How to Remove / Rollback a Patch using SCCM

You may find various reasons to remove a patch from your clients and/or servers. This is one way to do so. This method will not work for OS versions older than Window 7 and Server 2008 R2.

First you have to identify the patch that you want to rollback/Remove.
In this case we use patch KB2898514 as example.


This method uses the Windows Updates Standalone Installer (Wusa.exe) which is built into windows 7 and above. (And Server 2008 R2 +).

Wusa.exe is located in “C:\Windows\System32” and “C:\Windows\SysWOW64” depending on which version of Windows is used.
What we need to do is execute Wusa.exe with parameters. It this case the command will be:

Wusa.exe /uninstall /kb:2898514 /quiet /norestart

Explanation of the command:

  • exe – Windows update standalone installer executable
  • /Uninstall – Switch that tells Wusa.exe to go in uninstall mode
  • /kb:2898514 – Switch that tells Wusa.exe which update to work with.
  • /quiet – Switch that tells Wusa.exe to run without user input or visible progress.
  • /norestart – Switch that tells Wusa.exe to ignore restart commands from the patch.

In a mass deployment like this will be, the /quiet and /norestart command is a good idea as the user in the other end, will not be interrupted in their work with unnecessary prompts or reboots.

Now we want SCCM to execute the command on all machines. In this case we use a Task sequence to do it, but we might as well use a package/program.

Create a custom Task Sequence. Right-click and select Create Task Sequence.




Select Create a new custom task sequence, then click Next.


Name your Task Sequence. Since we are not deploying an operating system, we don’t need to choose a boot image. Click Next.


At the Summary page, click Next.


Click Close at the Completion screen.


Now the Task Sequence is created. Right-click on the Task Sequence and select Edit.


As we created a custom Task Sequence it is created with no predefined steps.



Click the Add button at the top of the screen and select General > Run Command Line.


We can edit the Name of the Command Line if we want, but other than that we just need to fill in the command line in the ”Command Line:” box. Click OK when done.


Now we need to deploy the Task Sequence to the collection of computers that needs the rollback.

Right click on the Task Sequence and select Deploy.


Choose the desired computer collection and click Next.


We have to choose if the rollback should be required or available. In this case we want to remove the patch on every machine, so we choose required and the patch will be remove automatically. If we would like the users to choose if they wanted the patch uninstalled, we will choose available, then the user would have to start the Task Sequence manually.

Click Next to proceed.


Because we’re deploying it as a Required deployment we need to add an Assignment. Click the New button to add either a Schedule or an Event assignment. Under “Assign immediately after this event” we choose “As soon as possible” and click OK and Next.

14 15 16

Leave this page as default and click Next.


Leave this page as default and click Next.


Leave this page as default and click Next.


Click Next.


Click Close and we’re done!




This entry was posted in Uncategorized and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s