Just curious how many of you have taken action to ensure all your managed Windows boxes are patched with this latest RDP critical vulnerability? If you've taken action, tell us your story. We would love to hear how you pushed the patch to affected machines and how you've measured its deployment.
This vulnerability was a pretty big one. If you haven't heard here's the bulletin from Microsoft.
more details on that burger please?
I use Adito VPN, so I don't have RDP directly exposed to the internet.
2484 servers: patch forced out of patch policy using Patch Update; workstations pending = customers more secure.
The first problem is that when you try to find one patch to roll out, you are faced with a list of ALL the patches that you have not denied. No filtering, no search, no sort capability. Worse, all superseded patches also show up, and there is no way to filter those out. Trying to find one set of patches that way is awful. What were you guys thinking?!
Then there was the usual stupidity with the scheduling module. We have a fair number of servers that are not on automatic update, so I scheduled it with a fairly large window of time. Because I wanted to make sure that the patch was actually going out, I scheduled it for the day. Firstly, you don't get any confirmation that the patches are scheduled, nor is there any quick way to tell how many machines are actually scheduled for something like this, because it's technically multiple patches. What is worse is that the scheduler does some very strange stuff when actually scheduling anything. What seems to have happened (I cannot say for sure, because Kaseya doesn't show what has been scheduled) is that Kaseya grouped a very large group of upgrades together, which slowed the system down to the point that it might as well have crashed. I had to cancel the update and schedule it for the night.
I'm not impressed. It's a shame, because this could shine, if it were done right.
Kayza - one option is to use Patch deploy under agent procedures.
One thing I found is that I don't see that in my system: when I go under Approval by Patch and filter by the KB article (2671387), it doesn't find anything.
I would assume it should show up by now in my patch list... I have all my machines scan on Wednesday, so it should be there...
@Kayza - agree it is a nuisance. What would be nice is if there was an option when these critical updates appear that you could just select the patch and tell the system to apply it to all machines that require it quickly.
@Mark - look for KB2621440
Hi @Alistair!
Am I missing something here? Isn't that exactly what should happen? Ok, it's a two step process, policy then deploy, but it should just be:
1. Go and override the approval for all policies.
2. Go via Patch Deploy and make sure that filters are un-ticked.
Ok, so you will have to pick all the products that have KB2621440, but even in a busy system that'll probably be about 10 items, takes about 1 minute. It does of course rely on the fact that one has been regularly scanning machines and has all the reboot and file source settings in place. But as long as one has been keeping on top of all of the patching every month then getting this patch out to 10 or even 10,000 machines should be no more than a few minutes work?
anyone got an agent procedure for this they can post
Hi Niknaks456, you can use Patch Management for this, which saves creating an Agent Procedure. Of course you may want to customise the process to allow for certain environmental conditions; that's when a specific AP can be useful.
Just go to Agent Procedures -> Installer Wizards -> Patch Deploy and follow the instructions. This will create an installer for the patch, which you can then customise if you want to add other steps, download from a central source, etc.
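On the question in the opening post of how to measure deployment: the thread's own steps push the patch through Kaseya, but the following is an added example (not from any poster here, and not a Kaseya agent procedure) of checking from PowerShell whether KB2621440 actually landed on each managed host, so the rollout can be counted independently of the patch views. The host names are constructed placeholders; the check assumes WinRM/RPC access to the hosts and reads the same Win32_QuickFixEngineering data that Get-HotFix exposes.

```powershell
# Added example: count hosts where KB2621440 is present, reporting unreachable
# hosts separately so they are never mistaken for patched ones.
$kb    = 'KB2621440'
$hosts = @('SERVER01', 'SERVER02', 'WKS-FINANCE-07')   # constructed sample list

function Test-KBInstalled {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $HotFixId
    )
    try {
        # Pull the full hotfix list so that a connectivity failure (caught below)
        # is distinguishable from "reachable, but the KB simply is not there".
        $all = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop
        $installed = [bool]($all | Where-Object { $_.HotFixID -eq $HotFixId })
        return [pscustomobject]@{ Computer = $ComputerName; Installed = $installed; Error = $null }
    } catch {
        return [pscustomobject]@{ Computer = $ComputerName; Installed = $false; Error = $_.Exception.Message }
    }
}

$results = foreach ($h in $hosts) { Test-KBInstalled -ComputerName $h -HotFixId $kb }
$results | Format-Table -AutoSize

# Deployment measure: patched / total, with unreachable hosts called out for follow-up.
$total     = @($results).Count
$patched   = @($results | Where-Object { $_.Installed }).Count
$unreached = @($results | Where-Object { $_.Error }).Count
"{0}: {1}/{2} hosts patched, {3} unreachable" -f $kb, $patched, $total, $unreached
```

Hosts listed as unreachable need a second pass (or an agent-side check) before the patched percentage can be trusted.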