Can someone please confirm to me the best way to configure Patch Management so that we can monitor the patch status of machines, but actually allow the patching to be performed by WSUS on customer sites?
We have a lot of organisations where we are using Kaseya only on system servers, but WSUS is used to patch the rest of the LANs, therefore it makes sense to allow WSUS to also patch the servers. We want to ensure that the patching is carried out (reporting via Kaseya Exec Summary for example) but want to ensure that patching itself is not performed by the kagent.
How should we configure the patch management policies and Windows Auto Update/File Source etc. to ensure that Kaseya reports on machine compliance without actually doing the patching itself? Is this possible? I want to ensure I understand how this works 100%.
Kaseya does not support the use of WSUS server for patch management at this time. However, with that said, you may be able to accomplish what you're trying to do by leveraging only those functions within Kaseya Patch Mgmt that would be needed to discover and categorize the patches.
Patch won't install any patches if you don't use the installation functions. First, run a patch scan on the endpoints so Kaseya can "discover" which patches are missing from the endpoints in your environment. This will populate the various patch data pages within your VSA - if you don't first run scans, you won't be able to move onto the next step, creating patch policies. You would need to create appropriate patch policies that match what you're deploying via the WSUS product (within Kaseya, approve those patches that you plan to install via WSUS and deny those you plan to not deploy). Assign the policies to the endpoints using the Policy Membership function. Schedule a patch scan (Patch Management > Scan Machine) on the endpoints so the scan can discover which patches are missing from the endpoints. Set the schedule to run regularly (i.e., once per week).
As long as the Patch Management Automatic Update schedule is not configured, Kaseya will not automatically install patches. You would need to ensure your admins do not use the Patch Update, Machine Update, or Initial Update functions as these can be used to manually install patches via Kaseya. If you choose, you can remove the "schedule" option for non-Master admins by referring to the instructions for enabling scheduling (just deselect the appropriate check box): community.kaseya.com/.../enable-scheduling-function-for-user-roles-with-limited-rights-to-the-vsa.aspx. Note that this will remove the scheduling feature for ALL functions throughout the VSA.
The patch scan that Kaseya runs leverages the Windows Update Agent API to perform the scan. The API determines the results, which are handed back to Kaseya. Kaseya is not directly involved in the actual discovery of patches, just in processing the data returned by the Microsoft-based scan. An overview of the scan process is available here: community.kaseya.com/.../951.aspx.
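Since the answer above explains that a Kaseya patch scan just calls the Windows Update Agent API and Kaseya only processes what comes back, here is an added PowerShell example (not Kaseya's or Microsoft's code) of the same scan-only pattern: it reads the WSUS policy registry values, asks the Windows Update Agent for missing updates without downloading or installing anything, and prints a compliance list. It assumes it is run locally on the endpoint in an elevated PowerShell session.

```powershell
# Added example, not Kaseya's code: read-only Windows Update Agent (WUA) scan.
# Nothing here downloads or installs; it only discovers and reports.

# 1. Confirm where this endpoint is told to get updates from (WSUS policy keys).
$wuPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy   = Join-Path $wuPolicy 'AU'
$wsusServer = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).WUServer
$useWsus    = (Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue).UseWUServer

if ($useWsus -eq 1 -and $wsusServer) {
    Write-Host "Update source: WSUS ($wsusServer)"
    $serverSelection = 1   # ssManagedServer: query the configured WSUS server
} else {
    Write-Host "Update source: Microsoft Update (no WSUS policy applied)"
    $serverSelection = 2   # ssWindowsUpdate: query Microsoft directly
}

# 2. Search only. This is the discovery step a patch scan performs; the
#    IsInstalled=0 criterion returns updates the machine is missing.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = $serverSelection
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

# 3. Turn the result into a compliance view. Approval/denial decisions stay
#    with WSUS; this list is only what a monitoring-only scan would report.
$missing = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $u.MsrcSeverity
        Title    = $u.Title
    }
}

Write-Host ("Missing updates: {0}" -f @($missing).Count)
$missing | Sort-Object Severity, KB | Format-Table -AutoSize
```

If the endpoint has no WSUS policy at all, the first block prints that fact, which is the quickest check that the WSUS side of the setup is actually in effect on a given server.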
Thank you Brande! That's precisely what I had suspected and had hoped that you would say. :-)