Kaseya Community

Patch Scans are not reporting, machines aren't getting patched.

  • OK so a lot of our machines have no patch scan results. We looked up the agent procedure error and it was Windows Updates not being able to get to the site or whatever.

     

    So basically, we are enabling Windows Updates to User control and running a batch file on the machines to:

    sc config wuauserv start= auto

    sc config bits start= auto

    net start wuauserv
    net start bits

    Then I patch scan again and now they get results. So much for Disabling Windows Updates.

  • "So much for Disabling Windows Updates?" Why did you disable in the first place?

  • Have seen this behaviour on our 5.1 servers.  Like you we disable windows updates so we're controlling what gets installed and nothing is returned from a machine.  As soon as you switch it on it all works again.  Only happens sporadically so it's no big deal but it is annoying.

  • They are disabled to allow Kaseya to handle patching, but that was returning 800+ machines with no patch scan results. They had various issues with connecting to Windows Automatic Updates and after we enabled them, we were then seeing results and machines that were 'FULLY PATCHED' were actually far from that.  SIIIIIIIIGHHHHH

  • Disabling Windows Update via Kaseya does not stop the service; it only stops Windows from automatically checking..... If it is disabling the service then something else is at work.

    Kaseya relies on the Windows Update service, so it would make no sense that Kaseya would disable it.

  • Dantheman

    They are disabled to allow Kaseya to handle patching, but that was returning 800+ machines with no patch scan results. They had various issues with connecting to Windows Automatic Updates and after we enabled them, we were then seeing results and machines that were 'FULLY PATCHED' were actually far from that.  SIIIIIIIIGHHHHH

    Silly question, but are you accounting for your deny policies? Servers in Kaseya will show fully patched but still have patches waiting to install b/c of the Patching policy. Check your membership and the "Hide Policy" while reviewing your machine up to date patching.

     

    As for the patch scanning not working, I'm not 100% sure about this but there's an xml list on each machine agent temp, (patchscn, patchscn2). What happens if you delete those and rescan? 

  • You make a valid point, but we use policy management and patch management. We have no reason to disable these services. Just run Windows Updates on a Fully Patched machine and see what it tells you....lol.

  • I'd like to try to clarify a few things regarding this.  Kaseya does rely on the Automatic Update service for all patch scans and some patch installations (depending on file source configuration).  However, there is a lot of confusion when it comes to patching because there are a number of terms that are used interchangeably.  The main ones are Automatic Update(s), Microsoft Update(s), and Windows Update(s).  Here's the kicker:  each of these potentially refers to a service or to a program.  The service, wuauserv, must be enabled and started for Kaseya to invoke the Windows Update Agent (WUA.api) for scans and some installations.  However, the program that causes the notification bubble within the system tray (or that automatically checks for and installs missing patches) can be disabled.  The name of the service and the program will vary depending on the OS.  

    You can (and it is recommended you do) disable the program from checking for updates.  This can be done via the VSA under Patch Management > Windows Auto Update.  Setting this to "Disabled" disables the program but not the service.  

    The service wuauserv (Windows Update or Automatic Update, depending on OS) should be enabled and started (via services.msc):

     

    But it is recommended that the program (usually accessible via the Program Menu or Control Panel) be disabled:

     

    If the service wuauserv is disabled or not started, patch scans and installs will fail.  I should also note that the service called BITS, or Background Intelligent Transfer Service, is another Microsoft service that is needed for patching.  This service should be enabled and, ideally, set to started.  However, BITS is configured such that if it is enabled but not started, BITS should start when leveraged by another system/service.

    Thanks,
    Brande 



    [edited by: Brande Schweitzer at 8:50 AM (GMT -8) on 2-6-2012] spelling
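
The service-versus-program distinction from the post above, as an added example that is not part of the original thread or Kaseya's own tooling: a PowerShell check, run locally on a managed machine, that reports whether `wuauserv` and `BITS` are in the state the post says patch scans need. The function name is hypothetical, and the policy registry lookup is an assumption, since the page does not say where the VSA's "Windows Auto Update" setting is stored.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0 or later.
function Get-PatchScanReadiness {
    # $true  = service must be running for scans to work (wuauserv)
    # $false = enabled is enough; BITS starts on demand when another service uses it
    $mustRun = [ordered]@{ wuauserv = $true; BITS = $false }

    foreach ($name in $mustRun.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{ Check = $name; StartMode = 'n/a'; State = 'missing'; Ok = $false }
            continue
        }
        $disabled = $svc.StartMode -eq 'Disabled'
        $stopped  = $svc.State -ne 'Running'
        [pscustomobject]@{
            Check     = $name
            StartMode = $svc.StartMode   # Auto, Manual or Disabled
            State     = $svc.State       # Running, Stopped, ...
            Ok        = (-not $disabled) -and (-not ($mustRun[$name] -and $stopped))
        }
    }

    # Informational only: the Group Policy location for Automatic Updates.
    # Assumption: a disabled update *program* may show up here as NoAutoUpdate = 1.
    # A disabled program never makes a scan fail, so this row is always Ok.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check     = 'AutoUpdateProgram'
        StartMode = 'n/a'
        State     = if ($au -and $au.NoAutoUpdate -eq 1) { 'disabled by policy' } else { 'no disabling policy found' }
        Ok        = $true
    }
}

$report = Get-PatchScanReadiness
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'wuauserv or BITS is not in the state patch scans need; expect empty scan results.'
}
```

A machine that fails the `wuauserv` or `BITS` row is the case the `sc config ... start= auto` and `net start` commands at the top of the thread correct.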
  • Both of your questions are non-factors when all I had to do was enable updates and start those services to show me patches IN KASEYA to be installed. No files or policies affected this, I changed none of those.