Introduction
KB exclusions tell Level's automated patching to skip specific Windows updates. You identify the update by its KB number, add an optional description for context, and set an expiration date (or leave it permanent). Once added, the exclusion applies across every Windows device in your organization.
Use it when a Microsoft update is known to cause problems: a patch that triggers blue screens, breaks line-of-business software, or creates compatibility issues you haven't resolved yet.
⚠️ WARNING: A KB exclusion only stops Level from installing the update through its own patching pipeline. It does not hide the update from Windows, and it does not block a user with local admin rights from installing the update manually through the Windows Update UI.
What KB Exclusions Do (and Don't Do)
A KB exclusion is a flag stored on Level's side. When Level's automated patching evaluates available updates for a device, it filters out any KB on the exclusion list before installing. That's the whole mechanism.
An exclusion does not:
Call Windows' IsHidden API on the update
Write any registry keys related to the excluded KB
Modify Windows Update settings directly
Block a manual install initiated through the Windows Update UI
How KB Exclusions Interact with Managed Devices
A device under a Level patch policy has Windows automatic updates turned off. When the agent confirms the device is being patched by Level, it disables Windows' built-in automatic update behavior by writing the AU policy registry keys. That's a single global switch ("Level owns the schedule"), applied broadly, not per-KB.
Combine that policy with a KB exclusion, and here's the practical effect on a managed Windows device:
Windows won't install the update automatically, because automatic updates are off via policy.
Level's automated patching skips the update, because it's on the exclusion list.
A user with local admin can still install it manually by opening Settings → Windows Update → Check for updates and clicking install. The exclusion doesn't gate that path.
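A device-side check for the gap described above, as an added example (not Level's own code): it uses the Windows Update Agent COM API and Get-HotFix to report whether an excluded KB is already installed and whether Windows still offers it unhidden. The function name Test-ExcludedKb is hypothetical, and the KB number passed in is the sample from this page.

```powershell
# Added example; Test-ExcludedKb is a hypothetical helper, not a Level cmdlet.
function Test-ExcludedKb {
    param([Parameter(Mandatory)][string[]]$KbNumber)  # numeric portion only

    # Windows Update Agent COM API. Online = $false reads the local cache
    # instead of starting a new scan against the update service.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $searcher.Online = $false

    # Updates Windows still offers to this device and has NOT hidden.
    $visible = @()
    try { $visible = @($searcher.Search('IsInstalled=0 and IsHidden=0').Updates) }
    catch { Write-Warning "Offline search failed: $($_.Exception.Message)" }

    # Local Windows Update history (installs made through the update agent).
    $total   = $searcher.GetTotalHistoryCount()
    $history = if ($total -gt 0) { @($searcher.QueryHistory(0, $total)) } else { @() }

    foreach ($kb in $KbNumber) {
        $id     = "KB$kb"
        $hotfix = Get-HotFix -Id $id -ErrorAction SilentlyContinue

        # Operation 1 = installation, ResultCode 2 = succeeded.
        $install = $history | Where-Object {
            $_.Title -match "\b$id\b" -and $_.Operation -eq 1 -and $_.ResultCode -eq 2
        } | Sort-Object Date -Descending | Select-Object -First 1

        [pscustomobject]@{
            KB                = $id
            Installed         = [bool]($hotfix -or $install)
            InstalledOn       = if ($install) { $install.Date } else { $hotfix.InstalledOn }
            InstalledBy       = $hotfix.InstalledBy
            InstallClient     = $install.ClientApplicationID
            OfferedAndVisible = [bool]($visible | Where-Object { @($_.KBArticleIDs) -contains $kb })
        }
    }
}

# Sample call using the KB number from this page's example.
Test-ExcludedKb -KbNumber '5035791' | Format-Table -AutoSize
```

OfferedAndVisible set to True for an excluded KB confirms the update is still exposed in the Windows Update UI; InstalledBy and InstallClient help tell a manual install apart from an automated one.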
Adding a KB Exclusion
Navigate to Workspace → KB exclusions in the left sidebar, then click + Add exclusion in the top right.
The Add exclusion dialog opens.
Enter the KB number in the KB number field. Enter only the numeric portion — the KB prefix is already included. For example, enter 5035791 not KB5035791.
Optionally, add a note in the Description field explaining why the update is excluded. This shows up in the exclusions list and is useful context for other technicians.
Set an Expiration date or leave it as Never.
Click Add exclusion.
💡 TIP: Use the Description field to document why the update was excluded and link to a vendor advisory or support ticket if you have one. You'll thank yourself later when you're reviewing old exclusions.
ℹ️ NOTE: Expiration options are relative to the time you create the exclusion — "7 days" means 7 days from now, not 7 days from the update's release date.
Expiration Options
Option | What it means |
Never | Exclusion stays active until you manually remove it |
7 days | Automatically expires 7 days from creation |
14 days | Automatically expires 14 days from creation |
30 days | Automatically expires 30 days from creation |
60 days | Automatically expires 60 days from creation |
90 days | Automatically expires 90 days from creation |
When an exclusion expires, the update becomes eligible to install on devices again — Level won't notify you when this happens.
⚠️ WARNING: If you're blocking an update due to a serious compatibility issue, set Never (or a long window) rather than a short expiration. Devices will attempt to install the previously excluded update as soon as the exclusion expires.
Managing Existing Exclusions
The KB exclusions page lists all active exclusions with four columns: KB number, Description, Excluded (the date the exclusion was created), and Expires.
Click the three-dot menu at the end of any row to edit or remove an exclusion.
ℹ️ NOTE: Removing an exclusion makes the update eligible to install on devices again. If you want to keep the exclusion active temporarily while you resolve the underlying issue, editing the expiration is a better option than removing and recreating.
FAQ
Does a KB exclusion apply to all devices, or can I target specific groups?
KB exclusions are organization-wide. Every Windows device in your organization will be skipped by Level's automated patching for any KB on the list. There's no group-scoped exclusion. If you need to allow an update on some devices but not others, manage that through automation logic or manual install rather than exclusions.
Can a user with local admin still install an excluded update?
Yes. The exclusion lives in Level, not in Windows. If a local admin opens Settings → Windows Update, clicks Check for updates, and installs the update, Windows will install it. The only way to block that path today is to restrict local admin rights on the device.
I added an exclusion but the update still installed on a device. Why?
Usually one of two things happened. The update was already installed before you added the exclusion (exclusions don't roll back what's already there), or a user with local admin rights installed it manually through the Windows Update UI. Exclusions only stop Level's automated patching from pushing the update.
What happens when an exclusion expires?
The update becomes eligible for Level's automated patching again. Devices will pick it up on the next patching run. Level won't alert you when an exclusion expires, so set a calendar reminder, or use Never if you want explicit control over when the block lifts.
Can I exclude macOS or Linux updates with KB exclusions?
No. KB numbers are a Windows-specific concept, and the exclusion list only applies to Windows updates. For macOS and Linux, control update behavior through the Install macOS Updates Action and Install Linux Updates Action.
Who can create and manage KB exclusions?
Technicians with access to Workspace settings. See Workspace → Permissions for details on role-based access.



