Systems Management Question

Security Patching thousands of machines

06/08/2016 1552 views

I am interested in understanding how many machines you have Kace managing?  And how you manage the Patch Management of all the machines.  We currently have more than 8000 Windows machines in Kace, and we want to start upgrading all the machines with all the patches, except a set of a dozen or so patch collections that we need to exclude due to conflict with our software.

When we had meetings with Dell Kace initially when we were piloting the appliance, we were told that 8000 clients shouldn't be an issue; however, I am finding that sometimes the appliance can get very bogged down, so I would like to understand how you get around this. Currently, I mainly have the Kace agent do DETECT of all the patches on all the machines every day, and it seems to take around 24 hours for that DETECT process to complete -- the 8000 machines are all over the world and currently I am in the process of setting up the replication of the patching files to all the sites through DFS-R, so currently the machines mainly have to go back to one site, so that may be the reason why some of these are taking a long time to download the patch descriptors from the patch location.

I guess my question is mainly to those who have 5000+ or 10000+ clients to manage: how is Kace Security Patching working for you, and how do you find the performance of the Kace appliance in patching the machines? Do you know anything to make the patching run more efficiently? How many resources do you give to the appliance? We are currently running the Kace appliance on a VM with 128GB memory and 12 vCPUs... Would having the appliance run on physical hardware be better?

Thank you very much.



  • tuyen,

    The answers below are correct. Replication Shares are the most important next step for you. Btw, you said that you've been through JumpStart training, but have you viewed any of our many KKEs on Patching (and other topics)?

    KACE Advisor
    Ron Colson

    KACE Kontinuing Education (KKE) Recording: Patching Week - Basics (155630)

    KACE Kontinuing Education (KKE) Recording: Patching Week - Scenarios (155072)

All Answers

We have one physical K1 for 3k+ machines and 6 Replication Shares spread across the org's

To help distribute patching, set up replication shares and point groups of machines (using smart labels) to each replication share to load balance the patching across them.

Here is a screenshot from one org's replication server.

Answered 06/08/2016 by: SMal.tmcc
Red Belt

12,000 + machines

1 physical K1000 with 19 replication shares (use smart labels to target machines to the proper replication share)

Make sure you use servers for the replication shares to avoid the Windows issue where you have limited concurrent connections.
Answered 06/08/2016 by: rockhead44
Red Belt

  • How many computers can you patch concurrently?
    • I try to keep it to less than 1000 at any given time and less than 400 per replication share.
  • I talked with the Dell Kace techs and they kept insisting that the VM Appliance is enough. My manager has asked about considering whether we should plan on using a physical machine.

    As for the patching concurrently, I am planning on pushing a schedule against all 8000+ machines, and currently I am usually seeing around 200 or 300 machines in process concurrently doing the patch detect process -- we are still in the process of testing the deployment of patches through Kace as we are migrating from using SCCM to Kace. When you said less than 1000, how long does it take to complete that 1000?

    For the replication shares, I am planning to use DFS-R such that the Kace appliance replicates to one of the DFS-R servers, and through DFS all the clients in all our different sites will automatically redirect to the closest DFS share to download the patches required -- the initial replication of the files is still in process... I am hoping that once all the patching files are replicated to all the sites, the clients will process the detection and patching quicker, since they would copy the patch files from a more local location than from halfway around the world for some of them.
    • Totally depends on what you are patching. I sometimes have Windows Update jobs that will run 4-5 hours. I run all of them after hours, which I have the luxury of doing (nights/weekends are available for me to patch)
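
The concurrency limits mentioned in this thread (under 1000 machines patching at once, under 400 per replication share) can be turned into patch waves with a small planner. This is an added example, not code from any poster or from KACE; the share names, hostnames and counts are constructed, and the two figures are treated as ceilings.

```python
from collections import defaultdict, deque


def plan_waves(inventory, max_total=1000, max_per_share=400):
    """inventory: iterable of (hostname, replication_share) pairs.
    Returns a list of waves; each wave maps share -> list of hostnames."""
    if max_total < 1 or max_per_share < 1:
        raise ValueError("caps must be positive")
    backlog = defaultdict(deque)
    for host, share in inventory:
        backlog[share].append(host)

    waves = []
    while any(backlog.values()):
        budget = max_total          # machines still allowed in this wave
        wave = {}
        # Largest backlog first, so the share that needs the most waves is
        # never left idle; the share name breaks ties deterministically.
        for share in sorted(backlog, key=lambda s: (-len(backlog[s]), s)):
            take = min(max_per_share, budget, len(backlog[share]))
            if take == 0:
                continue
            wave[share] = [backlog[share].popleft() for _ in range(take)]
            budget -= take
        waves.append(wave)
    return waves


def wave_sizes(waves):
    """Total machines patched in each wave."""
    return [sum(len(hosts) for hosts in wave.values()) for wave in waves]


def sample_inventory():
    # Constructed data: four hypothetical replication shares, 1700 machines.
    counts = {"share-ams": 900, "share-nyc": 450,
              "share-sgp": 300, "share-syd": 50}
    return [(f"{share[6:]}-pc{i:04d}", share)
            for share, n in counts.items() for i in range(n)]


if __name__ == "__main__":
    for number, wave in enumerate(plan_waves(sample_inventory()), 1):
        print(number, {share: len(hosts) for share, hosts in wave.items()})
```

Each wave would then map to one patch schedule window, with the per-share host lists feeding whatever labels target machines to that share.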