Blog Post

Windows IT Pro Blog
3 MIN READ

Uninstalling Windows updates on managed devices using Intune

AriaUpdated's avatar
AriaUpdated
Icon for Microsoft rankMicrosoft
Mar 24, 2023

Have you ever been in a situation where a Windows device takes an update that is not compatible with the system or causes an issue that prevents user productivity? In this scenario, it can be frustrating to determine the best way to get the device(s) back to a protected and productive state. Using Microsoft Intune, here are a few ways to address the situation.

If the update you want to uninstall is a Windows feature update that replaced the previous version of the operating system (OS) on the device, you can roll back the feature update using Intune and by leveraging the Update CSP.

Screenshot of the Overview page in the Intune admin center, showing the Uninstall options for update rings for Windows 10 and later

To use the Uninstall option for feature updates (Rollback/FeatureUpdate in the Update CSP) in Intune, the device must be running Windows 10, version 1803 and above, have feature updates paused, and be within the uninstall period.

Intune also provides the ability to uninstall quality updates installed on a device. Again, to leverage this capability, the device must be running Windows 10, version 1803 and above, have quality updates paused, and be running the latest quality update available to the device based on quality update deferral settings.

Caution: Before uninstalling quality updates, please carefully review Understanding the risks: Why you should not uninstall security updates.

To uninstall other types of updates, including Windows feature updates delivered via enablement package, you can leverage PowerShell scripts in Intune.

*An enablement package, sometimes referred to as an eKB, is a small, quick-to-install "master switch" that activates features already present on a device but in an inactive and dormant state. Enablement packages are available for feature updates that share the same core operating system (OS) as the version of Windows prior to them (e.g. Windows 10, version 21H2 and Windows 10, version 22H2).

PowerShell

Once you are ready to use PowerShell scripts on Windows 10/11 devices in Intune, run the following two PowerShell scripts:

First, to get the full list of updates installed on the device run:

 

 

 

 

 

get-windowspackage -online -PackageName "*KB<NUM>*"

 

 

 

 

 

Then, to uninstall a specific update that was present in the list of installed updates, run:

 

 

 

 

 

Remove-WindowsPackage -Online -PackageName "Package_for_KB5015684~31bf3856ad364e35~amd64~~19041.1799.1.2"

 

 

 

 

 

You will need to swap the package information above with the package that you wish to uninstall.

 

Note: You will want to run both scripts under the system account. This means you should choose "No" as the default for "Run this script using the logged on credentials".

Once the uninstallation is complete, restart the system.

Deployment Image Servicing and Management (DISM)

Alternatively, you can use the DISM tool directly:

 

 

 

 

 

dism /online /remove-package /PackageName:Package_for_KB5015684~31bf3856ad364e35~amd64~~19041.1799.1.2

 

 

 

 

 

You will need to swap the package information above with the package that you wish to uninstall.

As above, once uninstallation is complete, restart the system.

I hope you find this brief guide to uninstalling updates helpful. May you never need this information! As always, please feel free to reach out to me on Twitter @AriaUpdated or here on the Tech Community with questions, comments, and feedback.


Continue the conversation. Find best practices. Bookmark the Windows Tech Community and follow us @MSWindowsITPro on Twitter. Looking for support? Visit Windows on Microsoft Q&A.

 

Updated Aug 21, 2024
Version 4.0

3 Comments

  • That said I am glad you wrote about this solution, Aria. 

     

    An Inspiration for the PowerShell team.

    Get-Hotfix should always sort output by date. It doesn't by today. 

     

    As the output can be worked with, we could select last entry of the specific update type to fetch the KB for the script above.

     

    Or use wusa. 

     

     

    An even better FR, would be to provide a PowerShell commandlet to uninstall updates in the future, so we don't have to rely on Dism and wusa.

    Many Dism commands already have sufficient PowerShell commandlets.

     

    Some more 

     

     

    #On Windows 10 the /quiet no longer works. You may use:
    
    $SearchUpdates = dism /online /get-packages | findstr "Package_for"
    $updates = $SearchUpdates.replace("Package Identity : ", "") | findstr "KBXXXXXX"
    #$updates
    DISM.exe /Online /Remove-Package /PackageName:$updates /quiet /norestart

     

    https://social.technet.microsoft.com/Forums/windows/en-US/f6594e00-2400-4276-85a1-fb06485b53e6/issues-with-wusaexe-and-windows-10-enterprise?forum=win10itprogeneral

  • I am also looking forward for a native implementation. Then as a next leap forward, in addition in Azure Update Management Center. 

  • Reza_Ameri's avatar
    Reza_Ameri
    Silver Contributor

    These are valuable and time saving features.

    I hope to be able to uninstall other type updates using Intune GUI (in addition to PowerShell) too.