Monthly Archives: October 2015

How to rollback a Microsoft patch

Sometimes a hotfix needs to be uninstalled and rolled back, this is how I do it.

First of all (if it isn’t already done) disable the hotfix. Find the hotfix and then edit membership to disable the current deployment of it.

\Software Library\Overview\Software Updates\All Software Updates

patch edit

Now we need to find out which clients have the patch installed.

Enable Quick Fix Engineering in hardware inventory. It can be found in \Administration\Overview\Client Settings and Default Settings

Default settings

And select quick fix engineering.

Quick Fix 2

Later on, I’ll use a PowerShell script to verify if the hotfix is installed or not, for that to work the ‘PowerShell execution policy’ needs to be changed to ‘Bypass’.

This is configured in the Computer Agent settings.


Now it’s time for a ConfigMgr Coffee while the ConfigMgr clients receive their new settings.
And you have to wait for the next hardware inventory cycle to run before you know which computers have the hotfix installed.

Now it’s time to create the application that will do the uninstallation.
Create an application with the manual option and name it something like “Rollback KB3025390″ and at the Deployment type select ‘script’.



Uninstall syntax: wusa.exe /uninstall /kb:3008923 /quiet /norestart
But because the Installation program cannot be empty, just type cmd /c there.

For the detection method I use a PowerShell script




If the patch can be uninstalled and the computer doesn’t need a reboot to work but the uninstall give you return code 3010 you can change this setting, If you don’t change this behavior, the computer will reboot in 90 min (default settings)


Now when the application is done it’s time to deploy it to a collection. First you select a few clients to test it on, of course. But for the real thing create a Rollback collection.

Rollback collection

Now the last step is the deployment, just remember to select uninstall :)


And I don’t want the user to see anything so I hide all notifications.

User experience

Hope you will find this useful

Have a nice day

ConfigMgr Client with Hotfix

It’s a good idea to create a separate ConfigMgr client package to use in OS deployment. By doing this, you will get more control over it than the default read-only package.

This is how I usually set it up to work together with Jason Sandys startup script as well.
Download the startup script from Jason Sandys Blog and get the SCCMClientHotfixPath script from The Deployment Guys

Create a folder called “ConfigMgr_Client_with_Hotfix”, then create another folder called Client inside that one. Copy the content from “\\cm01\SMS_PS1\Client” to the newly created Client folder. In the Client folder create a Hotfix folder and copy the content from  “\\cm01\SMS_PS1\hotfix\KB3074857\Client” to that folder. When this is done copy the SCCMClientHotfixPath.wsf script to the client folder, you also need to copy ZTIUtility.vbs into the client folder, This file you’ll find in your MDT Files Package. Your folder structure should look something like this.

ConfigMgr Client with Hotfix ConfigMgr Client

Copy the startup script from Jason Sandys to the root of the “ConfigMgr_Client_with_Hotfix” folder. Also create a “Logs” folder at this location and give Authenticated Users modify permission to it so the startup script can write error logs to the folder. (This folder should remain empty if everything works fine)

ConfigMgr Client with Hotfix Client Folder

Make your personal changes to ConfigMgrStartup.xml For reference, review the ConfigMgr Startup Script.pdf that follows with the script download. This is how my sample file looks like:

Now its time for the GPO. Create a GPO and edit so it looks something like this.

ConfigMgr Client with HotfixGPO

Next time a computer reboots it will check if it has the latest client version and patches- if not, the script will update it for you  :)

On to the OSD part.

Create a Package in the ConfigMgr console and name it “ConfigMgr Client with Hotfix” with source files pointing to “\\cm01\sources$\OSD\ConfigMgr_Client_with_Hotfix\Client”. Don’t create a program for the package.

ConfigMgr Client with Hotfix Create Client Pakage ConfigMgr Client with Hotfix No Program

In the Task Sequence. Create a Task Sequence Variable called “SMSClientInstallProperties” before the “Setup Windows and ConfigMgr” step. Under “Value” type in the special properties you might have.

New Propertys

Next up is the SCCMClientHotfixPath.wsf script, Add a Run Command line step, name it “Set ConfigMgr Client PATCH Paths” and select the “ConfigMgr Client with Hotfix” package.
For the command line, type “cscript.exe SCCMClientHotfixPath.wsf”

ConfigMgr Client with Hotfix TS Step Two

Now, in the “Setup Windows and ConfigMgr” step change the client package to “ConfigMgr Client with Hotfix” that we created earlier and remove any properties you might have.
(They should now be in the SMSClientInstallProperties step instead)

ConfigMgr Client with Hotfix TS Step 3

Why the SCCMClientHotfixPath script ?

Instead of using something like this PATCH=”C:\_SMSTaskSequence\OSD\PS10006E\Hotfix\X64\kb977384\configmgr2012ac-r2-kb3026739-x64.msp” the SCCMClientHotfixPath script searches the “\hotfix\i386” and “\hotfix\x64″ folders after any patches and then copies them to C:\Windows\Temp\Hotfix folder and uses this path C:\Windows\Temp\hotfix\configmgr2012ac-r2-kb3026739-x64.msp for install. This way the patch is still there if the client needs to do a repair.

The default behavior in the SCCMClientHotfixPath script is to search in both folders “\i386\hotfix” and “\x64\hotfix” for hotfixes.
Instead of having two hotfix folders I change four lines in the script so it uses the hotfix folder in the package we created instead (\hotfix\x64 and \hotfix\i386).

ConfigMgr Client with Hotfix Patch Script

Hope this will save you some time with next CU or upgrade. When it’s time to upgrade just copy the new files to your new client package and update the Distribution point(s). And then change the ConfigMgrStartup.xml to the right client version and you are good to go for deployment of the new client. OSD will find the patches if there are any and the startup script will check if the version is correct on the already deployed computer.


Adding date to the captured WIM File in MDT Two

Johan Arwidmark wrote a great post on how to create a wim file with the date in the name. That’s great but I want a zero in front of month or date with only one digit.

Johan’s post shows

If you add this to the CustomSettings.ini

You get this output.

Simon do magic

Simon help’t me with the format I only share it with the world. Visit his blog to learn powershell.