How to Remove or Modify WSUS Registry Entries for Successful Patch Installation

Product Version: 6.5.0.0

Overview

This article provides steps to modify or remove specific Windows Registry entries related to WSUS (Windows Server Update Services) to ensure the successful installation of Windows patches and remediations on end-user devices. These steps are recommended when WSUS entries exist on devices that are not configured to use WSUS, as such entries can interfere with the patch installation process.

Background

In some environments, devices may retain WSUS-related registry entries even if WSUS is no longer in use. These residual entries can cause devices to look for updates from an incorrect or unreachable WSUS server, leading to patch installation failures. Removing or correcting these registry entries allows Windows Update and Saner’s Patch Management to function correctly, ensuring that patches and remediations are applied successfully.

Solution

Follow the steps below to remove or modify WSUS-related registry entries:

1. Identify the Problematic Registry Entries

1. Open the Registry Editor (regedit) on the device.

2. Navigate to the following registry paths:

   
   

   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

   
   

3. Check for WSUS-related keys such as WUServer, WUStatusServer, or UseWUServer.

2. Modify or Remove WSUS Registry Entries

If the entries contain an incorrect or non-functional WSUS server address, remove or modify them:

• Remove the WSUS Server Address:
  Delete the registry values WUServer and WUStatusServer, or set them to a blank value (-).
  

• Disable WSUS Update Settings:
  Set the value of UseWUServer to 0, or delete the key entirely.

Note: Editing the registry should be performed with caution. It is recommended to back up the registry before making any modifications.

3. Create a Registry Modification File

To simplify the process and make it deployable across multiple systems, create a .reg file with the following content:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"=-
"WUStatusServer"=-
"EnableWindowsUpdateAutoUpdate"=-

Steps to create the file:

1. Open Notepad and paste the above content.

2. Save the file with a .reg extension, e.g., Remove_WSUS_Entries.reg.

4. Deploy the Registry File via Endpoint Management (EM)

1. Compress the .reg file into a .zip format for easier deployment.

2. Use the Saner Endpoint Management (EM) module to deploy the zipped file across all target devices.
   

3. After successful deployment, the WSUS entries will be removed from the respective devices.

Conclusion

By removing or correcting misconfigured WSUS-related registry entries, you can ensure that devices receive and install patches seamlessly. Deploying these changes through Saner Endpoint Management helps maintain system compliance, enhances security posture, and reduces administrative overhead across your environment.