Prevent Specific Software From Updating in Automox

Preventing specific software from updating is a common requirement in IT environments. Whether you need to maintain compatibility with existing systems, avoid known issues with newer versions, or follow internal testing protocols, Automox provides multiple methods to control which software gets updated.

You can block specific software from updating by using one of three methods: the Ignore feature, Patch All Except policies, or Advanced Policies.

Prerequisites

  • Automox administrator access with permission to manage policies.
  • Devices reporting correctly to the Automox console.
  • Software must be Automox-supported to use package targeting filters.

Choosing the Right Method

It's helpful to understand when each approach is most appropriate for your needs.

  • Ignore: Fast, temporary, update-specific
  • Patch All Except: Simple, consistent exclusions across many devices
  • Advanced Policy: Flexible, conditional, and scalable

Most organizations use a combination of all three.

Example: An organization may use Ignore for emergency situations, maintain a Patch Except policy for known problematic software, and leverage Advanced Policies for ongoing conditional exclusions based on risk tolerance and testing procedures.

Option 1: Ignore a Specific Patch

Use Ignore to immediately block a specific patch on one or more devices without changing existing policies. This method is ideal for one-off situations where you need to prevent a specific update from installing on certain machines without altering your overall patching strategy.

Ignore a Patch from the Device Details Page (one device)

  1. Go to Devices and open the target device.
  2. Scroll to the Software and Patches section.
  3. Select the checkbox next to the patch.
  4. Click Bulk Actions → Ignore.
  5. Confirm the action.

Ignore a Patch from the Software Page (all devices)

  1. Go to Software in the Automox console.
  2. Locate the patch or software.
  3. Open the Actions menu for that item.
  4. Select Ignore.

Important: This action applies immediately and does not prompt for confirmation. After ignoring a patch, run a device scan to ensure the ignored status is registered before the next policy run.

When to Use Ignore

  • Temporary or emergency patch blocks.
  • One-off exceptions on individual devices.
  • Short-term testing or validation scenarios.

Option 2: Patch Except Policy with Package Targeting

Use a Patch All Except policy to patch all supported software except a defined list of excluded packages. This method is best when you have a defined list of software that should never update across your entire organization, such as legacy applications or specific versions required for business operations.

Create a Patch All Except Policy

  1. Go to Automate → Policies.
  2. Click Create Policy.
  3. Select Patch All Except.
  4. Enter a descriptive name in the Policy Name field.
  5. Click Associate Groups to select the groups this policy should apply to.
  6. Set the policy Status to Active.
  7. (Optional) Configure Device Targeting to apply to specific devices within the groups.
  8. In Package Targeting:
    • Select Automox Supported.
    • Search for packages to exclude.
    • Select the checkbox next to each package to add it to the exclusion list.
    • The selections will appear in the exclusion list on the right.
  9. Configure the patch schedule.
  10. (Optional) Configure User Notifications.
  11. Click Create Policy to save your configuration.

When to Use Patch All Except

  • Software that should never update organization-wide.
  • Legacy or business-critical applications.
  • Simple, auditable exception management.

Option 3: Advanced Policy with Package Targeting

Use an Advanced Policy when exclusions must be based on conditions such as severity, age, OS, or patch source. This option offers the highest level of customization for your patching strategy, and it is ideal when complex criteria and software exclusions are required.

Creating an Advanced Policy

  1. Go to Automate → Policies.
  2. Click Create Policy.
  3. Select Advanced.
  4. Enter a descriptive name in the Policy Name field.
  5. Click Associate Groups to select the groups this policy should apply to.
  6. Set the policy Status to Active.
  7. (Optional) Configure Device Targeting to apply to specific devices within the groups.
  8. In Package Targeting:
    • Patch Source: Filter by software source (Microsoft, Apple, etc.)
    • Patch OS: Target patches based on the operating system
    • Type: Filter by update type (Windows Only and other options)
    • Display Name: Match software by name or partial name
    • Patch Severity: Include or exclude based on CVE severity scores
    • Patch Age: Target only packages that are a certain number of days old (1-180 days)
  9. Add multiple conditions as needed to refine targeting.
  10. Configure the patch schedule.
  11. (Optional) Configure User Notifications.
  12. Click Create Policy to save your configuration.

Example: Excluding Software by Severity and Age

A common use case is excluding lower-severity updates until they have been available for a period of time. You might create a policy that only patches Critical severity updates immediately while deferring Medium and Low severity updates for 30 days after release. This approach allows your team to monitor new patches for issues before they deploy broadly.
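
To preview how the severity-and-age example above would treat a patch list before you build the policy, the following added example models the rules in Python. It is not Automox code and does not call the Automox console or API; the field names (`display_name`, `severity`, `released`), the rule table, and the sample inventory are assumptions constructed for illustration.

```python
from datetime import date

# Hypothetical rule table modelling the example above: severity -> minimum
# patch age in days before install. 0 means "patch immediately".
DEFER_DAYS = {"critical": 0, "medium": 30, "low": 30}
PATCH_AGE_RANGE = range(1, 181)  # the Patch Age filter accepts 1-180 days

def validate_rules(rules):
    """Reject deferral windows outside the 1-180 day Patch Age range."""
    for severity, days in rules.items():
        if days != 0 and days not in PATCH_AGE_RANGE:
            raise ValueError(f"{severity}: {days} days is outside 1-180")

def decide(patch, today, rules=DEFER_DAYS, excluded_names=()):
    """Return 'excluded', 'install', 'defer' or 'unmatched' for one patch."""
    name = patch["display_name"].lower()
    # Display Name matching is by name or partial name.
    if any(fragment.lower() in name for fragment in excluded_names):
        return "excluded"
    severity = (patch.get("severity") or "").lower()
    if severity not in rules:
        # No rule covers this severity (e.g. High, or no score at all).
        return "unmatched"
    age_days = (today - patch["released"]).days
    return "install" if age_days >= rules[severity] else "defer"

def preview(patches, today, **kwargs):
    """Map each patch display name to its decision."""
    validate_rules(kwargs.get("rules", DEFER_DAYS))
    return {p["display_name"]: decide(p, today, **kwargs) for p in patches}

# Constructed sample inventory, not real Automox output.
SAMPLE = [
    {"display_name": "Browser X 120.0", "severity": "Critical", "released": date(2024, 5, 28)},
    {"display_name": "PDF Reader Y 24.1", "severity": "Medium", "released": date(2024, 5, 20)},
    {"display_name": "Archiver Z 9.3", "severity": "Low", "released": date(2024, 4, 1)},
    {"display_name": "Runtime W 8.0.6", "severity": "High", "released": date(2024, 5, 30)},
    {"display_name": "Legacy ERP Client 4.2", "severity": "Critical", "released": date(2024, 5, 1)},
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for name, result in preview(SAMPLE, today, excluded_names=["Legacy ERP"]).items():
        print(f"{result:10} {name}")
```

The `unmatched` result marks patches whose severity no rule covers, such as High in this example, so you can decide explicitly how the policy should handle them.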

When to Use Advanced Policy

  • Conditional or complex rules required.
  • Deferring new patches until validated.
  • Complex environments requiring granular control.

Best Practices

  • Document why exclusions exist and review them regularly.
  • Periodically audit ignored patches and policy exceptions.
  • Remove exclusions when software becomes stable or compliant again.

By understanding and properly implementing these three methods, you gain complete control over your organization's patching strategy while maintaining the automation benefits that make Automox valuable.
