(Non-Store), by mailing to sales@manageengine.com.

55. How do I modify my PMP Cloud license?

    Modify your license by navigating to this link (sign up with the Zoho account, if need be). Click on Manage Plan, which re-directs you to Zoho Store. Hovering on the plan, lets you add/remove the number of computers to be managed. Similarly, hovering on technicians and multi-language support, lets you add/remove technicians and unsubscribe multi-language support respectively Assume you want to add more computers for management. Click on the plan and specify the number of devices you want to manage. On specifying the additional devices, the required cost to be paid is displayed. You can then continue with the payment and finish the purchase.

56. How to change payment method from offline(Non-Store) to online?

    On the PMP server, navigate to Admin tab and select Subscription, under Global Settings. Click Manage Plan, which redirects you to Zoho Store. Click Payment Method link. Provide credit card details and click on Update, to modify your payment method.

57. How do I add users(technicians) to manage devices?

    You can add users from Admin -> User administration -> Add user. You can associate users to either pre-defined roles or create roles and associate them. Additionally, you can modify the users, their roles and even delete them.

58. If distribution server is stopped so whether client will be able to communicate to main server?

    Yes, the agents will contact the server to post the failure messages. But, no deployment will happen.

59. Why am I unable to sign up with PMP Cloud service?

    If you encounter an error stating that "you are part of another organization" such as "Access denied for this service. Please contact your Org administrator, it implies that you are already registered for Zoho Services. A super admin assigned for Zoho Services, is the only person/profile who can sign up for any additional Zoho service including PMP Cloud. You will have to request the super admin to add yourself as a technician to use PMP Cloud. In case you want create an independent account, or evaluate PMP Cloud, you can use an alternate e-mail address to sign up and use the service.

60. What are the URLs that have to be white-listed for DS and agents to contact the PMP Cloud server?

    The URLs to be white-listed for DS and agents to contact the PMP Cloud Server are given below:
    For US : https://www.manageengine.com/patch-management/help/domains-required-for-agent-communication.html
    For EU : https://www.manageengine.eu/patch-management/help/domains-required-for-agent-communication.html

61. What should I do when I get an error message like "Patch Download Failure - Error 404", or "Download Failed. Contact Support"?

    Refer to this document. Identify the cause of the error and follow the resolution as given in that document.

62. What should I do when the Dependency patch download fails?

    Refer to this document. Identify the cause of the error and follow the resolution as given in that document.

63. Does PMP Cloud support Feature Pack Deployment?

    Yes, it is supported. To know about Feature Pack Deployment in detail refer https://www.manageengine.com/patch-management/how-to/cloud-windows-10-feature-pack-deployment.html

64. How to deploy Older version (6, 7) Java patches?

    To deploy Older version (6,7) Java patches refer https://www.manageengine.com/patch-management/help/workaround-for-java.html

65. How to move DS from one drive to another?

    To move Distribution Server from one drive to another follow the steps given in this document

66. Will the APD task retry in subsequent deployments?

    If patches are missing and not already installed, the Automatic Patch Deployment (APD) task will attempt to deploy them again. In cases where there is an installation error at the machine level, the APD task will halt after two unsuccessful attempts to deploy the patches. However, if the issue is network-related, the APD will continue retrying until the patches are successfully deployed.

67. How to identify servers? Are all Linux machines considered servers?

    Currently, if the operating systems meet any of the following criteria, we consider them as server machines:

    • If the operating systems' name contains the keyword "server"
    • If the machine with Red Hat Enterprise Linux OS has a Server subscription
    • If the machine has Oracle Linux OS

    We recommend purchasing server licenses for any Linux machine when deploying them as servers within the organization.

68. How to identify servers from the Patch Manager Plus web console?

    Navigate to Agent --> Computers in the console interface. Create a filter for Operating System with tags "server" and "Oracle". The Red Hat Enterprise Linux OS server machines cannot be identified using the web console as its subscription has to be checked.

     

    

69. How many servers can be managed with the free edition?

    The free edition allows management of any number of servers, as long as the total number of endpoints does not exceed 25.