Rollback List Of Recently Patched Servers Powershell

  • Question

  • Hi All,

    I am trying to design a PowerShell script that could actually roll back all the patches installed in the patching schedule.

    Let me make it more clear: I have a CSV that contains a list of servers and their patching schedule. It looks like this:

    D:\Listofservers\XYZ.csv

    CI,                        Date,          Start Time,    End Time

    RandomServer1,12/10/2014,11:00:00PM, 1:00:00 AM

    RandomServer2,12/10/2014,11:00:00PM, 1:00:00 AM

    I am trying to design a PowerShell script that could roll back all the changes (uninstall the patches) between Start Time and End Time silently.

    I am done with a little script; kindly help me out to improve it to accomplish my task:

    # Security updates installed after the cut-off date, oldest first
    $PatchList = (Get-HotFix | Where-Object { $_.Description -like "Security*" -and $_.InstalledOn -gt "07/17/2014" } | Sort-Object InstalledOn)
    foreach ($Patch in $PatchList)
    {
        # wusa.exe expects the KB number without the "KB" prefix
        $KBNumber = $Patch.HotfixId.Replace("KB", "")
        $RemovalCommand = "wusa.exe /uninstall /kb:$KBNumber /quiet /log /norestart"
        Write-Host ("Removing update with command: " + $RemovalCommand)
        Invoke-Expression -Command $RemovalCommand
        # wusa.exe returns immediately, so poll until its process has exited
        while (@(Get-Process wusa -ErrorAction SilentlyContinue).Count -ne 0)
        {
            Start-Sleep 1
            Write-Host "Waiting for update removal to finish ..."
        }
    }

    * I have to do this for the list of servers, as in CI of main, and dynamically pass the Date, Start Time and End Time from my CSV.

    * Should be able to justify if my rollback was successful.

    Any help in this regard is highly appreciated. Thanks in advance.

    Saturday, November 8, 2014 8:55 PM

Answers

  • try:

    # Each CSV row supplies the server name (CI) and the patch date to roll back
    foreach ($Server in (Import-Csv -Path "D:\Listofservers\XYZ.csv")) {
        Write-Output "Processing patches on '$($Server.CI)'"
        $Count = Invoke-Command -ComputerName $Server.CI -ScriptBlock { Param($Date)
            # @() keeps a single match an array, so .Count is reliable
            $PatchList = @(Get-HotFix | 
                Where-Object { $_.Description -like "Security*" -and $_.InstalledOn -eq "$Date" } | 
                    Sort-Object InstalledOn)
            if ($PatchList) {
                foreach ($Patch in $PatchList) {
                    # wusa.exe expects the KB number without the "KB" prefix
                    $KBNumber = $Patch.HotfixId.Replace("KB", "")
                    Invoke-Expression "wusa.exe /uninstall /kb:$KBNumber /quiet /log /norestart"
                    # Poll until the wusa process has exited
                    while (@(Get-Process wusa -ErrorAction SilentlyContinue).Count -ne 0) {
                        Start-Sleep 1
                    }
                }
                $PatchList.Count 
            } else {
                0
            }
        } -ArgumentList $Server.Date
        if ($Count -eq 0) {
            Write-Output "No patches installed on '$($Server.date)' found on '$($Server.CI)'"
        } else {
            Write-Output "Removed '$Count' patches on '$($Server.CI)'"
        }
    }


    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com

    Sunday, November 9, 2014 2:09 AM
  • Again - be careful. I have unpatched my way into a black hole more than once.

    ¯\_(ツ)_/¯

    Sunday, November 9, 2014 2:25 AM

All replies

  • Many if not most patches cannot be rolled back. You can return to a save point. I believe there is a command in PowerShell 4 that can do that.

    To do an uninstall of a patch you must first check the patch to see if it can be uninstalled.

    To get that info you need to pull the catalog from the website and check the KB properties. You can also retrieve the article via the Windows Update COM class. Look in the repository for examples.

    If you use the WU control to do this you can chain the uninstalls and you will get a notification when they are done and the status.

    A large update package may spawn numerous installers to install and remove. I am pretty sure that WUSA can terminate and the installer can keep running for quite some time.

    Many uninstallable patches can make the system unstable if uninstalled after other software has been installed. Be careful. Read the KB notes carefully.


    ¯\_(ツ)_/¯

    Saturday, November 8, 2014 9:32 PM
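
Added example, not part of the original thread or any poster's code: a sketch, run on the server itself, that turns one CSV row into a time window (an end time past midnight rolls to the next day), lists the updates the Windows Update COM history records as installed in that window together with each one's IsUninstallable flag, and afterwards reports which KBs are no longer listed. Function names are hypothetical and dates are assumed to be month/day/year.

```powershell
# Added example; function names are hypothetical. Dates assumed month/day/year.
function Get-PatchWindow {
    param([string]$Date, [string]$StartTime, [string]$EndTime)
    $inv = [Globalization.CultureInfo]::InvariantCulture
    $start, $end = $StartTime, $EndTime | ForEach-Object {
        # Normalise "11:00:00PM" and " 1:00:00 AM" to "h:mm:ss tt" before parsing.
        $time = $_.Trim() -replace '\s*([AP]M)$', ' $1'
        [datetime]::Parse("$Date $time", $inv)
    }
    # An end time at or before the start means the window ran past midnight.
    if ($end -le $start) { $end = $end.AddDays(1) }
    [pscustomobject]@{ Start = $start; End = $end }
}

function Get-WindowInstall {
    param([datetime]$Start, [datetime]$End)
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $searcher.Online = $false                      # use the local cache only
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }
    # IsUninstallable is a property of the IUpdate objects for installed updates.
    $removable = @{}
    foreach ($u in $searcher.Search('IsInstalled=1').Updates) {
        foreach ($kb in $u.KBArticleIDs) { $removable["KB$kb"] = $u.IsUninstallable }
    }
    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |  # succeeded installs
        ForEach-Object {
            $when = $_.Date.ToLocalTime()          # history timestamps are UTC
            if ($when -ge $Start -and $when -le $End -and $_.Title -match 'KB\d+') {
                [pscustomobject]@{
                    HotFixId = $Matches[0]; InstalledAt = $when
                    IsUninstallable = [bool]$removable[$Matches[0]]; Title = $_.Title
                }
            }
        }
}

function Test-RollbackResult {
    param([string[]]$HotFixId)
    # With /norestart an update can stay listed until the reboot completes removal.
    foreach ($id in $HotFixId) {
        [pscustomobject]@{ HotFixId = $id; Removed = -not (Get-HotFix -Id $id -ErrorAction SilentlyContinue) }
    }
}

# Constructed sample row from the question's CSV layout.
$w = Get-PatchWindow -Date '12/10/2014' -StartTime '11:00:00PM' -EndTime ' 1:00:00 AM'
Get-WindowInstall -Start $w.Start -End $w.End | Format-Table -AutoSize
```

Rows with IsUninstallable set to False are the ones to leave alone; after any removal and reboot, passing the remaining HotFixId values to Test-RollbackResult gives a per-KB record of what was actually removed.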