Declining MECM updates that aren’t visible in WSUS

Ever need to decline an update or updates from MECM, and then get stuck because the update isn’t visible in the WSUS console?

This is pretty common with items from 3rd party catalogs, but sometimes you know exactly which update you want to get rid of and don’t want to scroll through all the updates in the WSUS console to find it?

As is so often the case, PowerShell to the rescue! 😃

You’ll need access to both the ConfigurationManager and UpdateServices modules, and the account you’re running the script as will need at least Read access to Software Updates in MECM and membership in the WSUS Administrators group on the WSUS server that your root SUP talks to.

The ConfigurationManager module comes with the MECM Console install, and the UpdateServices module is part of the WSUS RSAT feature. Or if you’re feeling fancy, you can implicit remote these from your site server. 😃

The embedded code (thanks Gist!) is a rough sketch that will do the trick for you; the first few lines will need to be customized for your environment per the comments.

Down on line 36 is where you’ll put the article ID of the update you want to decline. PLEASE BE CAUTIOUS HERE as some vendors will use the same article ID for multiple updates.

You can modify the Get-CMSoftwareUpdate section to go by other attributes; the important bit is that the CI_UniqueID of the CMSoftwareUpdate is the UpdateID that Get-WSUSUpdate is looking for.