4 Replies Latest reply on Aug 18, 2014 6:04 PM by Lawrence Garvin

    Uninstall Security Update 2982791 in a WSUS and Patch Manager Environment

    scottk

      What is the best way to uninstall security update 2982791 in a WSUS and Patch Manager environment? Microsoft has pulled a number of security updates released last week. Last Friday, Microsoft revised MS14-045 (https://technet.microsoft.com/library/security/ms14-045) and wrote the following:

       

      Why was this bulletin revised on August 15, 2014?
      Microsoft revised this bulletin to address known issues associated with installation of security update 2982791. Microsoft is investigating behavior associated with the installation of this update, and will update this bulletin when more information becomes available. Microsoft recommends that customers uninstall this update. As an added precaution, Microsoft has removed the download links to the 2982791 security update. For instructions on how to uninstall this update, see
      Microsoft Knowledge Base Article 2982791.


      Looking at KB2982791 (http://support.microsoft.com/kb/2982791), Microsoft wrote:

       

      Open the Programs and Features item in Control Panel, and then click View installed updates. Find and then uninstall any of the following update that are currently installed:

      • KB2982791
      • KB2970228
      • KB2975719
      • KB2975331

       

      So there are four security updates, which have been installed on a large number of computers last week in our environment that now needs to be uninstalled. Manually going around to hundreds of computers is not an option. What options do we have in Patch Manger to uninstall this updates?

        • Re: Uninstall Security Update 2982791 in a WSUS and Patch Manager Environment
          scottk

          Below is what I am attempting within WSUS:

          1) Search for “KB2982791” update

          2) Select all updates

          3) Right-click and select Approve…

          4) For All Computers, select Approve for Removal and then Apply to Children

          5) Click the OK button

          6) Click the Close button for the Approval Progress window

          NOTE: Some updates had results of “The select update does not support removal” but it still worked

          7) Repeat for “KB2970228”, “KB2975719”, and “KB2975331”

           

          The Windows Update client on computers with these updates have new updates with names that start with “(Uninstall:)” followed by the name of the update.

          • Re: Uninstall Security Update 2982791 in a WSUS and Patch Manager Environment
            Lawrence Garvin

            There is no best way.

            There is only one way.

            One update at a time; one machine at a time.

            It's not a limitation of Patch Manager; it's a limitation of the servicing stack used by Windows to install updates.

             

            Which is one of the reasons the message in this article from a couple of years ago is still as every bit important today as it was then.

             

            It may be possible to script the removals using WUSA.EXE

             

            EDIT: After reading Scott's message.. I actually looked. Surprise! Somehow, these updates are actually capable of remote removal via the WSUS approval methodology.

             

            Unfortunately... the updates are EXPIRED (by Microsoft), which means that even though they can be Approved for Removal ... the WUA won't be able to see the updates because they're expired.

              • Re: Uninstall Security Update 2982791 in a WSUS and Patch Manager Environment
                scottk

                We did extensive testing and found no problems in our environment with these updates, but since Microsoft is strongly recommending everyone uninstall these updates (even if not experiencing problems) that is why I investigating our options. This option I found for Removal within WSUS appears to working. Below is a screenshot form a client.

                 

                WindowsUpdateClient_Uninstall_KBs.JPG

                 

                If this hadn't worked then I would have scripted something like the follow into a package with Patch Manager:

                • for x86: C:\Windows\System32\wusa.exe /uninstall /kb:2982791 /quiet /norestart /log
                • for x64: C:\Windows\SysWOW64\wusa.exe /uninstall /kb:2982791 /quiet /norestart /log
                1 of 1 people found this helpful
                  • Re: Uninstall Security Update 2982791 in a WSUS and Patch Manager Environment
                    Lawrence Garvin
                    This option I found for Removal within WSUS appears to working.

                    I'm pleasantly surprised to hear that this is working. First, I'm near shocked that an OS update actually supports removal, but I'm intrigued that the WUA is capable of removing an expired update.


                    If this hadn't worked then I would have scripted something like the follow into a package with Patch Manager:

                    • for x86: C:\Windows\System32\wusa.exe /uninstall /kb:2982791 /quiet /norestart /log
                    • for x64: C:\Windows\SysWOW64\wusa.exe /uninstall /kb:2982791 /quiet /norestart /log

                    I don't know that you can build a package directly using WUSA.EXE, but you can configure a PackageBoot ruleset to call WUSA and remove the update.

                     

                    However, the best approach is likely to configure a POWER-ON script with appropriate wrapper logic so that it only runs once per system.

                    Then use Patch Manager to send a mass RESTART command to all of the affected computers.