A disruptive day at the office could start when someone says: “Hey, I’m having problems with my OS; the last thing I saw is that there were a bunch of updates being installed”, and if we are not lucky and it is in fact an update that is generating the problem, we will need to get our hands dirty.


Finding out that we need to roll back an update is definitely not an easy situation. On a home computer it would probably not be a big problem, but if we have just approved the update for our entire organization, things could get really messy.


Reviewing some of what we previously discussed in Patching Best Practices, we see that testing our updates before deploying them is almost a must; but at this point, whether we tested or not does not matter: we need to solve this problem. It is also highly recommended to have a baseline image of our company's user system ready (maybe a virtual machine), so that we can rapidly start working with this image to solve the problem.


And of course, if we don’t have the baseline image, we can start working with the machine that appeared with the problem.


Start Working on the Problem

Having said the necessary about best practices, let’s start working on the problem. Here’s general guidance about what we need to do:


  1. If you are using WSUS, mark the recently approved updates as “Not Approved”. This will not remove the updates from computers where they are already installed, but it will prevent them from being installed on any other systems.
  2. Use the baseline image to review the behavior when we have the updates approved.
  3. Perform some quick troubleshooting (Event Viewer, application logs) to understand a little bit more about the problem.
  4. Remove the updates installed in the baseline image. We can use “Control Panel” or “Windows Update” (the “Read More” section under “Installed Updates” sometimes shows the uninstall instructions).
  5. Verify that the problem is solved. 
  6. To extend this automatically for all users we can use WSUS or scripting:
    • For WSUS, configure the updates as “Approve for Removal” -- this will automate the process of uninstalling.
      • We can also set a “Deadline” to remove the update.
      • If we want to remove it as soon as possible, select a date in the past.
      • Important disclaimer: The “Approve for Removal” option is not available for several updates, so we might want to use the “scripting” option.
    • Scripting the update:
      • For Windows XP we can find the (hidden) folder for the update, C:\Windows\$NtUninstallKB<number>, and generate a script for uninstalling.
      • For Windows 7 we can use a script with “wusa /uninstall /kb:<number>”.
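
The Windows 7 scripting option above, as an added example that is not part of the original article: a PowerShell wrapper around wusa that skips machines without the update, removes it unattended, and logs the outcome. The parameter names and the log path are assumptions, and the KB number is supplied by the caller.

```powershell
# Added example: remove one update with wusa.exe and record the result.
# Run elevated (for example as a startup script). Written for PowerShell 2.0+.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\d{6,8}$')]      # digits only, so nothing else reaches the wusa command line
    [string]$KbNumber,
    [string]$LogPath = "$env:windir\Temp\kb-rollback.log"   # assumed log location
)

function Write-Log([string]$Message) {
    $line = "{0} {1} KB{2}: {3}" -f (Get-Date -Format s), $env:COMPUTERNAME, $KbNumber, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# Skip machines where the update was never installed.
if (-not (Get-HotFix -Id "KB$KbNumber" -ErrorAction SilentlyContinue)) {
    Write-Log 'not installed, nothing to do'
    exit 0
}

# /quiet and /norestart keep the removal unattended; the reboot is handled separately.
$proc = Start-Process -FilePath "$env:windir\System32\wusa.exe" `
    -ArgumentList '/uninstall', "/kb:$KbNumber", '/quiet', '/norestart' `
    -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Log 'removed'; exit 0 }
    3010    { Write-Log 'removed, reboot required'; exit 0 }
    default { Write-Log "wusa failed with exit code $($proc.ExitCode)"; exit $proc.ExitCode }
}
```

Collecting the log lines centrally shows which machines still carry the update and which are waiting for a reboot.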


Handling Restore Points

“System Restore Points” are also a valid way to solve a faulty update deployment for Windows OS. A System Restore point is basically an operating system snapshot that is created whenever you make a significant change to your PC. One of the processes that can create restore points automatically is in fact Windows Update.


So, whenever we have a problem with a recent change, we can use a Restore Point to recover the exact state we had before the change.


Using System Restore Points

Using Restore Points is not complicated, since we only need to follow a wizard; the catch is that we have to do it manually on every computer:


  1. Access “Computer” > “Properties”.
  2. Select “System Protection” and click on “System Restore”.
  3. This will open up a wizard, click “Next” in the first step.
  4. We will have the option to select the “Restore Point” to apply to our system; carefully select the proper one.
  5. Reboot the computer.


With that we’ll complete the necessary steps to solve our problem. But if we are going to depend on restore points, we must make sure we have the necessary configuration across all of our computers.


Creating Restore Points

We can create restore points on our computers manually or through an automated process.


Unfortunately, the automated process is not all that simple. We will use Group Policy to distribute this configuration across our organization, but we will need a few command lines to accomplish this.


  • Creating Restore Points manually
    • Access “Computer” > “Properties”
    • In the left pane, click “System Protection”.  
    • Click the System Protection tab, and then click Create.
    • In the System Protection dialog box, type a description, and then click Create.
  • Creating Restore Points using Group Policy
    • Create a new Group Policy Object and link it to the Active Directory Container of your choice.
    • Create a new Task under [Computer Configuration\Preferences\Control Panel Settings\Scheduled Tasks]
    • Type a name and choose SYSTEM account to run this task.
    • In “Triggers” tab, click “New” and choose the period of time you would like to create a restore point.
    • In “Action” type “%windir%\system32\rundll32.exe” and in “Program/Script”: “/d srrstr.dll,ExecuteScheduledSPPCreation”
    • Click OK and complete the GPO creation.
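
A way to check that a computer actually has a usable restore point before updates are approved, as an added example that is not part of the original article. It uses the built-in Checkpoint-Computer cmdlet instead of the rundll32 action above; the parameter names and defaults are assumptions.

```powershell
# Added example: verify that a recent restore point exists and create one if not.
# Run elevated in Windows PowerShell on a client OS (Windows 7 or later).
param(
    [int]$MaxAgeDays = 1,                              # assumed freshness threshold
    [string]$Description = 'Pre-update checkpoint'     # assumed label for the restore point
)

function Get-LatestRestorePoint {
    # CreationTime is returned as a WMI (DMTF) string, so convert it before sorting.
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
        Select-Object SequenceNumber, Description,
            @{ Name = 'Created'; Expression = {
                [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
        Sort-Object Created -Descending |
        Select-Object -First 1
}

$latest = Get-LatestRestorePoint
if ($latest -and $latest.Created -gt (Get-Date).AddDays(-$MaxAgeDays)) {
    Write-Output "OK: restore point #$($latest.SequenceNumber) from $($latest.Created)"
    exit 0
}

# Nothing recent: make sure System Protection is on for the system drive, then create one.
Enable-ComputerRestore -Drive "$env:SystemDrive\"
Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

# Confirm that a new restore point really exists (creation can fail on low disk space).
$new = Get-LatestRestorePoint
if (-not $new -or ($latest -and $new.SequenceNumber -le $latest.SequenceNumber)) {
    Write-Error 'Restore point was not created; check System Protection settings and free disk space.'
    exit 1
}
Write-Output "Created restore point #$($new.SequenceNumber): $($new.Description)"
```

A non-zero exit code identifies the computers where System Restore could not be relied on for a rollback.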


For more information about “Restore Points” review the following link: “System Restore: frequently asked questions”.