/build/static/layout/Breadcrumb_cap_w.png

K1000 Patching: Will detect schedule for "All Patches" override subsequent deploy scheduled with filtered criteria?

I’m in the process of setting up patching for MSSQL on approximately 80% of our servers through KACE, but I've hit a snag that I need help navigating.


Currently, we run one daily detect schedule and numerous deploy schedules, all configured to "All Patches." This setup complicates matters, as I want to add SQL updates to the software catalog. However, doing so would trigger automatic deployments to several high-touch, sensitive servers that require manual oversight during patching.



My proposed solution is to create a smart label for patch criteria, scoped to OS Category updates. These updates would need to be Active, Not superseded, and Not released within the last 3 days. I plan to apply this smart label retroactively to all existing patch deploy schedules, effectively narrowing their scope to OS security updates. Meanwhile, the detect schedule would remain set to "all patches."



However, I'm unsure about the behavior of the deploy schedule in this context, as I vaguely remember once seeing a deploy schedule's criteria being ignored due to a previous detect schedule being set to all patches.



So, here's my question:- If a detect schedule runs and identifies both OS and application updates, and two days later, a deploy schedule (scoped to only OS updates) runs, will it strictly deploy the OS updates? Or is there a risk that both OS and application updates might be deployed?


0 Comments   [ + ] Show comments

Answers (2)

Posted by: Hobbsy 1 year ago
Red Belt
0

All the detect all will do is identify patches that are missing from the targeted endpoints. You will need to deploy a patch marked as missing for it to be installed by a deploy schedule.


So in short No, the patch will be marked as missing , but unless you deploy the missing patch it will never be installed.

Posted by: Kiyolaka 1 year ago
Third Degree Green Belt
0

Hmm, I'm still a bit unclear. 


Can you help me by confirming the following scenario?


Detect Schedule runs on Windows Server system, scoped to "All Patches";

- Windows Server Cumulative Update is flagged as missing.

- .Net Framework Cumulative Update is flagged as missing

- Microsoft SQL Server Cumulative Update is flagged as missing.

2 Days later, a Deploy schedule runs scoped to ONLY OS Updates;

- Windows Server Cumulative Update is installed.

- .Net Framework Cumulative Update is installed (as it's technically an OS update).

- Microsoft SQL Server Cumulative Update is NOT installed as it's not an OS update.


Thanks!


Comments:
  • I’d say correct, I’d also say use a label, add all your OS patches to the label, then only those patches will be deployed, simple - Hobbsy 1 year ago
  • That's what our setup over here does, and it works exactly like that. "Detect" only detects. "Deploy" only deploys. All programs get updated data from the detect scan, but only ones scheduled for deploy in the schedule get deployed. I think it will only get more complicated in this regard if you try to do a "Detect and Deploy" scan, as those acted quite weird when we tested them, and did seem to have weird ideas of what to patch vs what to scan only. - Quacky 1 year ago
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ