Barracuda RMM
formerly Managed Workplace

Understanding the Pre-Built Microsoft Patch Policies

Barracuda RMM includes two pre-built patch policies that are configured to patch manage Microsoft applications on Windows workstations and Windows servers. You can use these patch policies as-is, or you can modify the settings as needed.

The following table provides an overview of the two Microsoft patch policies available in Barracuda RMM:

Patch Policy: Microsoft Windows Server Patching
Description:
  • Set up to notify for download and notify for install so nothing is downloaded or installed without your explicit approval.
  • Do not install minor updates silently.
  • When devices are added to this policy, they are also automatically added to the Unassigned Computers approval group.
  • Automatic inclusion rules pre-set to include devices that are servers and WMI-enabled, but do not have 2000 or 2003 in the OS name.

Patch Policy: Microsoft Windows Workstation Patching
Description:
  • Set up to notify for download and notify for install so nothing is downloaded or installed without your explicit approval.
  • Do not install minor updates silently.
  • When devices are added to this policy, they are also automatically added to the Unassigned Computers approval group.
  • Automatic inclusion rules pre-set to include devices that are WMI-enabled, but to exclude servers.


To activate Microsoft patch management using one of these policies, you must:

  1. Add the policies to a service or service plan, or apply the patch policies directly to a device or group of devices. See About Service Plans.
  2. Approve the patches for installation. You can do this automatically by setting up approval rules, or you can approve patches and groups of patches manually. See also: Approving Microsoft Patches for Installation and Automatically Approving Microsoft Patches for an Approval Group.

To set up Microsoft patch management for a device, follow these steps:

  1. You discover a new device that isn’t patch managed.
  2. If an existing patch policy doesn't apply to this device, create a patch policy. Set the rules and apply the policy to the device through services and service plans, or by applying the policy directly to the device. See Creating a Microsoft Patch Policy.
  3. When a patch policy is first applied to a device, Onsite Manager configures the Windows update agent on the target device so that the device becomes patch managed by Barracuda RMM. The target device reports patch status to Barracuda RMM within the detection frequency timeline as defined in the Windows update agent.
  4. Optionally, configure which Microsoft updates to synchronize, where updates are stored and how often to check for updates. See Setting Which Microsoft Updates to Synchronize and Setting Whether to Store Microsoft Patches Locally or Not Locally.
  5. Optionally, you can set up automatic approval, such as automatic approval for revisions to patches that you've already approved for installation. See Automatically Approving Microsoft Patches for an Approval Group.
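
An added example, not Barracuda's own tooling: a PowerShell check to run on a target device after step 3 to see what the Windows update agent has been configured to do. It assumes the settings are visible under the standard Windows Update policy registry values (AUOptions, DetectionFrequency and related), which this page does not state.

```powershell
# Added example: report the Windows Update Agent policy on this device and flag
# whether it matches "notify for download and notify for install".
# Assumption: the policy is written to the standard Windows Update policy keys.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Meanings of AUOptions in the Windows Update policy.
$auOptionsText = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

$auOptions   = Get-PolicyValue $auKey 'AUOptions'
$noAuto      = Get-PolicyValue $auKey 'NoAutoUpdate'
$freqEnabled = Get-PolicyValue $auKey 'DetectionFrequencyEnabled'
$freqHours   = Get-PolicyValue $auKey 'DetectionFrequency'

# Guard the lookup: indexing a hashtable with $null raises an error.
$mode = if ($null -eq $auOptions) { 'Not configured by policy' }
        elseif ($auOptionsText.ContainsKey([int]$auOptions)) { $auOptionsText[[int]$auOptions] }
        else { "Unknown value $auOptions" }

# The detection interval applies only when DetectionFrequencyEnabled is 1.
$detection = if ($freqEnabled -eq 1 -and $null -ne $freqHours) { "$freqHours hour(s)" }
             else { 'Windows default interval' }

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    PolicyKeyPresent    = Test-Path $auKey
    AutoUpdateDisabled  = ($noAuto -eq 1)
    UpdateMode          = $mode
    DetectionFrequency  = $detection
    UseWUServer         = (Get-PolicyValue $auKey 'UseWUServer') -eq 1
    WUServer            = Get-PolicyValue $wuKey 'WUServer'
    MatchesNotifyPolicy = ($noAuto -ne 1 -and $auOptions -eq 2)
} | Format-List
```

A device where PolicyKeyPresent is False, or where MatchesNotifyPolicy is False while one of the pre-built policies is assigned, is worth checking against the patch status it reports.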

Process for Approving Microsoft Patches

To approve a patch, follow these steps:

  1. Check the Patch Management Overview page once or twice a day for new patches not yet approved. Microsoft releases patches on a weekly basis, usually on Tuesdays. Some patches, notably definition updates or critical security patches, may be released more frequently.
  2. Review the patches available in the Patch Approval window and research the update. See Reviewing Microsoft Patches.
  3. Do you want to approve the update? Is it applicable for all computers? If not, do you need to approve it for a subset of computers? If so, you need an approval group that includes that subset. See Setting Up Microsoft Patch Approval Groups.
  4. By default, patches are set to Not Approved. Set how you want to handle the patch: approve for installation (Install), approve for removal, decline, or leave as Not Approved. See Approving Microsoft Patches.
  5. Once a decision about the patch has been set, the action is retrieved by all Onsite Managers and Device Managers.

When patch caching is enabled, the patch is downloaded to the update cache folder on the Onsite Manager machine only if the approved patch is needed by a device at the site. The settings in the patch policy define how and when an approved patch is installed.

Device Managers configure Windows with the settings in the patch policy, and a helper application downloads needed patches directly from Microsoft. Based on the choices made when configuring a patch policy, users on the Device Manager computer may or may not be notified about download or installation activity. If they are notified, the user can select which patches to download and install.