Blog Posts tagged with Systems Management

Ask a question

How-To: Schedule Scripts for the Nth Weekday of the Month

As mentioned in the below posts, the CRON scheduler (custom schedule) on the K1000 does not support scheduling for the Nth weekday of the month (Ex. 2nd Tuesday of the Month)

While nothing can be done about that except for an update to the K1000, I have come up with a way to work around this in scripting (see darkhawtman's answer in the first link above for a workaround with patching).

In my organization, we need to run a cleanup script on all of our virtual machines the Sunday before patch Tuesday. Due to the CRON limitations, I wrote a Powershell function (see below) that will return specified weekday sequences.

The function can be used in multiple scenarios and has a lot of options - see the help section for details and examples.

All I had to do was add the function and an if/else statement to my script and I'm in business.

In my situation, this is what I did: 
    1. Upload a ps1 (mine is named CheckDate.ps1) to the Kscript with the below code

    2. Schedule the script to run every Sunday at 1:00 AM

    3. In the Verify section do the following: 
            Launch a program


            -NoProfile -ExecutionPolicy Bypass -File $(KACE_DEPENDENCY_DIR\CheckDate.ps1))

    4. Put the cleanup script in the On Success section and a Date validation failed log message in the Remediation section.

Some explanations:

1. Why not just do the 2nd Sunday of the month?
    The second Sunday of the month is not always the Sunday before the 2nd Tuesday of the month.
        Ex. If the 2nd Tuesday of the month is the 8th, then the 2nd Sunday would be the week after that, not before (See August 2017)

2. Why is format D required for this?
    The default format of a DateTime object (Get-Date) includes the time - we only need to validate the day - if the time is in the validation, then it would return false negatives.

Function Get-WeekdaySequence {

    This function will return the nth weekday of the input month (default is current month). For example, it can return the 2nd Tuesday of the month (Patch Tuesday).
    There are several parameters to expand this functionality listed below.
    Built from C Ashish's post on TechNet:

.PARAMETER WeekdaySequence
    Accepts values 1-5, determines which day of the month to return 1=1st weekday of the month, 2=2nd weekday of the month et cetera, will fail if there are not enough weekdays in the specified month
    i.e. Cannot cross months

    Accepts weekday strings as values

    Accepts DateTime objects (Get-Date returns a datetime object), defaults to the current date

    Accepts integers between -6 and 6, will return the specified weekday sequence + or - the number of days specified, can cross months (see examples)

    Accepts a string specifying the date format desired, defaults to 'F'. See for Get-Date formats.

Return the 2nd Tuesday of the month (Microsoft Patch Tuesday)
    Get-WeekdaySequence -WeekdaySequence 2 -Weekday Tuesday

Return the 2nd Tuesday in the month of 12/2018
    Get-WeekdaySequence -WeekdaySequence 2 -Weekday Tuesday -Date (Get-Date 12/2018)

Return the Sunday before the 2nd Tuesday of the month
    Get-WeekdaySequence -WeekdaySequence 2 -Weekday Tuesday -OffsetDays -2

Return the Thursday after the 3rd Tuesday of the month
    Get-WeekdaySequence -WeekdaySequence 2 -Weekday Tuesday -OffsetDays 2

Return the Sunday before the 2nd Thursday of 11/2030 in the LongDatePattern format
    Get-WeekdaySequence -WeekdaySequence 2 -Weekday Thursday -Date 11/2030 -OffsetDays -4 -Format D

    Param (
        [Parameter(Mandatory=$true,HelpMessage="1 for 1st Weekday of the month, 2 for 2nd weekday of the month, etc.")]




        [Parameter(HelpMessage="Specify the Get-Date format desired")]



    while ($MonthBegin.DayofWeek -ine $WeekDay) {
        $MonthBegin = $MonthBegin.AddDays(1)


    $ReturnDate = $MonthBegin.AddDays(7*($WeekdaySequence-1))

    if ($ReturnDate.Month -ne $Date.Month) {

        return (Write-Error -Exception "Invalid Sequence Number" -Message "There are not $WeekdaySequence $($Weekday)s in $($Date.Month)\$($Date.Year)")


    if (!$OffsetDays) {
        Return (Get-Date $ReturnDate -Format $Format)


    else {
        Return (Get-Date ($ReturnDate.AddDays($OffsetDays)) -Format $Format)



if ((Get-WeekdaySequence -WeekdaySequence 2 -Weekday Tuesday -OffsetDays -2 -Format D) -eq (Get-Date -Format D)) {

    Exit 0


else {

    Exit 98

Be the first to comment

Applying Windows 10 Feature Updates with KACE

Here is how I did it. I am sure there are 1000 ways to skin this cat. Hopefully this helps somebody.

Environment Details

WAN devices on approx 20 different remote sites with links from 1MB to 100mb connection speed.

Requirements for my project

  1. Update all windows 10 from x to Windows Version 1703 (OS Build 15063.729). We had multiple versions of Windows 10 ranging from 1511 to 1607.

  2. Upload the 4GB install files to WAN locations only once.

Important info/lingo/links for Windows 10 upgrading.

Windows 10 Version Info -

Pay attention to difference in Version and Build.

Step 1 - Download ISO and copy to WAN Locations

  1. Download the ISO for 1703 (or version you are trying to update to). You can use the Windows Media Creation Tool or if you want to download directly you can do this trick. Extract the contents of ISO to a folder of your choice.

  2. Copy the entire contents of the folder above to each replication share. If you don't use replication shares this can be just a shared drive on a device in the same location as the device you want to upgrade. This is strickly for bandwidth reasons. If you are not concerned with bandwidth (and time to transfer 4gb) to each location then skip this step. Just make sure that whatever you setup your script in the “Windows Run As” has read Share and NTFS permissions.

Step 2 - Apply Labels to target Devices

Apply a Manual Label to each device you want to upgrade. I used Win10Upgrade-Nov1, Win10Upgrade-Nov7 etc so that you could easily go back and tell by the label when the upgrade was applied. Then after all was good and no issues removed all the manual labels.


Step 3 - Create the Script that does the work

Create Script that will do the actual upgrade. I will not give every script options here but here are the key ones.

  1. Under Deploy Section select Microsoft Windows and choose your labels or devices to target. Again I used manual Labels created in Step 2 above.

  2. Under Tasks Add a task and choose “Run a batch file…” with this as the bat file text. This is straight from this TechNet article. I used a bat file because I store the %kacelocalrepo% as a system variable that is set via GPO for other upgrades that are to large in size for Managed Installs.

    1. %kacelocalrepo%\Win10Build15063\setup.exe /auto upgrade /installfrom %kacelocalrepo%\Win10Build15063\sources\install.wim /dynamicupdate disable

Step 4 - Run the Script

Either use the “Run Now” feature or schedule the script to run once at a specific time. Just personal preference here. There is probably some way to silently do this but I choose to allow the users to cancel because I would rather them cancel the install (its graceful) rather than power off the machine and corrupt the upgrade.

Step 5 - Go fishing! Most Important Step!

Go fishing in your favorite watering hole and come back to upgraded Windows 10 devices. Use KACE GO app to make your boss think you're doing this from land.

Side Notes

I did not use the Windows 10 media creation tool. I used the trick to download the ISO manually. The disadvantages (I think) of this are it installed 1703.0 during this process. Then after that I had to install Cumulative Update for November which is another 932 MB install. Granted at this point “Patch Management” does all my Cumulative Updates and the files are already on the replications shares, but you could have done this all in one task via Using the “Add updates to customized Windows images”. Is installing the Version upgrade separately than the Cumulative upgrade easier to troubleshoot? Sure it is… just throwing that out there as this minimizes downtime for your end users by doing Upgrade instead of doing an Upgrade and then an Update.

View comments (1)

KACE UserKon 2018

KACE UserKon, the only conference dedicated exclusively to KACE users like you, is returning in May 2018! That’s why we’re seeking your input to influence the agenda. For example, do you want sessions on topics like:


  • Integrating and automating with LDAP integration?

  • Maximizing reporting?

  • Managing Windows 10 updates?

  • Managing your mobile devices?

  • Enhanced security and compliance?


Let us know in this 5-minute survey

We look forward to seeing you at KACE UserKon 2018!


View comments (8)

Announcing KACE Systems Management Appliance 8.0 General Availability

We are excited to announce a new version of KACE Systems Management Appliance is now available for download.

Look what's new:

  • Role Based Access Control – Establish control over who has access to which devices. Improve security and oversight.
  • Wake on LAN Improvements – Designate one agent to wake endpoints in a remote subnet. Increase productivity by performing off hour tasks in remote locations.
  • IPv6 Appliance Support - Agent can provide inventory to the Systems Management Appliance via IPv6. Mixed IPv4/IPv6 is supported to meet compliance requirements for government and other organizations.
  • Contract Management - Create & import hardware & software license contracts. Control and reduce non-compliance risk and fines.
  • Knowledge Base editor enhancements – Embedded HTML editor to create rich Knowledge Base articles.

Check out this helpful knowledge article:

 Upgrading a KACE Systems Management Appliance that is Multiple Versions Behind

KACE SMA 6.4 is now in discontinued support. To determine the current support phase of your product, please refer to the KACE SMA life cycle table.

Be sure to check out the KACE SMA Product Support page to find solution articles, tips and tricks, tutorials, documentation, notifications, life cycle tables, training, and a product user forum.

Download Now
Be the first to comment

Agents not checking in! Best troubleshooting practices

Endpoint system management is a critical component of KACE SMA and its understanding play an important role for using side features that rely on device periodic inventory.

Let’s get started by reviewing the ports required for KACE Agent to communicate with KACE SMA:

·        Port 80 – Agent check-in

·        Port 443 – Agent check-in (Mandatory for KACE 8.0)

·        Port 139/445 – Agent/Client provisioning

·        Port 52230 – Agent AMP Persistent connection (6.4 and lower Only).

Note: For additional information please check the following article - Which network ports and URLs are required for the KACE?

KACE Agent performs a number of periodic activities based on communication settings schedules (Settings | Provisioning | Communication Settings); for this configuration, KACE Support recommends to keep the number of connections per hour under 500. The reason for this is to allow KACE SMA manage the different activities on schedule without major delays.

Note: For multi-org KACE SMA this value will apply to all the organizations in total. Example, if KACE SMA has 5 organizations, that would mean each organization should be under 100 connections per hour.

Another value that needs attention is “Load average Score” (Settings | Provisioning | Communication Settings); this particular value should not exceed 8 – 10 rate. In case that this number is high, it would be recommended check communication settings.

What would be the next step?

The next point to be considered is checked how are the services running. A service under failed status will create a direct impact on the agent proper communication; How do we check KACE SMA Services status?

Settings | Support | Run Diagnostic Utilities | Select “Services” Hit Run.

Important Note: If any of services are appearing as” Failed” Status contact KACE Support immediately for assistance.

Additional items to be checked:

A misconfiguration in communication settings, for example, if the schedules exceed 500 connections per hour or let’s say that multiple tasks (Patching, Scripting, etc.) were launch simultaneously these most likely may generate high congestion or a high agent task traffic; in those cases, it will be necessary to see the number of activities being handled by the agents.

How do we find these agent activities? And What specifically we are looking for?

·        Click on Settings | Support | Display Agent task status

·        Use “View By: In Progress”

·        Under “Timeout” column look times showing as negative

If that would be the case, proceed to remove all those showing negative numbers under “Timeout”. Wait for the next inventory cycle and wait for the results.

Let’s review troubleshooting steps and integrate some additional solutions.

What to do when the check-in issue is happening to all or most of the devices?

·        Check that all services are up and running

·        Check communication settings and make proper adjustments – KACE recommends no more than 500 connections per hour overall.

·        Check Agent Tasks – Look if there are activities showing negative numbers

·        Check Device Smart labels: Labels within labels, labels assigned to software and device metering may become corrupted and generate delays or prevent agents to check in.

Other KB articles to take in consideration for troubleshooting:

·        How fast can the KACE SMA appliance complete different tasks per machine? -   

·        Agent Communication Issues Checklist (190297) -

·        Troubleshooting Agents That Are Not Checking In Windows (112029) -


What to do if inventory issue is occurring with only one system or a particular system?

-        Check the number of license nodes and devices in used

-        Is inventory.xml file created, does it show 0 KB, is it updating? - Check C:\ProgramData\Quest\KACE

-        Are the agent services running?

-        Is “amp.conf” file containing the right KACE SMA hostname? – Check C:\ProgramData\Quest\KACE

-        Are PEM cert files correct or present? – Check C:\ProgramData\Quest\KACE – Folder should contain two *.pem files.

Note: In some cases, it will be required to apply a re-trust if PEM files are corrupted. How to apply re-trust command, check following article AMPTOOLS.EXE Command Switches (146458) -

-        Check that required ports are opened and KACE folders are not affected by antivirus software (whitelist - C:\ProgramData\Quest\KACE and C:\Program Files (x86)\Quest\KACE)  - For additional details see - Which directories and executables do I need to whitelist for the SMA agent? (111785)

-        See if HDD space in the machine is not full, a full disk will make agent services to fail.

-        Look for WMI related errors. For additional information check the following resources.

·        How to repair or fully rebuild Windows WMI Repository (231983)

·        WMI Isn't Working!

·        WMI Diagnosis Utility


Several important features in KACE SMA make use of the agent inventory cycle and its correct functionality is essential for all the activities to properly run.

What features depend on Agent inventory?

·        Managed installations

·        File Synchronization

·        Replication Shares

·        Smart Labels

What should we know about KACE Agent 8.0?

·        KACE 8.0 exclusively communicate via port 443 - Using KONEA Technology.

·        IPv6 Appliance Support - Agent can provide inventory to the Systems Management Appliance via IPv6

Visit our Website KACE Support where you will be able to find additional documentation, videos, and tutorials.  Need additional assistance, contact KACE Tech Support.

View comments (2)
Showing 331 - 335 of 343 results

Top Contributors

Talk About Microsoft Windows