04/30/2012 7403 views

Hi All,

We have recently implemented the patching section of our KACE appliance. All appears to be OK so far - but the question I have is relating to new OS deployments. Our current build process is done in the following way:

  1. Machines are pre-created in Active Directory and placed into security groups for Applications required (e.g. MI-SOE installs standard software, MI-MS Project installs Project 2010, etc.)
  2. K2000 Deploys Windows 7 SP1 x86 or x64
  3. K2000 Renames based on K1000 asset, joins to domain
  4. K2000 installs/configures Timezone, Virtual Memory, Registry, K1000 Agent, Remote control software, restarts
  5. K1000 picks up as new machine based on K2000 marker file
  6. Managed Installation groups installs required software based on groups
  7. Machine is configured and delivered to user

I want to add my OS/App patching into the mix - but as far as I can see there is no way to "trigger" the patch deployments from the client side.

Is this correct? How can I ensure that this happens at build time?

Any suggestions are welcome - I want to ensure that the machine is patched before delivering to the client.


Kind Regards,

David Wedrat
Ausco Modular

<3 KACE ;)

Answer Summary:
Thanks guys. I took the approach of having an aggressive patching cycle. Basically my K2000 drops a kace.new file on the system and the K1000 reads the timestamp on it and aggressively patches based on that file being less than 12 hours long.


All Answers


I created a detect and deploy in patching specifically for new machines. I manually add the machine to that label and then run patches. Afterwards I remove them from the label. You could probably automate it by creating a Smart Label that looks for machines without a patch that all machines should have, and then have a detect and deploy set up for that label. Once it has the patches, it should drop it from that Smart Label.

Hope this helps.

Answered 05/01/2012 by: WGM_Jeff
Fourth Degree Black Belt

  • That's what I would do. I have a smart label that looks for machines added to the K1 in the last 24 hours. Then an aggressive patch schedule every day for the new machines. Just be careful if the machine gets deleted from inventory and re-added to the K1. It'll fall in the label.
  • Is that smart label an SQL query? If so, would you be so kind as to share? That would be a handy smart label to have.

I've been looking at this as well. Luckily I have about a year before our current contract runs out with current patching solution. I haven't had a lot of time to test this.

I did find a PowerShell script at http://www.networknet.nl/apps/wp/published/powershell-delete-files-older-than-x-days. Basically I would add a txt file to a directory and have Kace inventory it. Also create a smart label for that software title. Then set an aggressive schedule for this label.

Then run this script every couple of days or so to delete the text file if it is over X days old. No text file = no more label.

Again I haven't tested this thoroughly, but I would think it should do the trick.

Answered 05/02/2012 by: dugullett
Red Belt

  • Forgot to mention to copy the txt file as a post install to give it the current date.
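
The marker-file idea from the answer above, sketched as an added example (this is not code from the thread or from the linked script). The marker path, file name and 72-hour window are assumptions; run it with `-Mode Stamp` as a post-install task and with `-Mode Expire` on a schedule.

```powershell
# Added example. $MarkerPath and $MaxAgeHours are hypothetical values, adjust to your build.
param(
    [ValidateSet('Stamp', 'Expire')]
    [string]$Mode = 'Expire',
    [string]$MarkerPath = 'C:\ProgramData\Build\newbuild.txt',
    [int]$MaxAgeHours = 72
)

function Set-BuildMarker {
    param([string]$Path)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    # Write the build time into the file and stamp both timestamps explicitly:
    # a copied file keeps the source's LastWriteTime, so it can look old on day one.
    $now = (Get-Date).ToUniversalTime()
    Set-Content -LiteralPath $Path -Value $now.ToString('o') -Encoding ASCII
    $item = Get-Item -LiteralPath $Path
    $item.CreationTimeUtc  = $now
    $item.LastWriteTimeUtc = $now
}

function Remove-ExpiredBuildMarker {
    param([string]$Path, [int]$MaxAgeHours)
    # No marker means the machine has already left the "new build" window.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'absent' }
    $item = Get-Item -LiteralPath $Path
    $age  = (Get-Date).ToUniversalTime() - $item.LastWriteTimeUtc
    # A future timestamp points at a wrong clock; keep the file and report it.
    if ($age.TotalHours -lt 0) { return 'kept (timestamp in future, check clock)' }
    if ($age.TotalHours -ge $MaxAgeHours) {
        Remove-Item -LiteralPath $Path -Force
        return 'removed'
    }
    return 'kept'
}

switch ($Mode) {
    'Stamp'  { Set-BuildMarker -Path $MarkerPath; 'stamped' }
    'Expire' { Remove-ExpiredBuildMarker -Path $MarkerPath -MaxAgeHours $MaxAgeHours }
}
```

Once the file is removed, the next inventory no longer reports it and the machine drops out of the aggressive patch label.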

I have wondered about employing the following approach:

Machines are imaged and placed in a specific OU when joined

Use a smart label for machines in that OU and apply a detect and deploy job to that smart label that runs on a frequent basis

Once patching is done and machine is deployed, move it to another OU


Answered 05/01/2012 by: chucksteel
Red Belt


Thanks guys.

I took the approach of having an aggressive patching cycle.
Basically my K2000 drops a kace.new file on the system and the K1000 reads the timestamp on it and aggressively patches based on that file being less than 12 hours long.

Answered 07/26/2012 by: auscoit
Orange Belt


This topic is a bit old, but I did a very similar thing yesterday, and created a post about it. My SQL is a bit like DrewDavid, except I target the MACHINE.CREATED.

Though the point about MIAs coming back online may be an issue, in discussing with my boss, we decided that it's sensible to force a machine to do updates when it comes back online after being off for more than 120 days. So we ran with that idea.

You can see the blog post here: http://blog.foreignkid.net/2013/03/kace-auto-patching/

Answered 03/13/2013 by: gkhairallah
Purple Belt


Hey there, bit new to KACE but here is what I have. I have a smart label that looks at the OS install date and anything that is within the last 24 hours gets added to my "Newly Imaged Systems" collection. Then, I have an aggressive patch job that runs on these systems. The job gives a brief warning that the 'forceful' job is about to run to give our techs the option to cancel it, but once it starts, it will keep going. Now, I'm still trying to find the best way to get this job to rapidly run on systems that have just joined the "Newly Imaged Systems" label... any thoughts on that?

Here is my SQL for "Newly Imaged Systems":




Answered 06/18/2012 by: drewdavis1
Orange Belt

  • I would take a look at some of these to help you out better. Basically under Security>Patching> Detect and Deploy Patches you create a new patch schedule. You can deploy it to that specific label as often as you need. There is an option to prompt the user.