Kaseya Community

Transition from WSUS to Kaseya Patch Management

  • We're rapidly approaching the point where we can go live with Kaseya patch management.  We are currently using WSUS to manage Windows patches and this is enforced through group policy.  If my logic is correct we should be able to set the main group policy object to turn off Windows Automatic Update which would make it match the settings I have for Kaseya.  I will also need to remove GPO setting for each branch where it is specifying the local WSUS repository.  Reboot everything a few times let it tun a day or two and then kick off Auto Update in Kaseya patch management.  Eventually I will remove WSUS from each server but I don't think that is necessary out of the chute.

    Am I missing anything here? 

  • That's about it.  You can run patch scans now while WSUS is still enabled to see where you stand with patching without it interfering with WSUS.  I just wouldn't try to push anything out with WSUS enabled.  If it doesn't work out, you can just put the policy back to enable WSUS.  Alternatively, you could disable the policy for a test group to make sure Kaseya patching is working as expected before enabling it across the board.

  • I'm already starting to do that.  We have 12 branches and after tonight half of them will be in the nightly scan and after this week they will be in the nightly scan schedule.  I've also got my policies set for approval, pending, etc. We're thinking on the same page because my plan was to also turn on auto update slowly in Kaseya.  One branch day one, another two branches day two, and so on until all are onboard.  I've had a Kaseya procedure blow up in my face before so I'm trying to learn from that mistake.

  • I would recommend you verify the necessary access is available - there are a few websites that need to be allowed via firewall rules/whitelisting.  Additionally, if any of the sites are using proxies, you may need to configure the endpoints (at the OS level) AND within Kaseya to be able to access the external patch sites via the proxy.  Check KKB000900 for details on the firewall/webfilter access, as well as proxy configuration.

  • Barth .. one special note with regard to managing the GPO for the WUAgent configuration. The GPO sets registry values, but merely removing the GPO will not remove those registry values. What you'll actually need to do is configure the GPO with the opposite value and refresh group policy to disable the WUAgent. Specifically you'll want to set two policies: Specify intranet update service location should be DISABLED and Configure Automatic Updates should be DISABLED. The former will unmake the system as a WSUS client; the latter will disable the AU functionality completely.