My organization recently implemented a K1000 in our environment.  Everything seems to be up and running - we are in the middle of setting up patch subscriptions and I've set up patch labels for each individual OS in our environment.  

I created a test label to push Windows updates out through the KACE system and after successfully detecting what updates were necessary, the KACE system successfully deployed all updates that were a part of the Windows 7 patch label that I created.  I set the patch smart label up to include any Windows 7 updates that are applicable to x86 or x64 architectures, so essentially any Windows 7 update KACE has in its catalog.  

The problem we ran into is the update process forced the I.T. computers (which were relatively up-to-date) to reboot between 4-6 times before the process was complete.  Obviously pushing this type of update out across the environment requiring that many reboots isn't an option.  

My question:  Is there a way to filter out the hotfix updates in KACE?  I didn't filter "Recommended" and "Critical" updates, I included every update KACE had to offer.  
I'm not sure what best practices are in this aspect.  

I looked through the update catalog and could not find hotfixes identified as a hotfix anywhere in the list; they seem to be listed by the KB number.  Unnecessary hotfixes were installed on my system as well as other I.T. systems; this was verified by looking through the Installed Updates history.  I've read that hotfixes should only be installed if the user is experiencing the problem the hotfix was created to solve; is this accurate?  

Any help is appreciated.  

Is there a reason you made such granular Patch Labels?  The K1000 automatically detects which ones are needed and only deploys the Patches that are compatible with the machine AND that the machines actually need installed.  No filtering is necessary, unless you don't want certain patches to be deployed that are actually needed by a machine (JAVA).

Unfortunately, we can't control which patches require a reboot, though we try to chain as many together as we can.  I wonder if you might be using a "Detect and Deploy", when you really want a "Deploy" type job, to minimize the additional passes.

We've covered Patching extensively in the KKE program.  Have you checked it out?  Link below.  r2

Ron Colson
KACE Koach
Answered 11/18/2014 by: ronco
Second Degree Brown Belt

  • Thanks for the information, I'll check out the KKE program. Our company is new to KACE and we are trying to figure out the best way possible to deploy updates.

    The bigger issue we seem to be facing is that the hotfix updates are being applied when we may not need them installed. For instance - http://support.microsoft.com/kb/976373 - this hotfix was installed on my system via the KACE appliance patching system. I thought hotfixes could only be applied by manually downloading the hotfix and applying it based on experiencing the specific issue it was meant to fix?
    • sokrina,

      One of the many frustrating things you'll learn about patching, especially Microsoft updates, is that these terms are (at best) variable, and mostly meaningless.

      Rest assured that, based on the information provided by the patch vendor (MS, Adobe, etc.) to Lumension (KACE's patch provider), the K1000 will detect whether patches are NEEDED by a machine. If it is not detected as being needed by a machine then we WILL NOT even attempt deployment. I encourage you to watch the KKE recordings - I cover all of this and much more in those sessions. Please don't hesitate to ask me any questions.

      Ron Colson
      KACE Koach
Did you set this under your patch schedule?

Answered 11/19/2014 by: SMal.tmcc
Red Belt

  • I did not set the reboot options to "No Reboot", I set ours to "Prompt User". Regardless of the reboot setting, wouldn't the computer still require the same amount of reboots whether it be at the prompting of the user or as a forced measure (be it an immediate reboot or at a later time)?
    • Ours is set there and we push all patches out via KACE and the user never gets bothered. We force evening shutdown to make them apply. All machines are patching just fine for us.
      • Interesting, so the next time the user shuts the computer down it goes through the round of reboots? That might work - although for clarification, when you have a large round of updates with hotfixes as well, do you go through multiple reboots? Our systems went through 3-6 rounds of reboots before the patch process was complete and I was curious whether this was normal or atypical.
      • It normally just boots once unless some of the hotfixes are dependent on a previous hotfix to be installed that also requires a reboot.
For clarification or future reference, the solution that SMal.tmcc offered - to disable rebooting in the patch schedule/setup of the patch schedule - did the trick.  Rather than rebooting 3-6 times throughout the update process (which had been the initial problem when the "Reboot" options were set to "Prompt User"), the computer rebooted after all updates were installed.  This resulted in a much cleaner and far less intrusive update from a customer service/productivity standpoint.  
Thank you all for your help!
Answered 11/19/2014 by: sokrina
White Belt
