Kaseya Community

Denied Patch failing to install

  • Hello,

    Patch KB960082 gave us a bunch of problems (failed to install) so last week I denied it. This week, as our servers are patching on their scheduled night, they are reporting that the same patch, KB960082, failed to install.

    Why the heck is it attempting to install after I've denied it?

    The Policy that it is denied in is "Servers" and all the servers are a member of that Policy.

    The patch scans run once a day. Not sure what other info is relevant.

    Basically, I'd like to know if there is something else I need to do to prevent this patch from trying, and failing, to install? ...did I miss something?

    thanks in advance

    Legacy Forum Name: Denied Patch failing to install,
    Legacy Posted By Username: pdxkid
  • I'd recommend you log a support ticket for this. To help us track it down, include the information above and an example of a machine it recently installed on.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: dwalsh
  • Thank you Dominic

    PS. It is great seeing folks from Kaseya chiming in on the Forums and helping - thanks!

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: pdxkid
  • Patch kb960082 is actually showing on 5 occasions in my patch approval.
    I guess you have denied most of these but still have ONE patch approved.

    Jump into your patch approval policy and filter on kb article 960082. You should see all 5 patches and hopefully you will see at least one approved (which you can deny)

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: garry
  • In my experience, there are two steps to "stopping" a denied patch from installing.

    The first is to deny all instances of the patch, which in many cases is listed a number of times. The way I find it easiest to to this is to go into Patch Mgmt > Patch Policy > Approval by Policy, select your policy, and click the "Approved" header. I then Ctrl-F (Find) all instances of the KB number (in your case 960082), select the checkbox to the left and hit the [Deny] button at the top of the page, and keep repeating until there are no remaining instances of 960082.

    Then, with all the 960082's denied, the next step is to cancel the instances that have already made it through the approval process into the scheduler and been scheduled to install. This is done by going into Manage Updates > Patch Update, selecting KB960082's [Machines] button, selecting all applicable systems, and clicking [Cancel]. Do this for each of the 960082's you see listed under Manage Updates > Patch Update. Once each instance is cancelled, the patch denial policy denial will take effect for that instance of the patch and (again in my experience) it should stop trying to install from that point.

    -Dan

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: DNeuwir
  • When you deny a patch the pending flag should be cleared for all machines that have alrready had the patch scheduled for Automatic Update. We did previously have a bug where this was being missed, and this was addressed by a recent hotfix.

    If you are fully hotfixed it should not be necessary to manually cancel updates after denying a patch.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: dwalsh
  • Thanks everyone, I will revisit this now with your suggestions. The help is much appreciated.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: pdxkid