Insights for better Patch Management in NinjaOne

How Users Set Up Windows Patching with Ninja

Patch management is one of the most important tasks an IT team undertakes. Businesses spend significant resources on keeping their infrastructure up-to-date, yet more than half of breaches could have been prevented by installing available software and OS patches.

In addition to the security implications, an effective patching strategy ensures end-users have the most current, feature-rich software with which to do their work.

If some of the largest, most well-funded organizations in the world are having difficulties with patch management, however, what chance do small and medium-sized businesses with limited IT support have? Without the right tools, the process is time consuming, complicated, disruptive to end-users, and prone to errors.

Patch management software, such as that included with NinjaOne, gives users a complete, centralized view of their patch compliance rate and automates the identification, downloading, and deployment of patches across your managed devices.

Ninja gives you granular control over your patch approval process, improves your first-pass patch success rate, and drives down the time your technicians spend on patching.

To create this guide, we worked with Ninja partners to understand how they use NinjaOne’s patch management capabilities and combined their expertise with our own.

In this guide we share those insights so new partners can get the most out of patch management.
When to schedule scans

Scan Schedules

Ninja policies enable users to schedule patch scans separately from the updating process. Scanning identifies all not-yet-installed patches on a device and sorts them into ‘Approved,’ ‘Pending,’ or ‘Rejected’ categories based on policy-based approval settings.

By scanning hours or days prior to running an update, you can manually adjust the approval status of a patch, which the update process will then respect. This is incredibly helpful for manually-approved patches or to avoid problem patches that would normally be automatically approved.

Patches are not installed during the patch scan process.

Day of the week

Most Ninja partners schedule their patch scans for once per week. Fridays are by far the most common patch scanning day. The next most common option is to run a scan every day. Daily patch scans utilize more resources but maximize the time partners have to make ad-hoc changes to patches.

Time of day

The most common time to scan for patches is between 5:00 – 6:00 PM, device time. Many users schedule scans for after 6:00 PM to avoid impacting end-users who work later. While patch scanning is not resource intensive, most scans are scheduled after typical work hours to avoid impacting end-users. Those users who schedule scans during work hours may do so to capture the greatest number of online devices.

Scan duration

Most Ninja users do not set a scan duration, allowing scans to take as long as necessary. For those that do limit duration, the most common options are 9 hours, 6 hours, and 3 hours. Scan durations may be used when you take over a new infrastructure, or when users from multiple time zones need to access a server and the patch window needs to be shorter to minimize end-user impact.
When to schedule updates

Update Schedules

The Ninja update schedule first scans for available patches, then downloads and applies both newly discovered patches and those already identified via a patch scan, based on the policy’s approval configurations and any applicable overrides. Ninja patch management then performs an additional scan to finalize the process.

The policy-applied approval status can be overridden for individual devices or for entire policies so long as a scan identifies it before it is applied.

Once a patch has attempted to install during an update cycle, it will be sorted into the ‘Installed’ or ‘Failed’ OS patch dashboard.

Day of the week

Patches are most commonly applied on weekends to avoid interrupting end-users. Fridays – usually after work hours – are also common. After the initial device onboarding, many users also apply patches daily in an effort to minimize the time when endpoints are vulnerable.

Time of day

The most common time to start the patch application process is between 5:00 – 6:00 PM, device time. Many users schedule their updates after 6:00 PM to avoid impacting end-users who work later. Since patch application is more resource intensive and often requires a reboot, most updates are scheduled outside of work hours.

Update duration

Most Ninja users do not set a patch application duration, allowing updates to take as long as necessary. For those that do limit duration, most limit updates to four hours or less.
Making up missed scans and updates

Missed Schedules

Ninja enables users to make up scans or updates if they are missed. This most commonly occurs if the device is turned off when the scan or update was scheduled to begin.

Scan and update makeup options can be enabled separately.

Makeup scans and updates run as soon as the Ninja agent checks in with the server.

Missed Scans

Almost half of Ninja users automatically make up any missed patch scans. This feature is particularly helpful for those who normally scan outside of business hours, when more devices may be turned off.

Missed Updates

Making up missed updates is less common than making up scans. Off-schedule updates are more likely to interrupt end-users, either due to resource utilization or due to the need to reboot the device post-update.
Security Update Approvals

Patch Approvals

NinjaOne gives you the ability to configure approval workflows for each of the four Microsoft Security Update Severity Ratings and seven Microsoft Update Categories. You can automatically approve, automatically reject, or manually approve / reject patches based on their patch category.

Update Categories

Over the next few pages, we’ll share the most common patching profiles that Ninja users apply to their devices.
Common Patching Profiles in NinjaOne

Default Patching Profile

Patch Approval Profiles

Ninja’s default patching profile is leveraged by many of our partners. This profile focuses on balancing time-saving automation with risk reduction.

Almost all approvals in this profile are automated, approving important updates and rejecting optional updates to maximize time savings. Optional and low-priority patches are automatically rejected to keep automation high but avoid operational risk.

Driver and feature updates are disabled in this profile, as these types of updates are more prone to cause issues for end-users.
Full Approval Automation Profile

The full automation profile is the second most common profile used by Ninja partners. This profile automatically approves all Microsoft patches.

This profile ensures all devices associated with the policy are always up-to-date, but it does expose devices to some level of operational risk due to problem patches.

Pairing this profile with frequent patch scans allows technicians to avoid operational risk by rejecting problem patches when they arise and before they are applied.

Pairing this profile with test devices also allows you to observe the outcome of patching before rolling out to production machines.
Low-Risk, Balanced Automation Profile

This profile prioritizes reaching 100% patch compliance while attempting to minimize operational risk by balancing automation with manual approvals.

This profile requires more manual intervention to reach full patch compliance, but with the added benefit that problem patches that are not critical for the security or functioning of a device can be avoided.

Technicians will need to review and approve or deny manual patches regularly to take advantage of this profile’s benefits.
Low-Risk, Low Automation Profile

This profile also balances automation with manual intervention.

In this case, optional patches are automatically rejected while security and important updates require manual approval.

This profile attempts to automate away less-important patches while minimizing operational risks from problem patches.

Ninja partners using this profile will need to regularly review and approve pending patches to ensure endpoint security.
Full Manual Profile

The full manual patching profile allows technicians to fully control which patches are applied and which are not.

Every patch made available for a device will be listed as pending until it is either approved or denied.

While still far more efficient than traditional patching, this profile will be the most labor-intensive patching profile in Ninja, and could expose users to both security and operational risks if patches are not applied quickly enough.

Users who use this profile should have SOPs to regularly check their patching cadence.
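The scan / override / update flow and the approval profiles described above, as an added worked model. This is constructed example code, not NinjaOne's own code or API; the mapping of "important" and "optional / low-priority" onto Microsoft's four severity ratings, the category names, and the KB-style identifiers are assumptions made for illustration.

```python
# Constructed model of the scan -> override -> update flow this guide describes;
# illustrative only, not NinjaOne's code, API or exact profile settings.
from dataclasses import dataclass

APPROVE, REJECT, MANUAL = "auto_approve", "auto_reject", "manual"
SEVERITIES = ("Critical", "Important", "Moderate", "Low")  # Microsoft's four ratings

# Approximations of the guide's profiles; how "important" versus "optional /
# low-priority" maps onto the four severity ratings is an assumption here.
PROFILES = {
    "default": {"severity": {"Critical": APPROVE, "Important": APPROVE,
                             "Moderate": REJECT, "Low": REJECT},
                "disabled_categories": {"Drivers", "Feature Updates"}},
    "full_automation": {"severity": dict.fromkeys(SEVERITIES, APPROVE),
                        "disabled_categories": set()},
    "low_risk_low_automation": {"severity": {"Critical": MANUAL, "Important": MANUAL,
                                             "Moderate": REJECT, "Low": REJECT},
                                "disabled_categories": set()},
    "full_manual": {"severity": dict.fromkeys(SEVERITIES, MANUAL),
                    "disabled_categories": set()},
}

@dataclass(frozen=True)
class Patch:
    kb: str        # constructed placeholder identifier, not a real KB number
    severity: str
    category: str

# Constructed sample output of a patch scan (placeholder identifiers).
SAMPLE_PATCHES = [Patch("KB-SAMPLE-1", "Critical", "Security Updates"),
                  Patch("KB-SAMPLE-2", "Low", "Updates"),
                  Patch("KB-SAMPLE-3", "Important", "Drivers")]

def scan(patches, profile, overrides=None):
    """Sort not-yet-installed patches into Approved, Pending or Rejected.
    `overrides` (kb -> status) models a technician changing a status between
    the scan and the update run, which the guide says the update respects."""
    overrides = overrides or {}
    statuses = {}
    for p in patches:
        if p.category in profile["disabled_categories"]:
            status = "Rejected"
        else:
            action = profile["severity"][p.severity]
            status = {APPROVE: "Approved", REJECT: "Rejected", MANUAL: "Pending"}[action]
        statuses[p.kb] = overrides.get(p.kb, status)
    return statuses

def update(statuses, install):
    """Attempt only Approved patches; each ends up Installed or Failed.
    `install` stands in for the real installer and returns True on success."""
    return {kb: "Installed" if install(kb) else "Failed"
            for kb, s in statuses.items() if s == "Approved"}
```

Running `scan(SAMPLE_PATCHES, PROFILES["full_automation"], overrides={"KB-SAMPLE-3": "Rejected"})` shows how a pre-update override keeps a problem driver out of the update run even under full automation.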
Reboot Behavior

Reboot Actions

To complete Windows updates, devices often need to be rebooted.

Getting end-users to reboot their device is nearly impossible, so Ninja allows you to automate this process.

Ninja policies allow for different actions and schedules to be applied for when a user is, or is not, logged in.

User Not Logged In

The majority of Ninja policies reboot devices post-patching on a schedule. Because there is no logged-in user, immediate reboots are more common than for when users are logged in.

Reboot Schedule (Weekly)

The 12% of policies that reboot on a weekly schedule will reboot on the following days:

Reboot Schedule (Daily)

The 85% of policies that reboot daily will reboot daily during the following times: