My company is just now starting to use the patching capabilities of the KBOX. To begin with, we're trying it out on a small deployment of Windows 7 machines in preparation for deploying Windows 7 next year. The KBOX has mostly done its job with downloading critical patches and applying them in a time effective manner. There were a few hurdles and errors to get past, but they were solved.

However, I have noticed one glaring problem. It looks like any patch listed as "Important" by Windows Update, is getting skipped over by the KBOX. Specifically, yesterday I had to manually install KB2388210, KB2249857, KB2345886, and KB2398632. We also patched some of our servers using the KBOX, and while it got all the critical patches, it missed other patches labeled as "Important", many tied to Security Advisories like the above list. While the patches it has missed so far do not close immediate security loopholes, they often introduce performance enhancements or new functionality for the OS in question. Has anyone else noticed this? Is this normal behavior? If it is, that's disappointing because it means we will have to use 2 patching solutions or just not use the KBOX patching functionality altogether.

Thanks.

Answers

0
wkucardinal,

This article may explain why these patches are missing:
http://www.kace.com/support/kb/index.php?action=artikel&cat=6&id=741&artlang=en

Also how are you grouping your patches?

In the KBOX there are 3 possible values for impact: Critical, Recommended, and Software Installer (be careful with software installers).

If you are trying to automatically approve all OS patches (critical and Recommended) for win 7, try the following smart label.

Remember to test before deploying to your entire production environment. :)



Answered 11/12/2010 by: dchristian
Red Belt

0
Thanks for the reply. I had already read that article. It does not answer my question, since it says that, "Specifically for Microsoft, some patches are released as KB article and others are escalated as "security bulletins". According to Microsoft most patches do not qualify as security bulletins. The KBOX includes only critical or important impact patches and anything deemed security related (ie security bulletins) based on the listings available here: http://www.microsoft.com/technet/security/current.aspx"

The patches I mentioned in my original post were all listed as "Important impact patches" according to Microsoft. It's looking like if it's not a security bulletin you're not going to be able to use the KBOX to patch, which is extremely disappointing. For instance, all of the patches from the attached screen were missed by the KBOX. Were they downloaded to yours?

Answered 11/12/2010 by: wkucardinal
Orange Senior Belt

0
One other thing.. when patching with the KBOX, how come only sometimes do the patches show up as successfully installed in Windows Update? The machine with a patch in question will not detect that it needs the patch if it's already installed, but it won't show up in the list of recently installed updates, either.
Answered 11/12/2010 by: wkucardinal
Orange Senior Belt

1
Patches not listed as security-related are rolled up into service packs and cumulative patches.
Answered 11/12/2010 by: jkatkace
Purple Belt

0
Is this documented anywhere? I haven't seen that anywhere else.
Answered 11/12/2010 by: wkucardinal
Orange Senior Belt

0
I've noticed this as well. Currently, on a Windows 7 x64 box fully updated by KBOX, three recommended updates and five uncategorized updates are available. The files are dated September and October and are not listed in the KBOX patch listing. Is there something I'm possibly missing?
Answered 11/15/2010 by: Swyfter
Yellow Belt

0
No, it would appear that the KBOX does not obtain those patches. It basically only gets critical security patches or those labeled as critical/recommended by Microsoft. This means the other application updates that might be labeled "Important" will most likely not be available. This is extremely disappointing because it means the KBOX probably cannot be our total patching solution. It needs to be more inclusive of what Microsoft makes available through Windows Update.
Answered 11/15/2010 by: wkucardinal
Orange Senior Belt

0
These KBs are not listed here under http://www.microsoft.com/technet/security/current.aspx "Search by Knowledge Base article Number", so they are not considered "Security" patches.
Answered 11/21/2010 by: KevinG
Purple Belt
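
An added example, not part of the original thread and not KACE tooling: a PowerShell check to run on a client the appliance reports as fully patched. It asks the Windows Update Agent (the standard Microsoft.Update.Session COM interface) which updates are still offered and whether each one carries a security bulletin ID, the distinction the answers above turn on. The KB list at the end is copied from the question; the output columns are this example's own.

```powershell
# Added example. Works on Windows PowerShell 2.0 (the Windows 7 default).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Software updates Windows Update still offers and the user has not hidden.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$pending = foreach ($u in $result.Updates) {
    $kbs       = @(foreach ($k in $u.KBArticleIDs)        { "KB$k" })
    $bulletins = @(foreach ($b in $u.SecurityBulletinIDs) { $b })
    $cats      = @(foreach ($c in $u.Categories)          { $c.Name })
    $severity  = $u.MsrcSeverity
    if (-not $severity) { $severity = '(unrated)' }

    New-Object PSObject -Property @{
        KB          = $kbs -join ','
        Severity    = $severity
        HasBulletin = ($bulletins.Count -gt 0)   # False = no security bulletin attached
        Bulletins   = $bulletins -join ','
        Categories  = $cats -join '; '
        Title       = $u.Title
    }
}

# Updates without a bulletin sort first: these are the ones to compare
# against the appliance's patch listing.
$pending | Sort-Object HasBulletin, Severity |
    Select-Object KB, Severity, HasBulletin, Bulletins, Categories, Title |
    Format-Table -AutoSize -Wrap

# The four KBs named in the question: are they installed on this machine?
# Get-HotFix reads Win32_QuickFixEngineering, not the Windows Update history.
$named     = 'KB2388210', 'KB2249857', 'KB2345886', 'KB2398632'
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
$named | ForEach-Object {
    New-Object PSObject -Property @{ KB = $_; Installed = ($installed -contains $_) }
} | Format-Table KB, Installed -AutoSize
```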

0
If it's available in Windows Update, it should be available in the KBOX - period. If it's not, we have to use 2 different solutions (KBOX + our existing solution) to patch our workstations. This essentially makes the KBOX patching function obsolete, because we can use our existing solution to patch both critical security applications and application patches that aren't security critical.
Answered 11/22/2010 by: wkucardinal
Orange Senior Belt

0
I would like to say that I agree with wkucardinal. We are trying to squeeze the most value out of our KACE appliances, and an essentially incomplete patching solution is somewhat disappointing. We were hoping to drop using WSUS, but currently it's resulting in better patched machines than ones managed by k1000. At this point it appears WSUS might be necessary for 100% OS patches, and k1000 will push application patches that are available.

Does anyone know if the k1000 patch catalog will evolve to a more complete solution?
Answered 11/23/2010 by: TheKojukinator
Senior Yellow Belt

0
Any moderator/admin/employee insight on this?

ORIGINAL: TheKojukinator

I would like to say that I agree with wkucardinal. We are trying to squeeze the most value out of our KACE appliances, and an essentially incomplete patching solution is somewhat disappointing. We were hoping to drop using WSUS, but currently it's resulting in better patched machines than ones managed by k1000. At this point it appears WSUS might be necessary for 100% OS patches, and k1000 will push application patches that are available.

Does anyone know if the k1000 patch catalog will evolve to a more complete solution?

Answered 12/08/2010 by: dyehardfan
Second Degree Blue Belt

0
Here is the response I got from tech support:

Please understand that this type of enhancement will have a major impact to the code. Also, it will increase the cost of the Kbox due to the manipulation of the code and the increased size of the hard drives.

It is possible for you to download the updates to a client, and then have the Kbox via Managed Install upload the updates, and then push them to the respective clients.
Answered 12/08/2010 by: wkucardinal
Orange Senior Belt

0
I would think the HD size issue could be fixed by using Remote Shares to store the data. I am not a coder and do not know what it would take to change that side of things. Personally, I would like Kace to offer more support for patching, collecting more patches/updates from more vendors, etc., but I do not know where that falls in their priority list right now.

ORIGINAL: wkucardinal

Here is the response I got from tech support:

Please understand that this type of enhancement will have a major impact to the code. Also, it will increase the cost of the Kbox due to the manipulation of the code and the increased size of the hard drives.

It is possible for you to download the updates to a client, and then have the Kbox via Managed Install upload the updates, and then push them to the respective clients.



Answered 12/08/2010 by: dyehardfan
Second Degree Blue Belt

0
The Kace Appliance takes security critical patches as a higher priority over the important updates. If those recommended or important patches are needed in a faster manner, I would suggest making a request to Kace Support so we can request it and get it into the Kace feed.

Also you may want to check out this FAQ: http://www.kace.com/support/kb/index.php?action=artikel&cat=6&id=1047&artlang=en

Please let me know if you have any questions.
Answered 12/29/2010 by: Llee
Senior Yellow Belt

0
So the solution is that I must request patches from KACE that Microsoft or other vendors list as "Important"? That's a LOT of patches and a lot of waiting. No thanks.
Answered 01/04/2011 by: wkucardinal
Orange Senior Belt
