Hi Everyone,

So we are starting to use the K1000 to patch our servers. Initially we just want to apply critical OS patches.

My problem is that OS as a category is not granular enough and includes SQL, Exchange, Office, Sharepoint. (Found this out during our TEST environment patching)


So I have tried two ways to try to exclude those patches:

1. Smart label for those apps I want to exclude, then the last line, for patch label names not equal to BLOCKED. 
2. Static label for those apps I want to exclude, then the same last line (in case of some weird smart label issue).

Then I load the Critical_OS_Servers patch label and search the the patches to find it does not exclude those. They still show in the list and I do not want to arbitrarily patch my live Exchange against our BES without some more planning.

Any tips to get this working properly? Thanks in advance.

EDIT: Thanks, I  spoke to support and found simple labels are far better to narrow down what I want.

For those interested, we are trying to do security patches for OS.
Label is:
Publisher = Microsoft
Severity is Critical
Operating System is Win 2K8.R2
Name contains Windows Server

Doing one for each OS and applying to patch schedules as needed.
0 Comments   [ + ] Show Comments


Please log in to comment


Besides trying to build a better patch label I don't think there's too much you can do. I manually update servers that are business critical (Exchange, SQL, RDS, etc...) and use KACE for the rest.
Answered 06/26/2015 by: h2opolo25
Red Belt

Please log in to comment
Answer this question or Comment on this question for clarity
Nine Simple (but Critical) Tips for Effective Patch Management
This paper reviews nine simple tips that can make patch management simpler, more effective and less expensive.