I pushed out KB3115322 last week as one of the Security updates. After I had pushed it out I was informed last Friday that it is causing some issues for people using Excel. I have blocked this patch from being pushed out further. I have gone to the machines that had this patch installed and I have manually uninstalled and rebooted these machines. When I check back the next day they are installed again. How do I stop Kaseya from pushing this patch?
Patch Management -> Patch Policy -> KB Override -> Deny will permanently stop that KB from ever being pushed out to your environment again.
That said, you may want to make sure your patch scans and latest audits are both up to date. Depending on where you're checking from, that information may simply be stale.
Hi Mcconnell - As I stated in my post, I have gone in and done a KB override. I know the override is working because I built a machine today and did an initial load using Patch Management and this patch was denied. I have the machines scanned twice a day, early am and early pm. I removed this patch yesterday from this machine and when I checked back today it was reinstalled. I just was not sure if once Kaseya pushed out a patch it would reinstall it if it noticed it was uninstalled.
Kaseya shouldn't be deploying patches with a deny on them. Are you 100% sure Windows updates aren't scheduled to run on the computer itself rather than from the patch management system?
Patch Management -> Configure -> Windows Auto Update -> Disabled should be set on every computer you're managing via Kaseya patching. If it's set to the default "daily" setting then your workstation patches are coming from two different sources (Kaseya and Microsoft).
mcconnell is absolutely correct. Kaseya will not execute a new patch process to install a patch which has been denied for a particular machine, and you need to ensure that another source (MS or any other third-party software) is not executing the patch install. That said, there are three things to consider:
1. If a patch install process was already running when the patch was denied, that process will continue until complete. If the patch in question was part of that running patch process, it will attempt to install on that machine during that specific update cycle. Any future update cycles would not include that patch.
2. KB Override ONLY applies to machines that are a member of at least one patch policy. The KB Override function overrides patch policies. If no patch policy is assigned to the machine, there is nothing to override. The patch denied by KB Override WILL still attempt to install on those machines without an assigned patch policy. You should ensure that ALL machines are members of at least one patch policy. If you have machine(s) where you want all patches to be installed, create a patch policy which approves all patches and assign that policy to those machines. This way, any patches you deny via KB Override will be blocked for the machines.
3. If the endpoints are Windows 10, Microsoft may have deemed the patches as required and may be installing them on its own, outside of Kaseya Patch Management - fully disregarding any Windows Auto Update configuration. This is specific to Windows 10 and is due to the service change MS has made with regard to how it treats patching on Win10 OS. Win10 OS will eventually install ANY patch MS deems required for the machine, regardless of any third-party or individual configurations. The patch community-at-large (fully independent of Kaseya) has a number of discussions regarding patching and Win10. If this is a concern, I recommend you research MS patch processes for Win10 (there is a lot of info available via a web search).
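
One way to check on an affected machine which source is reinstalling the patch, as the replies above suggest. This is an added example, not part of the thread and not Kaseya's own tooling: the function names are hypothetical, and it only sees installs recorded by the Windows Update Agent and the standard Windows Update policy registry key.

```powershell
# Added diagnostic sketch; run locally in an elevated PowerShell session.
# Function names are hypothetical. KB number is the one from the thread.
function Get-KbInstallSource {
    param([string]$KbId = 'KB3115322')

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return @() }     # QueryHistory fails on an empty history

    # Numeric codes used by the Windows Update Agent history entries
    $opNames  = @{ 1 = 'Install'; 2 = 'Uninstall' }
    $resNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                   3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Title -match [regex]::Escape($KbId) } |
        Sort-Object Date |
        ForEach-Object {
            [pscustomobject]@{
                DateUtc   = $_.Date                   # history dates are UTC
                Operation = $opNames[[int]$_.Operation]
                Result    = $resNames[[int]$_.ResultCode]
                Client    = $_.ClientApplicationID    # which caller requested it
                Title     = $_.Title
            }
        }
}

# Reports the local Windows Update policy values, if any are set.
function Get-AutoUpdatePolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyKeyPresent = [bool]$au
        NoAutoUpdate     = $au.NoAutoUpdate   # 1 = automatic updates disabled
        AUOptions        = $au.AUOptions
    }
}

Get-KbInstallSource | Format-Table -AutoSize
Get-AutoUpdatePolicy
```

Compare the `Client` value and timestamp of each reinstall against the times of your scheduled Kaseya patch cycles; an install that lines up with neither, or with no policy key present, points at a second update source on the machine.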