Environment
Novell ZENworks Configuration Management 11.3
Situation
Patch policy keeps applying a patch that includes version for both Disabled and Enabled. The filter is set to allow both. For example:
MS 2934088 Workaround for Vulnerability in Internet Explorer (Disabled) (See Notes)
and
MS 2934088 Workaround for Vulnerability in Internet Explorer (Enabled) (See Notes)
Resolution
Don't put workaround policy patches in your patch policy. There is a pair of patches for each workaround. Administrators should set one or both of the pair of patches to Disabled if they don't want to use them.
Automate: Change the filter to exclude Enabled and Disabled these patches. Add one or the other to the Members tab of the patch policy as needed.
Cause
The intended use is that when a zero day comes out, Microsoft may issue a workaround. At that point, the Administrator will use the "ENABLE" patch to install the workaround. Once the real patch is available - the workaround can be eliminated by using the "DISABLE" .... however at no point should both be used at the same time.