Video Screencast Help

Exceptions for Multi-Bulletin Policy

Created: 29 Aug 2012 | 5 comments

For Patch Management Solution 7.1, I included several Microsoft updates in a single policy but may have to exclude some PCs for a particular bulletin due to an application compatibility issue.  Is there a way to remove a bulletin from a policy that contains multiple bulletins?  Also, I don't see a way to apply a target to just the affected bulletin within the policy.  Guess this is one of the negatives of combining bulletins in a single policy where I never had this issue with Altiris 6 since each policy only contained a single bulletin.

Comments 5 CommentsJump to latest comment

Roman Vassiljev's picture

Hi Clint,

When policy is created, all included bulletins will have same target  - common target defined in policy.
If you want to exclude some machine from policy, you need to modify target for this policy, but in this case bulletins included to this policy will not be installed to excluded machine. It is not possible to create own target for each update within the policy. You need to create separate policy for this purpose.

If you want to exclude some bulletin or update from created policy, you can do it by disabling updates in Advanced policy setting. Disabled updates will not be installed on target computers.

Best regards,
Roman  

Clint's picture

Perhaps it's easier to just delete the policy, create a new one with all the previous bulletins except the one with the compatibility issue, then create a second new policy with just the bulletin that has the modified target?  Would doing this have any side effects on the clients (i.e. bulletins reinstalling)?

Clint

Roman Vassiljev's picture

Hi Clint,

I agree that it is easier to delete old policy and create a new one. This should not cause issues like updates reinstalling.

If any update from old policy has been already installed on client it should be marked as Installed and should not be applicable to client anymore even new policy is created.
If update from old policy is applicable to client and has not been installed yet, it should disappear from client as soon as old policy is deleted. After new policy is created, this update will try to be installed within new created policy(in case if it is included to created policy)

Thanks,
Roman

Clint's picture

If I want to disable a multi-bulletin software update policy in order to create a new one without a particular bulletin, is there a best practice for how long to wait before deleting the old policy?  I've been told I can create and enable the new policy right away but looking for general wait times for the deletion.

Heard weird things could occur if you don't wait long enough for the clients to realize the old policy has been disabled on the server.  It'd be nice if the devs had built a check into the SU agent which automatically deletes a policy on the client if it doesn't find it on the server although sounds like something like this isn't in place.

Clint

Roman Vassiljev's picture

Hi Clint,

Basically client will realize that old policy has been disabled on notification server as soon as configuration is updated on agent. By default agent configuration is updated every 1 hour.

I don't think that weird things may occur if you don't wait for the clients to realize the old policy has been disabled, because new created policy is also received by client during configuration update - in case if you delete or disable one SWU policy on NS and create another at same time, old SWU policy will be disabled on clients with the next configuration update and new created policy will appear on targeted clients also with the next configuration update as well.

Please note that in order to receive new SWU policy client machine should appear in policy target filter. Target filters for SWU policies are updating according to specified Patch Filter Update Interval in Windows Patch Remediation Settings.

Thanks,
Roman