Remove Windows updates from the list of available updates in Puppet Enterprise patch management

You might want to remove Windows updates from the list of available updates in PE patch management and/or puppetlabs-patching_as_code; the best way is to manage Windows patching by creating an auto-approval rule in WSUS which allows you to remove updates from the list. At this point, you can point clients directly at Windows Update for patching.

Note: We cannot troubleshoot third-party software.

However, if you can’t use WSUS, you can hide Windows updates on Windows agents using PowerShell commands.

Version and installation information

PE version: All supported versions
OS: Windows

Solution

Hide KB updates by completing the following steps with elevated privileges on affected Windows nodes in PowerShell.

1. Install the PowerShell PSWindowsUpdate module by running Install-Module PSWindowsUpdate
2. Show the available updates by running Get-WindowsUpdate
3. To hide an update, run Hide-WindowsUpdate -KBArticleID <KBNUMBER> where KBNUMBER is the KB update you’d like to hide. For example, Hide-WindowsUpdate -KBArticleID KB5007206
4. To refresh the list of updates, reboot.

During the next puppet run, the KB update you specified is omitted from the list of available updates in the pe_patch section of the agent’s facts.

To make the process easier, you can script these steps and add them as a task in Puppet Enterprise that accepts a KB number as a parameter.