Hoping someone in here may be able to assist. Running into a brick wall with MSoft support.
I am looking at getting the relevant MSoft patches installed for the Meltdown/Spectre vulnerability, but for whatever reason, the specific patches are not showing as available on ANY of our endpoints (Windows7, 10, Server 2008 r2, 2012 r2, 2016).
I've installed the REG key via Kaseya script (https://automationexchange.kaseya.com/products/469#details) and also our version of Webroot supposedly auto adds the REG key anyway.
However, when we run Windows Update, the patch does not show, which in turn obviously means Patch Management does not find it.
I logged a support ticket with Kaseya, who said I need to log through MSoft, but i've had no luck.
Wondering if anyone has had success with installing the January security patches (as mentioned in this Kaseya page) - https://helpdesk.kaseya.com/hc/en-gb/articles/115003793172
Hey Marty James - We did have a small hickup during the deploy phase, but we're using Software Management to do it for us. Being generous, I would say it's not really a complete product yet. But, I have to add it does do the job for us enough to keep using it and test it for the time being.
For our customers we still use Patch Management and that is doing the job as well. So, you should be able to use that as well.
As a backup we also created two Agent Procedure that can reset Windows Update and run a Powershell version to update all pending critical patches.
Since Kaseya's default options communicate with Windows Update, those 4 options should all roughly do the same thing and that's detect patches and deploy them.
If those 3 options don't work, you've got something special and if running Windows Update locally doesn't do what's supposed to do. Talking to Microsoft to find what's blocking the process is the first step. You should look at the WindowsUpdate.Log file in your Windows folder. It's probably big, but should have a reason for what's going wrong....
Marty James - Oops, it takes some time to get my brain working on a Monday morning. This sounds like you're missing the registry key Microsoft decided to use on the January patches. You should know that your antivirus solution, if it's got Microsoft approvement, sets this key and in rare cases you have to set it yourself.
I don't have details handy at the moment, but googling that should make clear what you can check...
Again, good luck!
Hi, the January (and now February) patches have generally been detecting and installing correctly for us.
Are/were you running Symantec SEP? I ran into one customer that was previously running SEP where the January and February patches weren't showing up under Windows Update on multiple Server 2008 R2 systems. I tracked this down to remnant SEP folders and registry keys left behind after the uninstallation - it turns out that Windows Update checks for *more* than just the QualityCompat registry key. After removing these the detection and installation worked correctly.
Although it's a very long and meandering thread check out the posts by 'J Niland' and 'BSpies1' towards the end - social.technet.microsoft.com/.../servers-not-being-offered-security-patch-for-meltdownspectre
Our Patch Management does not have any of the Windows 10 Version 1709 (Fall Creators Update) cumulative updates. I opened a ticket and support told me that they and MS are looking into it:
"We have identified an issue with Microsoft's API for these patches and opened a case with MS to resolve. Our team is working directly with Microsoft to find a resolution for this issue."
It seems that KB4074588 is now available in our patch management but only for Finnish language OS.
I have already added the REG key (via Kaseya script), and our version of Webroot supposedly adds the key automaticaly anyway.
Our Windows Updates seem to be working (i.e I can most other updates), just seems to be those specific patches that for the Meltdown/Spectre vunerability.
Just odd that is on ALL our different versions of Windows/Winows Server.
Does anyone have a recommended support channel with MSoft? When I call them, they ask for our Software Assurance number (which we don't have), and when I ask for a call back, they only call back during the night when i'm in bed, no matter how many times I change the call back request time.
Interesting update - I found the February 2018 and March 2018 updates for Windows 10 Version 1709 have recently appeared in our VSA. I hunted down which machine was showing this patch as 'missing' (to try to understand why the scan was apparently 'working' on that machine) and found it was one single machine that has been doing *offline* scans. We didn't deliberately set it for offline scans but it would appear the offline scan method *does* allow the most recent updates for Windows 10 Version 1709 to be correctly detected.
Now the metadata is in our VSA perhaps I can work out a tricky way to make the March 2018 update 'missing' from all the other Windows 10 Version 1709 systems so it will actually deploy... hmmm..
I would recommend patchmanagement.org
Seems over time, the rolled up updates have appeard which includes the relevant patches, so seems we're back on track.
Any answer(s) back from support? I just put in a ticket for KB4074588 and KB4089848 that are not listed on my 1709 systems
I spoke to support. It seemed by the time we did testing, the following month's rolled up update included the said missing ones from previous month.
So unfortunatley support weren't able to find out WHY the patches were not showing, and once I could see later Cumalative updates were showing, I was happy enough (was too time poor to progress further with support).
Be interested to see how you go with support though. They mostly indicated the issue was on the Microsoft side, not Kaseya, but i'm not so sure.
I've had a ticket open with Kaseya about missing patches, but due to the slow response times, taking days for actual actions are taken, the missing stuff gets mysteriously found in the meantime.
Every month, for the past few months, we've seen missing patches without a real explanation. Kaseya points to the www.catalog.update.microsoft.com/Home.aspx and the need for a machine to want the patch and then it should automagically be added to the database.
I have asked about numbers, since we have about 16.000 or so patches in Kaseya at the moment. Is there any check to run if this is correct?. Due to the way it's set up that seems to be impossible, so I've serious doubts about this. Unfortunately Software Management is no alternative in it's current state, at least not for us and I guess for most of us with over a few hundred agents.
Does anyone have any updates on this? The only way we've been able to show machines needing this patch, or having it installed, is to run an offline patch scan. Online patch scans do not show this update as missing or installed.
Any help would be appreciated.
I was informed by support that the issue has been addressed in 9.5 and will NOT be addressed in 9.4. They happily told me about this being patched....in 9.5: help.kaseya.com/.../index.asp
That's pretty disappointing.
Despite claiming to support older VSA versions, I have lost count of how many bugs have been "fixed" but I have been told I have to upgrade to the latest version because they are not patching the one I am on. That's not what my support $$ are paying for.