Kaseya Community

Patch Policy & Windows Update

  • Via Kaseya patch management you can assign a machine to a Patch Policy AND configure Windows Auto Updates to automatically download and notify the user for installation (for example). Should these two ever be used together?

    Also, if you set Windows updates to download and notify the user to install, will the reboot action after install (reboot at 3am - for example) only kick in after the user installs the update?

    Legacy Forum Name: Patch Policy & Windows Update,
    Legacy Posted By Username: ellen@keycomputing.com
  • There are few scenarios where you would use both. Normally, when setting up a machine or group for patch management, you disable Windows Automatic Update (WAU), as WAU has no knowledge of your patch approval policies, and will, if left on, install patches that you've blocked.

    Just set the policy for WAU to "do not check for updates". When Kaseya scans for available updates, it will invoke WAU to get a list of what's available for that machine, which you can then review (in patch policy) and approve or deny.

    Best practice is to disable WAU and use Kaseya for patching. If WAU is left on, it will undermine your patching policy by installing potentially incompatible updates (the selling point of patch management, IE7 anyone?).

    The only reason I could see you wanting both, is if you wanted to be able to trigger an optional update, without actually managing the machine.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: dwujcik
  • In Kaseya - Windows Automatic Updates the options are
    - disable
    - user control
    - Force WAU - Notify user; Auto Download & Notify, Auto Download and Schedule install AND Auto Updates required but user config.


    So when you indicated "Do not check for updates" you mean Disable?

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: ellen@keycomputing.com
  • Best if you use the below:

    - WAU should be disabled as the legacy Windows auto-updates has nothing in general to do with Kaseya patch management.
    - Use the reboot option as notify through email for servers.
    - Use automatic updates as they use patch policy approved patches only.
    - Design patch policies in a way that they allow you to block a patch for a single Kaseya group or category (servers/wks) and one to allow across the Kaseya board, so that they can be controlled in a better way.
    - Use the patch report to know the patches missed, invalid credentials while patching and auto-update option changed on machine.
    - Use scripts to do the missed patches or do them manually.

    Thanks,
    Mandeep Nagra.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: mnagra
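
The thread recommends disabling WAU on Kaseya-managed machines and watching for the auto-update option being changed on a machine. The script below is an added example, not part of the thread and not Kaseya code, that classifies a machine's WAU setting so drift can be spotted. It reads the standard Windows Update policy registry values `NoAutoUpdate` and `AUOptions`; that Kaseya writes these same values, and that they line up with the Kaseya option names listed above, are assumptions, and the function names are hypothetical.

```powershell
# Added example: classify the Windows Automatic Updates (WAU) policy on a machine.
# The key below is the standard Windows Update group-policy location.
# Assumption: the Kaseya WAU options in the thread map onto these values.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# AUOptions values and the thread's option they are assumed to correspond to.
$AuOptionNames = @{
    2 = 'Forced: notify user'
    3 = 'Forced: auto download and notify'
    4 = 'Forced: auto download and schedule install'
    5 = 'Forced: updates required, user configures'
}

function Get-WauState {
    param([hashtable]$Values)   # NoAutoUpdate / AUOptions as read from the key

    if ($null -eq $Values -or $Values.Count -eq 0) { return 'User control (no policy set)' }
    if ($Values['NoAutoUpdate'] -eq 1)              { return 'Disabled' }

    $opt = $Values['AUOptions']
    if ($null -ne $opt -and $AuOptionNames.ContainsKey([int]$opt)) {
        return $AuOptionNames[[int]$opt]
    }
    return 'Policy key present, AUOptions not recognised'
}

function Read-AuPolicy {
    # Returns an empty hashtable when the policy key or its values are absent.
    $v = @{}
    if (Test-Path $AuKey) {
        $p = Get-ItemProperty -Path $AuKey
        foreach ($n in 'NoAutoUpdate', 'AUOptions') {
            if ($null -ne $p.$n) { $v[$n] = $p.$n }
        }
    }
    return $v
}

# Constructed sample inputs (not taken from a real machine).
$samples = @(
    @{ NoAutoUpdate = 1 },
    @{ NoAutoUpdate = 0; AUOptions = 3 },
    @{}
)
foreach ($s in $samples) { Get-WauState -Values $s }

# Live check: anything other than 'Disabled' means WAU can act outside patch policy.
$state = Get-WauState -Values (Read-AuPolicy)
if ($state -ne 'Disabled') { Write-Warning "WAU is not disabled: $state" }
else { "WAU state: $state" }
```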