Enjoy Sharing

How to Rollback / Remove a Patch using SCCM (ConfigMgr)

Oddly, just recently I’ve been getting an increase of this question from people so I feel it is about time I put up a post about this. First of all, the reason why you’re wanting to rollback or remove a patch is most probably because it is causing you some trouble after it is installed. You need to first know the offending patch that is causing all the problem that you’re having. Now that involves some amount of your own investigation maybe by asking questions like when did these problems begin to surface and what was the patch that was recently installed…but I’ll leave that to you. 🙂

Once you have identified the patch that you would like to rollback, the rest is pretty simple. Maybe the only caveat in this post is, this only works on Windows 7 and above. Yes, that means Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012. It will not work on your Windows Vista or Windows Server 2008, not to mention Windows XP. That calls for another post should I see more people asking about it.

So let’s just say you’ve identified KB2781197 is the one you needed to rollback from thousands of computers. Doing it manually on each computer through the Installed Updates screen in control panel is not going to cut it.



The idea behind it working is using the wusa.exe that is build into Windows 7 and above. This can be found in C:\Windows\System32 and C:\Windows\SysWOW64 depending on which version of Windows. What you need to do is to kick this off using the command line with parameters behind it. In our case of KB2781197 you can use the command line below:-

C:\Windows\System32\wusa.exe /uninstall /kb:2781197 /quiet /norestart

In a case where you’re doing this in a mass deployment like ConfigMgr, it is a good idea to include the /quiet switch to make it run silently in the background. The /norestart switch is a good idea too in order to avoid the computer from rebooting right after the removal process is complete. Trust me, it’ll help you avoid all those unnecessary helpdesk calls from your users saying their computer just rebooted for no apparent reason!

The thing to do now is to get ConfigMgr to execute this command line on all your machines for you. The way to do this is to use Task Sequence instead of creating a package/program. Package/program may work well for your 32-bit systems but will mostly fail on your 64-bit systems. There is also an option in Task Sequence that you need to disable, but I’ll cover that in a little while.

Create a new custom Task Sequence. Right-click and select Create Task Sequence. It might be a good idea to create a folder to help you organize your Task Sequences.



Select Create a new custom task sequence, then click Next.



Name your Task Sequence. Since you’re not deploying an operating system here, you do no need to specify a boot image. Go ahead and click Next to proceed.



At the Summary page, click Next.



Click Close at the Completion screen.



Now you’ve got a Task Sequence created, time to edit it. So, right-click on the Task Sequence you just created and select Edit.



Because you created a custom Task Sequence you’ll start with an empty one.



Click the Add button at the top of the screen and select General > Run Command Line.



In the command line box, here’s where you enter the command line that you want to execute to rollback the patch from your machines. So like what was stated up there, the command line would be something like C:\Windows\System32\wusa.exe /uninstall /kb:<kb number>/quiet /norestart. Remember to select the check-box beside Disable 64-bit file system redirection. This is the option you need to select in order for it to run successfully on both 32-bit and 64-bit that was mentioned earlier. Click OK once you’re done editing the Task Sequence.



Now, deploy the Task Sequence to the collection you want to rollback the patch. Right-click on the Task Sequence you’ve just edited and select Deploy.



Select the collection of computers you want to rollback the patch.



It’s really up to you whether you would like to make your deployment an Available one or Required one. Personally and realistically you would probably want to make it Required since the patch is already causing problems to your environment. Click Next to proceed.



Because you’re deploying it as a Required deployment you need to add an Assignment. So go ahead and click the New button to add as either a Schedule or an Event assignment.


image image


You can leave this page as default and just click Next to proceed.



Unless you want it to generate alerts, you can leave this as default too.



And default on this too, click Next.



Click Next here.



Click Close and you’re done!







18 responses

  1. brink668

    Thanks this is very helpful! Didn’t know you could use Task Sequences on machines for other purposes rather than image deployments.

    September 12, 2013 at 10:58 pm

  2. Carlson

    I have a question to regarding this. Do you know how to remove updates that were installed by SCCM 2012? There doesn’t seem to be a way to do this. I looked at your removal process and that seems to only work for updates that I install via Windows Update on the client but not if pushed/installed from SCCM 2012.

    Would you be able to write a tutorial on how to do this? If there is an automated way to get this to work?

    September 13, 2013 at 8:32 am

    • Hi Carlson. Actually this should work whether or not the Windows Update was installed by SCCM or by other means. The key here is to kick off the wusa.exe with the switch to remove the specific update.

      However, this does not apply to 3rd party/non-Microsoft updates.

      September 16, 2013 at 11:57 am

  3. SUPvsWSUS

    Looks like this only works with updates installed from Windows Update and not updates installed from CM12. I can’t remove KB2592687 as an ex. installed from CM12 ADR using this tutorial.

    Have you tested this on updated installed from CM12?

    September 24, 2013 at 7:50 pm

  4. This was so helpful – I’m researching this for an SOP at work, and the BIG orange book didn’t have anything this clear, concise or helpful. Really appreciated.

    October 22, 2013 at 10:45 pm

  5. Juergen

    I just needed to remove KB2883201 what was pushed through SCCM2012 onto Win8 x64 Enterprise. (this update causes the Client within domain not being able to change the password “the security database on the server …”)
    The above mentioned procedure with the tasksequence is perfectly working and easy.

    Thank you for that tutorial.


    November 21, 2013 at 11:10 pm

  6. Hello,

    I follow your procedure to uninstall an Office 2013 KB (2850061).

    Unfortunately it doesn’t work, I tried to manually run:

    C:\Windows\System32\wusa.exe /uninstall /kb:2850061 /quiet /norestart /log

    It will failed with: “ Windows Update could not be uninstalled because of error 2359303”

    As well as:

    C:\Windows\SysWOW64\wusa.exe /uninstall /kb:2850061 /quiet /norestart /log

    Failed with “Windows update could not be uninstalled because of error 2147549183 “Catastrophic failure” (Command line: “wusa.exe /uninstall /kb:2850061 /quiet /norestart /log”)”

    I also tried running only C:\Windows\System32\wusa.exe /uninstall /kb:2850061

    and I receive “The update KB2850061 is not installed in this computer”

    Well it is installed, because I can see it listed in my Programs and Features – View Installed Updates…

    Is there a special procedure to remove Office KB’s ?


    February 25, 2014 at 7:50 pm

  7. Meanwhile…

    I found out how to uninstall Office KBs:

    Browse to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, and then search for the KB number of the update you need to remove. Once found, look at the Uninstall String, and you’ll see a value like this:

    For Win 8 x64:

    “C:\Program Files\Common Files\Microsoft Shared\OFFICE15\Oarpmany.exe” /removereleaseinpatch “{90150000-0011-0000-1000-0000000FF1CE}” “{E8F64CB5-1419-47A8-9FCE-F6E4137F2D25}” “1033” “0”

    using the uninstall command:

    msiexec /package {90150000-0011-0000-1000-0000000FF1CE} MSIPATCHREMOVE={E8F64CB5-1419-47A8-9FCE-F6E4137F2D25} /qb /norestart /l+ c:\windows\ccm\logs\KB2850061_rollback.txt

    For Win 7 x64:

    “C:\Program Files\Common Files\Microsoft Shared\OFFICE15\Oarpmany.exe” /removereleaseinpatch “{90150000-001A-0409-1000-0000000FF1CE}” “{DC09D330-4049-4A18-8591-CDA3E30A9F6B}” “1033” “0”

    using the uninstall command:

    msiexec /package {90150000-001A-0409-1000-0000000FF1CE} MSIPATCHREMOVE={DC09D330-4049-4A18-8591-CDA3E30A9F6B} /qb /norestart /l+ c:\windows\ccm\logs\KB2850061_rollback.txt


    February 25, 2014 at 9:15 pm

  8. Check out a method with Powershell Remoting so you can target a list in a text file or by OU: http://mbrownnyc.wordpress.com/2014/08/18/querying-for-and-uninstalling-evil-kbs-with-powershell-remoting/ Join #powershell on freenode with questions!

    August 20, 2014 at 4:54 am

  9. Dan

    You’re a legend. What a fantastic blog. Thank you, so much.

    August 22, 2014 at 6:14 pm

  10. Fred

    Also try this…..

    wmic product where “name like ‘Microsoft Office O MUI (English) 2010%%'” call uninstall /nointeractive, la quoted name is the software you decire to uninstall. Best regards Fred

    November 5, 2014 at 12:13 am

  11. Sonja

    Fantastic blog…Simple and easy to follow which is great – and it worked first time… Appreciate the sharing…

    November 12, 2014 at 7:20 am

  12. Bhaskar Dev

    Your article is brilliant mate..definitely worked for me.
    I uninstalled windows patches using the task sequence.

    January 16, 2015 at 10:35 pm

  13. Rich

    I am trying to use with IE11 Removal and not having the same success on a Win7 64bit PC

    I use c:\windows\System32\wusa.exe /uninstall /kb:2841134 /quiet /norestart

    It will just display the task progress bar for ages once the PC receives the task. Eventually I kill the job. If I just run the above cmd on the PC I am testing with IE11 removes fine. I feel like I am following the instructions fine but just cannot get this to go.

    Any help would be great.

    May 7, 2015 at 3:11 am

    • Rich

      Never mind…it is working now 🙂

      May 7, 2015 at 3:16 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s