Locking ability for specific patches

(imported topic written by SystemAdmin)

Ben,

We have had several issues now where we have applied a patch and later had to either remove the patch and/or apply a Microsoft hotfix, and it sure would be nice to have the ability to lock machines from individual patches.

We occasionally have to go back and reapply patches as the relevant number begins to creep back up, but I know applying x patch to y machines will cause them to break again. This was easy to manage with one or two exceptions, but now there are at least 5 patches that we have had issues with. I now fear resending older patches because I may cause more issues than good.

Thanks,

Scott

(imported comment written by rad.ricka91)

Scott, would globally hiding the patches work for you?

R.

(imported comment written by SystemAdmin)

Hi Scott,

The best way I could think of to handle this would be to create a custom copy of these Fixlets and hide the original. In the custom copy you can add an additional relevance check that sees if a Client Setting (reg key) has been set to exclude this Fixlet from applying on the Computer. You would need a different client setting for each of the Fixlets.

This way the custom Fixlet won’t be relevant on these problem computers but you’ll still have the original Fixlet to reference computers that have the vulnerability. So the new Fixlet recognizes computers that can be remediated while the original Fixlet identifies computers that have the vulnerability.

Tyler
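
The approach described in the reply above, sketched as an added example that is not part of the original thread or of any shipped BigFix content. The setting name `PatchLock_EXAMPLE` and the value `1` are assumptions chosen for illustration; use a separate setting name for each Fixlet you copy.

```bigfix
// (1) Extra relevance clause for the custom copy of the Fixlet.
//     Add it as one more clause beside the original clauses, without the
//     comment lines. The copy is then relevant only on computers where
//     the lock setting is absent or is not "1".

not exists setting "PatchLock_EXAMPLE" whose (value of it = "1") of client

// (2) Action script for a task that locks a computer against this patch.
//     Run it on the machines the patch is known to break.

setting "PatchLock_EXAMPLE"="1" on "{parameter "action issue date" of action}" for client

// (3) Action script for a task that lifts the lock again, for example
//     once a hotfix has made the patch safe to apply.

setting "PatchLock_EXAMPLE"="0" on "{parameter "action issue date" of action}" for client

// (4) Relevance for an analysis property or automatic group that lists
//     locked computers. These machines still have the vulnerability and
//     still show as relevant to the hidden original Fixlet, so review
//     this list whenever a lock is added or removed.

exists setting "PatchLock_EXAMPLE" whose (value of it = "1") of client
```

Deploy only the custom copy when resending older patches; the original Fixlet then serves purely as the count of computers that remain exposed, locked or not.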