Why are all patch management solutions terrible in one way or another

[-]

no_regerts_bob@reddit

I've never seen a solution that worked very well. winget is interesting and improving every time I look at it though.

Reply

[-]

the issue I've seen with winget is it's often behind latest releases by several versions sometimes. My understanding is it's publicly managed but MS basically just checks to make sure it's not malware etc. So you're stuck relying on someone uploading the newest version to winget, which doesn't seem to happen in a timely manner. Meanwhile MSFT will offer this solution within intune for an extra cost LOL. I am just fed up with how BS and insane it actually is to manage 3rd party application updates. It seems like to do it properly you truly needs someone dedicated to literally doing almost nothing else.

Reply

[-]

finobi@reddit

With Intune you still need to manually update 3rd party software packages, upload latest .msi etc. Only MS Apps have some automation. Winget uses public github repo where they accept manifests from software vendors: [https://github.com/microsoft/winget-pkgs/tree/master/manifests](https://github.com/microsoft/winget-pkgs/tree/master/manifests) For a free solution still better than some paid 3rd party solutions. I prefer with Intune WUfB even if it has pretty light features, because it offers decent nagging features to reboot computer etc so that user can do it when not having their 8 hours online meeting streak etc. Most issues have been with cleaning up registrykey mess that previous RMM or GPO has left behind.

Reply

[-]

RikiWardOG@reddit (OP)

they have the enterpise software stuff now its just winget integration so basically only things in their store

Reply

[-]

finobi@reddit

Ah its in Intune add-on suite, I've missed it

Reply

[-]

CaptainBrooksie@reddit

You could update the win-get repository with apps you care about.

Reply

[-]

RikiWardOG@reddit (OP)

which defeats that automation purpose of using such a product

Reply

[-]

sabertoot@reddit

We love Action1! Simple, lightweight, and you can push patches with immediate effect (take notes Intune and ManageEngine).

Reply

[-]

JankyJokester@reddit

I can push patches immediately with ManageEngine.....

Reply

[-]

sabertoot@reddit

Yes, but the effect is not nearly as reliable as A1.

Reply

[-]

JankyJokester@reddit

Ah your comment to me seemed to imply that you couldn't.

Reply

[-]

bbqwatermelon@reddit

Semantics because unreliable on demand deployment might as well be "can't."

Reply

[-]

JankyJokester@reddit

Yeah dunno mate. Use Manage Engine where I currently am. Wouldn't call it unreliable personally.

Reply

[-]

RikiWardOG@reddit (OP)

It's the same as the rest though. I've seen Action1 report incorrectly because of a random left behind registry key. they're doing nothing but using registry keys to determine if something is installed and what version is installed. Also their remote support piece is trash from what I saw. It's cheap & free for under 100 users which was nice but even when I asked their egineers it was clear that they seemed to not even fully understand how they're doing detection.

Reply

[-]

GeneMoody-Action1@reddit

Let me break that down if I may. I will certainly relay on the feedback on the product, I meant what I said, good bad and ugly, we welcome it all. We have to understand what people need and want to make better decisions on the future of certain features. The remote desktop does come up often as not being comparable to "other RMM offerings" but that's just it, it is not designed to be. It can be your preferred remote access and you can use it in any way you like, but it is not meant to supplant a RMM, as it is patch management, not an RMM. Basically take the desktop and see why a patch is not installing, or help someone. So when we get labeled not as robust as other RMMs we have to regularly remind we are not a lesser RMM, we are not an RMM at all, we are a patch management system. Did you take exception to its lack of comparable features, or did you actually have difficulty using it or stability issues? Either way I want to let our feedback team know. To the stray registry keys, this is one of the conditions I alluded to in my other post. How would you personally prefer a system react in a situation where there is \*potentially\* a system in a state unknown where you may or may not be vulnerable based on how much of it is really left behind anywhere? BE alerted to check and find out it is a false alarm due to another products failure to properly clean up, stay unaware and have a system remain \*potentially\* vulnerable depending on the extent of what was left behind, or be omnipotent by knowing of all states they system could possibly be in and make that decision for you? IN those cases Action1 (Or any other product) is not incorrectly reporting, it is correctly identifying traces of systems known to be vulnerable to various security issues. And letting you know, so you the admin can decide the best course of action. The fact those traces are there is not a state Action1 induced, it is just trying to help the end user correct it.

Reply

[-]

GeneMoody-Action1@reddit

Thank you for the shoutout u/sabertoot, we appreciate it. Action1 is trusted to patch millions of endpoints, but... It is not magic, like all patch management products there can exist conditions that could prevent it from functioning properly as well. These sorts of things will always exist outside the realm of what vendors can control. Take [KB5034441](https://www.action1.com/fixing-winre-update-issues-for-cve-2024-20666-and-kb5034441) as an excellent example, the PATCH failed, not the patch manager. Action1 developed a workaround and patched thousands of workstations while the rest of the world waited for a fix. So even if we did not cause it, we still do our best to help our customers. So I will not be all sales pitch and say Action1 will solve all your problems, I can only say Action1 is an excellent product according to our customers not just the company. We offer [free patch management](https://www.action1.com/patch-management/) for the first 100 endpoints, not time limited, not feature limited, just free, so you can give it a go and work through as many scenarios as you want, in your own time, without any obligation or clock to race. And.. IF you have any failures we would love to hear about them, if you encounter a condition we did not account for, we take all feedback good bad and the ugly. Pride has no place in product feedback, if we made a mistake, we would like to learn from it and not fail the next time. IF the scenario is beyond our control, we still have better support data on how to handle it is it happened to anyone else. If anyone has any questions, I am always here.

Reply

[-]

ROvAES@reddit

You have to invest your time into learning and making the most of the tools that you are using. Every platform has workarounds for achieving a functional patching strategy, but no tool will do everything for you without this investment. We have gotten to the point that our patching is almost fully automated using VSA X but it took some time to really know the product.

Reply

[-]

MushyWaff1e@reddit

In IT for 30+ years and I've never seen a patch management platform that didn't create a lot of work for the IT team. The ONLY way I've ever seen to 100% control pm is to use VDI's. That is costly and may not fit your architecture. Instead we use a different approach. We use a product like Fortigate EMS that gives us reports on a desktop's compliance and we make it the users responsibility to keep up to date. If they hit certain thresholds, they are blocked from connecting to our networks (it's amazing how fast this gets people's attention). We supply the reports to the users with the whats/hows/whys. For the users that are IT challenged, they can schedule an appt with IT to get handled. It took several months, but people are now conditioned to keep up on their maintenance. We've been using this method for years now and It's amazing how much smoother everything operates consistently and puts much less burden on IT. This also cuts down significantly on costs of running a PMS and yet still having to do the work the PMS fouls up. After years of doing this, I wouldn't want it any other way and our users are better for it.

Reply

[-]

BOFH1980@reddit

I'm intrigued. So how do you get past making them local admins? PAM solution of some kind?

Reply

[-]

MushyWaff1e@reddit

HAH, well now that is a larger Architectual discussion. One that can take a while (i'll just give a highlight). We as a company (I am the IT Director for a manufacturing tech company) had serious discussions around users & security regarding the company needs and expectations along with costs and repercussions. So buckle up it was a long & lively debate that didn't conform to the norm. In short, we built everything around not caring if a user is an Admin. I know I know, but ultimately we had to look at what really matters. We culturally are not into controlling users, we treat them all as adults and expect them to behave as such. Albeit, we monitor every process on every device, (not for spying though). Who has time to monitor or give a shit that Betty is on Facebook too much or John loves his gun sites? My department is Switzerland and it's up to departmental managers to request that info if they feel employee is not completing job requirements. (*IT only gets involved when they do something in clear violation of policy such as Torrents, warez, improper licensed media or other things they are not supposed to do and have all signed agreement for condition of employment*) That being said, we worked with Homeland Security on building an infrastructure that meets their standards for security of resources/data. It just isn't the standard way most IT people have been trained. Meeting their standards allows us to be fully insured for cyber attacks and qualifying for gov't contracts. As mentioned, on the security level, we monitor every process on every device to ensure a user never intentionally or unintentionally does something bad (whatever we determine that to be), they are immediately cut off and no spread of maliciousness can happen. (this is a different and longer discussion). We have redundant safeguards. So ultimately, we dont' give a squat if user is an admin because they cant' really do any harm other than inconvenience themselves on their own machine. If they do something that causes this (no harm to company), they and their manager are brought in and enlightened on how to remain employed. This freedom of having the company fully protected from a garbage user causing the company harm while making them responsible/engaged in their pc's own well being, is pretty amazing.

Reply

[-]

ExcitingTabletop@reddit

What do you use for process monitoring?

Reply

[-]

MushyWaff1e@reddit

Falcon Complete. It's not just a tool but a 24/7 endpoint AI and human monitoring and control. Best part is, we don't need to run any additional IT for it.

Reply

[-]

ExcitingTabletop@reddit

Yep, I've used it before. I liked it, but it's ungodly expensive.

Reply

[-]

stesha83@reddit

You can use Intune privileged endpoint management to do this

Reply

[-]

brownhotdogwater@reddit

For a pretty penny. We use admin on demand

Reply

[-]

MushyWaff1e@reddit

right, our solution doesn't put any additional cost, such as intune.

Reply

[-]

stesha83@reddit

Expecting end users to manage their own patching or fall foul of conditional access is certainly one way to do it. I can’t really picture any circumstance where what you’ve described doesn’t result in a massive attack surface but you’ve got cyber insurance so I guess it’s a lack of imagination. It couldn’t scale at all in the environments I’ve worked in due to end user IT literacy.

Reply

[-]

MushyWaff1e@reddit

Because we monitor every process ... look into Falcon Complete. 24/7 management with full endpoint control to shut down things before they become an issue.

Reply

[-]

stesha83@reddit

How many users have you got per tech, I have XDR in place, but too many users to give everyone admin access and sit back and wait. Likewise maintaining an MDR vendor product for thousands of endpoints is surely more expensive than stopping incidents from occurring in the first place? I’m just trying to understand.

Reply

[-]

MushyWaff1e@reddit

Well, it might help to have a little background. We build lasers for the military. We were attacked by Russians and everything in our infrastructure using that old methodology was wiped out. Instead of giving in, we worked hand in hand with Homeland Security in rebuilding everything from scratch. We face yearly deep pen-testing to keep our ability to continue mfg for military and municipalities nation-wide. We do not have to maintain a product, it's a service. Powered by AI and Human oversite. We used to have products, again, using that old school model.. yet they walked through Cisco and Carbon black like butter. We realized we needed 24/7 monitoring and remediation without an in-house staff. We run with smaller IT staff because they are free'd up. Lot of money is saved, it pays for the FC 6x over. That being said, you keep asking more and more, which is why I said there are deeper longer conversations, I was trying to keep on-topic for OP.

Reply

[-]

stesha83@reddit

Interesting, thanks for writing up. Always like to hear from those with interesting solutions to interesting problems. It wouldn’t scale for us as I’d have 500 tickets a day between a couple of techs asking how to update Adobe Reader. 😅

Reply

[-]

MushyWaff1e@reddit

hhahaa, yeah, the push has to come from top down. If the execs aren't being making people responsible, it can't happen. We document everything and have wiki's for people to look up how to do things such as adobe basics. But generally the reports we provide the end users using the Fortigate EMS, provides them with both the links and the information, so don't really have to look hard at all, they just have to read and put forth effort. The lack of effort on their part becomes their managers problem which take care of itself. I know, I know, holding users accountable in the IT world is difficult to fathom, but since it comes from the top, we only hire those that take the pressure. Starts with the Exec's and HR. I want to retire at this company because of all my previous experience, IT was over burdened and under appreciated.. but that attack changed everything.

Reply

[-]

stesha83@reddit

Most of my users are rural staff who spend most of their time with heavy machinery - it ain’t gonna happen! I bet that attack would make for an interesting story. But I won’t ask!

Reply

[-]

MushyWaff1e@reddit

yeah, it's a long one... I get what your saying, your use case would be difficult to implement this. Cheers mate :)

Reply

[-]

ForEverAloneNERD@reddit

I have been using Action 1 for patching Windows, firmware, drivers, and 3rd party apps for about 2 year now. It has been awesome, works perfectly 99% of the time and they are constantly improving their patching system. They recently introduced vulnerability scanning and reports back any open CVE's for your machines. It also doubles as an RMM tool. Having come from an MSP that was heavily Kaseya based and being the admin that maintained and administered the built in Kaseya patching system. Action 1 is hands down far better without all the extra nonsense and doesn't cost extra to patch 3rd party apps. And the first 100 endpoints are free for life.

Reply

[-]

GeneMoody-Action1@reddit

We appreciate the shoutout u/ForEverAloneNERD and thank you for being an Action1 customer. Our customers chiming in and recommending us with such positive vibes is a great reassurance of we must be less terrible than some others :-)

Reply

[-]

mrpoops@reddit

Ansible is a good option. Or PowerShell DSC. It’s simple, just apply the policy every so often and collect the reports somewhere centralized. If you use azure you have free access to the Azure Update Management stuff and it works great. I moved a big chunk of machines to that recently and it’s been flawless. It’s free for any azure VM, $5/mo for external machines.

Reply

[-]

13Krytical@reddit

I think it’s just a complicated subject that requires constant work to maintain and you’re seeing corporations that want to save $$ so the software isn’t kept tip top shape. Think about POSSIBLE ways to check for updates.. You can have various “detection methods” to check .dll and .exe properties, registry entries, existence of folders etc But if the apps themselves aren’t standardized, they could have any numbers of differences to cause issues. Asking any one company, to stay on top of that, is expecting a lot. As far as the other stuff, agents, reboots etc, I genuinely think that’s a result of H1B hiring causing lower quality work.

Reply

[-]

GeneMoody-Action1@reddit

There is merit in this. I try to explain it to people, imagine you went to buy something large, you needed to fit in your garage. The person building it is going off the blueprints to your house, 5 years ago, when you built it. And they know nothing about what you have stored in your garage now or the fact you converted half to a third bathroom... Wold you consider it their fault the thing they made did not fit when it got there? Two computers being exact clones of one another start taking diverging paths the instant they boot. Add users to the mix and they get wildly unique very fast. The amount of states a computer could be in are infinite. And the amount of error condition's you can account for are finite. Linux patching works entirety different than windows, and why it most often behave far better, but make no mistake, linux patching can and sometimes will go horribly awry as well. People making patch management try to account for everything that makes sense, and they may not understand something that was improperly interrupted during uninstall and left half a product's detritus, or another product altered files that were crucial to this other product, that the user ran a registry cleaner and checked yes to all recommended actions because the internet was slow... Or installed stuff because they did not know what it was. Or failed then reported it, but no one acted on it until months later when something else failed a s a result... I kid you not, I was once asked to repair a system where the person perceived the problem with their computer to be its haphazard organization, and had tried to make a folder called EXE, INI, DLL etc and put them all in one place! People are weird, and computers are obedient. The best thing about computers is that they try to do exactly what you ask them to, the worst thing about computers is that they try to do exactly what you ask them to. Any product, made for a large audience, gets 100 fold the testing in the first hours of release than it did in months of QA testing in the lab. And these things come out of the woodwork. Even the product you assume to have 100% control over the patching process, the OS, its OWN update process, is rife with issues. There are patch products that actually DO deliver higher levels of success than that... The day computers always work, without fail, regardless of what you ask or have done to them, is the day we will all be unemployed.

Reply

[-]

Ssakaa@reddit

> The day computers always work, without fail, regardless of what you ask or have done to them, is the day we will all be unemployed. Pretty sure that's about 3 milliseconds before the moment when a computer decides it needs to save the planet from the human plague.

Reply

[-]

GeneMoody-Action1@reddit

All my base are belong to them...

Reply

[-]

moffetts9001@reddit

It’s a ton of work to keep up on patches and vulnerabilities, especially when updates fail to install for no particular reason. Chasing down R7 or Tenable findings is a particularly massive time sink.

Reply

[-]

OsmiumBalloon@reddit

> Is it just that Windows architecture is shit so the only option is to scan the registry and you're stuck relying on vendors properly cleaning up the keys? In a word, yes. Patching on Linux is usually one command and you're done. A patch repository is just a shared file system. Centralized reporting and approval require scripting or more products, but even that is usually easy. It's so much smoother than Windows it's ridiculous. (Do note that that Linux has other pain points. This is just one of the areas where Linux blows Microsoft out of the water.) Of course, then you get commercial apps that have been ported to Linux from the Windows world, and they usually import the pain, too. So... feh.

Reply

Reply to Post

43 Comments