Hey all, I'm looking for some help with the newer Software Management module for MS patching.
First, I'm not a MSP... I'm a Sys Admin for a corporation. I have a little over 800 workstations in Kaseya and I was wanting to set up a simple plan to scan all workstations for MS important/critical patches and then patch the machines up on Thursdays and Fridays.
I set up the scan/analysis profile to scan every 2 days. The deployment profile was set to deploy patches at 10am on Thursdays and Fridays via the Kaseya Update method.
Today at 10am, our network was brought to its knees with all our sites coming back to the Kaseya server getting patches. We waited a couple hours and it was getting worse, so we eventually shut down our Kaseya server to get our network performance back so our company could operate.
We currently have Kaseya shut down and won't bring it back up until this evening and hope things will work out over the weekend.
I thought with the new system, not all computers would try to get their patches at the same time. I noticed there is no "distribution window" option available like there was in the old patching which would prevent all agents trying to get updates all at the same time.
Do I have any options here?
Ideally it would be great to have control over patches (being able to approve, deny, force reboot reminders, etc) but have the computers get the updates from the internet, not the Kaseya server. ... and not all at the same time. Is that possible?
How do you currently set up your scan and deployment profiles? Are they set up according to machine groups or some other structure?
You should set a schedule in place to minimize network impact. Again, this is based on machine groups.
We started migrating from the old patch management to Software Management. There are override profiles available for you to approve/deny patches. As I understand it, the new Software Management module will try to grab patches from other machines first before trying to go out over the internet to receive their patches.
Software Management works well with policies. We have a number of policies in place that control reboot and have certain patches denied. Have you set up Software Management with a policy???
Thanks for the responses. I had one policy that basically enrolled all workstations to the same scan/analysis and deployment profiles.
The idea is I wanted "All Windows Workstations" assigned to the same profiles to ensure all new/future computers would be auto enrolled to get updates.
I just got off the phone with support and it sounds like because there is no distribution window, I will have to create about 30 to 40 different deployment profiles. ... sounds like a huge pain! Each of those profiles would have to be assigned to groups or something like that. I'm not sure I fully understand how to do that. Much of our Kaseya environment is broken up into actual physical offices. If one of the offices has 150 computers, that's probably not going to work either as all 150 computers would try to apply patches at once.
He said he thought they are working on putting in the distribution window option, but he doesn't have a timeframe.
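As an added example (not Kaseya code and not posted by anyone in the thread) of the batching that support described: a small Python planner that splits a constructed site inventory into staggered deployment profiles sized to each site's WAN link, flags sites that cannot fit the deployment window, and compares peak concurrent downloads against the unstaggered case. The site counts, link speeds, 300 MB payload and 50% link share are assumptions.

```python
from dataclasses import dataclass
from math import ceil

@dataclass
class Site:
    name: str
    machines: int
    link_mbps: float   # assumed WAN link from the site back to the VSA server

def machines_per_batch(link_mbps, payload_mb, slot_min, share=0.5):
    """How many agents can finish a `payload_mb` download inside one slot
    while using at most `share` of the site's link."""
    usable_mb = link_mbps * share / 8 * 60 * slot_min   # Mbit/s -> MB over the slot
    return max(1, int(usable_mb // payload_mb))

def plan(sites, window_len_min, payload_mb, slot_min=30, share=0.5):
    """Split each site into staggered batches (one deployment profile each).
    Returns {site: {"per_batch", "offsets_min", "fits"}}; a site whose batches
    do not fit the window is flagged rather than silently squeezed in."""
    result = {}
    for s in sites:
        k = machines_per_batch(s.link_mbps, payload_mb, slot_min, share)
        n = ceil(s.machines / k)                  # number of profiles for this site
        result[s.name] = {
            "per_batch": k,
            "offsets_min": [i * slot_min for i in range(n)],  # start offset of each profile
            "fits": n * slot_min <= window_len_min,
        }
    return result

def peak_concurrent(sites, schedule):
    """Worst-case simultaneous downloads hitting the VSA server: the first
    batch of every site starts at offset 0, so the first slot is the peak."""
    return sum(min(schedule[s.name]["per_batch"], s.machines) for s in sites)

# Constructed inventory; the numbers are illustrative, not from any real site.
SITES = [Site("hq", 150, 50.0), Site("branch-a", 30, 10.0), Site("branch-b", 40, 5.0)]
WINDOW_MIN = 7 * 60      # 10:00-17:00 deployment window
PAYLOAD_MB = 300.0       # assumed average patch payload per machine

if __name__ == "__main__":
    sched = plan(SITES, WINDOW_MIN, PAYLOAD_MB)
    for name, p in sched.items():
        print(f"{name}: {len(p['offsets_min'])} profiles x {p['per_batch']} machines, fits={p['fits']}")
    print("peak concurrent downloads:", peak_concurrent(SITES, sched),
          "vs", sum(s.machines for s in SITES), "unstaggered")
```

A site flagged `fits=False` needs a longer window, a second deployment day, or a lower payload (more aggressive denials) before its profiles are created.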
An additional approach is to schedule QoS on the network layer and apply it to the VSA server. You'd be able to manage how much bandwidth is used during the deployment period.
In addition to the distribution window concept that was explained to you, there will be additional enhancements that will include better queue management during scan and deployment and eventually a way to manage bandwidth so you wouldn't have to go through the extra steps of configuring QoS.
Thanks Jeffrey! QoS might be an option... I'll talk to our network guy. Would that slow down other things though such as remote control?
Ideally deployment would run during off hours where employees and techs aren't usually in the office. If so, no one should really be affected.
But assuming your team works overnight and depending on how you assign QoS, the impact should be minimal. Initial connection may be slightly delayed (relay) but will automatically switch to P2P (direct) connection which will provide you high throughput and low latency.
Make sure the admin (or endpoint) machine has access to stun.kaseya.com for P2P to occur (help.kaseya.com/.../reqs). And in case your satellite offices use SonicWall, make sure consistent NAT is enabled (helpdesk.kaseya.com/.../229012808-KRC-cannot-get-P2P-connection-through-Sonicwall).
I have spent a lot of time with the Kaseya Dev and product team using the software management module. Some tips:
1. I would not scan all servers at the same time; it will probably hit your network traffic badly.
2. In deployment I would break it up into groups of 100 servers; it's easier to manage.
3. Also what we have noticed is that on devices with a large number of patches outstanding you will take a serious hit on storage.
4. The scan and analysis profile is pretty good but does not distinguish between OS or app; for this you use the advanced overrides. We have 2 per customer. 1 is to deny all 3rd party patching and the other is to deny non OS patches and service packs (we manage these in a different patch process due to issues that could arise).
5. Keep in mind that the SM module is not actually the full product; from what I have heard that will be in 9.5. It still has a number of teething issues which has caused me lots of grey hairs, but I find that sometimes you need to push Kaseya to get help.
6. Advanced overrides are a problem if you use deny and approve together on the same machine as you need to consider the weights. So I just use denies all round.
see my reply on this similar topic: community.kaseya.com/.../23691.aspx
Hey jeffrey.odolski - not sure how we're going to manage running patching outside normal office hours.
The bulk of all machines for our customers is notebooks and tablets, so they go in sleep mode a lot of the time and spend their evenings in all sorts of bags. It's practically very difficult to reach agreements about turning on their machines in home locations to get patching downloads done. So, that's a nice way to describe the premise for Software Management, but not something that'll actually work that way.
So, in practice, outside just a few customers, we do our patching during the day. Although we are only using that on our own machines so far, we do notice it'll be next to impossible to manage, since all patches will be downloaded from the Kaseya server and having some 200 customers using Patch Management at the moment, that'll be massive and I can only hope our internet line can keep up. We'll be upgrading from 100 to 200 Mbit after Christmas, that should help...
I haven't heard that Software Management as it is now in 9.4 is less complete than it will be in 9.5 - could you comment on that, please? This module is officially released and supported in 9.4 as I understand it.
Yes, it's officially supported but is in a controlled release; as I understand it they are adding features/changes based on feedback. It's not in beta or anything but it does have teething issues, which is normal on any new product, and Kaseya have been pretty good on acting on my feedback.
See comment under 9.5 for software management at following link. community.kaseya.com/.../roadmap.aspx
I get that patches should be rolled out during non business hours. However, like OudjesEric, over half of our environment will be offline in the middle of the night. I'm assuming that would mean when everyone gets back in first thing in the morning, deployment of patches would go crazy and I would be right back where I was.
I suppose changing the patches to something like 1am would at least cut the amount of computers that would need patches during the day in half.
I wish there was a way to have control over the patches, but tell the computers to go to the internet to get them instead of coming back to the Kaseya server. In other words, still give me the control for approvals/denials and timing, but go to Windows update to get them.
I'll be playing some more with it and doing testing. I'm just no matter how much testing I do in small batches, it will still be a problem once I setup patching for the whole environment.
zimbo2000: You hit it right on the nail. Software Management is ready to go and is available in 9.4 and 9.5. However, enhancements are going to continuously be added to improve performance and account for additional workflows.
ddudenhoeffer: To answer a couple of things:
1. We plan to introduce a "Skip if offline" option to Software Management to prevent force-deploying on machines the moment they come back online.
2. We also plan to introduce Wake on LAN as a built-in functionality of SM down the road so you don't have to schedule them separately. For now, consider scheduling WOL prior to deployment for always-connected workstations.
3. But OudjesEric is right -- WOL wouldn't fly for mobile devices. As mentioned earlier, we're working on improving performance overall so it'd be less of an issue during day patching.
4. I hear your point about having a way to get downloads from WU directly. We'll look into it.