Block specific windows updates

Syncro NEEDS to have the ability to block a specific Windows update, or at least observe the flag in Windows Update to mark a patch as hidden!

I cannot keep disabling Windows Update entirely whenever there is a bad patch, then waiting and re-enabling it when the problem is fixed!

I tried using PSWindowsUpdate in a script to block the update. This worked for a few hours; manually running Windows Update said there were no available updates. Then a few hours later Syncro popped up saying that updates had been installed and the computer needed to be rebooted!

NinjaRMM and N-Central both have the ability to block specific Windows updates for specific computers.

I’m begging you, PLEASE GIVE US MORE GRANULAR CONTROL OVER WINDOWS UPDATE!

20 Likes

I was going to add this suggestion. With the recent patch issues, this is critical. My techs are panicked because they cannot block the problem patches. We need true patch management. All other RMMs on the market allow blacklisting patches.

1 Like

During the fireside chat, they said WU improvements were being worked on, including features like this. You’d rarely want a client setting overriding the RMM, so Syncro has chosen to ignore local settings. Syncro just scans for installed patches, compares to a list of available ones, and then pushes them out using PS commands. It doesn’t use the system’s WU. For now, the best option is to disable the category “SecurityUpdate” until MS has a fix or a reasonable workaround has been found.

I understand that you would not want malware on a workstation hiding a security update, but… if the client already has malware then the updates would fail for another reason. The only way for a user to hide updates on Windows 10 is to use PSWindowsUpdate or wushowhide.diagcab, both of which require admin rights (which your end users shouldn’t have).

I am considering turning off all categories of updates in Syncro, then scheduling a script to run PSWindowsUpdate to handle installing the updates. I haven’t thought through the full logic of this yet, but it would at least give me a way to ignore updates. Off the top of my head, I could keep a list of blocked updates in an asset field that the script could exclude at runtime. This would keep the blocked list in the RMM and not on the client.

I have a love/hate relationship with scripting in general. I fear that I will put hours of development into getting this to work properly, only for Syncro to implement it a week later, making all my effort a waste of time.
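One way the blocklist-driven approach described above could look in practice, as an added example (not code from this thread, from Syncro or from the PSWindowsUpdate project). It assumes the RMM hands the blocklist to the script as a comma-separated string in `$BlockedKBs` (for example via a script variable mapped to an asset custom field; that mapping is an assumption) and relies only on the documented PSWindowsUpdate cmdlets `Hide-WindowsUpdate` and `Get-WindowsUpdate`. The category must still be deselected in the RMM, since Syncro ignores the local hide flag.

```powershell
# Added example: install pending Windows updates while excluding an RMM-supplied blocklist.
# $BlockedKBs is expected from the RMM (assumption); the default is a constructed sample.
param(
    [string]$BlockedKBs = "KB5009543, 5010793"
)

# Normalise the list: split on commas/semicolons/whitespace, add a missing "KB" prefix,
# and drop anything that is not a KB number, so a typo in the asset field cannot
# accidentally pass an unexpected token to the update cmdlets.
$blocked = @($BlockedKBs -split '[,;\s]+' |
    ForEach-Object { $_.Trim().ToUpper() } |
    Where-Object { $_ -match '^(KB)?\d+$' } |
    ForEach-Object { if ($_ -like 'KB*') { $_ } else { "KB$_" } })

# PSWindowsUpdate lives in the PowerShell Gallery; older hosts need TLS 1.2 to reach it.
if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers
}
Import-Module PSWindowsUpdate

# 1. Report blocked KBs that are already on the box (something else installed them).
$present = Get-HotFix | Where-Object { $blocked -contains $_.HotFixID }
if ($present) {
    Write-Warning ("Blocked KB(s) already installed: " + ($present.HotFixID -join ', '))
}

# 2. Hide the blocked updates in the local Windows Update client (defence in depth only).
if ($blocked.Count -gt 0) {
    Hide-WindowsUpdate -KBArticleID $blocked -Confirm:$false -ErrorAction SilentlyContinue | Out-Null
}

# 3. Install everything else, excluding the blocklist explicitly; never reboot unattended.
$exclude = @{}
if ($blocked.Count -gt 0) { $exclude['NotKBArticleID'] = $blocked }
$result = Get-WindowsUpdate @exclude -AcceptAll -Install -IgnoreReboot
$result | Select-Object KB, Title, Result | Format-Table -AutoSize

# 4. Post-check: fail the script (visible in the RMM) if a blocked KB slipped through.
$leak = Get-HotFix | Where-Object { $blocked -contains $_.HotFixID }
if ($leak -and -not $present) {
    Write-Error ("Blocked update was installed during this run: " + ($leak.HotFixID -join ', '))
    exit 1
}
exit 0
```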

I wasn’t referring to malware, but what if you take over a client who was with another RMM. Others are more aggressive and make a lot of changes to WU. Without realizing, you think their system is up-to-date because your RMM is telling you it is based off client settings. Seen this happen before.

There’s only a handful of patches released every month for systems and cumulative, so if you kept the list clean, it would be short or empty most of the time. MS will usually pull or roll back the code in the update as a fix, so if you delay patching, it’s usually not that big of a deal. So when we discover bad patches, we just deselect the category until the issue is resolved. Even with a new system from Syncro, category vs KB will most likely be the difference of a patch or 2 per system. For example, 2 KBs came out for Windows 10, the monthly cumulative and the .NET one. So category “blocking” isn’t that bad this month. Other months it could be more of an issue.

That is what I am doing for now. The issue is that we have to remember to re-enable it after the issue has been fixed. A setting to block a specific patch would allow us to set it and forget it. Microsoft USUALLY issues a new KB number when they pull an update and fix an issue with it, so once it’s blocked I can forget about it.

As for the hiding of updates, it wouldn’t be an issue to unhide all of the updates on onboarding, then hide only the ones you choose to block.

1 Like

All previous RMM tools I have used allow you to block updates, and I miss and need that function back.

2 Likes

If you advertise that you provide patch management, and use Syncro, you’d be lying. The ability to selectively deploy/block patches is required to meet compliance requirements for example. Our clients no longer meet NIST/CMMC at this point, and it has become an embarrassment for us.

Desperately need patch management in Syncro.

2 Likes

I just submitted a ticket for this and expect that I will hear the same thing. Micro$oft security patches have caused us a lot of grief lately; we knew the specific patches and were UNABLE to simply block them globally, so we were forced to turn off automatic updates of critical and security updates.

One client server 4 hrs away was going into a reboot loop. Thankfully we have ConnectWise integration as a backup, because it appears Splashtop will not do a reboot into safe mode to allow us to remove the patch and bring the server back up. After removing the patch it was immediately queued up again, forcing us to disable automatic install of security patches.

We already have a delay in the patch install schedule just for this situation and were able to catch a few, but not all, when the message boards lit up with the results of installing the latest security patches.
For crying out loud, somehow… give us the ability to block specific patches and force us to manually push out security and critical patches!

2 Likes

I requested this about 3 months ago but never received any response from Syncro themselves on it. If they are working on it, great, but it can’t come soon enough, as it really is an important feature to have.
At the time the main issue for me was driver updates on Lenovo devices breaking the keyboards, so I had to disable driver updates across the board since I couldn’t block the specific driver.
Now it’s security updates causing much more serious issues, so now I’ve had to disable all server patching until we get proper control.

1 Like

Does anybody have a solution to this that they could share in the meantime?

No, and this is a huge issue.

Delayed patching and disabling entire categories of updates are the only tools we have at the moment.

I saw a script in the community scripts library for ABC-Update. I am thinking about checking that out.

I am thinking about using PSWindowsUpdate to manage the built-in Windows Update using PowerShell scripts.

I am hesitant, though, because Syncro claims that “big improvements are coming” to the Windows Update portion of SyncroMSP. I don’t want to waste my time developing something and then have it obsoleted in a few months.

1 Like

I have a script to manually push out an update if you want it. You just provide the URL for the .msu file when you schedule the script.

So I unselected the category like I normally do because of the KB5009543 issue with VPN. I have gotten 2 calls this week where it got installed on 2 Windows Pro machines, but if you look in Syncro, there’s no date of install, so it wasn’t Syncro that installed it, and these 2 customers wouldn’t do updates themselves.

There is an out-of-band fix from Microsoft to fix the VPN issues. I used a script to push it out to all of my clients who use L2TP VPNs. I don’t remember the KB ID, but a quick Google search should find it.

This doesn’t address Syncro’s horrible patch management, but it does put the fire out on the January cumulative update nightmare.

I got the fix, but you also have to have the broken patch installed first, lol. What concerns me is that something installed the update to begin with, even though Syncro is supposed to disable auto updates, which it appears it did, because these weren’t installed until this week. The good news is, the Feb patch just came out, so the other isn’t available now. Let’s see what mess this one brings; so far not too much chatter.

I’m sure everyone would appreciate it if anyone from Syncro could provide an answer or update here, on such a critical missing piece in the RMM.

Syncro?

2 Likes

We really need this feature as well; we have spent tens of hours over the last few months reversing broken Windows updates.

We had the same problem: Group Policy will override Syncro’s disabling of Windows Update. You need to refine your GPO to disable Windows Updates. Otherwise, every time the workstation refreshes its group policy, Windows updates are re-enabled.
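A quick check for the Group Policy override described in this reply, as an added example (not Syncro’s code or anything from this thread). It reads the documented Windows Update policy registry values and flags the combination that silently re-enables updates on every policy refresh; the desired state it compares against (automatic updates disabled because the RMM drives patching) is an assumption stated in the code.

```powershell
# Added example: report who really controls Windows Update on this host and flag a GPO
# that schedules automatic installs behind the RMM's back.
function Get-WUPolicyState {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    # Documented meanings of the AUOptions policy value.
    $auMeaning = @{
        2 = 'Notify before download'
        3 = 'Auto download, notify before install'
        4 = 'Auto download and schedule install'
        5 = 'Allow local admin to choose'
    }

    [pscustomobject]@{
        PolicyKeyPresent = [bool]$au            # any AU policy key means GP/MDM is steering WU
        NoAutoUpdate     = $au.NoAutoUpdate     # 1 = automatic updates disabled by policy
        AUOptions        = $au.AUOptions
        AUMeaning        = if ($au.AUOptions) { $auMeaning[[int]$au.AUOptions] } else { $null }
        UseWUServer      = $au.UseWUServer      # 1 = updates come from WSUS at WUServer
        WUServer         = $wu.WUServer
        WuauservStart    = (Get-Service -Name wuauserv).StartType
    }
}

function Test-WUPolicyConflict {
    # Assumed desired state: the RMM owns patching, so policy must not auto-install.
    $state = Get-WUPolicyState
    $findings = @()
    if ($state.PolicyKeyPresent -and $state.NoAutoUpdate -ne 1 -and $state.AUOptions -in 3, 4) {
        $findings += "Policy sets AUOptions=$($state.AUOptions) ($($state.AUMeaning)); " +
                     "gpupdate will re-enable automatic installs regardless of RMM settings."
    }
    if ($state.PolicyKeyPresent -and $null -eq $state.NoAutoUpdate -and $null -eq $state.AUOptions) {
        $findings += "AU policy key exists but sets neither NoAutoUpdate nor AUOptions; " +
                     "Windows falls back to its default automatic behaviour."
    }
    if ($state.UseWUServer -eq 1 -and -not $state.WUServer) {
        $findings += "UseWUServer=1 but no WUServer configured; update scans will fail silently."
    }
    if ($findings.Count -eq 0) { $findings += "No Windows Update policy conflict detected." }
    return $findings
}

Get-WUPolicyState | Format-List
Test-WUPolicyConflict | ForEach-Object { Write-Output $_ }
```

To find which GPO is setting the flagged values, run `gpresult /scope:computer /h report.html` on the affected workstation and search the report for the Windows Update section.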