Introduction
KB exclusions let you block specific Windows updates from installing on any device in your organization. You identify the update by its KB number, add an optional description for context, and set an expiration date (or leave it permanent). Once added, the exclusion applies globally across your devices.
This is useful when an update causes known issues β a bad patch that triggers blue screens, breaks line-of-business software, or creates compatibility problems you haven't resolved yet.
Adding a KB Exclusion
Navigate to Workspace β KB exclusions in the left sidebar, then click + Add exclusion in the top right.
The Add exclusion dialog opens.
Enter the KB number in the KB number field. Enter only the numeric portion β the
KBprefix is already included. For example, enter5035791notKB5035791.Optionally, add a note in the Description field explaining why the update is excluded. This shows up in the exclusions list and is useful context for other technicians.
Set an Expiration date or leave it as Never.
Click Add exclusion.
π‘ TIP: Use the Description field to document why the update was excluded and link to a vendor advisory or support ticket if you have one. You'll thank yourself later when you're reviewing old exclusions.
βΉοΈ NOTE: Expiration options are relative to the time you create the exclusion β "7 days" means 7 days from now, not 7 days from the update's release date.
Expiration Options
Option | What it means |
Never | Exclusion stays active until you manually remove it |
7 days | Automatically expires 7 days from creation |
14 days | Automatically expires 14 days from creation |
30 days | Automatically expires 30 days from creation |
60 days | Automatically expires 60 days from creation |
90 days | Automatically expires 90 days from creation |
When an exclusion expires, the update becomes eligible to install on devices again β Level won't notify you when this happens.
β οΈ WARNING: If you're blocking an update due to a serious compatibility issue, set Never (or a long window) rather than a short expiration. Devices will attempt to install the previously excluded update as soon as the exclusion expires.
Managing Existing Exclusions
The KB exclusions page lists all active exclusions with four columns: KB number, Description, Excluded (the date the exclusion was created), and Expires.
Click the three-dot menu at the end of any row to edit or remove an exclusion.
βΉοΈ NOTE: Removing an exclusion makes the update eligible to install on devices again. If you want to keep the exclusion active temporarily while you resolve the underlying issue, editing the expiration is a better option than removing and recreating.
FAQ
Does a KB exclusion apply to all devices, or can I target specific groups? KB exclusions are organization-wide. Every device in your organization will skip the excluded update. There's no group-scoped exclusion β if you need to allow an update on some devices but not others, you'd need to manage that through automation logic or manual installation rather than exclusions.
What happens when an exclusion expires? The update becomes eligible to install again. Devices will pick it up on their next update cycle. Level won't alert you when an exclusion expires, so set a calendar reminder or use a "Never" expiration if you need explicit control over when the block lifts.
Can I exclude macOS or Linux updates with KB exclusions? KB numbers are a Windows-specific concept. KB exclusions only apply to Windows updates.
I added an exclusion but the update still installed on a device. Why? The exclusion only prevents future installations. If the update was already installed before you added the exclusion, it stays installed β the exclusion doesn't trigger a rollback.
Who can create and manage KB exclusions? Technicians with access to Workspace settings. See Workspace β Permissions for details on role-based access.