
Hi Team,

We have a request to install only patches that are related to Security, Critical and Defender Updates and we have to exclude Updates like Feature Updates, Upgrades, Tools Updates for Windows OS.

Can you please recommend which Policy and how the settings should be configured if we need to exclude Feature Updates, Upgrades, Tools Updates and patch only Security Update, critical and Defender Updates for Windows OS?

Also, let me know if there are certain KBs that are specifically used to install the excluded Updates?

Thanks,

Shoaib

Hi @MD Shoaib Pasha ,

I hit on this scenario in your previous post, but happy to explain in further detail here!

For managing Security Definitions, I like to use a Patch Only Policy and scope specifically just the packages that come down as Security related.  For MacOS and Windows these packages are specifically defined as seen below.


Policy Name: Windows / MacOS - Security Definitions and Servicing Stack
Policy Type: Patch Only
Scope: Handles Windows SSU updates and Security Definitions. Package Targeting should scope Everything KB915597, KB2267602, Security Intelligence Update, Servicing Stack, XProtectPlistConfigData, XProtectPayloads, MRTConfigData

Schedule: Aggressive. A few days a week, or right before your primary first party policy

Install Notifications and Restarts: Both are disabled.

By scoping just the security packages you need via the Patch Only policy you can ensure that no other updates (like Feature updates) go out when scheduled.
I hope this helps. Have a great day!
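The reply above scopes the Patch Only policy to the definition and Servicing Stack packages so that Feature Updates and Upgrades never go out. The script below is an added example, not part of the reply and not Automox's own tooling: it runs on a Windows endpoint after the policy has executed and checks, from the Windows Update Agent history and the Defender status, that only the allowed package classes were installed. The KB numbers and package names come from the reply; the title patterns used to classify entries, the 30-day window, and the function names are my assumptions.

```powershell
# Added verification example (not from the original post or from Automox).
# Assumes the Windows Update Agent COM API (Microsoft.Update.Session) and the
# built-in Defender module (Get-MpComputerStatus) are present, as on any
# supported Windows build, and that update titles follow Microsoft's usual naming.

# Packages the reply scopes into the Patch Only policy (KBs/names from the reply).
$AllowedPatterns = @(
    'KB915597',
    'KB2267602',
    'Security Intelligence Update',
    'Servicing Stack Update'
)

# Classes the original request wants kept out. Title prefixes are an assumption
# based on how Microsoft names these packages (e.g. "Feature update to Windows 10,
# version 22H2", "Upgrade to Windows 11").
$ExcludedPatterns = @(
    'Feature update',
    'Upgrade to Windows'
)

# Numeric ResultCode values of IUpdateHistoryEntry mapped to readable names.
$ResultNames = @{ 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

function Get-UpdateHistoryByClass {
    param([int]$DaysBack = 30)   # window is an assumption; match it to your policy cadence

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }

    $since = (Get-Date).AddDays(-$DaysBack)

    # Operation 1 = installation (2 would be uninstallation); keep only recent installs.
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 -and $_.Date -ge $since } |
        ForEach-Object {
            $title = $_.Title          # capture before nested Where-Object rebinds $_
            $class = 'Other'
            if ($AllowedPatterns | Where-Object { $title -match [regex]::Escape($_) }) {
                $class = 'Allowed'
            }
            elseif ($ExcludedPatterns | Where-Object { $title -match [regex]::Escape($_) }) {
                $class = 'Excluded'
            }

            $result = $ResultNames[[int]$_.ResultCode]
            if (-not $result) { $result = "Code$($_.ResultCode)" }

            [pscustomobject]@{
                Date   = $_.Date
                Class  = $class
                Result = $result
                Title  = $title
            }
        }
}

function Get-DefenderSignatureStatus {
    # Confirms the Security Intelligence Update (KB2267602) actually landed,
    # independently of what the update history says.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        SignatureVersion = $s.AntivirusSignatureVersion
        LastUpdated      = $s.AntivirusSignatureLastUpdated
        AgeDays          = $s.AntivirusSignatureAge
    }
}

# Usage: list what the policy installed, then flag anything outside its scope.
$history = Get-UpdateHistoryByClass -DaysBack 30
$history | Sort-Object Date -Descending | Format-Table Date, Class, Result, Title -AutoSize

$leaked = @($history | Where-Object { $_.Class -eq 'Excluded' })
if ($leaked.Count -gt 0) {
    Write-Warning "Policy scope is too wide: $($leaked.Count) Feature Update/Upgrade package(s) were installed."
}

$failed = @($history | Where-Object { $_.Class -eq 'Allowed' -and $_.Result -ne 'Succeeded' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) in-scope package(s) did not install cleanly; check the policy's device results."
}

Get-DefenderSignatureStatus
```

Run it in an elevated PowerShell session on a sample of managed devices after the "Security Definitions and Servicing Stack" policy has executed; an "Excluded" row means the package targeting list is broader than intended, and an old Defender signature date means the definition packages are scoped correctly but are not actually being applied.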


Thanks for the information.

