/build/static/layout/Breadcrumb_cap_w.png

"Important" Patches Missing?

My company is just now starting to use the patching capabilities of the KBOX. To begin with, we're trying it out on a small deployment of Windows 7 machines in preparation for deploying Windows 7 next year. The KBOX has mostly done it's job with downloading critical patches and applying them in a time effective manner. There were a few hurdles and errors to get past, but they were solved.

However, I have noticed one glaring problem. It looks like any patch listed as "Important" by Windows Update, is getting skipped over by the KBOX. Specifically, yesterday I had to manually install KB2388210, KB2249857, KB2345886, and KB2398632. We also patched some of our servers using the KBOX, and while it got all the critical patches, it missed other patches labeled as "Important", many tied to Security Advisories like the above list. While the patches it has missed so far do not close immediate security loopholes, they often introduce performance enhancements or new functionality for the OS in question. Has anyone else noticed this? Is this normal behavior? If it is, that's disappointing because it means we will have to use 2 patching solutions or just not use the KBOX patching functionality altogether.

Thanks.

0 Comments   [ + ] Show comments

Answers (15)

Posted by: jkatkace 14 years ago
Purple Belt
1
Patches not listed as security-related are rolled up into service packs and cumulative patches.
Posted by: dchristian 14 years ago
Red Belt
0
wkucardinal,

This article may explain why these patches are missing:
[link]http://www.kace.com/support/kb/index.php?action=artikel&cat=6&id=741&artlang=en[/link]

Also how are you grouping your patches?

In the KBOX there are 3 possible values for impact: Critical, Recommended, and Software Installer (be careful with software installers).

If you are trying to automatically approve all OS patches (critical and Recommended) for win 7, try the following smart label.

Remember to test before deploying to you entire production environment. :)



Posted by: wkucardinal 14 years ago
Orange Senior Belt
0
Thanks for the reply. I had already read that article. It does not answer my question, since it says that, "Specifically for Microsoft, some patches are released as KB article and others are escalated as "security bulletins". According to Microsoft most patches do not qualify as security bulletins. The KBOX includes only critical or important impact patches and anything deemed security related (ie security bulletins) based on the listings available here: http://www.microsoft.com/technet/security/current.aspx"

The patches I mentioned in my original post were all listed as "Important impact patches" according to Microsoft. It's looking like if it's not a security bulletin you're not going to be able to use the KBOX to patch, which is extremely disappointing. For instance, all of the patches from the attached screen were missed by the KBOX. Were they downloaded to yours?

Posted by: wkucardinal 14 years ago
Orange Senior Belt
0
One other thing.. when patching with the KBOX, how come only sometimes do the patches show up as successfully installed in Windows Update? The machine with a patch in question will not detect that it needs the patch if it's already installed, but it won't show up in the list of recently installed updates, either.
Posted by: wkucardinal 14 years ago
Orange Senior Belt
0
Is this documented anywhere? I haven't seen that anywhere else.
Posted by: Swyfter 14 years ago
Yellow Belt
0
I've noticed this as well. Currently, on a Windows 7 x64 box fully updated by KBOX, three recommended updates and five un-catagorized updates are available. The files are dated September and October and are not listed in the KBOX patch listing. Is there something I'm possible missing?
Posted by: wkucardinal 14 years ago
Orange Senior Belt
0
No, it would appear that the KBOX does not obtain those patches. It basically only gets critical security patches or those labeled as critical/recommended by Microsoft. This means the other application updates that might be labeled "Important" will most likely not be available. This is extremely disappointing because it means the KBOX probably cannot be our total patching solution. It needs to be more inclusive of what Microsoft makes available through Windows Update.
Posted by: KevinG 14 years ago
Red Belt
0
These KB's are not listed here under http://www.microsoft.com/technet/security/current.aspx "Search by Knowledge Base article Number" so there are not considered "Security" patches
Posted by: wkucardinal 14 years ago
Orange Senior Belt
0
If it's available in Windows Update, it should be available in the KBOX - period. If it's not, we have to use 2 different solutions (KBOX + our existing solution) to patch our workstations. This essentially makes the KBOX patching function obsolete, because we can use our existing solution to patch both critical security applications and application patches that aren't security critical.
Posted by: TheKojukinator 14 years ago
Senior Yellow Belt
0
I would like to say that I agree with wkucardinal. We are trying to squeeze the most value out of our KACE appliances, and an essentially incomplete patching solution is somewhat disappointing. We were hoping to drop using WSUS, but currently it's resulting in better patched machines than ones managed by k1000. At this point it appears WSUS might be necessary for 100% OS patches, and k1000 will push application patches that are available.

Does anyone know if the k1000 patch catalog will evolve to a more complete solution?
Posted by: dyehardfan 14 years ago
Second Degree Blue Belt
0
Any moderator/admin/employee insight on this?

ORIGINAL: TheKojukinator

I would like to say that I agree with wkucardinal. We are trying to squeeze the most value out of our KACE appliances, and an essentially incomplete patching solution is somewhat disappointing. We were hoping to drop using WSUS, but currently it's resulting in better patched machines than ones managed by k1000. At this point it appears WSUS might be necessary for 100% OS patches, and k1000 will push application patches that are available.

Does anyone know if the k1000 patch catalog will evolve to a more complete solution?

Posted by: wkucardinal 14 years ago
Orange Senior Belt
0
Here is the response I got from tech support:

Please understand that this type of enhancement with have a major impact to the code. Also, it will increase the cost of the Kbox due to the manipulation of the code and the increased size of the hard drives.

It is possible for you to download the updates to a client, and then have the Kbox via Managed Install upload the updates, and then push them to the respective clients.
Posted by: dyehardfan 14 years ago
Second Degree Blue Belt
0
I would think the HD Size issue could be fixed by using Remote Shares to store the data. I am not a coder and do not know what it would take to chage that side of things. Personally, I would like Kace to offer more support for patching, collecting more patches/updates from more vendors, etc. but do not know where that falls in their priority list right now.

ORIGINAL: wkucardinal

Here is the response I got from tech support:

Please understand that this type of enhancement with have a major impact to the code. Also, it will increase the cost of the Kbox due to the manipulation of the code and the increased size of the hard drives.

It is possible for you to download the updates to a client, and then have the Kbox via Managed Install upload the updates, and then push them to the respective clients.



Posted by: Llee 13 years ago
Senior Yellow Belt
0
The Kace Appliance takes security critical patches as a higher priority over the important updates, if those recommended or important patches are needed in a faster manner I would suggest to request to Kace Support so we can request it so get it in to the Kace feed.

Also you may want to check out this FAQ: http://www.kace.com/support/kb/index.php?action=artikel&cat=6&id=1047&artlang=en

Please let me know if you have any questions.
Posted by: wkucardinal 13 years ago
Orange Senior Belt
0
So the solution is that I must request patches from KACE that Microsoft or other vendors list as "Important"? That's a LOT of patches and a lot of waiting. No thanks.
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ