Kaseya Community

Windows Updater, Patch Alerts & Reboot Action

This question is answered

Hello,

After discussing with my boss, we decided to configure the windows updater via Kaseya and set the agents to update at a specific time in the week. He also wanted to receive an email when an update fails and disable the reboot after an update (for servers).

I know this can be done for updates while pushing updates via Kaseya, but do the patch alerts and reboot action also work when doing the updates via Windows Updater ?

Sincerely,

JurgenC

Verified Answer
  • the patch alerts and reboot control do NOT work when using Windows Auto Update, at best you can control the time that patches are applied using the settings that mentioned below.

    We normally suggest that you have "one neck to choke" and either allow Kaseya to do patch management, or let Microsoft.   If you choose the former, then you will want to disable Windows Auto update.   If you choose the latter, then clear any settings under "Automatic Update", but still use Kaseya to audit.

    We have a patch training session on our ClubMSP site (no membership required for this one) that might help.  clubmsp.com/.../kaseya-patch-management-full-course

All Replies
  • you can control the reboot, but you're not going to be notified if a patch fails.

    check in the Patch Management > Configure > Windows Auto Update

    Look at the last option ("Configure - Force Windows Automatic Update configuration to the following settings:")

    You have some options to choose from which should assist you.

  • You should also be aware that if the Windows Update client is responsible for patch installations, Patch Policies are not honored.  Patch Policies apply only to Kaseya-installed patches, not those installed via other methods (including the local windows update client, local download/execute of patch installer, etc.).

  • You can setup some event log monitoring to watch for installation failures. This should alert you if something doesn't install correctly.

  • the patch alerts and reboot control do NOT work when using Windows Auto Update, at best you can control the time that patches are applied using the settings that mentioned below.

    We normally suggest that you have "one neck to choke" and either allow Kaseya to do patch management, or let Microsoft.   If you choose the former, then you will want to disable Windows Auto update.   If you choose the latter, then clear any settings under "Automatic Update", but still use Kaseya to audit.

    We have a patch training session on our ClubMSP site (no membership required for this one) that might help.  clubmsp.com/.../kaseya-patch-management-full-course

  • So if I don't check the "Force reboot if user is logged on", the pc won't restart after installing updates with Windows Auto Updater ?

  • Im just curious as to why you wouldnt utilize the patch mgmt feature of Kaseya. I cant think of any reason I would go Windows over Kaseya here. Patch Membership along with Patch Policies is extremely robust.

  • We known, but with Patch Management we have to approve the new updates.

    Windows update just downloads them and then Kaseya does a scan to check if the updates are installed/failed.

    That is the reason we chose for Windows Updates.

  • You can automatically approve for example all security patches. This is something you control via Patch Policies and "Default approval status".

  • I enabled it when i was testing the patch management, but there are still patches waiting for approval.

  • Default approval status applies to patches at the time they are first discovered.  If you change the Default Approval Status, any already-discovered patches keep the status they had,  You must change any patches that area already known to the VSA if you want existing patches to align to your new Default status.

    In your screenshot above, the patches in the Pending Approval column would have been discovered by your VSA before you set the Default Approval Status was changed to Approved.  Anything discovered from this point forward that fall into the classifications in your screenshot will be approved BUT the ones already in the pending approval status must be manually processed.  Click the hyperlink for the Pending approval patches to reveal the list of patches for that classification, click "select all" then click the "Approved" button.  Repeat this for each type of patch.

    As long as your Default Approval status is set to either Approved or Denied for all Classifications and all Products, any newly discovered patches will be automatically approved (or automatically denied) for this patch policy.