- To ease the process of patch management, the Patch Management filter head, under View Definitions, lets you further refine a machine ID / machine group filter based on different patch status attributes and conditions.
- View filtering can be applied on all function pages by selecting a specific View from the drop-down list or Create New.
- Click “Edit” on the required Kaseya View and under “Patch management” you can select diverse options to view only the desired machines with specific attributes. For example: Only machines which have failed patches on them.
Various options/filters are available to choose from, and either one or multiple attributes can be selected for desired results. The top 7 “must have” views for better management and gaps identification for patching are as below:
– Machines that have no patch scan results (unscanned) – List machines that have not been scanned for missing patches
One of the most critical steps in patch management is identifying the list of missing patches, because the VSA decides which patches to push to a machine based on the results of these scans.
Patch scans make WUA agents on machines run a complete scan comparing what’s available vs what’s installed to help look for the latest information on installed/missing patches. Selecting this option will help in filtering out machines on which the patch scan has not been running. Until this is fixed, machines will not be able to get any patches through VSA.
– Machines missing greater than or equal to “N” patches – List machines missing a specified number of Microsoft patches.
Example: To extract machines with 10+ missing patches, select this filter, enter 10 in the provided space, and check the option “Use Patch Policy” to avoid the denied set.
– Machines with patch installation failures – List machines on which patches are failing to execute/install.
Patches can fail during execution due to various Windows error codes. Working on these failed patches is the most important aspect of patch management, because some patches depend on a previous set of patches, so issues with the previous patches need to be fixed before the dependent ones can be pushed.
– Machines with Patch Test Results – List machines with the selected patch test result.
Patch Test – It provides admins the ability to execute a sample patch cycle to identify likely issues within the patching process. The success of this test is a strong indication that the patch process will be successful.
We can create a filter for machines with failed patch tests to identify the issues where the communication between the VSA and the machine is broken.
– Machines missing a specific patch (identified by the patch’s 6-digit KB Article ID) – Lists machines missing a specific patch
Example: To filter out machines missing a specific KB required for an emergency vulnerability fix.
We can enter the KB article ID in the specified field to get the machines on which this specific patch is missing to schedule a push on them accordingly.
– Machines with an installed patch (identified by the patch’s 6-digit KB Article ID) – Lists machines which have a specific patch installed.
This is the reverse of the previous view: we can also filter out the machines on which a specific patch is installed, which is sometimes required to identify machines that have a patch with a bug that is causing issues.
We just need to enter the KB article ID in the specified field to get the required list of machines and push out the uninstalls to fix the issues.
– Windows Automatic Update is either enabled/disabled – Lists machines on which Windows Automatic Update is either enabled or disabled.
It is necessary to keep Windows Automatic Update disabled on all of the managed machines in order to allow VSA to take control of the patch configuration and follow the defined settings. Leaving it enabled is one of the major reasons identified for unplanned patching and reboots.
To avoid these issues along with others, like installation of a denied set of patches, we can filter out the machines on which Windows Automatic Update is enabled and disable it on them to retain control of the patch management process through VSA.
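To cross-check what these views report for a single machine, the script below queries the local Windows Update Agent and the Automatic Updates policy key directly on the endpoint. It is an added example, not Kaseya code and not part of the original article; the `$KbId` placeholder and `$Threshold` default are assumptions, and the local result knows nothing about VSA patch policy, so counts can differ from a view that has “Use Patch Policy” checked.

```powershell
# Added example (not Kaseya code): local spot-check of the attributes the views filter on.
# Run in Windows PowerShell on the endpoint. $KbId and $Threshold are assumptions.
param(
    [string]$KbId = '000000',  # placeholder: digits of the KB Article ID to check
    [int]$Threshold = 10       # the "N" used in the missing-patches view
)

# Windows Update Agent (WUA) COM API, the agent a patch scan drives.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()

# Missing = software updates WUA reports as applicable, not installed, not hidden.
# This local result is not filtered by any VSA approved/denied patch set.
$missing    = @($searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates)
$missingKbs = @($missing | ForEach-Object { @($_.KBArticleIDs) } | Sort-Object -Unique)

# Installed check: Get-HotFix reads Win32_QuickFixEngineering,
# so some update types never appear there.
$hotfix = Get-HotFix -Id "KB$KbId" -ErrorAction SilentlyContinue

# Install failures from WUA history: Operation 1 = installation, ResultCode 4 = failed.
$total    = $searcher.GetTotalHistoryCount()
$failures = @()
if ($total -gt 0) {
    $failures = @($searcher.QueryHistory(0, $total) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 4 } |
        Sort-Object Date -Descending |
        Select-Object Date, Title, @{ n = 'HResult'; e = { '0x{0:X8}' -f $_.HResult } })
}

# Windows Automatic Update state as set by policy: NoAutoUpdate = 1 means disabled.
$auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$policy = Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    MissingCount       = $missing.Count
    AtOrAboveThreshold = ($missing.Count -ge $Threshold)
    KbMissing          = ($missingKbs -contains $KbId)
    KbInstalled        = [bool]$hotfix
    InstallFailures    = $failures.Count
    RecentFailures     = @($failures | Select-Object -First 5)
    AutoUpdateDisabled = ($null -ne $policy -and $policy.NoAutoUpdate -eq 1)
}
```

A machine that shows up in the “patch installation failures” view should report a non-zero `InstallFailures` here, and the `HResult` values give the Windows error codes to work from.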
It is important to create and frequently check these views, so that you can identify and plan to fix these issues for optimum results, and then you are able to create better patch compliance across your client base. If you need help with configuration of these views and remediations, please get in touch.