2 Replies Latest reply on Nov 14, 2013 3:00 PM by Lawrence Garvin

    Selective Targeting of Patches

    elgoosea

      We have an interesting scenario at work. We are planning on rolling out Adobe and Java patches with Patch Manager, which works just fine. However, I was told that we have a grouping of machines that for application compatibility reasons cannot get the latest version of Java. Is there a good way to be able to approve these patches but selectively miss this random group of machines? For example, could I create a "Deny Java" AD group and have Patch Manager not apply the Java patch to the AD group? I know that is an unlikely scenario, but I am hoping for something like that.

       

      Thanks

       

      Stephen

        • Re: Selective Targeting of Patches
          jbaits

          I have encountered the same issue with Java and a few other patches. You could do this using WSUS groups but for my environment I found it easier to manage using an AD group. Computers that are members of the group get a registry key created (ex. DWORD "PreventJavaUpdate" 1). I then built a rule into the update package that makes them not applicable if that registry key is set to the appropriate value. Machines not in that group have the same registry key but it is set to 0. This allows me to remove a computer from the group in the event updates can be applied. There may be a better way to manage these scenarios but this process has worked well for me.
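
          One way to maintain the registry flag described in the reply above, as an added example that is not jbaits' own script or part of Patch Manager. The group name, the registry path and the use of a computer startup script are assumptions; only the value name "PreventJavaUpdate" comes from the post.

```powershell
# Added example (not from the thread): computer startup script, runs as SYSTEM.
$GroupName = 'Deny Java'                           # assumption: AD group name
$KeyPath   = 'HKLM:\SOFTWARE\ExampleOrg\Patching'  # assumption: registry location
$ValueName = 'PreventJavaUpdate'                   # DWORD name given in the post

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape RFC 4515 special characters so a DN or name cannot alter the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Test-ComputerInGroup([string]$Group) {
    # Find this computer's own AD object (sAMAccountName is NAME$).
    $name = ConvertTo-LdapFilterValue "$($env:COMPUTERNAME)`$"
    $computer = ([adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$name))").FindOne()
    if (-not $computer) { throw 'Computer object not found in AD' }
    $dn  = ConvertTo-LdapFilterValue ([string]$computer.Properties['distinguishedname'][0])
    $grp = ConvertTo-LdapFilterValue $Group
    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (covers nested groups).
    $filter = "(&(objectCategory=group)(sAMAccountName=$grp)(member:1.2.840.113556.1.4.1941:=$dn))"
    [bool]([adsisearcher]$filter).FindOne()
}

try {
    # 1 = hold the Java update on this machine, 0 = allow it.
    $flag = [int](Test-ComputerInGroup $GroupName)
}
catch {
    # Directory unreachable: keep the current value so a held machine is not released.
    Write-Warning "AD lookup failed, leaving $ValueName unchanged: $_"
    return
}

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $flag -Force | Out-Null
```

          Machines held back this way stay on an older Java version, so the group membership is worth reviewing regularly; the value under HKLM can also be changed by any local administrator.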

          • Re: Selective Targeting of Patches
            Lawrence Garvin
            Is there a good way to be able to approve these patches but selectively miss this random group of machines.


            Yes, and I just posted a blog article in PatchZone yesterday that describes exactly how to do this.

            Using Multiple WSUS Target Groups