A common reason for uninstalling updates is that they are buggy or cause problems in a particular environment. Removing them is a short-term measure only to get PCs back up and running without limitations. But especially for security updates, it's not a permanent solution.
Approve update for uninstallation
Usually, you allow or deny updates for installation, but you can also approve them for removal.
You can get this done using the GUI of the WSUS console. The biggest challenge is finding the bad updates in the long list given the very limited filtering options.
Once you have achieved this goal, mark the unwanted update, and check the detailed information in the lower section under Removable to see whether it supports uninstallation.
If it can, select the Approve command from its context menu. In the dialog box that appears, open the dropdown menu of the appropriate computer group and check the Approved for Removal option.
If you want to set a date on which the clients will immediately start removing the updates, open the dialog for approving the updates again, and run the Deadline command for the same computer group.
If you do not specify a deadline, the PCs will remove the unwanted updates only when new updates are pending installation.
After successful approval, the status of the update in the overview changes to Remove if you have applied the action to all computers. However, if you assign the uninstall operation only to one group, the console displays Mixed in the Approval column.
Uninstall updates with PowerShell
Since the Approve-WsusUpdate cmdlet provides all the approval options, you can also use the cmdlet to configure updates for removal.
As usual, the first step is to connect to the WSUS server:
$wsus = Get-WsusServer -Name wsus.contoso.com -PortNumber 8530
You can omit the parameters Name and PortNumber if you run the command locally on the server.
Next, reference the update by its ID. This is a GUID, which unfortunately cannot be obtained from $wsus.SearchUpdates() if you only know the KB. In this case, you have to look up the GUID in the Update Catalog or use this script:
# Ask for the KB number and query the Microsoft Update Catalog search page for it
$kb = Read-Host -Prompt "Search for which KB?"
$uc = Invoke-WebRequest -Uri "https://www.catalog.update.microsoft.com/Search.aspx?q=$kb"
# The result links carry the UpdateId in their HTML id attribute (suffix "_link");
# build "Description;ID" rows, show them in a grid, and list the selected update.
# Note: the innerText and onClick link properties require Windows PowerShell 5.1.
$uc.Links | where onClick -Like "*goToDetails*" |
    foreach {$_.innerText + ";" + $_.id -replace '_link',''} |
    ConvertFrom-Csv -Delimiter ";" -Header "Description","ID" |
    Out-GridView -PassThru | Format-List
Once you have found the UpdateId, pass it to the following command:
$u = Get-WsusUpdate -UpdateServer $wsus -UpdateId "<GUID>"
Then, check whether the update supports uninstallation:
$u.Removable
If this is true, the next step is to output the names of all computer groups:
$wsus.GetComputerTargetGroups()
In the final command to approve the removal, set the TargetGroupName parameter to the desired computer group:
$u | Approve-WsusUpdate -Action Uninstall -TargetGroupName "IT"
Steps in PowerShell to allow an update to be uninstalled
If you now invoke the following again:
Get-WsusUpdate -UpdateServer $wsus -UpdateId "<GUID>" | select Approved
the result should be Uninstall.
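As an added example that is not part of the original article, the following script chains the steps above and also sets a removal deadline, which the console offers but Approve-WsusUpdate does not. It assumes the server name and port, the computer group "IT", a placeholder UpdateId, and the Approve(action, group, deadline) overload of the WSUS API's IUpdate object (reached via the Update property of the object Get-WsusUpdate returns).

```powershell
# Added example: approve a WSUS update for uninstallation with a deadline.
# Assumptions: server/port, group "IT", placeholder GUID, and the
# IUpdate.Approve(action, targetGroup, deadline) overload of the WSUS API.
param(
    [string]$Server    = "wsus.contoso.com",                      # assumed server
    [int]$Port         = 8530,                                    # assumed port
    [string]$UpdateId  = "00000000-0000-0000-0000-000000000000",  # placeholder GUID
    [string]$GroupName = "IT",                                    # assumed group
    [datetime]$Deadline = (Get-Date).AddDays(1)                   # clients start removal after this
)

$wsus = Get-WsusServer -Name $Server -PortNumber $Port
$u = Get-WsusUpdate -UpdateServer $wsus -UpdateId $UpdateId

# Stop early if WSUS does not report the update as uninstallable
if (-not $u.Removable) {
    throw "Update '$($u.Title)' [$UpdateId] does not support uninstallation."
}

# Resolve the computer target group object by its display name
$group = $wsus.GetComputerTargetGroups() | Where-Object Name -eq $GroupName
if (-not $group) {
    throw "Computer group '$GroupName' not found on $Server."
}

# Approve removal for that group with a deadline; $u.Update is the underlying IUpdate
$action = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Uninstall
$u.Update.Approve($action, $group, $Deadline) | Out-Null

# Verify: the Approved column should now read Uninstall for this update
Get-WsusUpdate -UpdateServer $wsus -UpdateId $UpdateId |
    Select-Object Title, Approved, Removable
```

Without the deadline argument the same call behaves like Approve-WsusUpdate -Action Uninstall, and clients remove the update only at their next detection cycle with pending installs.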
Summary
WSUS offers the possibility of removing unwanted updates on a large number of machines. To do this, you have to approve them for uninstallation.
The easiest way to do this is via the WSUS console once you have found the relevant updates there. PowerShell requires several steps to do this but offers more flexibility for filtering the updates.