How to delete upgrades in WSUS

(Alternative title: "Help, I synched Upgrades before installing the patch!"  

This applies to anyone who missed KB 3095113 when it was offered as a hotfix, and subsequently enabled synching of Upgrades in their environment. The upgrades that were downloaded happen to be from the Windows 10 1511 feature upgrade, but these steps could be modified to suit a similar purpose for a different set of content.)

In this scenario, WSUS has downloaded content that it cannot use. Because parsing only happens once, and WSUS does not know what “Upgrades” are without having installed KB 3095113, it incorrectly identifies the upgrade as a regular update and saves it to the SUSDB as such. In order to remedy this, you must perform the following sequence of steps on the WSUS servers as specified in the table below (where "USS" represents "upstream server"):

Action

Where to perform

1.       Disable the “Upgrades” classification

USS or Standalone WSUS

2.       Delete the previously synched upgrades

All WSUS (start with topmost server)

3.       Enable the “Upgrades” classification

USS or Standalone WSUS

4.       Perform full sync

USS or Standalone WSUS

Some workarounds propose that you delete these entries from the SUSDB via SQL queries, but we do not recommend directly modifying database content. The supported way to remove update content is with PowerShell commands [from an elevated session] as described below. Again, be sure that you perform the deletion step on the WSUS server that is highest in your hierarchy first, and then work your way down; otherwise, your deletions may be replaced by the USS on the next sync attempt. 

// disable Upgrades classification on local WSUS server

Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq “Upgrades”} | Set-WsusClassification -Disable  

// delete all update content on the current server belonging to the 1511 release

$s = Get-WsusServer

$s.SearchUpdates(“version 1511, 10586”) | foreach { $s.DeleteUpdate($_.Id.UpdateId) } 

// enable Upgrades classification

Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq “Upgrades”} | Set-WsusClassification 

// perform full sync

$sub = $s.GetSubscription()

$sub.StartSynchronization()