ConnectWise Automate Patch Manager – Missing Patches

ProVal Tech’s MSP Consultant Alex talks about Patch Manager in ConnectWise Automate and why your patches may not always line up with expectations. Alex goes in-depth on why Patch Manager only scans the OS for installed patches when a patching cycle runs, that is, when it installs (or tries to install) patches. This means it is a good idea to patch as often as possible, so your machines get scanned and updated appropriately. If you install patches manually, or manually upgrade a Windows build to a new feature release, the patches shown in ConnectWise Patch Manager WILL NOT line up until the next patches in Patch Manager get applied to that machine's queue.

Step by Step:

  1. One thing to note about Windows 10 patching is that far fewer patches show as installed than on any previous Windows version, including Windows 8, Windows 7, and earlier.
  2. First, pull a list of installed patches using the PowerShell cmdlet Get-HotFix. On the left-hand side is a Windows 8.1 machine showing 170 patches installed.
  3. On the right we have a Windows 10 machine, but it shows only eight patches. This is because most Windows 10 patches are rolled up into the cumulative updates.
  4. At any given time you are looking at a minimum of four patches; the average seems to be about 12, up to about 14 patches at most, for Windows 10.
  5. From here you want to make sure those patches are approved and applied to the machine, because Patch Manager uses the Automate tables to keep everything aligned with the agent. That is why offline agents show missing patches, and that number goes up the longer they are offline.
  6. Another troubleshooting step is to run an Update Config on the agent.
  7. When that completes, resend the patch inventory; this recalculates the patches in the Automate database only.
  8. Once the Update Config and patch inventory commands complete, this sometimes shows new patches; usually it shows anything either detected or installed. However, it is not the same list you would get from running Get-HotFix in PowerShell.
  9. For example, if I open a command prompt and run "~Get-HotFix" (if you did not know, the tilde is the quick way to run PowerShell through this command-line interface) and hit enter, the command runs to completion.
  10. We can grab all of these KBs (Knowledge Base IDs), and as we see there are more here; usually it is fewer than what Patch Manager detected. In this case we can verify which ones match, and in fact it looks like none of them do.
  11. One thing to note about the discrepancy between the two is that Automate's native behaviour is to scan the machine only when patching occurs, so the only way to really understand whether it is working is to look in the Patch Job tab.
  12. You're looking for the last time any patch was downloaded and installed. At that point Automate scans the whole OS for installed patches, and it does that using a Get-HotFix style PowerShell query.
  13. Next, the list is grabbed and Patch Manager is updated with what is installed. Once that is updated, it should clear out any of the older patches that don't match what is currently installed on the machine.
  14. One thing to note with Automate's patching: if you update the machine outside of Automate (i.e. running a script or anything else that upgrades its feature build, or doing it manually), ConnectWise Automate's Patch Manager will not detect any of those patches until the next patching cycle.
  15. There are likely machines in your environment that show no patch inventory, or no new patch inventory. This is known Automate behaviour: the inventory will only update the next time the patching cycle comes around. If there are approved patches pending on those machines, it will download the patches, install them, reboot the machine as part of its normal patching cycle, and scan the OS that way.

Extra Information about the creation of the video:

  • Alex thought it would be a good idea to put out a video to let everybody know why patches go missing, especially after manually using the Windows Upgrade Assistant. It upgrades the feature build, and then Patch Manager shows either a zero inventory or a gap between a June update (or a prior update) and nothing until the next cumulative update.
  • If you run monitors to detect whether patches are installed, a good idea is to use a remote monitor that runs PowerShell and parses the results to grab the KBs (Knowledge Base IDs) you are looking for. Otherwise, at this moment, while Windows is in transition to the latest feature build, the Patch Manager tables may not be as reliable as they once were.
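The Get-HotFix comparison described in the steps above (pulling the installed KBs and checking which ones match Patch Manager's list) and the remote-monitor idea in the last bullet, as an added PowerShell example that is not ProVal Tech's or ConnectWise's own code. The function names Get-InstalledKBs, Compare-ExpectedKBs and Get-MonitorResult and the $ExpectedKBs list are assumptions made for this example; the KB numbers in the usage section are constructed placeholders, not real patch IDs.

```powershell
# Added example (not ProVal Tech's or ConnectWise's code): compare the KBs that
# Get-HotFix reports against a list of KBs you expect to be present (for example,
# the approved patches Patch Manager believes it installed) and emit a one-line
# result a remote monitor can match on.
#
# Assumptions: the $ExpectedKBs list is yours to fill in; the KB numbers used in
# the usage section are constructed placeholders.

function Get-InstalledKBs {
    # Get-HotFix only reports what the OS itself says is installed, which is
    # the same view Automate takes when it scans after a patch job.
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-HotFix -ComputerName $ComputerName |
        Where-Object { $_.HotFixID -match '^KB\d+$' } |
        Select-Object -ExpandProperty HotFixID |
        ForEach-Object { $_.ToUpper() } |
        Sort-Object -Unique
}

function Compare-ExpectedKBs {
    param(
        [Parameter(Mandatory)] [string[]]$ExpectedKBs,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]]$InstalledKBs
    )
    # Normalise both sides so "kb5000000", "KB5000000" and " KB5000000 " compare equal.
    $expected  = @($ExpectedKBs  | ForEach-Object { $_.Trim().ToUpper() } | Sort-Object -Unique)
    $installed = @($InstalledKBs | ForEach-Object { $_.Trim().ToUpper() } | Sort-Object -Unique)

    $missing = @($expected  | Where-Object { $installed -notcontains $_ })
    $present = @($expected  | Where-Object { $installed -contains $_ })
    # Installed on the box but absent from the expected list: this is where
    # patches applied outside Automate (manual installs, a feature upgrade)
    # show up until the next patching cycle re-scans the machine.
    $extra   = @($installed | Where-Object { $expected  -notcontains $_ })

    [pscustomobject]@{
        Present           = $present
        Missing           = $missing
        NotInExpectedList = $extra
    }
}

function Get-MonitorResult {
    # Returns a single line suitable for a remote monitor "result contains" check.
    param([Parameter(Mandatory)] [string[]]$ExpectedKBs)
    $installed = @(Get-InstalledKBs)
    $report = Compare-ExpectedKBs -ExpectedKBs $ExpectedKBs -InstalledKBs $installed
    if ($report.Missing.Count -eq 0) {
        "OK: all $($report.Present.Count) expected KBs installed"
    } else {
        "MISSING: " + ($report.Missing -join ',') +
        " (present: " + ($report.Present -join ',') + ")"
    }
}

# --- Usage ---
# Placeholder KB numbers, constructed for this example; replace with the KBs
# Patch Manager reports as approved/installed for the machine.
$ExpectedKBs = @('KB0000001', 'KB0000002', 'KB0000003')
Get-MonitorResult -ExpectedKBs $ExpectedKBs
```

Feed Compare-ExpectedKBs the KBs Patch Manager believes are on the machine and the Missing set is the mismatch the video talks about; NotInExpectedList is the opposite direction, patches the OS has but Automate does not know about yet. Get-MonitorResult is shaped so a remote monitor can alert on a result beginning with MISSING rather than on a raw Get-HotFix dump. From the Automate agent command prompt the steps describe, PowerShell is invoked with the ~ prefix.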