Patch / Update Management

Goal

Provide a routine patch / update management strategy for managed machines to include scanning and patching, patch approval policies, control over patching behavior and visibility of patch status/compliance for decision support and troubleshooting.

Overview

Kaseya Patch Management supports Microsoft Windows patching only. A machines patch status is detected through a Patch Scan, and patch deployment is accomplished through either Automatic Update, Initial Update, Machine Update or Patch Update scheduling. A Patch Scan detects patches that are missing and installed on a machine and so that decisions about how to proceed with the patching strategy can be made. Patches that are detected by a Patch Scan are presented in an array of Patch Policies which can then be used to control which patches are approved to be deployed to machines. Automatic Updates deploys approved patches to machines on a schedule and based on their Patch Policy membership. Initial Updates, Machine Updates, and Patch Updates provide one-off or manual scheduling capabilities to the overall patch strategy. To keep available patch status information about machines up to date so that deployment and approval decisions can be made related to patch, it is important to schedule the Patch Scans audits in some regularly recurring pattern. The deployment of patches on a regular basis is also critical to the goals of Patch Management, so scheduling Automatic Updates to take place is also important. Using the Patch Management content these recurring tasks can be scheduled. The Patch Management content also includes a set of Patch Policies to which different machines can be assigned either automatically or manually. With this Patch Management strategy, there must be easy ways to locate specific systems based on the details of patches installed and/or missing, quantity of missing patches, machines in certain Patch Policies and there must be ways of reporting and effectively acting on these groups of machines if needed. Additional content provided with the package offer some basic support for Macintosh Software Updates, and Linux Package Updates/Upgrades.

Policies

A set of Policies that apply recurring Patch Scan and Automatic Update schedules across the Windows machines supported within the IT infrastructure is provided. These policies enable the recurring detection of patches that are installed and missing across all machines as well as the scheduling of deployment of approved patches. Policies are also included to assign Windows servers and workstations to the appropriate Patch Policies and to support not patching certain machines or setting up a test group for deploying patches prior to a general approval and deployment of new patches. An additional policy that applies recurring Macintosh Software Update schedules across the Macintosh machines supported within the IT infrastructure is provided.

The policies included are located under [System].Core.Org Specific Policies.Patch / Update Management, and are described below.

Windows.Common Windows Patch Mgmt Settings
- Deny Patch Settings - Applies patch management settings to machines selected in the 'zz[SYS] Policy - Patch_Deny Patching Group' View. Sets Reboot Action to "Do not reboot after update". Sets Patch Policy membership to the 'Deny Patching' patch policy. Sets Patch Alerts to generate an Alarm and Email the 'Patch Alerts' email address when a "Patch install fails" or the "Agent credential is invalid or missing".
- Test Patch Settings - Applies patch management settings to machines selected in the 'zz[SYS] Policy - Patch_Test Patching Group' View. Sets Reboot Action to "If user logged in ask to reboot every 60 minutes until reboot occurs. Reboot if user not logged in". Sets Patch Policy membership to the 'Test Patching' patch policy. Sets Patch Alerts to generate an Alarm and Email the 'Patch Alerts' email address when a "Patch install fails" or the "Agent credential is invalid or missing".
- Disable Windows Automatic Update - Disables Windows Automatic Updates on machines that have Windows Automatic Update Enabled. If Windows Automatic Update is enabled and Kaseya Patch management is being used, then Windows Automatic Update may conflict with the Kaseya patch management strategy and may result in the deployment of patches that have been denied or are still pending approval in Kaseya.
- File Source Internet - Sets the File Source for patch management to the Internet for all Windows machines so that patches are downloaded directly from the Microsoft patch and download servers. This policy is the default and can be overridden with an alternate policy that is applied to specific orgs or machine groups and which has precedence over this policy.
Windows.Windows Workstation Patch Mgmt Settings
- Workstation Patch Settings - Applies patch management settings to Windows Workstations. Sets Reboot Action to "If user logged in ask to reboot every 60 minutes until reboot occurs. Reboot if user not logged in". Sets Patch Policy Membership to the 'Workstation Patching' patch policy. Sets Patch Alerts to generate an Alarm and Email the 'Patch Alerts' email address when a "Patch install fails" or the "Agent credential is invalid or missing".
- Daily Wkst Schedule for 10+ Patches (Auto Update M-F 6am-6pm/Power Mgmt) - Applies Daily Auto Update schedules to Workstation Patching Policy members that are missing 10 or more approved patches. Auto Updates are scheduled M-F each week from 6am-6pm. This policy is generally used when customers have machines that are missing quite a few patches and they want to get those systems up to date over the course of days rather than weeks or months. Once the machines are patched, then they will not need to be patched on a daily basis anymore. Auto Updates are performed in the daytime to handle customers where machines are generally powered off at night, but the power management option is enabled on these schedules so that any machines powered off during the day can be woken up prior to performing these operations.
- Weekly Wkst Schedule (Scan Tu 6am-6pm/Auto Update W 6am-6pm/Power Mgmt) - Applies Weekly Patch Scan and Auto Update schedules to Workstation Patching Policy members. Patch Scans are scheduled on Tue of each week from 6am-6pm and Auto Updates are scheduled on Wed of each week from 6am-6pm. This policy is generally used when customers want to take a more aggressive approach to patching to help minimize risk due to machines not being patched and thus want new patches deployed relatively quickly to machines. Auto Updates are performed in the daytime to handle customers where machines are generally powered off at night, but the power management option is enabled on these schedules so that any machines powered off during the day can be woken up prior to performing these operations.
Windows.Windows Server Patch Mgmt Settings
- Server Patch Settings - Applies patch management settings to Windows Servers. Sets Reboot Action to "Do not reboot after update", "When reboot required, send email to 'Patch Alerts' email address". Sets Patch Policy Membership to the 'Server Patching' patch policy. Sets Patch Alerts to generate an Alarm and Email the 'Patch Alerts' email address when a "Patch install fails" or the "Agent credential is invalid or missing".
- Weekly Srvr Schedule (Scan W 6pm-6am) - Applies Patch Scan schedule to Server Patch Policy members. Patch Scans are scheduled on Wed of each week from 6pm-6am. No patch Auto Update deployments are scheduled on servers by this policy.
Macintosh.Macintosh Workstation Software Update Settings
- Weekly Macintosh Workstation Software Update (Install Recommended W 6pm-6am) - Applies a Mac Software Update to run on Wed of every week that will install recommended Macintosh Software updates on Macintosh Workstations. Software Updates are performed in the daytime to handle customers where machines are generally powered off at night, but the power management option is enabled on these schedules so that any machines powered off during the day can be woken up prior to performing these operations.

Patch Approval/Denial Policies

Note: Patch approval/denial "policies" are a specialized type of policy in the Patch Management module that should not be confused with policies defined using Policy Management module. Policy Management policies have been created that specify predefined patch approval/denial policies.

A set of predefined Patch Policies is provided to control approval and denial of various Windows patches applicable to the supported Microsoft software and Windows operating systems.

Patch Policy Name	Description
zz[SYS] Deny Patching	Used for denying all patches in cases where machines must not be patched for particular reasons. The Default Approval Status for new patches of all Microsoft Security Classifications is set to Denied. See Managing Patch Policy Memberships for more information on how machines can be assigned to this Patch Policy.
zz[SYS] Server Patching	Used for approving and denying patches for Windows Servers. The Default Approval Status for new patches of all Microsoft Security Classifications is set to Pending Approval. All Windows Servers are made a member of this Patch Policy when Server Patch Management is enabled through Automated Systems Management.
zz[SYS] Test Patching	Used for approving and denying patches for machines that are to be used for testing patches prior to general deployment to Windows Servers and Workstations. The Default Approval Status for new High Priority Security and Critical Updates based on their Microsoft Security Classifications is set to Approved. All Windows Servers are made a member of this Patch Policy when Server Patch Management is enabled through Automated Systems Management. See Managing Patch Policy Memberships for more information on how machines can be assigned to this Patch Policy.
zz[SYS] Workstation Patching	Used for approving and denying patches for Windows Workstations. The Default Approval Status for new High Priority Security and Critical Updates based on their Microsoft Security Classifications is set to Approved. All Windows Workstations are made a member of this Patch Policy when Workstation Patch Management is enabled through Automated Systems Management.

Views

An array of predefined Views is provided which can be used in all aspects of IT service management and in support of the Patch /Update Management service. These Views provide the ability to filter machines across the system based on their patch configuration, quantity of patches missing, patch reboot status, and patch policy membership, and more. The following Views can be used on both reporting and operational activities.

View Name	Description
zz[SYS] Patch - Deny Patching Policy	Displays all machines assigned as members to the "zz[SYS] - Deny Patching" patch policy.
zz[SYS] Patch - Missing 10+ Approved Patches	Displays all machines that are missing 10 or more approved patches based on the machines patch policy memberships and and the approved patches within those policies.
zz[SYS] Patch - Missing 20+ Approved Patches	Displays all machines that are missing 20 or more approved patches based on the machines patch policy memberships and and the approved patches within those policies.
zz[SYS] Patch - No Policy	Displays all machines that are not assigned to any patch policy
zz[SYS] Patch - Pending Reboot	Displays all machines with a pending patch deployment related reboot
zz[SYS] Patch - Scan Failed	Displays all machines where the last patch scan failed for some reason
zz[SYS] Patch - Scan Not Scheduled	Displays all machines that do not have a patch scan scheduled
zz[SYS] Patch - Server Patching Policy	Displays all machines that are a member of the "zz[SYS] - Server Patching" patch policy
zz[SYS] Patch - Servers w No Policy	Displays all Server machines that are not assigned to any patch policy
zz[SYS] Patch - Test Patching Policy	Displays all machines that are a member of the "zz[SYS] Test Patching" patch policy.
zz[SYS] Patch - Windows Auto Update Enabled	Displays all machines with Windows Automatic Update Enabled based on what was detected during the last Patch Scan
zz[SYS] Patch - Workstation Patching Policy	Displays all machines that are a member of the "zz[SYS] - Workstation Patching" patch policy
zz[SYS] Patch - Workstations w No Policy	Displays all Workstations machines that are not assigned to any patch policy

Agent Procedures

Agent procedures are provided that perform customized automation in support of the Patch /Update Management IT service. These agent procedures are located under the System cabinet of the Agent Procedures > Schedule / Create page.

Create Patch Management System Restore Point - Runs as a pre-procedure for Automatic Updates. Restore points can be used during a recovery in the event that an installed patch/update causes problems.
- Location: System.Core.1 Windows Procedures.Desktops.Maintenance.Common Maintenance Tasks.System Restore.Create Patch Management System Restore Point
- Description: Uses WMIC to create a System Restore Point called Patch Management. This agent procedure can be called prior to a patch deployment through a Automatic Update Pre-Agent Procedure.
- Run by Policy: System.Core.Org Specific Policies.Patch/Update Management.Windows Workstation Patch Settings.Workstation Patch Settings
Mac Software Update - Install Recommended Updates and Retrieve/Log Results
- Location: System.Core.2 Macintosh Procedures.Software Update.Mac Software Update - Install Recommended Updates and Retrieve/Log Results
- Description: Installs recommended Mac software updates.
- Run by Policy: System.Org Specific Policies.Patch / Update Management.Macintosh.Macintosh Workstation Software Update Settings.Monthly Macintosh Workstation Software Update (Install Recommended 1st W 6pm-6am)