
Altiris Patch Management Rollback

Created: 12 Feb 2013 | 5 comments

We're considering using Altiris Patch Management for Microsoft Patching after using it successfully with the other 3rd party patching as a replacement for WSUS, but we discovered a snag: there's no simple rollback.  The only solution we could come up with was disassembling the packages and determining the uninstall keys ourselves and then deploying them.  The flaw in this is that we're a global company with 13 languages, which, worst case scenario, could mean 40 or more packages that need to be disassembled to uninstall.

My question, then, is: has anyone else moved from WSUS to Altiris, and how do you handle rollback?


burndtjammer

We maintain both systems in our environment. We use WSUS to handle most Windows updates and Altiris to handle application updates. We recently used Altiris to deploy IE9. The packages for WSUS were too large.

Joshua Rasmussen

Take a look at KM: HOWTO42396, for it details a process to run the uninstall for an update via a Task Job within the Symantec Management Platform.

dodgint

Joshua,

The Howto you reference seems to be targeted toward the XP OS. Are you aware of an enhancement request for a patch rollback process from within the solution?

Todd Clark County IS Vancouver,WA

Joshua Rasmussen

Hello dodgint,

Initially, Patch Management was not designed for Software Update uninstall, for adding this uninstall process would greatly increase the .cab file data size and download time. Hence the process provided in KM: HOWTO42396 for Windows XP that would allow the uninstall process to be performed via run script.

However, the software update installations for later operating systems (i.e. Windows 7) no longer implement these file types. These files are not present in Windows Vista, Windows 7, Windows Server 2008 or other recent operating systems, for the uninstall process is handled by the servicing stack of the OS. The supported method for uninstalling Windows Updates moving forward is to use 'uninstall updates' in the Control Panel > Programs and Features > View installed updates, and right-click > uninstall.

Please view this TECHNET forums link for more information regarding these file types and locations for recent operating systems. If you have any further questions regarding a scriptable method to perform the software update uninstall, please contact Microsoft.

Keep in mind that if the uninstall software update process is scriptable, the process detailed on KM: HOWTO10487 under heading 'Create a Custom Task and Script for Windows' would be the best practice within our product moving forward.

Thank you,

Joshua

 

Manny Castillo

I too wish there was a built-in uninstall feature within Patch Management.

 

For Windows 7/2008r2, I have used this in a custom script task: wusa.exe /uninstall /kb:2823324 /quiet /norestart.

For XP: C:\Windows\$NtUninstallKB2753842-v2$\spuninst\spuninst.exe /quiet /norestart.

 

The KB number will vary, of course. There is no applicability or detection with this.
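
Added example (not part of the original thread, and not Symantec or Microsoft code): a PowerShell wrapper for the wusa.exe command quoted above that adds the missing detection step, so a rollback task only acts on machines where the update is present and reports a usable exit code. The function name Remove-WindowsUpdateKb is hypothetical, and the KB number is the one from the comment above.

```powershell
# Added example: detection plus rollback for a single KB on Windows 7 / 2008 R2.
# Remove-WindowsUpdateKb is a hypothetical helper name, not an Altiris or Microsoft cmdlet.
function Remove-WindowsUpdateKb {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^\d{6,7}$')]   # digits only, so nothing else reaches the command line
        [string]$KbNumber
    )

    # Detection: Get-HotFix reads Win32_QuickFixEngineering on the local machine.
    $installed = Get-HotFix -Id "KB$KbNumber" -ErrorAction SilentlyContinue
    if (-not $installed) {
        Write-Host "KB$KbNumber is not installed on $env:COMPUTERNAME; nothing to roll back."
        return 0
    }

    # Same switches as the command in the comment above.
    $wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
    $proc = Start-Process -FilePath $wusa `
        -ArgumentList "/uninstall /kb:$KbNumber /quiet /norestart" `
        -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { Write-Host "KB$KbNumber removed." }
        3010    { Write-Host "KB$KbNumber removed; restart required to finish." }
        2359303 { Write-Host "wusa.exe reports KB$KbNumber was already uninstalled." }
        default { Write-Host "wusa.exe failed for KB$KbNumber, exit code $($proc.ExitCode)." }
    }
    return $proc.ExitCode
}

# KB number taken from the comment above; change it per rollback.
exit (Remove-WindowsUpdateKb -KbNumber '2823324')
```

Exit code 3010 means the removal succeeded but a restart is pending, so a task that treats any non-zero code as failure should allow for it.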