Kaseya Community

Block Windows 7 SP1

  • Hi,


    Just trying to block windows 7 sp1 from being installed on our agents via kaseya. I cant seem to find it in the list of pending patches on my system. When researching the KB article I came accross KB976932 and when putting that in the patch overide it says that this KB article is not known.


    If anyone could provide instructions I would be very grateful.



  • I haven't seen it yet either, but I have my Service Packs classification group set to Pending Approval.

  • That specific patch has not yet been added by Microsoft to the MS Update Catalog (MUC).  You can check the catalog here:  catalog.update.microsoft.com/.../Home.aspx (use IE to accurately view this page).  If you search for the KB number and it isn't yet in the MUC, Kaseya won't have a way to know about it.

    However, you do have a couple of options.  As Jerry mentioned, you can set your SP classification to Pending Approval so SPs won't be deployed in your environment without your explicit approval.  Alternatively, you can set Win7 patches (or any product patches) to Pending Approval (within the Approval by Policy function, change the View dropdown to "Product").

    Finally, you can deny a patch for your entire environment based on the KB number even if the MUC hasn't been updated.  To do this, select the KB Override function on the Patch Management tab and enter the KB article number (just the number; omit "KB") into the "KB Article" field (add override notes if you wish) and click Deny.  You'll be notified that the article doesn't exist in the system; click Continue if you're sure you want to include the KB as an override.  The catch here is that if you have an inaccurate KB number for any reason, you the patch you think you're denying won't actually be denied (if the article number is 123456 but you inadvertently enter 213456, the article you intend to block will still be processed based on the Patch Policy and 213456 would be denied even if it's actually a valid patch).

    I hope that information helps.

  • I see that Windows 7 Service Pack 1 is available via Windows Update.  Is there an estimate on when it will made available in Kaseya patch management?


  • It should be visible on your KServer once available in the MUC after the first Machine Scan of an endpoint in your environment that can make use of the patch.  That is, if it is available in the update catalog, you will then need to scan a Win7 machine in your environment that does NOT have SP1 installed in order for the patch to list on the Kserver.  If you run patch scan weekly and you have Win7 (non SP1) machines as part of that weekly scan, it should show up within a week of being added to the MUC.  If you scan monthly, it would show up within a month of being added to the MUC.

  • thanks brande, that was helpful.

  • Still not showing in the MUC, yet it's been available for some time now on Windows Update.  Weird.  Wish it would show up so we could run the patch in our test environment.

  • Looks like it's SCHEDULED to hit WSUS and the catalog today.  We'll see if it happens. . .

  • Win7 SP1 is offically in the catalog.  Still not showing in K after re-scanning, it is showing  in Windows updates.

  • KB976932 is the right KB number but you need to enter it as : 976932  and then confirm you want to add it to the deny list

  • I'm still not seeing this in Kaseya...

  • I am not either, I created a support ticket.

  • Same here. Made a ticket, got the usual response.  The short version of my ticket - "I see SP1 in the catalog, verified it was available for this machine via Windows Update, I then did a patch scan in K and it didn't show."

    K's response - do a patch scan.  I'm still holding my breath.

  • There was an issue with some of the coding for this patch between Kaseya and Microsoft.  This has been updated and should be resolved as of this morning.  An automated script will need to run on your VSA (this is scheduled to occur automatically every four hours).  Once that runs, you will need to scan a Windows 7 machine that does not have SP1 installed for the patch to appear in the VSA.  Wait four hours (it might occur sooner depending on when the automated script is scheduled for your system), then run a scan against a Win7 machine without SP1.  If you still do not see the patch, please open a ticket with support to we can help to troubleshoot the issue.

  • Brande,

    That didn't work.  It's been four hours.  Did a new scan, nothing.  I already have a ticket open, but haven't gotten a response in a day or so.