"Important" Patches Missing?
My company is just now starting to use the patching capabilities of the KBOX. To begin with, we're trying it out on a small deployment of Windows 7 machines in preparation for deploying Windows 7 next year. The KBOX has mostly done it's job with downloading critical patches and applying them in a time effective manner. There were a few hurdles and errors to get past, but they were solved.
However, I have noticed one glaring problem. It looks like any patch listed as "Important" by Windows Update, is getting skipped over by the KBOX. Specifically, yesterday I had to manually install KB2388210, KB2249857, KB2345886, and KB2398632. We also patched some of our servers using the KBOX, and while it got all the critical patches, it missed other patches labeled as "Important", many tied to Security Advisories like the above list. While the patches it has missed so far do not close immediate security loopholes, they often introduce performance enhancements or new functionality for the OS in question. Has anyone else noticed this? Is this normal behavior? If it is, that's disappointing because it means we will have to use 2 patching solutions or just not use the KBOX patching functionality altogether.
Thanks.
However, I have noticed one glaring problem. It looks like any patch listed as "Important" by Windows Update, is getting skipped over by the KBOX. Specifically, yesterday I had to manually install KB2388210, KB2249857, KB2345886, and KB2398632. We also patched some of our servers using the KBOX, and while it got all the critical patches, it missed other patches labeled as "Important", many tied to Security Advisories like the above list. While the patches it has missed so far do not close immediate security loopholes, they often introduce performance enhancements or new functionality for the OS in question. Has anyone else noticed this? Is this normal behavior? If it is, that's disappointing because it means we will have to use 2 patching solutions or just not use the KBOX patching functionality altogether.
Thanks.
0 Comments
[ + ] Show comments
Answers (15)
Please log in to answer
Posted by:
jkatkace
14 years ago
Patches not listed as security-related are rolled up into service packs and cumulative patches.
Posted by:
dchristian
14 years ago
wkucardinal,
This article may explain why these patches are missing:
[link]http://www.kace.com/support/kb/index.php?action=artikel&cat=6&id=741&artlang=en[/link]
Also how are you grouping your patches?
In the KBOX there are 3 possible values for impact: Critical, Recommended, and Software Installer (be careful with software installers).
If you are trying to automatically approve all OS patches (critical and Recommended) for win 7, try the following smart label.
Remember to test before deploying to you entire production environment. :)
This article may explain why these patches are missing:
[link]http://www.kace.com/support/kb/index.php?action=artikel&cat=6&id=741&artlang=en[/link]
Also how are you grouping your patches?
In the KBOX there are 3 possible values for impact: Critical, Recommended, and Software Installer (be careful with software installers).
If you are trying to automatically approve all OS patches (critical and Recommended) for win 7, try the following smart label.
Remember to test before deploying to you entire production environment. :)
Posted by:
wkucardinal
14 years ago
Thanks for the reply. I had already read that article. It does not answer my question, since it says that, "Specifically for Microsoft, some patches are released as KB article and others are escalated as "security bulletins". According to Microsoft most patches do not qualify as security bulletins. The KBOX includes only critical or important impact patches and anything deemed security related (ie security bulletins) based on the listings available here: http://www.microsoft.com/technet/security/current.aspx"
The patches I mentioned in my original post were all listed as "Important impact patches" according to Microsoft. It's looking like if it's not a security bulletin you're not going to be able to use the KBOX to patch, which is extremely disappointing. For instance, all of the patches from the attached screen were missed by the KBOX. Were they downloaded to yours?
The patches I mentioned in my original post were all listed as "Important impact patches" according to Microsoft. It's looking like if it's not a security bulletin you're not going to be able to use the KBOX to patch, which is extremely disappointing. For instance, all of the patches from the attached screen were missed by the KBOX. Were they downloaded to yours?
Posted by:
wkucardinal
14 years ago
One other thing.. when patching with the KBOX, how come only sometimes do the patches show up as successfully installed in Windows Update? The machine with a patch in question will not detect that it needs the patch if it's already installed, but it won't show up in the list of recently installed updates, either.
Posted by:
Swyfter
14 years ago
I've noticed this as well. Currently, on a Windows 7 x64 box fully updated by KBOX, three recommended updates and five un-catagorized updates are available. The files are dated September and October and are not listed in the KBOX patch listing. Is there something I'm possible missing?
Posted by:
wkucardinal
14 years ago
No, it would appear that the KBOX does not obtain those patches. It basically only gets critical security patches or those labeled as critical/recommended by Microsoft. This means the other application updates that might be labeled "Important" will most likely not be available. This is extremely disappointing because it means the KBOX probably cannot be our total patching solution. It needs to be more inclusive of what Microsoft makes available through Windows Update.
Posted by:
KevinG
13 years ago
These KB's are not listed here under http://www.microsoft.com/technet/security/current.aspx "Search by Knowledge Base article Number" so there are not considered "Security" patches
Posted by:
wkucardinal
13 years ago
If it's available in Windows Update, it should be available in the KBOX - period. If it's not, we have to use 2 different solutions (KBOX + our existing solution) to patch our workstations. This essentially makes the KBOX patching function obsolete, because we can use our existing solution to patch both critical security applications and application patches that aren't security critical.
Posted by:
TheKojukinator
13 years ago
I would like to say that I agree with wkucardinal. We are trying to squeeze the most value out of our KACE appliances, and an essentially incomplete patching solution is somewhat disappointing. We were hoping to drop using WSUS, but currently it's resulting in better patched machines than ones managed by k1000. At this point it appears WSUS might be necessary for 100% OS patches, and k1000 will push application patches that are available.
Does anyone know if the k1000 patch catalog will evolve to a more complete solution?
Does anyone know if the k1000 patch catalog will evolve to a more complete solution?
Posted by:
dyehardfan
13 years ago
Any moderator/admin/employee insight on this?
ORIGINAL: TheKojukinator
I would like to say that I agree with wkucardinal. We are trying to squeeze the most value out of our KACE appliances, and an essentially incomplete patching solution is somewhat disappointing. We were hoping to drop using WSUS, but currently it's resulting in better patched machines than ones managed by k1000. At this point it appears WSUS might be necessary for 100% OS patches, and k1000 will push application patches that are available.
Does anyone know if the k1000 patch catalog will evolve to a more complete solution?
Posted by:
wkucardinal
13 years ago
Here is the response I got from tech support:
Please understand that this type of enhancement with have a major impact to the code. Also, it will increase the cost of the Kbox due to the manipulation of the code and the increased size of the hard drives.
It is possible for you to download the updates to a client, and then have the Kbox via Managed Install upload the updates, and then push them to the respective clients.
Posted by:
dyehardfan
13 years ago
I would think the HD Size issue could be fixed by using Remote Shares to store the data. I am not a coder and do not know what it would take to chage that side of things. Personally, I would like Kace to offer more support for patching, collecting more patches/updates from more vendors, etc. but do not know where that falls in their priority list right now.
ORIGINAL: wkucardinal
Here is the response I got from tech support:
Please understand that this type of enhancement with have a major impact to the code. Also, it will increase the cost of the Kbox due to the manipulation of the code and the increased size of the hard drives.
It is possible for you to download the updates to a client, and then have the Kbox via Managed Install upload the updates, and then push them to the respective clients.
Posted by:
Llee
13 years ago
The Kace Appliance takes security critical patches as a higher priority over the important updates, if those recommended or important patches are needed in a faster manner I would suggest to request to Kace Support so we can request it so get it in to the Kace feed.
Also you may want to check out this FAQ: http://www.kace.com/support/kb/index.php?action=artikel&cat=6&id=1047&artlang=en
Please let me know if you have any questions.
Also you may want to check out this FAQ: http://www.kace.com/support/kb/index.php?action=artikel&cat=6&id=1047&artlang=en
Please let me know if you have any questions.
Posted by:
wkucardinal
13 years ago
So the solution is that I must request patches from KACE that Microsoft or other vendors list as "Important"? That's a LOT of patches and a lot of waiting. No thanks.
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.