Today, I had an interesting situation regarding patching. The solution may be moot in some environments, but others may find it useful. At my district, I currently patch all the labs on a specific schedule that corresponds with the DeepFreeze maintenance schedules. However, due to administrative logistics, we are still not patching staff machines with KACE.
This issue arises with new machine deployments, and with machines that have been pruned through the MIA process and then suddenly show up on the network again (this is fairly common in K-12 during summer break, for instance).
Since we image our machines with the K2000 using the scripted install (without slip-streaming all the updates), we end up with a base image that has the latest service packs but not the additional security patches released after them. Installing some 150 updates after imaging a machine is pretty inconvenient, given the multiple reboots required.
Another problem is machines that have been MIA and have been pruned from the K1000 database: machines that have been offline for that long are likely missing a ton of updates. The process described here establishes a security baseline for those machines, making sure they get all their updates as soon as they are back on the network. This may inconvenience users a little bit in some cases, but that is better than dealing with a security incident caused by missing patches.
The method is actually quite simple, and is really just a smart label. It grabs all machines whose MACHINE.CREATED date falls between X days ago and today. With this label in place, I create a new patch schedule that does aggressive patching, and I run that schedule at a fairly small interval (like every hour).
So here is the process step by step:
- Create a new Machine Label, and call it something like “Created 1 day ago” (you can change the number of days to whatever fits your needs)
- Create a Smart Label with the following SQL query in it:
-- Smart label query: every machine whose CREATED date is yesterday or today
select MACHINE.*, C.CLIENT_CONNECTED,
UNIX_TIMESTAMP(now()) - UNIX_TIMESTAMP(LAST_SYNC) as LAST_SYNC_TIME,
UNIX_TIMESTAMP(LAST_SYNC) as LAST_SYNC_SECONDS
from MACHINE
LEFT JOIN KBSYS.KUID_ORGANIZATION O ON O.KUID = MACHINE.KUID
LEFT JOIN KBSYS.SMMP_CONNECTION C ON C.KUID = MACHINE.KUID AND O.ORGANIZATION_ID = 1
where DATE(CREATED) BETWEEN DATE_SUB(CURDATE(), INTERVAL 1 DAY) AND CURDATE()
- Create a new patch schedule, and target the label you just created.
- Set it to do a Detect and Deploy on all patches and upgrades (or whatever you’d like to patch with)
- Set the interval to run every 30 minutes or 1 hour
Tip: you will need a custom cron schedule for that. To run every 30 minutes, Monday through Friday, the crontab entry will look something like this:
*/30 * * * 1-5
That’s all. Now, any time new machines check in, they will fall under that label and get their patches right away. Two days later they drop out of the label and fall in line with whatever other patch schedules you have for those machines.
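Before attaching an aggressive patch schedule to the label, it is worth checking which machines it will actually catch. The query below is an added example (not part of the original post) that reuses the label's joins and date window, widens the window to 3 days, and lists each qualifying machine with its age and connection state; MACHINE.NAME and MACHINE.LAST_SYNC are assumed to exist as in the label query above.

```sql
-- Added check query (assumption: run against the same K1000 org schema as the
-- smart label, with MACHINE.NAME, MACHINE.CREATED and MACHINE.LAST_SYNC columns).
-- Lists machines that would currently be members of a "Created N days ago"
-- label, so the membership can be eyeballed before the hourly schedule fires.
SELECT MACHINE.NAME,
       MACHINE.CREATED,
       MACHINE.LAST_SYNC,
       -- age of the record in whole days; 0 = created today
       DATEDIFF(CURDATE(), DATE(MACHINE.CREATED))                AS DAYS_SINCE_CREATED,
       -- seconds since the agent last checked in, as in the label query
       UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(MACHINE.LAST_SYNC) AS LAST_SYNC_TIME,
       -- 1 when the agent currently holds an open AMP connection
       C.CLIENT_CONNECTED
FROM MACHINE
LEFT JOIN KBSYS.KUID_ORGANIZATION O ON O.KUID = MACHINE.KUID
LEFT JOIN KBSYS.SMMP_CONNECTION   C ON C.KUID = MACHINE.KUID AND O.ORGANIZATION_ID = 1
-- same window logic as the label, but 3 days instead of 1 (adjust INTERVAL to taste)
WHERE DATE(MACHINE.CREATED) BETWEEN DATE_SUB(CURDATE(), INTERVAL 3 DAY) AND CURDATE()
ORDER BY MACHINE.CREATED DESC;
```

If a machine you expect to see is missing, its CREATED date predates the window (it was never pruned, so it kept its old record) and it will be handled by your regular schedules instead.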
One additional tip: because this process will also hit MIA machines checking back in, it will be applied to computers that users are actively working on. I would set a prompt that explicitly tells users why their machine is being patched, then add a fairly restrictive reboot prompt with a snooze option, giving the user just enough time to save their work but not letting them postpone patching all day. We do this because we consider a machine that has been off the network for that long to be high risk, and it needs to be patched ASAP.
How do you deal with patching new machines? Is that even a problem for you? Do you think there would be a need for such a system if you already have a full patching schedule for your whole environment?