Kaseya Community

Machines failing on office updates

This question is not answered

We have multiple machines that are failing on Office 2007 updates, and I am not sure why.  The Patch management settings for the machines themselves are fine, the windows patches intall but not the Office patches.  Looking in the "Office Source" section, it says:

"Only machines with Office 2000, XP, or 2003 or an associated Office component application installed are displayed on this screen. Office 2007 is not displayed on this screen because an alternate installation source is not required. "

The machines have Offie 2007 Pro on them, installed and working.  I don't see anything obvious, and not sure where to look to dig deeper.

As an example, last night a machine updated with all the windows updates, but failed on all the oiffice udpates:

KB2289158  Security Update for Microsoft Office 2007 System (KB2289158)
KB2344875  Security Update for the 2007 Microsoft Office System (KB2344875)
KB2345043  Security Update for the 2007 Microsoft Office System (KB2345043)
KB2412171  Update for Microsoft Office Outlook 2007 (KB2412171)
KB953331  Microsoft Office Compatibility Pack Service Pack 2 (SP2)


Any ideas are much appreciated.



All Replies
  • I've been struggling with this for a while. The patches will fail and if I try to run them manually at the workstation it will tell me that either the correct product version is not installed or the patch itself is already installed. I had to resort to running Microsoft Update manually on newly added machines, then once they were up to speed everything seemed to work properly.

    Then I received this advice from Kaseya support and it worked for a few machines I tested it on last week:

    "A easier step that a developer refreshed me on was to  set File Source to "Download from Internet" temporarily and schedule Kaseya Automatic Update (has to be Automatic Update, not Patch or Machine Update), WUA API will be used to download and install the patch."

    It's a bit tedious, but I'm thinking that I may set the templates to Download from Internet for newly onboarded machines, then move them to the local file server once they're fully patched. And notice that it has to be Automatic Update...I didn't try this with Initial Update yet, but I'm hoping that will work too.

  • Thanks, I will give that a try.  I have a ticket open with support for this, I'll post back if I get an answer.


  • I will provide some background information to help troubleshoot this...

    Microsoft provide two ways to install their updates: -

    1) using the Windows Update mechanism (which also reports on missing/installed updates)

    2) most updates also have a downloadable install file, which can be used to auto-deploy updates over a network or install to machines which don't have internet access

    Wherever possible, Kaseya Patch Management uses the downloadable installer to deploy patches. This is to support "File Source" configurations where patches are sourced via a LAN share or the K server. The only exceptions are where there is no downloadable install file available from MS, and in these cases the patch is marked in Kaseya as "internet-based install only". These patches are deployed by Kaseya using the Windows Update mechanism (which we control with an API which is also used for the patch scan), and require the machine you are patching to have internet access. File Source policy is ignored for these patches.

    Going back to the problems reported in this thread, we have seen cases where after a patch has been installed using the downloadable install file, Windows Update (and consequently the Kaseya patch scan) still detects it as missing. This is why when you run the installer again, it reports that it is already installed. It prominently seems to affect Office 2007 patches.

    From a Kaseya perspective, there are two ways to approach this: -

    1) set the ignore flag for the patch (go to Patch Update, locate the patch, click the Machines button, select machines and click "Set Ignore"

    2) flag the patch as "internet-based install only" - to do this, go to Patch Location, find the patch and click the remove button. Now the next time you install the patch it will use the Windows Update API instead of the downloadable installer. Please note this function is only available for on-premises Kaseya products.

    3) as described in previous post, temporarily set File Source to "Download from Internet" and run an Automatic Update - all missing approved patches will be installed using Windows Update API

    [edited by: dominic.walsh at 9:54 AM (GMT -8) on 1-26-2011] Edited to clarify situation for SAAS Kaseya products
  • Thank you for this information Dominic...it sounds like a better long term solution than what I'm doing, but I can't find the "Patch Location" you are referring to. (I am using IT Center, if that makes a difference).

  • Jerry

    It may be that Patch Location is not available to you as an IT Center user because the configuration is global and it would impact other customers. Could you send me a PM with your ticket ID so I can check out the specifics of your case?

  • Tried this:

    "2) flag the patch as "internet-based install only" - to do this, go to Patch Location, find the patch and click the remove button. Now the next time you install the patch it will use the Windows Update mechanism instead of the downloadable installer."

    And it worked fine.  Thanks for the help!

  • It turns out that this is currently not an option in IT Center. If you're using IT Center and stumped by this, maybe what I'm doing will help you...

    When onboarding a client or series of machines, I use a template with Automatic Updates disabled and File Source set to Internet. Then I schedule Automatic Update for a few test machines and verify that all patches apply properly. Then I turn the rest loose (staggered to avoid a major hit on internet bandwidth) until all are up to date. Once I'm at a stable state, I configure a local location to store the patches and point File Source at that share. It's not ideal, but at least it's a solution that yields completely patched machines without manual intervention.

  • An alternative method if bandwidth is constrained and machines have a lot of missing patches: -

    1) configure template with desired File Source

    2) run Initial Update or Automatic Update once

    3) if there are some failures, flip File Source to internet only and run another Automatic Update

    4) switch back to desired File Source

    Its one extra step, but means that all patches are installed from File Source which can be.