Microsoft releases cumulative updates monthly, but not every patch is safe to deploy immediately. Some updates can break applications, disrupt workflows, or cause stability issues on client devices. MSPs and IT admins often need a way to block a specific Windows update while keeping the rest of the patch cycle on schedule. Each Windows update is identified by a unique Knowledge Base (KB) number, which makes it possible to target and block only the problematic patch.
By using tools like PowerShell, Group Policy, Registry edits, and RMM scripting, you can selectively stop problematic KBs without pausing Windows Update entirely. This keeps endpoints secure with the latest fixes while preventing known bad patches from causing downtime.
Guide to blocking a specific Windows update without pausing patch cycles
📌 Prerequisites:
- Devices must be running Windows 10, Windows 11, or Windows Server 2016.
- You need administrator rights on local or remote endpoints to block or defer updates.
- PowerShell 5.1 or higher must be available to run scripts for hiding or unhiding specific KB updates.
- Access to the Windows Registry is required if you plan to configure update blocks manually.
- Group Policy Management Console (GPMC) should be available in domain environments for enforcing update rules at scale.
- Optionally, an RMM platform such as NinjaOne can be used to deploy scripts, enforce policies, and report on blocked updates across client devices.
Method 1: Block a specific Windows update using PowerShell
You can use PowerShell to hide a single problematic KB so it will not install, while allowing all other updates to proceed normally.
📌 Use Cases:
- This method lets you prevent a known bad KB from installing this month’s patch cycle without pausing updates.
- You can use this to unhide the KB later after Microsoft issues a fix or when your testing clears it.
📌 Prerequisites:
- Administrator rights on the endpoint or via your RMM
- PowerShell 5.1 or higher with internet access to install the PSWindowsUpdate module
- The exact KB number you want to block
Here are the steps to use PowerShell to block a specific Windows update:
- Open PowerShell and install the module using this command:
Install-Module PSWindowsUpdate -Force
- Next, use this command to list pending updates and confirm the KB number:
Get-WindowsUpdate -MicrosoftUpdate
- Subsequently, use this code to hide the specific KB (replace KB5000000 with your target) so it will not install:
Get-WindowsUpdate -KBArticleID KB5029263 | Hide-WindowsUpdate -Confirm:$false
- To view hidden updates, use this:
Get-WindowsUpdate -IsHidden
- To unhide, use this command:
Hide-WindowsUpdate -KBArticleID ‘KB5000000’ -MicrosoftUpdate -Hide:$false -Confirm:$false
Method 2: How to use Microsoft’s wushowhide.diagcab tool to block specific updates
The wushowhide.diagcab tool lets you manually block specific Windows updates without pausing the entire patch cycle. It’s good for use in individual machines, but not for automation or deployment at scale.
📌 Use Cases:
- You can use this to manually hide a problematic update on a standalone device.
- This is a lightweight option for technicians when an RMM tool or Group Policy is unavailable.
📌 Prerequisites:
- You’ll need local administrator rights on the endpoint.
- Download of the wushowhide.diagcab tool from Microsoft.
Use the wushowhide.diagcab tool via these steps:
- Download wushowhide.diagcab from Microsoft’s site.
- Run the tool and follow the on-screen prompts to scan for available updates.
- Select the problematic update and choose Hide update to block it.
Method 3: Block updates via GPO or Registry (driver example)
If a Windows update keeps pushing an unwanted driver, you can block it by targeting its hardware ID. You can do this via GPO or the Registry.
📌 Use Cases:
- You can use this to prevent Windows from automatically reinstalling a problematic driver.
- Apply consistent driver blocking across managed endpoints.
📌 Prerequisites:
- Administrator rights and access to the Group Policy Management Console (for domain devices) or Registry Editor (for standalone devices)
- The hardware ID of the driver you want to block, which can be found in Device Manager > Device Properties > Details tab > Hardware IDs
To use Group Policy to block a specific Windows update, use these steps:
- Open the Group Policy Editor and navigate to:
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions.
- Enable Prevent installation of devices that match any of these device IDs. To remove the policy, you can set it back to Not Configured or Disabled.
- Add the hardware IDs of the driver you want to block.
You can perform the Registry method by running this code on PowerShell:
| New-Item -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions” -Force Set-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions” -Name “DenyDeviceIDs” -Value “PCI\VEN_8086&DEV_1234” |
To undo the change, follow these steps:
- Open Registry Editor.
- Go to: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions
- Delete the DenyDeviceIDs entry, or remove the entire Restrictions key.
- Reboot your computer so the changes can take effect.
⚠️ Warning: Be sure to use this method carefully. Blocking by hardware ID will prevent Windows from reinstalling the driver properly until the policy or registry entry is removed.
Method 4: Use Registry to log or tag blocked updates
You can log which KBs have been blocked by writing them into the Registry. This gives technicians or RMM tools a local record to validate against during audits or compliance checks.
📌 Use Cases:
- Keep a simple local record of blocked KBs on each endpoint.
- Provide RMMs with a reliable key to query for compliance reporting.
📌 Prerequisites:
- Administrator rights to create or edit Registry keys under HKLM
- Consistent naming conventions for Registry entries (e.g., KB numbers as value names)
Here’s how to use the Registry to log or tag blocked updates:
- To create a Registry key to hold blocked KBs, run this command:
New-Item -Path “HKLM:\SOFTWARE\Org\UpdateExclusions” -Force
- Next, add the KB number you want to track:
Set-ItemProperty -Path “HKLM:\SOFTWARE\Org\UpdateExclusions” -Name “KB5029263” -Value “Blocked”
- Here’s how to record when the block was last updated:
Set-ItemProperty -Path “HKLM:\SOFTWARE\Org\UpdateExclusions” -Name “LastUpdated” -Value (Get-Date).ToString(“u”)
- To validate, you can run this on the Command Prompt:
reg query HKLM\SOFTWARE\Org\UpdateExclusions
Method 5: Use Windows Update for Business (WUfB) policies to delay updates (optional)
Windows Update for Business lets you delay certain types of updates through Group Policy. This does not block an individual KB, but it allows you to pause entire categories of updates until you’ve had time to test them.
📌 Use Cases:
- This lets you delay feature or quality updates across devices for testing before a broad rollout.
- You can use this to add a buffer period to catch issues without disabling Windows Update.
📌 Prerequisites:
- You will need Windows Pro, Enterprise, or Education edition (WUfB is not available on Home).
- Access to the Group Policy Management Console (GPMC).
Here’s how you can use Windows Update for Business (WUfB) policies to prevent updates for the time being:
- Open the Group Policy Editor.
- Navigate to:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business.
- Configure these policies:
- Select when Quality Updates are received
- Select when Feature Updates are received
- Set the number of days to defer each type of update based on your patching strategy.
⚠️ Things to look out for
| Risks | Potential Consequences | Reversals |
| Blocking the wrong KB | May stop critical security fixes from being applied | Unhide the KB with PowerShell or wushowhide and allow Windows Update to install it. |
| Overusing WUfB or GPO delays | Devices may fall behind on cumulative updates, leaving gaps in protection. | Adjust or disable the policy to resume normal update flow. |
| Registry entries misconfigured | Can cause updates or drivers to fail unexpectedly | Remove or correct the Registry keys and restart the device. |
Additional considerations when blocking specific Windows updates
Watch for supersession
Some blocked KBs may be replaced by newer rollups. Check each month’s updates and reblock the new KB if needed.
Reporting
Use event logs and Windows Update logs with the Get-WindowsUpdateLog command to confirm that updates are being suppressed correctly.
Third-party patch tools
Be cautious of conflicts if you are also using WSUS, Intune, or third-party patch management. These tools may override or bypass manual blocks.
Dependencies
Some Windows updates require prerequisites. Blocking one update can delay others until the dependency is installed.
Troubleshooting issues related to blocking specific Windows Updates
Update still installs
Check if the KB was replaced by a newer rollup or delivered through another update bundle. If necessary, reblock the superseding KB.
Hide-WindowsUpdate not working
Confirm that the PSWindowsUpdate module is up to date and that PowerShell is running with administrator rights.
Device ID block ineffective
Validate that you are using the correct hardware ID. Run pnputil /enum-devices /connected to list IDs and confirm accuracy.
Registry not applying
Double-check the Registry path, data type, and permissions. Make sure the key is created under HKLM and not HKCU.
NinjaOne services for blocking specific Windows updates
| What NinjaOne can do | What it is | How it helps |
| KB-specific hide scripts | Deploys PowerShell hide commands via its automation policies | This lets you block targeted KBs at scale on various endpoints without manual effort. |
| Registry audit | Checks Registry keys for blocked update markers | It confirms which endpoints have exclusions. |
| Endpoint tagging | Tags devices with temporary exclusions | Makes it easy to track which systems are holding back a KB |
| Alerts on reclassified updates | Triggers alerts if an excluded update installs after supersedence | This makes sure blocked patches don’t slip back in through rollups. |
| Reporting update compliance | Reports update status while honoring exclusions | MSPs can isolate problematic updates without disrupting organization-wide patch hygiene. |
Block specific updates and maintain stability while keeping patch cycles on track
Blocking individual Windows updates is essential when stability or compatibility is at risk, especially if updates can hinder tools and workflows your technicians use. By targeting specific KBs instead of pausing patching altogether, MSPs and IT admins can keep devices secure while avoiding downtime from problematic and disruptive updates.
Related topics:
- 4 Ways to Easily Disable Windows Updates in Windows 10
- How to Turn On or Off Show Windows Update Restart Notifications in Windows 10
- How to Clear Windows Update History in Windows 10 and Windows 11
- Guide to Diagnosing Windows Update Issues Using PowerShell
- How to Turn On or Off Windows Update Delivery Optimization in Windows 11
