9

I'd like to leave Windows Automatic Updates enabled but block a specific patch from being installed that is causing us problems.

Is this possible? Anyone know how to do that?

I say Reinstate Monica

4 Answers

14

In a larger network you will want to use WSUS as DanBig pointed out. However, if you want to block an individual hot fix you can do so with the hot fix ID using this script:

' Hides every pending update that references the given KB article ID.
' Run with cscript.exe: WScript.StdOut is not available under wscript.exe.
If WScript.Arguments.Count = 0 Then
    WScript.Echo "Syntax: HideWindowsUpdate.vbs [Hotfix Article ID]" & vbCRLF & _
                 "Examples:" & vbCRLF & _
                 "  - Hide KB940157: HideWindowsUpdate.vbs 940157"
    WScript.Quit 1
End If

' The article ID is passed without the "KB" prefix.
Dim hotfixId
hotfixId = WScript.Arguments(0)

Dim updateSession, updateSearcher
Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateUpdateSearcher()

' Ask the Windows Update Agent for all updates that are not yet installed.
WScript.StdOut.Write "Searching for pending updates..."
Dim searchResult
Set searchResult = updateSearcher.Search("IsInstalled=0")

Dim update, kbArticleId, index, index2
WScript.Echo CStr(searchResult.Updates.Count) & " found."
For index = 0 To searchResult.Updates.Count - 1
    Set update = searchResult.Updates.Item(index)
    ' An update can reference several KB articles, so check each one.
    For index2 = 0 To update.KBArticleIDs.Count - 1
        kbArticleId = update.KBArticleIDs(index2)
        If kbArticleId = hotfixId Then
            WScript.Echo "Hiding update: " & update.Title
            ' A hidden update is skipped by automatic installation.
            update.IsHidden = True
        End If
    Next
Next

If the update is not linked to a KB article then you would need to find the update ID using this script:

' Lists the update ID and title of every pending update.
' Run with cscript.exe: WScript.StdOut is not available under wscript.exe.
Dim updateSession, updateSearcher
Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateUpdateSearcher()

WScript.StdOut.Write "Searching for pending updates..."
Dim searchResult
Set searchResult = updateSearcher.Search("IsInstalled=0")

Dim update, index
WScript.Echo CStr(searchResult.Updates.Count) & " found."
For index = 0 To searchResult.Updates.Count - 1
    Set update = searchResult.Updates.Item(index)
    ' Identity.UpdateID is the GUID that HideWindowsUpdateById.vbs expects.
    WScript.Echo update.Identity.UpdateID & ": " & update.Title
Next

And block it using this script:

' Hides the update with the given update ID (GUID).
' Run with cscript.exe: WScript.StdOut is not available under wscript.exe.
If WScript.Arguments.Count = 0 Then
    WScript.Echo "Syntax: HideWindowsUpdateById.vbs [Update ID]" & vbCRLF & _
                 "Examples:" & vbCRLF & _
                 "  - Hide KB940157: HideWindowsUpdateById.vbs 2ba85467-deaf-44a1-a035-697742efab0f"
    WScript.Quit 1
End If

Dim updateId
updateId = WScript.Arguments(0)

Dim updateSession, updateSearcher
Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateUpdateSearcher()

' Search by update ID directly instead of walking the whole pending list.
WScript.StdOut.Write "Searching for pending updates..."
Dim searchResult
Set searchResult = updateSearcher.Search("UpdateID = '" & updateId & "'")

Dim update, index
WScript.Echo CStr(searchResult.Updates.Count) & " found."
For index = 0 To searchResult.Updates.Count - 1
    Set update = searchResult.Updates.Item(index)
    WScript.Echo "Hiding update: " & update.Title
    update.IsHidden = True
Next

You can do all of the above in Windows PowerShell as well. I created the scripts in VBScript originally because I wanted to interact with the Windows Update Agent before PoSH was installed. The Windows Update API is documented on MSDN.

Colin Bowern
  • Very nice! I have slightly modified the script in http://superuser.com/a/922921/172012 - to accept multiple hotfixes at once. – Opmet Jun 03 '15 at 06:46
  • Very helpful, thanks, especially the loop for finding updates by KB number. I've incorporated that into my script for uninstalling and hiding Microsoft Updates: http://www.mcbsys.com/blog/2015/11/uninstall-and-hide-windows-updates/. – Mark Berry Dec 20 '15 at 05:36
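The answer above notes that the same can be done in PowerShell. The following is an added example, not code from the answer or from Microsoft: it uses the same Microsoft.Update.Session COM object, and the function name Hide-UpdateByKb and its parameters are names chosen here. It accepts several KB IDs, supports -WhatIf, and reports the MSRC severity of each update it hides so that suppressed security patches stay visible.

```powershell
# Added example (not from the original answer): hide pending updates by KB ID.
# Requires PowerShell 3.0+ and an elevated session to change IsHidden.
function Hide-UpdateByKb {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # One or more article IDs, with or without the "KB" prefix.
        [Parameter(Mandatory, Position = 0)]
        [string[]] $KbArticleId,
        # Windows Update Agent search criteria (default matches the VBScript).
        [string] $Criteria = 'IsInstalled=0'
    )

    # Normalise "KB940157" and "940157" to the bare number the agent reports.
    $wanted = @($KbArticleId | ForEach-Object { $_.Trim() -replace '^kb', '' })

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search($Criteria)

    $matched = @()
    foreach ($update in $result.Updates) {
        # An update can reference several KB articles; match on any of them.
        $kbs = @($update.KBArticleIDs)
        $hit = @($kbs | Where-Object { $wanted -contains $_ })
        if ($hit.Count -eq 0) { continue }
        $matched += $hit

        if ($PSCmdlet.ShouldProcess($update.Title, 'Hide update')) {
            $update.IsHidden = $true
        }
        [pscustomobject]@{
            UpdateID     = $update.Identity.UpdateID
            KB           = $kbs -join ','
            MsrcSeverity = $update.MsrcSeverity
            IsHidden     = $update.IsHidden
            Title        = $update.Title
        }
    }

    # Warn about IDs that matched nothing so a typo does not pass silently.
    $wanted | Where-Object { $matched -notcontains $_ } | ForEach-Object {
        Write-Warning "No pending update references KB$_"
    }
}

# Preview, then apply (KB940157 is the example ID used in the answer):
# Hide-UpdateByKb KB940157 -WhatIf
# Hide-UpdateByKb KB940157
```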
0

If you are using WSUS, you can decline an update. I don't know of a way to do it otherwise.

DanBig
  • I know it's via WSUS, but not sure exactly how to apply policies for this http://serverfault.com/questions/718232/disable-telemetry-data-privacy-invading-windows-updates-or-temporarily-all – Alex S Sep 02 '15 at 13:12
0

Within the Windows Update application (on Vista and 7), right-click the update you want to block and select "Hide Update". This will remove it from the list and block installing it during automatic installation. You can "restore" the hidden update any time in the future so it will appear back on the list.

There is a similar process on the older style Windows Update web site (for Windows XP) where you can hide an update. The option to do so is in a different place though.

Justin Scott
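A scripted counterpart to the hide and restore steps described in the answer above, as an added example that is not part of the original post: it lists the updates currently hidden on a machine together with their MSRC severity and security bulletin IDs, and restores one by update ID. The function names Get-HiddenUpdate and Restore-HiddenUpdate are names chosen here; the COM object and properties are those of the Windows Update Agent API.

```powershell
# Added example (not from the original answer): list and restore hidden updates.
# Requires PowerShell 3.0+; restoring needs an elevated session.
function Get-HiddenUpdate {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IsHidden=1 limits the result to updates hidden on this machine.
    $result = $searcher.Search('IsInstalled=0 and IsHidden=1')
    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            UpdateID     = $update.Identity.UpdateID
            KB           = @($update.KBArticleIDs) -join ','
            MsrcSeverity = $update.MsrcSeverity   # blank when no severity is assigned
            Bulletins    = @($update.SecurityBulletinIDs) -join ','
            Title        = $update.Title
        }
    }
}

function Restore-HiddenUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Typed as [guid] so malformed input is rejected before it reaches the query.
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [guid] $UpdateID
    )
    process {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $result   = $searcher.Search("IsHidden=1 and UpdateID='$UpdateID'")
        foreach ($update in $result.Updates) {
            if ($PSCmdlet.ShouldProcess($update.Title, 'Restore hidden update')) {
                $update.IsHidden = $false
            }
        }
    }
}

# Review hidden updates that carry a security rating:
# Get-HiddenUpdate | Where-Object MsrcSeverity | Format-Table -AutoSize
# Restore one by the UpdateID shown in that list (preview with -WhatIf first):
# Get-HiddenUpdate | Where-Object KB -eq '940157' | Restore-HiddenUpdate -WhatIf
```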
0

I recommend a one-line change to Colin's scripts. I'm not certain exactly why, but I find I am seeing the wrong KB number unless I use a search like:

updateSearcher.Search("IsInstalled=0 and IsHidden=0")

If I only specify IsInstalled=0, I sometimes get a different KB number.

For instance: KB2956078 is ready to install on my machine. If I specify both conditions to Search(), I see:

.Title = Security Update for Microsoft Outlook 2010 (KB2956078) 32-Bit Edition

However, with only the "IsInstalled=0" conditional, I see:

.Title = Security Update for Microsoft Outlook 2010 (KB4011273) 32-Bit Edition

Looking at Windows Update, I see that KB2956078 is the update that is being displayed. Also, I am setting that update to hidden, and that works correctly and hides the update with the change I am proposing.

Minor update: I may have figured out why this is happening. I've been suppressing certain Outlook updates that break Outlook scripting. The two updates in question have very similar titles, and it looks as though Windows Update gets confused.

trindflo