We are a large MSP and have many customers with each of them having unique needs. We patch with baselines, not individual patches. We build relevance into the baselines to exclude systems that the patch or patches should not be deployed to.
This is controlled by a custom property. If that custom property “contains” a certain value, it will not be applicable to the baseline.
This also means we have a dozen EP (Exception patch) baselines that contain the patch that is being excluded from certain machines.
It is a slightly complicated process but it works extremely well. We also built in a failsafe: if someone uses the removal tool to uninstall BigFix, when it is reinstalled, it will no longer have that property set. So we set a backup key with the same value. If the agent is reinstalled, it will not match the value of the backup key, so the system is automatically placed in a computer group and locked. This keeps it from deploying the exception patch if someone uses the removal tool and then reinstalls the agent.
I have a PowerPoint presentation on this process. Unfortunately, I can’t share it because it contains proprietary information. If you want more information, let me know and I will see if I can put something together to explain it better.
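The decision logic described in this post, modeled as an added example (not the poster's code or BigFix relevance). The `Endpoint` fields, the `NO-PATCH-A` tag and the host names are hypothetical, and the backup key is assumed to live outside the agent so it survives removal.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Endpoint:
    name: str
    exclusion_property: Optional[str]  # custom property held by the agent; lost on reinstall
    backup_key: Optional[str]          # backup copy, assumed to survive agent removal

def baseline_applicable(ep: Endpoint, tag: str) -> bool:
    """'contains' match: the baseline is not applicable if the property contains the tag."""
    return tag not in (ep.exclusion_property or "")

def is_reinstalled(ep: Endpoint) -> bool:
    """A backup value that no longer matches the agent property means the property was lost."""
    return ep.backup_key is not None and ep.exclusion_property != ep.backup_key

def plan(ep: Endpoint, tag: str) -> str:
    # The mismatch check must come first: on a reinstalled agent the
    # exclusion property is gone, so the baseline alone would look applicable.
    if is_reinstalled(ep):
        return "lock"      # place in the locked computer group
    if baseline_applicable(ep, tag):
        return "deploy"
    return "skip"          # excluded from this baseline

# Constructed sample fleet (hypothetical hosts and values).
FLEET = [
    Endpoint("srv-normal", None, None),
    Endpoint("srv-excluded", "NO-PATCH-A", "NO-PATCH-A"),
    Endpoint("srv-reinstalled", None, "NO-PATCH-A"),
    Endpoint("srv-other-tag", "NO-PATCH-B", "NO-PATCH-B"),
]

def fleet_plan(tag: str) -> dict:
    return {ep.name: plan(ep, tag) for ep in FLEET}

if __name__ == "__main__":
    for host, action in fleet_plan("NO-PATCH-A").items():
        print(f"{host}: {action}")
```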