How to roll back a Microsoft patch

Sometimes a hotfix needs to be uninstalled and rolled back. This is how I do it.

First of all (if it isn’t already done) disable the hotfix. Find the hotfix and then edit membership to disable the current deployment of it.

\Software Library\Overview\Software Updates\All Software Updates


Now we need to find out which clients have the patch installed.

Enable Quick Fix Engineering in hardware inventory. It can be found in \Administration\Overview\Client Settings, under Default Settings.


And select Quick Fix Engineering.


Later on, I’ll use a PowerShell script to verify whether the hotfix is installed or not. For that to work, the ‘PowerShell execution policy’ needs to be changed to ‘Bypass’.

This is configured in the Computer Agent settings.


Now it’s time for a ConfigMgr Coffee while the ConfigMgr clients receive their new settings. And you have to wait for the next hardware inventory cycle to run before you know which computers have the hotfix installed.

Now it’s time to create the application that will do the uninstallation. Create an application with the manual option and name it something like “Rollback KB3025390”, and at the Deployment type select ‘script’.



Uninstall syntax:

wusa.exe /uninstall /kb:3008923 /quiet /norestart

But because the Installation program cannot be empty, just type cmd /c there.

For the detection method I use a PowerShell script:



# ConfigMgr treats any output from the script as "installed"; no output means "not installed".
if (Get-WmiObject -Query "SELECT * FROM Win32_QuickFixEngineering WHERE HotFixID = 'KB3025390'") { Write-Host "Installed" }

If the patch can be uninstalled and the computer doesn’t need a reboot to work, but the uninstall gives you return code 3010, you can change this setting. If you don’t change this behavior, the computer will reboot in 90 min (default settings).
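To see which return code wusa.exe actually gives on a test client before deploying, the following is an added example (not part of the original post) to run from an elevated PowerShell prompt. The function name Test-HotfixInstalled and the parameter $KbId are hypothetical; the KB number defaults to the one used by the detection script above.

```powershell
# Added example: run the rollback by hand on one test client and report
# the wusa.exe return code, so you know whether 3010 handling is needed.
param(
    [string]$KbId = '3025390'   # KB number from the detection script on this page
)

function Test-HotfixInstalled {
    param([string]$Id)
    # Same WMI class that the detection method and hardware inventory use
    $hit = Get-WmiObject -Query "SELECT HotFixID FROM Win32_QuickFixEngineering WHERE HotFixID = 'KB$Id'"
    return [bool]$hit
}

if (-not (Test-HotfixInstalled -Id $KbId)) {
    Write-Output "KB$KbId is not installed; nothing to roll back."
    exit 0
}

# Same switches as the uninstall syntax in the article
$wusaArgs = @('/uninstall', "/kb:$KbId", '/quiet', '/norestart')
$proc = Start-Process -FilePath 'wusa.exe' -ArgumentList $wusaArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output "KB$KbId uninstalled, no reboot requested." }
    3010    { Write-Output "KB$KbId uninstalled, reboot required (return code 3010)." }
    default { Write-Output "wusa.exe returned $($proc.ExitCode); treat as a failure and check the Setup event log." }
}

# Report what the detection query sees right now, before any reboot
Write-Output ("Still listed in Win32_QuickFixEngineering: {0}" -f (Test-HotfixInstalled -Id $KbId))
exit $proc.ExitCode
```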


Now when the application is done it’s time to deploy it to a collection. First you select a few clients to test it on, of course. But for the real thing create a Rollback collection.

Rollback collection query:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_QUICK_FIX_ENGINEERING
    on SMS_G_System_QUICK_FIX_ENGINEERING.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_QUICK_FIX_ENGINEERING.HotFixID = "KB3025390"

Now the last step is the deployment, just remember to select uninstall :)


And I don’t want the user to see anything so I hide all notifications.


Hope you will find this useful

Have a nice day /Johnny