MS and KACE do not agree on patch impact
Hello, I am having a major issue with our current patch deployment. The problem is that when I image a new machine, run a patch schedule from the K1000, and then check the machine using Windows Updates, there are 20+ patches that got overlooked. I looked these patches up and they are in the patch listing of the K1000, but they are not getting downloaded because they are not "Impact: Critical". I set our patch download settings up to only allow Critical OS patches and would like to keep it that way. However, I also have Windows Update set to not "Give me recommended updates the same way I receive important updates" so this should be fine.
It seems that there is some disconnect in how MS and Lumension (I think that is what KACE uses for patching) classify the impact of a patch. I know that one thing I could do would be to create a "dumb" patch label to whitelist the problematic patches, but I think this could get unmanageable pretty quickly. I reached out to KACE support, but am having a hard time getting them to understand what is happening. Is anyone else having this issue or has anyone found a workaround?
Any help would be great!
Answers (5)
I finally got a good answer from KACE support. It seems that MS and Lumension take different approaches altogether. Lumension focuses only on OS critical updates which will have a negative effect on the operation of the system if not applied. MS on the other hand, has bundled OS and application updates together and labels patches as important if it is something that fixes problems for a subset of people, but is easier to just push to everyone because it doesn't hurt anything. For example, someone responded to my post on sevenforums (where I posted the same question and gave 2 examples of patches showing my problem) with the following,
"The KB2533552 patch is one which really only applies to RTM - any machine produced since SP1 released would have had that installed already. It's really only applicable in limited circumstances, but MS pushed it out to everyone to reduce further support problems.
The KB286116 is really only a cosmetic thing - but it can make troubleshooting a lot easier."
KACE support also said that they recommend either using KACE patching (and accepting that some semi-importantish updates won't be installed) or just using some other update manager like Windows update or WSUS. This finally makes some sense and I think we will take the first approach and just do the updates through KACE patching.
Comments:
-
Thanks for the update. I've been through 32 hours of training and I still don't grasp how KACE patching works! :) Everyone says it's so simple but I can't find a good guide or flow chart that really answers questions like this. - Ultimation 10 years ago
-
I was in the same boat as you. Through all of my research I came across this blog post http://www.itninja.com/blog/view/k1000-patching-setup-tips-things-i-have-learned-ldap-smart-labels-sql-reports which was very helpful for me. Hopefully you can find something worthwhile there too. - horstj 10 years ago
horstj,
If I am understanding your question, you have contradictory settings. In Windows Update, you've asked it for both Critical AND Recommended patches, but in the K1000, you've only asked it for Impact=Critical patches. If that is true, then you are getting exactly what you are asking for.
If you include both Critical AND Recommended patches in the K1000, then you'll be comparing apples to apples. Hope this helps.
Ron Colson
KACE Koach
Comments:
-
Thanks Ron, but I actually have the option unchecked on all of our Windows 7 machines to "Give me recommended updates the same way I receive important updates." That is why it seems that there is a disconnect between what Windows sees as critical and what KACE sees as critical. The patches listed in my last comment above all show up as being needed by Windows (again, only looking for critical updates), but KACE says they are recommended and therefore none are being downloaded. - horstj 10 years ago
horstj,
Sorry, I misread that. OK, then there may be a discrepancy with the dates. See, Lumension performs testing of all patches, after the vendor releases them, BEFORE your K1000 could ever get them. If they don't pass muster, they don't release them.
K1000 - Patching - Availability Matrix
So, that's where I'd look first. Also, if patches are marked as Inactive, perhaps because they are superseded, then they won't be detected.
Ron Colson, II
Comments:
-
I'm not 100% sure that the date is the problem. For example, patch with ID KB2506014 shows up in my patch listing with the following specs:
Title (short): Updates for Windows (All Languages)
Release Date: 04/12/2011
Type: Non-Security
Impact: Recommended
Severity: None
Reboot: Required
*Green check*: 51
*Yellow ?*: 1
*Red triangle*: 0
Size: 0
The date seems like it wouldn't be a problem in this case and it even detects that we have 51 machines that need the update. I hate to keep pounding this point, but the only thing I can think is that KACE thinks Impact = Recommended even though Windows thinks it's Critical. - horstj 10 years ago
horstj,
Based on your last comment, the K1000 definitely has it listed as Impact=Recommended. You'll probably need to open a ticket with KACE Support, so they can follow up with Lumension and verify the patch meta-data. Please update this thread with the results.
Ron Colson
KACE Koach
Comments:
-
That's what I was afraid of. I have an active ticket open with them, but they are unfortunately not being of much help. I will post back any solution we come up with. Thanks for your help. - horstj 10 years ago
select UID from KBSYS.PATCHLINK_PATCH
where (
    1 in (select 1 from KBSYS.PATCHLINK_LST, KBSYS.PATCHLINK_LST_PATCH_JT
          where KBSYS.PATCHLINK_PATCH.UID = KBSYS.PATCHLINK_LST_PATCH_JT.PATCHUID
            and KBSYS.PATCHLINK_LST_PATCH_JT.LST_ID = KBSYS.PATCHLINK_LST.ID
            and KBSYS.PATCHLINK_LST.ID in (201,203,205,204,206,207,208,209,215,217,218,214,202,211,212,100,301,303,305,304,306,307,308,309,315,317,318,314,302,311,312,101,32,33,36,38))
    and
    1 in (select 1 from KBSYS.PATCHLINK_LST, KBSYS.PATCHLINK_PACKAGE, KBSYS.PATCHLINK_PACKAGE_OS_TYPE_JT
          where KBSYS.PATCHLINK_PATCH.UID = KBSYS.PATCHLINK_PACKAGE.PATCHUID
            and KBSYS.PATCHLINK_PACKAGE.FILENAME = KBSYS.PATCHLINK_PACKAGE_OS_TYPE_JT.FILENAME
            and KBSYS.PATCHLINK_PACKAGE_OS_TYPE_JT.OS_TYPE_ID = KBSYS.PATCHLINK_LST.OS_TYPE_ID
            and KBSYS.PATCHLINK_LST.ID in (201,203,205,204,206,207,208,209,215,217,218,214,202,211,212,100,301,303,305,304,306,307,308,309,315,317,318,314,302,311,312,101,32,33,36,38))
)
and KBSYS.PATCHLINK_PATCH.IMPACTID = 'Critical'
and KBSYS.PATCHLINK_PATCH.IS_APP = '0'
and KBSYS.PATCHLINK_PATCH.IS_SUPERCEDED = '0'
Not sure where all of those numbers come in, but here is what I set up when I created the smart label:
Operating System = Win 7
AND Impact = Critical
AND Category = OS
AND Superseded = No
Now that I am looking at it like this, I see that part of the problem might be the "Category = OS" as some of the patches are listed as "Operating System = Applications Win x86 English". However, patches such as MS 2533552 Update for Windows 7 and Windows Server 2008 R2 (All Languages) (Rev 3), MS 2506014 Update for Windows (All Languages), Update for Windows 7 x64 (KB2718704), Update for Windows 7 x64 (KB2868116), etc. are all "Important Updates" in Windows, but the kbox shows them as "Impact = Recommended". - horstj 10 years ago
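As an added example (not from this thread, KACE or Lumension), the generated smart-label query above rewritten so the Impact filter accepts both Critical and Recommended patches, which is the "apples to apples" comparison Ron describes, followed by a review query that lists what the Critical-only label was dropping. It assumes IMPACTID stores the literal 'Recommended' for patches the K1000 UI shows as "Impact: Recommended" (the page only confirms the 'Critical' literal), and reuses the site-specific list IDs from the query above.

```sql
-- Added example, not the K1000's own generated SQL.
-- Assumption: IMPACTID holds 'Recommended' for UI "Impact: Recommended".
-- The list IDs below are the ones the K1000 generated for this site.
select P.UID
from KBSYS.PATCHLINK_PATCH P
where exists (
        select 1
        from KBSYS.PATCHLINK_LST L
        join KBSYS.PATCHLINK_LST_PATCH_JT J on J.LST_ID = L.ID
        where J.PATCHUID = P.UID
          and L.ID in (201,203,205,204,206,207,208,209,215,217,218,214,
                       202,211,212,100,301,303,305,304,306,307,308,309,
                       315,317,318,314,302,311,312,101,32,33,36,38))
  and exists (
        select 1
        from KBSYS.PATCHLINK_LST L
        join KBSYS.PATCHLINK_PACKAGE_OS_TYPE_JT T on T.OS_TYPE_ID = L.OS_TYPE_ID
        join KBSYS.PATCHLINK_PACKAGE K on K.FILENAME = T.FILENAME
        where K.PATCHUID = P.UID
          and L.ID in (201,203,205,204,206,207,208,209,215,217,218,214,
                       202,211,212,100,301,303,305,304,306,307,308,309,
                       315,317,318,314,302,311,312,101,32,33,36,38))
  and P.IMPACTID in ('Critical', 'Recommended')  -- original label: = 'Critical'
  and P.IS_APP = '0'                              -- Category = OS
  and P.IS_SUPERCEDED = '0';                      -- Superseded = No

-- Review query: non-superseded OS patches on the same lists that the
-- Critical-only label excluded. Run this first so each patch can be
-- checked against what Windows Update reports before the label is widened.
select P.UID
from KBSYS.PATCHLINK_PATCH P
where P.IMPACTID = 'Recommended'
  and P.IS_APP = '0'
  and P.IS_SUPERCEDED = '0'
  and exists (
        select 1
        from KBSYS.PATCHLINK_LST_PATCH_JT J
        where J.PATCHUID = P.UID
          and J.LST_ID in (201,203,205,204,206,207,208,209,215,217,218,214,
                           202,211,212,100,301,303,305,304,306,307,308,309,
                           315,317,318,314,302,311,312,101,32,33,36,38));
```

The first query can be pasted into a K1000 patch smart label's SQL editor in place of the generated one; the second is only for review in a reporting tool, not for a label.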