Kaseya Community

Simplest way to auto-approve Security Updates?

  • Hi,
    I'm just beginning to experiment with Kaseya's PM module.

    What would be the easiest way to use PM to *automatically* approve every patch that has a Classification of Security Update (all levels)? I recall this being rather simple and effective with WSUS, and would like to have the same capability in Kaseya.

    My initial thought was to:
    a) Create/Delete: create a policy named Security Updates

    b) Approval by Policy: set view to Classification, then Set default status to Approved for each of the 5 categories of Security Updates (e.g. Critical, Important, Moderate, Low and Non-rated).

    c) Membership: assign my new Security Updates policy to all Windows machines

    Is there any downside to this approach?

    One concern I had was that PM would attempt to apply inappropriate Security patches (e.g. a Windows XP machine would not need a Windows Server 2003 patch). Does Kaseya's PM have enough smarts to not attempt inappropriate patches based on operating system?

    I also am concerned that a machine might download inappropriate/unneeded patches - which would waste KServer, LAN & disk resources.

    Lastly, how does PM deal with superseded patches? e.g. if a machine has Win XP SP3, will PM be smart enough to ignore all patches noted with "Superseded By: KB936929 Windows XP Service Pack 3 (KB936929)"?

    I guess my last 3 questions are really asking if Kaseya PM has the smarts - or do I have to define everything?

    TIA,
    -Mike

    Legacy Forum Name: Simplest way to auto-approve Security Updates ?,
    Legacy Posted By Username: ReedMikel
  • First problem: if an agent is a member of multiple policies, the most restrictive will apply. So you can approve these; however, anywhere else where they aren't approved, they will not apply.

    Kaseya DOES have the smarts to differentiate by OS.

    I believe only the required patches are downloaded to the file source and then installed from there.

    Superseded patches are only installed if required :)

    Hope this helps!

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: LANWorx
  • Thanks LANWorx!

    How about this scenario:

    Say we have an XP SP2 machine. What happens if our PM policies have approved both Windows XP Service Pack 3 as well as lots of patches that are notated "Superseded By: KB936929 Windows XP Service Pack 3 (KB936929)". Is Kaseya PM smart enough to skip all the superseded patches?

    In my earlier example the machine was already an XP SP3 machine. And you stated PM would be smart enough to know that a machine that was already SP3 did not need these superseded patches. But what about the scenario where some Approved patches are superseded by another approved patch?

    Also, is there any way to test what patches will be applied to a given machine based on the machine's current policy(s) - without actually doing the patch?

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: ReedMikel
  • Yes to all (you can stop reading here if you wish! ;) ).

    The order in which patches are done is this (simple version):

    OS Service Packs, OS security patches, OS optional.

    So technically, superseded patches should be skipped.

    Yes, you can view what patches will be applied to a given machine by opening up the agent details box and viewing the 'Patch Status' tab.

    If I can be any clearer, let me know!

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: LANWorx
  • You are being CRYSTAL clear - thanks!

    Being a programmer, I question everything :) And I assume nothing :)

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: ReedMikel
  • Good call :)

    Now, that is technically the order in which patches are applied, so technically it should skip them. I haven't tested it though!

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: LANWorx
  • Thanks for clarifying that you have not tested these issues!

    Are there some Kaseya docs on this subject that you are basing these assumptions on?

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: ReedMikel
  • Yes, under the initial update tab of your Patch Management module, you will see the following information listed:

    Automatically applies all service packs and patches according to the Patch Approval policy. Service packs and patches are installed in the following order: (1) Windows Installer, (2) OS related service packs, (3) OS update rollups, (4) OS critical updates, (5) OS non-critical updates, (6) OS security updates, (7) Office service packs, (8) Office update rollups, and (9) All remaining Office updates. 


    Glad to help.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: LANWorx
  • Hmmm, what happens if one never uses the Initial Update function? Does Kaseya use this same logic when it applies patches as part of PM's Automatic Updates?

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: ReedMikel
  • Going back to my opening post:

    I created a policy named Security Updates and then approved all 5 levels of Security Updates. I then assigned my Security Updates policy to a machine. If I now review the Patch Status screen for this machine - I see all the security updates listed as expected - great...

    I then created another new policy named XP Workstations. Now I approved several patches for it, such as XP SP3. I then added this new policy to the same machine. I then check Patch Status for this machine and now NO patches show as approved :(

    I guess the problem is that the most restrictive setting wins (e.g. security updates are approved in one policy, but pending in the other)? If that's the case, it sounds like my idea of having one Patch Policy just for the approval of all Security Updates will not work under PM?

    Any suggestions as to how to accomplish this? Again, my goal is to simulate WSUS's feature where you can automatically approve patch categories, such as Critical Security Updates. In WSUS, automatically approved patches always win - regardless of any other patches you may have approved or denied...

    I guess one answer is to stick to a single policy for any given machine? That would mean I'd take my XP Workstations policy and approve all 5 types of Security Updates.

    Why is this so mind-numbing? :)

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: ReedMikel
  • We generally have two policies, we don't get too in depth with this side of things.

    One is servers, one is workstations (big surprise here, eh?) and we generally approve/deny things based on these.

    Our process for workstations is to leave patches a week or two (we have a calendar reminder each time we need this done) and then find if any patches have caused any issues. If they haven't, we approve all pending patches and push them out.

    Our process for servers is to again leave patches for a week or two, then look for patches we know that do not cause problems and approve those. We're then a little more selective in the others and will generally approve these a few at a time I believe.

    If you think this is mind numbing, just wait until you receive weird errors that neither you nor Support can explain, random patch install failures and recurring KB numbers that you approved just yesterday. It's great fun and keeps me employed!

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: LANWorx
  • I just started delving into PM, so I may not have thought this through enough. But my first impression is that PM policies are too restrictive. I do not think a policy's patch setting of "Pending Approval" should override another policy's setting of "Approved" for the same patch.

    When 2 or more policies are assigned to the same machine, I would think it should work as follows:
    Deny overrides Approved
    Deny overrides Pending Approval
    Approved overrides Pending Approval

    I'd argue that the current implementation where Pending Approval overrides Approved makes little sense and severely limits what can be done with *multiple* policies...

    But I am a newbie at PM, so I'll keep sifting through this forum and post some support tickets as well...

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: ReedMikel
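The two combination rules argued over in this thread (the "most restrictive status wins" behaviour ReedMikel observed when his Security Updates and XP Workstations policies were both assigned to one machine, and the Deny > Approved > Pending Approval precedence he proposes in his last post) can be modelled in a few lines. The following is an added example written for this page, not Kaseya code and not a description of how the PM module is implemented internally: the policies, patch ids other than KB936929, and the assumption that a patch absent from a policy counts as Pending Approval are all constructed for illustration. It reproduces the empty approval list from the two-policy experiment, shows the proposed precedence producing the approvals the poster expected, and shows that the single-policy workaround (folding the security approvals into the XP policy) gives the same result under the observed rule.

```python
"""Model of how per-policy patch statuses combine on a machine assigned
several patch approval policies.

Added example for this forum thread; it is not Kaseya's own code and only
reflects the behaviour described in the posts above. Sample policies and
patch ids (except KB936929, Windows XP SP3) are constructed.
"""
from enum import IntEnum


class Status(IntEnum):
    # Ordered so that max() yields the Deny > Approved > Pending precedence.
    PENDING = 0
    APPROVED = 1
    DENIED = 2


# Constructed sample policies: patch id -> status in that policy.
# Assumption: a patch not listed in a policy is Pending Approval there.
SECURITY_UPDATES = {
    "KB-SEC-1": Status.APPROVED,
    "KB-SEC-2": Status.APPROVED,
}
XP_WORKSTATIONS = {
    "KB936929": Status.APPROVED,   # Windows XP Service Pack 3
    "KB-SEC-1": Status.PENDING,    # security patch left pending here
    "KB-OPT-9": Status.DENIED,     # an optional update explicitly denied
}


def status_in(policy, patch):
    """Status of a patch in one policy (Pending if the policy omits it)."""
    return policy.get(patch, Status.PENDING)


def most_restrictive(policies, patch):
    """Observed rule: Denied if any policy denies; Approved only if every
    policy approves; otherwise Pending. A single Pending blocks an Approved."""
    statuses = [status_in(p, patch) for p in policies]
    if Status.DENIED in statuses:
        return Status.DENIED
    if all(s == Status.APPROVED for s in statuses):
        return Status.APPROVED
    return Status.PENDING


def deny_approve_pending(policies, patch):
    """Proposed rule: Deny overrides Approved, Approved overrides Pending."""
    return max(status_in(p, patch) for p in policies)


def effective_statuses(policies, rule):
    """Effective status of every patch mentioned in any assigned policy."""
    patches = sorted(set().union(*policies))
    return {p: rule(policies, p) for p in patches}


def approved(policies, rule):
    """Sorted list of patches that end up Approved under the given rule."""
    return sorted(p for p, s in effective_statuses(policies, rule).items()
                  if s == Status.APPROVED)


def single_policy_workaround():
    """The poster's fallback: one policy per machine, with the security
    approvals merged into the XP Workstations policy."""
    return {**XP_WORKSTATIONS, **SECURITY_UPDATES}


if __name__ == "__main__":
    both = [SECURITY_UPDATES, XP_WORKSTATIONS]
    print("observed rule, two policies :", approved(both, most_restrictive))
    print("proposed rule, two policies :", approved(both, deny_approve_pending))
    print("observed rule, merged policy:",
          approved([single_policy_workaround()], most_restrictive))
```

Under the observed rule the two-policy assignment approves nothing, because every patch is Pending in at least one of the two policies; the merged single policy and the proposed precedence both approve the two security patches plus SP3 while still honouring the explicit deny.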