Software Deployment Question

KACE K1000 attempts to re-deploy Firefox that has been patched

05/22/2016 1752 views

I'm looking for feedback on the best way to handle deploying software that is also patched via KACE.


Example of patching issue:

A new workstation 'PC1' has the 'SOE - Standard' label added.

A distribution package for 'Mozilla Firefox 45.0.2 ESR' exists and has the 'SOE - Standard' label associated to it.

'Mozilla Firefox 45.0.2 ESR' is deployed to 'PC1' as it has the 'SOE - Standard' label associated to it.

The following day 'PC1' has Firefox update to 'Mozilla Firefox 45.1.0 ESR' due to KACE patching.

Next time 'PC1' is inventoried it detects 'Mozilla Firefox 45.0.2 ESR' is missing and re-installs the older version.

*Repeat cycle of patching and downgrading*

So to combat this I have a smart label assigned to the distribution package  'Mozilla Firefox 45.0.2 ESR':

Device Smart Label: Distribution - Firefox 45

Label Names = SOE - Standard AND

Software Titles does not contain 'Mozilla Firefox 45' OR

Label Names = 'Software - Mozilla Firefox 45' AND

Software Titles does not contain 'Mozilla Firefox 45'

If the PC then has the the label (SOE - Standard or Software - Mozilla Firefox 45 ) AND does not have a version of Firefox 45 already installed then the label will apply and the software will install otherwise it will not apply and patches are then handled by KACE without issue.

Is this the best way or handling this? KACE labels are not the most user friendly.




0 Comments   [ + ] Show comments


Community Chosen Answer

Yes, this can be an issue when combining the two things. Your approach is pretty good. Another option that people have implemented is creating a smart label that gets applied to new computers and the managed installs are targeted at that label. Once machines are more than one or two days old they fall out of the new computer label and the K1000 no longer attempts to install software titles.

Another option is to be more aggressive about keeping your managed installs up to date. That way the most current version is being installed initially and patching doesn't come into play. That takes a fair amount of time, however.

Answered 05/23/2016 by: chucksteel
Red Belt

All Answers


I ran into this with MS Office 2019, systems kept trying to re-install the MI whenever the product was patched because the version number changed from the package associated with the MI.

I ended up creating a Custom Software Inventory object for Microsoft Office 2019 64-Bit without the version, which I list at the end of this reply. Using this entry, Only 64-Bit systems that don't have MS Office 2019 64-Bit would process the MI.  I link this MI to a very simple smart label which picks up all systems except those which are exempt for MS Office 2019. I've had issues trying to track and troubleshoot deployments that have MI's which drop the systems once the package is installed.

This also has the benefit that I could at glance view within the MI deployment how many systems had MS Office 2019 vs those that did not. I can also use the same target labels for future MS Office related deployments. 

RegistryValueEquals(HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlus2019Volume - en-us,DisplayName,Microsoft Office Professional Plus 2019 - en-us)

Answered 04/06/2020 by: Kiyolaka
Blue Belt

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login


This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ