Wednesday, October 12, 2016

Deploying Security Only Updates for SCCM 2012 and Excluding Rollups



Excluding Windows Rollup Updates from SCCM Software Updates


Microsoft’s new servicing model introduces a new style of updates starting 10/11/2016: a security-only update that contains all security fixes in a single update, and a security rollup update containing this month’s fixes plus fixes from last month. Microsoft plans to reach back and add more of the past updates with each rollup update, going all the way back to Windows 7 SP1.

A great explanation by Michael Niehaus can be found here: More on Windows 7 and Windows 8.1 servicing changes.

Organizations that use WSUS can enable “express installation files” to make sure PCs download only the pieces they need from each rollup update, keeping download size to a minimum. Those that use SCCM 2012/ConfigMgr 2012 are not so lucky: it has no support for this feature, so the whole rollup has to be downloaded.
I chose to go ahead with security-only updates to avoid this issue. This involved excluding two types of updates: .NET Security and Quality Rollup, and Security Monthly Quality Rollup.
I ran into a problem trying to exclude both types of updates in the All Software Updates section of the SCCM console.
Excluding one string, “and Quality”, works fine, as you see below: the .NET Rollup is taken out.

Trying to exclude “Monthly Quality” as well breaks the exclusion entirely. Numerous variations did not succeed.
Fortunately, the ADR property filters offer another option: exclude multiple strings from Title with just the minus sign in front.
Here is the wanted result: security-only updates for Windows 7 and .NET, and no rollups.
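
To preview what a set of minus-prefixed Title strings would leave in scope before saving them in the ADR, the sketch below applies them to a list of update titles. It is an added example, not part of the original post: `Select-UpdateTitle` is a hypothetical helper, the titles and KB numbers are constructed placeholders, and it assumes an exclusion drops any title that contains the string (case-insensitive).

```powershell
# Hypothetical helper: applies ADR-style Title exclusions to a list of titles.
# Assumption: a term with a leading minus sign excludes every update whose
# title contains the rest of the term (case-insensitive substring match).
function Select-UpdateTitle {
    param(
        [Parameter(Mandatory)] [string[]] $Title,
        [Parameter(Mandatory)] [string[]] $Filter
    )
    # Keep only exclusion terms, strip the minus sign, ignore a bare "-".
    $exclude = @($Filter |
        Where-Object { $_.StartsWith('-') -and $_.Length -gt 1 } |
        ForEach-Object { $_.Substring(1) })

    foreach ($t in $Title) {
        # First exclusion term found in this title, or $null if none matches.
        $hit = $exclude |
            Where-Object { $t.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
            Select-Object -First 1
        [pscustomobject]@{
            Deploy     = -not $hit
            ExcludedBy = $hit
            Title      = $t
        }
    }
}

# Constructed sample titles; the KB numbers are placeholders.
$titles = @(
    'October, 2016 Security Only Quality Update for Windows 7 for x64-based Systems (KB0000001)'
    'October, 2016 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB0000002)'
    'October, 2016 Security Only Update for .NET Framework on Windows 7 (KB0000003)'
    'October, 2016 Security and Quality Rollup for .NET Framework on Windows 7 (KB0000004)'
)

# The two exclusion strings from the post, written with the minus sign in front.
$filter = '-and Quality', '-Monthly Quality'

$result = Select-UpdateTitle -Title $titles -Filter $filter
$result | Format-Table -AutoSize -Wrap

# Check: nothing still marked for deployment should be a rollup.
$leaks = $result | Where-Object { $_.Deploy -and $_.Title -match 'Rollup' }
if ($leaks) { Write-Warning "Rollup still selected: $($leaks.Title -join '; ')" }
```

The security-only Windows title also contains the word "Quality", so a bare "-Quality" exclusion would drop it together with the rollups; the two longer strings avoid that.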