Exception for a computer group on a patch

tarwaniv · March 14, 2019, 10:40am

HI All, Please assist me in creating an exception for a patch on a manual computer group called “ABCD”. I want a relevance to be added to a Adobe patch so that it should not be applied to Computer group “ABCD” (being the systems to be excluded from patch deployment for adobe).

Jeff · March 15, 2019, 12:29pm

You will need to make a copy of the Adobe fixlet and then you can modify the copy. One way to update it would be to add a condition for Group Membership - Is not member of - “ABCD” group.

JasonWalker · March 15, 2019, 12:51pm

@Jeff 's suggestion will certainly work, but I’d recommend instead creating a Baseline, with the baseline relevance excluding your group. Then you can add the Adobe fixlet(s) to the baseline and use the Baseline action for deployment.

That will make it easier to swap in a new Adobe fixlet later and still have it excluded from this group.

Even better would be to resolve whatever problem you are having with those computers, and remove Adobe entirely. Not sure whether you mean Flash or Reader or something else, but both Flash and Reader are very common attack vectors now and you put your platform at great risk by not keeping them up to date; and at a serious risk by having them installed at all.

Jeff · March 15, 2019, 1:22pm

I also like Jason’s idea for the baseline that you can update later.

Manish · March 17, 2019, 12:34am

Depend on your requirements.

If you have to exclude set of computer from specific fixlet then create custom copy and add the members ship relevance not contain Xyz computer group.
Creating baseline for the single task can create issue in long run - " Specific to environment"
If computer group need to be excluded from couple of fixlet,will recommend to create baseline and add the exclusion in baseline itself.

Regards,
Manish Singh

tarwaniv · March 17, 2019, 7:37am

Ok, I made a custom copy of the fixlet and added a relevance like mentioned below:-1:

(version of client >= “6.0.0.0”) AND (not (exists true whose (if true then (exists setting “__Group_0_XYZ” whose (value of it is “True”) of client) else false)))

But it went relevant to more servers as compared to servers mentioned in the XYZ group resulting in creating more servers to get exception. Should this require some modification?

Manish · March 17, 2019, 10:54am

Add those servers to Xyz group.

Regards,
Manish Singh

JasonWalker · March 17, 2019, 4:42pm

Did you add this as a new relevance clause, or replace something existing?

Do you have more computers subscribed to the site where you made the custom copy, than were subscribed to the original site?