Greetings all,
We recently switched over to LDMS 9.6 and have discovered a problem with one of our agent configurations that we set up for "no patching". We use this agent for inventory purposes only on a couple of vendor-supplied devices that we're not supposed to patch as part of our normal patching routine.
With 9.5, we followed the guidance from this article to set up the "No Patching" agent: How to exclude a managed device from applying patches
With 9.6, we tried doing the same. The agent installs just fine and I'm able to verify that vulscan.exe does not get installed. However, the problem is that a couple of days later, it (vulscan.exe) somehow gets installed. Policysync then runs and picks up all the patches we have set for policy.
I have tried recreating the configuration from scratch. I also tried configuring separate distribution and patch settings to use in the configuration, specifically Patch Only Settings > Scan Options > Type > un-checking all options.
We have used queries in the past to exclude devices from policy, but we would like to get away from this method because of the growing number of devices.
Any suggestions are appreciated.