Automox Worklet: Run Windows Patch Rollback

The Automox console allows you to uninstall patches using the Rollback Action from the Device Details page. However, this method becomes cumbersome when you need to roll back a patch on a large number of devices. Luckily, we have an Automox Worklet for just that scenario.

This Windows Patch Rollback Worklet will detect the presence of, and subsequently remove, the unwanted patch.

Note: Not all patches are uninstallable. Refer to the Microsoft Update Catalog for details on your particular patch.


To deploy this endpoint hardening Worklet, do the following:

  1. Log in to your Automox Console.
  2. Navigate to the System Management page and click Create Policy in the upper right-hand section of the screen.
  3. Choose Windows under Worklet.
  4. Copy and paste the Evaluation and Remediation code scripts from below. Choose the remediation code that matches your OS version.
  5. Change the values as described in the code so that they match your needs.
  6. Note: to evaluate if a specific patch is present, we use the PowerShell command Get-Hotfix. Based on the response of that command, we use the appropriate Exit Code to indicate its compliance status.

Evaluation:

# If you want to have an ongoing evaluation use this script
# to see if the patch is present.

# If you just want to manually execute this policy, this can be as
# simple as "Exit 1"

# Change this KB number to match what you want to check for
# Be certain to use the same KB number in both Evaluation and Remediation
$kb = '4503308'

# Check for presence and assign to variable
$installed = Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue

# Check the variable and exit accordingly
if ( $installed ) {
    # Installed is Non-Compliant, so Exit 1
    Exit 1
} else {
    # Otherwise Exit 0 for Compliance
    Exit 0
}
 

Remediation:

Method 1 - Windows 7 and Newer

Remediation is more complex in this case. Since Windows 10 removed the option to uninstall patches silently with wusa.exe, we have to find the package another way: list the installed packages with dism.exe, extract the package name from the output, and then use dism.exe again to uninstall the patch.

# Uninstall the specified patch using dism.exe
# Compatible with Windows 7 and Newer

# Change this KB number to match what you want to check for
# Be certain to use the same KB number in both Evaluation and Remediation
$kb = '4503308'

# Retrieve the package information from dism.exe filtered for our patch.
# Select-String returns one MatchInfo per matching line, so take the first,
# convert it to a string, and remove the "Package Identity : " label text.
$package = & dism.exe /online /get-packages | Select-String $kb | Select-Object -First 1
Try { $packageName = $package.ToString().Replace("Package Identity : ", "").Trim() }
Catch { Write-Output "Package Not Found, device is compliant"; Exit 0 }

# Use the package name we just retrieved to trigger the uninstall, then exit
# with dism.exe's own exit code so the result is reported to the console
# (0 = removed, 3010 = removed but a reboot is required)
$process = Start-Process -FilePath 'dism.exe' -ArgumentList "/Online /Remove-Package /PackageName:$packageName /quiet /norestart" -Wait -PassThru
Exit $process.ExitCode
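The single Select-String match above is enough for most devices, but dism.exe can list more than one package that references a KB (for example an installed one and a superseded or staged one). As an added example that is not part of the original Worklet or Automox's code, the following PowerShell parses the "Key : Value" records that dism.exe /online /get-packages prints into objects, removes only the packages that both reference the KB and report State : Installed, and maps dism.exe's exit codes (0 = removed, 3010 = removed but reboot required) onto the script's exit code. The sample dism.exe output embedded in the block is constructed to exercise the parser offline, the record layout is assumed from dism.exe's normal output, and the KB number is the same placeholder used elsewhere on this page.

```powershell
# Added example, not from the original Worklet. Parses "dism.exe /online
# /get-packages" text into objects so that only packages that reference the
# KB AND report "State : Installed" are removed, and maps dism.exe's exit
# codes (0 = removed, 3010 = removed, reboot required) onto the script's.

function ConvertFrom-DismPackageList {
    # Turn "Key : Value" lines into one object per blank-line-separated record
    param([string[]]$Lines)
    $record = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<key>[^:]+?)\s*:\s*(?<value>.*)$') {
            $record[$Matches.key] = $Matches.value.Trim()
        }
        elseif ($line.Trim() -eq '' -and $record.Count -gt 0) {
            [pscustomobject]$record
            $record = @{}
        }
    }
    if ($record.Count -gt 0) { [pscustomobject]$record }
}

function Get-InstalledKbPackage {
    # Return only the package records for $Kb that are actually installed
    param([string[]]$Lines, [string]$Kb)
    ConvertFrom-DismPackageList -Lines $Lines |
        Where-Object { $_.'Package Identity' -like "*KB$Kb*" -and $_.State -eq 'Installed' }
}

# Constructed sample of dism.exe output (assumed record layout), used to
# exercise the parser offline: one installed package for the KB, one superseded
$sampleOutput = @(
    'Packages listing:',
    '',
    'Package Identity : Package_for_KB4503308~31bf3856ad364e35~amd64~~10.0.1.0',
    'State : Installed',
    'Release Type : Security Update',
    'Install Time : 6/11/2019 10:00 AM',
    '',
    'Package Identity : Package_for_KB4503308~31bf3856ad364e35~amd64~~10.0.0.9',
    'State : Superseded',
    'Release Type : Security Update',
    'Install Time : 5/14/2019 9:00 AM',
    ''
)
$kb = '4503308'   # same placeholder KB as the Worklet; change to your own
$sampleTargets = @(Get-InstalledKbPackage -Lines $sampleOutput -Kb $kb)
Write-Output "Sample parse found $($sampleTargets.Count) installed package(s) for KB$kb"

# Live run against this device
$targets = @(Get-InstalledKbPackage -Lines (& dism.exe /online /get-packages) -Kb $kb)
if ($targets.Count -eq 0) {
    Write-Output "KB$kb is not installed, device is compliant"
    Exit 0
}

$finalExit = 0
foreach ($pkg in $targets) {
    $name = $pkg.'Package Identity'
    $process = Start-Process -FilePath 'dism.exe' `
        -ArgumentList "/Online /Remove-Package /PackageName:$name /quiet /norestart" `
        -Wait -PassThru
    switch ($process.ExitCode) {
        0    { Write-Output "Removed $name" }
        3010 { Write-Output "Removed $name, reboot required"; if ($finalExit -eq 0) { $finalExit = 3010 } }
        default {
            Write-Output "dism.exe failed for $name with exit code $($process.ExitCode)"
            $finalExit = $process.ExitCode
        }
    }
}
Exit $finalExit
```

Against the constructed sample the parser yields exactly one target (the Installed record), and the Superseded record is skipped. Exiting with 3010 rather than 0 after a successful removal keeps the reboot-required state visible in the console, the same way Method 2 surfaces wusa.exe's exit code.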
 

Method 2 - Windows 8 and Older

For the sake of example, here is a simpler version that can be used on devices running older operating systems (Windows 8 and older).

The one complication here lies in the need to use the 'sysnative' path to wusa.exe when running on a 64-bit operating system. So we add a check for that and act accordingly.

Note: This is necessary because Automox runs as a 32-bit process even on 64-bit versions of Windows.

# Uninstall the specified patch using wusa.exe
# Compatible with Windows 8 and Older

# Change this KB number to match what you want to check for
# Be certain to use the same KB number in both Evaluation and Remediation
$kb = '4503308'

# Determine OS Architecture to set path for wusa.exe
$osArch = (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture

# Define the FilePath to wusa.exe based on OS Architecture
# (sysnative is the 32-bit process's view of the 64-bit System32 directory)
if ( $osArch -match '64-bit' ) {
    $filePath = "$env:SystemRoot\sysnative\wusa.exe"
} else {
    $filePath = "$env:SystemRoot\System32\wusa.exe"
}

# Uninstall and save the exit code to determine success/failure
$process = Start-Process -FilePath $filePath -ArgumentList "/uninstall /KB:$kb /quiet /norestart" -Wait -PassThru
Exit $process.ExitCode
 

  7. Save the Worklet.

You can assign this Worklet to the appropriate Windows groups and execute the policy. You can also set the Worklet to run on a schedule like any other Worklet.

Below is an example of what this should look like in the Automox console. If you need technical assistance, contact our support team at support@automox.com.


About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure. 

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.
