How to rollback a Microsoft patch

Sometimes a hotfix needs to be uninstalled and rolled back; this is how I do it.

First of all, if it isn’t already done, stop the hotfix from being deployed any further. Find it under the path below and use Edit Membership to remove it from the software update group(s) it is deployed through, so no more clients install it while you roll it back.

\Software Library\Overview\Software Updates\All Software Updates

[Screenshot: Edit Membership of the hotfix]

Now we need to find out which clients have the patch installed.

Enable Quick Fix Engineering (the Win32_QuickFixEngineering WMI class) in Hardware Inventory. It can be found in \Administration\Overview\Client Settings, under Default Client Settings (or a custom client settings object, if you prefer to scope it). This class lists updates installed through the Windows Update agent or wusa.exe, which is exactly what we need here.

[Screenshot: Default Client Settings]

Under Hardware Inventory, click Set Classes and select Quick Fix Engineering.

[Screenshot: Quick Fix Engineering selected in Hardware Inventory Classes]

Later on, I’ll use a PowerShell script as the detection method to verify whether the hotfix is installed or not. For an unsigned script to run, the client setting ‘PowerShell execution policy’ needs to be changed to ‘Bypass’. If you would rather not allow unsigned scripts on every client, sign the detection script and keep the policy at ‘AllSigned’ instead; either way works for the script below.

This is configured in the Computer Agent settings.


Now it’s time for a ConfigMgr coffee while the clients receive their new settings.
You also have to wait for the next hardware inventory cycle to run before you know which computers have the hotfix installed.

Now it’s time to create the application that will do the uninstallation.
Create an application with the manual option (‘Manually specify the application information’), name it something like “Rollback KB3025390”, and for the deployment type select ‘Script Installer’.



Uninstall program: wusa.exe /uninstall /kb:3008923 /quiet /norestart
The installation program cannot be empty, and this application is only ever deployed as an uninstall, so just type cmd /c there.

For the detection method I use a PowerShell script. Remember how ConfigMgr reads a script detection method: anything written to STDOUT together with exit code 0 means “installed”, no output with exit code 0 means “not installed”. For a rollback application that means the script must report “installed” when the hotfix is still present.




If the hotfix can be uninstalled and the computer doesn’t need a reboot for it to take effect, but wusa.exe still returns 3010, change that return code’s behaviour on the deployment type’s Return Codes tab (3010 is ‘Soft reboot’ by default). If you don’t change this, the client will schedule a restart, which with the default Computer Restart client settings happens after 90 minutes.
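Here is a script that covers both halves of the deployment type described above: run without parameters it acts as the detection method (it checks the same Win32_QuickFixEngineering class that hardware inventory collects, so the console data and the client’s own view agree), and run with -Uninstall it wraps the wusa.exe call and maps the return codes. This is an added example, not the script from the original post; the KB number is a placeholder taken from the wusa command line above, and the return code 2359303 (0x240007, WU_S_ALREADY_UNINSTALLED) is the value wusa.exe reports when the update is not present.

```powershell
# Rollback-Hotfix.ps1 (added example, not the original post's script)
# Detection method: run with no arguments. Uninstall program: run with -Uninstall.
# ConfigMgr detection rules: output + exit 0 = installed, no output + exit 0 = not installed.
param(
    [string]$Kb = 'KB3008923',   # placeholder: the KB from the wusa /kb: command line
    [switch]$Uninstall
)

# Win32_QuickFixEngineering lists updates installed via the Windows Update agent / wusa.exe,
# which is the same class hardware inventory reports on once it is enabled.
function Test-HotfixPresent {
    param([Parameter(Mandatory)][string]$KbId)
    $qfe = Get-CimInstance -ClassName Win32_QuickFixEngineering -Filter "HotFixID='$KbId'"
    return [bool]$qfe
}

if (-not $Uninstall) {
    # Detection: the "Rollback" application is "installed" while the hotfix is still on the box.
    if (Test-HotfixPresent -KbId $Kb) {
        Write-Output "$Kb is present"
    }
    exit 0
}

# Uninstall: wusa.exe /uninstall /kb:<number> /quiet /norestart
$kbNumber = $Kb -replace '^KB', ''
$wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
$proc = Start-Process -FilePath $wusa -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output "$Kb removed"; exit 0 }
    # 3010 = reboot pending. If no reboot is really needed, map 3010 to Success on the
    # deployment type's Return Codes tab instead of hiding it here.
    3010    { Write-Output "$Kb removed, reboot pending"; exit 3010 }
    # 0x240007 WU_S_ALREADY_UNINSTALLED: the KB was never there, so treat the rollback as done.
    2359303 { Write-Output "$Kb not installed"; exit 0 }
    default { Write-Error "wusa.exe returned $($proc.ExitCode) for $Kb"; exit $proc.ExitCode }
}
```

Paste the script into the detection method as-is (the parameters keep their defaults there), and for the uninstall program call it with powershell.exe -NoProfile -ExecutionPolicy Bypass -File Rollback-Hotfix.ps1 -Uninstall, with the script in the deployment type’s content folder. If you keep the client execution policy at AllSigned, sign the script first.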


Now that the application is done it’s time to deploy it to a collection. First you select a few clients to test it on, of course. For the real thing, create a Rollback collection, for example a query-based collection on the Quick Fix Engineering inventory data you enabled earlier.

[Screenshot: Rollback collection]

Now the last step is the deployment; just remember to select Uninstall as the action :)


And I don’t want the user to see anything, so I hide all notifications.

[Screenshot: User Experience settings of the deployment]

Hope you will find this useful

Have a nice day

ConfigMgr Client with Hotfix

It’s a good idea to create a separate ConfigMgr client package to use in OS deployment. By doing this, you get more control over it than with the default, read-only client package.

This is how I usually set it up so it works together with Jason Sandys’ startup script as well.
Download the startup script from Jason Sandys’ blog and get the SCCMClientHotfixPath script from The Deployment Guys.

Build the package source like this:

1. Create a folder called “ConfigMgr_Client_with_Hotfix”, then create another folder called Client inside it.
2. Copy the content of “\\cm01\SMS_PS1\Client” to the newly created Client folder.
3. In the Client folder, create a Hotfix folder and copy the content of “\\cm01\SMS_PS1\hotfix\KB3074857\Client” to it.
4. Copy the SCCMClientHotfixPath.wsf script to the Client folder. You also need to copy ZTIUtility.vbs into the Client folder; you’ll find that file in your MDT Files package.

Your folder structure should look something like this.

[Screenshot: ConfigMgr_Client_with_Hotfix folder structure]

Copy the startup script from Jason Sandys to the root of the “ConfigMgr_Client_with_Hotfix” folder. Also create a “Logs” folder at this location and give Authenticated Users Modify permission to it, so the startup script can write error logs there. (This folder should remain empty if everything works fine.) Give that permission to the Logs folder only: the startup script and the client binaries in the other folders run as SYSTEM on every computer at boot, so they must stay read-only for ordinary users.
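The following script builds the package source exactly as described in the steps above and then verifies that the Logs folder is the only place Authenticated Users can write to. It is an added example, not part of the original post or of the startup script download; the share paths are the ones used in the post, the MDT Files path and the startup script file names (ConfigMgrStartup.vbs and ConfigMgrStartup.xml) are assumptions for your environment.

```powershell
# Build-ClientPackage.ps1 (added example). Run as an account with write access to the share.
$root     = '\\cm01\sources$\OSD\ConfigMgr_Client_with_Hotfix'
$client   = Join-Path $root 'Client'
$hotfix   = Join-Path $client 'Hotfix'
$logs     = Join-Path $root 'Logs'
$siteSrc  = '\\cm01\SMS_PS1'                      # site server share from the post
$mdtFiles = '\\cm01\sources$\OSD\MDT\Files'       # assumption: your MDT Files package source
$downloads = '.\Downloads'                        # assumption: where you unpacked the two downloads

foreach ($d in $client, $hotfix, $logs) {
    New-Item -ItemType Directory -Path $d -Force | Out-Null
}

# Steps 2-4 from the post: client binaries, client hotfix, the two scripts
Copy-Item -Path (Join-Path $siteSrc 'Client\*')                    -Destination $client -Recurse -Force
Copy-Item -Path (Join-Path $siteSrc 'hotfix\KB3074857\Client\*')   -Destination $hotfix -Recurse -Force
Copy-Item -Path (Join-Path $downloads 'SCCMClientHotfixPath.wsf')  -Destination $client -Force
Copy-Item -Path (Join-Path $mdtFiles 'Scripts\ZTIUtility.vbs')     -Destination $client -Force

# Startup script and its XML go in the root of the package source
Copy-Item -Path (Join-Path $downloads 'ConfigMgrStartup.vbs'), (Join-Path $downloads 'ConfigMgrStartup.xml') `
          -Destination $root -Force

# Logs is the only folder Authenticated Users (S-1-5-11) may modify.
# icacls accepts the SID directly, so this works on non-English systems too.
icacls $logs /grant '*S-1-5-11:(OI)(CI)M' | Out-Null

# Verify: nothing else under the root grants Authenticated Users write/append access.
$authUsers = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11').
             Translate([System.Security.Principal.NTAccount]).Value
$writeBits = 2 -bor 4    # FileSystemRights WriteData(2) | AppendData(4); FullControl/Modify include both

function Test-PackageSourceAcl {
    param([string]$Root, [string]$Allowed)
    $problems = @()
    Get-ChildItem -Path $Root -Directory -Recurse | Where-Object { $_.FullName -ne $Allowed } | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        $bad = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $authUsers -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $writeBits) -ne 0
        }
        if ($bad) { $problems += $_.FullName }
    }
    return $problems
}

$writable = Test-PackageSourceAcl -Root $root -Allowed $logs
if ($writable) {
    Write-Warning "Authenticated Users can write to: $($writable -join ', ')"
} else {
    Write-Output 'OK: only the Logs folder is writable by Authenticated Users'
}
```

If the share itself inherits a permissive ACL (a common finding on sources$ shares), the check will flag the Client folder; fix inheritance on the package root rather than relying on the startup script never being tampered with.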

[Screenshot: Client folder content]

Make your changes to ConfigMgrStartup.xml. For reference, review the ConfigMgr Startup Script.pdf that comes with the script download. This is what my sample file looks like:

Now it’s time for the GPO. Create a GPO with a computer startup script and edit it so it looks something like this.

[Screenshot: GPO startup script settings]

Next time a computer reboots it will check whether it has the latest client version and patches; if not, the script will update it for you :)

On to the OSD part.

Create a package in the ConfigMgr console and name it “ConfigMgr Client with Hotfix”, with the source files pointing to “\\cm01\sources$\OSD\ConfigMgr_Client_with_Hotfix\Client”. Don’t create a program for the package.

[Screenshots: Create Package wizard, and “Do not create a program”]

In the task sequence, add a Set Task Sequence Variable step that sets “SMSClientInstallProperties” before the “Setup Windows and ConfigMgr” step. Under “Value”, type in any special client installation properties you might have.

[Screenshot: Set Task Sequence Variable step for SMSClientInstallProperties]

Next up is the SCCMClientHotfixPath.wsf script. Add a Run Command Line step, name it “Set ConfigMgr Client PATCH Paths”, and select the “ConfigMgr Client with Hotfix” package.
For the command line, type “cscript.exe SCCMClientHotfixPath.wsf”.

[Screenshot: “Set ConfigMgr Client PATCH Paths” run command line step]

Now, in the “Setup Windows and ConfigMgr” step, change the client package to the “ConfigMgr Client with Hotfix” package we created earlier and remove any installation properties you might have there.
(They should now be in the SMSClientInstallProperties variable instead.)

[Screenshot: “Setup Windows and ConfigMgr” step with the new client package]

Why the SCCMClientHotfixPath script?

Instead of hard-coding something like PATCH=”C:\_SMSTaskSequence\OSD\PS10006E\Hotfix\X64\kb977384\configmgr2012ac-r2-kb3026739-x64.msp”, the SCCMClientHotfixPath script (with the change described below) searches the “\hotfix\i386” and “\hotfix\x64” folders for any patches, copies them to the C:\Windows\Temp\Hotfix folder, and uses that path (C:\Windows\Temp\hotfix\configmgr2012ac-r2-kb3026739-x64.msp) for the install. This way the patch is still there if the client needs to do a repair, whereas the _SMSTaskSequence folder is gone once the task sequence finishes.

The default behaviour of the SCCMClientHotfixPath script is to search both “\i386\hotfix” and “\x64\hotfix” for hotfixes.
Instead of having two hotfix folders, I changed four lines in the script so it uses the Hotfix folder in the package we created instead (“\hotfix\x64” and “\hotfix\i386”).

[Screenshot: the changed lines in SCCMClientHotfixPath.wsf]

Hope this will save you some time with the next CU or upgrade. When it’s time to upgrade, just copy the new files to your client package and update the distribution point(s). Then change the ConfigMgrStartup.xml to the right client version and you are good to go for deployment of the new client. OSD will find the patches if there are any, and the startup script will check that the version is correct on the already deployed computers.


Adding date to the captured WIM File in MDT Two

Johan Arwidmark wrote a great post on how to create a WIM file with the date in the name. That’s great, but I want a leading zero for a month or day with only one digit, so the names sort correctly.

Johan’s post shows

If you add this to CustomSettings.ini:

You get this output:


Simon helped me with the format; I’m only sharing it with the world. Visit his blog to learn PowerShell.


How old are your computers?

Lately I have been asked: “Can you use ConfigMgr to see how old our computers are?”

And the answer is: YES, with some modifications and limitations. It only works if you haven’t deleted the computer object in Active Directory every time you re-installed the computer, because the whenCreated attribute is reset when the object is recreated.

Step one:
Add the Active Directory attribute “whenCreated” to the Active Directory System Discovery.
[Screenshot: Active Directory Attributes tab of the discovery method]

Use the Custom button, since whenCreated is not in the default attribute list.
[Screenshot: adding a custom attribute]

Step two:
Run a discovery and you will get a new attribute on the device object.
[Screenshot: CLIENT01 device properties showing whenCreated]

Now you can use this attribute in collections or reports to get a good picture of how many computers might need to be replaced during the following years.

In the sample query below I select computers that are 2–3 years old.
[Screenshot: collection query for computers 2–3 years old]

And the query in a text box :)
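To show the same age calculation outside the console, here is an added example (not the query from the post) that buckets computers by age from whenCreated, the way the report below does, and then picks the 2–3 year group. It runs on constructed sample data; the commented Get-ADComputer line is the real source. The WQL in the comment assumes the discovered attribute shows up as SMS_R_System.whenCreated, which is how custom discovery attributes are exposed to collection queries.

```powershell
# Get-ComputerAge.ps1 (added example)
# Equivalent collection query (WQL), assuming the attribute name SMS_R_System.whenCreated:
#   select SMS_R_System.ResourceId, SMS_R_System.Name, SMS_R_System.whenCreated
#   from SMS_R_System
#   where DateDiff(yy, SMS_R_System.whenCreated, GetDate()) >= 2
#     and DateDiff(yy, SMS_R_System.whenCreated, GetDate()) <= 3

function Get-ComputerAge {
    # $Computers: objects with Name and whenCreated (AD computer objects or anything shaped like them)
    param(
        [Parameter(Mandatory)][object[]]$Computers,
        [datetime]$Now = (Get-Date)
    )
    foreach ($c in $Computers) {
        $created = [datetime]$c.whenCreated
        # whole years since the AD object was created; this is a lower bound if the
        # object was ever deleted and recreated during a re-install
        $years = [math]::Floor(($Now - $created).TotalDays / 365.25)
        [pscustomobject]@{ Name = $c.Name; Created = $created; AgeYears = $years }
    }
}

function Get-ReplacementSummary {
    # count per age bucket, the same shape as the custom report
    param([Parameter(Mandatory)][object[]]$Ages)
    $Ages | Group-Object AgeYears | Sort-Object { [int]$_.Name } | ForEach-Object {
        [pscustomobject]@{ AgeYears = [int]$_.Name; Computers = $_.Count }
    }
}

# Real data:   $computers = Get-ADComputer -Filter * -Properties whenCreated
# Constructed sample data for a stand-alone run:
$computers = @(
    [pscustomobject]@{ Name = 'CLIENT01'; whenCreated = [datetime]'2011-02-10' }
    [pscustomobject]@{ Name = 'CLIENT02'; whenCreated = [datetime]'2012-09-03' }
    [pscustomobject]@{ Name = 'CLIENT03'; whenCreated = [datetime]'2013-06-21' }
    [pscustomobject]@{ Name = 'CLIENT04'; whenCreated = [datetime]'2015-01-15' }
)
$asOf = [datetime]'2015-09-01'

$ages = Get-ComputerAge -Computers $computers -Now $asOf
'Computers 2-3 years old:'
$ages | Where-Object { $_.AgeYears -ge 2 -and $_.AgeYears -le 3 } | Format-Table -AutoSize
'Replacement summary:'
Get-ReplacementSummary -Ages $ages | Format-Table -AutoSize
```

With the sample data and the 2015-09-01 reference date, CLIENT02 and CLIENT03 land in the 2–3 year group; CLIENT01 is 4 and CLIENT04 is 0.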


And here is a sample picture of how I use this information in a custom report.
[Screenshot: report of computers per year]

This is just a way to get a hint of the age of your computers. It’s not as accurate as looking at invoices and so on.


Have a nice day

Cleanup the IIS logs on a ConfigMgr Server

If you installed ConfigMgr on a server a few years ago, there might be a lot of IIS log files stored on the C: drive (if you used the default settings when installing IIS). In the sample picture it’s been 246 days since the installation, and each log file is about 8–20 MB depending on the traffic to the IIS server. In time this can become a problem.

[Screenshot: IIS log files folder]

Copy the syntax below, paste it into an elevated command prompt, and hit Enter.

Now there is a new scheduled task in Task Scheduler that clears the IIS log directory of files that are 30 days old or older. The location of the log directory is found automatically by the PowerShell command, so it also works if you moved the logs off the default path. Before you let it run, make sure 30 days is enough for you: the IIS logs on a management point or distribution point are what you go back to when you need to see which client pulled which policy or content, so forward them to your log collector if you need them longer.

This will free up some space on the C: drive next Sunday at 01:00, or right away if you run the task manually.
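As the original one-liner is not reproduced above, here is an added example that does the same job in two parts: it writes a cleanup script that reads the log directory from the IIS configuration (site defaults plus any per-site override), deletes only *.log files older than the retention period, and then registers a weekly task for Sunday 01:00 running as SYSTEM. The script path C:\Scripts\Clean-IisLogs.ps1 and the task name are assumptions; because the task runs the file as SYSTEM, keep that folder writable by administrators only.

```powershell
# Register-IisLogCleanup.ps1 (added example). Run from an elevated PowerShell on the site system.
$scriptPath    = 'C:\Scripts\Clean-IisLogs.ps1'   # assumption: admin-only folder
$taskName      = 'Cleanup IIS Logs'
$retentionDays = 30

# The cleanup script itself. Single-quoted here-string, so nothing is expanded until it runs;
# the retention value is patched in below.
$cleanupScript = @'
Import-Module WebAdministration
$retention = __RETENTION__
# Site defaults, plus each site's own logFile.directory in case one was moved
$dirs = @((Get-WebConfigurationProperty -Filter 'system.applicationHost/sites/siteDefaults/logFile' -Name 'directory').Value)
$dirs += Get-Website | ForEach-Object { $_.logFile.directory }
$dirs = $dirs | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } | Sort-Object -Unique
$cutoff = (Get-Date).AddDays(-$retention)
foreach ($dir in $dirs) {
    # Only *.log files, only older than the cutoff; today's open log file is never that old
    Get-ChildItem -Path $dir -Filter '*.log' -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        Remove-Item -Force
}
'@ -replace '__RETENTION__', $retentionDays

New-Item -ItemType Directory -Path (Split-Path -Path $scriptPath -Parent) -Force | Out-Null
Set-Content -Path $scriptPath -Value $cleanupScript -Encoding ASCII

# Weekly on Sunday at 01:00, as SYSTEM, highest privileges
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 1am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

# Optional: reclaim the space now instead of waiting for Sunday
Start-ScheduledTask -TaskName $taskName
```

If your execution policy is AllSigned, sign Clean-IisLogs.ps1 and drop the -ExecutionPolicy Bypass argument; a SYSTEM task that bypasses the policy to run a file in a writable folder is exactly the combination you do not want on a site server.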

[Screenshot: the scheduled task in Task Scheduler]


Have a nice day

Where is a collection included?

It’s time for my first public blog post. What should it be about?
It will be about collections in ConfigMgr 2012.
I got a question from a customer: how can I find out which other collections this collection is used in?
It’s easy to see which collections a collection itself references by looking at its Referenced Collections tab, but that is the other direction; opening every collection to look for the name is time consuming. A script is needed :)


After some research I found this blog.

But I wanted to have it a little bit different. PowerShell is not my strongest skill, but I have a colleague (Simon Wåhlin) who is VERY skilled. He gladly helped me, and the result is the following:

Here is a video recording of the script running:

Have a nice day
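Since the script itself is not reproduced above, here is an added example (my own, not Simon’s script from the post) that answers the same question from the SMS Provider: it reads the SMS_CollectionDependencies class, where every include, exclude and limiting-collection relationship is stored, and lists the collections that depend on the one you ask about. Site server cm01, site code PS1 and the collection ID are placeholders; the relationship type values (1 = limiting, 2 = include, 3 = exclude) are what the provider stores for this class.

```powershell
# Get-CollectionUsage.ps1 (added example)
function Get-CollectionUsage {
    param(
        [Parameter(Mandatory)][string]$CollectionId,
        [string]$SiteServer = 'cm01',   # placeholder
        [string]$SiteCode   = 'PS1',    # placeholder
        [switch]$Recurse                # also follow collections that depend on the dependents
    )
    $ns = "root\SMS\site_$SiteCode"
    $relType = @{ 1 = 'Limiting'; 2 = 'Include'; 3 = 'Exclude' }

    # SourceCollectionID is the collection being used, DependentCollectionID the one using it
    $deps = Get-CimInstance -ComputerName $SiteServer -Namespace $ns `
                -ClassName SMS_CollectionDependencies -Filter "SourceCollectionID='$CollectionId'"

    foreach ($d in $deps) {
        $dep = Get-CimInstance -ComputerName $SiteServer -Namespace $ns `
                   -ClassName SMS_Collection -Filter "CollectionID='$($d.DependentCollectionID)'"
        [pscustomobject]@{
            UsedBy       = $dep.Name
            CollectionID = $dep.CollectionID
            Relationship = $relType[[int]$d.RelationshipType]
            Source       = $CollectionId
        }
        if ($Recurse) {
            # walk upwards: anything depending on the dependent is indirectly using the source too
            Get-CollectionUsage -CollectionId $dep.CollectionID -SiteServer $SiteServer -SiteCode $SiteCode -Recurse
        }
    }
}

# Usage: which collections include, exclude or are limited by PS100012?
Get-CollectionUsage -CollectionId 'PS100012' -Recurse | Sort-Object Relationship, UsedBy | Format-Table -AutoSize
```

Run it under an account with read access to the SMS Provider (a Read-only Analyst role is enough). The -Recurse switch matters in practice: removing a collection that is a limiting collection several levels down is what usually breaks deployments, and a one-level view will not show it.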