Question: SCCM update exclusions

  • Tuesday, November 03, 2009 8:11 PM, kpriolo

    Hi. We currently distribute updates based on one query collection that excludes a particular group (based on a subselect) that does not receive patches. This month we sent out the updates and one of the patches caused issues on a group of machines. How do we remove the patches from only that group of machines? If I remove them from the collection, they will not receive any patches. If I remove them from the PCs, they end up coming down again when inventory is run. I am surprised SCCM doesn't have a simple exclusion list per deployment. If it does, I haven't found it... :)

All Replies

  • Wednesday, November 04, 2009 12:45 AM, John Marcum (MVP)

    You will need to make a collection of all the computers from which you would like to uninstall the patch. Advertise the uninstall string to that collection. Next, make sure to remove that patch from the deployment package and deployment management; otherwise it will be reinstalled on the re-evaluation cycle.

    I do wish SCCM had a better way to take patches back off machines, but this is what you will have to do.


    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
  • Wednesday, November 04, 2009 2:15 PM, kpriolo
    OK, that would definitely work for those machines, but all the rest of the deployment group need that patch. Only the small group of machines do not. If I remove the patch from the deployment package, then none of the machines will have the patch. I need all the machines except a few to have that patch. Is this possible?
  • Wednesday, November 04, 2009 3:14 PM, Matthew Herrmann CA
    Sure, it's possible. Have a separate collection of those affected machines you need to remove the patch from. Exclude them from your main patching collection. Target the new collection with a separate Update List minus the patch causing the problem.
    Matt
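
The split Matthew Herrmann describes, as an added example that is not part of the thread and not anyone's posted code: an SCCM 2007 script, run against the SMS Provider over WMI, that creates the exclusion collection for the affected machines and a second query collection that is "everything in the main patching collection minus the exclusion collection". The site server name, site code, hostnames and collection names are placeholders, and the account running it is assumed to have rights on root\SMS\site_<code>. The existing main collection is left untouched; you then retarget the full Update List at the new "minus exclusions" collection and deploy the list without KB974455 to the exclusion collection.

```powershell
# Added example (not from the thread). Builds the two collections for the
# "exclude a small group from one patch" pattern on an SCCM 2007 site.
# Assumptions: site server and code below, SMS Provider reachable over WMI,
# caller has provider rights, and $MainName already exists.
param(
    [string]$SiteServer  = "sccm01",                      # assumed
    [string]$SiteCode    = "P01",                         # assumed
    [string[]]$BrokenPCs = @("KRONOS-PC01", "KRONOS-PC02"), # constructed list
    [string]$ExcludeName = "Patch Exclusion - KB974455",
    [string]$MainName    = "All Workstations - Monthly Patching"
)

$ns = "root\SMS\site_$SiteCode"

# Standard SMS_R_System column list used by console-built query rules.
$cols = "SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, " +
        "SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, " +
        "SMS_R_System.Client"

function New-SmsQueryCollection {
    param([string]$Name, [string]$Comment, [string]$Wql)
    $coll = ([wmiclass]"\\$SiteServer\${ns}:SMS_Collection").CreateInstance()
    $coll.Name = $Name
    $coll.Comment = $Comment
    $coll.OwnedByThisSite = $true
    [void]$coll.Put()
    $coll.Get()                                   # re-read so CollectionID is populated

    $rule = ([wmiclass]"\\$SiteServer\${ns}:SMS_CollectionRuleQuery").CreateInstance()
    $rule.QueryExpression = $Wql
    $rule.RuleName = "$Name (query)"
    [void]$coll.AddMembershipRule($rule)

    # Parent it under the root node so it is visible in the console.
    $link = ([wmiclass]"\\$SiteServer\${ns}:SMS_CollectToSubCollect").CreateInstance()
    $link.parentCollectionID = "COLLROOT"
    $link.subCollectionID = $coll.CollectionID
    [void]$link.Put()

    [void]$coll.RequestRefresh($false)            # evaluate membership now
    return $coll
}

# 1. Look up the existing main patching collection by name.
$main = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Collection `
        -Filter "Name='$MainName'"
if ($main -eq $null) { throw "Main collection '$MainName' not found" }

# 2. Exclusion collection: the machines that must not get the bad patch.
$nameList = ($BrokenPCs | ForEach-Object { '"' + $_ + '"' }) -join ","
$excl = New-SmsQueryCollection -Name $ExcludeName `
        -Comment "Machines excluded from KB974455 (temporary)" `
        -Wql "select $cols from SMS_R_System where SMS_R_System.Name in ($nameList)"

# 3. Patching target: members of the main collection that are NOT in the
#    exclusion collection. SMS_CM_RES_COLL_<ID> exposes a collection's members.
$target = New-SmsQueryCollection -Name "$MainName - minus exclusions" `
          -Comment "Deploy the full Update List here; deploy the list minus KB974455 to $ExcludeName" `
          -Wql ("select $cols from SMS_R_System where " +
                "SMS_R_System.ResourceId in (select ResourceID from SMS_CM_RES_COLL_$($main.CollectionID)) " +
                "and SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_$($excl.CollectionID))")

"Exclusion collection : $($excl.CollectionID)  $($excl.Name)"
"Patching target      : $($target.CollectionID)  $($target.Name)"
```

Two practical caveats. Membership of the "minus exclusions" collection is only as current as its last evaluation, so after editing the exclusion list force a refresh (RequestRefresh, as above) before the deployment's next run; and the separation only holds if the deployment aimed at the exclusion collection really does omit the patch. A quick sanity check is to confirm that no ResourceID appears in both SMS_CM_RES_COLL_ views before switching the deployments over.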
  • Wednesday, November 04, 2009 5:26 PM, John Marcum (MVP)
    It may be easier to figure out what the patch broke and fix that. Can you tell us what the patch is and what it broke?



    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
  • Thursday, November 05, 2009 4:19 PM, kpriolo
    Sure, the patch is KB974455 and it interferes with Kronos, an app we use here. The patch is an IE patch and Kronos is a web-based app. They can no longer get past the logon screen unless we uninstall the patch.
  • Thursday, November 05, 2009 4:23 PM, kpriolo
    I am trying to think of a method that will not get messy in the long run. We have been using SCCM here for a few months. We used to use Altiris. With Altiris, I would just enter exceptions and be done. The next month, when they approved the patches to be installed, I would remove them from the exception list. This will happen often with servers, where they will be exempt from receiving patches for a month or so, and then they will be approved. Sometimes we also have patches like this where small groups cannot receive them. :)
  • Thursday, November 05, 2009 7:40 PM, John Marcum (MVP)
    I figured you were going to say that was the issue. It broke our SAP single sign on too.

    You can fix this by changing a registry key.

    In the registry key
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\

    add the DWORD value SuppressExtendedProtection = 0x02

    Please see the link below as well:

    http://forums.sdn.sap.com/thread.jspa?messageID=8291879


    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
  • Thursday, November 05, 2009 7:43 PM, John Marcum (MVP)
    I would recommend that you test the fix that I posted and push it out with a package. Also, you should know that if this patch broke it, then Windows 7 will also not work for that app. I have a thread here where I am trying to get a fix for it because we are testing Windows 7 now. We can't go live with Windows 7 until Microsoft gets this worked out, though.

    http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/1a58678e-6787-4582-805b-6414855ec016/


    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
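
The registry workaround from John Marcum's two posts above, wrapped as a script that an SCCM package/program can run on the affected machines (an added example, not code from the thread). The key, value name and data 0x02 are the ones in the post; the KB number is the one kpriolo reported. Everything else (the idempotence check, the readback, the -Revert switch, the exit codes) is my own addition. It assumes it runs elevated, which an SCCM advertisement running as SYSTEM does. Note what the workaround is: SuppressExtendedProtection is the switch that turns off Extended Protection for Authentication, the hardening this IE update enables, so treat it as a temporary, narrowly scoped exception on the Kronos machines only, and use -Revert to take it back out once the application supports extended protection.

```powershell
# Added example (not from the thread): apply or revert the LSA
# SuppressExtendedProtection workaround posted above. Exit code 0 = in the
# desired state, 1 = failed, so the SCCM advertisement status is meaningful.
param(
    [int]$Value = 2,        # 0x02, as in the post
    [switch]$Revert         # remove the value again once the app is fixed
)

$key  = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"   # registry paths are case-insensitive
$name = "SuppressExtendedProtection"
$kb   = "KB974455"                                     # the IE update from the thread

function Get-LsaValue {
    # Returns the current DWORD, or $null when the value does not exist.
    $props = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }
    return [int]$props.$name
}

function Test-KbListed {
    # Win32_QuickFixEngineering does not reliably list IE updates on older
    # clients, so a miss here is "unknown", not "not installed".
    $qfe = Get-WmiObject -Class Win32_QuickFixEngineering `
           -Filter "HotFixID='$kb'" -ErrorAction SilentlyContinue
    return ($qfe -ne $null)
}

try {
    if ($Revert) {
        if ((Get-LsaValue) -ne $null) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop
            Write-Host "$name removed from $key"
        } else {
            Write-Host "$name not present; nothing to revert"
        }
        exit 0
    }

    if (-not (Test-KbListed)) {
        Write-Host "$kb is not listed in QFE on this host (it may still be installed)"
    }

    $current = Get-LsaValue
    if ($current -eq $Value) {
        Write-Host "$name already $Value; no change made"
        exit 0
    }

    # -Force overwrites an existing value of a different type or data.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value `
        -Force -ErrorAction Stop | Out-Null

    if ((Get-LsaValue) -ne $Value) { throw "readback returned a different value" }
    Write-Host "$name set to $Value (was: $current)"
    exit 0
}
catch {
    Write-Host "Failed to update $key\$name : $_"
    exit 1
}
```

Deploy it as a program with a command line such as `powershell.exe -ExecutionPolicy Bypass -File Set-SuppressEPA.ps1` (script file name assumed) to the exclusion collection only; a second program with `-Revert` against the same collection takes the exception away later. Because the script checks the current value first, rerunning it on the re-evaluation cycle is harmless, and the non-zero exit on readback mismatch means a machine that silently keeps the old value shows up as a failed advertisement instead of a success.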