Microsoft Updates and Excluded systems

I’m working on a method of patching workstations and servers that avoids using the Lock feature of the computer settings (which is how we were excluding systems prior to this). I’ve created a “NoPatch” property, and have populated it with YES on all the systems that need to be excluded. However, when I try to create automated groups for this, I’m running into an issue. What I’m attempting to do is this (or something similar):

OS (contains) Win2008
NoPatch (does not contain) YES

and then set it so that both properties are included (using ALL instead of ANY). This should (according to my potentially flawed logic) create an Automated Group that populates all Windows 2008 servers except ones where the NoPatch property is populated with YES.

However, what I’m running into with this is that no systems show up at all. If I try to set the properties to ANY instead of ALL, I get the entire list of Win2008 servers - including the NoPatch ones with YES.

I have also attempted to change the YES to the number 1 and use “Does not equal” but that yields the same results.

So, at this point, I’m somewhat at a loss as to how to get this functioning correctly. I’m not understanding why the example above isn’t working.

The issue is the limitations of the “ALL” / “ANY”.

Use relevance directly instead.

Just define the criteria in Relevance the same way you would for a Fixlet/Task.

Also, you should always Opt-In to patching, not Opt-Out. What happens when a new server installs the client for the first time?

Okay, thanks - that actually verifies what I was thinking.

Now the issue becomes the relevance itself - I’ve been trying to figure out how to create a relevancy that actually scrutinizes the NoPatch property with little luck. I’ve tried

settings “NotPatch” != “YES”

but that comes back with a “settings is not defined” error

As for your question, in our environment sadly that’s not really viable for us - it’s much better to have all servers and workstations default to patching and have to be manually excluded. We’ve tried opting in in the past and we ended up with servers that didn’t get patched for years. So in regard to your specific question, in our environment a server / workstation with a new client would have nothing set in the NoPatch property and be patched until I manually changed it to YES to exclude it.

Try something like this …

(exists setting "NotPatch" whose (exists Value of it AND Value of it as lowercase != "yes") of client)

(Sorry, edited to add !=)

That worked great on its own… thank you so much. However, when I try to add that to an OS relevancy, I’m not getting the responses I was looking for. What I have is something like this:

(exists (operating system) whose (it as string as lowercase contains "Win7" as lowercase)) AND (exists setting "NoPatch" whose (exists Value of it AND Value of it as lowercase = "yes") of client)

But that isn’t working as expected - it seems as though both of these work independently, but aren’t working together (I’m sure it’s most likely due to a syntax issue I’m not seeing).

Try
(exists (operating system) whose (it as string as lowercase contains "Win7" as lowercase)) AND (exists setting "NoPatch" whose (exists Value of it AND Value of it as lowercase contains "yes") of client)

I’ve seen cases where a Setting value contains quote characters.

Hi Tim -

Thanks for your help on this!

I do however have an issue I’m seeing with this. In my environment we have a lot of systems that don’t check in regularly sometimes (usually due to bandwidth). As a result, what I have is a situation where the NoPatch property is populated by three potential entries:

YES - in the case where I’ve actually entered that
<not set> - in the case where the machine hasn’t had the property set
<not reported> - in the case where the machine hasn’t checked in to report that it’s not set

Just to be clear, the <not set> and <not reported> are, I realize, expected results.

What I’m seeing is that if I attempt to use the relevancy that you have provided (this in particular):

(exists setting "NotPatch" whose (exists Value of it AND Value of it as lowercase != "yes") of client)

I’m seeing only machines that are listed with <not reported> in the NoPatch field (all of which are inactive clients that haven’t checked in for some time). No other machines are showing up.

I did a test of this on my personal machine… after I removed the YES, the NoPatch property is now simply blank on my system. It will show up in this group as well… but again, no other system other than the <not reported> NoPatch property ones.

At this point I’m stumped - I thought this would be fairly easy and straightforward. :confused:

This is what you want:

not exists settings "NotPatch" whose( value of it as trimmed string as lowercase = "yes" ) of client

This will give you all windows machines that do not have NotPatch set to yes:

(windows of operating system) AND ( not exists settings "NotPatch" whose( value of it as trimmed string as lowercase = "yes" ) of client )
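To make the difference between the two relevance forms in this thread concrete, here is an added Python model (not BigFix relevance, and not code from anyone in the thread) of how each expression classifies a client whose NotPatch setting is YES, blank, never created, or wrapped in quotes; the client inventory is constructed.

```python
# Models of the relevance forms discussed above, applied to the setting
# states the original poster describes. Constructed example, not BigFix code.
# Simplification: a client setting either exists with a string value, or
# does not exist at all (None).
from typing import Callable, Optional

def exists_value_not_yes(value: Optional[str]) -> bool:
    """Models: exists setting "NotPatch" whose (exists Value of it AND
    Value of it as lowercase != "yes") of client.
    The outer 'exists' is false when the setting was never created, so a
    fresh client drops out of the group; stray whitespace also defeats it."""
    if value is None:            # setting never created on this client
        return False
    return value.lower() != "yes"

def not_exists_value_yes(value: Optional[str]) -> bool:
    """Models: not exists settings "NotPatch" whose (value of it as trimmed
    string as lowercase = "yes") of client.
    True for never-set, blank and any other value; false only for 'yes'."""
    if value is None:
        return True
    return value.strip().lower() != "yes"

def not_exists_value_contains_yes(value: Optional[str]) -> bool:
    """Same shape as above but with 'contains' instead of '=', which also
    catches a value stored with quote characters around it."""
    if value is None:
        return True
    return "yes" not in value.lower()

# Constructed inventory: (hostname, raw setting value, or None if never set)
SAMPLE_CLIENTS = [
    ("srv-01", "YES"),      # explicitly excluded
    ("srv-02", " yes "),    # excluded, but value has stray whitespace
    ("srv-03", ""),         # setting cleared; shows blank in the console
    ("srv-04", None),       # fresh client, setting never created
    ("srv-05", "no"),       # should be patched
    ("srv-06", '"YES"'),    # excluded, but value carries quote characters
]

def group_members(form: Callable[[Optional[str]], bool]) -> list:
    """Hosts that the given relevance form would put into the patch group."""
    return [host for host, val in SAMPLE_CLIENTS if form(val)]
```

Only the third form leaves exactly srv-03, srv-04 and srv-05 in the patch group; the first loses the never-set client, and both of the first two admit values that were meant to exclude a host.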

Awesome - that looks like it did the trick… all the groups are working like I initially expected them to. Thank you very much JGstew and Tim!
