Kaseya Community

Meltdown/Spectre - Kaseya VSA Patch Management

  • Hi All,

    I am sorry for creating a new post but I didn't want to hijack another person's thread.

    As I understand it, prior to having the update available you need a REG Key on your machine. Not taking credit for this as this procedure was posted on the forums by Douglas Sanchez: https://automationexchange.kaseya.com/products/469 (thank you).

    I have tested on a few Windows 10 machines and I can confirm that this installs the REG key without a hitch and afterwards the patch which wasn't available was found and installs automatically. This update was done outside of Kaseya using the inbuilt Windows Update.

    After installing the patch, running a patch scan and an audit (figured why not) I cannot see the patch in Kaseya against the agent on my machine - it doesn't show that it is an installed patch as far as Kaseya is concerned. I can 100% confirm in Windows Update History it is there.

    So my question: What is the process to deploy the patch through Kaseya whether we are talking about Windows 10, 7 or Server OS? Once the Reg key is inserted and a patch scan run against machines - will this show up in the patching module for us to deploy?

    Windows 10 may take care of itself; we all know the issues with stopping Windows Update with that OS, but our Server and Windows 7, 8 machines are told to only deploy through Kaseya VSA.

    Looking forward to an answer if anyone could help.



  • John_DJC,

    We are experiencing the same problem, but as far as we can see only Windows 10 1709 is affected.

    According to our distributor (Upstream - the people behind the Kaseya Power Pack), Kaseya is aware of this problem and working on a solution.

  • Hi John,

    If the patch you installed was KB4056892, then what I think may be happening is that Kaseya is unaware of that patch.

    The reason? When Windows 10 endpoints contact the Microsoft Update Catalogue to establish which patches they require, they'll not be offered KB4056892 but, instead, KB4056891 - the Jan 2018 Cumulative update that included the Meltdown patch along with the other new updates/fixes. As a result, Kaseya never bothers with KB4056892 as no machine says it needs it. A similar situation evidently exists for Win 7, 8.1, 2008 and 2012 as Microsoft released the monthly roll-up packs a week early for these machines and they also include the Meltdown patch.

    I'm happy if anyone can confirm or clarify this as I've been asked the same question by managers.

    Typo corrected
    [edited by: Mark_N at 11:27 PM (GMT -8) on Jan 9, 2018]
  • Any updates? I'm about to create an agent procedure that installs these patches that are missing from Kaseya Patch Management.

  • According to Kaseya themselves (blog.kaseya.com/.../how-to-not-have-a-meltdown-over-meltdown), the patch/regkey thing is due to antivirus issues.

    I don't see Kaseya indicating if KES, KAM, KAV etc. are compatible?

  • We tested our KAV machines with a win 8.1 and 1709 (fall creator's update) win10 machine. Both had the registry key and in one of my tickets it was confirmed this is as expected and tested by Kaseya. Since we also run KAM on our machines, I can't be 100% sure it was KAV that set the key.

    We didn't want to wait on Software Management (we are in the process of testing on our own machines), so we ran the Agent Procedure published on the Automation Exchange, by Eugene: automationexchange.kaseya.com/.../472. This works for Win7, 8.1 and W10 (version 1709).

    Since doing this on a few machines we did run Software Management regulated updates and that seems to go OK, but that's not easy to see as Software Management doesn't know about patches you install outside of it. So, patches added by Windows Update or manually aren't indexed and that makes it complicated to manage. You need to go for complete, 100% Software Management control if you expect to manage this from Kaseya...