SCCM 2012 Block Windows Update KB Number


since a few weeks I have one update for .NET that is causing production outages.

According to ressources and discussions such update can be blocked via Custom Severity - Low and None, in the ADR's, that way all updates categorised as Low are not deployed.

Last week the problematic update passed into obsolote with a red x next to it, I wa hoping it will not come back, but I was wrong.

This week it has been set back to active and deployed to some serveres, even though all ADR's contain the Custom Severity setting as described in an external blog.

Tel wuahandler.log says on the impacted server states:

2. Update (Missing): 2017- Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows 8.1 and Server 2012 R2 for x64 (KBedited) (dc4eb637-5391-4ca8-8f08-98584d61effa, 201) WUAHandler 06/12/2017 03:00:05 83708 (0x146FC)

Could someone please share a method on how can permanently block this update from installing again?
m aAsked:
Who is Participating?
RobertSystem AdminCommented:
The method I use is to do the following
1. Remove the update from any update groups
2. Set the update's custom severity to Low
3. Edit your ADR to exclude Low custom severity

I don't remember what site I seen that on to give the proper credit but it will prevent the update from getting back into deployment.
btanExec ConsultantCommented:
A similar apprach described here which requiresbit to be uninstalled first before blocking can be done.

In the Windows Update, locate the update that you want to block and right-click it. Select hide update to do so. Hiding the update blocks it from being downloaded and installed automatically.  It can still be installed manually on the system though.
m aAuthor Commented:
that can be done on windows 7, my scenario is server 2012 and is managed by SCCM/WSUS. It gets installed again automatically.
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

btanExec ConsultantCommented:
I believe then this is one of the mean which you have already shared. Need to rerun the ADR to regenerate the monthly Software Update Group. And this method only stops it from going out in the future.

Another mean shared is, as example
Out of all the updates we will not deploy all of them rather we will filter the updates by adding criteria. Click on Add criteria. Select Expired, Product, Superseded, Bulletin ID. Click Add. Choose the product as Windows 7, Bulletin ID as MS, Expired as NO, Superseded as NO.
Pankaj KumarSystems SpecialistCommented:
Just Decline that update from WSUS console in SCCM Hierarchy and you are done. Client will not scan it and it will be removed from SCCM console as well.

Sequence will be:

Remote SUP
btanExec ConsultantCommented:
From my earlier post.
Remove / Decline Update

Go to All Software Updates
Find the Update you want to decline
Highlight and right-click, then select Edit Membership
Uptick all of the Software Update Groups and click OK
m aAuthor Commented:
So yes,as it is a CAS ti PRI infra, the answer was to declined it on the Upstream servers, a little time after that the update showed  Grey x in the console.
A few days later it was deleted from it.
In case it is required again the revers steps are to be done.

thanks all for your help.
btanExec ConsultantCommented:
For author to close it. thanks
btanExec ConsultantCommented:
none of the advice assisted you? The decline of upstream update is mentioned by experts
btanExec ConsultantCommented:
ID: 42394088, ID: 42397983, ID: 42394150 and ID: 42398222 are assisted. Equal sharing.

ID: 42411750 are answered.

For consideration
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.