10/30/2019 343 views

Hello there,

I performed an upgrade to v10.0.290 on my KACE SMA last week and noticed that most of the smart patch labels that I made have been modified\converted to a new format. I read through this article to understand the changes in v10 - https://support.quest.com/kb/264454/deprecated-patching-items-in-the-10-0-release

The biggest change that I noticed is a new query called "Classification" in the smart label wizard. Previously, I was using the query "Type" to sort between Security, Non-Security, and Software Installer patches. All patch labels have had this Type query converted over to Classification and this is where my question lies: What is the best way to use this new query? I relied heavily on using Type and now that there are so many options under Classification, I am afraid that I am going to exclude important patches from the label if I do not use the Classification query properly. An example of my previous smart patch labels that worked very well:

Patch Label NameOperating SystemCategoryTypeImpactStatus
SPL - Win10-OS-Sec-CritWin 10 OSSecurityCriticalActive
SPL - Win10-OS-NonSec-CritWin 10 OSNon-SecurityCriticalActive
SPL - Win10-OS-SoftInstall-CritWin 10 OSSoftware InstallerCriticalActive
SPL - Win10-OS-Sec-ReccWin 10 OSSecurityReccommendedActive
SPL - Win10-OS-NonSec-ReccWin 10 OSNon-SecurityReccommendedActive
SPL - Win10-OS-SoftInstall-ReccWin 10 OSSoftware InstallerReccommendedActive
SPL - Win10-App-Sec-CritWin 10 ApplicationSecurityCriticalActive
SPL - Win10-App-NonSec-CritWin 10 ApplicationNon-SecurityCriticalActive
SPL - Win10-App-SoftInstall-CritWin 10 ApplicationSoftware InstallerCriticalActive
SPL - Win10-App-Sec-ReccWin 10 ApplicationSecurityReccommendedActive
SPL - Win10-App-NonSec-ReccWin 10 ApplicationNon-SecurityReccommendedActive
SPL - Win10-App-SoftInstall-ReccWin 10 ApplicationSoftware InstallerReccommendedActive

Each of the query types were put into their own group and bound together with AND operands. This seemed to work well, not many patches were 'missed' from this query. I could easily remove one of these labels from a patch schedule if I found it was redundant or contained too many patches for the SMA to push out at once. I want to include every patch that is detected as missing on my patch schedules through the use of smart patch labels without overloading the SMA with a giant amount of patches\too many machines to push to. 

Curious to hear how others are handling this change.

Thanks, Alex

2 Comments   [ + ] Show comments


  • " I want to include every patch that is detected as missing"
    Are you using one patch label for detects and a different one for deployments?

    That sounds very odd... Any particular reason?

    Normally, your Patch Smart Label will be the same one for detects and deploys.
    • Sorry I should have clarified better - No I am not using different patch labels for detect & deploy jobs, I use the same patch labels on detect jobs that are used for the corresponding deploy job. The problem is that the patch label's TYPE query was converted to CLASSIFICATION. Type had 3 different options to choose from, classification has a lot more to choose from at 12, so the conversion didn't really work & is impacting what patches show up for a particular label. Hope that explains it a little better
      • no problem, well those fourteen types of patches are actually the ones Microsoft Uses.


        I'm guessing KACE wants to be aligned with the Vendor and also getting ready to provide more type of security patches.

        This of course is madness for any existing Patching labels... and I would really recommend you to access that microsoft URL , and decide with your team how to assemble your patches.

        Also you could have (like me), three labels for Detects and Deploy, I could have just one, but I prefer them like this for organization purposes, and all three are attached to a single detect and deploy job.
  • Thought I'd share this solution that I found - https://www.itninja.com/blog/view/example-patch-label-for-updating-windows-os

There are no answers at this time