K1000 Windows OS Patching Labels
Hey guys,
I currently have a Detect All schedule running against my MS machines. However, what I want to do is deploy OS-specific patches. How do I create a Label that is OS-specific?
The reasoning behind it is that some servers run MS SQL, Exchange, SCCM and other MS products, and clients will have MS Office. We have to get approval from our CAB to push OS patches and application patches, but I am finding it difficult to design a label that filters out OS-specific patches.
Please help. Thank you.
1 Comment
Use the Smart Label under Catalog and select Operating System in the left drop-down, then "like" in the middle, and then the OS you want in the right drop-down. - nshah 7 years ago
Answers (5)
Posted by:
Bob Vila
7 years ago
Exactly like nshah stated - Create a Smart Label and use both OS and Category to narrow your choices. We use OS of "Windows" and Category of "OS".
Check out Kace master John Verbosk's article "K1000 Patching - Setup, Tips & Things I Have Learned (LDAP, Smart Labels, SQL Reports)". This was the cornerstone to our success with Kace Patching.
Posted by:
rrjustin
7 years ago
Top Answer
I'll expand upon this further using my philosophy if you haven't yet resolved your problem.
You will need to create a patch catalog smart label for the systems you want to patch, and a devices smart label to narrow down target devices. Mine is set up using the following criteria:
patch catalog smart label (based on what I use):
OS is (my specific OS, in my case win 2k8 r2)
Category is (OS)
Publisher is (Microsoft Corp)
Type is (security)
Missing is (true)
Superseded is (no)
Name does not contain (service pack) - to prevent accidental SP distribution without being monitored.
Support Rollback is (true) - If something goes awry, the installed patches can be rolled back.
**note that this smart label intentionally prohibits the installation of certain types of patches, including some security patches, service packs, and recommended patches. I address the gaps in my patch management by defining them in separate catalog labels that are more closely monitored vs unattended patch distribution.
device smart label could be:
Name = Microsoft Windows Server 2008 R2 Standard x64
Software Titles does not contain (insert your specific title needs, 1 per line)
Once you have the smart labels tailored to your needs, create a patch schedule and only deploy the patches using the patch catalog smart label you create and only to the assigned device smart label you create.
Posted by:
TechFreak
7 years ago
rrjustin got this on point, you can have superseded check on as well to make sure you don't get any superseded updates.
Also, when you're creating a schedule, make sure you're detecting the same label as you're deploying or else it will detect "all patches" in your environment and will report them missing even though you're not deploying them.
Posted by:
egas
7 years ago
Thanks guys!!
Selecting the OS category as Windows did the trick!
Comments:
My current patch label does not have this specified, and consequently I am downloading way too many patches (update for Microsoft works 9.0? Don't think I need that one...)
But here's the thing. When I look at the patches in the catalog, there's nothing that shows what the category of the patch is. So this makes it very difficult to tell if a patch will still be included after I make this change. How can I view the category on a patch in the patch catalog?
An hour or so later:
I figured out that the easiest way to test this is to create an OS label only and then click through the installed patches on a recently patched system. If each patch was caught by the category=OS label, then I know that patch will still be good to go.
So far, I have found that I will lose .NET security updates this way. Does anyone have a good label to capture those? - MichaelMc 7 years ago
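The catalog label criteria from rrjustin's answer and the coverage check MichaelMc describes can be modelled offline to see which missing patches a label would leave undeployed, and why. This is an added example, not K1000 code or anything posted in the thread; the field names, the sample patches and the "Application" and "non-security" values are constructed assumptions, not the K1000 schema.

```python
# Constructed sample data; field names are assumptions, not the K1000 schema.
def patch(name, category="OS", ptype="security", superseded=False, rollback=True):
    return {"name": name, "os": "win 2k8 r2", "category": category,
            "publisher": "Microsoft Corp", "type": ptype, "missing": True,
            "superseded": superseded, "rollback": rollback}

CATALOG = [
    patch("Security Update for Windows (sample A)"),
    patch("Security Update for .NET Framework (sample B)", category="Application"),
    patch("Windows Service Pack (sample C)"),
    patch("Update for Windows (sample D)", ptype="non-security"),
    patch("Security Update for Windows (sample E)", superseded=True),
    patch("Security Update for Windows (sample F)", rollback=False),
]

# One predicate per criterion of the patch catalog smart label in the answer.
LABEL = [
    ("OS is win 2k8 r2", lambda p: p["os"] == "win 2k8 r2"),
    ("Category is OS", lambda p: p["category"] == "OS"),
    ("Publisher is Microsoft Corp", lambda p: p["publisher"] == "Microsoft Corp"),
    ("Type is security", lambda p: p["type"] == "security"),
    ("Missing is true", lambda p: p["missing"]),
    ("Superseded is no", lambda p: not p["superseded"]),
    ("Name does not contain service pack",
     lambda p: "service pack" not in p["name"].lower()),
    ("Support Rollback is true", lambda p: p["rollback"]),
]

def failed_criteria(p):
    """Criteria this patch fails; an empty list means the label catches it."""
    return [label for label, test in LABEL if not test(p)]

def in_label(catalog):
    """Names of patches the label would deploy."""
    return [p["name"] for p in catalog if not failed_criteria(p)]

def label_gaps(catalog):
    """Missing patches the label skips, mapped to the criteria that exclude them."""
    return {p["name"]: failed_criteria(p)
            for p in catalog if p["missing"] and failed_criteria(p)}

if __name__ == "__main__":
    print("Deployed by label:", in_label(CATALOG))
    for name, why in label_gaps(CATALOG).items():
        print(f"NOT deployed: {name} <- {', '.join(why)}")
```

Each entry in the gap report is a patch that needs its own, separately monitored label, which is how the answer handles service packs and the other excluded types.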