Patch Manager Centralization

Was just told by Automate support that Patch Manager requires all Windows devices to have unrestricted access to Windows Update via the internet to get patch inventory.  I know that Automate uses the WUA for patching.

I have reviewed the content here for caching but still not 100% on inventory.


1.  Is this information correct?

2.  Is there a way to provide patch inventory without internet access?


We have Windows desktops that have very limited access to the internet for security purposes.  We were told that Automate managed the patch inventory and was able to distribute the patches.



Edited by jklein68

The answer you received is essentially correct.

The Automate Patch Manager acts as a front end for the Windows Update API, which is exposed by the Windows Update Agent (WUA), which in turn is a Windows component that resides on the managed endpoint. The WUA is the behind-the-scenes Windows Component that the Windows Updates Control Panel in Windows interfaces with. The patches that the Automate Patch Manager displays are the aggregated cumulative results that Automate discovers by querying each endpoint's WUA with two questions:

  1. What patches are already installed on this machine?
  2. What patches are available for this machine?

Automate's business logic massages the data and presents it in a centralized, mass-manageable form, but without sourcing that data from the WUA, it's no more than a computerized Jon Snow - it knows nothing.

Thus, your options are either:

  1. Whitelist all the required Windows Update internet sources in your ACLs - https://social.technet.microsoft.com/Forums/en-US/90843d78-47a0-4136-9c1f-d5450ea8cd80/need-windows-update-servers-ip-address-range-to-allow-in-firewall?forum=systemcenterupdates has an unofficial list provided by an official Microsoft resource,
  2. Continue to use WSUS to, at a minimum, source the patches, and bear the pain of integrating Automate with WSUS, or
  3. Drink the Micro$oft KoolAid and implement Microsoft SCCM alongside Microsoft WSUS for truly managed WSUS patching.

Good luck!

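Added example, not from this thread or from ConnectWise: a PowerShell snippet that asks the local WUA the same two questions described above through its COM API, after first checking whether group policy points the endpoint at a WSUS server. It assumes a Windows endpoint and an elevated session; the registry path and COM interfaces are standard Windows ones.

```powershell
# Added example (not from the thread or the vendor): query the local Windows
# Update Agent the way a front end such as Patch Manager must.
# Run on a Windows endpoint in an elevated PowerShell session.

# 1. Is this endpoint redirected to a managed server (WSUS) by policy?
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wsus = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).WUServer
$useWsus = (Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue).UseWUServer
if ($useWsus -eq 1 -and $wsus) {
    "Update source: WSUS at $wsus (no internet reach to Windows Update required)"
} else {
    "Update source: Windows Update / Microsoft Update on the internet"
}

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# 2. Question one: what is already installed? Answered from the WUA's local
#    datastore, so it works without reaching any update source.
$installed = $searcher.Search('IsInstalled=1 and IsHidden=0').Updates
"Installed updates known to the WUA: $($installed.Count)"

# 3. Question two: what is available? This needs the configured source
#    (internet or WSUS) to be reachable; with neither, the search errors out.
try {
    $pending = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    "Available but not installed: $($pending.Count)"
    $pending | ForEach-Object {
        [pscustomobject]@{
            KB       = ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $_.MsrcSeverity
            Title    = $_.Title
        }
    } | Format-Table -AutoSize
} catch {
    "Available-update search failed (update source unreachable?): $($_.Exception.Message)"
}
```

If the first line reports an internet source and the third step fails, the endpoint's egress policy is blocking exactly the lookup the RMM depends on for inventory.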

Thanks @MetaMSP, this is quite helpful.  I understand the current state of the product now.

Purely for discussion, wouldn't it make more sense for Automate to centrally inventory the patches and then have the WUA query LT for what patches are available?  This is what WSUS does as well as other patching solutions.  Regardless, if we can get WSUS to integrate we'll be moving in the right direction.



Not an expert, but coming off of one RMM and into another RMM, my general impression is that basically you're either relying on a Microsoft system (WUA) to get your patch info & installation done, or you're relying on a Microsoft system (WSUS) to get your patch info and... you get the idea.

Kaseya tried to do the "we're going to maintain our own DB and shut out WUA" trick, which was unwieldy as heck AND basically became untenable once MS switched a lot of patches to "Internet install only." Eventually they punted to more-or-less what Automate's doing (albeit not nearly as well), which is just querying and triggering actions via WUA. It's Microsoft's world, we just try to get by in it.
