Systems Management Question

K1000 Windows OS Patching Labels

11/22/2016 4940 views
Hey guys,

I currently have a Detect All schedule running against my MS machines. However, what I want to do to deploy OS specific patches. How do I create a Label that is OS specific?

The reasoning behind it that I some servers run MS SQL, Exchange, SCCM and other MS products, and clients will have MS Office. We have to get approval from our CAB to push OS patches and application patches, but I am finding it difficult to design a label that filters out OS specific patches.

Please help. Thank you.
Answer Summary:
1 Comment   [ + ] Show comment


  • Use the Smart Label under Catalog and selection Operating System in the left drop down then like in the middle and then the OS you want on the right drop down.

Answer Chosen by the Author

I'll expand upon this further using my philosophy if you haven't yet resolved your problem.

You will need to create a patch catalog smart label for the systems you want to patch, and a devices smart label to narrow down target devices. Mine is setup using the following criterion:

patch catalog smart label (based on what I use):

OS is (my specific OS, in my case win 2k8 r2)
Category is (OS)
Publisher is (Microsoft Corp)
Type is (security)
Missing is (true)
Superseded is (no)
Name does not contain (service pack) - to prevent accidental SP distribution without being monitored.
Support Rollback is (true) - If something goes awry, the installed patches can be rolled back.
**note that this smart label intentionally prohibits the installation of certain types of patches, including some security patches, service packs, and recommended patches. I address the gaps in my patch management by defining them in separate catalog labels that are more closely monitored vs unattended patch distribution.

device smart label could be:

Name = Microsoft Windows Server 2008 R2 Standard x64
Software Titles does not contain (insert your specific title needs, 1 per line)

Once you have the smart labels tailored to your needs, create a patch schedule and only deploy the patches using the patch catalog smart label you create and only to the assigned device smart label you create.
Answered 11/30/2016 by: rrjustin
Senior Yellow Belt

Community Chosen Answer

Exactly like nshah stated - Create a Smart Label and use both OS and Category to narrow your choices.  We use OS of "Windows" and Category of "OS".  
Check out Kace master John Verbosk article "K1000 Patching - Setup, Tips & Things I Have Learned (LDAP, Smart Labels, SQL Reports)    This was the cornerstone to our success with Kace Patching.  
Answered 11/22/2016 by: Bob Vila
White Belt

All Answers

rrjustin got this on point, you can have superseded check on as well to make sure you don't get any superseded updates. 

Also, when you're creating a schedule, make sure you're detecting the same label as you're deploying or else it will detect  "all patches" in your environment and will report them missing even though you're not deploying them. 
Answered 12/02/2016 by: TechFreak
Senior White Belt

Much thanks to everyone's contribution.
And apologies to everyone for the late response, but I was out of office and out of Internet access since the msg was posted.

I'm gonna be back in office and will provide feedback then,
Answered 12/05/2016 by: egas
Senior Yellow Belt

Thanks guys!!
Selecting the OS category as Windows did the trick!
Answered 03/02/2017 by: egas
Senior Yellow Belt

  • My current patch label does not have this specified, and consequently I am downloading way too many patches (update for Microsoft works 9.0? Don't think I need that one...)
    But here's the thing. When I look at the patches in the catalog, there's nothing that shows what the category of the patch is. So this makes it very difficult to tell if a patch will still be included after I make this change. How can I view the category on a patch in the
    patch catalog?

    An hour or so later:
    I figured out that the easiest way to test this is to create an OS label only and then click through the installed patches on a recently patched system. If each patch has was caught by the category=OS label, then I know that patch will still be good to go.

    So far, I have found that I will lose .NET security updates this way. Does anyway have a good label to capture those?
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ