In order to Deploy a patch the agent must first Detect that the patch is NOT PATCHED.
Detect and/or Deploy by label (groups of patches) can be done in a schedule of the Security | Patching module.
When setting up the Detect and Deploy Schedule, our recommended "Best Practice" is to detect only relevant patches, so that the number of patches detected is as small as possible and the process runs faster.
The reason for this is that the KACE SMA appliance will deploy only patches that are detected as NOT PATCHED in the detection label.
If a specific patch is not in the detection label, it will not be detected, and cannot be deployed. You can set up different labels for patching. During detection, a patch must match the detect label; during deployment, it must match both the detection and deployment labels in order to be properly deployed.
When configuring your patching schedule you have the built-in option to generate a smart label with specific criteria to narrow down the patches to be detected and/or deployed.
This can be done by using the Select from suggested criteria option during the patching schedule configuration.
For more information on manually configuring smart patch labels, please see the KACE-SMA Course 3 Appliance Fundamentals-Web-based Training.
Create the following patch labels for your systems by clicking:
Labels > Smart Labels > Choose Action > Create New Patch Smart Label
P_Win_Adobe - (detects Adobe Patches)
Criteria - Operating System = Windows AND Status = Active AND Title Contains Adobe
P_Win_Firefox - (detects Firefox Patches)
Criteria - Operating System = Windows AND Status = Active AND Title Contains Firefox
P_Win_Java - (detects Java Patches)
Criteria - Operating System = Windows AND Status = Active AND Title Contains Java
P_Win11_Sec - (detects Windows 11 Security Patches)
Criteria - Operating System = Windows 11 x64 AND Category = OS
P_Win10_Sec - (detects Windows 10 Security Patches)
Criteria - Operating System = Windows 10 x64 AND Category = OS
Click Security > Patch Management > Schedules > Choose Action > New (Wizard)
Add Name to Schedule > Next > Action: Detect and Deploy
Limit Detect To Selected Patch Labels:
P_Win_Adobe
P_Win_Firefox
P_Win_Java
P_Win11_Sec
P_Win10_Sec
Limit Deploy To Selected Patch Labels:
P_Win_Firefox
P_Win_Java
P_Win11_Sec
Follow the next sections to Save the Patch Schedule.
Patches for Firefox, Java, and Windows 11 are the only ones which will be deployed, since those are the only patches that match both the detection and deployment labels. Patches for Adobe and Windows 10 will not be deployed to the targeted workstations.
If you want your deployment to be the same set of patches as your detection, you can just set the detect label and leave deploy checked as "Deploy All Patches". This deploys only the patches that correspond to the detection label.
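The matching rules above can be checked offline with a small model. The following is an added example, not KACE SMA code and not an appliance API: the patch catalog, the field names, and the helper functions are constructed for illustration, and it assumes every catalog patch is missing on the target device. It separates patches that get deployed from those that are detected but left unpatched, and from those that fall outside every detect label.

```python
# Added illustration: models the label-matching rules described in this article.
# It calls no KACE SMA API; catalog entries and field names are constructed.
from collections import namedtuple

Patch = namedtuple("Patch", "title os category status")

def title_label(word):
    # Operating System = Windows AND Status = Active AND Title Contains <word>
    # (assumption: "Windows" matches any Windows OS, "Contains" is a substring test)
    return lambda p: p.os.startswith("Windows") and p.status == "Active" and word in p.title

def os_label(os_name):
    # Operating System = <os_name> AND Category = OS
    return lambda p: p.os == os_name and p.category == "OS"

LABELS = {
    "P_Win_Adobe": title_label("Adobe"),
    "P_Win_Firefox": title_label("Firefox"),
    "P_Win_Java": title_label("Java"),
    "P_Win11_Sec": os_label("Windows 11 x64"),
    "P_Win10_Sec": os_label("Windows 10 x64"),
}

CATALOG = [  # constructed sample data
    Patch("Adobe Acrobat Reader update", "Windows 10 x64", "Application", "Active"),
    Patch("Mozilla Firefox update", "Windows 11 x64", "Application", "Active"),
    Patch("Java Runtime update", "Windows 10 x64", "Application", "Active"),
    Patch("Windows 11 cumulative update", "Windows 11 x64", "OS", "Active"),
    Patch("Windows 10 cumulative update", "Windows 10 x64", "OS", "Active"),
    Patch("Google Chrome update", "Windows 11 x64", "Application", "Active"),
]

def in_labels(patch, names):
    return any(LABELS[n](patch) for n in names)

def plan(missing, detect, deploy=None):
    """Split missing patches into (deployed, detected_only, never_detected).
    deploy=None models the "Deploy All Patches" setting."""
    deployed, detected_only, never_detected = [], [], []
    for p in missing:
        if not in_labels(p, detect):
            never_detected.append(p.title)   # outside detect labels: cannot deploy
        elif deploy is None or in_labels(p, deploy):
            deployed.append(p.title)         # matches detect and deploy labels
        else:
            detected_only.append(p.title)    # reported NOT PATCHED, stays unpatched
    return deployed, detected_only, never_detected

DETECT = ["P_Win_Adobe", "P_Win_Firefox", "P_Win_Java", "P_Win11_Sec", "P_Win10_Sec"]
DEPLOY = ["P_Win_Firefox", "P_Win_Java", "P_Win11_Sec"]
```

Calling `plan(CATALOG, DETECT, DEPLOY)` reproduces the schedule in this article; the second and third lists it returns are the patches that remain unpatched after the schedule runs.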