jklein68

Patch Manager Centralization


Was just told by Automate support that Patch Manager requires all Windows devices to have unrestricted access to Windows Update via the internet to get patch inventory.  I know that Automate uses the WUA for patching.

I have reviewed the content here for caching but still not 100% on inventory.

1.  Is this information correct?

2.  Is there a way to provide patch inventory without internet access?

We have Windows desktops that have very limited access to the internet for security purposes.  We were told that Automate managed the patch inventory and was able to distribute the patches.

Thanks.

Edited by jklein68


The answer you received is essentially correct.

The Automate Patch Manager acts as a front end for the Windows Update API, which is exposed by the Windows Update Agent (WUA), which in turn is a Windows component that resides on the managed endpoint. The WUA is the behind-the-scenes Windows Component that the Windows Updates Control Panel in Windows interfaces with. The patches that the Automate Patch Manager displays are the aggregated cumulative results that Automate discovers by querying each endpoint's WUA with two questions:

  1. What patches are already installed on this machine?
  2. What patches are available for this machine?

Automate's business logic massages the data and presents it in a centralized, mass-manageable form, but without sourcing that data from the WUA, it's no more than a computerized Jon Snow - it knows nothing.

Thus, your options are either:

  1. Whitelist all the required Windows Update internet sources in your ACLs - https://social.technet.microsoft.com/Forums/en-US/90843d78-47a0-4136-9c1f-d5450ea8cd80/need-windows-update-servers-ip-address-range-to-allow-in-firewall?forum=systemcenterupdates has an unofficial list provided by an official Microsoft resource,
  2. Continue to use WSUS to, at a minimum, source the patches, and bear the pain of integrating Automate with WSUS, or
  3. Drink the Micro$oft KoolAid and implement Microsoft SCCM alongside Microsoft WSUS for truly managed WSUS patching.

Good luck!


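To make the two questions above concrete, here is an added example (not code from the original post, and not Automate's or ConnectWise's own code) that asks the local Windows Update Agent the same things through its COM API and shows which answer depends on network reachability. It assumes an elevated PowerShell session on a Windows endpoint; the `$OfflineScanCab` parameter is a hypothetical option for a locally copied Microsoft offline scan package (`wsusscn2.cab`), which is one way the "available" question can be answered without the endpoint reaching WSUS or the internet.

```powershell
# Added example, not Automate's code: query the Windows Update Agent (WUA) the way a
# patch-management front end does, and show where each answer comes from.
param(
    # Assumed parameter: path to a locally copied wsusscn2.cab, if you have one.
    [string]$OfflineScanCab = ''
)

# 0. Which source is this agent configured to ask for "available" updates?
#    UseWUServer=1 plus a WUServer URL means WSUS; otherwise Microsoft Update on the internet.
$wuPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
$auPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($auPol.UseWUServer -eq 1 -and $wuPol.WUServer) {
    Write-Host "Configured source: WSUS ($($wuPol.WUServer))"
} else {
    Write-Host "Configured source: Microsoft Update over the internet (no WSUS policy set)"
}

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# 1. "What patches are already installed?"
#    Answered from the agent's local update history, so it needs no network at all.
$historyCount = $searcher.GetTotalHistoryCount()
$installed = @()
if ($historyCount -gt 0) {
    # Operation 1 = Installation, ResultCode 2 = Succeeded
    $installed = @($searcher.QueryHistory(0, $historyCount) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 })
}
Write-Host "Installed (successful installs in WUA history): $($installed.Count)"
$installed | Select-Object -First 5 | ForEach-Object {
    Write-Host ("  {0:yyyy-MM-dd}  {1}" -f $_.Date, $_.Title)
}

# 2. "What patches are available?"
#    The agent must evaluate the machine against a catalog, and it gets that catalog from
#    its configured service (WSUS or the internet)...
if ($OfflineScanCab -and (Test-Path $OfflineScanCab)) {
    # ...or from a locally supplied scan package, which needs no connectivity.
    # ServerSelection 3 = ssOthers: search the registered offline package instead.
    $svcMgr  = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $offline = $svcMgr.AddScanPackageService('Offline Sync Service', $OfflineScanCab)
    $searcher.ServerSelection = 3
    $searcher.ServiceID = $offline.ServiceID
    Write-Host "Scanning against offline catalog $OfflineScanCab"
} else {
    # ServerSelection 0 = ssDefault: follow the policy shown in step 0.
    $searcher.ServerSelection = 0
}

try {
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
    Write-Host "Available (not yet installed): $($result.Updates.Count)"
    foreach ($u in $result.Updates) {
        $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Write-Host ("  [{0,-11}] {1}  {2}" -f $u.MsrcSeverity, $kbs, $u.Title)
    }
} catch {
    # On a host that can reach neither WSUS nor the internet (and has no offline cab),
    # the search itself throws: there is no "available" inventory to hand to Automate.
    Write-Host "Search failed: $($_.Exception.Message)"
    Write-Host "The agent could not reach an update source; 'available' is unknown, not zero."
}
```

Run it once with no arguments on a restricted desktop and the first question will still answer from local history while the second fails, which is exactly the gap the support answer describes; run it again with `-OfflineScanCab C:\path\to\wsusscn2.cab` and the second question answers from the local file instead of the network.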

Thanks @MetaMSP, this is quite helpful.  I understand the current state of the product now.

Purely for discussion, wouldn't it make more sense for Automate to centrally inventory the patches and then have the WUA query LT for what patches are available?  This is what WSUS does, as well as other patching solutions.  Regardless, if we can get WSUS to integrate we'll be moving in the right direction.

Jason


Not an expert, but coming off of one RMM and into another RMM, my general impression is that basically you're either relying on a Microsoft system (WUA) to get your patch info & installation done, or you're relying on a Microsoft system (WSUS) to get your patch info and... you get the idea.

Kaseya tried to do the "we're going to maintain our own DB and shut out WUA" trick, which was unwieldy as heck AND basically became untenable once MS switched a lot of patches to "Internet install only." Eventually they punted to more-or-less what Automate's doing (albeit not nearly as well), which is just querying and triggering actions via WUA. It's Microsoft's world, we just try to get by in it.
