In this article, I will explain how to rollback a patch using SCCM. We will look at the procedure to uninstall Windows update using ConfigMgr on remote Windows 10/11 computers.
I often get emails asking how to roll back a patch in SCCM. Over time, I realised that most ConfigMgr administrators were finding it difficult to remove a patch. To save you time, I decided to publish a guide that covers the steps to rollback a patch update using SCCM.
On Windows systems, there are a variety of reasons why you might want to roll back an installed update. Let’s imagine you installed a set of updates on your Windows computers, but one of them is actually causing problems across the board. You’ve been instructed to locate that update and remove it from all systems.
To accomplish that, you must first locate that update, which may require a lot of debugging. Once you've done that, you should remove it from all systems. There is a simple procedure to do this, and I will explain it in the next section.
Configuration Manager makes it easier to deploy software updates and even rollback the software updates on Windows computers. Make sure the Configuration Manager client is installed on the computers before you attempt to rollback patches.
Ways to Uninstall Windows Update using ConfigMgr
Broadly, there are three ways to rollback Windows update using ConfigMgr:
- Use custom Task Sequence with a run command line
- Use a PowerShell script to rollback the required patch
- Create a program and remove the patch using a VB script
The task sequence approach of uninstalling a patch appears to be simpler than utilising a script. Although there are numerous PowerShell scripts available, some of them might not be effective for you in uninstalling updates. In this post, we’ll show you how to uninstall a patch from a remote Windows computer using a custom task sequence.
How to Rollback a Patch using SCCM (ConfigMgr)
We will use the following steps to rollback a patch using SCCM.
- Identify the update that needs to be uninstalled.
- Create a custom task sequence to rollback a patch.
- Deploy the task sequence to SCCM collection.
1. Identify the update for Rollback
The first step in uninstalling an update using SCCM involves identifying the update. An update can be identified with its KB number, which is a unique number assigned by Microsoft.
Use the following steps to identify the KB Update for Rollback:
- Launch the Control Panel on your computer.
- Go to Programs > Programs and Features > Installed Updates.
- From the list of installed updates, look for the update that you wish to uninstall and note down the KB number. For instance, KB3004394 is the update that we will rollback using SCCM.
2. Create a Custom Task Sequence for Patch Rollback
Once you have identified the KB number of the patch that you want to rollback using SCCM, the next step is to create a custom task sequence in SCCM. The custom task sequence allows you to add the Run Command Line step, and here you can use the WUSA.exe command line utility to rollback the patch.
In the Configuration Manager console, navigate to Software Library > Overview > Operating Systems > Task Sequences. Right-click the Task Sequences node, and select Create Task Sequence.
From the list of TS options, select Create a new custom task sequence and click Next.
For the custom task sequence, specify a Task sequence name. You may add a brief description about what this TS is about. Make sure you don’t select any boot image for this task sequence, as it’s not required. Click Next.
The Summary page shows the task sequence details and configuration. Click Next.
On the Completion page of task sequence wizard, click Close. This completes the steps to create the custom task sequence in SCCM.
The task sequence that you created in the above step was a blank TS. It doesn’t do anything because we haven’t added any instructions for the task sequence. We will do that now. Right-click on the custom task sequence that you created, select Edit. In the task sequence editor, select Add > General > Run Command Line.
In the command line, type wusa.exe /uninstall /kb:KBNUMBER /quiet /norestart. Click OK. Make sure to replace KBNUMBER with the KB number of the update that you wish to rollback. The task sequence is now ready for deployment.
If you are looking for the command explanation, here it is:
- wusa.exe: Windows Update Standalone Installer executable.
- /uninstall: The installer will uninstall the package.
- /kb:KBNUMBER: Install/Uninstall the package associated with KBNumber.
- /quiet: quiet mode, no user interaction here. Uninstalls the patch silently.
- /norestart: Will not initiate reboot when combined with quiet mode.
3. Deploy the Task Sequence to Rollback a Patch
We are now ready with the task sequence which will rollback or uninstall the patch from the computers. Right-click the Task sequence and select Deploy. On the General page, click on Browse and choose the collection to target the task sequence. Click Next.
On the Deployment Settings page, specify how you want to deploy the task sequence. The action is set to install, and you have to select the purpose. Select the purpose as required and click Next. Refer to the following article to know the difference between Available and Required deployment options in SCCM.
On the Scheduling tab, you can specify a schedule for the task sequence deployment. Based on the schedule that you configure, the update is uninstalled from the computers. Click Next.
Configure the required option for distribution points and click Next.
Review the TS deployment settings on the Summary page and click Close on Completion.
4. Verify Patch Uninstallation using SCCM
After you have deployed the task sequence to rollback a patch using SCCM, we will verify the deployment on our computers. Log in to the client computer (Windows 10 or Windows 11). Launch the Software Center. We see that the task sequence execution is already completed and the patch removal is successful.
Another way to verify if the patch is uninstalled using SCCM is to review the smsts.log file located on the client machine. In the smsts.log, the following line confirms that the patch has been uninstalled successfully.
Successfully completed the action (Run Command Line) with the exit win32 code 3010
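
To run both checks from a script, the following PowerShell is an added example, not code from the original article: it extracts the exit code from the smsts.log line shown above and uses Get-HotFix to confirm the KB is no longer listed. Exit code 3010 is ERROR_SUCCESS_REBOOT_REQUIRED, so the removal is only complete after the computer restarts. The function names, the log path, the CMTrace line layout and the sample line are assumptions made for the example.

```powershell
# Added example, not from the original article. Function names are hypothetical.
# Assumption: smsts.log lines use the CMTrace layout <![LOG[message]LOG]!><metadata>.

function Get-TsActionResult {
    param([Parameter(Mandatory)][string[]]$LogLine)
    $pattern = 'Successfully completed the action \((?<Action>.+?)\) ' +
               'with the exit win32 code (?<Code>\d+)'
    foreach ($line in $LogLine) {
        if ($line -match $pattern) {
            $code = [int]$Matches['Code']
            [pscustomobject]@{
                Action        = $Matches['Action']
                ExitCode      = $code
                # 3010 = ERROR_SUCCESS_REBOOT_REQUIRED: removal finishes after a restart
                RebootPending = ($code -eq 3010)
            }
        }
    }
}

function Test-KbRemoved {
    param([Parameter(Mandatory)][ValidatePattern('^KB\d+$')][string]$KbId)
    # Get-HotFix returns nothing when the KB is not listed as installed
    -not (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

# Constructed sample line (timestamp and metadata are made up for illustration)
$sample = '<![LOG[Successfully completed the action (Run Command Line) with the exit win32 code 3010]LOG]!>' +
          '<time="10:15:42.118+000" date="01-01-2024" component="TSManager" context="" type="1" thread="4321" file="constructed">'

Get-TsActionResult -LogLine $sample | Format-List

# On a client, read the real log instead (path is an assumption; adjust to your client):
# Get-TsActionResult -LogLine (Get-Content "$env:windir\CCM\Logs\smsts.log") |
#     Where-Object Action -eq 'Run Command Line' | Select-Object -Last 1

# KB3004394 is the example KB used in the article
if (Test-KbRemoved -KbId 'KB3004394') {
    'KB3004394 is not listed as installed.'
} else {
    'KB3004394 is still listed; re-check after the pending restart.'
}
```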