MS and KACE do not agree on patch impact
Hello, I am having a major issue with our current patch deployment. The problem is that when I image a new machine, run a patch schedule from the K1000, and then check the machine using Windows Updates, there are 20+ patches that got overlooked. I looked these patches up and they are in the patch listing of the K1000, but they are not getting downloaded because they are not "Impact: Critical". I set our patch download settings up to only allow Critical OS patches and would like to keep it that way. However, I also have Windows Update set to not "Give me recommended updates the same way I receive important updates" so this should be fine.
It seems that there is some disconnect in how MS and Lumension (I think that is what KACE uses for patching) classify the impact of a patch. I know that one thing I could do would be to create a "dumb" patch label to whitelist the problematic patches, but I think this could get unmanageable pretty quickly. I reached out to KACE support, but am having a hard time getting them to understand what is happening. Is anyone else having this issue or has anyone found a workaround?
Any help would be great!
Community Chosen Answer
I finally got a good answer from KACE support. It seems that MS and Lumension take different approaches altogether. Lumension focuses only on OS critical updates which will have a negative effect on the operation of the system if not applied. MS, on the other hand, has bundled OS and application updates together and labels patches as important if it is something that fixes problems for a subset of people, but is easier to just push to everyone because it doesn't hurt anything. For example, someone responded to my post on sevenforums (where I posted the same question and gave 2 examples of patches showing my problem) with the following:
"The KB2533552 patch is one which really only applies to RTM - any machine produced since SP1 released would have had that installed already. It's really only applicable in limited circumstances, but MS pushed it out to everyone to reduce further support problems.
The KB286116 is really only a cosmetic thing - but it can make troubleshooting a lot easier."
KACE support also said that they recommend either using KACE patching (and accepting that some semi-importantish updates won't be installed) or just using some other update manager like Windows Update or WSUS. This finally makes some sense and I think we will take the first approach and just do the updates through KACE patching.