Kaseya Community

Out of Band patch - KB3079904

Since Microsoft released this patch outside of the normal schedule and various resources are supporting that it should be installed pretty quickly, we were planning to push it out this weekend.

In prepping, Kaseya has it listed as "Internet based install only".  That's painful.

Anyone have another method to get that individual patch pushed out?

All Replies
  • ,

    As long as the endpoints have access to the internet, the install should not be "painful."  When patches are flagged as internet-only, it indicates that Windows Update Agent (WUA) must be leveraged to perform the install.  Kaseya can (and regularly does) leverage WUA through its .api.  WUA.api is used by Kaseya for all patch scans and some patch installs (all internet-only and any automatic or initial update processes for endpoints with a file source of "from internet").  

    To push this patch out to all machines, run a patch scan on all endpoints (so each endpoint can 'report' the need for the patch) and then run Automatic Update.  If you want to push the patch out before your next AU cycle and don't want to edit the schedules, do the following:

    1.  Navigate to Patch Management > Patch Update

    2.  Uncheck the two boxes at the top of the page ("Hide Machines..." and "Hide Patches...")

    3.  Locate the patch in the list (the page will refresh; this may take a while, depending on the number of patches known to your VSA).  You may have multiple entries for the same KB number.  This indicates there are multiple versions, or "flavors," of the patch.  You'll need to repeat the next steps for each version of the patch.

    4.  Click the Machines... button next to the patch in question

    5.  Select all machines to which you want to deploy the patch.  Note that you CAN select machines where the patch is denied and, if you do so, the patch WILL attempt to install on the machine where the patch is denied.  If you do not want this, select only machines where the patch is approved.

    6.  Click the Schedule button and select your preferred schedule/distribution window

    The patch will be scheduled and attempt to install, leveraging WUA, on each of the selected machines.  If there are multiple versions of the patch, return to the main Patch Update page, select the Machines... button for the next version, and repeat steps 5 and 6.  

    If your endpoints do NOT have general access to the internet (can browse the web, get to MS sites), the approach is different.  That explanation can be a bit involved because there are a number of variables, depending on how MS has released the patch.  If you're in a position where you need that info, let me know and I'll provide some pointers.  Otherwise, as long as the endpoints have basic web access, you should be able to accomplish the above without doing anything "special."
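
To confirm on an endpoint what the WUA scan and install described in the reply above actually reported, the Windows Update Agent COM API can be queried directly. This is an added example, not part of the original thread and not Kaseya's own code; the function name `Get-KbPatchState` and its output fields are illustrative.

```powershell
# Added example: ask the local Windows Update Agent (WUA) about a single KB.
# Run on the endpoint being checked; Search() contacts the machine's configured
# update source, so the endpoint needs the same access the reply describes.
function Get-KbPatchState {          # hypothetical helper name
    param([string]$KbId = '3079904') # KB from this thread, without the "KB" prefix

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Scan: updates WUA considers applicable to this machine but not installed.
    # WUA returns only updates applicable to this machine's OS and architecture.
    $pending = @()
    foreach ($u in $searcher.Search("IsInstalled=0 and Type='Software'").Updates) {
        if (@($u.KBArticleIDs) -contains $KbId) { $pending += $u.Title }
    }

    # History: most recent install attempt WUA recorded for this KB.
    # Operation 1 = install; ResultCode 2 = succeeded, 4 = failed, 5 = aborted.
    $last  = $null
    $total = $searcher.GetTotalHistoryCount()
    if ($total -gt 0) {
        $last = $searcher.QueryHistory(0, $total) |
            Where-Object { $_.Operation -eq 1 -and $_.Title -match "KB$KbId" } |
            Sort-Object Date -Descending |
            Select-Object -First 1
    }

    # Cross-check the installed-hotfix list, since WUA history can be reset.
    $hotfix = Get-HotFix -Id "KB$KbId" -ErrorAction SilentlyContinue

    $state = if ($pending.Count -gt 0) {
        'Missing'
    } elseif ($hotfix -or ($last -and $last.ResultCode -eq 2)) {
        'Installed'
    } else {
        'NotOfferedOrNotApplicable'
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        KB             = "KB$KbId"
        State          = $state
        PendingTitles  = $pending -join '; '
        LastAttempt    = if ($last) { $last.Date } else { $null }
        LastResultCode = if ($last) { $last.ResultCode } else { $null }
    }
}

Get-KbPatchState -KbId '3079904'
```

A `State` of `Missing` after the scheduled install window, together with a `LastResultCode` of 4 or 5, points to a failed or aborted WUA install rather than a patch that was never offered.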

  • "In prepping, Kaseya has it listed as "Internet based install only".  That's painful."

    The point of pain is usually having 000's of machines all downloading the same patch. Especially if you have limited bandwidth, metered connection, limited patch window, etc.

    An exaggerated example, but imagine if Windows 8.1 KB2919355 had to be rolled out to 100 machines. You have a 6Mb fibre feed and a 4 hour patch window each night. You also have a 50Gb/month data cap.

    This is a 690Mb download. x 100 machines. in 4 hours. over a thin pipe. With "install from internet" you're going to:

    1. congest the pipe, which will lead to slow downloads, and lots of fails/retries, and

    2. blow your download limit (invoking $$$ excessive use fees and/or speed capping), and

    3. miss your patch window,

    4. leave your machines vulnerable

    *That's painful*

    I have noticed that many patches are "internet based install only" the first day or two, but suddenly can be distributed by Lancache a few days later.

    Perhaps you might comment in some more detail as to what exactly changes that suddenly permits distribution via Lancache, and/or how the VSA determines the need for "internet based install" in the first place.

  • ,

    This has been covered before, and I believe there are KB articles on internet-only patches (I'll verify tomorrow and create one if one no longer exists/has been retired).  KBs list as internet-only for the following reasons:

    1.  An admin removed the Patch Location URL for the patch (available for on-premise installs only).  If the URL is removed (or manually edited), Kaseya will not overwrite the admin's changes to the patch location.  No URL for patch location will always trigger the patch to become internet-only.

    2.  Microsoft has not yet released a distributable version of the patch (an .msi, .msu, or .exe)

    3.  MS has not provided sufficient detail for Kaseya to determine the target machine (i.e., patch is for win7 but doesn't specify 32 or 64 bit and both are available; patch is language specific but the reported detail does not include the language needed, etc.)

    4.  Kaseya has not yet updated the patch location in the master file.  This is a semi-manual process and requires that Kaseya parse through the new patch reports from all VSAs globally.  In order for Kaseya to update the download URL, Microsoft must have already released a distributable version of the patch AND the patch detail reported must include sufficient detail to determine the appropriate target machine (items 2 and 3 above).  Assuming items 2 and 3 have been successfully provided by MS, Kaseya processes the new patch reports regularly (usually daily) to populate a master file, which is automatically downloaded by KServers every 4 hours as part of a standard background process of the KServer.  This master file is parsed by the KServer and the patch locations are updated within the VSA UI.  

    Microsoft does not always immediately release distributable versions of patches.  Often an .msi, .msu, or .exe is released in parallel with the Windows Update (internet-only) patches, but that is not always the case.  If there is a several day or several week delay between the release of the WU and distributable versions of the patches, you'll see the patch noted as internet-only for quite some time and then, shortly after release of the distributable version (or update of the patch information to include the detail necessary to determine the target machine platform/OS/language/etc.), the patch location will populate and the patch will no longer list as internet-only (unless an admin edits the patch location for an individual patch). In some cases, MS never releases a distributable (or appropriately detailed) patch.  In those cases, the patches will remain internet-only.

    This is most visible on Patch Tuesday and the day following, as the sheer volume of new patches takes time to semi-manually process to locate the download URL and installation switches.  Because MS does not include the URL or switch detail in the patch reporting information third parties can automatically gather through the Windows Update Agent (WUA) .api, we automate the process to gather the URL to some extent, but there are portions of the process, and some individual patches, that must be dealt with manually. Patch Tuesday/Wednesday are usually the busiest days for this processing since the volume of patches is so great, but we have seen periods where MS has re-released hundreds of patches in a very short window (outside of Patch Tuesday) which have required time to work through the process.

    Admins of On-Premise installations always have the option to update the Patch Location URL by locating the correct URL for the correct version (32 v 64 bit, matching OS types, matching languages, etc.) and applying the download URL to the correct version of the KB.  The Patch Location function is available On Premise for Master users only.  Again, once a patch location is manually edited by an admin, if any subsequent updates to the location are released in the master patch file from Kaseya (based on any changes from Microsoft), Kaseya will NOT overwrite the URL an admin has edited (or removed).  Essentially, the admin's edit sets a flag for that patch's location, and K will skip over that patch.  This cannot be 'reset', so any efforts to manually edit the URL should be done with the utmost care.