Submit a ticketCall us

Quickly Address Software Vulnerabilities
Patch Manager is an intuitive patch management software which extends the capabilities of WSUS and SCCM to not only patch Windows® servers and workstations, and Microsoft® applications, but also other 3rd-party applications which are commonly exploited by hackers. Learn more about our patch management solution.


Home > Success Center > Patch Manager > SQL account permissions for Patch Manager

SQL account permissions for Patch Manager

Created by Interspire Import, last modified by MindTouch on Jun 23, 2016

Views: 66 Votes: 2 Revisions: 8

When you install Patch Manager, you have the option of using a local SQL server or a remote server for the Patch Manager database. In either case, Patch Manager requires two accounts to interface with the SQL server:

  • Service account: The Patch Manager service account creates the Patch Manager database on the SQL server, and then maintains communication between the Patch Manager server and the database. If you choose to use a local SQL server, you have the option to specify a particular service account, or accept the default local service account, which Patch Manager creates during the installation.
  • Reporting account: When Patch Manager creates the database, it also creates the ewreportuser account in SQL Server. Patch Manager uses this account to run reports, and you cannot change the account or define an alternative one.

Requirements for the Service Account

Patch Manager requires the following of the service account, depending on the deployment option you choose.

  • If you choose to use a remote SQL server, the service account must be a domain account with access to a remote SQL server.
  • The service account must be a member of the SysAdmin group in SQL Server during installation and upgrades. This requirement allows the service account to create and modify the Patch Manager database.
  • The service account does not require ongoing SysAdmin permissions in SQL Server. After it creates the Patch Manager database, it becomes the database owner (DBO), which waives any requirement for elevated SQL permissions.

Note: If you choose to run Patch Manager with a remote SQL server, Patch Manager has the additional requirement noted in this list. This allows the service account to maintain a connection to the remote SQL server.

Mixed-mode Authentication (not required)

Some users have questioned whether Patch Manager requires the remote SQL server to have mixed-mode authentication enabled. Patch Manager does not have this additional requirement, despite the fact it utilizes both a Windows account and a SQL account. The reporting account is a least-privilege account that only requires permission to connect and execute SELECT statements. Since it does not require SysAdmin permissions, mixed-mode authentication is not necessary.

Last modified
01:18, 23 Jun 2016