-
Title
How to filter persistent undesired patches from the patch deployment schedules by using smart labels -
Description
An example on how to use patch smart labels to exclude/block current and future patches from installing into the client devices.
Some reasons for this is if you want to exclude certain types of patches being installed due to unique devices such as servers.
Sometimes, given the subscription settings on the Patch module, some undesired patches might get downloaded and detected to be needed by the client machines, however the customer might not want to have this patch installed due to multiple reasons such as, the patch gets installed via windows updates, the patch conflicts with other patches or software already installed on the machine, the patch is too big and the network can’t handle it, etc.
When this is a onetime event the patch can be easily excluded by inactivating it on the patch catalog; nonetheless, there are patches that come out every month, have the same name, are added to the patch catalog as a new patch and hence depending on the subscription settings are found active but might be permanently undesired by the customer.
-
Resolution
For this example, the Windows Malicious Tool Removal (KB890830) will be excluded from the patch deployment schedule.
1. Find the package that needs to be excluded from deployment on the Patch Catalog. If the package is not in the catalog, The K1000 is unable to exclude it from the deploy schedule. It might be necessary to change the "show" option to Individual Patches in order to find the specific patch.
2. Once you have confirmed the patch to exist on the catalog, create a patch smart label. Navigate to Home | Label Management | Labels | Smart Labels | Choose Action | Create New Patch Smart Label.
On the filter first dropdown select ‘Package’, on the second dropdown select (n‘!=’ ot equal) and on the text box following the conditions dropdown, enter the name of the package you wish to exclude. In this example, KB890830. You can exclude as many patch packages as you wish, and add as many conditions as needed (perhaps you want this to be a deploy application patches label so you will need to specify this on the label conditions as well, otherwise, it will deploy all patches but the one excluded).
Test the label and save it.
3. Now apply this label to your patch deploy schedule and the particular patch will not get installed on targeted devices now and in the future (as long as the patch package name does not change).