I discovered this morning that although some servers are fully patched according to Kaseya, if I did a patch scan on the server itself, many .NET patches were not installed but available. In checking the Denied list in Kaseya, they were all there. The patches are listed as being for Windows 7, although they apply to all operating systems. Most are listed several times. For example:


KB2832414 - Product Windows 7

Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 SP1 x86 (KB2832414)

KB2832414 - Product Windows 7

Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2832414)

Note that my Servers Patch Policy to which these servers belong has Default Approval Status for Windows 7 set to DENY and Status for Windows Server 2008 (and other affected servers) set to Approve. I also have Security Update (Critical), to which these .NET patches belong, set to Approve.

There were about 15 or so. I was able to approve them by searching for them in the Denied list, then re-apply them. It seems that if the .NET patch applies to multiple products, Kaseya only recognizes it as a Windows 7 patch and denies it.

Has anyone else noticed this, and how are you managing it? Should I not bother auto-denying Windows 7 patches since supposedly they'll not be applied anyway?
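The check described in the post can be run over an export of the Denied list. The following is an added example, not part of the original post and not Kaseya code: it flags denied entries classified under a default-deny product whose title also names a product the policy approves. The tuple layout, function names and policy dictionary are assumptions; the two sample rows are constructed from the entries quoted above.

```python
# Assumed policy defaults, taken from the post: per-product default approval status.
POLICY_DEFAULTS = {
    "Windows 7": "Deny",
    "Windows Server 2008": "Approve",
}

# Constructed sample of a Denied-list export: (KB, product classification, title).
# The rows reuse the two entries quoted in the post; the layout is an assumption.
DENIED = [
    ("KB2832414", "Windows 7",
     "Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 SP1 x86 "
     "(KB2832414)"),
    ("KB2832414", "Windows 7",
     "Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and "
     "Windows Server 2008 R2 for x64-based Systems (KB2832414)"),
]


def products_in_title(title, policy=POLICY_DEFAULTS):
    """Return the policy product names that appear after ' on ' in a patch title."""
    _, _, target = title.partition(" on ")
    target = target.lower()
    return [name for name in policy if name.lower() in target]


def shadowed_denials(denied, policy=POLICY_DEFAULTS):
    """Find denied rows whose title also names a product the policy approves."""
    findings = []
    for kb, product, title in denied:
        # Only rows denied through a default-deny product classification matter.
        if policy.get(product) != "Deny":
            continue
        approved = [name for name in products_in_title(title, policy)
                    if policy.get(name) == "Approve"]
        if approved:
            findings.append({"kb": kb, "classified_as": product,
                             "also_names": approved, "title": title})
    return findings


if __name__ == "__main__":
    for hit in shadowed_denials(DENIED):
        print(f"{hit['kb']}: denied as {hit['classified_as']}, "
              f"title also names {', '.join(hit['also_names'])}")
```

Rows it reports are candidates for manual approval; a title that names only the denied product, like the x86 entry, is not flagged.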