I'd like to leave Windows Automatic Updates enabled but block a specific patch from being installed that is causing us problems.
Is this possible? Anyone know how to do that?
I'd like to leave Windows Automatic Updates enabled but block a specific patch from being installed that is causing us problems.
Is this possible? Anyone know how to do that?
In a larger network you will want to use WSUS as DanBig pointed out. However, if you owant to block an individual hot fix you can do so with the hot fix ID using this script:
If Wscript.Arguments.Count = 0 Then
WScript.Echo "Syntax: HideWindowsUpdate.vbs [Hotfix Article ID]" & vbCRLF & _
"Examples:" & vbCRLF & _
" - Hide KB940157: HideWindowsUpdate.vbs 940157"
WScript.Quit 1
End If
Dim hotfixId
hotfixId = WScript.Arguments(0)
Dim updateSession, updateSearcher
Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateUpdateSearcher()
Wscript.Stdout.Write "Searching for pending updates..."
Dim searchResult
Set searchResult = updateSearcher.Search("IsInstalled=0")
Dim update, kbArticleId, index, index2
WScript.Echo CStr(searchResult.Updates.Count) & " found."
For index = 0 To searchResult.Updates.Count - 1
Set update = searchResult.Updates.Item(index)
For index2 = 0 To update.KBArticleIDs.Count - 1
kbArticleId = update.KBArticleIDs(index2)
If kbArticleId = hotfixId Then
WScript.Echo "Hiding update: " & update.Title
update.IsHidden = True
End If
Next
Next
If the update is not linked to an KB article then you would need to find the update ID using this script:
Dim updateSession, updateSearcher
Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateUpdateSearcher()
Wscript.Stdout.Write "Searching for pending updates..."
Dim searchResult
Set searchResult = updateSearcher.Search("IsInstalled=0")
Dim update, kbArticleId, index, index2
WScript.Echo CStr(searchResult.Updates.Count) & " found."
For index = 0 To searchResult.Updates.Count - 1
Set update = searchResult.Updates.Item(index)
WScript.Echo update.Identity.UpdateID & ": " & update.Title
Next
And block it using this script:
If Wscript.Arguments.Count = 0 Then
WScript.Echo "Syntax: HideWindowsUpdateById.vbs [Update ID]" & vbCRLF & _
"Examples:" & vbCRLF & _
" - Hide KB940157: HideWindowsUpdateById.vbs 2ba85467-deaf-44a1-a035-697742efab0f"
WScript.Quit 1
End If
Dim updateId
updateId = WScript.Arguments(0)
Dim updateSession, updateSearcher
Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateUpdateSearcher()
Wscript.Stdout.Write "Searching for pending updates..."
Dim searchResult
Set searchResult = updateSearcher.Search("UpdateID = '" & updateId & "'")
Dim update, index
WScript.Echo CStr(searchResult.Updates.Count) & " found."
For index = 0 To searchResult.Updates.Count - 1
Set update = searchResult.Updates.Item(index)
WScript.Echo "Hiding update: " & update.Title
update.IsHidden = True
Next
You can do all of the above in Windows PowerShell as well. I created the scripts in VBScript originally because I wanted to interact with the Windows Update Agent before PoSH was installed. The Windows Update API is documented on MSDN.
If you are using WSUS, you can decline an update. I don't know of a way to do it otherwise.
Within the Windows Update application (on Vista and 7), right-click the update you want to block and select "Hide Update". This will remove it from the list and block installing it during automatic installation. You can "restore" the hidden update any time in the future so it will appear back on the list.
There is a similar process on the older style Windows Update web site (for Windows XP) where you can hide an update. The option to do so is in different place though.
I recommend a one-line change to the Colin's scripts. I'm not certain exactly why, but I find I am seeing the wrong KB number unless I use a search like:
updateSearcher.Search("IsInstalled=0 and IsHidden=0")
If I only specify IsInstalled=0, I sometimes get a different KB number.
For instance: KB2956078 is ready to install on my machine. If I specify both conditions to Search(), I see:
.Title = Security Update for Microsoft Outlook 2010 (KB2956078) 32-Bit Edition
However, with only the "IsInstalled=0" conditional, I see:
.Title = Security Update for Microsoft Outlook 2010 (KB4011273) 32-Bit Edition
Looking at Windows Update, I see that KB2956078 is the update that is being displayed. Also, I am setting that update to hidden, and that works correctly and hides the update with the change I am proposing.
Minor update: I may have figured out why this is happening. I've been suppressing certain Outlook updates that break Outlook scripting. The two updates in question have very similar titles, and it looks as though Windows Update gets confused.