Uninstall Microsoft Patches

Once an update that fixes a vulnerability becomes public knowledge, attackers will specifically target that vulnerability on devices that have not yet applied the fix. In line with security best practice, it is always advisable to ensure computers are running the latest patches to limit the window in which such attacks succeed.

Depending on your company's policy, patches may be automatically installed as soon as they are released or reported as missing, or they may be tested in an internal sandbox environment before deployment to the Client's devices.

However, there may be instances where a problem is discovered with a patch after it was made publicly available, for example an issue that did not manifest itself during the vendor's internal testing and was only discovered post-release.

To handle this situation for Microsoft patches, you can trigger the removal of any patch that is marked as uninstallable from the Dashboard.

Once the uninstall action completes successfully, the patch's status changes to Ignored so that it is not reinstalled accidentally in a later patch cycle.

The Uninstallable flag comes from the Windows Update Agent: Patch Management for Windows reports a patch as uninstallable only where the Windows Update Agent scan reports it as uninstallable.

Uninstall a Specific Patch on a Device - Patch Information Dialog

  1. On the N-sight RMM Dashboard, select the target device in the North-pane
  2. Go to the South-pane Patches tab
  3. Double-click the target Patch to open the Patch Information dialog
  4. Check that the Details section shows Uninstallable: Yes (the Uninstall button only applies to such patches)
  5. Click Uninstall
  6. Click OK to accept the Confirm action message to initiate the removal process

Uninstall one or more Patches on a Device - Patches Tab

When selecting multiple patches, only those that are marked as uninstallable are removed.

  1. On the N-sight RMM Dashboard, select the target device in the North-pane
  2. Go to the South-pane Patches tab
  3. Choose patches with multi-select (Shift and left-click for a range, Control and left-click for specific Patches)
  4. Right-click one of the selected patches (or open the Patch drop-down)
  5. Click Uninstall
  6. Click OK to accept the Confirm action message to initiate the removal process

Uninstall one or more Patches across multiple Devices - Management Workflow

This dialog lists all the discovered patches across your devices, and the number of entries may easily stretch into the tens of thousands. To simplify the management of these patches, filters and column options are provided to narrow the list down to the patches you are interested in.

The Uninstall option is only available on devices where the Microsoft Patch has Yes in the Uninstallable column.

  1. On the N-sight RMM Dashboard, go to Settings > Patch Management > Management Workflow
  2. Use the filters to return information on the target patch(es):

     Search: the Patch name search supports partial string matches and returns those patches whose name contains the entered string. The returned results are also constrained by the current Date and Filter by Status selections, and the search is applied immediately.

     Date: choose the patch Release Date range to display: Last 24 hours | Last 7 days | Last 3 months | Last 6 months | Last year | All time

     Filter by Status: select Installed to return all patches meeting this criterion; the setting is applied immediately.

  3. Click Apply filters to view the results, or Reset filters to remove all filters and return to the defaults (Date: Last Month | Filter by Status: Missing)
  4. Use the Columns drop-down to refine the results so that you have the information needed to make a considered patch selection. For patch removal we suggest enabling at least the Installed and Uninstallable columns
  5. Click the left-column link (where available) to visit the vendor's site for more information on a patch
  6. Multi-select the patches (Shift and left-click for a range, Control and left-click for specific patches)
  7. Click Proceed to continue
  8. Choose Uninstall as the action to apply to the patch selection (only one action can be applied per selection)
  9. Click Next
  10. Select the device type (Servers and/or Workstations) to remove the patch from, along with the Client and Site combination
  11. Click Apply or Next to immediately initiate the uninstall process

Patch Selection Dialog, Action Dialog and Entity Selection Dialog

Ten Patches Limit

Up to ten patches can be selected for uninstall at any one time. Where you wish to remove more than ten patches, we suggest removing them in batches: select the first ten, choose Uninstall, then repeat the process as often as required for the remaining patches.

Recommendation: Reboot after Patch Uninstall

We strongly recommend rebooting the device once the patch uninstall process is complete to ensure all remnants of the patch are completely removed. Rebooting also stops any processes or services that depend on the patch, which may otherwise prevent the removal from completing.

If, on the next scan after the restart, the patch status has not changed from Installed to Ignored (the uninstall failed, or a reboot was still required), we suggest attempting to uninstall the patch again.
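As an added example (not part of the N-able documentation or its Agent code), the following PowerShell, run on the device after the restart, performs the same check described above by hand: it reads the registry markers Windows sets while a restart is still pending and uses Get-HotFix to see whether the KB is still listed, so that a removal which merely needs the restart can be told apart from one that has to be retried. The function names are illustrative, and the KB number in the usage line is the one used in the supersession example later on this page.

```powershell
# Added example: post-reboot verification of a Microsoft patch removal.
# Not N-able code. Function names are illustrative; the registry locations are
# the standard Windows markers for an outstanding restart.

function Test-PendingReboot {
    # Component Based Servicing and Windows Update each create a key while a
    # restart is outstanding; Session Manager lists files to be renamed at boot.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($key in $markers) {
        if (Test-Path -Path $key) { return $true }
    }
    $sessionManager = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sessionManager -and $sessionManager.PendingFileRenameOperations) { return $true }
    return $false
}

function Get-KbRemovalState {
    param([Parameter(Mandatory)][string] $Kb)   # accepts '3121212' or 'KB3121212'

    $kbId = 'KB' + ($Kb -replace '^KB', '')
    # Get-HotFix reads Win32_QuickFixEngineering, which lists most (not all)
    # servicing-based updates; no entry after a restart means the removal stuck.
    $hotfix = Get-HotFix -Id $kbId -ErrorAction SilentlyContinue
    $rebootPending = Test-PendingReboot

    if (-not $hotfix -and -not $rebootPending) {
        $state = 'Removed'                   # expect the next scan to show Ignored
    } elseif (-not $hotfix) {
        $state = 'RemovedRebootPending'      # restart, then let the scan run
    } elseif ($rebootPending) {
        $state = 'InstalledRebootPending'    # restart before judging the outcome
    } else {
        $state = 'InstalledRetryUninstall'   # removal did not take; retry it
    }

    [pscustomobject]@{
        KB            = $kbId
        StillListed   = [bool]$hotfix
        RebootPending = $rebootPending
        State         = $state
    }
}

Get-KbRemovalState -Kb 'KB3121212' | Format-List
```

Only the InstalledRetryUninstall state calls for a second Uninstall from the Dashboard; the two RebootPending states mean the device has not yet been restarted (or needs another restart) and the scan result should not be trusted until it has.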

Patch Uninstall Process

After the Uninstall action is initiated the selected patch state moves to Uninstalling.

This action is immediately communicated to the Agent via the Persistent Connection (where available) or during the next scheduled 24x7 cycle.

Once the command is received, the Agent begins the uninstall process when Patch Management for Windows is inactive (i.e. it will not attempt to uninstall the patch where Patch Management for Windows is in the process of performing an action: scan, remediation or update).

The Agent waits ten minutes after the last uninstall action completes, then automatically runs the Patch Scan and changes the patch state to Ignored (uninstall successful) or Installed (the patch failed to uninstall, or the device requires a reboot to complete the removal).

The Patch Scan may also be manually initiated from the Dashboard.

  1. Log into the Dashboard
  2. Right-click on the target device in the North-pane (or from the Server or Workstation drop-down)
  3. Select Patch Management > Run Patch Status Scan
  4. Once actioned this command is sent to the device and the Patch Status Check scan runs

The Patch Status Check scan performs an intensive analysis of the system and as such it may take some time to complete.

Superseded Patches

Patch Management for Windows uses the Windows WSUS database to determine which Microsoft patches are missing on a device. Where a patch has been superseded by a subsequent release, WSUS does not report the original patch as missing.

As a result, when an uninstalled patch has been superseded, it no longer appears in Patch Management for Windows; only the superseding patch is listed.

For example, KB3140410 supersedes KB3121212. If KB3121212 is uninstalled on a device, it no longer appears in Patch Management for that device and only KB3140410 is displayed.
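The Agent-side mechanics described under Patch Uninstall Process and Superseded Patches can be reproduced by hand through the Windows Update Agent (WUA) COM API. The following PowerShell is an added example, not N-able's Agent code: it locates the installed update for a KB number, checks the same IsUninstallable flag the Dashboard surfaces as Uninstallable: Yes, uninstalls it through IUpdateInstaller, reports whether a restart is required, and then rescans for missing updates so you can see whether the KB is offered again or, as with KB3121212 and KB3140410 above, only the superseding release is listed. Function names are illustrative, the KB in the usage line is the one from the example above, and the script must run elevated on a test device.

```powershell
# Added example: drive the Windows Update Agent COM API directly.
# Not N-able Agent code. Run elevated; the Dashboard normally does this for you.

function Get-InstalledWuaUpdate {
    param([object] $Searcher, [string] $KbNumber)
    # IUpdate.KBArticleIDs is a string collection of bare KB numbers ('3121212')
    $installed = $Searcher.Search("IsInstalled=1 and Type='Software'").Updates
    foreach ($update in $installed) {
        foreach ($id in $update.KBArticleIDs) {
            if ($id -eq $KbNumber) { return $update }
        }
    }
    return $null
}

function Get-MissingKbs {
    param([object] $Searcher)
    # What Windows Update would offer right now; superseded updates are not returned
    $missing = $Searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $kbs = @()
    foreach ($update in $missing) {
        foreach ($id in $update.KBArticleIDs) { $kbs += "KB$id" }
    }
    return $kbs | Sort-Object -Unique
}

function Uninstall-KbViaWua {
    param([Parameter(Mandatory)][string] $Kb)   # accepts '3121212' or 'KB3121212'
    $kbNumber = $Kb -replace '^KB', ''

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    $target = Get-InstalledWuaUpdate -Searcher $searcher -KbNumber $kbNumber
    if (-not $target) {
        Write-Warning "KB$kbNumber is not installed according to WUA"
        return
    }
    # Same flag the Patch Information dialog shows as 'Uninstallable: Yes'
    if (-not $target.IsUninstallable) {
        Write-Warning "KB$kbNumber ($($target.Title)) is not uninstallable; WUA will refuse"
        return
    }

    $batch = New-Object -ComObject Microsoft.Update.UpdateColl
    [void]$batch.Add($target)
    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $batch
    $result = $installer.Uninstall()

    # OperationResultCode: 2 Succeeded, 3 SucceededWithErrors, 4 Failed, 5 Aborted
    $codes = @{ 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
    $code = [int]$result.ResultCode
    $outcome = if ($codes.ContainsKey($code)) { $codes[$code] } else { "Code $code" }
    Write-Host ("Uninstall of KB{0}: {1} (HRESULT 0x{2:X8}); reboot required: {3}" -f `
        $kbNumber, $outcome, $result.HResult, $result.RebootRequired)

    # Rescan. If the KB is listed again, Windows Update would re-offer it (the
    # Dashboard marks it Ignored to prevent that). If it is absent and another KB
    # appears in its place, that is the superseding release; any other outstanding
    # updates are listed alongside it.
    $missing = Get-MissingKbs -Searcher $searcher
    if ($missing -contains "KB$kbNumber") {
        Write-Host "KB$kbNumber is offered again as missing"
    } else {
        Write-Host "KB$kbNumber is not offered; updates now missing: $($missing -join ', ')"
    }
}

Uninstall-KbViaWua -Kb 'KB3121212'
```

Both Search calls perform a full scan against the configured update source, so they take as long as the Patch Status Check scan the Dashboard runs; if Uninstall() returns RebootRequired, restart before relying on the rescan, for the reasons given under the reboot recommendation above.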