Best practices for uninstallation of Windows updates

Background

The capability to uninstall Windows updates from a device after they have been applied is a common request from partners. While this functionality is still offered on the surface by some tools and was common practice prior to the introduction of Windows as a service, Datto RMM does not support this functionality. A ComStore component is available to uninstall updates by KB designator, but the component is not supported on Windows 10 and above.

This topic proposes alternative management practices that administrators can use to bring order to their patching regimen.

Technical information

The two ways to uninstall a KB from the Windows command line are as follows:

Windows Update Standalone Installer (WUSA)

Using the WUSA tool to craft a command such as wusa /uninstall /kb:KBNUMBER /quiet /norestart is the most commonly cited method, but it is severely flawed. WUSA is slated for official deprecation when used with the /quiet switch, which any RMM system requires. As stated by Microsoft, "Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention." Refer to this Microsoft article.

This method also suffers from the drawback discussed in the next paragraph.

Deployment Image Servicing and Management (DISM)

DISM is a more modern approach that accomplishes largely the same task with a command string such as dism /Online /Remove-Package /PackageName:PackageIdentifier, but WUSA and DISM share the same drawbacks. Currently, most updates simply cannot be uninstalled from Windows using either method. Each update package carries a permanency attribute; when this flag is set to permanent, the update has been configured so that its removal is not permitted. Every cumulative update issued by Microsoft has this permanent flag set.

Certain online guides (such as this Windows Report guide) suggest that editing an installed update's metadata to change this flag will make the update removable. While this may produce the desired result, the approach runs counter to Microsoft's best practices for the operating systems. Datto RMM does not support this technique, and no ComStore component will provide for it. Partners who choose to employ this method do so at their own risk.

Summary

Datto RMM does not permit the uninstallation of Windows updates because Microsoft does not permit the uninstallation of Windows updates.

Best practices

Proactively employing Datto RMM Windows Update management in conjunction with a Patch Management policy can help to catch problematic updates before they are released onto a network. By configuring a minimum age threshold of one week for all new updates, partners can ensure that only updates with a certain pedigree are installed. Updates found to be problematic by the community will be detected and pulled by Microsoft before this time.

Using this strategy alongside a policy of researching and blocking known problematic updates via Patch Management policy controls will ensure that only updates that have passed community testing are installed onto local devices via Datto RMM Patch Management. Refer to Patch Management.
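The minimum age threshold and the blocklist of known problematic updates described above can also be checked on a single device. The following PowerShell script is an added example, not Datto RMM's own code or policy engine: it queries pending updates through the Windows Update Agent COM API (Microsoft.Update.Session) and flags any that were published less than seven days ago or that appear on a constructed blocklist. The $BlockedKBs list is a placeholder for KBs the partner has researched; it is empty by default.

```powershell
# Added example (not Datto RMM's code): reproduce the "minimum age threshold"
# and "block known problematic updates" checks locally by inspecting pending
# updates via the Windows Update Agent COM API. Assumes the device can reach
# its configured update source (Windows Update or WSUS).
param(
    [int]$MinAgeDays = 7,              # page's recommended threshold
    [string[]]$BlockedKBs = @()        # constructed placeholder, e.g. 'KB0000000'
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Software updates that are not yet installed and not hidden from the agent.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$now    = Get-Date
$cutoff = $now.AddDays(-$MinAgeDays)

$report = foreach ($u in $result.Updates) {
    # LastDeploymentChangeTime is when the update was last published or
    # revised on the update source; treat that as the update's age.
    $published = $u.LastDeploymentChangeTime
    $kbs       = @($u.KBArticleIDs | ForEach-Object { "KB$_" })

    if ($kbs | Where-Object { $BlockedKBs -contains $_ }) {
        $decision = 'BLOCK (on partner blocklist)'
    } elseif ($published -gt $cutoff) {
        $decision = 'HOLD (younger than threshold)'
    } else {
        $decision = 'ELIGIBLE'
    }

    [pscustomobject]@{
        KB        = $kbs -join ','
        Title     = $u.Title
        Severity  = $u.MsrcSeverity
        Published = $published
        AgeDays   = [int]($now - $published).TotalDays
        Decision  = $decision
    }
}

$report | Sort-Object Published | Format-Table -AutoSize
```

The script only reports; it does not install, hide, or remove anything, so it can be run as a read-only audit of what a one-week threshold would currently defer on the device.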