    Microsoft Windows Patches -- Whitelist or Blacklist?

      We use the Configuration Manager console to push Windows patches. Nothing too surprising there, I would assume. However, what we are finding is that since the Shavlik XML file contains scads of other patches, every month we have to re-do our patch analysis a few times for some groups of servers to update our "exclude" list. (We only want the Windows stuff, and thus have to filter out Office, Adobe, Firefox, SQL Server, etc.)

      This is a bit cumbersome, especially when running PA on groups of a couple hundred servers just to eliminate one or two additional patches. We are considering the idea of switching to "whitelist" patch analysis across the board -- in other words, every month just specifically add only the Q-numbers of the security updates from Microsoft.

      Does anyone have any preference or recommendation for doing it one way or the other? Would there be a down side to doing an "include only" patch list instead of defaulting to everything and filtering out what we don't want? Is there an easy way to see the total list of patches included in the XML file so we can make our whitelist?

      Or is it just six of one and a half-dozen of the other, and we're just being ridiculously over-analytical? :)

      Thanks for any comments or suggestions.
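As an added example, not code from the original post and not Shavlik's or Configuration Manager's own tooling, the PowerShell below puts the two approaches side by side on a constructed sample of one month's patch feed. The feed's field names (Id, Product, Category), the Q-numbers and the product names are all assumptions standing in for the real XML, whose schema is not shown in the post. The point it makes: an include-only list silently skips any Windows security update that appeared since the list was written, while an exclude list by product pulls in anything whose product family nobody has classified yet (and non-security Windows fixes), so each approach needs a different monthly reconciliation step.

```powershell
# Added example, not code from the original post, Shavlik or Configuration Manager.
# The feed below is CONSTRUCTED sample data standing in for one month's patch XML;
# the real file's schema is not shown on the page, so Id/Product/Category are assumptions.
$Feed = @(
    [pscustomobject]@{ Id = 'Q1001'; Product = 'Windows Server 2003'; Category = 'Security' }
    [pscustomobject]@{ Id = 'Q1002'; Product = 'Windows XP';          Category = 'Security' }
    [pscustomobject]@{ Id = 'Q1003'; Product = 'Windows Server 2003'; Category = 'Security' }     # new this month, not on last month's include list
    [pscustomobject]@{ Id = 'Q1004'; Product = 'Office 2003';         Category = 'Security' }
    [pscustomobject]@{ Id = 'Q1005'; Product = 'SQL Server 2005';     Category = 'Security' }
    [pscustomobject]@{ Id = 'Q1006'; Product = 'Adobe Reader';        Category = 'Security' }
    [pscustomobject]@{ Id = 'Q1007'; Product = 'Windows Server 2003'; Category = 'Non-Security' } # Windows, but not a security update
    [pscustomobject]@{ Id = 'Q1008'; Product = 'Silverlight';         Category = 'Security' }     # product family nobody has classified yet
)

# Whitelist: the Q-numbers explicitly approved last month (include only these).
$Include = @('Q1001', 'Q1002')

# Blacklist: product families stripped out; everything else is taken.
$ExcludeProducts = @('Office*', 'Adobe*', 'Firefox*', 'SQL Server*')

# Ground truth for this exercise: Windows security updates only.
function Get-WantedPatches {
    param([object[]]$Feed)
    $Feed | Where-Object { $_.Product -like 'Windows*' -and $_.Category -eq 'Security' }
}

# Include-only selection: keep a patch only if its Id is on the approved list.
function Select-ByWhitelist {
    param([object[]]$Feed, [string[]]$Include)
    $Feed | Where-Object { $Include -contains $_.Id }
}

# Exclude-list selection: drop a patch if its product matches any exclude pattern.
function Select-ByBlacklist {
    param([object[]]$Feed, [string[]]$ExcludeProducts)
    $Feed | Where-Object {
        $product = $_.Product
        -not ($ExcludeProducts | Where-Object { $product -like $_ })
    }
}

# Ids in $Wanted that a selection misses, and Ids it adds on top of $Wanted.
function Compare-Selection {
    param([object[]]$Wanted, [object[]]$Selected)
    $diff = Compare-Object -ReferenceObject $Wanted -DifferenceObject $Selected -Property Id
    [pscustomobject]@{
        Missed = @($diff | Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object { $_.Id })
        Extra  = @($diff | Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object { $_.Id })
    }
}

$Wanted = Get-WantedPatches -Feed $Feed

# "Total list of patches in the feed": one row per product, so a whitelist can be drafted
# from it and new product families spotted before the exclude list goes stale.
$Feed | Group-Object Product | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

$wl = Compare-Selection -Wanted $Wanted -Selected (Select-ByWhitelist -Feed $Feed -Include $Include)
$bl = Compare-Selection -Wanted $Wanted -Selected (Select-ByBlacklist -Feed $Feed -ExcludeProducts $ExcludeProducts)

"Whitelist misses (Windows security updates not yet on the include list): $($wl.Missed -join ', ')"
"Whitelist extras: $($wl.Extra -join ', ')"
"Blacklist misses: $($bl.Missed -join ', ')"
"Blacklist extras (unclassified products and non-security Windows fixes): $($bl.Extra -join ', ')"
```

On the constructed feed the whitelist reports the new Windows update as missed and nothing extra, while the blacklist reports nothing missed but lets through the non-security Windows fix and the unclassified product. In practice that means the whitelist's monthly chore is "diff this month's Windows security Q-numbers against the include list", and the blacklist's is "look for product names that match no exclude pattern"; the Group-Object line gives the raw material for either check, and whichever list is used, the reconciliation should be scripted rather than discovered by re-running patch analysis against a few hundred servers.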