ZENworks: How to block the automatic install of specific Windows KB updates using PowerShell

There can be instances where one wants to block the automatic installation of specific Windows patches on devices via "Windows Update", where those patches may cause issues.

"PSWindowsUpdate" is one PowerShell tool that can assist in this matter.  The tool will not block the installation of those patches via ZENworks Patch Management or other mechanisms.  Details about this PowerShell tool can be found here: https://www.powershellgallery.com/packages/PSWindowsUpdate/2.2.1.5

Below is an example that can be run via a ZENworks bundle calling a PowerShell script.

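# Install the NuGet provider that Install-Module depends on
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
# Allow the module to load in this session only; -Force suppresses the confirmation prompt
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
Install-Module -Name PSWindowsUpdate -Force
# KBs to block from automatic installation via Windows Update
$HideList = "KB5041580", "KB5041585"
Hide-WindowsUpdate -KBArticleID $HideList -Verbose -Confirm:$False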

In this example, the script silently downloads and installs the prerequisite "NuGet" package provider as well as the "PSWindowsUpdate" module.

It then issues the command to "Hide" KB5041580 and KB5041585.

The results can be seen below where KB5041585 is hidden. (Note: this is a Windows 11 PC, so KB5041580 is not applicable and thus not hidden.)

Checking For Windows Updates shows the following results, without the hidden patch.

In cases where the "Hidden" patch was already in the process of automatically downloading, the progress was reset: the download stopped and did not resume automatically, but the patch remained in the list to allow for manual installation.

With the PowerShell module installed, one also has access to commands to check both Windows Update history and needed patches. The following results are what is shown after running the script bundle to "Hide" the specified updates.

One can see that the specified KBs have not been installed in the past and are not listed as needed, while other KBs released at the same time still show as needed.
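The script below is an added example, not the article's own code or the attached bundle: it pins the module to the version in the gallery link above, keeps the execution-policy change inside the running process, and checks the result of the hide step itself. The `KB` property name, the three status strings and the use of the exit code by the calling bundle are assumptions.

```powershell
# Added example: pinned, self-verifying variant of the hide script.
$ModuleVersion = '2.2.1.5'                 # version from the gallery URL in the article
$HideList      = 'KB5041580', 'KB5041585'  # KBs used in the article

# Bypass only for this process; the machine-wide policy stays as configured.
# A Group Policy-enforced policy makes this call fail, so report it and continue.
try { Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force }
catch { Write-Warning "Execution policy not changed: $_" }
$ErrorActionPreference = 'Stop'

# PowerShell Gallery requires TLS 1.2; older Windows builds do not enable it by default.
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Install the provider and the pinned module version only when they are missing.
if (-not (Get-PackageProvider -ListAvailable -Name NuGet -ErrorAction SilentlyContinue)) {
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
}
if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate |
          Where-Object { $_.Version -eq [version]$ModuleVersion })) {
    Install-Module -Name PSWindowsUpdate -RequiredVersion $ModuleVersion -Force
}
Import-Module PSWindowsUpdate -RequiredVersion $ModuleVersion

Hide-WindowsUpdate -KBArticleID $HideList -Confirm:$false | Out-Null

# Verify: query hidden updates and still-offered updates separately.
# Assumption: each result object exposes the KB number in a 'KB' property,
# as shown in the module's default table output.
$hidden = @(Get-WindowsUpdate -IsHidden | ForEach-Object { $_.KB })
$needed = @(Get-WindowsUpdate | ForEach-Object { $_.KB })

$stillOffered = 0
foreach ($kb in $HideList) {
    if     ($hidden -contains $kb) { Write-Output "$kb : hidden" }
    elseif ($needed -contains $kb) { Write-Output "$kb : STILL OFFERED"; $stillOffered++ }
    else   { Write-Output "$kb : not offered (not applicable or already installed)" }
}

# Non-zero exit code = at least one requested KB is still offered by Windows Update.
exit $stillOffered
```

On the Windows 11 device described above, KB5041580 would fall into the "not offered" branch rather than being counted as a failure.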

Previously "Hidden" Windows updates can be "unhidden" using the "Show-WindowsUpdate" command, such as: Show-WindowsUpdate -KBArticleID "KB5041580","KB5041585" -Verbose -Confirm:$False

After running the "Show" command, we can see the KB is now listed as needed.

Attached is a sample bundle:

KBBlocker.zip

Please check out the following link for other important articles:

https://community.microfocus.com/members/craigdwilson/bookmarks

Labels:

Configuration Management
Full Disk Encryption
Patch Management