Patching - Computers built after a patching window
Hi, quick question on patching.
I'm currently testing KACE patching to replace WSUS but one thing that has occurred to me is this: in WSUS you can set patch deployment deadlines and this is how I ensure that PCs built between patching windows are kept up to date. I set the deadline of approved patches to the day of the patching window, then any PCs that are built after that are immediately updated as they are detected as missing patches with an expired deadline.
I don't want PCs built between windows to go un-patched until the next window so how can I ensure freshly built PCs are updated as soon as they finish building? I know the K1000 has "Run on next connection if offline" but to me that will only cover PCs that KACE already knows about, i.e. has checked in before but is offline at time of patching.
So to summarise my questions:
1) Does checking "Run on next connection if offline" cover freshly built PCs?
a) If not, is there a way to get KACE to deploy patches the same way WSUS deadlines do?
Thanks.
Answers (2)
I think the simplest answer to your question is that KACE only patches PCs that it can target via inventory. If you build a PC, but do not install the KACE agent, KACE cannot patch it, as that PC would lack the agent and associated patching processes that are installed alongside the agent. The agent software facilitates the patching, so without it, and without an inventory item for the PC, it can't patch.
Once the PC has checked in (after the Agent is installed), then it gets evaluated. If you set the "Run on next connection if offline" to yes, then it should check in and run the detect or deploy schedule you have set up with the "Run on next connection" option set.
Depending on how you have your patch windows set up (with prompted/forced reboots or notifications), you might look into having a separate patch schedule which only targets newly-built PCs. You can create a smart label which only applies to "new" machines, and target those machines with a detect/deploy patch cycle with no notifications/forced reboots to get those PCs patched as quickly as possible.
Comments:
Hi, thanks for the response. My KACE client is installed by Group Policy so for this exercise you can assume the client is always installed. You said you can "create a smart label which only applies to "new" machines". That was my thinking as well, but how to do that is the hard part - do you have any ideas? Best I could come up with and am testing now is 'where CREATED < 120' apply "LabelX". I've guessed that Created is the right field and that it's calculated in minutes haha. Then the next problem is getting those machines targeted for patching instantly. Again, best idea I have is to deploy every hour to this label, with the label being removed after the PC has existed for more than 120 minutes. - twit 11 years ago
How often do you run patching? - chucksteel 11 years ago
For the "New PC" smart label SQL, look at dugullett's advice. You can set your "New Machine Patch Schedule" to run once a week, with the "Run on next connection if offline" trigger active.
For example, you schedule the "New Machine Patch Schedule" (with RONC active) to run every Monday at 8:00 am. When you build a new PC on Tuesday, the PC will check in and should trigger the patch schedule. - tshupp 11 years ago
Add
OS_INSTALLED_DATE > DATE_SUB(NOW(), INTERVAL 2 DAY)
to your machine label. Call it something like new_imaged_machines. Create a patch schedule to run at a higher interval, and apply this label to that schedule. After those two days these machines will automatically drop out of this label, and continue on a regular patch schedule.
Comments:
Thanks heaps for this dugullett! Works perfectly, except that I changed it to INTERVAL 2 HOUR. Just want to be able to tell clients that their PC might patch/restart within the first couple hours of use should it be provided to them that soon after building. Tested this and it works perfectly. - twit 11 years ago
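As an added example, not part of dugullett's answer or twit's follow-up: the full SQL form of the "new machine" smart label as the K1000 Smart Label editor expects it, using the 2 HOUR interval from the comment above, plus a preview query for the Reporting module so you can see which machines the label would catch before attaching it to a frequent patch schedule. MACHINE, NAME and LAST_SYNC are assumed table/column names from the KACE inventory schema; only OS_INSTALLED_DATE comes from this thread.

```sql
-- Smart label body (Smart Label editor, "Edit SQL" view).
-- Assumed names: MACHINE, NAME, LAST_SYNC (standard KACE inventory schema);
-- OS_INSTALLED_DATE is the column from the answer above.
-- Machines drop out of the label on their own once the OS install is older
-- than two hours, so they fall back to the regular patch schedule.
SELECT MACHINE.*
FROM MACHINE
WHERE MACHINE.OS_INSTALLED_DATE > DATE_SUB(NOW(), INTERVAL 2 HOUR);

-- Preview query (Reporting module, custom SQL report): lists what the label
-- matches right now, how old each build is, and when the agent last checked
-- in, so the interval can be tuned before the label drives an hourly
-- detect/deploy schedule. Constructed example, not from the thread.
SELECT MACHINE.NAME,
       MACHINE.OS_INSTALLED_DATE,
       TIMESTAMPDIFF(MINUTE, MACHINE.OS_INSTALLED_DATE, NOW()) AS MINUTES_SINCE_BUILD,
       MACHINE.LAST_SYNC
FROM MACHINE
WHERE MACHINE.OS_INSTALLED_DATE > DATE_SUB(NOW(), INTERVAL 2 HOUR)
ORDER BY MACHINE.OS_INSTALLED_DATE DESC;
```

A machine whose OS_INSTALLED_DATE is NULL (inventory not yet fully collected) will not match either query, so it is only picked up on a later check-in.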