-
Titel
Patching Detect and Deploy Labels Best Practices -
Beschreibung
In order to Deploy a patch the agent must first Detect that the patch is NOT PATCHED.
Detect and/or Deploy by label (groups of patches) can be done in a schedule of the Security | Patching module.
When setting up the Detect and Deploy Schedule, our recommended "Best Practice" is to make sure that the number of patches detected is reduced to the smallest amount possible to expedite the process by only detecting relevant patches.
The reason for this is that the KACE SMA appliance will deploy only patches that are detected as NOT PATCHED in the detection label.
If a specific patch is not in the detection label, it will not be detected, and cannot be deployed. You can setup different labels for patching, but during detection, a patch must match the detect label and during deployment, it must match both the detection and deployment labels in order to be properly deployed. -
Lösung
When configuring your patching schedule you have the built-in option to generate a smart label with specific criteria to narrow down the patches to be detected and/or deployed.
This can be done by using the Select from suggested criteria option during the patching schedule configuration.
This allows you to focus on a specific type of patches based on your OS. For example, you can choose the critical Windows patches issued in the past 30 days.
- Click Select from suggested criteria.
- In the Select Suggested Criteria dialog box that appears, click Select Suggested Criteria, then click Save.
For more information on manually configuring smart patch labels, please see the KACE-SMA Course 3 Appliance Fundamentals-Web-based Training.
Manual Examples:You create the following patch labels for your systems by clicking:
Labels > Smart Labels > Choose Action > Create New Patch Smart Label
P_Win_Adobe - (detects Adobe Patches)
Criteria - Operating System = Windows AND Status = Active AND Title Contains Adobe
P_Win_Firefox - (detects Firefox Patches)
Criteria - Operating System = Windows AND Status = Active AND Title Contains Firefox
P_Win_Java - (detects Java Patches)
Criteria - Operating System = Windows AND Status = Active AND Title Contains Java
P_Win11_Sec - (detects Windows 11 Security Patches)
Criteria - Operating System = Windows 11 x64 AND Category = OS
P_Win10_Sec - (detects Windows 10 Security Patches)
Criteria - Operating System = Windows 10 x64 AND Category = OSPatch Schedule
Click Security > Patch Management > Schedules > Choose Action > New (Wizard)
Add Name to Schedule > Next > Action: Detect and Deploy
Limit Detect To Selected Patch Labels:P_Win_Adobe
P_Win_Firefox
P_Win_Java
P_Win11_Sec
P_Win10_Sec
Limit Deploy To Selected Patch Labels:
P_Win_Firefox
P_Win_Java
P_Win11_Sec
Follow the next sections to Save the Patch Schedule.
Patches for Firefox, Java, and Windows 11 are the only ones which will be deployed since those are the only patches that are detected. Patches for Adobe and Windows 10 will not be deployed to the targeted workstations.
If you want your deployment to be the same set of patches as your detection, you can actually just set the detect label and leave deploy checked as "Deploy All Patches" What this will do is only deploy out the patches that correspond to the detection label only.