Firstly what version of LDMS are you running? Are you using autofix to repair patches?
In the agent you do get to set when a security scan will take place on the client. Most people are happy for scans to take place as this won't trigger any patches unless you have enabled autofix on the patches themselves.
The easiest way to make sure these 20 PCs don't get patches is to create an agent setting that has Enable autofix unchecked. The pic attached is from v9.6
I read somewhere, and I wish I could find it, that LANDesk says that Autofix isn't best practice, or typically isn't best practice. We are a hospital system and reboots are not tolerated. (Does autofix adhere to the maintenance window?) Here is our current strategy.
- We typically have a server patch and reboot night and have attached along with that a PC patch and reboot night as well. Early in the day I stage all of the PCs with the patches. Overnight, I force patching and a reboot within a maintenance (time) window (using a different agent setting within the job).
- Our standard agent setting is to only patch if no one is logged on. Autofix is enabled and we only have a handful of patches that are set to Autofix. (how many do you have?)
- Between the monthly pushes, I do pushes that do not ignore the maintenance window, just to try and keep current. We're really still within a cleanup phase in transitioning from WSUS.
So, because I manually push these tasks out, I inevitably push it to everything because I'm not going to 'pick the vegetables out of the soup'...
I guess I could have it only scan for blocked applications and then it would never see the MS patches...
That discussion is from 2008. I do agree to a point with what they are saying but we have much better functionality now like maintenance windows to control how and when Autofix completes tasks.
Many people I deal with don't have time to manually deploy patches so use autofix to take care of those patches they feel confident in approving.
You are correct that turning the feature off doesn't really exist.
You can stop the scheduled scan from ever running but that does not stop a machine receiving a patching job.
You could allow it to scan but to run against a custom group that contains nothing. Again this won't override any direct jobs.
You could set a very small maintenance window but this can be overridden.
Probably the best thing would be to put these machines into their own scope so that whoever looks after patching would select the scope that contains everything except these machines. The admin 'could' still patch these machines but they would have to specifically choose the wrong scopes.
Also, to clarify regarding autofix. In the past autofix was very dangerous indeed. Today there are a great many more safeguards. I am a huge advocate for autofix used correctly.
In respect of anyone who says "reboots are not tolerated" this is a huge generalisation. Patching, especially in a Microsoft environment, requires reboots in order for patches to be fully effective. So if reboots cannot be allowed ever then management is effectively saying that they will not allow patching. If patching is done without reboots then you run a pretty significant risk of creating an unstable environment since some files are updated while others aren't.
In most cases "reboots are not tolerated" actually means "reboots are not tolerated unless they happen at the correct time under the correct conditions". This is where the right settings for your agent, the correct maintenance window configuration, and accurate scoping come into effect. The only way to damage your environment is to have a badly designed agent/agent settings and/or a poorly trained administrator.
Autofix will work perfectly well if the environment is set up well, otherwise it will be a complete disaster.
MarXtar Ltd/MarXtar Corporation
LANDESK One Development Partner
The One-Stop Shop for LANDESK Enhancements
You are correct on the tolerance. Seemingly random reboots are not tolerated or tolerated well.
So how would you suggest creating a scope that does not contain any of the unmanaged devices?
One thing I would add here is that there is a separate "Reboot Settings" section that contains the acceptable hours within which to reboot. Here is some further information on it:
An easy way is to create a query that does not include the 20 devices in question. Then you can right click on scopes in the network view, and select "New scope from query". Select your query and hit OK. Now you have a scope based on your query, you can go into User management in the console and make sure your teams or users do not have access to the scope. If they have access to "all devices" they will still be able to see them.
My fix was to create a registry value and then add that to custom data. I have a scope for all PCs without "No Patch".
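As an added example that is not from this thread or from LANDESK itself, here is one way to stamp the "No Patch" registry marker the post above describes onto a list of PCs and read it back, so the scope query can exclude them. The key path, value name and the host list are assumed placeholders; the same registry item still has to be configured as a custom data item in the inventory scanner for it to show up in the inventory and be usable in a query.

```powershell
# Placeholder key/value: replace with the path you register as a custom data item.
$MarkerKey  = 'HKLM:\SOFTWARE\YourOrg\LANDESKCustomData'
$MarkerName = 'NoPatch'

function Set-NoPatchMarker {
    # Creates (or removes, with -Remove) the marker on the local machine.
    param([switch]$Remove)
    if ($Remove) {
        if (Test-Path $MarkerKey) {
            Remove-ItemProperty -Path $MarkerKey -Name $MarkerName -ErrorAction SilentlyContinue
        }
        return
    }
    if (-not (Test-Path $MarkerKey)) {
        New-Item -Path $MarkerKey -Force | Out-Null
    }
    New-ItemProperty -Path $MarkerKey -Name $MarkerName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Get-NoPatchMarker {
    # Returns $true when the marker is present and set to 1, otherwise $false.
    $item = Get-ItemProperty -Path $MarkerKey -Name $MarkerName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$MarkerName -eq 1)
}

# Constructed host list: the 20 devices that must never receive patches.
$NoPatchHosts = @('PC-EXCLUDE-01', 'PC-EXCLUDE-02')   # placeholder names

foreach ($h in $NoPatchHosts) {
    # Requires PowerShell remoting to be enabled on the targets.
    $ok = Invoke-Command -ComputerName $h -ScriptBlock {
        param($k, $n)
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        New-ItemProperty -Path $k -Name $n -Value 1 -PropertyType DWord -Force | Out-Null
        (Get-ItemProperty -Path $k -Name $n).$n -eq 1
    } -ArgumentList $MarkerKey, $MarkerName
    "{0}: marker set = {1}" -f $h, $ok
}
```

After the next inventory scan the value appears as custom data, and the scope query becomes "all PCs where NoPatch is not 1", which is what keeps a blanket push from reaching them.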