One of the questions we occasionally receive from SCCM users is whether BatchPatch can install/apply the Windows Updates that are currently being presented to a computer through SCCM.
BatchPatch and SCCM?
There are a couple things that you need to know…
Windows Updates that are being offered to a computer through SCCM are only available inside of SCCM. BatchPatch does not have the ability to directly access or control your SCCM server. BUT… you still have options. See below.
Executing SCCM Client Triggers from within BatchPatch
If you check in BatchPatch under ‘Tools > SCCM Client Triggers‘ you will see a list of all available SCCM trigger commands. Each of these can be individually executed through BatchPatch on target computers that have SCCM installed. However, depending on your needs and your environment, utilizing these triggers may not be sufficient, so you may need to do more. See below.
Using BatchPatch in an Existing SCCM Environment
If you want to be able to use BatchPatch in an environment that already uses SCCM, you have a couple of options. If you have SCCM in your environment, it’s important to understand that SCCM utilizes its own WSUS server. Once SCCM takes control of a WSUS during the setup/configuration of SCCM, that WSUS can no longer be used by a non-SCCM application like BatchPatch to search for updates. So, if your target computers are configured via Group Policy to search for updates on a WSUS that is controlled by your SCCM server, then if you use BatchPatch to initiate a scan for available updates, and if BatchPatch’s ‘Server Selection‘ setting is set to ‘Default/Managed‘, BatchPatch will always report ‘No applicable updates‘. In order to use BatchPatch with a WSUS, the WSUS must be independent. It cannot be linked to or controlled by SCCM.
So, if you want to use BatchPatch in an environment that is already using SCCM, you can either set BatchPatch’s ‘Server Selection‘ under ‘Tools > Settings > Windows Update‘ to ‘Windows Update‘ or ‘Microsoft Update‘.
Or… you can set up a secondary WSUS server that is independent and not touched by or controlled by SCCM. However, this creates a minor secondary challenge. Since Group Policy is generally the method that is used to configure target computers to point to a particular WSUS server (in the case of SCCM environments, the Group Policy setting will point to the WSUS server that has been configured for use by SCCM), you would need a way to tell a target computer to utilize your secondary independent WSUS, at will. The idea here would be that since your target computers all look to the WSUS that is controlled by SCCM (let’s call that the SCCM-WSUS from now on), you need a way to temporarily modify that setting to tell target computers to look at your independent WSUS during the time that you are using BatchPatch. While you could modify your Group Policy to point to the independent WSUS, use BatchPatch, and then set it back to the SCCM-WSUS afterward, another option that is probably more seamless would be to directly modify the GPO’s underlying registry values on target computers, rather than touching the GPO itself. In BatchPatch you could actually set up a job queue to do the following all in a single click:
Step 1. Update the target computer registry to point to your independent WSUS
Step 2. Execute your BatchPatch Windows Update actions
Step 3. Reboot the target, which will trigger a Group Policy refresh, which will have the effect of wiping out the registry values that you put in place so that they get set back to the values that the Group Policy Object contains. Alternatively instead of rebooting the target, you can send a new command to the target computer to update the registry values again to point back to the SCCM-WSUS.
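As an added example (not BatchPatch's own code and not from the original article), the PowerShell below implements Step 1 and the non-reboot alternative in Step 3 on a target computer. It assumes the standard Windows Update policy values `WUServer`, `WUStatusServer` and `UseWUServer`; the function names, the backup path and the server URL are hypothetical placeholders.

```powershell
# Added example. Run elevated on the target computer. URL and backup path are placeholders.
$WU     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU     = "$WU\AU"
$Backup = 'C:\ProgramData\wsus-policy-backup.json'   # hypothetical location

function Save-WsusPolicy {
    # Record the server values Group Policy wrote, so they can be put back without a reboot.
    $p = Get-ItemProperty -Path $WU -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
    } | ConvertTo-Json | Set-Content -Path $Backup -Encoding UTF8
}

function Set-WsusTarget {
    param(
        [Parameter(Mandatory)][ValidatePattern('^https?://\S+$')][string]$Url,
        [string]$StatusUrl = $Url
    )
    # Create the keys only when absent; New-Item -Force on an existing key would clear its values.
    if (-not (Test-Path $AU)) { New-Item -Path $AU -Force | Out-Null }
    New-ItemProperty -Path $WU -Name WUServer       -PropertyType String -Value $Url       -Force | Out-Null
    New-ItemProperty -Path $WU -Name WUStatusServer -PropertyType String -Value $StatusUrl -Force | Out-Null
    New-ItemProperty -Path $AU -Name UseWUServer    -PropertyType DWord  -Value 1          -Force | Out-Null
    Restart-Service -Name wuauserv -Force   # make the update agent re-read the policy values
}

function Restore-WsusPolicy {
    if (-not (Test-Path $Backup)) { throw "No saved policy at $Backup; reboot the target so Group Policy reapplies." }
    $old = Get-Content -Path $Backup -Raw | ConvertFrom-Json
    if ($old.WUServer) {
        # Point the target back at the SCCM-WSUS that was configured before the change.
        $status = if ($old.WUStatusServer) { $old.WUStatusServer } else { $old.WUServer }
        Set-WsusTarget -Url $old.WUServer -StatusUrl $status
    } else {
        # Nothing was configured before: remove what Set-WsusTarget wrote.
        Remove-ItemProperty -Path $WU -Name WUServer, WUStatusServer -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $AU -Name UseWUServer -ErrorAction SilentlyContinue
        Restart-Service -Name wuauserv -Force
    }
    Remove-Item -Path $Backup
}

# Pre-command (Step 1), with a constructed server name:
#   Save-WsusPolicy; Set-WsusTarget -Url 'https://wsus-independent.example.internal:8531'
# Post-command (Step 3 alternative):
#   Restore-WsusPolicy
```

A Group Policy refresh that lands between the pre and post commands will overwrite these values with the GPO's, so keep the window between them short.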
At the following link we demonstrate how to set up a BatchPatch job queue with “pre” and “post” commands that will handle what I just described above.
Using An Alternate WSUS Server For BatchPatch Windows Update Actions
Using An Alternate WSUS Server For BatchPatch Windows Update Actions Part 2