There are documented cases where rolling back some Microsoft security patches has damaged core software components of computer systems, resulting in instability or even unrecoverable system failure. One way this can happen is when a security patch that is rolled back removes updated files that another security patch relies on to function correctly; once those files are gone, the remaining patch can cause instability.
The first rule of rolling back security patches is that you should only do this if you absolutely need to. Patches are (generally) well tested by Microsoft and will not often introduce instability. If it is necessary to roll back a security patch using ManageSoft, you can minimize the risk by following the instructions described in this document.

Security patches targeted to computers via the ManageSoft Security Patch Management portal are automatically marked not to be uninstalled when they are removed from policy at a later date. This is to stop accidental rollback caused by user error. Once a security patch is added to a group policy, you may want to switch to the Active Directory Group Policy editor and mark the security patch packages to be uninstalled when they are removed from policy, so that you are prepared to roll back the security patch if it causes instability. You can do this as follows:
- Find your security patch policy, possibly using Active Directory Users and Computers.
- Edit the policy.
- Navigate to the 'Computer Configuration\Software Settings\Software Management' node.
- Double-click on each package for the selected bulletin, which opens the ManageSoft package properties dialog box.
- For each package, select the 'Deployment conditions' tab and ensure that the 'Remove this application when it falls outside the applicable policy' checkbox is checked.
It is strongly recommended that if you do need to roll back more than one security patch, you do so one at a time, with enough time in between to allow the managed devices to update their policy and carry out the uninstall.
Some security patches require a reboot before the uninstall of another security patch is attempted; otherwise system instability can occur. ManageSoft for managed devices (for Security Patch Management) will only perform one rollback per policy update, but if the user declines to reboot the computer after the first uninstall, a later policy update may uninstall a second security patch, which may result in instability. Also, where possible, roll back patches in the reverse order from that in which they were applied, as this carries less risk of causing a problem.
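The two rules above (reboot between uninstalls, and remove patches newest-first) can be checked on a managed device before each package is taken out of policy. The following PowerShell script is an added example and is not part of ManageSoft or this document; it uses only built-in Windows facilities (Get-HotFix and the standard pending-reboot registry indicators). The KB numbers in the list are constructed placeholders, and the mapping from a ManageSoft bulletin to its KB numbers is assumed to come from the bulletin itself.

```powershell
# Added example (not ManageSoft's own tooling): plan a one-at-a-time, reverse-order
# rollback and refuse to proceed while a reboot from the previous uninstall is pending.
# The KB ids below are constructed placeholders; replace them with the KBs listed in
# the bulletin you intend to remove from policy.

param(
    [string[]]$KbToRollBack = @('KB0000001', 'KB0000002', 'KB0000003')
)

function Test-PendingReboot {
    # The three well-known indicators that Windows still needs a restart:
    # Component Based Servicing, Windows Update Agent, and queued file renames.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    if (Test-Path $cbs) { return $true }
    if (Test-Path $wua) { return $true }
    $pfro = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    return ($null -ne $pfro -and $pfro.Count -gt 0)
}

function Get-RollbackOrder {
    param([string[]]$KbIds)
    # Look up the install dates of the requested KBs and order them newest-first,
    # i.e. the reverse of the order in which they were applied.
    $installed = Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID }
    $missing = $KbIds | Where-Object { $installed.HotFixID -notcontains $_ }
    foreach ($m in $missing) { Write-Warning "$m is not installed on this device; skipping." }
    # Entries with no recorded InstalledOn date are sorted last so the dated ones
    # are handled in a known order first.
    return $installed | Sort-Object @{
        Expression = { if ($_.InstalledOn) { $_.InstalledOn } else { [datetime]::MinValue } }
        Descending = $true
    }
}

$order = Get-RollbackOrder -KbIds $KbToRollBack
Write-Host 'Planned rollback order (newest first):'
$order | Format-Table HotFixID, Description, InstalledOn -AutoSize

# Gate the next uninstall on the previous one having been followed by a reboot.
if (Test-PendingReboot) {
    Write-Warning 'A reboot is pending from an earlier change. Reboot before removing the next patch from policy.'
    exit 1
}

if ($order.Count -gt 0) {
    $next = $order[0]
    Write-Host "Next patch to remove from policy: $($next.HotFixID) (installed $($next.InstalledOn))"
    # The removal itself is done by taking the package out of the ManageSoft policy
    # as described above; this script only sequences and gates that step.
}
```

Get-HotFix records install dates without a time of day, so two patches applied on the same day tie in the sort; resolve those from your deployment records rather than from this output. Run the script once per rollback cycle: it will stop with a warning until the device has rebooted, which is exactly the condition under which a second uninstall should not be allowed to proceed.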
Thorough testing of security patch installation across as many different system configurations as possible should make security patch rollback unnecessary. If rolling back cannot be avoided, it is important to carry out the recommendations in this document in order to minimize the risk of damage to computer systems.