Uninstall Microsoft Patches
Once an update that fixes a vulnerability becomes public knowledge, attackers specifically target unpatched devices with exploits for that vulnerability. In line with security best practice, and to limit the impact of these attacks, it is always advisable to ensure computers are running the latest patches.
Depending on your company's policy, patches may be automatically installed as soon as they are released or reported as missing, or they may be tested in an internal sandbox environment before deployment to the Client's devices.
However, there may be instances where a problem is discovered with a patch after it has been made publicly available, for example an issue that did not manifest during the vendor's internal testing and was only discovered post-release.
To help deal with this situation for Microsoft patches, where a patch is marked as uninstallable you can trigger its removal from N-sight RMM.
To avoid accidental reinstallation of the patch in the future, once the uninstall action completes successfully the patch's status changes to Ignored.
Where a Windows Update Agent scan reports a patch as uninstallable, Patch Management for Windows reports that patch as uninstallable.
Uninstall Specific Patch on a Device - Patch Information Dialog
- On the All Devices view, select the target device in the North-pane.
- Go to the South-pane Patches tab.
- Double-click the target Patch to open the Patch Information dialog.
- Check that Uninstallable shows Yes in the Details section.
- Click Uninstall.
- Click OK to accept the Confirm action message to initiate the removal process.
Uninstall one or more Patches on a Device - Patches Tab
When selecting multiple patches, only those that are marked as uninstallable are removed.
- On the All Devices view, select the target device in the North-pane.
- Go to the South-pane Patches tab.
- Choose patches with multi-select (Shift and left-click for a range, Control and left-click for specific Patches).
- Right-click on one of the selected patches (or use the Patch drop-down).
- Click Uninstall.
- Click OK to accept the Confirm action message to initiate the removal process.
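Both procedures above rely on the Uninstallable flag that the Windows Update Agent reports for an installed update. The following PowerShell is an added example written for this page, not N-able's agent code: it reproduces the same check and action locally on the endpoint, which is useful when confirming what the console shows. It assumes an elevated PowerShell session on the target device and uses a hypothetical KB number; like the multi-select action, it skips anything the agent does not mark as uninstallable.

```powershell
# Added example for this page (not N-able's agent code). Assumptions: run in an
# elevated PowerShell session on the target Windows device; the KB number used
# at the bottom is hypothetical. Uses the Windows Update Agent (WUA) COM API.

function Get-InstalledUpdate {
    # Enumerate updates WUA considers installed, with the IsUninstallable flag
    # that Patch Management for Windows surfaces as "Uninstallable: Yes".
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=1')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KBs             = @(foreach ($k in $u.KBArticleIDs) { "KB$k" })
            Title           = $u.Title
            IsUninstallable = [bool]$u.IsUninstallable
            Update          = $u   # raw IUpdate, needed for IUpdateInstaller.Uninstall()
        }
    }
}

function Uninstall-KbUpdate {
    # Remove one KB via WUA, but only where WUA itself marks it uninstallable.
    param([Parameter(Mandatory)][string]$Kb)   # accepts '3121212' or 'KB3121212'
    $kbId    = 'KB' + ($Kb -replace '^KB', '')
    $targets = @(Get-InstalledUpdate | Where-Object { $_.KBs -contains $kbId })
    if ($targets.Count -eq 0) { throw "$kbId is not installed on this device." }

    $coll = New-Object -ComObject 'Microsoft.Update.UpdateColl'
    foreach ($t in $targets) {
        if (-not $t.IsUninstallable) {
            # Same rule as the console: patches not marked uninstallable are skipped.
            Write-Warning "Skipping '$($t.Title)': WUA reports it is not uninstallable."
            continue
        }
        [void]$coll.Add($t.Update)
    }
    if ($coll.Count -eq 0) { throw "Nothing uninstallable found for $kbId." }

    $session   = New-Object -ComObject 'Microsoft.Update.Session'
    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $coll
    $result = $installer.Uninstall()

    # OperationResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted.
    [pscustomobject]@{
        KB             = $kbId
        ResultCode     = $result.ResultCode
        HResult        = $result.HResult
        RebootRequired = [bool]$result.RebootRequired   # status stays Installed until restart
    }
}

# Usage (hypothetical KB): the "Uninstallable: Yes" check followed by Uninstall.
Get-InstalledUpdate | Where-Object { $_.KBs -contains 'KB3121212' } |
    Select-Object KBs, Title, IsUninstallable
Uninstall-KbUpdate -Kb 'KB3121212'
```

RebootRequired in the result is the same condition the console describes later on this page: until the device restarts, the next Patch Scan may still show the patch as Installed rather than Ignored.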
Uninstall one or more Patches across multiple Devices - Management Workflow
This dialog contains information on all the discovered patches across your devices, and the number of entries may easily stretch into the tens of thousands. To simplify the management of these patches we have included four main filters along with column options, to provide more targeted information.
The Uninstall option is only available on devices where the Microsoft Patch has Yes in the Uninstallable column.
- On the All Devices view, go to Settings > Patch Management > Management Workflow.
- Use the filters to return information on the target patch(es):
- Click Apply filters to view the results, or Reset filters to remove all filters and return to the defaults (Date: Last Month, Filter by Status: Missing).
- Use the Columns drop-down to refine the results, providing the required information to make a considered patch selection. For patch removal we would suggest at least the Installed and Uninstallable columns are enabled.
- Click on the left-column link (where available) to visit the vendor's site for more information on a patch.
- Multi-select the patches (Shift and left-click for a range, Control and left-click for specific patches).
- Click Proceed to continue.
- Choose Uninstall as the action to apply to the patch selection (only one option is supported).
- Click Next.
- Select the device type (Servers and/or Workstations) to remove the patch from along with the Client and Site combination.
- Click Apply (or Next) to immediately initiate the uninstall process.
| Filter | Description |
|---|---|
| Search | The patch name search supports partial string matches and returns those patches whose name contains the entered string. The returned results are based on the current Date and Filter by Status selection; the search is applied immediately. |
| Date | Choose the patch Release Date range to display: Last 24 hours, Last 7 days, Last 3 months, Last 6 months, Last year, All time. |
| Filter by Status | Select a status (for example Installed) to return all patches meeting that criterion; the setting is applied immediately. |
Patch Selection Dialog, Action Dialog and Entity Selection Dialog
Ten Patches Limit
Up to ten patches can be selected for uninstall at any one time. Where you wish to remove more than ten patches, we suggest removing them in batches: select the first ten, choose Uninstall, then repeat the process as often as required for the remaining patches.
Recommendation: Reboot after Patch Uninstall
We strongly recommend rebooting the device once the patch uninstall process is complete, to ensure all remnants of the patch are removed. Rebooting also stops any of the patch's dependencies that may otherwise prevent the removal from completing.
Where the patch status does not change from Installed (uninstall unsuccessful, or a reboot required) to Ignored the next time the scan runs after the restart, we suggest attempting the uninstall again.
Patch Uninstall Process
After the Uninstall action is initiated the selected patch state moves to Uninstalling.
This action is immediately communicated to the Agent via the Persistent Connection (where available) or during the next scheduled 24x7 cycle.
Once the command is received, the Agent begins the uninstall process when Patch Management for Windows is inactive (i.e. it will not attempt to uninstall the patch where Patch Management for Windows is in the process of performing an action: scan, remediation or update).
We wait ten minutes after the last uninstall action completes before automatically running the Patch Scan, which changes the patch state to Ignored (uninstall successful) or Installed (patch failed to uninstall, or the device requires a reboot to complete the uninstall process).
The Patch Scan may also be manually initiated from the All Devices view.
- On the All Devices view North-pane, right-click on the device.
- Select Patch Management > Run Patch Status Scan.
The command is sent to the device and the Patch Status Check scan runs.
The Patch Status Check scan performs an intensive analysis of the system and as such it may take some time to complete.
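Between the uninstall and the automatic Patch Scan, a technician often wants to know which of the three outcomes above applies: the patch is gone, a reboot is pending, or the uninstall did not take effect. The following PowerShell is an added example written for this page, not N-able's scan logic; it assumes an elevated session on the device and a hypothetical KB number. It checks whether the KB is still listed as installed and whether Windows has a pending restart recorded, and maps the result onto the next step the recommendation above calls for.

```powershell
# Added example for this page (not N-able's agent code). Run in an elevated
# session on the device after an uninstall; the KB number at the bottom is hypothetical.

function Test-PendingReboot {
    # Windows records a pending restart in several places; any one of them means
    # the patch uninstall may not have fully completed yet.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
               -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    $pfr = ($null -ne $sm) -and ($sm.PendingFileRenameOperations.Count -gt 0)
    $wua = [bool](New-Object -ComObject 'Microsoft.Update.SystemInfo').RebootRequired
    [pscustomobject]@{
        CbsRebootPending  = $cbs
        WuRebootRequired  = $wu
        PendingFileRename = $pfr
        WuaRebootRequired = $wua
        Any               = ($cbs -or $wu -or $pfr -or $wua)
    }
}

function Get-KbRemovalState {
    # Classify the outcome the way the Patch Scan will: Removed (expect Ignored),
    # RebootPending (restart, then let the scan run) or StillInstalled (retry).
    param([Parameter(Mandatory)][string]$Kb)
    $kbId = 'KB' + ($Kb -replace '^KB', '')
    # Get-HotFix reads Win32_QuickFixEngineering, which only lists updates
    # installed through Component Based Servicing (not e.g. MSI-based updates).
    $hotfix = Get-HotFix -Id $kbId -ErrorAction SilentlyContinue
    $reboot = Test-PendingReboot
    $state  = if (-not $hotfix) { 'Removed' } elseif ($reboot.Any) { 'RebootPending' } else { 'StillInstalled' }
    $next = switch ($state) {
        'Removed'        { 'Next Patch Scan should report the patch as Ignored.' }
        'RebootPending'  { 'Restart the device, then let the Patch Scan run before judging the result.' }
        'StillInstalled' { 'Uninstall did not take effect; attempt the uninstall again.' }
    }
    [pscustomobject]@{ KB = $kbId; State = $state; PendingReboot = $reboot.Any; NextStep = $next }
}

Get-KbRemovalState -Kb 'KB3121212'
```

Because the console only re-evaluates status when the Patch Scan runs, a local StillInstalled result with no pending reboot is the case where re-issuing the uninstall from N-sight RMM is worthwhile; a RebootPending result is not a failure yet.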
Superseded Patches
Patch Management for Windows uses the Windows WSUS database to determine which Microsoft patches are missing on a device. Where a patch is superseded by a subsequent release, WSUS does not report the original patch as missing.
As such, where an uninstalled patch has been superseded, it no longer appears in Patch Management for Windows.
For example, KB3140410 supersedes KB3121212. If KB3121212 is uninstalled on the device, it no longer appears in Patch Management; only KB3140410 is displayed.
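The same supersedence behaviour can be observed directly from the Windows Update Agent on a device. The following PowerShell is an added example written for this page, not N-able's code; it assumes an elevated session and a device whose update agent can reach its update source (WSUS or Microsoft Update). It runs the missing-update search twice, once the normal way (the view Patch Management for Windows works from) and once with IncludePotentiallySupersededUpdates set, and returns the updates that appear only in the second result, i.e. those not reported as missing because something newer supersedes them.

```powershell
# Added example for this page (not N-able's code). Run in an elevated session on
# a device whose Windows Update Agent can reach its update source.

function Get-SupersededMissingUpdates {
    # Returns updates that are not installed but that WUA/WSUS will not report as
    # missing because a newer update in the same result set supersedes them.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $criteria = 'IsInstalled=0 and IsHidden=0'

    # 1) Default search: superseded updates are omitted, as in the console's Missing list.
    $visible = @(foreach ($u in $searcher.Search($criteria).Updates) { $u.Identity.UpdateID })

    # 2) Same search with superseded updates included; keep only the extras.
    $searcher.IncludePotentiallySupersededUpdates = $true
    foreach ($u in $searcher.Search($criteria).Updates) {
        if ($visible -contains $u.Identity.UpdateID) { continue }
        [pscustomobject]@{
            KB     = (@(foreach ($k in $u.KBArticleIDs) { "KB$k" }) -join ',')
            Title  = $u.Title
            Status = 'superseded: not reported as missing'
        }
    }
}

# In the page's example, KB3121212 (superseded by KB3140410) would be returned
# here after its removal rather than in the console's Missing list.
Get-SupersededMissingUpdates | Format-Table -AutoSize
```

This is a useful sanity check before concluding that an uninstalled patch has "disappeared": if it is listed here, the device is simply being offered the superseding update instead.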