In our environment we use MDT to deploy our Windows devices. Our task sequence builds the operating system, installs our base applications and configures them according to our GPO policies. One issue that became really time-consuming was keeping the application packages in the task sequence up to date. Firefox and Zoom, for example, release updates every couple of days (ridiculous), and keeping those packages current is time I could spend on other projects and research. Below is the approach I came up with to patch new computers automatically as they are deployed.
In my task sequence the KACE agent is installed on the machine. When the agent first checks in, KACE creates the device record, which populates the CREATED field in the MACHINE table.
I decided to build a smart label whose query is based on this field.
- Go to Inventory | Devices | Smart Label
- Leave the search field blank
- Choose Label and name your label. Mine was "Computers created in Last 24hrs"
- Go to Home | Label Management | Smart Labels and find the label you just created
- Edit the SQL and replace it with the query below, which returns devices whose CREATED timestamp falls within the last 24 hours. The lower bound is built with NOW() - INTERVAL 1 DAY rather than DATE(NOW()) - 1: the latter is integer arithmetic in MySQL (2024-03-01 - 1 gives 20240300, day 00 of the month), which is not a valid date, so on the first day of every month the bound becomes NULL and the label silently matches nothing.
-- Devices whose record was created in the last 24 hours (MySQL).
-- m.ID/m.NAME identify the device row; the remaining columns are for eyeballing the result.
SELECT m.ID, m.NAME, m.CREATED,
       NOW() AS 'Current Time',
       NOW() - INTERVAL 1 DAY AS 'Window Start',
       C.CLIENT_CONNECTED,
       UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(m.LAST_SYNC) AS LAST_SYNC_TIME,
       UNIX_TIMESTAMP(m.LAST_SYNC) AS LAST_SYNC_SECONDS
FROM ORG1.MACHINE m
LEFT JOIN KBSYS.KUID_ORGANIZATION O ON O.KUID = m.KUID
LEFT JOIN KBSYS.SMMP_CONNECTION C ON C.KUID = m.KUID AND O.ORGANIZATION_ID = 1
-- INTERVAL arithmetic stays valid across month and year boundaries.
WHERE m.CREATED BETWEEN NOW() - INTERVAL 1 DAY AND NOW()
- Go to Security | Patch Management | Schedules
- Create a schedule that detects and deploys patches to the smart label created earlier (the settings below are tailored to my environment; adjust them to yours)
Force a reboot if you want.
Because I want machines patched as soon as possible, before they are handed to an employee, the schedule needs to run as often as it can, so it is configured to run every 30 minutes. (I do wish there were a way to trigger this schedule on demand through runkbot.exe.)
*/30 * * * 1-5 runs every 30 minutes, Monday through Friday (in cron's day-of-week field 0 is Sunday, so 1-5 is Monday to Friday, not Sunday to Friday). To limit it to working hours, restrict the hour field as well: */30 6-17 * * 1-5 fires every 30 minutes from 06:00 through 17:30, Monday through Friday.
Save, then test.
To test, take a machine that was imaged within the last 24 hours and force an inventory so it falls into the smart label; the next run of the patch schedule should then pick it up. Note that label membership is only re-evaluated when the device inventories, so a machine that never checks in during its first 24 hours will never enter the label.
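The cron expression decides how quickly a freshly imaged machine is picked up, and the day-of-week field is easy to misread. The following is an added example and is not part of the original post or of KACE: a small evaluator for 5-field cron expressions that lists the times a schedule fires on a given day, so a candidate schedule can be checked before it is saved. It assumes the KACE custom schedule field uses standard cron semantics (minute, hour, day-of-month, month, day-of-week with 0 or 7 = Sunday, and the usual Vixie rule that when both day fields are restricted either may match); the post's own expression suggests this, but it is an assumption here. The dates are constructed (2024-03-03 is a Sunday, 2024-03-04 a Monday).

```python
"""Evaluate a 5-field cron expression and list when it fires on a given day.

Added example, not code from the original post or from KACE. Assumes the
KACE custom schedule uses standard 5-field cron semantics:
minute hour day-of-month month day-of-week (0 or 7 = Sunday).
"""
from __future__ import annotations

from datetime import date, datetime

# (low, high) bounds per field: minute, hour, day-of-month, month, day-of-week
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def _expand(field: str, lo: int, hi: int) -> set[int]:
    """Expand one field ("*", "*/30", "6-17", "1,3,5", "8-16/2") to a set of ints."""
    values: set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"invalid cron field {field!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr: str) -> list[set[int]]:
    """Parse a 5-field cron expression into one set of allowed values per field."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {expr!r}")
    sets = [_expand(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]
    if 7 in sets[4]:  # cron accepts 7 as an alias for Sunday (0)
        sets[4].discard(7)
        sets[4].add(0)
    return sets


def fires_at(expr: str, when: datetime) -> bool:
    """True if the schedule fires in the minute containing `when` (seconds ignored)."""
    fields = expr.split()
    minute, hour, dom, month, dow = parse_cron(expr)
    cron_dow = (when.weekday() + 1) % 7  # Python: Monday=0 -> cron: Sunday=0
    dom_ok = when.day in dom
    dow_ok = cron_dow in dow
    if fields[2] != "*" and fields[4] != "*":
        # Vixie-cron rule: when both day fields are restricted, either may match.
        day_match = dom_ok or dow_ok
    else:
        day_match = dom_ok and dow_ok
    return when.minute in minute and when.hour in hour and when.month in month and day_match


def firings_on(expr: str, year: int, month: int, day: int) -> list[str]:
    """Every HH:MM on the given calendar day at which the schedule fires."""
    return [
        f"{h:02d}:{m:02d}"
        for h in range(24)
        for m in range(60)
        if fires_at(expr, datetime(year, month, day, h, m))
    ]


if __name__ == "__main__":
    # Constructed dates: 2024-03-03 is a Sunday, 2024-03-04 a Monday.
    for expr in ("*/30 * * * 1-5", "*/30 6-17 * * 1-5"):
        for d in (date(2024, 3, 3), date(2024, 3, 4)):
            times = firings_on(expr, d.year, d.month, d.day)
            span = f", {times[0]}..{times[-1]}" if times else ""
            print(f"{expr:20} {d} ({d:%A}): {len(times)} runs{span}")
```

Running it shows the post's schedule firing 48 times on the Monday and not at all on the Sunday, and the working-hours variant firing 24 times between 06:00 and 17:30; any expression KACE accepts can be checked the same way before it is applied to the label.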