How To Automatically Uninstall Microsoft Software Updates Through Patch Management

Article ID: 180315

Products

Patch Management Solution for Windows

Issue/Introduction

 

Resolution

Patch Management Solution currently does not support a method for uninstalling patches; however, this can be easily accomplished by using Run Script tasks to run commands to uninstall the patches.

1. Create the Script Task to run the uninstall command line.

  • Go to Manage>Jobs and Tasks.
  • Select an appropriate folder to create the task under.
  • Right-click on the folder and go to New>Task.
  • The Create New Task window will appear.
  • Scroll down to the bottom of the available tasks and select Run Script.
  • Name the task appropriately.
  • Leave Script type: set to Command Script.
  • In the empty box enter the command line to uninstall a particular patch. Different command lines are required for different types of patches (see Alternative Commands section) but the following command works for MOST Microsoft updates (NOT Office updates) and in this example would uninstall KB3079904:

C:\Windows\System32\wusa.exe /uninstall /kb:3079904 /quiet /norestart

  • Click OK to close the Create New Task window and save the task.

2. Run the Script Task

  • Click on New Schedule, choose Now or specify a schedule time and repeat interval.
  • Specify target computers to run the task on.
  • To target a single computer click in the Quick add: box and search for the name of the computer, or use the Quick Run feature instead of New Schedule.
  • To target a list of computers click on Add>Computers or Devices then manually select the desired computers and click > and OK.
  • To target a computer filter (such as All Computers) click on Add>Target, click Add rule, choose exclude computers not in, and search the name of the filter in the final drop-down box, then click OK.
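
The following wrapper is an added example, not part of the original article or the product. It runs the same wusa.exe command and maps its exit codes so that the task reports an accurate result and leaves a record of the patch removal in the task output. It assumes the script runs as PowerShell with administrative rights rather than as a Command Script; the parameter name `KbNumber` is hypothetical.

```powershell
# Added example (not from the article): uninstall one KB with wusa.exe and
# translate the exit code into a clear success/failure for the task status.
param(
    [string]$KbNumber = '3079904'   # KB used in the article's example
)

$kbId = "KB$KbNumber"

# Record the pre-removal state for the audit trail. Get-HotFix does not list
# every update type, so this is informational and does not gate the uninstall.
$before = Get-HotFix -Id $kbId -ErrorAction SilentlyContinue
if ($before) {
    Write-Output "$kbId is listed as installed (InstalledOn: $($before.InstalledOn))."
} else {
    Write-Output "$kbId is not listed by Get-HotFix; attempting removal anyway."
}

# Same command line as in the article, started so the exit code can be read.
$wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
$proc = Start-Process -FilePath $wusa `
    -ArgumentList '/uninstall', "/kb:$KbNumber", '/quiet', '/norestart' `
    -Wait -PassThru

switch ($proc.ExitCode) {
    0 {
        Write-Output "$kbId removed."
        exit 0
    }
    3010 {
        # ERROR_SUCCESS_REBOOT_REQUIRED: removal completes after the next restart.
        Write-Output "$kbId removed; a reboot is required to finish."
        exit 0
    }
    2359303 {
        # 0x00240007 (WU_S_ALREADY_UNINSTALLED): the update was not present.
        Write-Output "$kbId was not installed; nothing was changed."
        exit 0
    }
    default {
        Write-Error "wusa.exe failed for $kbId with exit code $($proc.ExitCode)."
        exit $proc.ExitCode
    }
}
```

Because /norestart is used, a machine that returns 3010 still has the update's files in place until it restarts, so schedule the reboot separately and track which computers no longer have the fix applied.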

Alternative Commands for uninstalling patches:

  • Java Software: Link provides examples of replacement scripts that uninstall the current version and replace it with another
  • Some updates provide an uninstall command line in the registry; search for the update in the registry keys under:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  • Example of a command found in the registry: C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe
  • Microsoft Office Updates: If the update was installed via MSI or MSU file, find the Product Code and Update Code in the registry and use this command: msiexec /I {[Product Code]} MSIPATCHREMOVE={[Update Code]} /qn REBOOT=REALLYSUPPRESS
    • This blog describes a more difficult method
  • Adobe Software (use the Product Code and Update Code found in the registry): msiexec /x {[Package Name | Product Code]} /qn
  • Please search the internet for uninstall commands for other updates; some updates have NO silent uninstall command

Advisory: Some updates, like the ones provided by Java, are full installs and do not roll back. The software must instead be replaced with the previous version of the executable, which Patch Management does not provide because it downloads only the current version of the supported software. Test the Java deployment in an isolated environment to ensure it deploys correctly before rolling it out in production.