Is anyone else seeing an influx of extremely old patches coming into their environment for approval? I'm seeing a number of them with a changed date of June 20th of this year - I'm wondering if I'm the only one.
I see a few that popped up from 2017, but nothing older than that. To be honest though I can't confirm that they only showed up this month.
Also keep in mind I think (and could be wrong) that Patch Management only shows patches that are detected by a patch scan. So if you onboard a machine that runs a patch scan and detects it needs patches your VSA has never seen before, then you could see extremely old patches show up to be approved, depending on how your policies are set up. Again, I could be wrong about how that works.
I saw this article - I'm thinking this may be related to what I'm seeing www.pindrop.com/.../microsoft-releases-patches-for-older-versions-of-windows-warns-of-nation-state-attacks
Eric Nemchik is spot on. If a machine was recently scanned that needed those older patches (for example, a machine that's been sitting on a shelf for some time checks in and runs a patch scan), the VSA will display the patches associated with that machine, provided they are still published by MS (in the MS patch catalog). Once no machine associated with your VSA is eligible for older patches (for example, a patch for Win XP but all XP machines have been removed from your environment), those unneeded patches will be hidden from the patch pages within the VSA. The patch records will remain in the database, but they won't clutter the patch list within the UI.
To your point in your second post, if MS releases a host of old patches into their catalog and you have managed endpoints that are eligible for those patches, they will show up within your VSA UI.
Hope that helps.
Thanks Eric and Brande! So these patches would not install for all the Windows 7 machines in our environment? Just the ones that need them? Is there any way to tell where the patches would be deployed? Thanks again!
They will deploy to any machine where patch scan indicates:
a) the machine is eligible for the patch (this is based on whether MS determines the endpoint is eligible)
b) the patch is "approved" in all patch policies associated with the eligible machine
c) the machine is scheduled for a patch install cycle
It could be that an 'older' patch might apply to a Win7 machine - it just depends on what MS determines the eligibility criteria to be. Since Kaseya Patch Management leverages the Windows patching infrastructure (Windows Update Agent), the patch is only considered eligible if MS says it is.
If you want to figure out which specific machines are eligible for a specific patch, navigate to the Patch Update function of the Patch Mgmt module and select the specific patch from the list (click the hyperlink). A list of all eligible machines will be returned, along with whether the patch is approved, denied, or pending approval for each machine.
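Added example, not part of the original thread and not Kaseya's code: since eligibility comes from the Windows Update Agent, the same question can be cross-checked on a single endpoint by asking WUA directly which updates it considers applicable and not installed, oldest first. The one-year cutoff and the column names are assumptions for illustration, and the search uses whatever update source the machine is configured for (WSUS or Microsoft Update), so results can differ from a VSA patch scan.

```powershell
# Added example: list updates the local Windows Update Agent reports as
# applicable but not installed, and flag the ones older than a cutoff.
param(
    # Assumption: "old" means last deployment change more than one year ago.
    [datetime]$Cutoff = (Get-Date).AddYears(-1)
)

# Windows Update Agent COM API (the infrastructure the thread refers to).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

try {
    # Eligibility is decided by WUA: not installed, not hidden, software only.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
} catch {
    Write-Error "Windows Update Agent search failed: $($_.Exception.Message)"
    return
}

$rows = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB                   = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        LastDeploymentChange = $u.LastDeploymentChangeTime
        Old                  = $u.LastDeploymentChangeTime -lt $Cutoff
        Title                = $u.Title
    }
}

# Oldest first, so resurfaced legacy patches appear at the top of the table.
$rows | Sort-Object LastDeploymentChange | Format-Table -AutoSize -Wrap

"{0} applicable update(s), {1} older than {2:yyyy-MM-dd}" -f `
    @($rows).Count, @($rows | Where-Object Old).Count, $Cutoff
```

Run it in an elevated PowerShell session on the endpoint in question. An old patch showing up here confirms the machine itself is reporting it as needed, independent of the approval state in the VSA.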
Thanks! I signed in today and they had been magically approved - I didn't approve them. I had specifically not approved them and had them sitting in Pending Approval to test with a smaller group of users. Opened a ticket with Kaseya and started a new forum post to see if this has happened to anyone else. Hopefully this doesn't cause issues. Luckily, a majority of our users are now Windows 10 and it's a much smaller sampling of those that are still on Windows 7 which is what most of those updates were targeting in the first place.
I have a mess of 'em rising from the grave, date listed under Changed varies over the course of several days in October. Published dates going back to TWO THOUSAND SEVEN.
Boy howdy I was looking forward to another nice quiet month of quickly dashing out the few new approvals we get in this fun new regime of Only Cumulative Bundles Ever Again, but no. No, I have to deal with ~1500 "new" patches.