Ask a question
We are always available to answer your questions. Send us an email at and we’ll get back to you as soon as we can. firstname.lastname@example.org
Frequently Asked Questions
Check the FAQ section for common questions
SnaPatch is an application that bridges the gap between System Center Configuration Manager, VMware and HyperV. It provides companies with a way to deploy patches to their windows fleet and removes the risk of those patches causing problems. It does this by ensuring a snapshot is taken before any patches are deployed. This allows a quick roll back to a previous point in time, before the patches were deployed and to a fully operational state. SnaPatch also has a number of settings, notifications and preferences that you may configure to customise to suit your environment.
Step by Step Installation
Below you will find a step by step guide on installing SnaPatch.
Ensure you meet the minimum OS requirements and you are a local administrator, then launch the executable.
The Prerequisites Wizard will confirm that all the requirements are installed. Click Next to begin.
This process may take some time depending on how may prerequisites need to be installed. A reboot may also be necessary. The wizard will determine which prerequisites are required to be installed. Click Next to begin the installation of any prerequisites and follow the prompts.
Once all the prerequisites have been installed and the server has rebooted, the SnaPatch installation wizard will appear.
Click Next to begin the install and follow the prompts. Once the install has finished, double click the SnaPatch shortcut on the desktop.
As this is the first time launching SnaPatch you will be presented with the configuration wizard. Click Next to begin.
Enter the username, password and domain of the service account. This account will be used to access, communicate and retrieve update information from remote servers. This is the account that will interrogate servers to determine if the patches have been installed. You may also use this account to access SQL, VMware and Configuration Manager.
Pressing Next will prompt you to test the service account. Enter the name or IP address of a remote server which can be tested using the service account. The service account must be a member of the local administrators groups on all target computers to be able to execute remote WMI commands.
Enter the details required to connect to the SQL database containing the configuration manager database. The account only requires read access.
Enter the names or IP addresses of your vCenter and / or System Centre Virtual Machine Manager (SCVMM server for HyperV) servers and an account that has at least “Snapshot Management” permissions.
Enter your configuration manager details and a user account that is a member of at least the “Application Manager” and “Software Update Manager” roles. The account must also be a member of the local administrators group.
Enter connection details to send email notifications. We recommend you send a test email before proceeding.
Select which tasks you would like to be notified for, and whether or not you want to be notified before snapshots are deleted – and if so, how many days prior.
Review the options and select your preferences. Click the blue question mark to get more information regarding each setting.
Tick the checkbox to confirm you have verified that the system date, time and regional settings are correct. Enter your license key and click on Activate to enable the license. Click Finish to complete the configuration process
Launch the application using the shortcut on the desktop
SnaPatch has a number of requirements to function correctly. Below you will find the minimum requirements for both hardware and software.
- 2 vCPU
- 4GB RAM
- 10GB free space
- Windows Server 2008R2 SP1 or above
- Microsoft .NET Framework 4.5
- Powershell 4
- Microsoft Database Engine
- VMware vSphere PowerCLI
Note: The server on which SnaPatch is installed must be a member of the same domain as the Configuration Manager server.
SQL Database Requirements
SnaPatch requires a connection to the SCCM database. It does not make any changes to the data in any way and only requires read-only access. The SQL server must be running at least SQL 2005.
VMware vCenter 5.0 is required as a minimum. The current version of SnaPatch allows connections for up to 5 vCenter servers. The account used to connect to the vCenter servers must have permissions to create and remove snapshots. This can be managed from within vCenter under the roles and permissions section. Typically we suggest using an account that is a member of the built-in “Virtual Machine Power User” role.
Configuration Manager Requirements
System Center Configuration Manager 2012 R2 is required as a minimum. The account used to connect to SCCM must be a member of the local administrators group on the SCCM server. The account must also be a member of the “Application Administrator” and “Software Update Manager” roles within SCCM.
The SCCM server must also have the following configured/enabled:
- Remote Powershell enabled
- WinRM Enabled
- Powershell execution policies set to “remote signed” for both x64 and x86
- Powershell 4.0
Note: The installer will automatically attempt to confirm the above settings.
Service Account Requirements
The service account is used to access, communicate and retrieve update information from remote servers. This is the account that will interrogate servers to determine if the patches have been installed.
The service account used by SnaPatch must be a member of the local administrators group on all target computers to be able to execute remote WMI commands.
You may also use this account to access SQL, VMware and Configuration Manager.
In order to receive email notifications you must have access to an SMTP server and an account that is allowed to relay through the service.
The Dashboard provides you with an up to the minute view of currently running jobs and their state. It also provides a list of all the previously executed jobs and their results. The charts at the bottom of the dashboard also give you a quick view of the overall success rates for both snapshots and patching. The current number of active and scheduled jobs are also displayed within the green and orange triangles.
Creating a SnaPatch Job
Click on the SnaPatch action from the home screen to begin. The main SnaPatch window will appear and show you a list of all the collections and servers within those collections. Place a tick in the checkbox against each server you want to target and press the “Add >> ” button to place them in the Target List. Any servers you have in the target list will be highlighted green.
Note: Changing collections will untick any servers you may have ticked in the previous collection, so make sure to add them to the target list before moving to another collection.
When you have finished adding all the servers to the target list you have the option to create a new computer group. A computer group is a collection of machines you have added to the target list. Creating a computer group allows you to recall that list of computers rather than finding and adding them to the target list every time. Once you have all the computers in your target list, click on the green arrow to proceed.
New computer group
To create a new computer group, add all the computers to the target list and click on
A new window will appear with all the computers from your target list. Provide a name for the computer group and a description. Press Create Group to complete the group creation.
Use an existing computer group
To use a computer group you created previously, click on
Note: If you have already added computers to the target list, recalling a computer group will replace any computers currently in the target list.
Create and deploy an Update Group
The next step after adding your computers to the target list is to decide which updates you want to deploy. You may create a new update group or use an existing update group created from SCCM. This section details how to create and deploy a new update group.
To begin, select the updates you want to deploy by placing a tick in the checkbox against the update. Once you have selected all the updates, press the “Create & Deploy Update Group” button.
You will be prompted to provide a name and description for the new Update Group.
Note: All the updates must be downloaded for an Update Group to be created. If you have selected an update that has not yet been downloaded you will be allowed to create the Update Group but not deploy it.
Deploy an existing Update Group
If you have already created an update group from within SCCM that you want to deploy, click the “Deploy existing Update Group” button. You will be presented with a list of update groups that currently exist.
Note: You may only select an update group if all the updates within that group have been downloaded. Any group containing updates still to be downloaded will have a red mark against them and you will not be able to select it.
Schedule the Job
Once you’ve selected to create a new update group or use an existing update group, the next step will be to schedule the job. You will be presented with the task scheduler window to create a new “trigger”. Click the “New” button.
The new trigger window will appear allowing you to set a schedule.
Note: We strongly advise that you do not schedule multiple jobs to run at the exact same time. To avoid any possible contention issues, we recommend that you schedule jobs to run a mimimum of 5 minutes apart.
Set a Maintenance Window
A maintenance window determines when the updates can be installed. The maintenance window also allows the servers to restart to complete the patching process. The start date and time are taken from the schedule, so all you need to determine is how much time to allow for the patches to be installed.
Note: Setting too short a window may not provide enough time for all the patches to get installed.
Press “Finish” to complete the process. The job will execute as per the schedule set.
Create an auto-deploy, set and forget SnaPatch Job
SCCM allows you to create “automatic deployment rules” which download and deploy patches based on a schedule and criteria you specify. The steps below will go through the process of creating a rule and having it deployed through SnaPatch. This will allow you to automatically deploy updates on a regular basis while having SnaPatch protect your servers.
Note: The steps below only include screenshots of the areas that are required to create the SnaPatch auto-deploy job.
Launch the Configuration Manager console and create a new Automatic Deployment Rule.
Provide a name and description.
Select “Add to an existing Software Update Group”
Untick “Enable the deployment after this rule is run”
Click Browse and select a collection – although this collection will not be used by SnaPatch to deploy updates, we suggest that you select an empty collection. This will ensure that SCCM or an administrator does not inadvertently deploy updates to machines.
Press Next to continue
Ensure “Automatically deploy all software updates found by this rule, and approve any license agreements” is checked and press Next.
Specify the criteria that will be used to add updates to the Update Group. In the below example the Product selected is “Windows Server 2012” and the Update Classifications selected are “Critical Updates” or “Security Updates”. Press Next to proceed
Set the evaluation schedule to “Run the rule after any software update point synchronization” and press Next
Leave the default settings for the “Deployment Schedule”, “User Experience”, “Alerts” and “Download Settings” as they will not be used. SnaPatch will recreate these settings based on your deployment schedule.
Create a deployment package. You may choose to deploy to an to existing package or create a new deployment package. In the below example we have created a new package
Configure deployment to all the distribution points (or as per your company policy)
Set the Download Location to “Download software updates from the internet” (or as per your company policy)
Specify the languages for the software update files that you want to download and press Next.
Review the Summary and press Next to create the auto deployment rule.
From the Automatic Deployment Rules window, find and right click the newly create rule. Select Run Now.
You will be shown a message stating that the rule has now been initiated and new updates found by the rule will be added to the Software Update Group
Allow some time for the system to process the request and create the Update Group.
Confirm the Update Group has been created by selecting “Software Update Groups” from the Config Manager console. Look for the name of the update group specified in Step1. You can tell which is the update group by viewing the “Created By” column and looking for “AutoUpdateRuleEngine”
If the update group has been created we are now ready to create the job from within SnaPatch.
Launch SnaPatch and select the computers you want to target. Add them to the target list or recall an existing computer group. Proceed to the Update selection window and click on the “Deploy existing Update Group” button. If you are not sure on how to get to this step please click here and follow the step by step guide on creating a SnaPatch job
From the existing update groups window, select the Update Group created earlier. In this example, it’s Windows Server 2012.
Set a schedule and maintenance window and SnaPatch will deploy any updates in the Update Group to the servers in the target list.
Manage Scheduled Jobs
SnaPatch jobs can be managed by clicking on the “Scheduled Jobs” action from the home window.
All the jobs that SnaPatch has scheduled, whether they have already been run, or are scheduled to run will appear here.
From this window you may;
- View and edit jobs – This lets you reschedule jobs if required
- Delete a single job
- Delete all the jobs – it will confirm that you want to delete ALL the jobs
- Enable or disable a job – this is useful if you want to keep the job but not execute it
- Abort a running job – do this by right clickin on the job and select Abort
- Manage the snapshot auto-delete job – this job is set to run at 11pm every day and will remove any snapshots older than the retention period specified.
Create an Update Group
An Update Group is a container for a list of updates. Update Groups are deployed to collections for installation onto the members of those collections. Update Groups are typically created from within SCCM, however SnaPatch allows you to create them during a job creation or directly from the home screen.
Click on the Windows Update action to view all the available updates.
You may apply a filter to display only the updates and operating system you specify. By default all available updates are displayed.
Updates are colour coded to make it easier to determine their class.
To view more details for any update, right click on the update and select “Details”. A new window will appear providing more information regarding that update.
Place a tick in the checkbox of the updates you want to include in the Update Group and press the “Create Update Group”. A window will appear asking you to give the Update Group a name and description.
Note: You will not be able to deploy an update group that includes an update which has not yet been downloaded. Only update groups where all the updates have already been downloaded will be available for deployment.
Configure SQL / Database Settings
SnaPatch requires a connection to the SQL database containing the configuration manager database. You can access the SQL settings from the home window.
From this window you may configure your connection to the SQL database.
- Select which authentication mode to use, Windows Authentication or SQL Authentication using the drop down option.
- Enter the SQL server name and the database name.
- Enter the user account to use when accessing the database – the account requires read-only access as it does not make any changes to the database.
- You may also use the Service Account to access the database
- Click on the Test Connection button to ensure you are able to connect and read the database. If the test passes, press Apply to store the settings.
Configure Hypervisor Settings
You may view, update or change your vCenter server and or your Microsoft System Centre Virtual Machine Manager (SCVMM for HyperV)settings by clicking on the VMware action from the home screen. You must list all your vCenter servers to allow SnaPatch to communicate with and access all your virtual machines. The user account must have at least “Snapshot Management” permissions.
Press Apply when complete. SnaPatch will attempt to communicate with the vCenter servers you have listed to ensure it can access them.
Configure SCCM Settings
You may view, update or change your Config Manager server settings by clicking on the Config Manager action from the home screen. You must provide the server name or IP address of your config manager server along with the site code. The account must also be part of the “Application Manager” and “Software Update Manager” roles within SCCM.
Press Apply when complete. SnaPatch will attempt to communicate with the server to ensure it has access.
Configure Service Account Settings
The Service Account is used to access, communicate and retrieve update information from remote servers. This is the account that will interrogate servers to determine if patches have been installed. You may also use this account to access SQL, VMware, SCVMM and Config Manager.
The service account used by SnaPatch must be a member of the local administrators group on all target computers to be able to execute remote WMI commands. Without this access SnaPatch will not be able to determine that status of patches installed.
Once you have provided the account details, press the Test button to confirm the account has the required level of permissions. You will not be able to apply the settings without testing the account.
Configure Email Settings
The email settings can be accessed from the main home screen. You may configure the SMTP server, ports and SSL settings. Along with a source address, credentials and two recipient email addresses. The recipient email addresses will receive email notifications on the status of running jobs, any scheduled tasks and reminder emails (such as snapshots to be deleted).
We recommend you send a test email to confirm the settings are correct.
Include computers running non-server operating systems The default scan setting is to only include computers running Server operating systems such as Windows Server 2008, 2012, etc. You may however change this setting so that the scan also searches for computers running non-server operating systems, such as Windows 7, Windows 8, etc.
This setting can be managed by clicking on the General action from the home screen.
Note: Changing this setting requires a restart of the application.
Configure VM snapshot settings
The default snapshot setting is not to include VM memory as part of the snapshot. Choosing not to include VM memory results in a much faster snapshot process, however restoring the snapshot will return to a VM to a powered off state. You may change this setting, however the snapshot process will take significantly longer. Choosing to include VM memory as part of the snapshot will allow you to restore to an active, running point in time.
The snapshot timeout period sets the maximum amount of time in minutes that a snapshot can take. The default settings is 30 minutes but you may set this anywhere between 15 – 120 minutes. Any virtual machines that have not had snapshots taken within this period will be marked as “snapshots failed” and will not be patched. Note: Be cautious not to set the timeout too low as you may not give the system enough time to take the snapshot.
Configure Snapshot auto-delete settings
The Snapshot auto-delete setting is enabled by default. This setting combines with the snapshot retention period in days to determine when and if to delete snapshots. If the auto-delete function is enabled it will delete any snapshots older than the snapshot retention period. Note: You may configure the system to notify you a set number of days before snapshots are deleted. This setting can be found under “Notifications”.
Exclude Servers from the snapshot auto-delete policy
By default no servers are part of the exclusion policy, however you may have a need to manually control when snapshots are deleted for some sensitive servers. The exclusion list is under the General actions window, directly beneath the “Snapshot Retention” section. Click on an empty row and enter the name of a server you wish to exclude from the snapshot auto-delete policy and click Apply to save the changes.
The notifications settings are access from the main home screen. You may disable task notifications or enable it and specify which tasks to be notified on. The options for notifications are:
- Scheduled jobs starts – enabling this option will send an email to the recipients specified in the email settings stating that a scheduled job has started and listing all the servers which are part of the job.
- Snapshots are completed – enabling this option will send an email to the recipients specified in the email settings stating the result of the snapshots for each of the servers that are part of the job.
- Patching is completed – enabling this option will send an email to the recipients specified in the email settings stating the result of the patching process for each of the servers that are part of the job.
Snapshot Retention Notifications
You may enable or disable notifications around snapshots being automatically deleted. If you enable this setting an email will be sent to the recipients specified in the email settings informing them about which servers and which snapshots will be deleted. You may also specify the number of days to be notified before the snapshots are deleted.
Administration Applying a license key
License keys are applied and managed using the licensing action from the main home screen. Selecting it brings up the license manager where you can view your current key information along with its limitations. If you are using a trial key, the expiration date will be displayed. If you are using a production license, it will display the server limit. The server limit stipulates the amount of servers the application will accept during the initial scan, any servers above the license limit will not be displayed and therefore will not be available from the patch window. Before applying the key you must confirm that the system date, time and regional settings are all correct. If they are not correct the key may become invalid or function incorrectly. It is very important that these settings are correct. Only once you confirm these settings are correct will you be able to enter and apply a key.
Checking for Updates
You may check for new versions of the software by clicking on the About action from the main home screen. Within that window you will find a “Check for Updates” button. The server on which SnaPatch is installed must have internet access to check for updates. See screenshot below for the location of the button.
Find current version
The About action from the main home screen will display the current version you have installed.
Below you will find some troubleshooting tips if you come across any issues, but please feel free to contact us if you need any help.
Jobs are not starting
If jobs are not starting, go into the Scheduled Jobs and ensure the jobs are not disabled and that they have a valid start date and time.
A timeout error has appeared
If the SQL server does not respond quickly enough to SnaPatch’s request, a timeout error may appear. It may be that the SQL server is too busy to respond. Close SnaPatch and try launching it again.
Jobs fail after snapshots are taken
Check that nothing has changed on the config manager server. Ensure the powershell execution policies haven’t changed and that the account still has access. Open the Config Manager settings and attempt to re-apply the connection settings. SnaPatch will reconnect to the config manager server and ensure all the permissions and settings are still valid.
Check the log file
The log file can be found in the snapatch.log file.