Windows patching is NOT working consistently

Multiple machines across multiple clients are NOT getting their existing Windows update policy applied.
I am having to go through several (far, far too many) at each client and manually approve KB5014699.

Yes, I have verified the effective policy is in place for the impacted endpoints and they SHOULD have the update already approved and installed.
Doing so manually works, so what is going on here?

Interestingly enough, most of my workstations are also not installing KB5014699.

You can run a patch report (Missing Patches By KB) and click Install from there instead of one at a time.

Yah, thanks but that is doing nothing.
I did try it, including a couple of days ago, and checked on it just now, including machines that have been up and online the entire time.

There are a few known patches that are buggy and/or require a bit more work to get going. It's possible this is one of them. In that case, it's not an issue with Syncro but an issue with the patch/Windows itself.

PSWindowsUpdate to the rescue.
Glad for Syncro to be able to quickly get that implemented for this; notably disappointed that Syncro's "Brand New, All Wonderful" Windows patching is already stumbling on something that should be standard.

Nothing is perfect. I’ve had issues with every RMM platform I’ve used, which has been quite a few.

With that said, they definitely need to figure out the issue and fix it. I submitted a Support request and did receive verification this morning that it's being bumped up to the developers.

Hey David - I looked into this for you. We have confirmed the patching module is working as expected. In this instance Microsoft did not classify this security patch with a severity, meaning it then defaults to the catch-all “Other” severity. Your “Other” severity is set to manual, which is why these aren’t installing. As a result, this KB should be appearing in individual asset record’s Windows Patches tab and can be manually installed. If you wanted to automate those, you could set the “Other” category to something other than manual to handle those.

Sounds like this answers my question/support request as well. Though I haven’t heard back from them.

@Andy The other issue I’m seeing is when clicking “Install” from the Missing KB report, it doesn’t seem to actually install the KB. Any thoughts there or should I open another support request for that? Having to do it manually or script another way to do it across all machines is a pain.

Edit - It would be awesome if we could see a list of KBs in general, when they are displayed on the asset and on the missing patches by KB report, and have it list the “category” that Syncro placed it in. In this case, Other. If that was listed, I would have known immediately based on my policy why that didn’t install.

1 Like

I would open a ticket at help@syncromsp.com so they can look into that further.

The second part is a good suggestion. I made a note.

1 Like

Hi Andy. Thanks for the follow-up on this, much appreciated!

The strange thing about what you've reported is that when I leveraged PSWindowsUpdate to get this KB applied, running it (PSWindowsUpdate) with a check for 'Critical Updates' and 'Security Updates' did find and queue said KB…

Np. So that is likely due to how Microsoft classifies them. There are “Quality” updates which are further broken down by Category, and there are “Security” updates that are further broken down by Severity. I believe in your query you included every Security update, and then further included Critical Updates, which is a Severity type of Security updates.

At any rate, you might want to consider approving “Other” for Security updates, and leaving it to Manual for Quality updates.

Yeah, this is probably because that module is choosing to classify them itself based on various conditions.

I actually just ran my script to directly query the Windows Update API, and sure enough, this KB comes through as "optional"; it's not listed as critical or even important. I've seen other RMM platforms just throw these non-classified ones into Critical, and at the end of the day, I'm not sure I like that approach. I'd much rather have visibility on it.

As long as the “install” from that report would work, this wouldn’t be too much of a pain (I know I script it too) but you get my point.

Either way, knowing is half the battle and I’m glad that the patching isn’t broken.

1 Like
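An added example (not the poster's script and not Syncro's logic) showing how to ask the Windows Update Agent COM API directly what category, MSRC severity and "optional" status it reports for a pending KB, which is the visibility the thread asks for. It assumes a Windows host whose update source already lists the KB; the KB number defaults to the one from the thread, and the Security/Quality bucketing at the end is an assumption modelled on Andy's description, not the product's actual policy code.

```powershell
# Inspect how the Windows Update Agent classifies not-yet-installed updates.
# Assumptions: Windows host with WUA; KB number is the one from this thread.
param(
    [string]$KB = '5014699'   # set to '' to list every pending update
)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# Software updates that are visible to this machine but not installed yet
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

foreach ($u in $result.Updates) {
    $kbs = @($u.KBArticleIDs)
    if ($KB -and ($kbs -notcontains $KB)) { continue }

    # Category names come from the WUA catalog ("Security Updates", "Updates", ...)
    $cats = @($u.Categories | ForEach-Object { $_.Name })
    # MsrcSeverity is empty when Microsoft assigned no severity rating
    $sev  = if ([string]::IsNullOrEmpty($u.MsrcSeverity)) { '<none>' } else { $u.MsrcSeverity }

    # Assumed bucketing (mirrors the thread's description, not Syncro's code):
    # Security updates are split by severity, anything else is a Quality update.
    $bucket = if ($cats -contains 'Security Updates') {
        if ($sev -eq '<none>') { 'Security / Other (no severity -> catch-all)' }
        else                   { "Security / $sev" }
    } else {
        "Quality / $($cats -join ', ')"
    }

    [pscustomobject]@{
        KB           = ($kbs -join ',')
        Title        = $u.Title
        MsrcSeverity = $sev
        Categories   = ($cats -join '; ')
        # WUA presents an update as "optional" when it is not auto-selected
        Optional     = (-not $u.AutoSelectOnWebSites)
        Bucket       = $bucket
    }
}
```

Run it in an elevated PowerShell session on an affected endpoint; an update reporting `MsrcSeverity = <none>` is exactly the case that falls through to a catch-all "Other" rule.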