Stop BigFix from Patching Exchange

(imported topic written by rich872)

We recently implemented BigFix to patch all of our servers with Windows Server security updates. The problem is it is also patching our Exchange 2007 application with updates. It installed Update Rollup 11 on my Exchange servers. How can we stop BigFix from patching Exchange? Thanks.

(imported comment written by martinc)

You have not provided that much info on your patching process, but I think there are 2 parts to this that we can break it down into:

  1. Do you want to stop patching everything on the Exchange servers?

  2. Do you want to stop applying Exchange patches, but keep doing the OS patches on the Exchange servers?

If you are trying to do #1, then when you are targeting the action, just exclude the Exchange servers. If you are using groups, then filter the Exchange servers out of the group.

If you are trying to do #2, then just remove the Exchange fixlets from your baseline.


(imported comment written by liuhoting)

You can also hide content by right-clicking on it in the console and hitting globally hide or local hide.

(imported comment written by rich872)

Yes, it's #2 that we want to accomplish. So removing the Exchange fixlets from the baseline will stop any future Exchange updates from being installed?

(imported comment written by martinc)

Well… :)

This stops your baseline actions from applying them, but it is still possible to select the fixlet and deploy it to the system. This really goes back to how you design your processes. You can create the baselines and put them in a custom site and only give access to the custom site to the people who would submit the action. This way they could not see the fixlets in the Patches for Windows site. You could hide the fixlets as liuhoting mentioned, but if everyone is MO, then this will not work. You could also restrict access to the Exchange servers to a select few so that only they can deploy patches to those systems.

I think that there are quite a few ways to handle this situation, but it really comes down to your internal processes. Since I do not know things like who patches, who has access to the console, infrastructure layout, AD layout and a few other things, it is difficult to come up with a solution.