KACE 1000 – Upgrade plan
In order to back up KACE you need to take a download of 2 files and you need a copy of the appliance setup files (Quest will provide in case of emergency).
To get the files you need to login to https://K1000/admin as an Admin user.
Then go to “Settings > Control Panel > Backup Settings
When in this screen you will see 2 lists of files these are the backups, there should be a list of two types of files:-
This is the file that contains all the config and settings we have set, all the differences from the standard out of the box settings. This includes accounts and permissions.
This is mainly the packages and the items we have either uploaded or created. This includes script and software deploys and reports.
You will need to get a copy of both of these files, the DATES HAVE TO MATCH OR THEY ARE USELESS. To download them just left click them.
Are all the machines Agents on the latest version (6.4.519), if not then we need to upgrade them separately outside of this process. Depending on how many there are this may be a point to stop and consider options.
There are a number of upgrades needed, but the biggest issue with going to 7.0 from 6.4 is not doing the 6.4.120822. But as this is where we are now we are in a good position. We will need to download the patches below as doing it manually has shown better experience in the past just in case the package is blocked by any other system.
Systems Management Appliance server version 7.0.121306
- Minimum server: 6.4.120822
- Minimum agent: 6.3.314
Systems Management Appliance server version 7.1.149
- Minimum server: 7.0.121306
- Minimum agent: 6.4.180
Systems Management Appliance server version 7.2.101
- Minimum server: 7.1.149
- Minimum agent: 7.0.763
Systems Management Appliance server version 8.0.318
- Minimum server: 7.2.101
- Minimum agent: 7.1.62
NOTE – due to a vulnerability that I have seen compromised in the past we need to ensure we go to version 8.0. See this for more information https://www.cvedetails.com/cve/CVE-2017-12567/
Partial (There is considerable informational disclosure.)
Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Partial (There is reduced performance or interruptions in resource availability.)
Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )knowledge or skill is required to exploit. )
Not required (Authentication is not required to exploit the vulnerability.)
Inform team – confirmation of the schedule
As KACE will be unavailable for the majority of a day (possibly 2) as some of the patches take a long time to apply particularly 7.0, we will need to make sure this doesn’t impact any other work.
First check all downloads are available to the tech per the above downloads section. Now ensure that the client machine can be available for the next 2 hours, it is for this reason it is best performing the update from a Server desktop not form a client machine. The upgrade will continue but you lose the reporting window and hence the ability to see if the update has failed.
These checks need to be done after each upgrade
Check service is up
If the upgrade has worked you will need to check you can log in to the https://K1000/admin address and then check to see if it can see the agents.
Check deploy works
As long as you can see a client agent you now need to check that a deploy works to the agent. If this doesn’t contact Quest immediately, waiting at this stage can mean it takes a considerable amount of time to fix. This is due to any mis-config can cause the KACE database to become corrupted.
Check reports work
Very similar to the above. Can you generate and download a report, does the email section work. If not contact Quest immediately.
Check patches are downloading
Is the link to Lumension working and is the system downloading the patches. Again contact Quest if not.
Check KACE agent needs update
There is a strong chance the KACE agent needs updating, if this is the case we typically use GPO to do this, see below.
Check deploy is working
Make sure to test the deploy on a test machine with no admin accounts. Before it goes out to any users.
Deploy new update via GPO
There is a walkthrough guide to do this. Open https://K1000/admin go to Settings > Provisioning > Agent Provisioning Assistant this will then bring up the guide.
This is the GPO tool that will help https://support.quest.com/download-install-detail/6083840
Follow this guide to do this: https://support.quest.com/kb/133776
Update K1000 agent on server (after each version upgrade)
CAUTION: Never manually reboot the K1000 server during an update.
1) Back up your database and files. For instructions, see the K1000 Administrator Guide, http://documents.software.dell.com/kace-k1000/6.4/administrator-guide/.
2) Go to the appliance Control Panel:
a) If the Organization component is not enabled on the appliance, click Settings.
b) If the Organization component is enabled on the appliance: Log in to the K1000 systemui: http://K1000/system , or select System in the drop-down list in the top-right corner of the page, then click Settings.
3) On the left navigation bar, click Appliance Updates to display the Appliance Updates page.
4) Click Check for updates.
a) Results of the check appear in the log.
5) When an update is available, click Update.
6) The Service Pack is applied, and the K1000 server restarts automatically.
IMPORTANT: During the first ten minutes, some browsers might appear to freeze while the update is being unpacked and verified. Do not navigate away from the page, refresh the page, or click any browser buttons
Confirm new version is working (send at version 8.0)
Send a email to team confirming that the software has been packaged and is working.
Distribute new documentation to team and store on Knowledge Base
Make sure everyone is aware of any new documentation and they know where to locate it.
[i] Cyclic Deploy problem is where the software, for example Microsoft Office 2013, is deployed to the machine. But the software attached to the software deploy is Microsoft Office 2016. This will mean that the final check that KACE does will return that Microsoft Office 2013 is not installed and it will try to install again but as it still only has Microsoft Office 2016 it will start the process again. This was an extreme example, although not one that is rare, in fact any small change in the version it is trying to deploy from the version it is deploying will cause KACE to redeploy the software over and over again.