Deploying Security Only Updates for SCCM 2012 and Excluding Rollups

Excluding Windows Rollup Updates from SCCM Software Updates

Microsoft’s new servicing model pushes a new style of updates starting 10/11/2016. A security only update that contains all security fixes in a single update and Security rollup update containing this month’s fixes plus fixes from last month. The plan at MS is to retrospectively, reach back and add more of the past updates with each rollup update going back all the way to Windows 7 SP1.

A great explanation by Michael Niehaus can be found here. More on Windows 7 and Windows 8.1 servicing changes

Organizations that use WSUS can enable “express installation files” to make sure PCs only download the pieces they need from each Rollup update, thus keeping download size to a minimum. Those that use SCCM 2012/ConfigMGR 2012 are not so lucky as it has no support for such feature and the whole rollup will have to be downloaded.

I chose to go ahead with security only updates to avoid this issue. This involed excluding two types of updates: .NET Security and Quality Rollup, and Security Monthy Quality Rollup.

I ran into a problem trying to exclude both types of updates in the All software updates section of SCCM console.

Excluding one string “and Quality” works fine as you see below, .NET Rollup is taken out.

Trying to exclude Monthly Quality as well breaks the exclusion entirely. Numerous variations did not succeed.

Fortunately the ADR Property filters offer another option, exclude multiple strings from Title with just the minus sign in front.

Here is the wanted result, Security only updates for Windows 7 and .NET and NO Rollups.