In this post we will see how to roll back a patch using Configuration Manager. Assume that you have deployed a set of updates to your Windows computers and one of the updates is causing issues on all the systems. You have been told to find that update and uninstall it from all systems. Identifying the update may take a lot of troubleshooting. Once you have identified it, you want to uninstall it from multiple systems.
I will show you a simple way of uninstalling or removing a patch using SCCM. Let’s say you have identified the update and it’s KB3004394. Now that you know the KB number, you can use a task sequence to uninstall the patch from multiple systems. Task sequences can do a lot of things. They can deploy an operating system image to a destination computer, build and capture an operating system image from a set of operating system installation files, and capture and restore user state information.
How to Rollback a Patch using Configuration Manager
Open the Control Panel on one of the client computers. Click on Programs > Programs and Features > Installed Updates. You can see which updates are installed on the system. In this example we will see how to uninstall KB3004394.
In the Configuration Manager console, navigate to Software Library > Overview > Operating Systems > Task Sequences. To start the New Task Sequence Wizard, right-click the Task Sequences node, and then click Create Task Sequence.
On the Create a New Task Sequence page, select Create a new custom task sequence. Click Next.
Specify a Task sequence name and click Next. Don’t choose any boot image in this step.
Click Next on the Summary page.
Finally click Close. You have just created a blank task sequence.
Right-click the task sequence that you created and click Edit. In the TS editor, click Add > General > Run Command Line.
In the command line type wusa.exe /uninstall /kb:KBNUMBER /quiet /norestart. Click OK. The TS is ready to be deployed.
Explanation of the command:
- wusa.exe – Windows Update Standalone Installer executable.
- /uninstall – The installer will uninstall the package.
- /kb:KBNUMBER – Install/Uninstall the package associated with KBNumber.
- /quiet – quiet mode, no user interaction here.
- /norestart – Will not initiate reboot when combined with quiet mode.
Right click the Task sequence and click Deploy. On the General page, click on Browse and choose the collection. Click Next.
For Deployment Settings, choose Available or Required. In this example I have set the deployment setting to Required. Click Next.
Difference between Available and Required in SCCM
Available – If the application is deployed to a user, the user sees the published application in the Application Catalog and can request it on demand. If the application is deployed to a device, the user will see it in the Software Center and can install it on demand. In simple words Available applications mean that users can choose to install the software when they want.
Required – The application is deployed automatically according to the configured schedule. However, a user can track the application deployment status if it is not hidden, and can install the application before the deadline by using the Software Center. Required applications have an installation schedule and automatically install if they are not already installed by a defined deadline.
To schedule the deployment, click on New and choose the Assignment schedule as As soon as possible. Click Next.
On Specify how to run the content for this program page, choose the Deployment options as Download all content locally before starting task sequence. Click Next.
After a few minutes, launch Software Center on the client machine and you will see that the task sequence has done its work. The patch has been uninstalled by the task sequence.
For troubleshooting, open the smsts.log file located on the client machine.
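The wusa.exe step above runs blind: it does not check whether the update is present and does not interpret the result. The following script is an added example, not part of the original post, that could be run from the same Run Command Line step; the parameter name KbId and the message texts are assumptions made for the example, and KB3004394 is the KB used in this post.

```powershell
# Added example (not from the original post): checked removal of one update.
# $KbId is a hypothetical parameter name; the default is the KB used in the post.
param(
    [ValidatePattern('^KB\d+$')]
    [string]$KbId = 'KB3004394'
)

# Pre-check: skip machines where the update is not listed as installed.
if (-not (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)) {
    Write-Output "$KbId is not installed on $env:COMPUTERNAME; nothing to do."
    exit 0
}

# wusa.exe takes the numeric part of the KB identifier after /kb:
$number = $KbId -replace '^KB', ''

# Call wusa.exe by full path so the step does not depend on the search path.
$wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
$wusaArgs = @('/uninstall', "/kb:$number", '/quiet', '/norestart')
$proc = Start-Process -FilePath $wusa -ArgumentList $wusaArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0 {
        $msg = "$KbId removed."
        $rc = 0
    }
    3010 {
        # ERROR_SUCCESS_REBOOT_REQUIRED: /norestart suppressed the restart,
        # so the removal completes only after the machine reboots.
        $msg = "$KbId removed; restart pending."
        $rc = 3010
    }
    2359303 {
        # 0x00240007 (WU_S_ALREADY_UNINSTALLED): the update was not installed.
        $msg = "$KbId was already uninstalled."
        $rc = 0
    }
    default {
        $msg = "wusa.exe failed for $KbId with exit code $($proc.ExitCode)."
        $rc = $proc.ExitCode
    }
}

Write-Output $msg
exit $rc
```

Because the script exits with a distinct code for each outcome, a failed removal shows up as a failed step in smsts.log instead of passing silently.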