Kaseya Community

Patch Management Reports patches applied although they have not been applied

Our company used to use Kaseya that was provided by a Managed Services company, so I am hoping someone might still be able to answer my question.

Our Management Reports were showing all of our systems as receiving patches monthly, but when checking this with the Microsoft MBSA scan tool, the patches were reported as not applied. At the time we did not have WSUS and the patches had been getting applied correctly since 2009 until October of 2010.

Has anyone found a time when Kaseya would report Windows patches being applied although they have not actually been applied?

If so, please point me to the forums, as I have not been able to find any information in the forums showing that Kaseya has ever reported that Windows patches have been applied to systems when in fact they had not been applied.

Even more helpful would be information for such an issue during the time period of October 2010 through June of 2011.

We stopped using Kaseya as a result of such problems with a combination of others and the only information I have been able to find to date is the standard reasons Kaseya would report incorrectly, but only for things such as:

  • Patch Scan fails
  • Patch Status shows no patch data (only dashes) even after patch scan
  • Patch Status shows no missing patches but you believe there should be some
  • Patch Status numbers do not appear to be changing over time when you believe they should
  • Patches show as Missing or Failed in Kaseya but are installed on the endpoint
  • Patches show as Missing or Failed in Kaseya but they are not missing according to Microsoft Update

All of the above mentioned had been checked and confirmed as not being an issue with Kaseya being configured correctly, services running properly and access to all of the MS Update sites was working.

Verified Answer
  • dlopez,

    Kaseya leverages the Windows Update Agent (WUA) to determine the status of patches on a per-machine basis.  WUA will report all patches that are applicable to an endpoint and then report whether the patch is installed or is not installed.  Kaseya uses this information to provide patch status information.  Because of this, it is not possible for Kaseya to report a patch as "Installed" when WUA does not report the patch as "Installed."  It is possible for Kaseya to not reflect a patch as "Missing" when a local scan or a MBSA scan does report the patch as missing.  This occurs when the scan is not completing against the primary data source (Microsoft's online patch catalog) but when the local (or non-Kaseya) invoked scan does complete against the online catalog.  Other third party tools that do not use WUA as the scan source may reflect a status different than what you find in Kaseya, but these would not be accurate comparisons.

    The MBSA tool will sometimes reflect that a patch is not installed BUT Kaseya (completing against the online data source) might NOT show that patch as missing/not installed.  This occurs when MBSA is reporting on patches that have been superseded.  If a patch has been replaced by a newer patch, the older patch is not installed but the newer patch is installed, there are times when MBSA will report the older patch is missing but Kaseya will not reflect this patch as missing because the newer patch is present.  Running a scan on the local machine via Control Panel > Windows Update (scanning for all products, not just OS-level patches) OR via Program Menu > Microsoft Update should return the same results as the Kaseya results since the same utility is being used for both scans.

    As a note, Kaseya does not currently support device drivers or definition updates (MS Defender definitions, Forefront definitions, etc.), so these will not show within Kaseya as either installed OR missing.
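
The answer above says patch status comes from the Windows Update Agent, so a reported "applied" state can be cross-checked by querying WUA directly on the endpoint. The PowerShell below is an added example, not code from Kaseya or from the posters; the KB numbers are constructed placeholders, the function name `Get-WuaKbStatus` is hypothetical, and it assumes the machine is opted in to Microsoft Update.

```powershell
# Added example: ask the Windows Update Agent (WUA), through its COM API, for the
# status of the KBs that a management report claims were applied.
# Constructed placeholders: replace with KB numbers taken from your own report.
$ReportedApplied = @('KB0000001', 'KB0000002')

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# ServerSelection: 1 = managed server (WSUS), 2 = Windows Update, 3 = other service.
# The ServiceID below is Microsoft Update (all products, not just the OS).
# Assumption: the machine is opted in to Microsoft Update; if it is not,
# set ServerSelection = 2 and remove the ServiceID line.
$searcher.ServerSelection = 3
$searcher.ServiceID       = '7971f918-a847-4430-9279-4a52d1efe18d'
$searcher.Online          = $true   # scan the online catalog, not cached results

# Hypothetical helper: run one WUA search and index the results by KB number.
function Get-WuaKbStatus {
    param([string]$Criteria, [string]$Status)
    $map = @{}
    foreach ($update in $searcher.Search($Criteria).Updates) {
        foreach ($kb in $update.KBArticleIDs) {
            $map["KB$kb"] = [pscustomobject]@{
                KB              = "KB$kb"
                WuaStatus       = $Status
                Title           = $update.Title
                # Number of older updates this one replaces
                SupersedesCount = $update.SupersededUpdateIDs.Count
            }
        }
    }
    $map
}

# Type='Software' leaves device drivers out of the comparison.
$installed = Get-WuaKbStatus "IsInstalled=1 and Type='Software'" 'Installed'
$missing   = Get-WuaKbStatus "IsInstalled=0 and Type='Software' and IsHidden=0" 'Missing'

$ReportedApplied | ForEach-Object {
    if     ($installed.ContainsKey($_)) { $installed[$_] }
    elseif ($missing.ContainsKey($_))   { $missing[$_] }
    else {
        # WUA lists the KB as neither installed nor missing, for example because
        # a newer installed update has superseded it (the case described above).
        [pscustomobject]@{ KB = $_; WuaStatus = 'NotListedByWUA'
                           Title = $null; SupersedesCount = $null }
    }
} | Format-Table -AutoSize
```

A KB that the report marks as applied but that comes back here as `Missing` is the discrepancy worth investigating; `NotListedByWUA` usually needs a check of which newer update replaced it.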

All Replies
  • Thank you Brande for the outstanding and quick response! This is exactly what I understood in terms of how Kaseya works and is the response I was hoping for.

    Just an FYI, MBSA does in fact have the capability to report using the same utility as Kaseya and Microsoft Update as it is an option that may be selected or not depending on whether WSUS is deployed or other circumstances.

    When we encountered the problem I mentioned, I ran MBSA with the MS Update/WUA option as well as the Microsoft Update option from the control panel in order to confirm my results.

    The point of this was to prove that Kaseya did and does work properly and to determine whether we were provided with inaccurate information by our former Managed Services Provider.

    Thank you so much for clearing things up for us.