This post is part of an ongoing series about using SCUP to publish 3rd party updates in MEMCM. Previous posts on SCUP and 3rd party updates:
- Using System Center Update Publisher to Create 3rd Party Updates: Intro
- Using SCUP to Create 3rd Party Updates: Publish an Update
- Using SCUP to Create 3rd Party Updates: Publish a Scripted Update
With your workforce likely working from home under COVID-19 lockdown, it’s more important than ever to ensure that your patching is up-to-date, to include 3rd party updates. It’s not enough anymore to just ensure that Windows is patched.
The blog was put together using MEMCM 2002 and SCUP 6.0.394.0, available here: https://www.microsoft.com/en-us/download/details.aspx?id=55543.
This post will focus on a method to exclude certain 3rd party updates from installing on a computer. This method uses a simple registry key per app to block installation. This method will make deploying updates much easier, as you won’t need dedicated collections or separate software update groups. I’m going to use a registry key, but a file on the system could also work.
This method is really for excluding all updates for a particular application, not just one version of an application. An example of a use case for this is a computer that must run a certain version of Mozilla Firefox for an application or process to run correctly.
There are two steps involved in this process – first, we need to create an application in MEMCM that deploys a registry value that tells an application to be excluded. This registry value is made-up and is only used for this purpose. Second, we need to add an applicability rule to your software update in SCUP that uses this registry value.
MEMCM Application & Collection
We’re going to use an application in MEMCM to add a registry value to the computer. You can then create a required deployment to a collection that will add the registry value to the computer.
My organization creates a registry key during the imaging process where we store information about the task sequence. This registry key is located at HKEY_LOCAL_MACHINE\SOFTWARE\ContosoCorp. I’m going to re-use this key for this purpose. If your organization does not do this, then I would suggest creating a new key for the purposes of this blog post. I created a sub-key called SoftwareUpdates to store these exclusion values.
- Create a new application in MEMCM. I would suggest calling it Exclude Mozilla Firefox Updates.
- Go through the wizard as you normally would until you run the section about creating a deployment type.
- When you reach the Content screen, do not select a Content location.
- In the Installation program box, type (replacing the path with your correct path):
reg add HKLM\SOFTWARE\ContosoCorp\SoftwareUpdates /t REG_SZ /v ExcludeMozillaFirefox /f
- In the Uninstall program box, type (replacing the path with your correct path):
reg delete HKLM\SOFTWARE\ContosoCorp\SoftwareUpdates /v ExcludeMozillaFirefox /f
- Click Next.
- Add the Detection Method.
- Click Add Clause.
- Change Setting Type to Registry.
- Select HKEY_LOCAL_MACHINE as the Hive.
- Type SOFTWARE\ContosoCorp\SoftwareUpdates into the Key box.
- Type ExcludeMozillaFirefox into the Value box.
- Select String as the Data Type.
- Click OK.
- Configure the User Experience.
- For Install behavior, select Install for system.
- For Logon requirement, select Whether or not a user is logged on.
- For Installation Program visibility, select Hidden.
- Proceed through the rest of the Create Application Wizard.
Now that you have your application, you can create the collection to deploy it too. I would recommend creating a collection just for this purpose. Once you have a collection, you can create a required deployment, so that anytime a computer is added to the collection, this application automatically runs.
SCUP Install Rule
Now that we have the application deployment configured, we need to add the same registry key to the update in SCUP as an applicability rule.
- Open SCUP and edit the Mozilla Firefox update.
- In the Edit Update wizard, go to the Applicability workspace.
- Click the Add button.
- Create the Applicability rule.
- Change the Rule type to Registry.
- Type SOFTWARE\ContosoCorp\SoftwareUpdates into the Subkey box.
- Type ExcludeMozillaFirefox into the Value name box.
- Change Data type to REG_SZ.
- Click OK.
- Click the exclamation point button (!) to change this rule to NOT.
- Click Next and complete the Edit Update wizard.
- Publish the update.
Now this update will not be applicable to any computer with that registry key.
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.