How to Roll Back an Installed Patch on Devices

Occasionally, you might need to uninstall a recently applied patch because of unexpected system instability or application errors that follow its installation. An Automox patch rollback is an excellent way to "undo" the installation of unstable or undesired patches. This feature is currently available only for Windows-based devices.

  • Rolling back a patch is currently only available for Windows-based devices.
  • Note: Not all patches can be rolled back.

Removing a Patch Using the Automox Console

To roll back an installed patch in the Automox console, first navigate to the target device's Device Details page and scroll down to the Software section. Locate the patch you would like to roll back and select it, then open the BulkActions drop-down menu and click Roll Back.

Keep in mind that this is an inherently risky process that can cause operating system or application failures, so it is highly recommended to test rollbacks prior to applying them to critical systems.

Removing a Patch Using the Rollback Windows Patches Worklet

Another option is to use the Automox Verified Worklet called Rollback Windows Patches.

  1. In the console, go to Automate → Worklet Catalog.
  2. Search for and select Rollback Windows Patches.
  3. Select the Code Preview arrow to open the Evaluation and Remediation Code details.
  4. This worklet is designed to remove one or multiple KBs from a device. Add KBs by placing the KB number (for example, KB1234567) between single quotes in the $KBNumbers variable.



If you want to block a patch that has already been released, refer to Adding Patches to the Block List in the Automox Console. Blocking the patch reduces the remediation footprint.

Uninstallable Patches

It is important to note that not all patches can be rolled back. In order to be flagged as uninstallable, a patch must meet the following criteria:

  • The target device's operating system must be Windows Server 2008 R2/Windows 7 or newer
  • The applied patch must have an associated Knowledge Base article identifier
  • The applied patch must have been installed with Windows Update, Microsoft Update, or Windows Server Update Services
  • The package must be specifically marked as uninstallable

For more information, refer to Microsoft's Uninstallable Patches documentation.
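A pre-check for the criteria above, as an added example (it is not the Automox worklet's code): it asks the Windows Update Agent COM API which of the listed KBs are installed and whether each is flagged uninstallable. The function name Get-KBRollbackStatus and the KB values are hypothetical; $KBNumbers only mirrors the worklet's variable name. The example does not verify how the patch was installed.

```powershell
# Added example: report rollback eligibility for a list of KBs.
# KB values are constructed placeholders; replace them with real KB numbers.
$KBNumbers = 'KB1234567', 'KB7654321'

function Get-KBRollbackStatus {
    param(
        [Parameter(Mandatory)] [string[]] $KBNumbers
    )

    # Criterion: Windows 7 / Server 2008 R2 (NT 6.1) or newer
    $osSupported = [Environment]::OSVersion.Version -ge [Version]'6.1'

    # Ask the Windows Update Agent for installed software updates
    $session   = New-Object -ComObject Microsoft.Update.Session
    $searcher  = $session.CreateUpdateSearcher()
    $installed = $searcher.Search("IsInstalled=1 and Type='Software'").Updates

    foreach ($kb in $KBNumbers) {
        # KBArticleIDs stores the digits only, without the "KB" prefix
        $id   = $kb -replace '^KB', ''
        $hits = @($installed | Where-Object { @($_.KBArticleIDs) -contains $id })

        if ($hits.Count -eq 0) {
            # Not reported as installed by the Windows Update Agent
            [pscustomobject]@{
                KB = $kb; Installed = $false; Uninstallable = $false
                OSSupported = $osSupported; Title = $null
            }
            continue
        }

        foreach ($update in $hits) {
            # IsUninstallable is the package's own "can be removed" flag
            [pscustomobject]@{
                KB = $kb; Installed = $true
                Uninstallable = [bool]$update.IsUninstallable
                OSSupported = $osSupported; Title = $update.Title
            }
        }
    }
}

Get-KBRollbackStatus -KBNumbers $KBNumbers | Format-Table -AutoSize
```

A KB that shows Installed = True but Uninstallable = False is one that the rollback cannot remove, so it is worth checking before adding it to a worklet or selecting it in the console.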
