We've always had our monthly Windows server patch schedules run as Detect and Deploy. We also run a daily detect on those servers late afternoon and a nightly patch download at 1am.

It was recently suggested to me that there is no point to using Detect and Deploy during the patch deployment because it won't get downloaded in time to patch during that run and then it will error with something like "Downloading". They said we only need to use "Deploy" since we run the daily detection. It was a Kace engineer who had assisted with some other things and he knew his way around Kace as well or better than most Kace Engineers I've worked with over the last decade.

Is that correct that Detect and Deploy doesn't work in time to download missing patches during a given patch schedule?


Answers

1
From what I understand and have experienced, doing a daily detect seems to be no more efficient than doing a weekly one if you are only patching once a month. If you do a deploy only, you will complete faster, but it will only patch what is listed in the latest detect. Doing a detect and deploy will take longer, but after each deploy, it reruns a detect to see if there are any more approved patches (maybe some required a previous patch to install first). If more are found it will deploy them as well and repeat until you are patched fully to what is approved. It does take longer but you will have a higher rate of fully patched. If you were doing patches every week, you could probably do the detect once a week and only deploy once a week and stay pretty current. You just run the risk of having a server or workstation potentially be missing patches during that time.
Answered 02/14/2018 by: DaveMT
Second Degree Blue Belt

1
The difference is as follows:
A Detect only deploys the patches to the machines until it needs a reboot. Then the patching job ends. After a reboot nothing happens.
If you run a D&D the reboot from the patching job triggers a new detect and a new deploy.

Answered 02/14/2018 by: Nico_K
Red Belt

0
That sounds a bit off to me, but you are duplicating effort, I think. The only reason that a schedule wouldn't be able to download all of the missing patches during a schedule is if you have it set to time out too quickly. Also, if you are patching your machines daily, then why are you also patching monthly? Are the settings and included patches different?

Answered 02/14/2018 by: chucksteel
Red Belt

0
Hi Chuck. Thanks for the reply.

Sorry for the confusion. We only "detect" daily. We "Detect & Deploy" (D&D) monthly on these servers.

It didn't make sense that Kace would even have the option to D&D (in the same patch schedule), if new patches couldn't download during a patch schedule's run. There are occasional one-off issues, but typically, a K1k should be able to detect & deploy while also downloading patches that are detected during the same schedule.

Thanks again.

Answered 02/14/2018 by: murbot
Tenth Degree Black Belt
