Decline specific update for specific machine

ModusLink asked

I manage Windows updates for 1300 machines with SCCM 2007 R2. Now I have two machines that need to be prevented from installing a specific Windows update, as it interferes with a software package installed only on those two machines. The recommendation to uninstall came from the vendor.

As it's a security update I don't want to decline it for all. Also, creating a separate update package with all updates except the one feels like the wrong approach, as the current update deployment is assigned to all machines; it would demand redesigning the deployment and creating new collections for all.

Does anyone have an idea how to prevent this update from installing? If I could somehow fake the software inventory on the client into thinking this update has been installed, that could be a solution, but I have no clue how to approach that.

Just create a new organizational unit in Active Directory and have a completely different GPO for Windows Updates pushed to the OU those computers are in.


I use SCCM for update deployment; there is no GPO involved like with WSUS.
I think you have to create your own Collection and Update Deployment for those Clients and exclude them from the rest! :(
GPO idea sounds good, but you could create an enforced rule for just those machines. It will make it easier than moving the machines completely.


Thank you for the answers, but I'm afraid I can't use that as a solution. The whole point is that in a large environment I don't like to have too many "specials", meaning PCs with settings different from the generic ones.

When a GPO is used for update settings it overrules the SCCM SUP localization and would need a WSUS target group with settings just for these PCs. If it were a larger group I would create a special SCCM collection and attach a custom deployment where this particular update was removed from the update list, but with only two PCs needing this decline on one specific patch, it seems overkill. Next to that, I must be careful with each new update release, as these two PCs will keep reporting this patch as "required, not installed".

If there were a way to prevent this at the client side, then I would not need to create all kinds of specials, which can lead to a management nightmare.
As a side note, you also have to be careful of rollup patches, which might combine this update along with others.

What I've done on other computers that have had patches pushed to them, after realising they are trouble, is to open up the update client from the taskbar and select to block the patch.

Obviously this only worked because I had patches set to install only on restart/shut down.

I'm sorry I'm not giving exact instructions, but basically on the computer you view the pending patches to be installed and you can choose to remove/block/hide the offending patch.
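
The client-side "hide the offending patch" step described in the reply above, scripted against the Windows Update Agent COM API; this is an added example, not code from the thread, the KB number is a placeholder, and whether an SCCM deployment honours the hidden flag is not settled in this thread, so check it on a test machine first.

```powershell
# Added example: hide one specific pending update on this client only.
# Run in an elevated PowerShell session; setting IsHidden needs admin rights.
# The KB article ID is a placeholder (assumption); replace it with the real one.
param(
    [string]$KB = '1234567'
)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Only updates that are not yet installed and not already hidden are candidates.
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')

$hidden = 0
foreach ($update in $result.Updates) {
    # KBArticleIDs is a collection; an update can carry more than one KB number.
    if (@($update.KBArticleIDs) -contains $KB) {
        $update.IsHidden = $true
        $hidden++
        Write-Output ("Hidden: {0}" -f $update.Title)
    }
}

if ($hidden -eq 0) {
    # Nothing matched: either the update is already installed/hidden, or a later
    # rollup that bundles this fix (with a different KB number) is what is pending.
    Write-Output "KB$KB not found among pending updates; nothing changed."
}
```

Searching with `IsHidden=1` instead lists what has already been hidden on the machine, which is useful when auditing these "specials" later.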
Easiest method is to build a separate Update Deployment for those two Clients.


Thanks merowinger, I guess that's the only valid option.


The solution confirmed that there is no other option than what I tried to prevent from happening. As no new insight was posted, I've graded it as "good".