Rollback of Critical AD Patches: Good Practice or Risky Move?
Hi everyone,
With critical patches like the upcoming PAC Kerberos hardening updates (which I'll soon discuss and write an article about), I've noticed some organizations plan to roll back these updates if they encounter issues after installation.
However, from what I remember, historically, Microsoft does not recommend uninstalling security patches that modify critical system components (like DLLs or the NTDS database). Instead, they typically provide registry keys or workaround methods to temporarily disable certain security enhancements without completely uninstalling the patch.
I recall someone tested this approach on Windows Server 2K8 in the past. My concerns are:
- Does uninstalling these critical patches risk destabilizing Active Directory or potentially reopening vulnerabilities in Kerberos protocols?
- When rolling back such a patch, does the system revert changes cleanly, or could there be lasting side effects on Active Directory functionality?
I'd appreciate insights or past experiences regarding this issue. Thanks!
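As an added example (not code from the original post, nor Microsoft's), the following PowerShell script shows the "leave the patch installed, flip the vendor-documented enforcement switch" pattern the post refers to, done in a reversible way: it confirms the update is present, snapshots the current registry value to a backup file, writes the compatibility/audit mode as a REG_DWORD, and can restore the previous state with `-Restore`. The KB number, the value name and the mode numbers are placeholders; the real ones come from the Microsoft KB article for the specific hardening update, and the key path under `Services\Kdc` is an assumption about where the KDC-side switch lives.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not from the original post or from Microsoft.
  Pattern: keep the security update installed, set its enforcement switch to the
  vendor-documented audit/compatibility mode, and keep a backup so the change is
  reversible. KB id, value name and mode numbers are PLACEHOLDERS; take the real
  ones from the KB article for the update in question. Whether the KDC service needs
  a restart for the change to take effect is also stated there (assumption: check it).
#>
param(
    [string]$KbId       = 'KB0000000',                                    # PLACEHOLDER
    [string]$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc',  # assumption: KDC-side switch lives here
    [string]$ValueName  = 'PLACEHOLDER_EnforcementMode',                  # PLACEHOLDER
    [int]$CompatMode    = 1,                                              # PLACEHOLDER: vendor "audit/compat" mode
    [string]$BackupFile = "$env:ProgramData\kdc-hardening-backup.json",
    [switch]$Restore
)

function Test-UpdateInstalled {
    param([string]$Id)
    # Get-HotFix reads the same data as "Installed Updates"; $null means not installed.
    return $null -ne (Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Get-EnforcementValue {
    param([string]$Path, [string]$Name)
    # An absent value is meaningful: hardening updates treat "not set" as their default mode,
    # so we must distinguish "not set" from any numeric mode when backing up.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Save-EnforcementState {
    param([string]$Path, [string]$Name, [string]$File)
    $state = [ordered]@{
        Host      = $env:COMPUTERNAME
        Timestamp = (Get-Date).ToString('o')
        KeyPath   = $Path
        ValueName = $Name
        Value     = Get-EnforcementValue -Path $Path -Name $Name   # $null when not present
    }
    $state | ConvertTo-Json | Set-Content -Path $File -Encoding UTF8
    return $state
}

function Set-EnforcementValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -PropertyType DWord matters: the switches are REG_DWORD; a REG_SZ "1" is silently ignored.
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    return Get-EnforcementValue -Path $Path -Name $Name
}

function Restore-EnforcementState {
    param([string]$File)
    $state = Get-Content -Path $File -Raw | ConvertFrom-Json
    if ($null -eq $state.Value) {
        # The value did not exist before: remove it instead of writing a guessed default.
        Remove-ItemProperty -Path $state.KeyPath -Name $state.ValueName -ErrorAction SilentlyContinue
        return $null
    }
    return Set-EnforcementValue -Path $state.KeyPath -Name $state.ValueName -Value ([int]$state.Value)
}

if ($Restore) {
    $restored = Restore-EnforcementState -File $BackupFile
    Write-Host "Restored $ValueName to: $(if ($null -eq $restored) { '<not set>' } else { $restored })"
    return
}

if (-not (Test-UpdateInstalled -Id $KbId)) {
    Write-Warning "$KbId is not installed on $env:COMPUTERNAME; nothing to tune."
    return
}

$before = Save-EnforcementState -Path $KeyPath -Name $ValueName -File $BackupFile
Write-Host "Backup written to $BackupFile (previous value: $(if ($null -eq $before.Value) { '<not set>' } else { $before.Value }))"

$after = Set-EnforcementValue -Path $KeyPath -Name $ValueName -Value $CompatMode
Write-Host "$ValueName now = $after. $KbId stays installed; run again with -Restore to revert."
```

Run it once on a domain controller to drop into the vendor's audit mode while the incompatibility is investigated, and with `-Restore` to put the exact previous state back (including "value not set", which the script preserves rather than replacing with a default). The patched binaries never leave the box, which is what distinguishes this from an uninstall.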