Windows Patch Management - Exclusion List

Background Information
We have a customer that uses Meraki VPN utilizing the Windows VPN client. We ran into an issue today where a newly released Windows Update caused the Windows VPN client to cease functioning properly.

Root Cause
A newly released Windows security update (KB5009543) caused the issue.

Resolution
Uninstalled KB5009543 and rebooted the computer.

Syncro Requirement
How do we create a Windows Update exception list for a policy? Our goal is to exclude KB5009543 for this particular customer.

5 Likes

You will need to uncheck the SecurityUpdate category in your policy until there’s a fix or actionable workaround. There is no way to exclude specific updates. This update will kill more than just Meraki VPN, I created a post earlier about the 3 patches to watch out for this month.

3 Likes

Do you know a Chocolatey script that we can run to stop this update getting installed?

1 Like

Choco is for 3rd party install/updates. You can’t control Windows Updates with it. Syncro doesn’t care about client-side settings, so your only option is to unselect the category so that it doesn’t get pushed out.

1 Like

This is beta… Not fully vetted, but I spun this up late at night. Use at your own risk… (Although I don’t mind feedback.)

Import-Module $env:SyncroModule

# Temporarily relax the execution policy so the gallery module can be installed and loaded;
# the previous policy is restored at the end of the script.
$priorEP = Get-ExecutionPolicy
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Confirm:$false

# Get-Module without -ListAvailable only sees modules already imported into this session,
# so check the installed modules instead, then import unconditionally.
If ($null -eq (Get-Module -ListAvailable PSWindowsUpdate)) {
    Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted
    Install-Module PSWindowsUpdate -Confirm:$false
}
Import-Module PSWindowsUpdate

# The passed-in value needs to include the text 'KB' at the beginning to function properly.
Log-Activity -Message ("Blocking " + $ToBlock_Include_KB + " from Windows Update.") -EventName "WU Block KB"

# -Hide only marks an update that is not yet installed on the machine.
# -Confirm:$false keeps the hide from prompting when the script runs unattended.
Get-WindowsUpdate -KBArticleID $ToBlock_Include_KB -Hide -Confirm:$false

Set-ExecutionPolicy -ExecutionPolicy $priorEP -Confirm:$false

You have to create a runtime variable: ToBlock_Include_KB

1 Like

Jeremy,
I tried a similar approach, but there are a couple of issues.

- PSWindowsUpdate can only block an update if the update is not installed.
  - You have to uninstall the update, then block it after the reboot.

- Syncro still pushes the update out even if it is blocked!
  - Everything was working great this morning after I pushed out a script that removed the update, rebooted, and then blocked the update.
  - I double-checked and the update was listed as blocked, and running Windows Update showed no available updates.
  - A few hours later Syncro popped up the message box saying that I needed to reboot for updates, and after the reboot the (formerly blocked) update was installed and VPNs were borked again.

2 Likes

Yikes. Guess I’ll need to disable updates in the policy on managed machines for now then. (Original script is targeting employee-owned PCs that work from home using L2TP VPNs…)

Does anybody know what Category KB5009566 and KB5009543 as well as KB5009586 and KB5009624 (Windows Server 2012 Hyper-V issues) fall under? I’m assuming “Security Update.”

1 Like

As far as I know they are all under Security.

1 Like

Yep, just came here to say this. I tried the same approach the last time or two that there was a bad patch and ran into the same thing with Syncro pushing “blocked” patches. I think it would be more accurate to call them “hidden” lol.

1 Like

Syncro just scans for missing patches, and then uses PS commands to push it. Doesn’t use client-side settings, so that’s why the system can’t override Syncro, nor do you typically want that. Hopefully Syncro’s new patch management comes out sooner rather than later. I have seen the patches also listed under “Upgrades” but we have no category for that…

1 Like
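The replies above describe a scanner that looks for missing patches and pushes them with PowerShell, ignoring whatever the client has “hidden”. The following is an added example, not code from the thread and not Syncro’s code, that shows why that is possible: hiding an update is only a flag on the local Windows Update Agent record, and a caller only sees the flag if its search criteria include `IsHidden=0`. It uses the WUA COM API directly; the KB number is an assumed input, and the script must run elevated on the endpoint.

```powershell
# Added example (not from the thread, not Syncro's code). Shows that a "hidden" update is
# only a flag on the local WUA record, honoured only by searches that ask for IsHidden=0.
# Run elevated on the endpoint. The KB number is an assumed input.
param([string]$Kb = "5009543")

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

function Find-KbInSearch([string]$Criteria, [string]$Kb) {
    # Returns the IUpdate for $Kb if the given WUA search criteria surface it, otherwise $null.
    $result = $searcher.Search($Criteria)
    foreach ($u in $result.Updates) {
        foreach ($id in $u.KBArticleIDs) {
            if ($id -eq $Kb) { return $u }
        }
    }
    return $null
}

# What the Windows Update UI (and PSWindowsUpdate's Get-WindowsUpdate by default) asks for:
$visible = Find-KbInSearch "IsInstalled=0 and IsHidden=0" $Kb
# What a scanner that simply asks "what is missing?" gets back: hidden updates included.
$missing = Find-KbInSearch "IsInstalled=0" $Kb

"KB$Kb offered with the IsHidden=0 filter : {0}" -f ($null -ne $visible)
"KB$Kb returned without that filter       : {0}" -f ($null -ne $missing)

# Get-WindowsUpdate -Hide does nothing more than flip this flag on the record:
if ($missing -and -not $missing.IsHidden) {
    $missing.IsHidden = $true
    "KB$Kb is now hidden; re-run the two searches and only the first result changes."
}
```

If the KB is already installed both searches return nothing, which is the ordering problem noted earlier in the thread. An installer that builds its own update collection from a KB list and calls the WUA installer never reads `IsHidden` at all, so a hidden update is no protection against a management agent that targets updates by ID; whether Syncro’s scanner works exactly this way is not something the thread establishes.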

Then this should be really easy for Syncro to give us a simple block list by KB number.

3 Likes

They are working on it, mentioned in the fireside chat.

2 Likes

I’m thankful to hear this. Thanks Jimmie. I have a customer with a similar problem today. No one could get on their Meraki Client VPN. I’m hoping removing the KB here soon will do the trick.

This would be quite the interesting situation with a large company with lots of employees that relied on VPN connectivity. But at least we’d be able to uninstall via script, it seems.

I haven’t tried it, so use at your own risk:

wusa /uninstall /kb:5009543

Source: https://community.meraki.com/t5/Security-SD-WAN/Client-VPN-Error-After-January-Windows-Updates/m-p/137497#M34554%3Futm_source=communitymembers&utm_medium=email&utm_campaign=immediate_general

1 Like

Got my vote for this feature request (the ability to block installation of patches). Seems like a basic thing.

4 Likes

We don’t push drivers to machines that are running fine ESPECIALLY NIC drivers, unless we are prepared to roll a truck.

I can uncheck the DRIVERS category; however, even though nowadays they are automatically deselected in the Windows Server Update settings, the problem is that excluding them is detrimental to the VULNERABLE SYSTEMS REPORT and EXECUTIVE SUMMARY. As a result, we cannot use the report because it says 0 machines fully patched.

I hope they take this into consideration if building a new patch engine.
Have been asking for it going on 3 years now.

RC

2 Likes

This is a reporting issue. The report should consider what is approved and not approved, but it doesn’t look at this info and I’m not sure it’s in the database this way either. When they update WU, I hope they can distinguish between approved, ignored, and denied so that the report can use these fields.

dereks:

Apparently wusa can’t be used to remove that update. More here:

Uninstall security update KB5009543 in Windows 10 - Microsoft Q&A

There’s a replacement PowerShell command in the post, and one respondent said it didn’t work. But I have seen other comments (in other posts) that say it does. So, your mileage may vary.

Works fine. I’ve been using these commands without issue. There’s a new update released to address these patches though, so just apply the optional patch or the replacement patch.

# Remove the January cumulative update for whichever OS the machine is running.
# Get-HotFix writes an error (rather than returning nothing) when the ID is absent, hence -ErrorAction SilentlyContinue.
# /quiet /norestart keep wusa from showing a dialog or rebooting mid-script when this is pushed unattended.
if (Get-HotFix -Id KB5009566 -ErrorAction SilentlyContinue) { wusa /uninstall /kb:5009566 /quiet /norestart }   # Windows 11
if (Get-HotFix -Id KB5009624 -ErrorAction SilentlyContinue) { wusa /uninstall /kb:5009624 /quiet /norestart }   # Windows Server 2012
if (Get-HotFix -Id KB5009543 -ErrorAction SilentlyContinue) { wusa /uninstall /kb:5009543 /quiet /norestart }   # Windows 10
if (Get-HotFix -Id KB5009557 -ErrorAction SilentlyContinue) { wusa /uninstall /kb:5009557 /quiet /norestart }   # Windows Server 2019
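The following is an added example, not code from the thread. It combines the ordering described earlier in the thread (uninstall, reboot, then hide, because an installed update cannot be hidden) with the Get-HotFix/wusa checks just above, and adds a fallback for the case raised a few posts up where wusa declines to remove the update. Assumptions: it runs elevated or as SYSTEM, PSWindowsUpdate is already installed on the machine (for the post-reboot hide), and the input is a bare KB number. The DISM `Remove-WindowsPackage` fallback is my assumption about what a replacement for wusa looks like; it is not taken from the Q&A post linked above.

```powershell
# Added example, not code from the thread. Uninstall the KB (wusa first, DISM package removal
# as an assumed fallback), then register a one-shot startup task that hides the KB after the
# reboot, when it is no longer installed and can actually be hidden.
# Assumes: elevated/SYSTEM, PSWindowsUpdate installed, bare KB number as input.
param([string]$Kb = "5009543")

function Test-KbInstalled([string]$Kb) {
    # Get-HotFix writes an error rather than returning nothing when the ID is absent.
    $null -ne (Get-HotFix -Id "KB$Kb" -ErrorAction SilentlyContinue)
}

function Remove-KbUpdate([string]$Kb) {
    if (-not (Test-KbInstalled $Kb)) {
        Write-Output "KB$Kb is not installed; nothing to remove."
        return $true
    }

    # Attempt 1: wusa, silent and without an automatic reboot, so an unattended run never
    # blocks on a dialog. Exit code 3010 means removed with a reboot pending.
    $p = Start-Process -FilePath 'wusa.exe' -ArgumentList "/uninstall /kb:$Kb /quiet /norestart" -Wait -PassThru
    Write-Output "wusa exit code: $($p.ExitCode)"
    if (-not (Test-KbInstalled $Kb)) { return $true }

    # Attempt 2 (assumption, not from the thread): remove the servicing package directly.
    # Cumulative-update packages are named RollupFix rather than by KB, so match on the
    # package description as well as the name.
    $candidates = Get-WindowsPackage -Online | Where-Object {
        $_.PackageState -eq 'Installed' -and
        ($_.PackageName -like "*KB$Kb*" -or $_.PackageName -like '*RollupFix*')
    }
    $targets = foreach ($c in $candidates) {
        $info = Get-WindowsPackage -Online -PackageName $c.PackageName
        if ($c.PackageName -like "*KB$Kb*" -or $info.Description -like "*KB$Kb*") { $c }
    }
    if (-not $targets) {
        Write-Output "wusa did not remove KB$Kb and no matching servicing package was found."
        return $false
    }
    foreach ($t in $targets) {
        Write-Output "Removing package $($t.PackageName)"
        Remove-WindowsPackage -Online -PackageName $t.PackageName -NoRestart | Out-Null
    }
    return $true
}

function Register-KbHideAtStartup([string]$Kb) {
    # One-shot task: after the reboot the update is no longer installed, so it can be hidden.
    # The task unregisters itself once it has run.
    $cmd = "Import-Module PSWindowsUpdate; " +
           "Get-WindowsUpdate -KBArticleID 'KB$Kb' -Hide -Confirm:`$false; " +
           "Unregister-ScheduledTask -TaskName 'Hide-KB$Kb' -Confirm:`$false"
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$cmd`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName "Hide-KB$Kb" -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
}

if (Remove-KbUpdate $Kb) {
    Register-KbHideAtStartup $Kb
    Write-Output "KB$Kb removed; hide task registered. Reboot to complete."
    # Restart-Computer -Force    # uncomment inside a maintenance window
}
```

As the thread already concluded, hiding only affects what Windows Update itself offers; an RMM that installs missing patches by ID will still push it, so the policy-level category change is still required until a fixed update ships.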

I would LOVE to see that happen as well! Other MSP Partners can do it! Why not Syncro?

2 Likes

Syncro patch management seems more like smoke and mirrors to me. They aren’t really “managing patches” compared to what I’ve seen in other RMM’s.

3 Likes