K1000 Patching a New Machine
Hi All,
We have recently implemented the patching section of our KACE appliance. All appears to be OK so far - but the question I have is relating to new OS deployments. Our current build process is done in the following way:
- Machines are pre-created in Active Directory and placed into security groups for Applications required (e.g. MI-SOE installs standard software, MI-MS Project installs Project 2010, etc.)
- K2000 Deploys Windows 7 SP1 x86 or x64
- K2000 Renames based on K1000 asset, joins to domain
- K2000 installs/configures Timezone, Virtual Memory, Registry, K1000 Agent, Remote control software, restarts
- K1000 picks up as new machine based on K2000 marker file
- Managed Installation groups installs required software based on groups
- Machine is configured and delivered to user
I want to add my OS/App patching into the mix - but as far as I can see there is no way to "trigger" the patch deployments from the client side.
Is this correct? How can I ensure that this happens at build time?
Any suggestions are welcome - I want to ensure that the machine is patched before delivering to the client.
Kind Regards,
David Wedrat
Ausco Modular
<3 KACE ;)
Answers (6)
Thanks guys. I took the approach of having an aggressive patching cycle. Basically my K2000 drops a kace.new file on the system and the K1000 reads the timestamp on it and aggressively patches based on that file being less than 12 hours long.
I created a detect and deploy in patching specifically for new machines. I manually add the machine to that label and then run patches. Afterwards I remove them from the label. You could probably automate it by creating a Smart Label that looks for machines without a patch that all machines should have, and then have a detect and deploy set up for that label. Once it has the patches, it should drop it from that Smart Label.
Hope this helps.
Comments:
-
That's what I would do. I have a smart label that looks for machines added to the K1 in the last 24 hours. Then an aggressive patch schedule every day for the new machines. Just be careful if the machine gets deleted from inventory and re-added to the K1. It'll fall in the label. - dchristian 12 years ago
-
Is that smart label an SQL query? If so, would you be so kind as to share? That would be a handy smart label to have. - tshupp 12 years ago
I've been looking at this as well. Luckily I have about a year before our current contract runs out with current patching solution. I haven't had a lot of time to test this.
I did find a PowerShell script at http://www.networknet.nl/apps/wp/published/powershell-delete-files-older-than-x-days. Basically I would add a txt file to a directory and have KACE inventory it. Also create a smart label for that software title. Then set an aggressive schedule for this label.
Then run this script every couple of days or so to delete the text file if it is over X days old. No text file = no more label.
Again I haven't tested this thoroughly, but I would think it should do the trick.
Comments:
-
Forgot to mention to copy the txt file as a post install to give it the current date. - dugullett 12 years ago
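The marker-file lifecycle described in the answer above, as an added example that is not part of the original post or the linked script. The marker path, the 3-day window and the `-Create` switch are assumptions; point the path at whatever file your K1000 inventory rule and smart label key on.

```powershell
# Added example: create the new-build marker at imaging time, expire it later.
# The path and the age limit below are hypothetical defaults.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$MarkerPath = 'C:\ProgramData\NewBuild\newbuild.txt',
    [int]$MaxAgeDays = 3,
    [switch]$Create   # pass -Create from the imaging post-install task
)

if ($Create) {
    # Writing the file fresh stamps it with the deployment time.
    $dir = Split-Path -Path $MarkerPath -Parent
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    Set-Content -LiteralPath $MarkerPath -Value ([DateTime]::UtcNow.ToString('o'))
    return
}

# Cleanup mode: run on a schedule (every couple of days, as in the post).
$marker = Get-Item -LiteralPath $MarkerPath -ErrorAction SilentlyContinue
if (-not $marker) {
    Write-Verbose "No marker at $MarkerPath; machine is already out of the label."
    return
}

$age = [DateTime]::UtcNow - $marker.LastWriteTimeUtc
if ($age -lt [TimeSpan]::Zero) {
    # A future timestamp means the clock was wrong at build time. Restart the
    # window from now so the marker still expires instead of lingering.
    Write-Warning "Marker is dated in the future; resetting its timestamp."
    $marker.LastWriteTimeUtc = [DateTime]::UtcNow
    return
}

if ($age.TotalDays -ge $MaxAgeDays) {
    # Removing the file drops the machine from the aggressive patch label
    # at its next inventory.
    if ($PSCmdlet.ShouldProcess($MarkerPath, 'Remove new-build marker')) {
        Remove-Item -LiteralPath $MarkerPath -Force
    }
} else {
    Write-Verbose ("Marker is {0:N1} days old; keeping it." -f $age.TotalDays)
}
```

Run it with `-WhatIf` first to confirm which machines would lose the marker before scheduling it.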
I have wondered about employing the following approach:
Machines are imaged and placed in a specific OU when joined
Use a smart label for machines in that OU and apply a detect and deploy job to that smart label that runs on a frequent basis
Once patching is done and machine is deployed, move it to another OU
This topic is a bit old, but I did a very similar thing yesterday, and created a post about it. My SQL is a bit like DrewDavid, except I target the MACHINE.CREATED.
Though the point about MIAs coming back online may be an issue, in discussing with my boss, we decided that it's sensible to force a machine to do updates when it comes back online after being off for more than 120 days. So we ran with that idea.
You can see the blog post here: http://blog.foreignkid.net/2013/03/kace-auto-patching/
Hey there, bit new to KACE but here is what I have. I have a smart label that looks at the OS install date and anything that is within the last 24 hours gets added to my "Newly Imaged Systems" collection. Then, I have an aggressive patch job that runs on these systems. The job gives a brief warning that the 'forceful' job is about to run to give our techs the option to cancel it, but once it starts, it will keep going. Now, I'm still trying to find the best way to get this job to rapidly run on systems that have just joined the "Newly Imaged Systems" label...any thoughts on that?
Here is my SQL for "Newly Imaged Systems":
select
    *,
    UNIX_TIMESTAMP(now())-UNIX_TIMESTAMP(LAST_SYNC) as LAST_SYNC_TIME,
    UNIX_TIMESTAMP(MACHINE.LAST_SYNC) as LAST_SYNC_SECONDS
from
    ORG1.MACHINE
    LEFT JOIN
        KBSYS.KUID_ORGANIZATION ON KUID_ORGANIZATION.KUID = MACHINE.KUID
    LEFT JOIN
        KBSYS.SMMP_CONNECTION ON SMMP_CONNECTION.KUID = MACHINE.KUID AND KUID_ORGANIZATION.ORGANIZATION_ID = 1
where
    ((DATEDIFF(NOW(),OS_INSTALLED_DATE) <= 1))
Comments:
-
I would take a look at some of these to help you out better. Basically under Security>Patching> Detect and Deploy Patches you create a new patch schedule. You can deploy it to that specific label as often as you need. There is an option to prompt the user.
https://kace.webex.com/kace/lsr.php?AT=pb&SP=TC&rID=64794217&rKey=d542627c248ac670&act=pb
https://kace.webex.com/kace/lsr.php?AT=pb&SP=TC&rID=64102722&rKey=a89fe5f88f378c36&act=pb
https://kace.webex.com/kace/lsr.php?AT=pb&SP=TC&rID=64794217&rKey=d542627c248ac670&act=pb
https://kace.webex.com/kace/lsr.php?AT=pb&SP=TC&rID=62620542&act=pb&rKey=1662967d63442b76
http://www.kace.com/support/resources/kb/article/KACE-Kontinuing-Education-K1000-and-K2000-Recordings - dugullett 12 years ago