How to Remove WSUS Completely and Reinstall it

by | Last updated 2023.10.10 | Published on 2018.06.19 | Guides, WSUS

The steps to remove WSUS and reinstall WSUS are pretty standard but they do have some variances on how WSUS was installed in the first place.

To remove WSUS completely, you need to:

  1. Remove WSUS Role
    1. You can remove the role through the GUI using Server Manager or
    2. You can use an Administrative PowerShell prompt and run:
    Remove-WindowsFeature -Name UpdateServices,UpdateServices-DB,UpdateServices-RSAT,UpdateServices-API,UpdateServices-UI -IncludeManagementTools
  2. Remove the Database WSUS was using (SUSDB.mdf and SUSDB_log.ldf).
    1. If you were using the Windows Internal Database (WID), specifically delete the SUSDB.mdf and SUSDB_log.ldf in C:\Windows\WID\Data (or C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data for Server 2008/2008 R2)
        1. If the WID was only used for WSUS, you should remove the WID feature in Server Manager to fully clean up the installation. When you do remove the WID Feature, make sure to remove the entire C:\Windows\WID folder too.
        2. If you want to remove WSUS and KEEP the WID, and plan on NOT to reinstall WSUS, you must first detach the SUSDB database from SQL before removing the mdf and ldf files. The easiest way is to use SQL Server Management Studio to connect to the WID, and then right click on the SUSDB database > Tasks > Detach.
        3. You can remove it through PowerShell from an Administrative PowerShell prompt by:
          Remove-WindowsFeature -Name UpdateServices-WidDB
        4. If you’re using Server 2008 / Server 2008 R2, use the following PowerShell command from an Administrative PowerShell prompt to remove the WID if it was used ONLY for WSUS:
      if ($env:PROCESSOR_ARCHITECTURE -eq 'x86') { msiexec.exe /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB } callerid=ocsetup.exe }
      if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { msiexec.exe /x {BDD79957-5801-4A2D-B09E-852E7FA64D01} callerid=ocsetup.exe }
    2. If you were using a remote SQL Server instance, detach the database from the remote server and physically delete the SUSDB.mdf and SUSDB_log.ldf.
    3. If you were using a local SQL Server instance (Standard or Express [See why you should not use Express edition for WSUS]) detach the database from the local server instance and physically delete the SUSDB.mdf and SUSDB_log.ldf.
  3. In IIS, remove the ‘WSUS Administration’ website and the ‘WsusPool’ Application Pool if they still exist.
  4. If you don’t plan on re-installing WSUS, remove the custom compression module that WSUS adds to IIS. For more information on this, visit Mark Berry’s blog post.
    & "$env:windir\System32\inetsrv\appcmd.exe" set config -section:system.webServer/httpCompression /-[name='xpress']
  5. Remove the “C:\Program Files\Update Services” folder.
  6. Remove the WSUS Content folder wherever you had it previously installed (eg. C:\WSUS, or D:\WSUS)
  7. Restart the server.

WSUS should now be completely gone from your system. Now you should be able to re-install the WSUS role, and if necessary, the Windows Internal Database (WID) role too.

To Install WSUS:

  1. Re-add the WSUS Role
    1. Re-add the WID feature if applicable
  2. Restart the server again.
  3. MAKE SURE .NET 4.7 IS NOT INSTALLED FOR SERVERS OLDER THAN 2019 (it comes as a KB number for your server OS, not an add/remove programs installation.) The WSUS post-installer on prior versions to 2019 is not compatible with .NET 4.7 and will always error out. Once WSUS is installed and working, .NET 4.7 can be reapplied and WSUS should still work. The idea here is that you do not want to remove the integral .NET component to Windows (eg. .NET 4.5) as it will remove options like Server Manager and other features. What you want to do is make sure the integral component (eg. .NET 4.5) is NOT upgraded to .NET 4.7 through Windows Update patches.
  4. Run the post-installation configuration.
    1. From an administrative command prompt:
      1. For the Windows Internal Database:
        "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
      2. For any other SQL Database location:
        "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall SQL_INSTANCE_NAME="HOSTNAME" CONTENT_DIR=C:\WSUS

        or

        "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall SQL_INSTANCE_NAME= "HOSTNAME\INSTANCE" CONTENT_DIR=C:\WSUS

Troubleshooting Steps If You Still Have Problems:

  • If you have issues running the post-installation configuration, dis-join the server from the domain, and restart. Try the post-installation steps again. If it works, the issue is a policy on your domain that is causing the issues. You can then re-join the server to the domain.
  • If you are having issues because the C:\Program Files\Update Services\Tools\ folder doesn’t exist, use a local administrator account (not a domain admin account) on the WSUS server to perform the uninstall, restart, and reinstall.
  • If you are having issues running the post-installation, relating to “UnauthorizedAccessException: Attempted to perform an unauthorized operation.” which would be found in the postinstall log, the issue may be that the group policy Computer Configuration\Windows Settings\Security Settings\Local Policies\Manage Auditing and Security Log doesn’t have the Local Administrators group specified. Add the Local Administrators group (Showing up as “Administrators”) to this policy and force an update to the group policies with gpupdate /force
  • If you experience an issue where the error is similar to the following:
    2023-10-05 11:03:05 CreateDefaultSubscription failed. Exception: System.Net.WebException: The request failed with the error message:
    --
    <head><title>Document Moved</title></head>
    <body><h1>Object Moved</h1>This document may be found <a HREF="https://server.domain.local/ApiRemoting30/WebService.asmx">here</a></body>

    You will have to remove the “Windows Process Activation Service” and then install WSUS.

  • If you still experience issues installing WSUS, check the Component Based Servicing (CBS) log (C:\Windows\Logs\CBS\CBS.log) for details. It is possible that your system is missing an update that is preventing you from installing WSUS. If you are missing an update, make sure to run it from an Elevated Command/PowerShell Prompt, and not just double click the MSU file after you download it.

How to Tell if the WID Instance Carries More Than Just the SUSDB Database

To tell if the WID carries more than the SUSDB database, you’ll need to install SQL Server Management Studio (SSMS) and connect to the WID instance to browse the databases. To do this, open SSMS by using right click, “Run as administrator” and in the database server copy/paste

WID2008

np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query

WID2012+

np:\\.\pipe\MICROSOFT##WID\tsql\query

Keep the setting for use Windows Authentication and click connect. It should connect successfully to the WID SQL instance. Then expand Databases and you should see SUSDB and any other databases on this instance.

How To Fix WSUS Synchronization Errors

How To Fix WSUS Synchronization Errors

Sometimes WSUS has issues synchronizing with the upstream server – usually Microsoft, but it can be a local upstream server. Why these errors happen can be for many reasons.Microsoft requires several websites to be accessible through the firewall to synchronize. These...

How to Prepare for On-Prem WSUS UUP Updates

How to Prepare for On-Prem WSUS UUP Updates

Quality updates are coming on March 28 for on-premises Windows 11, version 22H2 devices. The updates are coming via the Unified Update Platform (UUP) which interoperates with WSUS and Microsoft Configuration Manager. UUP quality updates are cumulative, including all...