SCCM 2012 Block Windows Update KB Number

Hello,

For a few weeks now I have had one update for .NET that is causing production outages.

According to resources and discussions, such an update can be blocked via Custom Severity - Low and None, in the ADRs; that way all updates categorised as Low are not deployed.

Last week the problematic update passed into obsolete with a red x next to it. I was hoping it would not come back, but I was wrong.

This week it has been set back to active and deployed to some servers, even though all ADRs contain the Custom Severity setting as described in an external blog.

The wuahandler.log on the impacted server states:

2. Update (Missing): 2017- Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows 8.1 and Server 2012 R2 for x64 (KBedited) (dc4eb637-5391-4ca8-8f08-98584d61effa, 201) WUAHandler 06/12/2017 03:00:05 83708 (0x146FC)

Could someone please share a method on how I can permanently block this update from installing again?
Asked by: m a

Robert (System Admin) Commented:
The method I use is to do the following:
1. Remove the update from any update groups
2. Set the update's custom severity to Low
3. Edit your ADR to exclude Low custom severity

I don't remember what site I saw that on to give the proper credit, but it will prevent the update from getting back into deployment.
0

btan (Exec Consultant) Commented:
A similar approach is described here, which requires it to be uninstalled first before blocking can be done.

In the Windows Update, locate the update that you want to block and right-click it. Select hide update to do so. Hiding the update blocks it from being downloaded and installed automatically.  It can still be installed manually on the system though.

https://www.ghacks.net/2014/12/11/how-to-remove-installed-windows-updates-and-block-them-afterwards/
0
m a (Author) Commented:
That can be done on Windows 7; my scenario is Server 2012 and is managed by SCCM/WSUS. It gets installed again automatically.
0

btan (Exec Consultant) Commented:
I believe then this is one of the means which you have already shared. You need to rerun the ADR to regenerate the monthly Software Update Group. And this method only stops it from going out in the future.

http://blog.danovich.com.au/2012/12/18/decline-exclude-an-update-in-sccm-2012/

Another means shared is, as an example:
Out of all the updates we will not deploy all of them rather we will filter the updates by adding criteria. Click on Add criteria. Select Expired, Product, Superseded, Bulletin ID. Click Add. Choose the product as Windows 7, Bulletin ID as MS, Expired as NO, Superseded as NO.
https://prajwaldesai.com/deploy-software-updates-using-sccm-2012-r2/
0
Pankaj Kumar (Systems Specialist) Commented:
Just Decline that update from WSUS console in SCCM Hierarchy and you are done. Client will not scan it and it will be removed from SCCM console as well.

Sequence will be:

CAS
Primary
Secondary
Remote SUP
0
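
The decline-in-sequence procedure from the comment above, as an added PowerShell example that is not part of the original thread. It takes the update ID from the wuahandler.log line quoted in the question; the server names and port 8530 are placeholders, and it assumes the WSUS administration tools (UpdateServices module) are installed where it runs.

```powershell
# Added example: decline one update on each WSUS server of the hierarchy, top-down.
Import-Module UpdateServices

# Log line as quoted in the question; the GUID in parentheses is the update ID.
$logLine = '2. Update (Missing): 2017- Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows 8.1 and Server 2012 R2 for x64 (KBedited) (dc4eb637-5391-4ca8-8f08-98584d61effa, 201) WUAHandler 06/12/2017 03:00:05 83708 (0x146FC)'

# Match "(<guid>, <number>)"; only the GUID is used below.
$pattern = '\(([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}),\s*\d+\)'
if ($logLine -notmatch $pattern) {
    throw 'No update ID found in the log line.'
}
$updateId = [guid]$Matches[1]

# Placeholder host names, listed in the order given in the thread:
# CAS, Primary, Secondary, Remote SUP.
$wsusServers = @(
    'cas-wsus.example.local',
    'pri-wsus.example.local',
    'sec-wsus.example.local',
    'remote-sup.example.local'
)

foreach ($name in $wsusServers) {
    try {
        # Add -UseSsl and change the port if the WSUS site requires HTTPS.
        $wsus = Get-WsusServer -Name $name -PortNumber 8530
    } catch {
        Write-Warning "Cannot connect to WSUS on ${name}: $_"
        continue
    }

    $update = Get-WsusUpdate -UpdateServer $wsus -UpdateId $updateId -ErrorAction SilentlyContinue
    if (-not $update) {
        Write-Warning "Update $updateId is not present on $name."
        continue
    }

    # -WhatIf only reports what would be declined; remove it to apply the change.
    $update | Deny-WsusUpdate -WhatIf
    Write-Output "Processed $updateId on $name"
}
```

Remove `-WhatIf` once the output shows the expected update on every server.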
btan (Exec Consultant) Commented:
From my earlier post.
Remove / Decline Update

Go to All Software Updates
Find the Update you want to decline
Highlight and right-click, then select Edit Membership
Untick all of the Software Update Groups and click OK
0
m a (Author) Commented:
So yes, as it is a CAS to PRI infra, the answer was to decline it on the upstream servers; a little time after that the update showed a grey x in the console.
A few days later it was deleted from it.
In case it is required again, the reverse steps are to be done.

Thanks all for your help.
0
btan (Exec Consultant) Commented:
For author to close it. Thanks.
0
btan (Exec Consultant) Commented:
None of the advice assisted you? The decline of the upstream update is mentioned by experts.
0
btan (Exec Consultant) Commented:
ID: 42394088, ID: 42397983, ID: 42394150 and ID: 42398222 are assisted. Equal sharing.

ID: 42411750 are answered.

For consideration
0