Patch management is the process of obtaining, testing, and installing patches for software on devices. The K1000 enables you to automate patch management, which helps to improve software functionality and protect devices and networks from vulnerabilities. With patch management you can detect and deploy the latest security patches and software updates for Windows and Mac devices that use the K1000 appliance.
The purpose of this article is to explain how patching works and how to apply best practices to achieve better results without impacting the performance of client devices or the K1000 appliance.
NOTE: The Patch Management component is supported on Windows and Mac devices only. Patch Management is not available for Linux devices.
Before creating a patching task, check the following prerequisites:
1. Ports and URLs
Websites that must be accessible to the K1000 appliance – Patch download requires certain ports and URLs to be whitelisted. For additional information and details, review the web resources listed below.
· Which network ports and URLs are required for the KACE K1000 appliance to function? (111775)
2. Patch-subscription workflow and Download settings
Apply patch subscriptions before downloading patches (patch signatures and packages). Patch subscriptions let you select the desired patches (based on publisher) before proceeding with patch downloads. For additional details, review the link below.
3. Patch Smart Labels - Using Smart Labels for patching
You can use Smart Labels to automatically group patches and to filter patches by category and severity. Using patch Smart Labels helps you complete patching tasks more quickly. Patch Smart Labels are used for both detect and deploy actions.
For how to create and use Smart Labels, check the web resource below:
4. Create Smart Labels to organize devices by type, such as desktop, server, and laptop. Restrict the patch actions to the devices in the labels that you select. Limiting the run to labels, especially Smart Labels, helps to ensure that patches are applied appropriately.
More about patch smart labels:
5. Configuring patch schedules
The detect, deploy, and rollback tasks are selected in the patching schedule configuration. An appropriate and balanced schedule configuration provides the best patching results and a faster patching completion time.
Details about patch schedule configuration:
6. Patching process and different stages
During the patching process, different types of activity take place, and each activity counts as a unique stage. The stages are handshake, detect, deploy, verify, or rollback, depending on the type of activity selected in the patch schedule.
For each stage, the agent (client or computer) communicates back to the K1000 (uploads logs) before continuing with the next activity or stage. However, the log upload can sometimes fail with an error, which prevents the patching activity from completing.
For this type of situation, please review:
What does "Error (Log Upload Failed)" mean in the Current Phase of the schedule? (204675)
7. List of patching error codes and common issues
A List of Failed Error Codes for Scripting or Patching (Detection or Deployment Phase) in K1000 Server (111687)
Error Message: Your patch subscription has expired. Please contact support for assistance. (146363)
What items to check for when getting "HANDSHAKE error" during a scheduled patching job? (128241)
K1000 Patch Status Showing Downloading (147748)
8. Other useful patching resources – Best practices and tips
KACE SMA Patching - Best practices and recommendations (206616)
Administrator Guide - Best practices for patching
Supported applications and operating systems for K1000 patching (112030)
K1000 patching is a great and complete feature that allows system administrators to keep systems protected against potential vulnerabilities. Understanding the options and resources available is important for optimizing patching results. For issues, questions, or suggestions, feel free to contact KACE Support.