We recently updated our Patch Management Policies and I denied several optional updates; however, they are showing up under the Failed Patches column and the Missing Denied column under Patch Management.
I double-checked the memberships and verified that the patch was denied by the policy, but it's still showing up under both columns. Why would this be? And can I stop it?
This COULD occur if another VSA admin had gone to Machine Update and chosen to install all missing patches with the "Hide patches denied by Patch Approval" box unchecked. Did you have any other admins working on patching recently?
We do, but only 1 other admin, and he hasn't messed with this. Thanks for looking into it.
Either someone tried to push this manually as Kristin Muntz suggested (scheduling via Machine Update or Patch Update, which allows admins to install patches even if they are denied) OR the patch was approved at the time it attempted to install but was later denied. If the patch attempted to install, failed for any reason, and then the patch was changed from Approved to Denied, the patch would list as failed as a valid status since it DID attempt to install.
You can review logs to determine when the install attempted (assuming log retention history is long enough to capture the attempt) and then check the system log to see when patch approvals were changed.
For the machine-side logs, check Agent Logs > Configuration Changes (which will show an entry for a manually scheduled patch) and/or the Agent Procedure (or Procedure History) log for installs via Automatic or Initial Update. System > System Log will give you information regarding when a patch approval is changed.