Denying Patch Services to Cloned Desktops

Now that you have created an OU in AD, you can associate a policy that effectively denies patch acquisition to the devices contained in this OU.

To deny patch services to cloned desktops:

Follow the generalized procedure outlined in Assigning Policy to Directory Objects. Because this procedure is specific to entitling devices to a policy that denies a service, note the actual values you must provide to achieve this goal.

  1. Select View/Edit Properties for the OU directory object that contains the cloned desktops.
  2. From the drop-down menu on the Policy Management Wizard icon, select Launch Policy Management Wizard (Policy) to add a normal policy.
  3. In the Policy Management Wizard, select Patches as the Service Domain.
  4. Select the DISCOVER_PATCH and FINALIZE_PATCH services in the list and click Add to Selection.
  5. Click Next.
  6. In the Selected Services list, select all the services and specify the following changes for all of the services listed:
  7. Click Next and Commit to save the changes.

This procedure has assigned a policy that denies patch services to the OU that contains the cloned desktops. Because the priority of this policy is specified as high, it is resolved above all the other policies within its hierarchy. You can verify this by viewing the Entitlement list of policies for any one of the devices in the list.

Now, when the patch connect is run on any of the cloned desktops contained in the specified OU, the patch service entitlement is not resolved and the patch is not installed. Other services to which the cloned desktops are entitled are not affected and are still resolved.

You must ensure that only cloned desktops are contained in this OU. If any other device is added to this OU, it will also be denied patch services.

You can deny patch services through policy entitlement at any level; that is, it can be done at the container, OU, or device level.

Note: It is important to apply the policy at the correct level in the hierarchy so that it affects only the required devices and not all devices.
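
One way to check what the deny policy actually covers, as an added example that is not part of the original documentation: the script compares an exported list of computer DNs against an inventory of known clones and reports non-clone devices that would be denied patch services, as well as clones that sit outside the OU. The OU name, device names, and inventory are constructed sample values, and the script assumes the policy is inherited by sub-OUs.

```python
# Added example with constructed sample data; OU and device names are hypothetical.
DENY_OU = "OU=ClonedDesktops,OU=Workstations,DC=example,DC=com"
EXPORTED_DNS = [
    "CN=CLONE-001,OU=ClonedDesktops,OU=Workstations,DC=example,DC=com",
    "CN=CLONE-002,OU=Pool A,OU=ClonedDesktops,OU=Workstations,DC=example,DC=com",
    "CN=FINANCE-PC7,OU=ClonedDesktops,OU=Workstations,DC=example,DC=com",
    "CN=CLONE-003,OU=Workstations,DC=example,DC=com",
    # Escaped comma: the CN merely contains the text "OU=ClonedDesktops".
    "CN=LAB\\,OU=ClonedDesktops,OU=Workstations,DC=example,DC=com",
]
KNOWN_CLONES = {"CLONE-001", "CLONE-002", "CLONE-003"}

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped characters."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2  # escaped char stays in this RDN
        elif dn[i] == ",":
            parts.append(cur.strip().lower())
            cur, i = "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    parts.append(cur.strip().lower())
    return parts

def in_scope(dn, ou=DENY_OU):
    """True if the object is in the OU or a sub-OU (assumes policy inheritance)."""
    parent, scope = split_dn(dn)[1:], split_dn(ou)
    return parent[-len(scope):] == scope

def device_name(dn):
    """Return the CN value of a DN in upper case."""
    return split_dn(dn)[0].split("=", 1)[1].upper()

def audit(dns, clones=KNOWN_CLONES):
    """Return (non-clones inside the OU, known clones outside the OU)."""
    wrongly_denied = [d for d in dns if in_scope(d) and device_name(d) not in clones]
    not_covered = [d for d in dns if not in_scope(d) and device_name(d) in clones]
    return wrongly_denied, not_covered

if __name__ == "__main__":
    wrongly_denied, not_covered = audit(EXPORTED_DNS)
    print("Non-clone devices that would be denied patch services:", wrongly_denied)
    print("Known clones outside the deny OU:", not_covered)
```

A plain suffix match on the DN string would wrongly place the last sample entry inside the OU, which is why the DN is split into RDNs before comparison.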


© 2003 - 2012 Hewlett-Packard Development Company, L.P.