One of the data elements we attempt to retrieve from the patch scan data obtained via the Windows Update Agent (WUA) API is the download link for the patch. Usually, this is a link to a single stand-alone executable (*.exe, *.msi, *.msu) used to apply the patch. In some cases, no link is provided or multiple links are provided. It is in these cases where patches will display the "Manual Install Only" or "Windows Update Web Site Only" warnings because we have no data to use for patch installation.
To mitigate this, Kaseya provides a free and automatic service to locate and provide a suitable download link for a single stand-alone executable if one can be identified. When patch scan results are processed, patch-specific data is collected for those cases where no link is provided or multiple links are provided. Additionally, patch-specific data is collected for those cases where the download link is for a CAB file. The CAB file is a patch installation package that can only be processed using the WUA API for download and installation. A background process will routinely collect this data and submit an email to Kaseya. These emails are collected and processed every workday by a Kaseya engineer. A tool aggregates this data so the engineer can use it to try to locate a single standalone executable (*.exe, *.msi, *.msu) for the patch download link. Using the collected patch data, if a single stand-alone executable is identified by the engineer, it is entered into our tool along with its command line switches. If a single stand-alone executable cannot be identified, the engineer then sets a flag to indicate how the patch is to be treated. If the original download link is a CAB file, we leave it as is. In version 5.1 and later, patch installation scripts will automatically use the WUA API to download and install patches having a CAB file in the patch download link. For those cases where no link is provided or multiple links are provided, the engineer will either set the flag to indicate "Manual Install Only" or "Windows Update Web Site Only" is required. In general, "Manual Install Only" is selected when the KB article or the Microsoft download page provides multiple possible download links that cannot be resolved based on the provided patch data. For example, a download page might include different links for different editions of a product where the provided patch data gives no clue as to which edition of the product was identified. In general, "Windows Update Web Site Only" is selected when the KB article or other web page does not provide a download link and states that the update is available from Windows Update. Once the engineer processes all provided patch data, the tool is used to regenerate an XML file that contains these location override links or the "Manual Install Only" or "Windows Update Web Site Only" flags. This XML file is then placed on a Kaseya FTP site. All customer systems have a background process that runs every 4 hours to download this XML file. If it has changed in the last 4 hours, it is processed and the override data is loaded into the customer's Kaseya database, overriding the patch download link or the "Manual Install Only" or "Windows Update Web Site Only" flags for each patch as appropriate. Subsequent patch scans will use this override data in order to keep your systems current. Beginning in K2, the Internet-based Install Only warning is used rather than "Manual Install Only" or "Windows Update Web Site Only". In these cases, patch installation scripts will automatically use the WUA API to download from the Internet and install the patch thereby eliminating the need to take manual steps to install the update. Please refer to the Patch Installations Overview thread in the Patch Management forum for details. A word about security of these system-generated emails is in order. The emails contain ONLY patch data collected from the WUA API. NO OTHER DATA is collected. There is no identifying data of any kind that could be used to identify any machine or any customer. The from email address is a Kaseya address, so we have no way to determine which customer's system even sent the email. Below is a copy of one such email. Fromatchnotification@kaseya.com [email@example.com] Sent: Thursday, July 15, 2010 8:25 AM To:firstname.lastname@example.org Subject: Patch Location Notification <?xml version="1.0" encoding="ISO-8859-1" ?> <PatchLocationNotification> <UpdateItem kbArticleId="971644" updateId="568d80cc-bfee-42a4-b0fb-cf517b482aa8" updateRev="101" bUpdateId="00000000-0000-0000-0000-000000000000" bUpdateRev="0" updateClass="220" bType="MultiFile" langName="Language Neutral" updateTitle="Platform Update for Windows Vista (KB971644)" productGuid="26997d30-08ce-4f25-b2de-699c36a8033a" productName="Windows Vista" /> </PatchLocationNotification> Should you decide that you do not want your system to send out these notifications to Kaseya, you can turn them off on the System -> Configure page by unchecking the checkbox for “Enable Invalid Patch Location Notifications.” Joe Paquette Sr. Software Engineer Kaseya Patch ManagementLegacy Forum Name: Patch Location Overrides Service OverviewLegacy Posted By Username: Joe Paquette