Using SCUP to Create 3rd Party Updates: Exclude Updates from Computers

This post is part of an ongoing series about using SCUP to publish 3rd party updates in MEMCM. Previous posts on SCUP and 3rd party updates:

With your workforce likely working from home under COVID-19 lockdown, it’s more important than ever to ensure that your patching is up-to-date, including 3rd party updates. It’s no longer enough to just ensure that Windows is patched.

The blog was put together using MEMCM 2002 and SCUP 6.0.394.0, available here:

This post will focus on a method to exclude certain 3rd party updates from installing on a computer. This method uses a simple registry key per app to block installation. This method will make deploying updates much easier, as you won’t need dedicated collections or separate software update groups. I’m going to use a registry key, but a file on the system could also work.

This method is really for excluding all updates for a particular application, not just one version of an application. An example of a use case for this is a computer that must run a certain version of Mozilla Firefox for an application or process to run correctly.

There are two steps involved in this process. First, we need to create an application in MEMCM that deploys a registry value marking an application's updates as excluded. This registry value is made-up and is only used for this purpose. Second, we need to add an applicability rule to your software update in SCUP that uses this registry value.

MEMCM Application & Collection

We’re going to use an application in MEMCM to add a registry value to the computer. You can then create a required deployment to a collection that will add the registry value to the computer.

My organization creates a registry key during the imaging process where we store information about the task sequence. This registry key is located at HKEY_LOCAL_MACHINE\SOFTWARE\ContosoCorp. I’m going to re-use this key for this purpose. If your organization does not do this, then I would suggest creating a new key for the purposes of this blog post. I created a sub-key called SoftwareUpdates to store these exclusion values.

  1. Create a new application in MEMCM. I would suggest calling it Exclude Mozilla Firefox Updates.
  2. Go through the wizard as you normally would until you reach the section about creating a deployment type.
  3. When you reach the Content screen, do not select a Content location.
  4. In the Installation program box, type (replacing the path with your correct path):

       reg add HKLM\SOFTWARE\ContosoCorp\SoftwareUpdates /t REG_SZ /v ExcludeMozillaFirefox /f

  5. In the Uninstall program box, type (replacing the path with your correct path):

       reg delete HKLM\SOFTWARE\ContosoCorp\SoftwareUpdates /v ExcludeMozillaFirefox /f

  6. Click Next.
  7. Add the Detection Method.
    1. Click Add Clause.
    2. Change Setting Type to Registry.
    3. Select HKEY_LOCAL_MACHINE as the Hive.
    4. Type SOFTWARE\ContosoCorp\SoftwareUpdates into the Key box.
    5. Type ExcludeMozillaFirefox into the Value box.
    6. Select String as the Data Type.
  8. Click OK.
  9. Configure the User Experience.
    1. For Install behavior, select Install for system.
    2. For Logon requirement, select Whether or not a user is logged on.
    3. For Installation Program visibility, select Hidden.
  10. Proceed through the rest of the Create Application Wizard.

Now that you have your application, you can create the collection to deploy it to. I would recommend creating a collection just for this purpose. Once you have a collection, you can create a required deployment, so that anytime a computer is added to the collection, this application automatically runs.

SCUP Install Rule

Now that we have the application deployment configured, we need to add the same registry value to the update in SCUP as an applicability rule.

  1. Open SCUP and edit the Mozilla Firefox update.
  2. In the Edit Update wizard, go to the Applicability workspace.
  3. Click the Add button.
  4. Create the Applicability rule.
    1. Change the Rule type to Registry.
    2. Type SOFTWARE\ContosoCorp\SoftwareUpdates into the Subkey box.
    3. Type ExcludeMozillaFirefox into the Value name box.
    4. Change Data type to REG_SZ.
  5. Click OK.
  6. Click the exclamation point button (!) to change this rule to NOT.
  7. Click Next and complete the Edit Update wizard.
  8. Publish the update.

Now this update will not be applicable to any computer with that registry value.
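Because the marker makes the update simply not applicable, it is worth auditing which computers carry one and who is able to write to the key. The script below is an added example, not part of the original post: it uses the post's sample key path, and the function names and the "Exclude*" name filter are assumptions.

```powershell
# Added example (not from the original post). The key path is the post's sample;
# the function names and the "Exclude*" name filter are assumptions.
$KeyPath = 'HKLM:\SOFTWARE\ContosoCorp\SoftwareUpdates'

function Get-UpdateExclusion {
    param([string]$Path = $KeyPath)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in ($key.GetValueNames() | Where-Object { $_ -like 'Exclude*' })) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Marker   = $name
            # The detection method and SCUP rule in the post both expect String (REG_SZ).
            Kind     = $key.GetValueKind($name)
        }
    }
}

function Get-ExclusionKeyWriter {
    param([string]$Path = $KeyPath)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # Well-known SIDs expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
    $expected = 'S-1-5-18', 'S-1-5-32-544',
                'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    # Rights that allow creating or changing a marker, or rewriting the ACL.
    $write = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries (e.g. CREATOR OWNER) do not apply to this key itself.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$rule.RegistryRights -band $write) -eq 0) { continue }
        if ($expected -contains $rule.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Sid    = $rule.IdentityReference.Value
            Rights = $rule.RegistryRights
        }
    }
}

Get-UpdateExclusion    | Format-Table -AutoSize
Get-ExclusionKeyWriter | Format-Table -AutoSize
```

An empty result from Get-ExclusionKeyWriter means only SYSTEM, Administrators and TrustedInstaller can create or change the markers on that computer.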

Happy Updating!

