SOLVED

Windows Update roll back for specific device.


Hi all,

 

We are slowly implementing Windows Update rings with Intune in our organization. We have seen that it is possible to roll back potentially harmful updates.

From the Microsoft documentation we can see that it is possible in the Update ring to roll back all of the assigned users. What we are not sure about and can't find anywhere is whether it is actually possible to roll back an update for a specific group of devices.

Let's say we apply the ring to almost all users/devices, and only a few people are having trouble with the update. Do we really have to roll back the entire ring or can we do this manually for one or more devices?

 

Microsoft documentation:

https://docs.microsoft.com/en-us/intune/protect/windows-update-for-business-configure#uninstall

 

Thanks in advance!

1 Reply
Best Response confirmed by SamTeerlinck (Occasional Contributor)
Solution

@SamTeerlinck 

 

I'm pretty sure you can only roll updates back for the ring itself, affecting all members.

 

My suggestion would be to create several rings with staggered deferrals. Have some users be early adopters (with the lowest deferral value) to fully test your updates in all device scenarios and uses before rolling out to the wider estate.

 

To resolve your situation, you could create a new ring with a long deferral and move the problematic devices into this ring. Then deploy a PowerShell script to remove the problematic update, e.g. containing:

 

wusa /uninstall /kb:KBNUMBER

 

Then, once you've decided on your long-term update strategy, incorporate those devices into it.
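
A fuller form of the removal script suggested in the reply above, as an added example that is not part of the original post. The KB number is a placeholder as in the post, the log path is a hypothetical choice, and the script assumes it runs elevated (for example in SYSTEM context when deployed from Intune) on a device already moved to the long-deferral ring.

```powershell
# Added example: remove one update from a device and report the result
# through the exit code, so the deployment tool can show success or failure.

# Placeholder, as in the post: replace with the digits of the KB to remove.
$KbNumber = 'KBNUMBER'
# Hypothetical log location chosen for this example.
$LogFile = Join-Path $env:ProgramData 'UpdateRollback\rollback.log'

function Write-Log {
    param([string]$Message)
    $line = '{0} {1}' -f (Get-Date -Format 's'), $Message
    Add-Content -Path $LogFile -Value $line
}

New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

# Refuse to run with the placeholder or anything that is not a plain number.
if ($KbNumber -notmatch '^\d+$') {
    Write-Log "Invalid KB number '$KbNumber'; expected digits only."
    exit 1
}

# Only call wusa.exe when the update is actually present on this device.
$installed = Get-HotFix -Id "KB$KbNumber" -ErrorAction SilentlyContinue
if (-not $installed) {
    Write-Log "KB$KbNumber is not installed; nothing to do."
    exit 0
}

Write-Log "KB$KbNumber is installed; starting uninstall."
$wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
$wusaArgs = @('/uninstall', "/kb:$KbNumber", '/quiet', '/norestart')
$proc = Start-Process -FilePath $wusa -ArgumentList $wusaArgs -Wait -PassThru

# 0 = success, 3010 = success with a reboot still pending.
switch ($proc.ExitCode) {
    0       { Write-Log 'Uninstall succeeded.'; exit 0 }
    3010    { Write-Log 'Uninstall succeeded; reboot required.'; exit 0 }
    default { Write-Log "wusa.exe failed with exit code $($proc.ExitCode)."; exit 1 }
}
```

Because `/norestart` is used, the removal is only complete after the device's next reboot.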