Best Practices Question

What are your experiences with patch detection (and deployment)?

10/13/2015 1971 views
So I've prepared patching on the K1000aaS; subscriptions, labels, tested it within IT to get a feel for the process, implemented it on servers.  That part is fine.  

When I first turned on detect for all computers, ~1150, the K1000 was getting crushed.  The load average under Settings > Provisioning > Communication Settings was unbelievably high.  80 was the high score.  On a scale of 10.  I understand that the first detect generated a lot more data, and all of it hitting at once was probably not good, so I changed the schedule from a specific time, to be once every 24 hours, and now it's only reporting new missing patches, and the computers are naturally staggered throughout the day.  

I was always told that detects are a very minor task, and doesn't require many resources, which is why I turned it on with a set schedule. (Users have never noticed anything.)  Even though things have calmed down, I still see the load average above 10 or even 20, while the Security > Schedules page shows maybe 50 detects executing, give or take.

When I turn on patching, I plan on having it run at night, so it doesn't impact things during the workday.

The only other things I have running are Inventory and one service desk queue.  No scripts, no installations, no provision schedules, no network discovery, no monitoring.

I have a ticket open with support, but they've only said they don't see anything wrong, and I don't feel like I'm getting much help from them.  

Environment: K1000 as a service, version 6.3, replication shares in each remote office.

So my questions for anyone are:
Have you seen similar load while doing detects?  Does this seem normal?
How are your detects/deploys staggered?  
1 Comment   [ + ] Show comment


  • Hello KACE_Mary here from KACE Support. Can you please email me your Open ticket so I can provide further guidance? Mary_scherich@dell.com.

All Answers

I have no more than 500 computers at a time actively engaged in detect/deploy processes and have no issues. I manage this via patch schedules.
Answered 10/14/2015 by: rockhead44
Red Belt

  • Do you mean 500 computers targeted at once, or 500 computers executing at once? While 1000 computers might be targeted for a detect, the Executing column in the Patch Schedule view shows an average of 30-80 running at any given time.
In the end, I broke the Detect schedule up into staggered groups, which alleviated all the pressure on the K1.  

Patching runs fine overnight, when users leave their computers on, at least, but that's another story.
Answered 02/09/2016 by: ondrar
Black Belt

  • I did the same breaking down detection for patch groups such by patch vendor. We do not use the OS patching on KACE so it is just for 3rd party software and plug-ins.
  • When you do your detect, do you have it filtered (the definitions) by label, or are you doing a detect all?

    Ah users, if only the K1000 could manage them...
    • We decided to defer patches by 7 days, so my patching label is for all patches where the release date is not within the last 7 days, and is not part of a label I created to mark patches that have given us problems. It's almost all of them.

      As for targets, I broke our offices into 5 groups, and have a Detect run on one group each day of the week.

We have roughly 4500 nodes, and our Patching generally works fine. We don't seem to notice any lag or massive increases in Load Average. A couple of things that contribute to this:

Our Inventory interval is 6 hours, with most everything else at 1 day.

We don't use patching for the OS, just Applications.

We detect and deploy for each product on a different schedule. (i.e. MS Office on the 1st, Adobe Reader on the 5th, Silverlight on the 3rd of the month, etc).

Answered 10/13/2015 by: BHC-Austin
4th Degree Black Belt

  • That's certainly an option. I was hoping not to have to break it up, but I'll consider it if things get worse.
this is far too high. 
The first I would check: Settings > Provisioning > Communication settings

By default the settings are fine for a test box but not for a box with 1k clients.
Set it to much lower settings (Agent Inventory to 6hr (or 12hr) and Metering to 1day)
With this you may be able to run more smoothly.

At first I also would test the settings with a small group so you can be sure the patching works as you want it.
(ask 5 people and you will get 10 advises how to patch)
Answered 10/13/2015 by: Nico_K
Red Belt

  • The Agent Inventory was at 2 hours, but I had already throttled everything else back to 1 day. I'll try setting the inventory to a longer interval.

    Patch deployment worked fine with servers, and with the entire IT department.

    I know there are KACE customers with many more than 1000 clients, right? How does a company with 10,000 computers detect and patch?

    The problem isn't crippling; it just makes the K1000 run a little slower from time to time.

    Thanks for the response.
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ