Removing an expired/deleted update from WSUS

We recently removed Patch Manager from our WSUS and during the deployment we had Wireshark being deployed to workstations. We're now trying to remove Wireshark from some of those workstations, but it continues to reinstall via WSUS. I see no mention of Wireshark in WSUS anymore. 

I tried renaming the SoftwareDistribution on the client machines and they still pull the .cab file from the WSUS server. I've even run the WSUS server clean-up. Anyone have any ideas? If it helps, here is the WindowsUpdate log from a client. Again, from what I can see Wireshark has been removed when we decommissioned Patch Manager.

2020/06/30 14:34:31.9704376 4816 6524 Agent Title = Wireshark 3.2.2 x64 (Upgrade)
2020/06/30 14:34:31.9704417 4816 6524 Agent UpdateId = 4E96905D-C3D8-41F3-8D0A-4801E3656EFD.2
2020/06/30 14:34:31.9704563 4816 6524 DataStore Failed to find update with global id of 4E96905D-C3D8-41F3-8D0A-4801E3656EFD.2 (sessiondata = (null))
2020/06/30 14:34:31.9704642 4816 6524 DownloadManager No locked revisions found for update 4E96905D-C3D8-41F3-8D0A-4801E3656EFD.2 (SessionData = (null)); locking the user-specified revision.
2020/06/30 14:34:31.9704724 4816 6524 DataStore Failed to find update with global id of 4E96905D-C3D8-41F3-8D0A-4801E3656EFD.2 (sessiondata = (null))

  • Time to fire up some PowerShell.

    You'll need to launch an elevated session on a machine with the WSUS RSAT installed (doesn't have to be the WSUS server).

    Then you'll need to run this:

    $wsus = get-wsusServer -Name WSUS.FQDN -Port X

    The port will be what your WSUS server runs on (defaults are 80 or 8530 for HTTP and 443 or 8531 for HTTPS)

    If you're requiring HTTPS for your WSUS server, you'll need to add -UseSSL to that line

    Next you'll run:

    get-wsusupdate -updateserver $wsus -UpdateId 4E96905D-C3D8-41F3-8D0A-4801E3656EFD

    Make sure that's Wireshark (should be displayname)

    Then run

    get-wsusupdate -updateserver $wsus -UpdateId 4E96905D-C3D8-41F3-8D0A-4801E3656EFD | deny-wsusupdate

    You may get prompted for confirmation.

    That will decline the update from WSUS and will prevent further installs.

  • For anyone's future reference, I ran the following syntax to deny the updates.

    get-wsusupdate -UpdateId 4E96905D-C3D8-41F3-8D0A-4801E3656EFD
    * Displayed the product version and approval status.
    get-wsusupdate -UpdateId 4E96905D-C3D8-41F3-8D0A-4801E3656EFD | Deny-WsusUpdate
    * Denies the update within WSUS.
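
The steps from the two answers combined into one script, as an added example that is not part of the original posts: it reads the Title/UpdateId pairs from a client WindowsUpdate log, confirms the title on the server, and runs Deny-WsusUpdate with -WhatIf unless told otherwise. The parameter names, the server name, port and log path defaults, and the reading of the logged id as `GUID.revision` are assumptions.

```powershell
# Added example, not code from the thread. Parameter defaults are placeholders.
param(
    [string]$WsusName = 'WSUS.FQDN',           # placeholder server name
    [int]$WsusPort    = 8530,                  # one of the default ports listed above
    [string]$LogPath  = '.\WindowsUpdate.log', # assumed path to the client log
    [string]$Expected = 'Wireshark',           # title text the update must contain
    [switch]$Decline                           # without this, only -WhatIf is run
)

# Collect "Title = ..." / "UpdateId = <GUID>.<n>" pairs in the order the agent logged them.
# Assumption: the number after the GUID is the revision; only the GUID goes to -UpdateId.
$title = $null
$seen = foreach ($line in Get-Content -Path $LogPath) {
    if ($line -match 'Title = (.+)$') {
        $title = $Matches[1].Trim()
    } elseif ($line -match 'UpdateId = ([0-9A-Fa-f-]{36})\.(\d+)') {
        [pscustomobject]@{ Title = $title; UpdateId = [guid]$Matches[1]; Revision = [int]$Matches[2] }
    }
}
$targets = $seen | Where-Object { $_.Title -like "*$Expected*" } | Sort-Object UpdateId -Unique

$wsus = Get-WsusServer -Name $WsusName -PortNumber $WsusPort   # add -UseSsl for HTTPS

foreach ($t in $targets) {
    try {
        $u = Get-WsusUpdate -UpdateServer $wsus -UpdateId $t.UpdateId -ErrorAction Stop
    } catch {
        Write-Warning "$($t.UpdateId) is in the client log but was not returned by WSUS: $_"
        continue
    }
    # Refuse to decline anything whose server-side title does not match the log.
    if ($u.Update.Title -notlike "*$Expected*") {
        Write-Warning "$($t.UpdateId) is '$($u.Update.Title)' on the server; skipping."
        continue
    }
    [pscustomobject]@{
        Title    = $u.Update.Title
        Approved = $u.Update.IsApproved
        Declined = $u.Update.IsDeclined
    }
    if ($Decline) { $u | Deny-WsusUpdate } else { $u | Deny-WsusUpdate -WhatIf }
}
```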