How to scriptably uninstall patches for Windows 10?

Cerulean

[H]F Junkie
Joined
Jul 27, 2006
Messages
9,272
First: you can no longer use wusa.exe to uninstall patches silently since Windows 8/Server 2016, so this is out of the question. You. Just. Can't. Do. It! Thanks Microsoft (for ingeniously deciding that parameters /quiet and /kb:kb123456 are illegal to use together). Sometimes wusa.exe will be able to remove a patch if you manually execute it in a console-level session, and there will be pop-ups you have to interact with, too.

Second: dism does not list every installed patch as a package. Said differently, not every installed patch exists as a package for dism to work with. On my Windows 10 machine, of 6 installed KB patches only 1 KB patch had a package listed by DISM.

Third: appwiz.cpl > Installed Patches appears to be the most rock solid and effective way to uninstall ANY patch. Problem: this isn't automatable and requires you to remote and login to every machine to do it manually with mouse clicking and interaction.

Fourth: dism appears to have support for uninstalling a patch by feeding it a .CAB file that has been extracted from an .MSU file. Problem: this means you would have to download the MSU package for every patch you want to uninstall, and to get that package you'll somehow magically have to acquire the download URL for whatever KB# you wish to remove. Good luck with that! I also don't know how effective this solution truly is, either (might not be effective at all!).

I have searched up and down for a solution but it seems that at present there isn't a silent and automation-friendly way to uninstall patches. You have to do it manually by hand, machine by machine, through a console session and GUI.
 

vick1000

2[H]4U
Joined
Sep 15, 2007
Messages
2,061
A remote script to remove core components, like OS updates? Sounds like a major security vulnerability.
 

B00nie

[H]F Junkie
Joined
Nov 1, 2012
Messages
8,487
A remote script to remove core components, like OS updates? Sounds like a major security vulnerability.
Sounds like a dream for someone handling 2000 corporate workstations... Although administering Windows is never a dream job. Unless one's a serious masochist.
 

Cerulean

[H]F Junkie
Joined
Jul 27, 2006
Messages
9,272
A remote script to remove core components, like OS updates? Sounds like a major security vulnerability.
Think in terms of 1000-10000 or more endpoints, and the latest CU or other patch breaks a critical line of business application resulting in 100% work stoppage for most workers. It takes time for vendors to patch their software as well as for Microsoft to fix their bugs. This happens more often than some people may think. It's a back and forth game when it comes to ensuring all machines are patched (because security fixes are real).
 

vick1000

2[H]4U
Joined
Sep 15, 2007
Messages
2,061
Think in terms of 1000-10000 or more endpoints, and the latest CU or other patch breaks a critical line of business application resulting in 100% work stoppage for most workers. It takes time for vendors to patch their software as well as for Microsoft to fix their bugs. This happens more often than some people may think. It's a back and forth game when it comes to ensuring all machines are patched (because security fixes are real).
The windows update platform already allows for update deployment, that's not the same as update removal. Changes get reversed by hotfixes in update deployment, not uninstallation.
 

dbwillis

Supreme [H]ardness
Joined
Jul 9, 2002
Messages
7,913
Test, Pilot, Prod
That's how we deploy , doesn't everyone !
 
Top