Kaseya Community

Automatic Update vs. Windows Auto Update

  • Hello all!

    With regards to Patch Management, I was wondering what the differences are between Automatic Update vs. Windows Auto Update. Why use one versus the other?

    If Windows Auto Update is used, do you know if the defined Patch Policies are followed?

    Thanks!

     

    RM

  • Auto Updates is controlled by Kaseya - Windows Auto Updates is just that, Windows controlled. If you are using Kaseya you need to disable WUA from running. (I don't mean disable the service, just the run every day at 3am part.)

  • Thanks mmartin! So the Patch Policy set in Kaseya is not used in the Windows Auto Update?



    RM

     


    From: mmartin <bounce-mmartin@kaseya.com>
    To: community_bestpractices@kaseya.com <community_bestpractices@kaseya.com>
    Sent: Tue Jul 19 18:23:05 2011
    Subject: Re: [Kaseya Community: Best Practices] Automatic Update vs. Windows Auto Update


     



    [edited by: rmorsli at 9:00 AM (GMT -7) on 7-26-2011] update contact info
  • The simple answer:

    Microsoft Update on the local machine does not allow you to manage large-scale deployments and does not support any functional kind of patch policy.  Kaseya Patch Management allows you to decide on a per machine, machine group, or organizational level what patches are approved (Patch Policy), when to check for new patches on a recurring basis (Patch Scan), when to install patches on a recurring basis (Automatic Update), install exceptions to patch policy (Machine Update, Patch Update), and make changes to any of these settings on the fly.  There's no need to log into a local machine to change an update schedule - it's all done from the VSA, providing a single pane of glass for your patching environment.

    The details:  

    The Windows update program (the name varies based on the Operating System, but is usually called "Automatic Updates", "Microsoft Update", "Windows Update", or "Update My Computer" and is found in the Programs menu and/or Control Panel) leverages Microsoft's Windows Update Agent (WUA.api) to negotiate all of the transactions between the endpoint and Microsoft's patch catalog.  This negotiation compares the patches that are applicable to the endpoint to those that are actually installed/missing on the endpoint.  When you run "Automatic Updates" on the local computer, you can choose the process to run with a Custom option so you can see which patches are missing and choose the ones you want to install.  This is all done manually from the local computer.  It requires you log in and manage which patches you want to install on a single machine at one time.  You can configure Automatic Updates to run to download and install patches on a schedule, but that, too, can require some manual intervention.

    When Kaseya manages patch scan, the wua.api is leveraged by Kaseya to do the job it does best - communicate with Microsoft to determine the missing patches.  The information is logged and parsed by the KServer.  The results of those scans populate the Patch Status page for each machine and the lists of patches available to manage by Patch Policy within the environment.  Using either method, Microsoft is 'deciding' which patches are needed, but Kaseya allows you to manage those patches and gives you direct visibility into the patch status of each endpoint within your environment.

    As previously mentioned, it is recommended that you disable Windows from managing patching on the local endpoint, but this does not mean that the Windows Update Service/Agent should be disabled.  In fact, the service is required in order for Kaseya to complete patching.  To disable Windows Auto Update (the program, not the service), navigate to Patch Management > Configure > Windows Auto Update, select the endpoints, select "Disable..." and click Apply.  This will ensure that you can manage all patching via Kaseya and that Windows Auto Update doesn't automatically install a patch that you've denied by policy.

    There are some services that must be running and websites that must be available in order for Kaseya to best manage patch scans and patch installations.  If you're having any difficulties with detecting patches, patch scans, missing results, or patch failures, KKB000781 outlines some useful information to help troubleshoot these issues.
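
The end state recommended in the answer above (Windows Auto Update turned off, Windows Update service still available) can be spot-checked on an endpoint. This is an added example, not part of the original post and not Kaseya's code: it assumes the state is read through the standard Windows Update Agent COM object and Win32_Service, and the function names are hypothetical.

```powershell
# Added example: audit one endpoint for "auto update off, service still usable".
# Assumption: state is read via the standard WUA COM API and Win32_Service;
# this does not show how the VSA itself applies or stores the setting.

function Get-PatchControlFinding {
    param(
        [int]$NotificationLevel,     # IAutomaticUpdatesSettings.NotificationLevel
        [string]$ServiceStartMode    # Win32_Service.StartMode for wuauserv
    )
    $findings = @()
    # 1 = disabled; any other level leaves Windows notifying, downloading
    # or installing on its own, outside the approved patch policy.
    if ($NotificationLevel -ne 1) {
        $findings += "Windows Auto Update is still active (NotificationLevel=$NotificationLevel)"
    }
    # The service must stay available: scans and installs go through it.
    if ($ServiceStartMode -eq 'Disabled') {
        $findings += 'Windows Update service (wuauserv) is disabled; patch scans and installs will fail'
    }
    if ($findings.Count -eq 0) {
        $findings += 'OK: Windows Auto Update off, Windows Update service available'
    }
    return $findings
}

function Get-LocalPatchControlState {
    # Read the live settings on the machine this runs on.
    $au    = New-Object -ComObject Microsoft.Update.AutoUpdate
    $svc   = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    $level = [int]$au.Settings.NotificationLevel
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        NotificationLevel = $level
        ServiceStartMode  = $svc.StartMode
        ServiceState      = $svc.State
        Findings          = Get-PatchControlFinding -NotificationLevel $level -ServiceStartMode $svc.StartMode
    }
}

# Constructed sample inputs covering the three cases discussed in the thread.
Get-PatchControlFinding -NotificationLevel 4 -ServiceStartMode 'Auto'      # scheduled install still on
Get-PatchControlFinding -NotificationLevel 1 -ServiceStartMode 'Disabled'  # service wrongly disabled
Get-PatchControlFinding -NotificationLevel 1 -ServiceStartMode 'Manual'    # recommended state

# Live check on the local endpoint.
Get-LocalPatchControlState | Format-List
```

Run on a schedule, the same check also catches an endpoint where someone has switched Windows Auto Update back on after it was disabled.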

  • Brande,

     

    Thank you so much. This is very helpful. So if I understand it correctly, it is recommended to go to CONFIGURE >  WINDOWS AUTO UPDATE  and set the configuration to DISABLE  (Disable Windows Automatic Update to let patch management control system patching).

     

     

     

    From: Brande Schweitzer [mailto:bounce-blschweitzer@kaseya.com]
    Sent: Thursday, July 21, 2011 1:18 AM
    To: community_bestpractices@kaseya.com
    Subject: Re: [Kaseya Community: Best Practices] Automatic Update vs. Windows Auto Update

     


  • The recommendation is to disable Windows Auto Update.  You can do so from within the VSA. Once a machine is established on your VSA (agent installed), you can navigate to Patch Management > Windows Auto Update and choose the "Disable" option.   Please note that you will need to run a Patch Scan on the machine before you can change the Windows Auto Update setting via Kaseya.  This is because the configuration of this setting on the current machine must be known by Kaseya before it can be changed.  The current configuration is discovered during patch scan.  So once the endpoint is on the VSA, run a patch scan and then disable Windows Auto Update - all through Kaseya.

  • "This is because the configuration of this setting on the current machine must be known by Kaseya before it can be changed." I have to say this annoys me - surely there is a way to say Disable Auto Updates full stop and then when Kaseya figures out what the settings are of the machine it then just applies this information.

    It is another manual step that we have to do - when we do it every time.  Surely whatever script it uses to do this could just be strapped onto the back of the Patch Scan - that way when you set it, if somebody changes it back, the next patch scan resets it.