Kaseya Community

Don't Want Servers Patching Through Kaseya - Want to Continue Patching Client Machines Through Kaseya Though

This question is answered

I want to add Kaseya to our servers however I do not want them to be updated through Kaseya. We prefer to do the patching on our own. I am under the impression that if I add these new agents and don't assign them a patch policy that they will update through Patch Management still due to the message below that I found while browsing in the Patch Management membership section. 

Each machine must be a member of at least one patch policy in order to install only approved patches via Initial Update and Automatic Update. All patches will be installed regardless of policy settings if a machine is not a member of a patch policy.

So if I don't assign a patch policy what happens to these servers? Is anyone currently not updating their servers through Kaseya Patch Management but continue to update their client machines through Patch Management?

Verified Answer
  • In Patch Management > Patch Policy > Approval by Policy we have the preset zz[sys] - Server Patching policy with everything set to manual approval and deny superseded patches. It's probably the simplest way I think.

All Replies
  • You would have to schedule the Initial Update or Automatic Update to patch through Kaseya. So to answer your question, if you do NOT put them in any patch management policy or schedule an Initial Update or Automatic Update, it will NOT be patched through Kaseya.

  • I would recommend creating a "no patch" policy and assigning it to the servers in question. Set the patch schedule to a previous date. Uncheck the automatic update as well in this policy. I believe Kaseya may already have a no patching membership so that is one less step to create.

    The other question to consider is why don't you want VSA to manage your patches for the servers?

  • Thanks! So just to confirm -  if I just install the agent on the servers and let it go, no updates through Kaseya will take place?

  • Hey Chase, it's just not something we want to do at this point in time. I'm not saying we won't do it in the future but apparently there were issues with this before I even started.

    When you say no patching membership where can I find that? Is it already in the VSA? Thanks

  • It's easy to confuse Patch Policy with regular policy. If you do not assign a "Patch Policy" it will install everything if you have automatic update scheduled. If you create a Kaseya policy that has automatic update off for servers, that will ensure you don't patch them.

    We have a couple of clients like this where we have this exact policy to still turn off patch scans and automatic update, and it's applied with our "Servers" view.

  • Thanks Corey - I made a new policy called Servers - Deny Patching - now where would I go about changing the settings for that policy once it's made?

  • By settings do you mean what device it is applied to or changing the settings of the policy directly? Changing settings is done the same way you created it: Policy Management > Configure > Policies. After you make changes make sure you hit "Save and Apply" (the policy icon will be yellow if it is not applied). Then to assign it to machines you can do it two ways: assigning to the machine directly, or assigning the policy to a machine group. This is done through Policy Management > Assignment. If you choose Orgs / Machine groups, you simply find the policy on the right and drag it into the machine group on the left. (Think of it like Group Policy Objects.) If you want to assign a single server to the policy use the "Machines" tab, select the machine from the list, and click assign at the top and find your policy.

  • So patching has gotten a little more complicated with the introduction of Software Management. The bottom line is that UNLESS you have somehow configured a policy and assigned it in Policy Management, no patching is done just because you load the agent.

    You will want to go to Patch Management > Manage Machines > Automatic Update and make sure there is no schedule in there. It should be blank.

    Do not worry about the "Not a member" message. If you want to play it safe, you can certainly create a Deny Patching Membership group and assign the servers to that, but "Automatic Update" is the only place in Patch Management that can trigger a patch update.

    If you have Software Management, just make sure there are no "Deployment" policies assigned.

    That being said, now I get to push back... I have worked with many partners over the past 10 years that I have been training on Kaseya, and have heard the same refrain about wanting to manually patch. My answer is always the same... Give technology a chance. Whatever you are doing manually, it is not going to scale as you get bigger.

    I agree that there are some servers that are temperamental, and that is fine. Do those manually if you must, but what about all the other servers that can be patched and rebooted with no problems? What exactly are you doing manually that is so unique? I hear all kinds of excuses and reasons, but very few of them can't be solved by automation. For example, I had a partner that has a server that when it reboots, certain services do not always start. OK, so we figure out the services, and we wrote an Agent procedure to a) check to see if the service is running, b) if not running, start it, c) wait 2 min and if it still doesn't start, send an email out. We then take that Procedure and put it in the post-reboot actions, and you have now eliminated the need to baby-sit it forever.

    All I am saying is think about your recent experiences with patching these servers... How many actually gave you problems? Chances are few to none. Go ahead and set up the ones that are OK and patch them through automation. Claim your life back! :)
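
    The post-reboot check described in the reply above (check the service, start it if stopped, wait 2 minutes, email if it is still down), written as a PowerShell script. This is an added example, not part of the thread and not a Kaseya agent procedure; the service names, SMTP host and mail addresses are placeholders to replace.

```powershell
# Added example: post-reboot service check. All default values below are placeholders.
param(
    [string[]]$ServiceNames = @('ExampleServiceA', 'ExampleServiceB'),  # hypothetical service names
    [int]$WaitSeconds = 120,                                            # "wait 2 min" from the reply
    [string]$SmtpServer = 'smtp.example.invalid',
    [string]$MailFrom   = 'server-alerts@example.invalid',
    [string]$MailTo     = 'oncall@example.invalid'
)

$failed = @()
foreach ($name in $ServiceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $failed += "$name (not installed)"; continue }

    # a) Already running: nothing to do.
    if ($svc.Status -eq 'Running') { continue }

    # b) Not running: try to start it.
    try {
        Start-Service -Name $name -ErrorAction Stop
    } catch {
        Write-Warning "Start-Service failed for ${name}: $($_.Exception.Message)"
    }

    # c) Poll until the service is running or the wait period has elapsed.
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    do {
        Start-Sleep -Seconds 5
        $svc.Refresh()
    } until ($svc.Status -eq 'Running' -or (Get-Date) -ge $deadline)

    if ($svc.Status -ne 'Running') {
        $failed += "$name (status: $($svc.Status))"
    }
}

if ($failed.Count -gt 0) {
    # Still down after the wait: send the alert email and signal failure to the caller.
    $body = "Services not running after reboot on ${env:COMPUTERNAME}:`n" + ($failed -join "`n")
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject "Post-reboot service check failed on ${env:COMPUTERNAME}" -Body $body
    exit 1
}
exit 0
```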

  • I agree - we never use a "no patching" patch policy to "deny all" internally or at any of our MSP customers. That's just one more patch policy to manage than what's necessary.

    For servers with manual patch requirements, we use a patch code of "NONE" that applies a policy that specifically sets the Patch Update schedule to none. The standard Patch Configuration policy does apply so that we still perform Patch Scans (for reporting).

