Remote Monitoring & Management Help

Uninstall Microsoft Patches

After an update that fixes a vulnerability becomes public knowledge, attackers will specifically target that vulnerability on unpatched devices. In line with security best practices, and to mitigate the impact of these types of attack, it is always advisable to ensure computers are running the latest patches.

Depending on your company's policy, patches may be automatically installed as soon as they are released or reported as missing, or they may be tested in an internal sandbox environment before deployment to the Client's devices.

However, there may be instances where a problem is discovered with a patch after it was made publicly available, for example where an issue did not manifest itself during the vendor's internal testing and was only discovered post-release.

To help deal with this situation with Microsoft patches, we have included the option to trigger the removal of Microsoft patches directly from the Dashboard.

There are two requirements:

  • Device is running Windows Monitoring Agent 10.2.0 (or later)
  • Patch is marked as uninstallable

To avoid accidental installation of the Patch in the future, once the uninstall action successfully completes, the patch's status changes to ignored.

Uninstall Specific Patch on a Device - Patch Information Dialog

  1. Log into the Dashboard
  2. Select the target device in the north pane
  3. Go to its south pane Patches tab
  4. Double-click on the target Patch to open the Patch Information dialog
  5. Check that Uninstallable: Yes is shown under Details
  6. Click Uninstall
  7. Click OK to accept the Confirm action message to initiate the removal process


Uninstall one or more Patches on a Device - Patches Tab

When selecting multiple patches, only those that are marked as uninstallable are removed.

  1. Log into the Dashboard
  2. Select the target device in the north pane
  3. Go to its south pane Patches tab
  4. Choose patches with multi-select (Shift and left-click for a range, Control and left-click for specific Patches)
  5. Right-click on one of the selected patches (or use the Patch drop-down)
  6. Click Uninstall
  7. Click OK to accept the Confirm action message to initiate the removal process


Uninstall one or more Patches across multiple Devices - Patch Management Workflow

This dialog contains information on all the discovered patches across your devices, and the number of entries may easily stretch into the tens of thousands. To simplify the management of these patches, we have included three main filters along with column options to provide more targeted information.

The Uninstall option is only available on devices running Agent 10.2.0 or later where the Microsoft Patch has Yes in the Uninstallable column.

  1. Log into the Dashboard
  2. Go to Settings
  3. Patch Management
  4. Management Workflow
  5. Select the Patches

  6. Use the filters to return information on the target patch(es):
  7. Filters and notes:

    Search: The Patch name search supports partial string searches and returns those patches that contain an element of the entered string in their name. Please note that the returned results are based on the Date and Filter by Status selection, with the search immediately applied.

    Date: Choose the patch Release Date range to display from: Last 24 hours | Last 7 days | Last 3 months | Last 6 months | Last year | All time

    Filter by Status: Select Installed to return all Patches meeting these criteria, with this setting immediately applied.

  8. Click Apply filters to view the results, or Reset filters to remove all filters and return to the defaults (Date: Last Month | Filter by Status: Missing)
  9. Use the Columns drop-down to refine the results, providing the required information to make a considered patch selection. For patch removal we would suggest that at least the Installed and Uninstallable columns are enabled.
  10. Click on the left-column link (where available) to visit the vendor's site for more information on a patch.
  11. Multi-select the patches (Shift and left-click for a range, Control and left-click for specific patches)
  12. Uninstall Process

  13. Proceed to continue
  14. Choose Uninstall as the action to apply to the patch selection (only one option is supported)
  15. Click Next
  16. Select the device type (Servers and/or Workstations) to remove the patch from along with the Client and Site combination
  17. Apply or Next to immediately initiate the uninstall process

Patch Selection Dialog, Action Dialog and Entity Selection Dialog


Ten Patches Limit

Up to ten patches are selectable for uninstall at any one time. Where you wish to remove more than ten Patches, we suggest batch deletion: select the first ten, choose Uninstall, then repeat the process as often as required to remove any additional patches.

Recommendation: Reboot after Patch Uninstall

We strongly recommend rebooting the device once the Patch uninstall process is complete to ensure all remnants of the Patch are completely removed. Rebooting the device will also stop any of the Patch's dependencies which may have prevented the Patch's removal, allowing the uninstall to begin.

Where the Patch status does not change from Installed (patch uninstall unsuccessful or requires a reboot) to Ignored the next time the scan runs after the restart, we would suggest attempting to uninstall the patch again.

Patch Uninstall Process

After the Uninstall action is initiated the selected patch state moves to Uninstalling.

This action is immediately communicated to the Agent via the Persistent Connection (where available) or during the next scheduled 24x7 cycle.

Once the command is received, the Agent begins the uninstall process when Patch Management is inactive, i.e. it will not attempt to uninstall the patch where Patch Management is in the process of performing an action: scan, remediation or update.

We wait ten minutes after the last uninstall action completes before automatically running the Patch Scan and changing the Patch state to Ignored (uninstall successful) or Installed (Patch failed to uninstall or the device requires a reboot to complete the uninstall process).

The Patch Scan may also be manually initiated from the Dashboard.

  1. Log into the Dashboard
  2. Right-click on the target device in the north pane (or from the Server or Workstation drop-down)
  3. Select Patch Management
  4. Re-run Patch Status Check.
  5. Once actioned this command is sent to the device and the Patch Status Check scan runs

The Patch Status Check scan performs an intensive analysis of the system and as such it may take some time to complete.

Superseded Patches

Patch Management utilizes the Windows WSUS database to determine which Microsoft patches are missing on a device and where a patch is superseded by a subsequent release, WSUS does not report the original patch as missing.

As such, where an uninstalled patch was superseded, it no longer appears in Patch Management.

For example, KB3140410 supersedes KB3121212. If KB3121212 is uninstalled on the device, it no longer appears in Patch Management, with only KB3140410 displayed.
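
A local check for the case described under Patch Uninstall Process, where the status stays Installed either because the uninstall failed or because a reboot is still required, and for the superseded pair above. This is an added example, not part of the product or its documentation; it assumes it is run in PowerShell on the target device, and the default KB IDs are the two used as the example on this page.

```powershell
# Added example (not vendor code): run locally on the device after an
# uninstall attempt to see why a patch may still show as Installed.
param(
    # KB IDs to check; defaults are the two KBs used as the example on this page.
    [string[]]$KbId = @('KB3121212', 'KB3140410')
)

# Registry keys Windows creates when servicing or Windows Update needs a restart.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$rebootPending = [bool]($rebootKeys | Where-Object { Test-Path -LiteralPath $_ })

foreach ($id in $KbId) {
    # Get-HotFix reads Win32_QuickFixEngineering, which does not list every
    # kind of update, so "not present" here means "not recorded there".
    $hotfix = Get-HotFix -Id $id -ErrorAction SilentlyContinue

    $conclusion = if (-not $hotfix) {
        'Not recorded as installed; expect Ignored after the next Patch Scan'
    } elseif ($rebootPending) {
        'Still recorded and a reboot is pending; restart, then re-run the Patch Status Check'
    } else {
        'Still recorded and no reboot pending; the uninstall likely failed, retry it'
    }

    [pscustomobject]@{
        KB            = $id
        Present       = [bool]$hotfix
        InstalledOn   = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        RebootPending = $rebootPending
        Conclusion    = $conclusion
    }
}
```

If the superseding KB is reported as present while the superseded one is not, the device is still covered by the newer patch, which matches why only the newer KB is displayed in Patch Management.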