SCCM 1711 Block a Problematic Windows Update KB

Since MeltUp and SpectreBond007 back in January 2018, things have been complicated from a Windows Update standpoint: some updates had to be blocked from installing on servers or workstations.

Now, best practice is always to have the latest and most expensive OS and all the latest updates installed, but sometimes the business wakes you up at 3 o'clock in the morning with the amazingly good news that you urgently have to rush to the Data Center, because the vNIC of 12.000 servers has been automatically set to DHCP instead of the fixed IPs. This is when you realize you have to hurry and you don't even have time to make a coffee or brush your teeth.

How that got solved will be covered in an upcoming article.


To avoid that kind of cataclysm, the algorithm is very simple: test updates well beforehand and do not rush them into production.

Be aware also that testing is good, but if you have like 3000 Test Servers, you will still get that nice phone call at 3 in the morning.

With that said, test, but don't oversize it!

So how can a KB be denied?

Some very nice folks on the internet share the knowledge of a Custom Severity that can be set. That way some priorities are set to low and the KB in question gets mishandled...

Well, if you go down that path, your contract can end sooner than you expected!

Some people argue about this, but I always think in terms of "Better Safe than Sorry".

Whether you have a small or a large infrastructure, you will have a WSUS somewhere. No matter if it is an Upstream or a Downstream WSUS server, the SCCM Primary Site runs the WU gig for the dancers attached to that site.

So the Software Update Point managing your WU will download and sync the updates from the Upstream Server according to when and what you have set up.

Now, all the Custom Severity will do is temporarily set a red X on the KB inside your SCCM Console. You will expect it to be permanent, but a red X doesn't mean expired; it means the content was downloaded previously but can't be found anymore.

The simple way to decline that KB is to go to your Upstream WSUS (or the one downloading it directly from the WU Catalog) and set it to DECLINED.

If at some point you wish to allow that KB to be deployed, all you have to do is Approve it, and it will be available again for install in your Software Update Groups.
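
One way to script the decline step on the upstream WSUS, as an added example that is not from the original post. It uses the UpdateServices PowerShell module and the WSUS administration API; the helper name `Set-WsusKbDeclined`, the server name, the port and the KB number are assumptions and placeholders.

```powershell
#Requires -Modules UpdateServices
# Added example: decline every revision of one KB on the upstream WSUS.
# Set-WsusKbDeclined is a hypothetical helper name; server, port and KB are placeholders.
function Set-WsusKbDeclined {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\d{6,7}$')]
        [string]$KbNumber,                 # digits only, without the "KB" prefix
        [string]$ServerName = 'localhost', # assumption: run on the upstream WSUS itself
        [int]$Port = 8530,                 # default WSUS HTTP port
        [switch]$UseSsl
    )

    $wsus = Get-WsusServer -Name $ServerName -PortNumber $Port -UseSsl:$UseSsl

    # SearchUpdates is a free-text search, so keep only exact KB article matches.
    $updates = @($wsus.SearchUpdates($KbNumber) |
        Where-Object { $_.KnowledgebaseArticles -contains $KbNumber })

    if ($updates.Count -eq 0) {
        Write-Warning "KB$KbNumber not found on $ServerName. Has it synced yet?"
        return
    }

    foreach ($update in $updates) {
        $action = 'AlreadyDeclined'
        if (-not $update.IsDeclined) {
            $action = 'Skipped'
            if ($PSCmdlet.ShouldProcess($update.Title, 'Decline')) {
                $update.Decline()
                $action = 'Declined'
            }
        }
        # One result row per matching update, so the run can be logged or reviewed.
        [pscustomobject]@{
            Title  = $update.Title
            KB     = "KB$KbNumber"
            Action = $action
        }
    }
}

# Preview first (0000000 is a placeholder KB number).
Set-WsusKbDeclined -KbNumber '0000000' -WhatIf
```

Drop `-WhatIf` to apply the change once the preview lists only the updates you expect.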


OK, that's it for now, as a customer just came in asking if SCCM can manage Coffee Machines.