Patch Management FAQ [KSC for Windows]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

If you open KSC -> Advanced -> Application management -> Software Updates, there is a column Not assigned for installation (new version). Some computers may have this status or Not assigned for installation status. What does it mean?

• Installation status Not assigned for installation means that the update is applicable for this host (as a minor upgrade), but there is no patch management tasks for this host having an appropriate rule to install this update (update doesn't match any rule in any patch management task for this host). Column Not assigned for installation means number of computers having installation status Not assigned for installation.
• Installation status Not assigned for installation (new version) means that the update is applicable for this host (as a major upgrade - new version), but there is no patch management tasks for this host having an appropriate rule to install this update (update doesn't match any rule in any patch management task for this host). Column Not assigned for installation (new version) means number of computers having installation status Not assigned for installation (new version).

Some computers have in Installation status Not assigned for installation. Should anything be done?

Yes. Such updates should be analyzed, and if they should be installed, the administrator should decide, why it should be installed, and why it is not yes assigned for installation by any patch management task.

• if there is no patch management task at all, it must be created, etc.
• if this update should be installed because it fixes a vulnerability, then probably existing patch management tasks should have a rule to install all patches which fix vulnerabilities having certain vulnerability rating (such rule to install all updates fixing Critical vulnerabilities is created in default patch management task);
• if existing patch management task have a rule to install all manually approved updates (such rule is also created by default in default patch management task), then this update should be approved by administrator (the update approval state should be changed to Approved);
• if this update is a MS update of types Critical Update or Security Update, then it should also be installed by default and such rule should be created for a task (such rule is also created by default in the default patch management task by QSW);
• if you want to install, e.g., all patches for Java, or all updates published by "Adobe", appropriate rules also can be created, etc;
• by default, major updates (which increase major version) are not installed automatically; if you want to install major upgrades as well, the appropriate option should be set in the task properties; if major upgrades should be allowed for certain rules only (e.g., for Java updates or critical vulnerabilities fixes only), an additional patch management task should be created with appropriate rules and the option should to install major upgrades should be set for this task;
• the most inefficient way is to add certain updates to a rule with a direct list of updates to be installed; in certain test or emergency cases for small amount of updates such way can also be used, but in general it's better to use categorial rules (like mentioned above), and in case of updates not matching any common rules use the "approvement" mechanism (when having the default rule to install all "approved" updates).

How to update all of the software in Software Updates for the clients?

In this rare case a patch management task in the root administration group should exist, and it should have a rule allowing to install any applicable updates (except having "denied" approval state).