How to Install and Configure ManageEngine Patch Manager Plus


As we continue our Home Lab series, I wanted to include an article on Patch Management. There are several different ways to handle this, and in a home lab, you may or may not want Patch Management. For my use case, I’m still trying to configure my home lab to mimic that of a small business, so I think it makes sense to include patch management. ManageEngine’s Patch Manager Plus tool is perfect for this use case. It is free for under 10 connected devices, which is ideal for our home lab.

This will allow us to begin to configure things like our patch management practice. ManageEngine does have a more robust solution that includes Patch Management, called Endpoint Central, but that is more than what I am looking for in my home lab.

DISCLAIMER

Please understand that the content herein is for informational purposes only. Its existence and contents shall not create an obligation or liability, or suggest a consultancy relationship. Further, it shall be considered as is, without any express or implied warranties, including but not limited to warranties of merchantability, fitness for a particular purpose and non-infringement. There is no commitment that the content, or the specific functions of the services, are reliable, applicable or able to meet your needs, whether unique or standard. Please be sure to test this process fully before deploying in ANY production capacity, and understand that you are doing so at your own risk.

Project List

  1. Download and Install vSphere (ESXi)
  2. Install and Configure OPNsense Firewall
  3. Download and Install Windows Server 2022
  4. Download and Install FreeNAS or Configure Synology (TBD)
  5. Install Windows Server and Configure Veeam Backup Server
  6. Install Windows Server and Configure ManageEngine Patch Manager
  7. Download and Configure MFA solution (Duo or KeyCloak)
  8. Evaluate Home Lab against initial requirements list
  9. Write Lessons Learned Blog post
  10. Plan Next Steps for Home Lab including Expansion

Table of Contents

Prerequisite Information
Install Patch Manager Plus
Set Up Client for Installation
Configure Automatic Patch Cycle
Conclusion

Prerequisite Information

There are a few things to know before we begin. First, we will need a server to run this on. It can run on a Windows 10 machine (if licensing is a concern). However, since this is a home lab, and the trial version of Windows Server can be extended far longer than Windows 10, we will be using the server version. It will be a virtual machine in our ESXi environment. I covered how to install the Windows Server 2022 trial edition in a previous post.

I am configuring this server with these specs:

  • 2 Cores
  • 8 GB memory
  • 1x 90GB OS Hard Drive
  • 1x 1TB Storage Drive

Be sure to install all missing patches, assign a static IP address, and add it to the domain prior to installing ManageEngine. These things will make this process much easier.

Missing Drive…

When you are configuring Windows Server for this use case, you might notice after installation that the second drive isn’t showing in File Explorer. You need to go to Disk Management, and perform a few steps to get the disk recognized by Windows.

Image of the Unrecognized Disk in Disk Management

If this is the case for you, please perform these steps (in this order) to bring the disk online and ready to use. Also, be sure to hit enter to apply a command (wherever it says to type a command).

DiskPart

  1. Open Command Prompt (or PowerShell) as Administrator.
  2. Type ‘DiskPart’ and hit enter to open DiskPart.
  3. Type: ‘List Disk’
  4. Then type: ‘Select Disk 1’ (or whichever disk is your missing one).
  5. Next type: ‘Online Disk’. (You should see a success message.)
  6. Then it should show in Explorer. If you are unable to right-click and format the disk from there, continue on.
  7. Type: ‘attrib disk clear readonly’ to clear the ReadOnly attribute from the drive.
  8. If you are still unable to bring up the disk, continue to the next step.
  9. Initialize the disk by typing: ‘Convert MBR’. This should bring the disk fully online and initialize it for use.
  10. Type ‘Exit’ to leave DiskPart. You can now close the shell window.
DiskPart in Action

Now you should be able to format the disk like normal. I would leave it all as a single partition, as we are using the entire drive for storage.
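As an added example (not from the original post), here are the same DiskPart steps done with the Storage module cmdlets that ship with Windows Server 2022, including the single-partition format described above. It assumes the missing disk is disk number 1 and uses MBR to match the post; the volume label is an arbitrary choice.

```powershell
# Added example, not part of the original post: the DiskPart steps above done
# with the Storage module cmdlets (built into Windows Server 2022).
# Assumptions: the missing disk is disk 1; 'Storage' is an arbitrary label.
$DiskNumber = 1   # confirm with Get-Disk first; disk 0 is normally the OS disk

# Equivalent of 'List Disk': see what Windows currently knows about each disk
Get-Disk | Format-Table Number, FriendlyName, Size, OperationalStatus, IsReadOnly, PartitionStyle

$disk = Get-Disk -Number $DiskNumber

# 'Online Disk'
if ($disk.IsOffline) { Set-Disk -Number $DiskNumber -IsOffline $false }

# 'attrib disk clear readonly'
if ($disk.IsReadOnly) { Set-Disk -Number $DiskNumber -IsReadOnly $false }

# 'Convert MBR': initialize a RAW disk. MBR matches the post; GPT is the
# usual choice for new data disks and is required above 2 TB.
if ((Get-Disk -Number $DiskNumber).PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
}

# One partition spanning the whole drive, NTFS, with the next free drive letter
New-Partition -DiskNumber $DiskNumber -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Storage' -Confirm:$false
```

Run it from an elevated PowerShell session. The Get-Disk table at the top is worth reading before anything else so you are certain which disk number is the empty one; Initialize-Disk on the wrong disk is not reversible.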

Install Patch Manager Plus

At this point the server should be ready to go. Next, we need to download Patch Manager Plus. You can find the link to Patch Manager Plus here, where you can sign up for the free trial. The free trial is not time based, but rather device-count based, so we will be able to live on our “free trial” for as long as they offer it. Navigate to the site, and download the installer. We want the “On Premises” edition for this installation.

Patch manager plus installer

Run the installer as admin, and begin clicking through the menus. Accept the EULA and leave the default ports (unless they are conflicting with another service you have installed) and click Next. For this, you can allow it to install in the default Program Files directory, as we will have the updates moved to the second drive.

Networking and Ports

default ports for Patch Manager Plus
Let's just leave these as default for now

As you continue through the installer you will have a chance to register for free technical support. That is totally up to you; I skipped it since it is a home lab. Finally, we can click Finish, leaving the box checked to start Patch Manager. It may open in Internet Explorer, at which point you can close it and reopen it in Edge. It takes about a minute or two for the service to start fully (depending on available resources), so it may not be available right away. The initial web address (from the server) is http://localhost:8020. The default login is username admin, password admin.

start page for patch manager plus on first launch

On first login, you will be asked for an email address, and time zone. Configure these details, and hit OK. You will also see recommendations for set up at the top. Each of these is pretty self explanatory and you can work through the ones you want to configure. For now, I am going to focus on getting clients installed.

Change Admin Login

You have the option to configure SAML authentication with Active Directory. I may do this at some point, but for now I think it is best to just change the local admin password and go from there.

Click on your user in the upper right hand corner, and choose “Personalize” from the menu. The dialog box that comes up should have an option to change your password. Change that here so you can ensure it isn’t the default login.

Set Up Client for Installation

  1. At the top of the screen, click on the Agent tab, and then choose “Download Agent” using the button on the right-hand side.
  2. You will see a screen pop up. For now, Local Office is fine as we haven’t established any sites yet. Click “Download Agent” to confirm the download.
download agent dialog box
  3. Once the Agent downloads, the easiest place to start is by installing the agent on the server where Patch Manager is running. At some point we will probably want to create a share where we can access the agent to install on other devices, but for now we are starting with this server.
  4. Run through the installation as you would any app. There is a captcha-type experience where you have to type in a number, but that is only for the manual installation.
  5. Once the agent is installed, we can click on the Systems tab and see our new server. You’ll need to let it scan the server to find out what may be missing, but within a few minutes data should be available.
our first systems showing in Patch manager plus

Patch Download Location

Since we installed this application to the default C:\Program Files location, we need to change where the patches get downloaded to. We don’t want to fill up the C: drive, after all!

  1. First, open File Explorer. Navigate to our second drive, and create a new folder. It can be called anything; I called mine “Patch Repository”.
  2. Next, click on the Patches tab. Choose “Downloaded Patches” and navigate to Settings –> Download Patch Location. Since we haven’t downloaded anything yet, we can change the path here without needing to move any files. Replace the existing path with the one you created on the new drive.
  3. Once you change this and hit Save, it will ask you to move any existing files, and then restart the central server. You can do this by right-clicking the icon in the task bar, choosing “Stop Service” and waiting for it to stop completely. Once it is stopped, repeat the process to “Start Service” and get it going again.

Client Deployment

Finally, we will want to ensure that all other devices in the domain get the client installed as well. If you have SCCM, PDQ or another deployment tool, you can use that to push out the app. Since this is a small home lab, I will be installing the client manually. The console includes instructions for the other automated installation methods. To make all this easier, I recommend creating a share where the agent installer can be accessed from anywhere in the domain.

  1. Navigate to our spare drive, and create a new folder called “Agents”. Copy whatever installer you intend to use into that directory.
  2. Right-click the Agents folder, and go to Properties.
  3. Click the Sharing tab, and hit the Share button.
  4. Make sure you add Everyone (or Authenticated Users) to the list. Read access is enough for this, as long as Administrators has Read/Write. Keeping the share read-only for everyone else means a compromised workstation cannot swap the installer for something else.
  5. Save the changes, and hit OK through any remaining prompts.

Now this file can be accessed from any server or system in the domain. This will make installations much easier.
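As an added example (not from the original post), the same share created from PowerShell with least-privilege permissions at both the share and NTFS level. It assumes the spare drive is D: and reuses the “Agents” folder name from the steps above; it grants Authenticated Users read-only rather than Everyone, which is the tighter of the two options the post allows.

```powershell
# Added example, not part of the original post: create the "Agents" share
# with read-only access for domain users and full control for Administrators.
# Assumptions: the spare drive is D:, and the share name matches the folder.
$Path      = 'D:\Agents'
$ShareName = 'Agents'

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share-level permissions. Authenticated Users covers every domain user and
# computer account, so it is enough for installs from any domain machine.
New-SmbShare -Name $ShareName -Path $Path `
    -ReadAccess 'NT AUTHORITY\Authenticated Users' `
    -FullAccess 'BUILTIN\Administrators' | Out-Null

# NTFS permissions: break inheritance so a write-capable ACE inherited from
# the drive root cannot widen what the share grants, then add explicit ACEs.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
$rules = @(
    @('NT AUTHORITY\Authenticated Users', 'ReadAndExecute'),   # read and run the installer
    @('BUILTIN\Administrators',           'FullControl'),
    @('NT AUTHORITY\SYSTEM',              'FullControl')
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $Path -AclObject $acl

# Verify the effective share permissions
Get-SmbShareAccess -Name $ShareName
```

The NTFS step matters because share permissions and NTFS permissions are evaluated together and the more restrictive wins; if the drive root inherits Modify for Users, a read-only share is still the only thing standing between a user and the installer, so the explicit ACL removes that dependency.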

Configure Automatic Patch Cycle

Now we are getting ready to start using the tool. We want to create an automated patch plan to start. We can focus on specific plans and details later (based on individual use cases).

For now, we are going to create a plan that meets the following criteria:

  • At least 1 week after patch Tuesday (to allow for bugs and pulled patches)
  • Only during a late night deployment window (outside of business hours for our fictional business)
  • Only on Tuesday, Wednesday, or Thursday night (to avoid surprises after a long weekend of failed patching)

Automate Patch Deployment

  1. In Patch Manager, click on the Deployment tab, and click on Automate Patch Deployment.
  2. Click Automate Task, and it should take you to the configuration screen.
  3. Click on the “edit” button in the upper left corner to give this policy a name.
assign a name to our patch manager policy
Easy step to miss – set the Policy Name!
  4. Next, click on the Microsoft Updates section. Choose what you feel is appropriate. I chose the options listed in the image below. Click off of that menu, and you will see the option to patch all applications or specific ones. For now, just leave it at all applications.
patch manager microsoft updates policy
My preferred patch choices for our base policy
  5. Then, you can perform the same steps for Third-Party applications, Anti-Virus updates, and Driver updates. Since this is a home lab, I’m going to check the Anti-Virus updates (the lab is using Defender), and leave the rest unchecked. We can configure these policies separately.
  6. Next, it asks for a deployment time frame. In our criteria we said 1 week after Patch Tuesday, however there is a better way to set this. So leave this number as 0. I’ll explain this more later. Hit Next to continue.

Configure Patch Deployment and Schedule

  1. The next step is to pick a deployment policy. Patch Manager gives you an option to create a custom policy if you have specific requirements on deployment times and maintenance windows. Since we have specific criteria, click “Create/Modify Policy”.
  2. You have the option to create a policy from scratch, or to modify an existing one. Click “Create Policy” so we can make a new policy.
  3. Go ahead and give this policy a name, like we did for our deployment plan. Then under “Specify when patches should be deployed..” change the option to “Based on Patch Tuesday” (this is the better option I was talking about).

*NOTE*

Since Patch Tuesday (the second Tuesday of the month) can fall in the first or second (occasionally third) calendar week of any given month, it is difficult to ensure that patching cycles are always calculated correctly from a fixed calendar schedule. Using the “Based on Patch Tuesday” option lets the deployment window shift dynamically based on when Patch Tuesday actually occurs.
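As an added example (not from the original post), a small PowerShell script that computes Patch Tuesday for each month and the Tuesday/Wednesday/Thursday 00:01 to 04:00 windows that the criteria above produce, printing the calendar row each Patch Tuesday lands in so the month-to-month drift is visible. It assumes “first week after Patch Tuesday” means the Monday-to-Sunday week following the one containing Patch Tuesday; confirm the product’s exact meaning in the deployment policy screen before relying on it.

```powershell
# Added example, not part of the original post: compute Patch Tuesday and the
# Tue/Wed/Thu 00:01-04:00 windows in the week after it, to show how the
# calendar week shifts from month to month.
# Assumption: "first week after Patch Tuesday" is read as the Monday-to-Sunday
# week following the one that contains Patch Tuesday.
function Get-PatchTuesday {
    param([int]$Year, [int]$Month)
    $first  = (Get-Date -Year $Year -Month $Month -Day 1).Date
    # days from the 1st to the first Tuesday, then one more week
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $first.AddDays($offset + 7)
}

function Get-DeploymentWindows {
    param([datetime]$PatchTuesday)
    $weekStart = $PatchTuesday.AddDays(6)            # Monday after Patch Tuesday
    0..6 | ForEach-Object { $weekStart.AddDays($_) } |
        Where-Object { [string]$_.DayOfWeek -in @('Tuesday','Wednesday','Thursday') } |
        ForEach-Object {
            [pscustomobject]@{
                Start = $_.AddMinutes(1)              # 00:01
                End   = $_.AddHours(4)                # 04:00
            }
        }
}

# Calendar row (Sunday-start month grid) that a date falls in, 1-based
function Get-CalendarRow {
    param([datetime]$Date)
    $firstDow = [int](Get-Date -Year $Date.Year -Month $Date.Month -Day 1).DayOfWeek
    [math]::Ceiling(($Date.Day + $firstDow) / 7)
}

# Constructed sample year: print Patch Tuesday, its calendar row, and the windows
foreach ($m in 1..12) {
    $pt   = Get-PatchTuesday -Year 2024 -Month $m
    $wins = Get-DeploymentWindows -PatchTuesday $pt |
        ForEach-Object { '{0:ddd dd MMM HH:mm}-{1:HH:mm}' -f $_.Start, $_.End }
    '{0:yyyy-MM-dd} (row {1}): {2}' -f $pt, (Get-CalendarRow $pt), ($wins -join ', ')
}
```

The row number moves between 2 and 3 across the year, which is exactly why a schedule pinned to “week 2 of the month” can land before the patches exist or after the intended delay, while a Patch Tuesday relative schedule always keeps the same gap.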
  4. Next, we want to choose “First week after Patch Tuesday” and “Tues, Wed, & Thurs” for our days of the week. Set the deployment window to 00:01 to 04:00 (the window uses a 24-hour clock; adjust it if you aren’t doing late-night patching). We can leave the bottom choices at their defaults, as they are reasonable for what we are trying to accomplish. Hit Save & Continue.
patch manager deployment configuration
  5. On the next page, you can configure Wake on LAN, a pre-deployment reboot, or custom actions. For now, we will leave this alone, and hit Save & Continue.
  6. Next, configure notifications if you wish. We haven’t configured the SMTP server settings, so this won’t work yet, but that is fine. Choose Save & Continue.
  7. On the last page, we can determine whether we want it to reboot automatically or not. Click “Post Reboot/Shutdown” and drag it to the box indicated on the left.
  8. Specify whether you want it to reboot, the notification settings, and how long a timeout you want, and choose Save & Continue when you are done.
Deployment policy settings for patch manager complete
  9. Finally, preview the policy, and save it if you are happy. This will take us back to the deployment page. In your browser, go back to the tab that has our Automate Patch Deployment. Refresh the Deployment policy options and choose the policy you just created.
continue deployment policy

Define Targets and Notification Settings

  1. On the Targets page, you have to choose a location. Since we haven’t configured any domain settings, choose Local Office. Click the filter icon on the right-hand side. In the Include section, change the dropdown to “Dynamic Custom Group”. Click in the box beside it, and choose Windows Servers. This will ensure that new servers are automatically picked up by the base policy.
  2. Hit Next to move to the notification settings.
  3. Since we haven’t configured any mail settings, we will leave this off. Hit Save to activate the policy.

Conclusion

There you have it! You have the basics configured to keep your home lab up to date! Obviously there is a LOT more that can be configured in ManageEngine Patch Manager Plus, but part of the fun of a home lab is experimenting and learning! Give it a shot, and take a snapshot of the VM if you really think you are going to break it. This tool is great for the home lab because of the cost and the learning-friendly configuration. Is this something you think you want to implement? It is a pretty robust tool, and it may even be useful for a real small business.

I hope you find value in this series. It is helpful for me to go through these things writing as I go. It helps me remember the steps, and document my journey as I build a new home lab for myself. As always, I’m open to suggestions, and willing to update this as I go, so if you have suggestions on what I missed, please let me know.

As always, hit me up on Twitter @SeeSmittyIT to let me know what you thought of this post. Thanks for reading!

Smitty

Curtis Smith works in IT with a primary focus on Mobile Device Management, M365 Apps, and Azure AD. He has certifications from CompTIA and Microsoft, and writes as a hobby.
