How to Rollback a Patch using SCCM | Uninstall Windows Update using ConfigMgr

ByPrajwal Desai Hours

In this article, I will explain how to rollback a patch using SCCM. We will look at the procedure to uninstall Windows update using ConfigMgr on remote Windows 10/11 computers.

I often get emails asking how do I roll back a patch in SCCM? Over the period of time, I realised that most ConfigMgr administrators were finding it difficult to remove a patch. To save you time, I decided to publish a guide that will cover the steps to rollback a patch update using SCCM.

On Windows systems, there are a variety of reasons why you might want to roll back an installed update. Let’s imagine you installed a set of updates on your Windows computers, but one of them is actually causing problems across the board. You’ve been instructed to locate that update and remove it from all systems.

To accomplish that, you must locate that update; finding it may require much debugging. Once you’ve done that, you should remove it from all systems. There is a simple procedure to do this and I will explain in the next section.

Configuration Manager makes it easier to deploy software updates and even rollback the software updates on Windows computers. Make sure the Configuration Manager client is installed on the computers before you attempt to rollback patches.

Ways to Uninstall Windows Update using ConfigMgr

Broadly, there are three ways to rollback Windows update using ConfigMgr:

  • Use custom Task Sequence with a run command line
  • Use a PowerShell script to rollback the required patch
  • Create a program and remove the patch using a VB script

The task sequence approach of uninstalling a patch appears to be simpler than utilising a script. Although there are numerous PowerShell scripts available, some of them might not be effective for you in uninstalling updates. In this post, we’ll show you how to uninstall a patch from a remote Windows computer using a custom task sequence.

How to Rollback a Patch using SCCM (ConfigMgr)

We will use the following steps to rollback a patch using SCCM.

  1. Identify the update that needs to be uninstalled.
  2. Create a custom task sequence to rollback a patch.
  3. Deploy the task sequence to SCCM collection.

1. Identify the update for Rollback

The first step in uninstalling an update using SCCM involves identifying the update. An update can be identified with its KB number, which is a unique number assigned by Microsoft.

Use the following steps to identify the KB Update for Rollback:

  • Launch the Control Panel on your computer.
  • Go to Programs > Programs and Features > Installed Updates.
  • From the list of installed updates, look for the update that you wish to uninstall and note down the KB number. For instance, the KB3004394 is the one that we will rollback using SCCM.
Identify the update | Rollback a Patch using SCCM
Identify the update | Rollback a Patch using SCCM

2. Create a Custom Task Sequence for Patch Rollback

Once you have identified the KB number of the patch that you want to rollback using SCCM, the next step is to create a custom task sequence in SCCM. The custom task sequence allows you to add the Run Command Line step, and here you can use the WUSA.exe command line utility to rollback the patch.

In the Configuration Manager console, navigate to Software Library > Overview > Operating Systems > Task Sequences. Right-click the Task Sequences node, and select Create Task Sequence.

Create a Custom Task Sequence | Rollback a Patch using SCCM
Create a Custom Task Sequence | Rollback a Patch using SCCM

From the list of TS options, select Create a new custom task sequence and click Next.

Create a Custom Task Sequence | Rollback a Patch using SCCM
Create a Custom Task Sequence | Rollback a Patch using SCCM

For the custom task sequence, specify a Task sequence name. You may add a brief description about what this TS is about. Make sure you don’t select any boot image for this task sequence, as it’s not required. Click Next.

Create a Custom Task Sequence | Rollback a Patch using SCCM
Create a Custom Task Sequence | Rollback a Patch using SCCM

The Summary page shows the task sequence details and configuration. Click Next.

Create a Custom Task Sequence in SCCM
Create a Custom Task Sequence in SCCM

On the Completion page of task sequence wizard, click Close. This completes the steps to create the custom task sequence in SCCM.

Create a Custom Task Sequence in SCCM
Create a Custom Task Sequence in SCCM

The task sequence that you created in the above step was a blank TS. It doesn’t do anything because we haven’t added any instructions for the task sequence. We will do that now. Right-click on the custom task sequence that you created, select Edit. In the task sequence editor, select Add > General > Run Command Line.

Task Sequence Run Command Line | Rollback a Patch using SCCM
Task Sequence Run Command Line | Rollback a Patch using SCCM

In the command line type wusa.exe /uninstall /kb:KBNUMBER/quiet /norestart. Click OK. Make sure to substitute the KB number with the one that you wish to rollback. The task sequence is now ready for the deployment.

If you are looking for the command explanation, here it is:

  • wusa.exe: Windows Update Standalone Installer executable.
  • /uninstall: The installer will uninstall the package.
  • /kb:KBNUMBER: Install/Uninstall the package associated with KBNumber.
  • /quiet: quiet mode, no user interaction here. Uninstalls the patch silently.
  • /norestart: Will not initiate reboot when combined with quiet mode.
Rollback a Patch using SCCM
Rollback a Patch using SCCM

3. Deploy the Task Sequence to Rollback a Patch

We are now ready with the task sequence which will rollback or uninstall the patch from the computers. Right-click the Task sequence and select Deploy. On the General page, click on Browse and choose the collection to target the task sequence. Click Next.

Deploy the Task Sequence to Rollback a Patch
Deploy the Task Sequence to Rollback a Patch

On the Deployment Settings page, specify how you want to deploy the task sequence. The action is set to install, and you have to select the purpose. Select the purpose as required and click Next. Refer to the following article to know the difference between Available and Required deployment options in SCCM.

Deploy the Task Sequence to Rollback a Patch
Deploy the Task Sequence to Rollback a Patch

On the Scheduling tab, you can specify a schedule for the task sequence deployment. Based on the schedule that you configure, the update is uninstalled from the computers. Click Next.

Deploy the Task Sequence to Rollback a Patch
Deploy the Task Sequence to Rollback a Patch

Configure the required option for distribution points and click Next.

Deploy the Task Sequence to Rollback a Patch
Deploy the Task Sequence to Rollback a Patch

Review the TS deployment settings on the Summary page and click Close on Completion.

Deploy the Task Sequence to Rollback a Patch
Deploy the Task Sequence to Rollback a Patch

4. Verify Patch Uninstallation using SCCM

After you have deployed the task sequence to rollback a patch using SCCM, we will verify the deployment on our computers. Log in to the client computer (Windows 10 or Windows 11). Launch the Software Center. We see that the task sequence execution is already completed and the patch removal is successful.

Verify Patch Uninstallation using SCCM
Verify Patch Uninstallation using SCCM

Another way to verify if the patch is uninstalled using SCCM is to review the smsts.log file located on the client machine. In the smsts.log, the following line confirms that the patch has been uninstalled successfully.

Successfully completed the action (Run Command Line) with the exit win32 code 3010
Verify Patch Uninstallation using SCCM
Verify Patch Uninstallation using SCCM
Avatar photo

Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Azure, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.

26 Comments

  1. Avatar photo Khaldoun Ahmad says:

    Hello Brajwal,

    If i pushed a task sequence to remove a specifc KB while this KB is already pushed using ADR, does this guarantee that the KB will not be installed again using the ADR?

    Reply
  2. Avatar photo Christopher L Gatling says:

    the wusa uninstall command quiet mode does not work on server 2016 or 2019. do you know of a way to quietly remove updates from 2016/2019?

    Reply
  3. Avatar photo Aditi Vaidya says:

    The command with /quiet option do not work for Win 2019 server. When tried without /quiet it works. How do I uninstall the update with no user interaction on win 2019 servers?

    Reply
    1. Avatar photo Fernando Castor says:

      Hi.
      Now with acumulatives updates this comando doesnt works.

      Try with command – dism /Online /Remove-Package /PackageName

      For me works very well

      Reply
  4. Avatar photo Sarfraz Aslam says:

    I tried it to remove a June 2020 Windows 10 update. But in the software center the status is installing but nothing is happening. Also, checked the smsts.log, could not find anything.
    Task Sequence command is :
    c:\windows\system32\wusa.exe /uninstall /kb:4561602 /quiet /norestart

    Reply

  5. Hi Prajwal, Once you remove the KB with the Task Sequence, do you need to do anything to make sure it will not be installed again with the software update deployments? I have an issue with in KB only in one country

    Reply
  6. Avatar photo imambasha says:

    Hi , Can we remove patch from application and package model?if is a possible please provide me information both process.

    Reply
  7. Avatar photo Narendra Negi. says:

    I am trying to patch uninstallation command in windows10 Operating System it it not accepting this command.

    I tested this command on single system also it is getting error.

    Windows update could not be uninstalled because of error 2147942487 “The parameter is incorrect.” (Command line: “C:WINDOWSsystem32wusa.exe /uninstall /kb4230204.msu /quiet /log”).

    Reply

    1. That is because when you use /log switch, you have to provide the path for log file

      Reply
      1. Avatar photo Narendra Negi. says:

        I also tried command without /log still getting error.

        I tried command for both OS windows 7 and Windows 10 C:WINDOWSsystem32wusa.exe /uninstall /kb4230204 /quiet /norestart

        In windows7 is working but not working on windows10 please assist me.

        Reply

        1. It should be /kb:4230204

          Reply
      2. Avatar photo imambasha says:

        Can we remove the patch from application and package model? If is a possible please provide me process in package model.

        Reply

    2. I think there are missing after WINDOWS and system32. So it should be “C:WINDOWSsystem32wusa.exe /uninstall /kb4230204.msu /quiet /log” and maybe exclude the /log as per Prajwal’s comments.

      Reply
  8. Avatar photo Arindam Ganguly says:

    Hello ,

    I followed these steps to uninstall a KB on Windows 10 and the exit code is 87.
    Executing command line: smsswd.exe /run: wusa.exe /uninstall /kb:3163912 /quiet /norestart TSManager 8/8/2016 12:21:23 PM 768 (0x0300)
    [ smsswd.exe ] InstallSoftware 8/8/2016 12:21:24 PM 4540 (0x11BC)
    PackageID = ” InstallSoftware 8/8/2016 12:21:24 PM 4540 (0x11BC)
    BaseVar = ”, ContinueOnError=” InstallSoftware 8/8/2016 12:21:24 PM 4540 (0x11BC)
    ProgramName = ‘wusa.exe /uninstall /kb:3163912 /quiet /norestart’ InstallSoftware 8/8/2016 12:21:24 PM 4540 (0x11BC)
    SwdAction = ‘0001’ InstallSoftware 8/8/2016 12:21:24 PM 4540 (0x11BC)
    Command line for extension .exe is “%1” %* InstallSoftware 8/8/2016 12:21:24 PM 4540 (0x11BC)
    Set command line: Run command line InstallSoftware 8/8/2016 12:21:24 PM 4540 (0x11BC)
    Working dir ‘not set’ InstallSoftware 8/8/2016 12:21:24 PM 4540 (0x11BC)
    Executing command line: Run command line InstallSoftware 8/8/2016 12:21:24 PM 4540 (0x11BC)
    Process completed with exit code 87 InstallSoftware 8/8/2016 12:21:24 PM 4540 (0x11BC)
    Command line returned 87 InstallSoftware 8/8/2016 12:21:24 PM 4540 (0x11BC)
    Process completed with exit code 87 TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    !——————————————————————————————–! TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Failed to run the action: Remove Update KB3163912.
    The parameter is incorrect. (Error: 00000057; Source: Windows) TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Set authenticator in transport TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Set a global environment variable _SMSTSLastActionRetCode=87 TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Set a global environment variable _SMSTSLastActionSucceeded=false TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Clear local default environment TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    The execution engine ignored the failure of the action (Remove Update KB3163912) and continues execution TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Set authenticator in transport TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Updated security on object C:_SMSTaskSequence. TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Set a global environment variable _SMSTSNextInstructionPointer=1 TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Set a TS execution environment variable _SMSTSNextInstructionPointer=1 TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Set a global environment variable _SMSTSInstructionStackString= TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Set a TS execution environment variable _SMSTSInstructionStackString= TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Save the current environment block TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Set a global environment variable _SMSTSLastActionRetryCount=0 TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    The task exeuction engine successfully completed the execution TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Set authenticator in transport TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    **************************************************************************** TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Execution engine result code: Success (0) TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Cleaning Up. TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Removing Authenticator TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Cleaning up task sequence folder TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Unable to delete file C:_SMSTaskSequenceTSEnv.dat (0x80070005). Continuing. TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Failed to delete directory ‘C:_SMSTaskSequence’ TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    SetNamedSecurityInfo() failed. TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    SetObjectOwner() failed. 0x80070005. TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    RemoveFile() failed for C:_SMSTaskSequenceTSEnv.dat. 0x80070005. TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    RemoveDirectoryW failed (0x80070091) for C:_SMSTaskSequence TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Deleting volume ID file C:_SMSTSVolumeID.7159644d-f741-45d5-ab29-0ad8aa4771ca … TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Successfully unregistered Task Sequencing Environment COM Interface. TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Executing command line: “C:WindowsCCMTsProgressUI.exe” /Unregister TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    ==========[ TsProgressUI started in process 4432 ]========== TsProgressUI 8/8/2016 12:21:24 PM 3752 (0x0EA8)
    Command line: “C:WindowsCCMTsProgressUI.exe” /Unregister TsProgressUI 8/8/2016 12:21:24 PM 3752 (0x0EA8)
    Unregistering COM classes TsProgressUI 8/8/2016 12:21:24 PM 3752 (0x0EA8)
    Unregistering class objects TsProgressUI 8/8/2016 12:21:24 PM 3752 (0x0EA8)
    Shutdown complete. TsProgressUI 8/8/2016 12:21:24 PM 3752 (0x0EA8)
    Process completed with exit code 0 TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Successfully unregistered TS Progress UI. TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Start to cleanup TS policy TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    End TS policy cleanup TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Task Sequence Manager ServiceMain finished execution. TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Task Sequence Manager service will be reconfigured TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Task Sequence Manager service reconfigured successfully TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Sending success status message TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Set authenticator in transport TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    RegQueryValueExW is unsuccessful for SoftwareMicrosoftSMSTask Sequence, SMSTSEndProgram TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    GetTsRegValue() is unsuccessful. 0x80070002. TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    End program: TSManager 8/8/2016 12:21:24 PM 768 (0x0300)
    Successfully finalized logs to SMS client log directory from C:WindowsCCMLogs TSManager 8/8/2016 12:21:25 PM 768 (0x0300)

    Reply
    1. Avatar photo Oleg Proscurchin says:

      I’m getting same error 87. Just going crazy with this crap for few days already. Tried all possible and impossible with wusa – packages and TS – nothing works. As soon as I run the command from 32 bit CMD/Powershell it fails with “Installer encountered an error: 0x8000fffff /Catastrophic failure” . Disable 64-bit file system redirection also doesn’t help. I need to run it on windows 10 1909. Any help will be appreciated. Thanks.

      Reply
      1. Avatar photo Ian Paul Spencer says:

        Hi, I have loads of trouble using WUSA, I think it has to check on-line during the WUSA process. I discovered dism “dism.exe /online /add-package /packagepath:”C:\Windows\Temp\Windows10.0-KB4601345-x64_PSFX.cab” /quiet /norestart

        Unsure if it works in TS ok but it was much more successful than WUSA?

        Reply

  9. Hello,

    In the task sequence method can you have more than one KB in the TS? For instance could I have KB123456 and KB654321 in the same TS?

    Thank you again for your great articles!

    Reply
      1. Avatar photo Dinesh Kumar says:

        How to link the KB’s in command
        wusa.exe /uninstall /kb:KBNUMBER1 /kb:KBNUMBER2 /quiet /norestart
        or
        wusa.exe /uninstall /kb:KBNUMBER1 /quiet /norestart
        wusa.exe /uninstall /kb:KBNUMBER2 /quiet /norestart

        Reply

        1. Tell me if it worked.

          Reply
  10. Avatar photo aakash saxena says:

    I tried it to remove an Office update. But in the software center the status is installing but nothing is happening. Also, checked the smsts.log, could not find anything.

    Reply

  11. Will it works for server 2003?

    Reply

  12. Will it works in server 2003?

    Reply
  13. Avatar photo Cody Lee Clements says:

    Why would you choose to go with a TS when you could create an application and validate the update was removed?

    Reply

    1. Yes you are correct. But i wanted to show that a Task sequence can also do this.

      Reply
      1. Avatar photo Mike Compton says:

        In which case, you should make clear in the opening paragraph, that this is not the best solution, wrapping the command in the task sequence engine is an unnecessary complication and overhead on the client; more to go wrong, more logs to check.

        If you create the update as an Application, and enter the command line to remove it, you have the added benefit of being able to scan the system using a powershell script to confirm the hotfix has been removed, you can also control the restart better.

        The above solution is far from the best available in SCCM 2012 i think.

        Reply

Leave a Reply

Your email address will not be published. Required fields are marked *