The Best Windows Patching Software

When it comes to patching and updating the Windows operating system in a business environment, there are a lot of options to choose from. Regardless of whether you have a smaller business with fewer computers to manage or a larger business with hundreds or thousands of machines, you still need a good solution to help keep your computers up to date without costing you too much time or pain (or money!).

Why BatchPatch?

  • Lightweight: BatchPatch does not require a lot of resources to run. It’s a streamlined application that enables you to just get things done quickly, easily, and painlessly.
  • Easy setup/configuration: In many environments it’s as simple as just launching the app and patching target computers. However, in other environments some configuration may be required to allow BatchPatch to do its thing. In either case it’s very easy and straightforward to configure your environment to work with BatchPatch.
  • Simple to use: Ease of use is a major factor that should be considered when selecting an application for any situation. If the application has a steep learning curve or is generally complicated to operate, the time and cost to get the most out of it will be increased. We intentionally designed BatchPatch to function intuitively so that it doesn’t require hours or days or weeks to learn and get used to. Most BatchPatch users will find that they automatically understand how to operate it almost instantly. Even for the features that require a bit more effort to learn, they are still very simple to use overall, and we have numerous tutorials on our website to guide you.
  • Powerful: It doesn’t matter how simple an application is to use if it’s not powerful enough to do what you need it to do. BatchPatch has all the patching power you need whether you’re responsible for 50 computers or 1000+ computers.

BatchPatch core features and functionality

  • Initiate the download and / or installation of Windows updates with real-time monitoring on target computers (standalone, in a workgroup, or domain members), including options for computers that have access to a WSUS, the internet, or for computers that are completely offline without access to either. Standard mode tutorial. Offline mode.
  • Deploy third-party software / updates to target computers
  • Execute scripts remotely on target computers
  • Reboot, shutdown, wake on LAN functionality
  • Job queues for executing multiple tasks sequentially on hosts
  • Advanced sequences for orchestrating complex dependent operations across multiple targets
  • Scheduled tasks as well as on-demand operation
  • Retrieve inventory information from targets
Posted in Blog, General, Topics | Tagged , , , | Comments closed

Using BatchPatch to Deploy Software to Multiple Remote Computers

In addition to being a great tool for initiating Windows update processes on remote computers, BatchPatch can also simplify the task of deploying / installing third-party software on numerous target computers. The process is generally very simple with three basic steps:

  1. Identify the silent / quiet parameter for the installer package that you plan to deploy. In order to perform a remote installation, you need to determine the proper command for making that installation occur without any user interaction. These types of installations are generally called silent or quiet because the user doesn’t get prompted to respond to any dialog windows. Instead, the administrator is able to execute a command to install the software without any additional interaction. We have more details and information at the following link about silent parameters for software deployments and how to determine what the silent parameter is for a given software installer package.

    Understanding and Discovering the Silent Parameters Required to Remotely Deploy Software with BatchPatch

  2. Create your deployment configuration in BatchPatch. At the following link you’ll find numerous tutorials that demonstrate how to create and execute BatchPatch software deployments. Regardless of whether your installer setup package is in the form of .exe, .msi, .msp, .msu, or some other format, we’ve got you covered. You can use BatchPatch to deploy software like Firefox, Chrome, Adobe Flash or Reader, Skype, Notepad++, 7-zip, and virtually any other application. You can even use BatchPatch to deploy and execute scripts on remote computers or apply registry keys or retrieve system information as well as perform numerous other tasks.

    Software Deployment with BatchPatch

  3. Execute your deployment. After you create the deployment configuration in BatchPatch all you really need to do is select the desired target computers, and then execute the installation. Each of the tutorials listed in this link includes complete instructions for creating and executing a deployment. We also have a video tutorial that demonstrates creating and executing a deployment in BatchPatch.

Remotely Installing Windows Feature Update Version 1903 (the ‘May 2019 Update’)

To install Windows 10 feature update 1903 (as well as the other Windows 10 feature updates) remotely using BatchPatch, you should follow the process outlined below. The standard, built-in Windows update actions in BatchPatch will not work to install these feature updates. Also note that even though these are “feature updates”, the Windows Update Agent technically classifies them as “upgrades”. The update classification is probably not relevant for the administrator in most situations, but I wanted to highlight it in case it comes up when you are researching.

  1. Download (from Microsoft) the Windows 10 Media Creation Tool. Use this link to download the media creation tool directly from Microsoft. At the time of this writing the media creation tool web page contains two options: ‘Update now’ and ‘Download tool now’. Do NOT click on ‘Update now’ because doing so would begin the update process on your computer. Since your goal is to deploy the upgrade to remote computers, instead please click on ‘Download tool now’ to save the tool to your computer. Important: When you run the media creation tool per the next step, you will not have a choice to select which Windows 10 version is used to create the media. This means that if Microsoft releases a new version of Windows 10 when you follow this tutorial, you’ll end up with that version as opposed to the specific version 1903 that is available today at the time of this writing. If you have another channel for obtaining media for a particular Windows 10 version, such as with a Microsoft volume licensing agreement, you may use that instead of obtaining the media through the steps outlined in this tutorial.
  2. Open the Windows 10 Media Creation Tool that you saved to your computer a moment ago. IMPORTANT: It is NOT sufficient to run the tool as administrator from an account that is logged on without admin privileges. For whatever reason, you must actually be logged on to the computer with an account that is a member of the local administrators group. Otherwise the tool will not allow you to run it to completion. We have no idea why Microsoft made the tool work this way, but it’s what they did. So go ahead and log on to your computer as a local administrator, and then launch the tool and follow the rest of this tutorial.
  3. Create installation media with the Windows 10 Media Creation tool. When the tool is running you’ll have to choose between two options to either ‘Upgrade this PC now’ or ‘Create installation media (USB flash drive, DVD, or ISO file) for another PC’. Since you are following this tutorial with the intention of learning how to use BatchPatch to update other PCs, choose the option to ‘Create installation media…’ and then click ‘Next’.
  4. Choose your language / edition / architecture, and then click ‘Next’.
  5. Choose the media type. For the sake of this tutorial please select ISO as the type of media. After clicking the ‘Next’ button you will be prompted to choose a location on your computer to store the ISO file that will be downloaded/created. Select a directory/location to store the file, and then do something else until the download finishes. Depending on your connection speed it could take a little while because it’s in the range of 4GB.
  6. Extract the ISO contents to a location on your local disk. After the download in the previous step is complete you’ll have to locate the file on disk and then extract the contents of the ISO to another folder. I like to use the free 7-zip for this process, but you may use whichever tool you prefer. After the ISO has been extracted you’ll have all of the installation files for the feature update in a single folder.
  7. Configure a deployment in BatchPatch. In BatchPatch click on Actions > Deploy > Create/modify. In the window that pops up for the Deployment configuration, click on the ‘…’ button to browse to the location where your ISO contents have been extracted to, and then choose the ‘setup.exe’ file as the file to deploy. Make sure to check the boxes for ‘Copy entire directory’ and ‘Leave entire directory’. After the initial deployment phase is complete, the target Windows operating system will end up rebooting itself at least once but usually more than once while it completes the setup and installation for the feature update. As the process runs it needs to have access to all of the files that BatchPatch will deploy. Having both of the aforementioned boxes checked will ensure that when the upgrade process runs on the target computer that it has all of the files it needs for the installation. After the feature update has completed 100% you may delete the files from the target computer(s). However, please make absolutely sure that the upgrade process is 100% completed before you delete any files. In your BatchPatch deployment configuration screen you will also need to add the following parameters:
    /auto upgrade /quiet

  8. Execute the feature upgrade deployment. In the deployment configuration that you created in the previous step you can execute the deployment immediately for the currently selected rows in the grid by just clicking on the ‘Execute now’ button. Alternatively you may save the deployment for future usage by clicking the double-right-arrow button ‘>>’. If you choose to save the deployment instead of executing it immediately, then when you are ready to deploy the feature update to your remote computers, you can begin the process by selecting those computers in the BatchPatch grid and then clicking on Actions > Deploy > Execute deployment, and then choose the deployment that you just created/saved.

    You should expect that the entire process will take a bit of time to complete. BatchPatch has to copy the whole installation directory to the target computer(s), which contains several gigabytes, before it can execute the upgrade process on the target(s). IMPORTANT: After the BatchPatch deployment completes for a given target computer BatchPatch will show Exit Code: 0 (SUCCESS). However, this just means that the BatchPatch deployment component is finished. The Windows feature update/upgrade process will take additional time. Please be patient and let the target computer continue upgrading and rebooting as many times as is needed. It might take a little while with multiple automatic reboots before everything is 100% finished.

    NOTE: We have had a couple of reports from users who received the following error:

    Deployment: Error: Access to the path '\\TargetComputer\C$\Program Files\BatchPatch\deployment\autorun.inf' is denied.

    We don’t know the exact cause of this issue, but it seems likely to somehow be related to the way that permissions were applied or inherited during the ISO extraction process. If you encounter this error it can be resolved quickly and easily by just deleting the autorun.inf file from the source directory after extracting the ISO contents but before executing the actual deployment for any target computers. This will prevent the problematic file from ever being copied to target computers. As such, the error will not occur.
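
A pre-flight check for the extracted ISO folder, run on the BatchPatch computer before configuring the deployment. This is an added example, not BatchPatch code, and the `C:\Deploy\Win10_1903` path is an assumption. It confirms that setup.exe carries a valid Microsoft signature, removes the autorun.inf file described in the note above, and reports a SHA-256 hash that can be compared against the copy that lands on a target.

```powershell
# Added example (not part of BatchPatch). Validates the extracted ISO folder
# before it is used as the source of a deployment to many computers.
param(
    # Assumption: the folder the ISO contents were extracted to.
    [string]$SourceDir = 'C:\Deploy\Win10_1903'
)

$ErrorActionPreference = 'Stop'

$setup = Join-Path $SourceDir 'setup.exe'
if (-not (Test-Path -LiteralPath $setup -PathType Leaf)) {
    throw "setup.exe not found under '$SourceDir'. Was the ISO fully extracted?"
}

# setup.exe will run with administrative rights on every target, so check its
# Authenticode signature first. 'Valid' means the file hash matches the
# signature and the certificate chain builds to a root this computer trusts.
$sig = Get-AuthenticodeSignature -FilePath $setup
if ($sig.Status -ne 'Valid') {
    throw "setup.exe signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

# The subject match is a coarse publisher check on top of the chain validation.
$subject = $sig.SignerCertificate.Subject
if ($subject -notmatch '(^|,\s*)O=Microsoft Corporation(,|$)') {
    throw "setup.exe is signed by an unexpected publisher: $subject"
}

# Delete autorun.inf from the source so it is never copied to a target.
$autorun = Join-Path $SourceDir 'autorun.inf'
$autorunRemoved = $false
if (Test-Path -LiteralPath $autorun -PathType Leaf) {
    Remove-Item -LiteralPath $autorun -Force
    $autorunRemoved = $true
}

# Size of what will be copied to every target computer.
$files = @(Get-ChildItem -LiteralPath $SourceDir -Recurse -File -Force)
$totalBytes = ($files | Measure-Object -Property Length -Sum).Sum

[pscustomobject]@{
    SourceDir      = $SourceDir
    Signer         = $subject
    SetupSha256    = (Get-FileHash -LiteralPath $setup -Algorithm SHA256).Hash
    AutorunRemoved = $autorunRemoved
    FileCount      = $files.Count
    SizeGB         = [math]::Round($totalBytes / 1GB, 2)
}
```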


An Alternate Way to Deploy a Registry Value to Remote Computers

In the past I demonstrated how to use BatchPatch to deploy registry changes to multiple remote computers. For your reference those tutorials are available at the following links:

Remote Registry Updates with BatchPatch

Deploy Registry Keys to Multiple Computers Using BatchPatch

Deploying a Registry Key / Value to HKEY_CURRENT_USER (HKCU) or All Users in HKEY_USERS (HKU)

Today I’m going to show you another simple way that you can use to create or modify the registry on multiple remote target computers, using BatchPatch. This method is very simple. Essentially we are just going to use the ‘REG ADD‘ functionality that exists in Windows, but we are going to use BatchPatch to remotely execute that functionality on the desired target computers. Microsoft has documentation for ‘REG ADD’ at this link. If you plan to use this method, you’ll almost definitely want to read through that documentation before you begin. You’ll use the instructions in the documentation to create the actual string that you’ll input into BatchPatch for remote execution. In this example the REG ADD command does all the work of creating/modifying the desired registry key/value. BatchPatch in this case is simply providing you with a simple method for remotely executing the command on numerous remote computers.

For this tutorial we are going to set the value of the ‘Start’ DWORD under HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR to 3. The REG ADD command to accomplish this is:

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 3 /f

IMPORTANT: Aside from making sure that you create the correct syntax for the desired registry key/value to be applied to target computers, the most important component of the command above for running remotely from inside of BatchPatch is the ‘/f’ parameter. The reason is that /f instructs the target computer to skip any confirmation prompts that would otherwise pop up invisibly and prevent the command from completing. Under normal circumstances if you were to execute the REG ADD command at the cmd prompt of a given computer, it would prompt you to confirm that you want to proceed. However, if you run the same command remotely with BatchPatch, the confirmation prompt will not be visible. This will cause the command to hang indefinitely without ever completing. So, in order to ensure that the command proceeds without any kind of confirmation prompt, you need to add /f to the end of it.

  1. The most important step of this process is to make sure that your command does what you want it to do without actually using BatchPatch. That is to say that you need to run the command at the cmd prompt of a test computer to make sure that it inserts the desired registry key/value, and make sure that it does not prompt for confirmation after it is executed. Once you confirm that the command does what you want it to do, then you are ready to insert that command into BatchPatch for remote execution on numerous systems.

  2. At this point you should have already tested your REG ADD command at the cmd prompt of a test computer. Now that it works as desired, all you need to do is add it to BatchPatch. For this we’ll use a BatchPatch remote command. Highlight the desired target computers in your BatchPatch grid, and then select ‘Actions > Execute remote process/command > Create/modify remote command 1’. You can actually use any of the remote commands 1, 2, 3, or 4 to accomplish this, but for this tutorial we’re just using 1.
  3. Copy and paste your command into the BatchPatch remote command window.
  4. The last thing to do is execute the command. When you do this BatchPatch will connect to all of the highlighted target computers in the grid, and it will submit this command to be executed on all of those machines. That’s all there is to it.
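
A test harness for step 1, added here as an example rather than anything that ships with BatchPatch. It runs the tutorial's command with no console window and nobody to answer a prompt, which approximates remote execution, and then reads the value back. Run it from an elevated PowerShell session on a test computer; the function name and the 15-second timeout are assumptions.

```powershell
# Added example (not part of BatchPatch). Run elevated on a TEST computer.
# Detects a command that would wait for confirmation, then verifies the value.

function Invoke-Unattended {
    param(
        [Parameter(Mandatory)] [string]$FilePath,
        [Parameter(Mandatory)] [string]$Arguments,
        [int]$TimeoutSeconds = 15          # assumption: ample time for reg.exe
    )
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName               = $FilePath
    $psi.Arguments              = $Arguments
    $psi.UseShellExecute        = $false
    $psi.CreateNoWindow         = $true
    # stdin is a pipe that never receives data, so a confirmation prompt
    # blocks here just as it would when nobody can see it.
    $psi.RedirectStandardInput  = $true
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true

    $proc = [System.Diagnostics.Process]::Start($psi)
    # Read both streams asynchronously so a full pipe cannot stall the child.
    $stdout = $proc.StandardOutput.ReadToEndAsync()
    $stderr = $proc.StandardError.ReadToEndAsync()

    $finished = $proc.WaitForExit($TimeoutSeconds * 1000)
    if (-not $finished) {
        $proc.Kill()
        $proc.WaitForExit()
    }
    [pscustomobject]@{
        Completed = $finished
        ExitCode  = if ($finished) { $proc.ExitCode } else { $null }
        Output    = ($stdout.Result + $stderr.Result).Trim()
    }
}

# The command from the tutorial, split into executable and arguments.
$regExe  = Join-Path $env:SystemRoot 'System32\reg.exe'
$regArgs = 'ADD HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 3 /f'

$run = Invoke-Unattended -FilePath $regExe -Arguments $regArgs
if (-not $run.Completed) {
    throw "Command did not finish unattended (is /f missing?). Output: $($run.Output)"
}
if ($run.ExitCode -ne 0) {
    throw "reg.exe exited with code $($run.ExitCode): $($run.Output)"
}

# Read the value back and check both its type and its data.
$key   = Get-Item -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$kind  = $key.GetValueKind('Start')
$value = $key.GetValue('Start')
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord -or $value -ne 3) {
    throw "Unexpected result: Start is $kind with data '$value'."
}
"OK: Start = $value ($kind); the command completed without waiting for input."
```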

Orchestrating Complex Update And Reboot Sequences Involving Multiple Target Computers

BatchPatch has a unique capability that we call the ‘Advanced multi-row queue sequence‘. Admittedly the name of this functionality isn’t its best feature, but we chose to name it for exactly what it is and what it does rather than a fancier name that would be less descriptive. 🙂

The advanced multi-row queue sequence is essentially an orchestration feature that enables you to have an unlimited number of distinct computers participate in a singular sequence such that you can control the update and reboot process (or any custom script execution or deployment etc) so that a particular order of events is preserved across all of the systems that are included in the sequence.

Let’s break this down a bit. BatchPatch has a more basic automation functionality called the ‘Job Queue‘. The job queue in BatchPatch enables the administrator to execute a queue of different tasks on a given target computer (or on a group of target computers). So for example with the job queue you might instruct a target computer (or a group of computers) to download and install updates, then reboot, then wait 10 minutes, then make sure that the computer is online, then execute a custom script, then initiate another reboot. The job queue enables you to create a single-click task that executes the entire queue on the desired computers. However, what if you have multiple computers, and each computer has its own customized job queue, and you want to create a sequence that instructs each target computer to execute its own custom job queue in a particular sequence such that certain computers execute their assigned queues first, followed by a second set of computers executing their assigned queues, followed by a third set of computers executing their assigned queues, and so on? This is where the advanced multi-row queue sequence comes into play. While a job queue applies to each independent computer separately, the advanced multi-row queue sequence enables you to orchestrate a process that involves each computer executing its own custom job queue within a larger multi-computer sequence.

Job Queue Example:

Instruct computer1, computer2, and computer3 to each execute the following list of actions:

  • Download and install updates + reboot
  • Wait 10 minutes
  • Wait for host to be detected online
  • Download and install updates + reboot

Advanced Multi-Row Queue Sequence Example:

Instruct computer1, computer2, and computer3 to each execute the following list of actions:

  • Download and install updates + reboot
  • Wait 10 minutes
  • Wait for host to be detected online
  • Download and install updates + reboot

Then when all actions have completed for computer1, computer2, and computer3, instruct computer4, computer5, and computer6 to each execute the following list of actions:

  • Execute a custom script
  • Wait 10 minutes
  • Download and install updates + reboot
  • Wait 10 minutes
  • Wait for host to be detected online
  • Execute a custom script

Then when all actions have completed for computer4, computer5, and computer6, instruct computer7 to execute the following list of actions:

  • Reboot
  • Execute a custom script

Summary and Tutorials:

So, while the job queue enables you to execute a set of actions on a target host (or multiple target hosts), the advanced multi-row queue sequence enables you to orchestrate a group of target computers to each execute a defined queue of actions (each computer can have its own separate queue of actions to execute) within a larger sequence, allowing you to control the ordering of which target computers execute their queues in which position of the overall sequence.

We have a number of tutorials that demonstrate various uses of the advanced multi-row queue sequence, including a video tutorial to help you better understand how it all works and when you might want to use it:

Advanced Multi-Row Queue Sequence – Video Tutorial

Virtual Machine Guest + Host Update and Reboot Sequence Automation

Custom Update And Reboot Sequences for Multiple Computers

Advanced Multi-Row Queue Sequence – Contingent Operations with Custom Scripts


Using BatchPatch Standalone Without WSUS

If you are using BatchPatch in a standalone configuration without a WSUS server, there are a few things to be aware of.

  1. The first order of business is to configure your environment to work with BatchPatch. Please review the Getting Started page. Make sure that you can successfully run the BatchPatch action ‘Windows updates > Check for available updates’ on target computers. Generally if that action is functioning properly, all other actions in BatchPatch should also function properly.
  2. If your goal is to use BatchPatch to handle the process of downloading and/or installing updates on your computers, you’ll want to configure those computers to *not* automatically download and/or install updates on their own. There is a group policy that you should set on those computers if they are part of a domain. If they are running standalone (not part of a domain) then you’ll want to set the same local policy on each target computer. The behavior of this setting varies slightly depending on which operating system is running, but regardless you would want to open the group policy editor (or the local policy editor) and find the setting for ‘Configure Automatic Updates‘ which is available under ‘Computer Configuration > Administrative Templates > Windows Components > Windows Update‘. Setting the value to either ‘2 – Notify for download and notify for install’ or ‘3 – Auto download and notify for install’ will prevent them from installing on their own so that you can instead trigger the install from BatchPatch. If you want BatchPatch to perform both the download and installation, then set the value to 2. If you want the computers to auto-download the updates but use BatchPatch for the installation, then set the value to 3.
  3. Next you’ll need to decide the source for the Windows updates. Since you aren’t using a WSUS as the source, your source is going to be either ‘Windows Update’ or ‘Microsoft Update.’ The default behavior in Windows is to use ‘Windows Update’ as the source. However, if you go into the Windows Update settings in the control panel of a target computer you can see there is an option that says something like this, depending on the OS: ‘Give me updates for other Microsoft products when I update Windows’. If you tick that box, then you are enabling ‘Microsoft Update’ on that computer. ‘Windows Update’ provides updates for just Windows operating systems, while ‘Microsoft Update’ provides updates for Windows operating systems PLUS updates for other Microsoft applications.

    In BatchPatch under ‘Tools > Settings > Server selection’ you’ll see three different options:

    Default / Managed: Uses the target computer’s existing configuration to determine where to search for updates. If you leave BatchPatch set to ‘Default / Managed’ then it will use whichever setting is applied on the target computers for the update source. If the update source is *not* set in Group Policy to a local WSUS, then the update source will be ‘Microsoft Update’ if on the target computer you have ticked the ‘Give me updates for other Microsoft products when I update Windows’ box. If you leave that box unticked then the update source will be ‘Windows Update’.

    Windows Update: Bypasses the target computer’s configuration and searches for updates on Microsoft’s public server. Includes only Windows updates.

    Microsoft Update: Bypasses the target computer’s configuration and searches for updates on Microsoft’s public server. Includes Windows updates AND updates for other Microsoft products. Before using Microsoft Update, target servers must be opted-in to the service. If you have ticked the box ‘Give me updates for other Microsoft products when I update Windows’ then you have opted-in that target computer. If you do not tick that box individually on each target computer, then you may use BatchPatch to remotely tick that box on each target by executing ‘Actions > Windows Updates > Opt-in…’ one time.

  4. If you will be applying updates to computers that do not have internet access, please review the various options that BatchPatch provides for cached mode and offline updates.
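
A read-only audit of the settings discussed in steps 2 and 3, written as an added example and not taken from BatchPatch. It reads the registry values that the ‘Configure Automatic Updates’ policy writes and asks the Windows Update Agent whether Microsoft Update is opted in, then applies the ‘Default / Managed’ rule described above. The function name and the output property names are assumptions.

```powershell
# Added example (not part of BatchPatch). Read-only; run on a target computer.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"

function Get-PolicyValue {
    # Returns the value, or nothing when the key or the value does not exist.
    param([string]$Key, [string]$Name)
    $props = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $props) { $props.$Name }
}

$auOptions    = Get-PolicyValue $auPolicy 'AUOptions'
$noAutoUpdate = Get-PolicyValue $auPolicy 'NoAutoUpdate'
$useWuServer  = Get-PolicyValue $auPolicy 'UseWUServer'
$wuServer     = Get-PolicyValue $wuPolicy 'WUServer'

$meaning = switch ($auOptions) {
    2       { 'Notify for download and notify for install' }
    3       { 'Auto download and notify for install' }
    4       { 'Auto download and schedule the install' }
    5       { 'Allow local admin to choose setting' }
    default { 'Policy not configured' }
}
if ($noAutoUpdate -eq 1) { $meaning = 'Automatic Updates disabled by policy' }

# Values 2 and 3 keep the computer from installing updates on its own,
# which is what the tutorial asks for.
$installsHeld = ($noAutoUpdate -ne 1) -and ($auOptions -in 2, 3)

# Microsoft Update opt-in: the service with this well-known ID is registered
# with Automatic Updates once the "other Microsoft products" box is ticked.
$microsoftUpdateId = '7971f918-a847-4430-9279-4a52d1efe18d'
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
$mu = $serviceManager.Services | Where-Object { $_.ServiceID -eq $microsoftUpdateId }
$optedIn = [bool]($mu -and $mu.IsRegisteredWithAU)

# What 'Default / Managed' resolves to, following the rule in the text above.
$wsusConfigured = ($useWuServer -eq 1) -and [bool]$wuServer
$defaultSource = if ($wsusConfigured) { "WSUS ($wuServer)" }
                 elseif ($optedIn)    { 'Microsoft Update' }
                 else                 { 'Windows Update' }

[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    AUOptions              = $auOptions
    AUOptionsMeaning       = $meaning
    InstallsHeldForAdmin   = $installsHeld
    MicrosoftUpdateOptedIn = $optedIn
    DefaultManagedSource   = $defaultSource
}
```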

Additional Tutorials for Using BatchPatch without a WSUS


BatchPatch Stuck ‘Attempting to initiate Windows Update’

This isn’t a particularly common issue, but occasionally we’ll have a user who can’t seem to get any Windows Update, Remote Process, or Deployment actions to work in BatchPatch. Inevitably they all seem to just hang, indefinitely, on ‘Attempting to initiate Windows Update‘ or similar, depending on the particular action that is being executed. To confirm whether or not you are experiencing the particular issue that I’m describing in this posting, try to execute ‘Actions > Windows updates > Check for available updates‘ on a couple of target computers. If multiple target computers all get stuck on the same ‘Attempting to initiate Windows Update‘ message, you might be experiencing this issue.

Why is this happening?

In this particular case, the issue is that BatchPatch is launching PsExec.exe, but PsExec.exe is actually getting blocked from execution by Windows. When Windows does this it normally would pop up a dialog window of some kind notifying you that the application was downloaded from the internet and might be unsafe. It prompts you to check or uncheck a box and then click OK to proceed with execution. Normally if this happens the box only needs to be checked/unchecked once, and then the operating system stores the decision so that in the future when PsExec.exe is launched, there is no warning prompt. The problem occurs when the dialog that is being displayed by Windows cannot be seen or has been inadvertently closed or hidden by the user. One way this can happen is if you are logged on to the BatchPatch computer as UserA, but you launch BatchPatch using run-as UserB, and then when the popup is created by Windows, it is created in the context of UserB and not visible to the user who is currently logged on as UserA.

How to resolve getting stuck indefinitely on ‘Attempting to initiate Windows Update’

We are aware of just two ways that the operating system might present this issue, depending on which version of Windows is being used. If you see Windows pop up a warning dialog, it might look like this screenshot, but of course it would reference the location of PsExec.exe on your computer, not File.exe as shown in the screenshot:

If this occurs, simply UNcheck the box that says “Always ask before opening this file,” and then click ‘Run’. After doing that just one time, the issue should be resolved.

However, if you do not see the above warning appear, then you should try right-clicking on the PsExec.exe file and clicking ‘Properties’ to view the PsExec.exe properties dialog. On the ‘General’ tab, if the file is being blocked from execution by Windows you might see a security note at the bottom of the properties window that says “This file came from another computer and might be blocked to help protect this computer.” You are given a checkbox to ‘Unblock’ the file. Click on the ‘Unblock’ checkbox and then click OK. You can see what this security warning and checkbox look like in the screenshot below.

At this point you probably already resolved the issue, but if for some reason you are still having the same problem, and if you are not able to find one of the checkboxes shown in the screenshots above, another thing you should try is logging on to the computer with the same user account that you are using to launch BatchPatch. So in this case if you were logged on as UserA but you were using run-as to launch BatchPatch as UserB, try logging out as UserA and then log back on as UserB. Then launch BatchPatch (without using run-as), which will automatically run in the context of UserB. See if the warning prompt now appears. If not, try right-clicking on the PsExec.exe file and selecting ‘Properties’ from the menu now to see if you can find the security warning as noted in the above screenshot.
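
The ‘Unblock’ checkbox in the properties dialog corresponds to the Zone.Identifier alternate data stream that Windows attaches to downloaded files. As an added example (not BatchPatch code, and with an assumed PsExec.exe location), this script shows the stream, checks that the file is a validly signed Microsoft binary, and only then removes the mark.

```powershell
# Added example (not part of BatchPatch). Inspect and clear the "downloaded
# from the internet" mark on PsExec.exe, but only if the file is genuine.
param(
    # Assumption: adjust to wherever PsExec.exe lives on the BatchPatch computer.
    [string]$Path = 'C:\Tools\PsExec.exe'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    throw "File not found: $Path"
}

# 1. Is the file marked? The mark is stored in an NTFS alternate data stream.
$mark = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
if (-not $mark) {
    "No Zone.Identifier stream on $Path; Windows is not blocking it for this reason."
    return
}

$zoneNames = @{
    0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';      4 = 'Restricted sites'
}
$zoneId = $null
foreach ($line in Get-Content -LiteralPath $Path -Stream 'Zone.Identifier') {
    if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
}
"Marked as downloaded. ZoneId=$zoneId ($($zoneNames[$zoneId]))"

# 2. Do not unblock a file just because a tool refuses to start. Confirm the
#    signature first: PsExec is published by Microsoft (Sysinternals).
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Refusing to unblock: signature status is '$($sig.Status)'."
}
$subject = $sig.SignerCertificate.Subject
if ($subject -notmatch '(^|,\s*)O=Microsoft Corporation(,|$)') {
    throw "Refusing to unblock: unexpected signer '$subject'."
}

# 3. Same effect as ticking 'Unblock' in the properties dialog.
Unblock-File -LiteralPath $Path

$still = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
if ($still) {
    throw 'Zone.Identifier is still present; check write permission on the file.'
}
"Unblocked $Path (signed by: $subject)"
```

Because the mark is stored with the file rather than per user, clearing it from one account's session also clears it for the run-as account, provided the first account can write to the file.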


Custom Update And Reboot Sequences for Multiple Computers

Today I’d like to demonstrate how to create a complete update-plus-reboot sequence where a group of computers must be shut down and started up in a particular order. You might work in an environment where there is at least one group of servers that are not only reliant on each other for various reasons but where the overall system or service that is provided by this group of servers might be so fragile or so complex that you want to make sure that the group is taken offline in a specific sequence and then brought back online in the opposite sequence. Many of us have worked with systems that for whatever reason aren’t happy if they come online in an unexpected order. These days it’s probably not as common as it was 10 or 20 years ago because systems are coded more robustly than they once were, but still some of us are running old services or poorly coded apps that simply are not robust enough to survive an out-of-order reboot without issues. Typically the reason is that one server hosts a database that another server relies upon, but if the database system is offline when the application system is rebooted, the application never runs properly until/unless its host server is rebooted again after the database server is fully online. So today we’ll look at an example of how to deal with updates and reboots for a group of computers when that group needs to be taken offline and brought online in a specific sequence. With BatchPatch you can turn this into a one-click process instead of having to manually handle each computer.

First, for this particular example I’m going to use Wake on LAN (WoL) to boot computers that are shut down. Your needs may vary, and you simply might not need to use Wake on LAN depending on exactly what your goal is, but if you have a situation where you need or want to automate the process of powering up computers that are in a shutdown or powered off state, WoL is the most realistic option in most cases. If you’re going to use WoL, then before you get started you’ll need to make sure that it has been enabled in the BIOS of the target computer as well as in the Windows operating system on that computer too. This link illustrates how to enable Wake on LAN. Once you have enabled WoL on the target systems, make sure to test it so that you know it works before you try to include those systems in a larger sequence, such as the one we are about to create below.
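
One way to run the WoL test recommended above, as an added example that is independent of BatchPatch: it builds and broadcasts the magic packet, then polls until the host answers a ping. The function names, host name and MAC address are constructed placeholders.

```powershell
# Added example (not part of BatchPatch): send a Wake on LAN magic packet and
# wait for the host to answer, to prove WoL works before relying on it.

function New-MagicPacket {
    param([Parameter(Mandatory)] [string]$MacAddress)

    # Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455.
    $hex = $MacAddress -replace '[-:.]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{12}$') {
        throw "'$MacAddress' is not a 48-bit MAC address."
    }
    $mac = New-Object byte[] 6
    for ($i = 0; $i -lt 6; $i++) {
        $mac[$i] = [Convert]::ToByte($hex.Substring($i * 2, 2), 16)
    }
    # Magic packet: 6 bytes of 0xFF followed by the MAC repeated 16 times.
    $packet = New-Object byte[] 102
    for ($i = 0; $i -lt 6; $i++) { $packet[$i] = 0xFF }
    for ($r = 0; $r -lt 16; $r++) {
        [Array]::Copy($mac, 0, $packet, 6 + ($r * 6), 6)
    }
    return ,$packet
}

function Send-WakeOnLan {
    param(
        [Parameter(Mandatory)] [string]$MacAddress,
        # The limited broadcast only reaches the local subnet. For a host on
        # another subnet pass that subnet's broadcast address; the routers in
        # between must be configured to forward it.
        [string]$BroadcastAddress = '255.255.255.255',
        [int]$Port = 9
    )
    $packet = New-MagicPacket -MacAddress $MacAddress
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.EnableBroadcast = $true
        $udp.Connect([System.Net.IPAddress]::Parse($BroadcastAddress), $Port)
        [void]$udp.Send($packet, $packet.Length)
    }
    finally {
        $udp.Close()
    }
}

function Wait-HostOnline {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [int]$TimeoutSeconds = 300,
        [int]$PollSeconds = 10
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet) {
            return $true
        }
        Start-Sleep -Seconds $PollSeconds
    }
    return $false
}

# Constructed sample values: replace with a real, powered-off test host.
$testHost = 'host4'
$testMac  = '00-11-22-33-44-55'

Send-WakeOnLan -MacAddress $testMac
if (Wait-HostOnline -ComputerName $testHost) {
    "$testHost answered after the magic packet; WoL works for this host."
}
else {
    Write-Warning "$testHost did not come online. Check the BIOS and adapter WoL settings."
}
```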

For this example I have host1, host2, host3, host4, and host5. My goal is to download and install Windows updates on host1, and then after updates are installed the system will be shut down. Then updates will be downloaded and installed on host2, after which host2 will be shut down. Then host3, host4, and host5 will each do the same, in sequence. After all 5 hosts have been updated and have been shut down, then we’ll start them back up in the reverse order so that first host5 comes online, then host4, then host3, then host2, and finally host1. We can orchestrate this entire sequence in BatchPatch with just a single action.

  1. We’ll start by adding all of our hosts to a BatchPatch grid. Note that I have added the following: host1,host2,host3,host4,host5,host4,host3,host2,host1. Hosts 1 through 4 appear twice, while host5 appears only once. The basic idea here is that we’re going to update and shut down host1, then update and shut down host2, then update and shut down host3, then update and shut down host4, then update and reboot host5 and wait until it’s online before powering up host4. We’ll wait for host4 to be detected online before powering up host3. Then wait for host3 to be detected online before powering up host2. Then wait for host2 to be detected online before powering up host1. Then we’ll be done. IMPORTANT: We do not recommend running a sequence like this without overseeing it. If you want to run a sequence like this in the middle of the night via scheduled task while you are sleeping, that’s fine. However, it’s important to understand that if something goes wrong with one of the hosts in the sequence, it could prevent the rest of the sequence from proceeding as expected. Therefore we think sequences like this are best used while someone is still monitoring what’s going on, so that if there is an issue it can be dealt with right away.

  2. Now that we have added our hosts to the grid, let’s create the job queues needed for each row. The first four rows in the grid (host1,host2,host3,host4) will all have the following job queue:

    Download and install updates + shutdown
    Wait 1 minute

    The fifth row (host5) will have the following job queue:

    Download and install updates + reboot always
    Wait for host to go offline and come back online
    Wait 3 minutes

    The sixth through ninth rows (host4,host3,host2,host1) will have the following job queue:

    Wake on LAN (requires MAC address)
    Wait for host to be detected online

    If you’re not familiar with creating job queues, please see this tutorial before proceeding. In all cases when you create the job queues for this sequence you will need to use the option ‘Apply queue to row(s) without executing.’ When all the queues are set up, your grid should look like this. The rows only show the first line of each job queue that is assigned, so I’ve pasted three screenshots below with tooltip windows next to each different queue so that you can see the different queue contents for each row:

  3. At this point we are ready to create the actual sequence. In BatchPatch we call this an advanced multi-row queue sequence, since it is a sequence of job queues that will be executed across multiple rows. Select ‘Actions > Job Queue > Create/modify advanced multi-row queue sequence’. Then assign the same Sequence Name to each row, but set the Sequence Position Number from 1 to 9 for each row, so that the first row in the grid is set to position number 1, and the last row is set to position number 9. See the screenshots below for reference.

  4. The last thing we need to do is create a sequence execution row. This is just a “dummy” row in the grid that is used to execute the advanced multi-row queue sequence. For the sake of this tutorial I’ll actually put the name “SequenceExecutionRow” in the row’s host column, but it can be called anything. Then using the same menu item as in the previous step we just change the radio button to ‘Create Sequence Execution Row’ before we click the ‘Apply values to selected row(s)’ button.

  5. At this point everything is set up. Now all we have to do is execute the sequence. Highlight just the execution row that you just created in the previous step. Then click on ‘Actions > Job Queue > Execute advanced multi-row queue sequence’ to execute the sequence.
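
The wake-up half of the sequence above, sketched in Python as an added example (not BatchPatch's code and not a description of how BatchPatch implements it): it builds the standard Wake on LAN magic packet and powers hosts up in reverse order, halting if a host is never detected online, which is the failure the IMPORTANT note in step 1 warns about. The function names, MAC addresses, timeout values and the simulated probe are assumptions made for the illustration.

```python
import socket
import time

def magic_packet(mac: str) -> bytes:
    """Standard WoL payload: 6 bytes of 0xFF, then the 6-byte MAC 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return b"\xff" * 6 + raw * 16

def send_wol(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> None:
    """Broadcast the packet over UDP; port 9 is a common convention."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(magic_packet(mac), (broadcast, port))

def wake_in_reverse(hosts, macs, wake, is_online,
                    timeout=600, poll=5, sleep=time.sleep):
    """Bring hosts back in reverse patch order, one at a time.

    The last host in `hosts` was rebooted rather than shut down, so it is
    only waited for. Returns (hosts confirmed online, stalled host or None);
    a stalled host stops the run so nothing after it is powered up.
    """
    online = []
    for i, host in enumerate(reversed(hosts)):
        if i > 0:
            wake(macs[host])
        waited = 0
        while not is_online(host):
            if waited >= timeout:
                return online, host
            sleep(poll)
            waited += poll
        online.append(host)
    return online, None

if __name__ == "__main__":
    # Constructed sample data: five hosts with made-up MAC addresses.
    hosts = ["host1", "host2", "host3", "host4", "host5"]
    macs = {h: f"00:11:22:33:44:0{n}" for n, h in enumerate(hosts, 1)}
    sent = []
    # Simulated probe: host3 never answers, so host2 and host1 stay off.
    probe = lambda h: h == "host5" or (macs[h] in sent and h != "host3")
    print(wake_in_reverse(hosts, macs, sent.append, probe,
                          timeout=10, sleep=lambda s: None))
```

In real use, pass `send_wol` as `wake` and a ping or TCP-port check as `is_online`; the demo at the bottom sends nothing on the network.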


When WSUS and Group Policy (GPO) Are Not Enough

Does Everyone Need a 3rd-Party Patch Management Solution?

A very common statement that you’ll find in discussions on the web about updating Windows computers in a network environment goes something like this: “There is no need to employ a 3rd-party Windows Update management solution because Microsoft provides WSUS and Group Policy objects (GPO) for free.” One of the interesting facets of the web and of the internet, in general, is that it allows anyone, regardless of expertise, to publish statements to a massive audience, even if those statements are not actually grounded in reality. The particular statement above is a good example of that, and it’s a good indication that the author of such a statement (or a similar statement) probably has never worked in a significantly sized enterprise environment.

Now, let me start by saying that WSUS and GPO are powerful options that definitely have their places. In some environments the two together might be totally sufficient because not all environments need more than what they offer. For example, smaller environments where there simply aren’t that many servers to deal with might be able to get away with just GPO and WSUS. Or even in some larger environments if servers can be down for long periods of time without creating lots of problems, it’s possible that WSUS plus Group Policy objects might work ok enough to not invest in something more. Ultimately if you are responsible for an environment where uptime isn’t particularly important or where efficiency isn’t needed, or where there just isn’t much complexity, then you might be fine with just WSUS and GPOs.

Why WSUS and Group Policy are Not Enough in Many Environments

  • Size: The size of the environment, without taking into account any other factors, is a major aspect to consider. The more computers that you are dealing with on your network, the more likely you will find benefit in utilizing a 3rd-party patching tool. For example in an environment with just 10 servers, a single sysadmin can manually patch and reboot those 10 servers without any automation whatsoever in a very short period of time. However, as the number of servers starts increasing, the manual operation quickly becomes infeasible. Group Policy might then be able to pick up the slack if you’re dealing with a few dozen machines, but what if it’s 100, 500, 1000, or even more computers? Things can start to get dicey pretty quickly. See below for more.
  • Uptime guarantees / Small maintenance windows: If you simply cannot afford to have servers be offline for any longer than absolutely necessary, then you need to make your update and reboot process as efficient as possible. If you are relying on just group policy to control the timing of updates and reboots, it’s very difficult, if not impossible, to have visibility and/or precise control over the process, especially when machines do not complete quickly or when they encounter issues either during installation or during reboot. This leads to computers being offline when they need to be online.
  • Visibility: With just group policy configured to auto-install and/or auto-reboot servers, you have no way of knowing what the status of any given server is at a given time without manually checking. This scales horribly, as you can imagine.
  • One or more updates fail to install successfully on one or multiple computers: Installation failures are inevitable. How do you learn about them when you have zero visibility into the update process? Typically you don’t find out until your maintenance window is over. In some cases you might not know for weeks or even months. In these cases the security and reliability of your computers are at stake.
  • Computers get stuck during reboot: You need a way to discover if/when computers hang on shutdown or startup during the update and reboot process. If you are using a separate uptime monitoring tool, is it disabled during your maintenance window? Do you only learn about stuck servers at the end of the window when you re-enable your alerting system? What about in cases where the machine hangs on shutdown such that it doesn’t go offline and trigger your alerting system? Instead it just never reboots, so it hangs in limbo while Windows is trying to shut it down, but it still responds to requests during this time. Not great when you’re trying to maintain a secure and stable environment.
  • Critical services fail to start after reboot: With just group policy controlling the timing of updates and reboots, how will you learn about the services that never started on one or more machines after reboots completed?
  • Server dependencies and update/reboot timing: In many environments there will be servers which are interdependent such that some cannot be offline unless others are online. Or in some cases a particular shutdown and/or startup sequence must be executed. This can’t be accomplished with just group policy.

If you’ve realized that in your environment you need more than just group policy with WSUS to control the update and reboot process of your servers, have a look at BatchPatch. It could be just what you need.


Patching Automation

When we originally designed BatchPatch the primary goal was to enable administrators to have much more control over the Windows update and reboot process on numerous systems. If the entire process is left to Group Policy it can be very difficult, if not impossible, to control the *exact* timing of everything and to have visibility into exactly what is occurring and when. Of course you always have the option of manually logging on to every system and initiating the process, but this can quickly become a problem when you have a lot of systems or a short maintenance window or both. With BatchPatch the idea was to give you one central place where you could kick off the process on numerous computers, and then monitor the status of all of those computers without having to directly log on to any of them unless addressing an issue. Ultimately we wanted to make patching as efficient as possible while also keeping the process simple and easy to manage at the same time.

Now, when we talk about Windows patching automation, we could leave the discussion at just being able to trigger the update/reboot process and monitor it on numerous computers, simultaneously. However, patching automation with BatchPatch can easily be taken to new heights, and it’s worth discussing in what other ways you can automate the process. We have some customers who prefer to use scheduled tasks in BatchPatch to trigger the process on their entire network of computers. There is nothing wrong with this approach, though it’s not our favorite because we think that when you’re dealing with a lot of computers, especially if you have a limited maintenance window and uptime guarantees, it’s important to monitor the process in real-time so that you can immediately deal with any issues that might arise. Now, if you’re using scheduled tasks to launch update and reboot actions on target hosts, you can certainly also have BatchPatch email you a copy of the grid so that you can see what’s going on without being actively logged on. It really all depends on your desires coupled with the requirements for your organization. We have some customers who will patch all of their critical systems while sitting in front of the BatchPatch console so that they can monitor everything in real-time. And then they’ll use the task scheduler to handle less important systems in the middle of the night or early in the morning. For those less important systems, if there are any issues then they can just be dealt with when arriving at work in the morning.

Another thing that I particularly like to do to increase efficiency is to set up one-click processes for systems with inter-dependencies. For example in the case of virtual machines I like to use the advanced multi-row queue sequence in BatchPatch to automate the process so that I can use a single click to initiate the update and reboot process on the virtual guests, and then when they are completed, the virtual host is automatically handled by the sequence. Otherwise what ends up happening when *not* using the advanced multi-row queue sequence is that after kicking off the virtual guests to update, I’m busy dealing with other items before I remember to eventually make sure that the guests are completed before starting the process on the virtual hosts. There is nothing wrong with doing this, but it’s not as efficient as using a sequence to take care of it because the sequence can be set up to start the process on one machine (or on a group of machines) at the exact moment that another machine (or group of machines) finishes its processes. The advanced multi-row queue sequence is not only good for virtual machines. It’s also great for any situation where you have some machines that can only be offline when others are online, for example.

When it comes to automation, it’s not always just about automating the actual update and reboot process on target systems. We have some customers who want to use automation to also populate the BatchPatch grid with computers in the first place. It’s actually possible to automatically synchronize a BatchPatch grid with OUs and Groups in Active Directory, so that new computers that have been added to the network can be automatically added to a BatchPatch grid. Additionally, you can use row templates to automatically apply scheduled tasks to computers when they’re added to the grid. The two of these features can be used in conjunction with one another to take your automation goals to the next level. 🙂

BatchPatch really lets you keep things as simple and straightforward as you desire. If you don’t want to deal with any automation, you don’t have to. If you want to automate everything under the sun, you can do that too. It’s up to you!
