KACE Product Support Question

Command line to run a patching schedule?

06/06/2018 959 views

We deploy PCs using Microsoft Deployment Toolkit (MDT). One of the last tasks we would like the task sequence to do is Windows patching. I know that a script can be run via command line: runkbot.exe 123 0.

Is there any way to get a client to kick off a patching schedule, i.e., 'Post Build Detect and Deploy'?

Or, does anyone have a creative solution for kicking off patching immediately on newly built PCs? Please confine answers to MDT-built devices; we do not have, and do not plan to have, the K2000.

Thank you!


  • We do not use a script to do this, but we do use a detect & deploy patch schedule to handle this, in our environment.

    We use a smart label that identifies machines that have had an OS deployed to them within the last 4 hours (we didn't use the wizard to create this label, but use SQL for it). Because our inventorying runs once an hour, we set this label to OS's deployed in the last 4 hours, in case the machine takes a bit to inventory for the first time.

    We have the patch schedule to detect all patches and to deploy all patches. This patch schedule is set to run once every hour, do forced reboots, and run on next connection if the agent is offline.
  • I've got two methods set up. All of our new desktop and laptop computers initially go into the same OU, then after they're ready to go on a user's desk we move them to the appropriate OU depending on which office they'll be managed by. During the initial install of KACE, the support person had us install a Custom Field piece of software "Active Directory Distinguished Name (CIF)". The custom inventory rule is a 1-liner:
    RegistryValueReturn(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine, Distinguished-Name, TEXT)
    We then have a Smart Label called "Computers in KACE OU", which has
    "Active Directory Distinguished Name (CIF)" "ends with" "OU=KACE,DC=Company,DC=Local"
    Then we have a patch Detect and Deploy which runs every 4 hours on the computers with the Smart Label. This allows us to deploy new computers deployed using the K2000 and get them updated fairly quickly, but doesn't affect computers installed manually or added to a different OU (servers and VMs primarily).

    I also have a Smart Label "Computers Added in Last Day", which is set to
    "Created" "is within last" "24 hours"
    You could use that Smart Label with a patch detect and deploy, but it would affect ALL computers added to KACE, which we don't want to do.
    • good good, that is what I call using the KACE features in harmony!

      -Patch Schedules
      -Custom Inventory Rules
      -Device Smart Labels
      -LDAP (to query the Active Directory for info.)
  • A custom label like this will give you machines that have newly installed OS


    You can have a separate schedule that detects and deploys patches to this smart label; machines will automatically fall out of this label and hence will no longer be a target.
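
A local check for the OU-based approach in the second comment, as an added PowerShell example that is not from the thread or from KACE: it reads the same registry value the custom inventory rule returns and tests it against the Smart Label's suffix, so a freshly built machine can be confirmed as a patch target before it leaves the build bench. The function name, the exit codes and the case-insensitive comparison are assumptions.

```powershell
# Added example: not the commenter's or KACE's code.
# Key, value name and OU suffix are copied from the comment above;
# the function name and exit codes are assumptions made for this sketch.
$KeyPath        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine'
$ValueName      = 'Distinguished-Name'
$ExpectedSuffix = 'OU=KACE,DC=Company,DC=Local'

function Test-PatchLabelMatch {
    param(
        [string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Suffix
    )
    # An empty value means the rule would return nothing, so the label cannot match.
    if ([string]::IsNullOrWhiteSpace($DistinguishedName)) { return $false }
    # Mirrors the label's "ends with" test. Case-insensitive here (assumption),
    # because AD distinguished names are not case-sensitive.
    return $DistinguishedName.Trim().EndsWith(
        $Suffix, [System.StringComparison]::OrdinalIgnoreCase)
}

# Read the value the custom inventory rule reads. It is typically absent until
# the machine has joined the domain and processed computer Group Policy once.
$dn = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

if (-not $dn) {
    Write-Output "No $ValueName value yet: run 'gpupdate /target:computer' after the domain join, then re-check."
    exit 1
}
if (Test-PatchLabelMatch -DistinguishedName $dn -Suffix $ExpectedSuffix) {
    Write-Output "MATCH: '$dn' ends with $ExpectedSuffix; the Smart Label should pick this device up once it has inventoried."
    exit 0
}
Write-Output "NO MATCH: '$dn' is outside $ExpectedSuffix; the OU-based patch schedule will not target this device."
exit 2
```

Run as a late MDT task sequence step, a non-zero exit flags a build that would otherwise sit unpatched because it never entered the labelled OU.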