How to Rollback / Remove a Patch using SCCM (ConfigMgr)
Oddly, just recently I’ve been getting an increase of this question from people so I feel it is about time I put up a post about this. First of all, the reason why you’re wanting to rollback or remove a patch is most probably because it is causing you some trouble after it is installed. You need to first know the offending patch that is causing all the problem that you’re having. Now that involves some amount of your own investigation maybe by asking questions like when did these problems begin to surface and what was the patch that was recently installed…but I’ll leave that to you. 🙂
Once you have identified the patch that you would like to rollback, the rest is pretty simple. Maybe the only caveat in this post is, this only works on Windows 7 and above. Yes, that means Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012. It will not work on your Windows Vista or Windows Server 2008, not to mention Windows XP. That calls for another post should I see more people asking about it.
So let’s just say you’ve identified KB2781197 is the one you needed to rollback from thousands of computers. Doing it manually on each computer through the Installed Updates screen in control panel is not going to cut it.
The idea behind it working is using the wusa.exe that is build into Windows 7 and above. This can be found in C:\Windows\System32 and C:\Windows\SysWOW64 depending on which version of Windows. What you need to do is to kick this off using the command line with parameters behind it. In our case of KB2781197 you can use the command line below:-
C:\Windows\System32\wusa.exe /uninstall /kb:2781197 /quiet /norestart
In a case where you’re doing this in a mass deployment like ConfigMgr, it is a good idea to include the /quiet switch to make it run silently in the background. The /norestart switch is a good idea too in order to avoid the computer from rebooting right after the removal process is complete. Trust me, it’ll help you avoid all those unnecessary helpdesk calls from your users saying their computer just rebooted for no apparent reason!
The thing to do now is to get ConfigMgr to execute this command line on all your machines for you. The way to do this is to use Task Sequence instead of creating a package/program. Package/program may work well for your 32-bit systems but will mostly fail on your 64-bit systems. There is also an option in Task Sequence that you need to disable, but I’ll cover that in a little while.
Create a new custom Task Sequence. Right-click and select Create Task Sequence. It might be a good idea to create a folder to help you organize your Task Sequences.
Select Create a new custom task sequence, then click Next.
Name your Task Sequence. Since you’re not deploying an operating system here, you do no need to specify a boot image. Go ahead and click Next to proceed.
At the Summary page, click Next.
Click Close at the Completion screen.
Now you’ve got a Task Sequence created, time to edit it. So, right-click on the Task Sequence you just created and select Edit.
Because you created a custom Task Sequence you’ll start with an empty one.
Click the Add button at the top of the screen and select General > Run Command Line.
In the command line box, here’s where you enter the command line that you want to execute to rollback the patch from your machines. So like what was stated up there, the command line would be something like C:\Windows\System32\wusa.exe /uninstall /kb:<kb number>/quiet /norestart. Remember to select the check-box beside Disable 64-bit file system redirection. This is the option you need to select in order for it to run successfully on both 32-bit and 64-bit that was mentioned earlier. Click OK once you’re done editing the Task Sequence.
Now, deploy the Task Sequence to the collection you want to rollback the patch. Right-click on the Task Sequence you’ve just edited and select Deploy.
Select the collection of computers you want to rollback the patch.
It’s really up to you whether you would like to make your deployment an Available one or Required one. Personally and realistically you would probably want to make it Required since the patch is already causing problems to your environment. Click Next to proceed.
Because you’re deploying it as a Required deployment you need to add an Assignment. So go ahead and click the New button to add as either a Schedule or an Event assignment.
You can leave this page as default and just click Next to proceed.
Unless you want it to generate alerts, you can leave this as default too.
And default on this too, click Next.
Click Next here.
Click Close and you’re done!