Microsoft shipped its latest round of security patches on April 9, 2025, and within 48 hours, reports of boot failures, sluggish performance, and broken VPN connections began flooding Reddit and Microsoft’s own support forums. If your PC started misbehaving right after Patch Tuesday, the culprit is almost certainly one of those updates—and you don’t have to live with it.

The good news: every modern Windows build includes a built-in escape hatch. You can strip out a problematic update through the Settings app, classic Control Panel, or command-line tools like WUSA and DISM. The trick is knowing which method to reach for and when.

What Actually Changed—and What’s Breaking

The April 2025 cumulative update for Windows 11 24H2 (KB5053654) was supposed to close 68 security vulnerabilities and polish the taskbar’s weather widget. Instead, it introduced a memory leak in the Local Security Authority Subsystem Service (LSASS) that forces domain-joined machines to reboot every 30 minutes. On Windows 10 22H2, KB5053606 is blocking some third-party VPN clients from establishing a tunnel, a regression that Microsoft hasn’t formally acknowledged as of this writing.

Separately, the Windows Recovery Environment (WinRE) dynamic update KB5053728 is triggering BitLocker recovery key prompts on a small subset of Surface Laptop 6 devices. These aren’t theoretical hair-pullers; they are documented in Microsoft’s own “known issues” list, with mitigation steps that amount to “uninstall the update until we fix it.”

These three patches aren’t the first troublemakers of the year. February’s KB5050094 broke audio on USB DACs, and January’s KB5049622 nuked Citrix’s HDX redirection. The cadence is familiar: quality-improvement updates land, regressions slip through testing, and the rollback tools get a workout.

What This Means for You

For home users: You’re most likely to notice a problem when Windows Update auto-installs a patch overnight and you wake to a machine that can’t connect to Wi-Fi or keeps showing the Blue Screen of Death. The fix is usually a simple uninstall via Settings, and then you can pause updates for a week to give Microsoft time to ship a corrected version.

For IT administrators: Domain-joined workstations that pull updates from WSUS or Microsoft Endpoint Manager are the canaries. When KB5053654 triggers an LSASS leak, no amount of group-policy tweaking will stop the reboots—you need to uninstall en masse, which means PowerShell scripts that call wusa.exe /uninstall or DISM commands. This is also a good moment to revisit your deployment rings and delay patches for pilot groups by at least 14 days.

For developers and power users: If you rely on a hypervisor stack, custom kernel drivers, or non-mainstream VPN protocols, new patches can break your toolchain. Keeping a system restore point before every Patch Tuesday is your cheapest insurance policy.

How We Got Here: A Brief History of Busted Updates

The patch-rollback dance isn’t new. Microsoft’s servicing model shifted dramatically in 2016 with the introduction of cumulative updates. Before that, you could uninstall a single security fix without affecting others; today, all patches for a given month are baked into one monolithic package. That makes rollback all-or-nothing—but it also means the guidance is uniform across millions of devices.

Microsoft added the “Uninstall updates” button to Settings with Windows 10 version 1607, recognizing that users needed a graphical escape route. The Windows Update Standalone Installer (WUSA) and Deployment Image Servicing and Management (DISM) tools have existed since the Vista era, and they remain the fallback when the GUI fails. The prevalence of bad updates hasn’t declined—the October 2018 file-deletion bug, the March 2021 printer bluescreen, and the endless parade of PrintNightmare collateral damage all taught the same lesson: knowing how to rollback is as essential as knowing how to install.

Your Step-by-Step Removal Toolkit

Which method you use depends on how badly your system is hobbled. If you can still boot to the desktop, start with Settings. If you’re stuck in a boot loop, jump to advanced recovery or the command line.

Method 1: Settings App (Fastest for a Single Buggy Patch)

  1. Press Windows + I to open Settings.
  2. Click Windows Update (or Update & Security on older Windows 10 builds).
  3. Select Update history.
  4. Scroll down and click Uninstall updates.
  5. Find the offending update—look for the KB number in the “Microsoft Windows” section. If you’re unsure, sort by “Installed On” to find the most recent patch.
  6. Select the update and click Uninstall. Confirm and restart.

This works for standard cumulative updates and some driver updates. It does not remove servicing stack updates (those are permanent) or .NET patches that are listed separately.

Method 2: Control Panel (Classic Interface)

The Control Panel route is identical but appeals to admins who still navigate via the old-style Programs and Features window.

  1. Open Control Panel (search for it in Start).
  2. Under Programs, click Uninstall a program.
  3. In the left pane, click View installed updates.
  4. Locate the KB, right-click it, and choose Uninstall. Restart.

This interface often loads faster than the Settings counterpart on spinning hard drives—if you’re supporting a fleet of older PCs, it’s worth bookmarking.

Method 3: WUSA via Command Prompt (Scriptable and Remote-Friendly)

When you need to uninstall an update from an elevated command prompt—perhaps via remote management or a PowerShell script—use the Windows Update Standalone Installer:

  1. Open Command Prompt as Administrator.
  2. Type the command exactly: wusa /uninstall /kb:5053654 (substitute your KB number).
  3. If the update is installed, Windows will ask for confirmation. If you want a fully silent removal (useful for scripts), add the /quiet and /norestart switches: wusa /uninstall /kb:5053654 /quiet /norestart.
  4. Reboot manually afterward.

WUSA is also the official way to remove a package that was installed from the Microsoft Update Catalog, making it the first resort when you manually downloaded an update to test.

Method 4: DISM (When All Else Fails)

DISM is the nuclear option. It can enumerate and remove packages that WUSA can’t touch, and it works from a recovery environment when Windows won’t boot.

  1. Boot to Advanced Startup (hold Shift while restarting, or boot from installation media).
  2. Navigate to Troubleshoot > Advanced Options > Command Prompt.
  3. List installed packages by typing: dism /image:C:\ /get-packages /format:table (adjust the drive letter if your Windows partition is mounted elsewhere).
  4. Find the package identity that includes the KB number—look for something like Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.xxxx.x.x.
  5. Remove it: dism /image:C:\ /remove-package /packagename:[full package identity]
  6. If that fails because the package is permanently marked, you can try dism /image:C:\ /cleanup-image /revertpendingactions to undo any staged installation.

DISM is unforgiving—typos can strand your installation—so use it only when WUSA and the GUI are unavailable.

Bonus: System Restore as a Last Resort

If you enabled System Protection before the bad patch arrived, you’re in the clear even if the update refuses to uninstall.

  1. Search for Create a restore point in Start.
  2. Click System Restore.
  3. Choose a restore point created before the update installed.
  4. Follow the prompts and restart.

This method reverses the entire system state, so any documents or settings changed after the restore point will be lost—make a backup first if you can.

What to Watch Next

Microsoft typically acknowledges a widespread regression within two weeks and ships an out-of-band fix if the issue is severe. For KB5053654, expect a re-release by mid-May, likely as a preview cumulative update. Until then, keep the problematic update uninstalled and pause updates: go to Settings > Windows Update > Pause for 1 week (you can extend that up to five times).

On the transparency front, the Windows release health dashboard remains the best source for confirmed issues—bookmark it. And if history is any guide, the June optional preview will introduce a new servicing stack update that finally addresses this quarter’s stability regressions, but don’t hold your breath.

Your rollback toolkit is now fully stocked. The next time a Patch Tuesday goes sideways, you’ll be back in business before your morning coffee gets cold.