Monday, September 18, 2017

Today-challenge n.3 : offending patches and SCCM 2012

Hi mates,
I had a big issue during the previous days with a specific Microsoft patch. On the 12th of September MS released an update for Office (KB4011089).
One of my clients had SCCM 2012 R2 in production to install this kind of patch automatically.
The day after, a lot of users started calling the helpdesk saying that they could not open attachments on archived emails. They use a product that is not famous on the market, as we say a "niche" product.
Anyway, after investigating a lot we identified the "offending" patch (yes, I know that patches should usually be distributed in a test environment before anything else). I wrote "a lot" because this is a very dynamic environment: they apply GPOs, updates and so on every day, so you have to understand which single change may have had a specific impact.
So at this point two tasks were assigned to me:

    1. Uninstall the patch
    2. Stop the distribution of it through SCCM 2012 R2
 
Uninstalling a patch via SCCM is apparently easy, but the procedure is different for Office patches compared to Windows patches.
The normal procedure doesn't work, so I had to find an alternative way to do it.
I found good documentation on the internet about this issue: the command line that you have to type in the task sequence is a little bit complex and must be built paying attention to some information that you can retrieve from the registry.

Those can be checked in:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ for x86 systems and HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ for x64 systems.


So open the registry, go to the Uninstall key and search for the number of the patch that you want to uninstall.
After finding it, open the value named "UninstallString".

For example, on my PC I have:

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe" /removereleaseinpatch "{90140000-001A-0410-0000-0000000FF1CE}" "{2B4AAD09-2E6B-47ED-9755-ABEA0F807E9F}" "1040" "0"

The first GUID is GUID1 (the product ID, shown in red in the original post) and the second is the patch GUID (GUID2, shown in blue).

At this point you have to construct the command to insert in the task sequence, observing the following syntax:

msiexec /package "{90140000-0011-0000-0000-0000000FF1CE}" MSIPATCHREMOVE="{C7C38F96-0BA9-48FC-A8A2-4C375A00AC88}" /quiet /norestart
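
The registry lookup and command construction described above can be scripted. The following PowerShell is an added example, not part of the original post: the function name ConvertTo-PatchRemoveCommand and the $Kb parameter are assumptions, and it assumes the KB number appears in the entry's key name or DisplayName.

```powershell
# Added example: build the msiexec removal command for an Office patch
# from the UninstallString values found under the Uninstall registry keys.
param([string]$Kb = 'KB4011089')   # $Kb is an assumed parameter name

# The two locations named in the post
$roots = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
         'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'

# Matches: ...Oarpmany.exe" /removereleaseinpatch "{ProductGUID}" "{PatchGUID}" ...
$pattern = '/removereleaseinpatch\s+"(\{[0-9A-Fa-f-]{36}\})"\s+"(\{[0-9A-Fa-f-]{36}\})"'

function ConvertTo-PatchRemoveCommand {
    param([string]$UninstallString)
    # Emits nothing when the string is not an Office patch uninstall string
    if ($UninstallString -match $pattern) {
        'msiexec /package "{0}" MSIPATCHREMOVE="{1}" /quiet /norestart' -f $Matches[1], $Matches[2]
    }
}

# Walk both Uninstall keys and convert every entry that mentions the KB
$commands = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($_.PSChildName -like "*$Kb*" -or $p.DisplayName -like "*$Kb*") {
            ConvertTo-PatchRemoveCommand $p.UninstallString
        }
    }
}
$commands | Sort-Object -Unique

# Offline check using the UninstallString quoted in the post
$sample = '"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe" ' +
          '/removereleaseinpatch "{90140000-001A-0410-0000-0000000FF1CE}" ' +
          '"{2B4AAD09-2E6B-47ED-9755-ABEA0F807E9F}" "1040" "0"'
ConvertTo-PatchRemoveCommand $sample
```

Each matching registry entry yields its own command, so a KB that is listed more than once on a machine produces one removal command per entry.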

Do not forget to configure the task sequence in the right way. In my situation I had to specify 2 other options:


Final step: assign the task sequence to the right collection.
Tip: I had to deploy 2 task sequences for each operating system, since the language pack in use is also affected by the patch (in Control Panel --> "Programs and Features" I found the same KB installed twice).

At this point you are ready to block the distribution of the "indicted" installer.
It's not so easy, a little bit convoluted, but feasible.

First of all, in SCCM go to "All Software Updates" and find the update that you want to mark.
Select it, right-click and choose "Edit Membership". You will get the list of all Software Update Groups; select where it should be included (one criterion could be the release date of the patch). Uptick them and click OK.
Then right-click on the patch again, select "Properties" and change the severity of the patch from "None" to "Low":


Last step: go to the Automatic Deployment Rules section, right-click on the rule that contains the patch and open its properties.
Select the "Software Updates" tab and add a new filter field named "Custom Severity". Set it to "None". Boom, done!!!



From now on, SCCM will exclude every update whose custom severity field is set to any value and will pick up only the ones with no value.
Hope this helps.
See you soon

3 comments:

  1. The day after a lot of users started calling the helpdesk telling that they cannot open attachments on archived emails. They use a product that is not famous on the market, as we say a "niche" product.

  2. SCCM 2012 R2 Installing and Configuring – Part 03 Installing · Mount the Configuration manager installation media and run Splash.exe ·

  3. Seems as though you all love our patches so much, we thought it was about time to add a giant back patch into the mix as well!
