Kaseya Community

are you ALSO using WSUS with Kaseya?

  • I've thought about putting WSUS on my Kaseya box (that was its role before Kaseya anyway) as a way to make sure patches are working as I see that Kaseya doesn't have a real solid solution. I figure this way I would have fewer headaches.



    Is anyone else doing the same thing? comments????


    Legacy Forum Name: are you ALSO using WSUS with Kaseya?,
    Legacy Posted By Username: mmancini
  • Kaseya doesn't have a real solid solution? I don't want to get into a debate, but that is a real big statement. Have you tested the Patch Management thoroughly? What is not working for you?

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: raybarber
  • I was able to push out Exchange, SQL, ISA hotfixes, Office patches etc with more consistency and without people logged in, etc. Also, we can push out Defender definitions as well with WSUS. Or am I missing something?

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: mmancini
  • Here's our list of issues (I'm sure you've heard them all before, but you asked...):

    1) Missing patches - we (and others) have found patches missing from Kaseya. They have been added once reported but it causes a loss of trust if we're going to rely on Kaseya for patching. And we don't have the time to double-check all released patches.

    2) Patch timing - WSUS patches are released much more quickly than Kaseya patches. Kaseya is taking many days to release patches.

    3) As Mmancini mentioned (and as we've mentioned many times before), certain patches aren't even included. So if we want Exchange or Defender or hot fix updates. So we must use WSUS instead of Kaseya on all systems running Exchange and any desktops requiring Defender, or hot fixes. And if we must use WSUS on some system, it might be easier to manage one method of patching (via WSUS) rather than two different methods (WSUS + Kaseya).

    4) Office patches install more cleanly via WSUS than Kaseya. I don't recall getting prompted for end user acceptance or any buttons to press when using WSUS for Office patches but I'm not totally sure of this. I do know for a fact that Kaseya's Office patches are definitely NOT silent to the user.

    5) If a Kaseya agent is installed on the KServer, it allows an administrator to accidentally install SQL patches which bring Kaseya to a grinding halt.

    6) Until recently, KServer received patches whenever you pushed patches to a Collection, even though KServer wasn't part of that Collection. This has been fixed but such a major flaw once again caused a loss of trust among technical staff for using Kaseya to patch systems.

    7) We've found discrepancies where Kaseya claims things are patched but WSUS claims the patches aren't installed. We haven't had the time to research these differences (though we did report them to Kaseya Support). We need patching to just work flawlessly so that we don't have to worry about it.

    One thing that I really like about Kaseya patching? Initial update. We've used it on a few servers and although it took quite a while, we were truly able to walk away and let it update the server.

    Another thing we like is the ability to control Windows auto update. Because of the problems listed above, we set most desktops to "Automatically download and notify user for installation" rather than pushing patches via Kaseya. And we manually install patches on most servers. We mainly use Kaseya to monitor patch levels to make sure we don't have any systems that are way out of date. But we'd prefer to have a patch management system that really works for everything we need so we can rely on a single patch management system rather than juggling multiple approaches.


    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: kentschu
  • My main gripe with Patch Management is the delay in getting the patch database updated when Microsoft releases them. The expectation is not clearly defined. If Microsoft releases them on Tuesday, can we expect to have them in our patch database on Wednesday morning if we schedule the refresh early on Wednesday?

    Other than that, I'm good with Patch Management.

    Besides, I'm not even sure how you would use WSUS in conjunction with Kaseya to manage patches for customers. Don't they need to be in the same network and domain? I apologize for not being as informed about WSUS as I should be.


    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: vplaza
  • I was going to have WSUS update the machines and NOT disable the Windows updates in Kaseya and have them both push out updates and look to Kaseya for the reporting.



    my big issue is Defender. It is a REALLY good spyware app and we cannot keep it updated.


    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: mmancini
  • What about Exchange?

    Do your clients not use Exchange?


    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: kentschu
  • mmancini wrote:
    my big issue is Defender. It is a REALLY good spyware app and we cannot keep it updated.


    Anti-spyware, anti-spyware, anti-spyware....it's all I hear. Let me guess all your users have local administrator rights? If so, why?


    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: connectex
  • My problem with the Kaseya patch management program is this message:

    The patch file probably failed to download. Uncheck "Delete package after install" and schedule the patch again. Verify the following

    1. Check that the hard disk is not full.

    2. If downloading from the internet, verify the connection from this machine to microsoft.com is not blocked.

    3. Be sure curl-nossl.exe is not prevented from executing (by a security program).

    When I get an alert like this, I put it in a special folder in Outlook. Currently that folder has about 1500 messages in it. These alerts come in much faster than I can deal with them. I get them for both Windows and Office patches, across multiple clients and multiple agents. The one thing I know for sure is that the problem is NOT caused by any of the three conditions mentioned above. I wish I could get a little more specific information about exactly why the patches fail to install so I don't have to spend lots of time troubleshooting.


    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: David_Schrag
  • connectex wrote:
    mmancini wrote:
    my big issue is Defender. It is a REALLY good spyware app and we cannot keep it updated.


    Anti-spyware, anti-spyware, anti-spyware....it's all I hear. Let me guess all your users have local administrator rights? If so, why?


    Every end user seems to want admin rights to their own computer.

    Bedamn best practice and all the rest.

    They need to have their egos stroked with admin rights... It makes them feel good and somehow completes them. Go figure. It validates to themselves that they are in control, and gives them the illusion of self reliance, which in turn increases their self-esteem, a little something that most end-users desperately need to feel when working with technology.

    Every time I try to do "the right thing" and follow "best practice" by limiting admin rights to end-user computers, I end up with an unhappy and bitchy customer, which makes for high churn. Who needs that?

    Besides, an end-user with local admin rights only bolsters the need for support when they screw it up. At least they'll feel good about it. Cool




    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: myArch-man
  • Our top level MSP offering includes unlimited support. Our top two MSP levels include virus and spyware removal. Since these are fixed costs per system offerings, we DO NOT allow local administrator rights. I don't care how much they beg, plead, or complain to the company's owner. I tell the owner it's a requirement of the program, no exceptions. I also mention, it is the first step to their having the most secure, reliable, and performing environment possible. It's been suggested as much as 70% of threats (virus, spyware, rootkits, etc.) can be avoided by using a LUA (least user access) policy. A root kit infection will force you to rebuild the system. It will not affect my clients. Lock down the house before you rely on an alarm system.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: connectex
  • mmancini wrote:
    I was going to have WSUS update the machines and NOT disable the Windows updates in Kaseya and have them both push out updates and look to Kaseya for the reporting.



    my big issue is Defender. It is a REALLY good spyware app and we cannot keep it updated.

    Defender is very easy to script in Kaseya, I keep my own machine up to date and scan it regularly using Defender, it also allows me to include the activity in my monthly executive report.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: raybarber
  • kentschu wrote:
    Here's our list of issues (I'm sure you've heard them all before, but you asked...):

    1) Missing patches - we (and others) have found patches missing from Kaseya. They have been added once reported but it causes a loss of trust if we're going to rely on Kaseya for patching. And we don't have the time to double-check all released patches.

    2) Patch timing - WSUS patches are released much more quickly than Kaseya patches. Kaseya is taking many days to release patches.

    3) As Mmancini mentioned (and as we've mentioned many times before), certain patches aren't even included. So if we want Exchange or Defender or hot fix updates. So we must use WSUS instead of Kaseya on all systems running Exchange and any desktops requiring Defender, or hot fixes. And if we must use WSUS on some system, it might be easier to manage one method of patching (via WSUS) rather than two different methods (WSUS + Kaseya).

    4) Office patches install more cleanly via WSUS than Kaseya. I don't recall getting prompted for end user acceptance or any buttons to press when using WSUS for Office patches but I'm not totally sure of this. I do know for a fact that Kaseya's Office patches are definitely NOT silent to the user.

    5) If a Kaseya agent is installed on the KServer, it allows an administrator to accidentally install SQL patches which bring Kaseya to a grinding halt.

    6) Until recently, KServer received patches whenever you pushed patches to a Collection, even though KServer wasn't part of that Collection. This has been fixed but such a major flaw once again caused a loss of trust among technical staff for using Kaseya to patch systems.

    7) We've found discrepancies where Kaseya claims things are patched but WSUS claims the patches aren't installed. We haven't had the time to research these differences (though we did report them to Kaseya Support). We need patching to just work flawlessly so that we don't have to worry about it.

    One thing that I really like about Kaseya patching? Initial update. We've used it on a few servers and although it took quite a while, we were truly able to walk away and let it update the server.

    Another thing we like is the ability to control Windows auto update. Because of the problems listed above, we set most desktops to "Automatically download and notify user for installation" rather than pushing patches via Kaseya. And we manually install patches on most servers. We mainly use Kaseya to monitor patch levels to make sure we don't have any systems that are way out of date. But we'd prefer to have a patch management system that really works for everything we need so we can rely on a single patch management system rather than juggling multiple approaches.


    1) 2) and 7), I think these are old issues, as I have not heard this mentioned from any customers on this for some time.

    3) Kaseya doesn't ever claim to patch these systems. Feedback I have had from many MSPs is that they want to have manual control over this process for critical apps such as Exchange and SQL anyway, and would not leave this for WSUS; it is too risky, you have no way to tell if it happened, and not fine enough control over the process. It only takes a few minutes to use the Patch Wizard to do a SQL or Exchange patch etc, and there are never as many as there are Windows patches.

    4) Yes I hear you on the Office patches, fair enough. You can get it silent if you use the prescribed method elsewhere here on this Forum, but it does need to be setup.

    5) Sorry, if you have a proper patch management process as described during the Kaseya training, this would never happen.

    I think all of these things are perception like you say. But the customers I have seen successfully implement Kaseya patch management are offering their customers a much more streamlined and better controlled service to their customers than can be achieved with SUS, and it requires a lot less effort as they manage it all once across many sites and customers.

    If WSUS is really working for you, and you like that method fair enough, but I don't think your experience should put people off from trying to implement a solution with Kaseya, as I have seen it be a great way to manage patches.


    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: raybarber
  • I can't wait for my next Executive Summary report as I have 284 machines with a 100% patch score! Thanks to WSUS! Once I get Beta3.0 working I can push out Defender updates too. Then I will be styling!!!!!

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: mmancini
  • Defender is very easy to script in Kaseya, I keep my own machine up to date and scan it regularly using Defender, it also allows me to include the activity in my monthly executive report.


    Raybarber,

    Would you share with us the details of integrating Defender into your monthly reports? I'm working on doing the same with Spybot.

    Thanks!


    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: dataservcorp