Worklet: Windows Patch Rollback

  • 26 July 2019
  • 8 replies
  • 362 views

Userlevel 7

The Automox console will allow you to uninstall patches using the Rollback Action from the Device Details page. Unfortunately, this method may become cumbersome for a large number of devices.


So for this scenario, we can apply a Worklet that will allow us to detect the presence of, and subsequently remove, the unwanted patch.


Note: Not all patches are uninstallable. Refer to the Microsoft Update Catalog for details for your particular patch.


Evaluation Code


To evaluate this, we simply need to determine if the patch is present. This is simple to do with the PowerShell command Get-HotFix. Based on the response of that command for the patch we're concerned with, we use the appropriate exit code to indicate its compliance status.


#### EVALUATION CODE ####
# If you want to have an ongoing evaluation use this script
# to see if the patch is present.

# If you just want to manually execute this policy, this can be as
# simple as "Exit 1"

# Change this KB number to match what you want to check for
# Be certain to use the same KB number in both Evaluation and Remediation
$kb = '4503308'

# Check for presence and assign to variable
$installed = Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue

# Check the variable and exit accordingly
if ( $installed ) {
    # Installed is Non-Compliant, so Exit 1
    Exit 1
} else {
    # Otherwise Exit 0 for Compliance
    Exit 0
}

Remediation Code


Method 1 - Windows 7 and Newer


Remediation is more complex in this case. Since Windows 10 removed the option to uninstall patches silently with wusa.exe, we have to dig through packages another way, format the output, and use dism.exe to uninstall the patch.


#### REMEDIATION CODE ####
# Uninstall the specified patch using dism.exe
# Compatible with Windows 7 and Newer

# Change this KB number to match what you want to check for
# Be certain to use the same KB number in both Evaluation and Remediation
$kb = '4503308'

# Retrieve the package list from dism.exe (forced to English so the label text
# is predictable), keep the first "Package Identity" line that names our patch,
# and strip the label to leave the bare package identity.
$package = & dism.exe /online /english /get-packages | Select-String -SimpleMatch "KB$kb" | Select-Object -First 1
if ( -not $package ) { Write-Output "Package Not Found, device is compliant"; Exit 0 }
$packageName = $package.Line.Trim().Replace("Package Identity : ", "")

# Use the package name we just retrieved to trigger the uninstall
$process = Start-Process -FilePath 'dism.exe' -ArgumentList "/Online /Remove-Package /PackageName:$packageName /quiet /norestart" -Wait -PassThru

# Hand dism's exit code back to the worklet so the remediation is reported
# correctly (0 = removed, 3010 = removed but a restart is required)
Exit $process.ExitCode
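The dism.exe method above has two weak spots a practitioner will hit on a fleet: a KB can map to more than one installed package (or to none whose identity contains the KB number at all, which is how Windows 10 cumulative updates are packaged, as Package_for_RollupFix~… identities), and a 32-bit agent on 64-bit Windows must reach the 64-bit dism.exe through the sysnative alias, because the 32-bit DISM cannot service the running 64-bit OS. The following is an added example, not the worklet's own code, that parses the dism package list into objects, removes every installed package naming the KB, cross-checks against Get-HotFix before declaring the device compliant, and returns 3010 when a restart is pending. The KB number is a placeholder; everything else uses only dism.exe options and cmdlets that ship with Windows.

```powershell
# Added example: package-aware rollback via dism.exe (not the original worklet's code).
# Assumptions: $kb is the KB to remove; the script may run as a 32-bit process.
$kb = '4503308'

# A 32-bit process on 64-bit Windows must call dism.exe through the sysnative alias:
# the 32-bit DISM refuses to service the running 64-bit OS.
$dism = Join-Path $env:windir 'System32\dism.exe'
if ( [IntPtr]::Size -eq 4 -and (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture -match '64-bit' ) {
    $dism = Join-Path $env:windir 'sysnative\dism.exe'
}

# /English forces the labels we parse regardless of the system UI language.
$output = & $dism /online /english /get-packages
if ( $LASTEXITCODE -ne 0 ) { Write-Output "dism /get-packages failed with $LASTEXITCODE"; Exit $LASTEXITCODE }

# Turn the text listing into one object per package with its Identity and State.
$packages = @()
$current = $null
foreach ( $line in $output ) {
    if ( $line -match '^Package Identity : (.+)$' ) {
        $current = New-Object PSObject -Property @{ Identity = $Matches[1].Trim(); State = '' }
        $packages += $current
    } elseif ( $current -and $line -match '^State : (.+)$' ) {
        $current.State = $Matches[1].Trim()
    }
}

# Identities look like Package_for_KB4503308~31bf3856ad364e35~amd64~~10.0.1.0;
# the trailing '~' keeps KB4503308 from also matching KB45033081.
$targets = @($packages | Where-Object { $_.Identity -like "*KB$kb~*" -and $_.State -eq 'Installed' })

if ( $targets.Count -eq 0 ) {
    # No package identity names this KB. Before calling the device compliant, apply the
    # same test the evaluation uses: if Get-HotFix still sees the KB, the update is installed
    # under an identity that does not contain the KB number and must be located by hand
    # (dism /online /get-packageinfo /packagename:<identity> shows each package's details).
    if ( Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue ) {
        Write-Output "KB$kb is installed but no package identity contains it; locate the package manually"
        Exit 1
    }
    Write-Output "Package Not Found, device is compliant"
    Exit 0
}

# Remove every matching package; stop at the first failure and surface its exit code.
$rebootRequired = $false
foreach ( $target in $targets ) {
    Write-Output "Removing $($target.Identity)"
    $process = Start-Process -FilePath $dism -ArgumentList "/Online /Remove-Package /PackageName:$($target.Identity) /quiet /norestart" -Wait -PassThru
    switch ( $process.ExitCode ) {
        0       { }
        3010    { $rebootRequired = $true }   # ERROR_SUCCESS_REBOOT_REQUIRED
        default { Write-Output "dism failed with $($process.ExitCode)"; Exit $process.ExitCode }
    }
}

# 3010 tells the caller a restart is still needed before the rollback is complete.
if ( $rebootRequired ) { Exit 3010 }
Exit 0
```

Exiting 1 in the "installed but not found" case is deliberate: the device stays non-compliant in the console instead of silently passing, which is the failure mode that a plain string match on the dism output hides.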

Method 2 - Windows 8 and Older


For the sake of example, here is the simpler version that can be used on devices using older operating systems (Windows 8 and older). The one complication here lies in the need to use the ‘sysnative’ path to wusa.exe when running on a 64-bit operating system. So we add a check for that and act accordingly.


Note: This is necessary because Automox runs as a 32-bit process even on 64-bit versions of Windows.


#### REMEDIATION CODE ####
# Uninstall the specified patch using wusa.exe
# Compatible with Windows 8 and Older

# Change this KB number to match what you want to check for
# Be certain to use the same KB number in both Evaluation and Remediation
$kb = '4503308'

# Determine OS Architecture to set path for wusa.exe
$osArch = (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture

# Define the FilePath to wusa.exe based on OS Architecture.
# The 'sysnative' alias only exists for 32-bit processes (such as the Automox
# agent) on 64-bit Windows; a 64-bit process must use System32 directly.
if ( $osArch -match '64-bit' -and [IntPtr]::Size -eq 4 ) {
    $filePath = Join-Path $env:windir 'sysnative\wusa.exe'
} else {
    $filePath = Join-Path $env:windir 'System32\wusa.exe'
}

# Uninstall and save the exit code to determine success/failure
# (0 = removed, 3010 = removed but a restart is required)
$process = Start-Process -FilePath $filePath -ArgumentList "/uninstall /KB:$kb /quiet /norestart" -Wait -PassThru
Exit $process.ExitCode



Userlevel 3

This is really useful, thanks

Userlevel 7

Glad this one is helpful! Are there any other tasks you’d like to automate through worklets? I’m working on collecting all the existing worklets in the community as well as writing more, so any requests and suggestions would be helpful.

Userlevel 2
Badge

Hi Nic,


Could this same worklet be used to check for the KB and then install the KB if it is not found? I was thinking if I change the last line from Remove-Package to Add-Package. Would that work to check for the KB and if it is not found install it??

Userlevel 7

Possibly - although typically we’d do that through the native patching function. You can search for a KB number on the software page and install it that way.

Userlevel 2
Badge

Yup my bad should have thought of that first instead of trying to make things hard for myself. Thanks again for the help

Userlevel 2
Badge

Hi Nic,


I’m trying to roll back KB5004237, however when I run the script it says Package Not Found, device is compliant. I’ve looked at the devices in question and they still have the patch installed. I’ve checked the MS Catalog and this patch can be removed by selecting View installed updates in the Programs and Features Control Panel.


Please let me know what I’m doing wrong.

Userlevel 6
Badge

Would you be able to reach out to our support team so they can take a deeper look and pinpoint the issue? The best way is to submit a ticket via the Customer Portal and they’ll take care of you.

Userlevel 2
Badge

This issue has been resolved.
