About the Patching Dashboard
Table of Contents
The Patching Dashboard consolidates and helps you visualize the data that Syncro collects about patch-enabled Assets across your fleet.
The Patching Dashboard features:
- Actionable insights for viewing patching compliance, patching coverage, and critical missing patches on your devices.
- A dedicated patch instances table for you to view the status of available Windows patches on your devices and take action on them.
You'll efficiently be able to:
- Identify problem systems that are failing to update and troubleshoot as needed,
- Determine whether adjustments need to be made to OS patch approval settings or scheduling windows,
- Generate one-time or recurring reports to demonstrate OS patching compliance, and
- Validate that problematic patches are rejected or excluded per policy settings.
Note: The Patching Dashboard is currently in EA (Early Access). Click here to participate.
Prerequisites
For an Asset to be eligible to display in the Patching Dashboard, it must have the Syncro Agent Installed and be running the Windows OS. (In other words, this dashboard does NOT include manually-created assets nor those running MacOS.)
Security settings drive whether Syncro Users can see the Patching Dashboard and what, if any, actions they can take on the rows displayed in the Patching Instances table. See Security Permissions Reference for more information.
Overview
To view the Patching Dashboard, click the Patching tab/module.
By default, the dashboard displays all patching data for all (Customer) Organizations over the past 7 days. However, you can change the included (Customer) Organizations, Patch Categories, and timeframe the Patching Dashboard displays. See Adjust Patch Data Settings for instructions.
Tip: Syncro displays the active settings for the dashboard immediately below the “Windows Updates” page title.
The top portion of the dashboard contains several summary sections:
Compliance & Coverage
These two blocks on the left let you know how you're doing.
The Compliance section displays the percentage of assets that are fully up to date on patches. It also shows the specific number of assets that have no missing patches for the selected Patch Categories vs. the total number of assets (i.e., "125 of 127 Assets").
The Coverage section displays the percentage of assets are covered by a Windows Updates policy. It also shows the number of assets that have coverage for the selected Patch Categories vs. the total number of assets (i.e., "125 of 127 Assets"). See also: Windows Update Management.
Note: Since no action is required, the Patching Dashboard does not display compliant nor covered devices in the Patch Instances table.
Missing Patch Instances, by Status
This interactive pie chart helps you visualize what patches you should act on. It displays any missing patches by their Status: Failed, Needs Reboot, Needs Review, and Pending. It excludes devices with Rejected and Excluded statuses as well as Unmanaged devices (regardless of their status).
You can click a pie slice to filter the Patching Instances table at the bottom of the page. You can undo the filter by clicking a different pie slice, or using the table header row.
See Patch Statuses.
Non-Complying Assets, by Patch Category
This interactive table shows what you should do immediately. It shows you the total number of assets that currently have at least one Patch Instance (of each Patch Category listed) that likely should, but hasn't yet been, installed. These are the “non-complying” assets.
Patch Categories are listed in descending order, based on priority. The icons are also displayed as indicators in the KB column of the Patch Instances table. You can hover over any Patch Category to be reminded of the description.
You can click one of the hyperlinked numbers to filter the Patching Instances table at the bottom of the page. You an undo the filter by clicking a different number, or using the table header row.
Patch Instances Table
The bottom portion of the page is the Patches Instances table, which displays columns for the KB number, associated Asset, (Customer) Organization, Age, and date/timestamp for when the instance was Last Evaluated.
- Age is the number of days since the patch was seen by the Syncro agent. Initially it will match the installation date, but then will change to the first time the Syncro agent detected a patch on the asset.
- The Asset column also tells you whether the Asset is online (green) or offline (gray), and contains a hyperlink to the Windows Patches subtab of the Asset's Details Page.
The Patch Instances table defaults to showing those with a Failed status at the top, followed by others in descending order based on KB severity. However, you can always pin, filter, group, show/hide, and sort the columns in ways most helpful to you. See Patch Statuses for details.
In the upper right of the Patch Instances table you can also search (for example, enter a specific KB number, then press Enter). Your search is automatically scoped to your Patch Data Settings.
The Manage button menu in the upper right provides the following options:
- Export: Exports the Patch Instances table (as it's currently filtered in the Patch Data Settings) to a CSV file.
- Install Selected: Installs the patches for one or more selected rows in the Patch Instances table. See Manage Approvals for instructions.
- Reboot Selected: Reboots the assets for one or more selected rows in the Patch Instances table. See Reboot Assets for instructions.
Patch Statuses
The following Statuses are listed in descending order, based on severity:
- Failed (red): A patch that failed during an installation attempt by the Syncro agent. Syncro reports the Windows failure reason along with the summary and error code.
- Needs Review (orange): A patch that requires evaluation by a Syncro User before installation. This is because the Windows Updates policy module specified "Manual" in the "Security Vulnerabilities Patch Severity Approvals" section. See Manage Approvals for instructions.
- Needs Reboot (yellow): A partially-installed patch, where a reboot is required to complete installation. See Reboot Assets.
- Pending (pink): A patch that’s pending Syncro agent evaluation, automated or manual patch installation.
- Rejected (dark blue): A patch that's rejected because the Windows Updates policy module specified "Reject" in the "Security Vulnerabilities Patch Severity Approvals" section.
- Excluded (light blue): A patch that's excluded because the Windows Updates policy listed the patch in either the Patch Exclusion List or the Global Patch Exclusion list. For example, if you learn a particular patch is causing blue screens and you want it to be low priority for mission critical systems.
- Unmanaged (gray): A general patch status for assets not covered by a Windows Updates policy.
See also: Windows Update Management.
Adjust Patch Data Settings
To adjust what displays in the Windows Patching Dashboard, follow these steps:
- Beneath the “Windows Updates” page title, click the gear (
) icon.
- In the Patch Data Settings pop-up that appears, make any adjustments:
- (Customer) Organization: Select All or a single (Customer) Organization.
- Patch Categories: Select one or more Patch Categories.
- Rejected & Excluded Patch Instances Discovered Within: Select a timeframe of 7, 30, 60, or 90 days. (Syncro will display these patches ≥ the timeframe you select.) Alternatively, select “Custom” to select your own timeframe.
- Include Unmanaged Assets: Optionally, check this box to include unmanaged assets in the dashboard. (“Unmanaged assets” are Syncro devices running Windows, but without an associated Windows Updates policy.)
- Click Load Data to save your changes.
Manage Approvals
To manually approve patch instances, follow these steps:
- If you haven't already, filter the Patch Instances table based on the “Needs Review” status. If desired, you can also Group By the KB column.
- Check the boxes next to one or more Patch Instances. Tip: If you select the parent row of a Group, each individual row in that group is also selected.
- From the Manage button menu, choose “Install Selected.” Syncro displays a message letting you know installation has started for your patch instances.
Reboot Assets
Tip: If you see that an Asset is online and its during normal business hours, you may want to initiate a Chat with the End User to make sure they're not in the middle of something.
To reboot patch instances, follow these steps:
- If you haven't already, filter the Patch Instances table based on the “Needs Reboot” status.
- Check the boxes next to one or more Patch Instances. Tip: Select the header row to quickly check all the boxes.
- From the Manage button menu, choose “Reboot Selected.” Syncro displays a message letting you know reboots have begun for your patch instances.
Manage KBs Known to be Problematic
Some KBs are known to be problematic, but you can easily manage them from the Patching Dashboard by following these steps:
- In the search bar above the Patch Instances table, enter the number of the problematic KB. The Patch Instances table displays results matching that KB.
- Click any hyperlink in an Asset column to navigate to the Windows Patches subtab of the Asset's Details Page.
- If you see a patch in the Recently Installed section that you want to remove, click the Remote Access button to remotely uninstall it.
Security Settings
There are security settings that Global Admins can use to specify whether other Syncro Users (e.g., Admins or Techs) can see the Patching Dashboard, and/or take actions on rows in the Patch Instances table.
- Navigate to Admin > Syncro Administration - Security Groups, then click Edit for the desired security group.
- To allow Syncro Users access to the Patching Dashboard:
- Scroll to the Assets section, then check the “List/Search” box.
- Scroll to the Patching Dashboard section, then check the “View” box.
- To allow Syncro Users to take actions on rows in the Patch Instances table, scroll to the Assets section, then check any of the following boxes:
- Allow Installation of Rejected Patches
- Reboot
- Install Windows Patches Manually
- Click Update Group to save your changes.
- Then, make sure any desired Syncro Users are in that security group!
See also: Configure Security Groups and Add & Assign Users to Security Groups.