Best Practices Question

Questions about KACE software patching

08/14/2017 2100 views

I’m new to KACE and have a number of questions. I haven’t had my JumpStart training yet, but I don’t want to waste the expensive JumpStart time asking questions that I can get answered elsewhere. I’d like to find out what people are using in the real world, and not just what KACE’s recommendations are.


I started setting up patching schedules, and it quickly became apparent the method I was using would quickly become unwieldy. I was trying to set up a schedule for each product type (Windows, Office, Visual Studio, Acrobat, etc.). That allowed very granular control, but created a huge number of schedules. I had Smart Labels set up this way:

                Devices – OS – Microsoft Windows 10

                Devices – App – Microsoft Windows 2013

                Devices – App – Adobe Acrobat Reader DC


                Patches – OS – Microsoft Windows 10

                Patches – App – Microsoft Windows 2013

                Patches – App – Adobe Acrobat Reader DC


Patch Schedules

                Detect and Deploy – OS – Microsoft Windows 10

                Detect and Deploy – App – Microsoft Windows 2013

                Detect and Deploy – App – Adobe Acrobat Reader DC



What I’m thinking of now is to set up two patch schedules per computer (Microsoft and non-Microsoft):

                Devices – Virtual – No

                Patches – App – Microsoft

                Patches – App – Non-Microsoft

Patch Schedules

                Detect and Deploy – Microsoft Windows and Microsoft Apps – Virtual No

                                Device Labels: Devices – Virtual – No

                                Operating Systems: Windows

                                Detect Patch Labels: Patches – OS – Microsoft Windows, Patches – App – Microsoft

                Detect and Deploy – non-Microsoft Apps – Virtual No

                                Device Labels: Devices – Virtual – No

                                Operating Systems: Windows

                                Detect Patch Labels: Patches – App – non-Microsoft


What are the advantages and disadvantages to using a single patch schedule which includes Microsoft and non-Microsoft patches?

                Patches – All

                                Status is Active and

                                Type is not Software Installer and

                                Name does not contain Service Pack

Patch Schedule

                Detect and Deploy – Microsoft Windows

                                Device Labels: Devices – Virtual – No

                                Operating Systems: Windows

                                Detect Patch Labels: Patches – All




Community Chosen Answer

We patch both OS and applications in the same schedule to minimize user disruption. The only exception to this is a schedule that runs once a month that installs critical security OS updates. I work in higher education, so our concerns might be different from yours. You can see a detailed description of our patching schedules here:

We do use labels to filter out which patches are included in our schedules so that we can limit the time that it takes the agent to run the detection. We also have the need to limit which patches are installed on certain systems. For instance, Java updates frequently break some of our in-house applications, so those need more testing and are deployed separately.

Answered 08/15/2017 by: chucksteel
Red Belt

All Answers

Good information about patching can be found here:

As a rule of thumb:
Create one detect job for all systems
Create deploy jobs for the different systems (not software) and run the patching against your machines at different times.
With the current appliance, patching labels are rarely needed.
If you uncheck the Software Packages, no additional software is installed either.
You can subscribe to the vendors directly.
This has some pros: you don't need to use labels (an additional potential problem).
Also a con: catching up to the latest version may need multiple patching runs, and software which updates major versions instead of minor versions needs to be deployed with a managed install.

Answered 08/15/2017 by: Nico_K
Red Belt

  • Not using patching labels concerns me. Let’s say there’s an update for Adobe Acrobat Reader DC. What happens when a computer is selected which doesn’t have Reader installed? Does KACE realize that and not even try to install any Reader patches? Or does KACE try to install the Reader patch, but the patch fails to install because Reader isn’t installed? How efficient/inefficient is it to select patches for software that isn’t even installed on a computer?
