Deploying a Registry Key / Value to HKEY_CURRENT_USER (HKCU) or All Users in HKEY_USERS (HKU)

A question that comes up periodically is “How can I deploy a registry key or value to the HKEY_CURRENT_USER (HKCU) hive of the registry on a target computer or group of computers?”

If you were to follow the tutorial at this link to deploy a .reg file to target computers, you might have unexpected results if the key/value described inside the .reg file is intended for the HKCU hive of the target computer registry. If you deploy the .reg file and then take a look in HKCU, you might not see the key/value created. There are a couple of reasons for this.

Understanding the HKEY_CURRENT_USER (HKCU) Registry Hive

First, HKCU represents the registry hive of the current user. When you deploy a .reg file in BatchPatch, the current user is going to be the user that executed the deployment. However, you probably want the registry key/value to end up in the current user hive for the user who logs on to the target computer, not the user who deploys the registry key/value in BatchPatch. So, if you are trying to deploy to HKCU, then you would need to execute the deployment with the same user account under which you want to be able to see the registry key/value exist on the target computer. In some cases this might work well for your needs, but below I will show you another way to accomplish the task by deploying to HKU instead of HKCU, which might be better suited for you, depending on exactly what you need to accomplish.

Second, if you are deploying a registry key/value, using the method linked above, directly to HKCU, then you need to set your BatchPatch ‘remote execution context’ for the deployment to ‘Elevated token’ as opposed to ‘SYSTEM’. More details on configuring the ‘remote execution context’ here: ‘Remote Execution Context’. If you deploy to HKCU under the ‘SYSTEM’ remote execution context, the registry key/value will actually end up under the Local System account’s registry hive, which is not what you want. However, below I demonstrate a more effective and simpler way of deploying a registry key/value to HKCU by not actually deploying directly to HKCU but instead deploying to HKU for each user that has logged on to the computer.

It’s important to understand that the HKEY_CURRENT_USER (HKCU) hive of the registry is really just a view or mirror of a particular SID’s subkey under HKEY_USERS (HKU). That is to say that under HKU you will see one SID for each user account that has been created on the computer. In the screenshot below you can see the SIDs for the built-in accounts above the SIDs for the actual user accounts that have logged on to the computer.

The most effective way of deploying a registry key/value to HKCU is to actually not deploy directly to HKCU but rather to deploy to HKEY_USERS\SID of the desired user(s). Realistically in most cases if you are trying to deploy a registry key/value to HKCU, you want that registry key/value to be deployed for all users of the computer, not just a particular one. Although we may add functionality in a future version of BatchPatch that enables the administrator to easily deploy a registry key/value to all SIDs under HKEY_USERS, currently the only way to do this is with a custom script. Below you can see the script that I have written to handle this process.

Script to Create a Registry Key and Value Under All SIDs in HKEY_USERS

Registry DWORD (REG_DWORD) Example:

strComputer = "."
strRegPathSuffix = "\Software\Microsoft\Office\15.0\Common\Identity"
strRegValueName = "EnableADAL"
intRegValueDec = 1    'numeric literal: SetDWORDValue takes a uint32, not a string
Const HKEY_USERS = &H80000003

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = ""
'Enumerate the immediate subkeys of HKEY_USERS (one per loaded user hive) into arrSubKeys
oReg.EnumKey HKEY_USERS, strKeyPath, arrSubKeys

For Each subkey In arrSubKeys
    'wscript.echo subkey
    'We only want to do something if the subkey does not contain any of the following: .DEFAULT or S-1-5-18 or S-1-5-19 or S-1-5-20 or _Classes
    If NOT ((InStr(1,subkey,".DEFAULT",1) > 0) OR (InStr(1,subkey,"S-1-5-18",1) > 0) OR (InStr(1,subkey,"S-1-5-19",1) > 0) OR (InStr(1,subkey,"S-1-5-20",1) > 0) OR (InStr(1,subkey,"_Classes",1) > 0)) Then
        'Create desired registry key/value. The key must exist before the value can be written.
        strKeyPath = subkey & strRegPathSuffix
        'wscript.echo strKeyPath
        oReg.CreateKey HKEY_USERS, strKeyPath
        oReg.SetDWORDValue HKEY_USERS, strKeyPath, strRegValueName, intRegValueDec
    End If
Next

Registry String (REG_SZ) Example:

strComputer = "."
strRegPathSuffix = "\Software\Microsoft\Windows\CurrentVersion\Run"
strRegValueName = "ApplicationName"
strRegValue = "C:\Some Folder\Path To\Application.exe"
Const HKEY_USERS = &H80000003

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = ""
'Enumerate the immediate subkeys of HKEY_USERS (one per loaded user hive) into arrSubKeys
oReg.EnumKey HKEY_USERS, strKeyPath, arrSubKeys

For Each subkey In arrSubKeys
    'wscript.echo subkey
    'We only want to do something if the subkey does not contain any of the following: .DEFAULT or S-1-5-18 or S-1-5-19 or S-1-5-20 or _Classes
    If NOT ((InStr(1,subkey,".DEFAULT",1) > 0) OR (InStr(1,subkey,"S-1-5-18",1) > 0) OR (InStr(1,subkey,"S-1-5-19",1) > 0) OR (InStr(1,subkey,"S-1-5-20",1) > 0) OR (InStr(1,subkey,"_Classes",1) > 0)) Then
        'Create desired registry key/value. The key must exist before the value can be written.
        strKeyPath = subkey & strRegPathSuffix
        'wscript.echo strKeyPath
        oReg.CreateKey HKEY_USERS, strKeyPath
        oReg.SetStringValue HKEY_USERS, strKeyPath, strRegValueName, strRegValue
    End If
Next

If you run one of the above scripts on a single computer as-is, it will enumerate all of the subkeys under HKEY_USERS, and then it will insert the desired registry key and value (the reg key and value are defined at the top of the script) into each of the HKEY_USERS subkeys for any actual user who has logged on to the computer. We skip any subkeys that contain “.DEFAULT” or “S-1-5-18” or “S-1-5-19” or “S-1-5-20” or “_Classes” so that we only end up inserting the desired key/value into the subkeys that correspond to actual users of the computer.

Executing the Script

If you want to run the script, save the script text to a text file with a .vbs extension. For the sake of this example we’ll just call it script.vbs. You could double-click on script.vbs to run it on a single computer. However, if you want to deploy the script to numerous computers using BatchPatch, it’s very quick and easy to do that. Of course the first thing you should do is modify the script so that the registry key and value that will be deployed are the key and value that you are trying to deploy. Modify the values for strRegPathSuffix, strRegValueName, and intRegValueDec (or strRegValue in the REG_SZ version) so that you can deploy the desired key and value.

Note that on the target computer the key must exist before the value can be created, which is why the script creates the key first and then creates the value immediately after. Writing the value fails if the key does not already exist and you do not create it.

To deploy the registry key/value to numerous computers using BatchPatch, all we really have to do is deploy the script to those computers. When the script is executed on those computers, the registry key/value will be created for each user that has logged on to the computer, based on the SIDs that the script finds in HKEY_USERS. Select the desired computers in the BatchPatch grid, and then click on ‘Actions > Deploy > Create/modify

Your deployment should look like the screenshot above. When you execute it, BatchPatch will copy the script.vbs file to each of the highlighted target computers, and then it will execute the script on each of those computers too. The result will be that each user who has ever logged on to any of the target computers will see the registry key/value under his/her own HKCU hive of the registry. NOTE: If a user has not ever logged on to one of the target computers, then when he/she logs on for the first time he/she will not see the key/value under his/her own HKCU hive of the registry because the script cannot create the key/value for users who don’t already exist on the computer. In such a case you would have to re-run the script after a new user has logged on to the computer for the first time, because that user’s SID will only exist in HKEY_USERS *after* he/she logs on to the computer for the first time.
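As an added example (written here, not BatchPatch’s own code and not the .vbs above), the same per-SID deployment in PowerShell with a read-back check, so that after the script runs you can see which user hives actually received the value. It uses the key/value from the REG_DWORD example and assumes it runs from an elevated prompt on the target computer.

```powershell
# Added example: write a value under every user SID in HKEY_USERS, then read it back per SID.
# Assumes an elevated PowerShell prompt on the target computer.
# Key/value below are the REG_DWORD example from above; change them to what you deploy.
$RegPathSuffix = 'Software\Microsoft\Office\15.0\Common\Identity'
$ValueName     = 'EnableADAL'
$ValueData     = 1            # REG_DWORD data; for a REG_SZ value use -Type String below

# Same exclusion rule as the VBScript: ignore .DEFAULT, the service-account hives
# S-1-5-18 (SYSTEM), S-1-5-19 (LOCAL SERVICE), S-1-5-20 (NETWORK SERVICE), and the *_Classes hives.
# The Registry::HKEY_USERS path works without first creating an HKU: PSDrive.
function Get-UserHiveSid {
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        ForEach-Object { $_.PSChildName } |
        Where-Object {
            $_ -ne '.DEFAULT' -and
            $_ -notmatch '^S-1-5-(18|19|20)$' -and
            $_ -notlike '*_Classes'
        }
}

function Set-ValueForAllUserHives {
    foreach ($sid in Get-UserHiveSid) {
        $keyPath = "Registry::HKEY_USERS\$sid\$RegPathSuffix"
        # The key must exist before the value can be written; -Force creates any missing parents.
        if (-not (Test-Path -LiteralPath $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }
        # Creates the value if it is absent, overwrites it if it already exists.
        Set-ItemProperty -LiteralPath $keyPath -Name $ValueName -Value $ValueData -Type DWord
    }
}

# Read-back check: one object per user SID showing the data now stored, or MISSING.
function Test-ValueForAllUserHives {
    foreach ($sid in Get-UserHiveSid) {
        $keyPath = "Registry::HKEY_USERS\$sid\$RegPathSuffix"
        $item = Get-ItemProperty -LiteralPath $keyPath -Name $ValueName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Sid  = $sid
            Data = $(if ($null -ne $item) { $item.$ValueName } else { 'MISSING' })
        }
    }
}

Set-ValueForAllUserHives
Test-ValueForAllUserHives | Format-Table -AutoSize
```

HKEY_USERS only lists profile hives that are currently loaded, so the check reports the users whose hives are loaded at the moment it runs.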

In PART 2 on deploying to HKCU, I demonstrate how to deploy to HKCU for future users, meaning users who have never logged on to the target computers but who *will* log on at some point in the future.

Posted in Blog, General, Tutorials | Tagged , , , , , , | Comments closed

Copying Files from Target Computers to the Local BatchPatch Computer

Occasionally someone asks how they can use BatchPatch to copy files from target computers back to the BatchPatch computer. While BatchPatch has a built-in function for copying files to target computers, it does not have a built-in function for copying files from target computers back to the local BatchPatch computer. Fortunately even when an action is not built-in to BatchPatch, in most cases it’s still very easy to use BatchPatch to accomplish the desired task. Below I will demonstrate how to use BatchPatch to copy a file from desired target computers back to the BatchPatch computer. We will accomplish this task using the ‘Local Process / Command’ feature in BatchPatch.

  1. Select the desired target hosts in the BatchPatch grid, and then click ‘Actions > Execute local process/command > Create/modify local command 1’
  2. In the ‘Local Process/Command 1’ window insert the following command. Of course you will need to replace the file paths in your command with whatever you need for your task. We are going to use xcopy to perform the file copy.

    Note, the destination directory specified in the command has a trailing backslash. This is necessary in some cases for xcopy to know that we are talking about a folder and not a file. Without the trailing backslash, depending on the paths used, xcopy might prompt you for input while the task is running to specify if it’s a directory or file. The problem is that we need the command to run silently without any prompting, otherwise the command will hang indefinitely because it is running hidden on the target computers. There is no way for you to respond to prompts for input while the task is executing in BatchPatch. So, if the xcopy command does not contain the trailing backslash, it might hang indefinitely. When that happens in BatchPatch we will just see ‘Executing…’ forever.

    Also note, my command contains $computer as a variable that BatchPatch will automatically replace with the actual host name from the Host column in the grid. This lets us copy a file from each target computer to a local folder, and then in the local folder a subfolder with the target computer name will be created as the destination location.

    This is the command to insert into the BatchPatch ‘Local Process/Command 1’ window:

    xcopy "\\$computer\c$\someFolder\someFile.ext" "C:\someFolder\$computer\"


    When BatchPatch executes the command above for the first row in the grid, after BatchPatch substitutes the actual computer name from the Host column of the executing row for $computer, the actual command that will get executed is:

    xcopy "\\TargetHost1\c$\someFolder\someFile.ext" "C:\someFolder\TargetHost1\"
  3. That’s actually all there is to it! You can highlight all of the desired hosts at the same time and then execute the command. You’ll end up with a folder on the BatchPatch computer with one subfolder for each target computer. Each of those subfolders will be named after the target computer. And then the desired file from each target computer will be copied into the corresponding subfolder on the BatchPatch computer.

BatchPatch Service Stuck Starting?

When you want or need to have BatchPatch execute scheduled tasks even if the BatchPatch computer is not logged-on and/or you have not launched BatchPatch, the BatchPatch ‘run-as-service’ feature enables you to install BatchPatch to run as a service. You can then run any grids in this service instance so that the scheduled tasks defined in those grids will be executed regardless of whether or not anyone is actually logged on to the BatchPatch computer. This has obvious benefits. For more information on setting up and utilizing the service instance, please review this link.

Reasons for BatchPatch Service Getting Stuck Starting or Failing to Start Altogether

Under normal operating circumstances it’s very quick and painless to install and operate the service using the default installation parameters. 99% of users will be able to do this without issue. The service will install and operate without any problems on an unmodified fresh installation of Windows. However, occasionally we hear of a user having issues where the service appears to install successfully, but in the Windows Services console it gets stuck in the “starting” state. We have identified the following possible causes for this situation.

  1. Windows executable security block: Make sure that Windows has not put a security block on BatchPatch.exe, BatchPatchService.exe, or BatchPatchServiceInstance.exe. To check, right-click on each of these files and view Properties > General. If a file is blocked you’ll have an ‘Unblock’ option as shown in the screenshot below. The BatchPatch.exe file will be located wherever you chose to put it. The BatchPatchService.exe and the BatchPatchServiceInstance.exe will be located in the directory that you selected to install the BatchPatch service (default is C:\Program Files (x86)\BatchPatch\Service).
  2. Service runner account has never logged on: If the account that you are using to install the service has never logged-on to the computer before, that could be the source of the problem. Make sure that you have logged on to the computer at least one time with the user account that will be running the service. If you use right-click run-as to run BatchPatch as a different user account from the account that you are logged-on to the computer with, make sure to log on to the computer separately with the run-as account one time. After you have logged on with the runner account once, you may switch back to the other account and then continue using right-click run-as to launch BatchPatch as the runner account without being logged on to the computer with that account.
  3. Launching BatchPatch from inside a .zip file: Make sure that you are not running the BatchPatch.exe directly from inside the BatchPatch.zip file. Please first extract the batchpatch.exe to a location on disk using the .zip extraction tool of your choice, and then double-click the batchpatch.exe to launch it. Do not simply “open” the batchpatch.zip file and double-click the batchpatch.exe without first extracting the batchpatch.exe to a new location on disk. If you launch BatchPatch directly from the unextracted .zip file and then proceed to install the service, it could create a situation where incorrect or unexpected permissions prevent the service from starting successfully.
  4. Permissions issue with service installation location: The default location for the installation of the BatchPatch service is ‘C:\Program Files (x86)\BatchPatch\Service’. If you find that the service is stuck starting, it could be due to unexpected or unusual permissions being applied to that folder. In this case we recommend uninstalling the service and then attempting to reinstall it using an installation directory that’s inside the user profile for the user running the service (e.g. if ‘SomeUser’ is the service runner account, then install the service in ‘C:\Users\SomeUser\BatchPatch\Service’ or similar location). It might be the case that modifying the permissions on the original ‘C:\Program Files (x86)\BatchPatch\Service’ directory would also fix the problem, so long as the service runner account has full read/write access to that directory. Both options are probably worth trying to see if one works for you.
  5. Service runner account is not local administrator: Make sure the service runner account is a member of the local administrators group on the computer. Membership in the local administrators group may not be required for the service to run successfully, but it’s the first best thing to try if you are having problems trying to run the service with an account that is not a member of the local administrators group. If you can get things working properly with the account in the local administrators group first, then you can work from there as a starting point if you still want to run the service without local administrator permission, in which case you would still need, at the very least, to grant the runner account the ‘Log on as a service’ security policy setting.
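Items 1, 4 and 5 above can be checked from an elevated PowerShell prompt. The script below is an added example, not part of the BatchPatch documentation; the service directory is the default named above, while $BatchPatchExe and $RunnerAccount are constructed placeholders you must adjust.

```powershell
# Added example: check for the "blocked file", directory permission and local-admin causes above.
# Assumes an elevated PowerShell prompt on the BatchPatch computer.
$ServiceDir    = 'C:\Program Files (x86)\BatchPatch\Service'   # default install directory from the post
$BatchPatchExe = 'C:\BatchPatch\BatchPatch.exe'                  # placeholder: wherever you put BatchPatch.exe
$RunnerAccount = 'CONTOSO\SomeUser'                              # constructed sample runner account

# 1. A "blocked" file is one carrying the Zone.Identifier alternate data stream (the Mark of the Web
#    that Windows attaches to downloaded files). Properties > Unblock deletes that stream; so does Unblock-File.
function Test-BlockedFile {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ File = $p; State = 'NOT FOUND' }
            continue
        }
        $mark = Get-Item -LiteralPath $p -Stream Zone.Identifier -ErrorAction SilentlyContinue
        [pscustomobject]@{ File = $p; State = $(if ($mark) { 'BLOCKED' } else { 'ok' }) }
    }
}

# 4. Which Allow ACEs on the service directory name the runner account directly?
#    (Rights granted via group membership are not expanded here; an empty result means no direct ACE.)
function Get-ServiceDirAccess {
    param([string]$Directory, [string]$Account)
    (Get-Acl -LiteralPath $Directory).Access |
        Where-Object { $_.IdentityReference -eq $Account -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# 5. Is the runner account a direct member of the local Administrators group?
function Test-LocalAdmin {
    param([string]$Account)
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $null -ne ($members | Where-Object { $_.Name -eq $Account })
}

Test-BlockedFile -Path $BatchPatchExe,
                       "$ServiceDir\BatchPatchService.exe",
                       "$ServiceDir\BatchPatchServiceInstance.exe" | Format-Table -AutoSize
Get-ServiceDirAccess -Directory $ServiceDir -Account $RunnerAccount | Format-Table -AutoSize
"Runner account is a direct local Administrators member: $(Test-LocalAdmin -Account $RunnerAccount)"
```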

Other Possible Reasons for BatchPatch Service Getting Stuck Starting

If you discover a different cause for the service getting stuck in the “starting” state on your computer or simply failing to start altogether, we would really appreciate if you could please reach out to us to let us know, so that we can update this posting accordingly. Thanks!


Online Cached Mode Fails to Download Update: Illegal characters in path. HRESULT: -2146233079

For those of you using BatchPatch in online cached mode… Starting with Windows 10/2016 version 1709 you might start seeing these two errors occur together in the ‘Local Agent Log’ column:

An exception occurred during a WebClient request.. HRESULT: -2146233079
Failed: Illegal characters in path.

The Problem:

Starting with Windows 10/2016 build 1709 Microsoft began publishing some updates with different/new update URLs in the update metadata as compared to all previous versions of Windows.

These new update URLs are formatted like this:

http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/096dd15c-70d9-4d48-b99c-0272f32a1853?P1=1521499885&P2=301&P3=2&P4=DS9%2bc8sTV40DeDsw3Rjf98wBE%2bifv2dl%2fV%2buaU9HtGw%3d

Instead of like this:

http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/04/windows10.0-kb4093107-x64_b5d9c24dfcf332de6968faeb867a31a2d6a10e8b.cab

The URLs that Microsoft embeds in the metadata for Windows updates are how BatchPatch knows where to download updates from when it is running in online ‘cached mode’. Unfortunately, updates with the new URL format cannot be downloaded in a web browser or by BatchPatch. As such, when you have online cached mode enabled and you try to update a system running Windows 10/2016 version 1709 or later, you might see an error. If that happens, your ‘Local Agent Log’ column will show something similar to what I have pasted below. Generally, all three of the following will be true if you are experiencing the problem described in this blog posting; if you are not seeing all three items in your ‘Local Agent Log’ column, you might be experiencing a different issue:

  1. A filename that ends with this text:
    %3d
  2. Exception text:
    An exception occurred during a WebClient request.. HRESULT: -2146233079
  3. Exception text:
    Failed: Illegal characters in path

Sample Local Agent Log That Contains The Aforementioned Exception Text:

Local Agent Log
::Begin download
 
1> 80f5d408-146c-4819-b094-424d7bafa43f?P1=1518618864&P2=301&P3=2&P4=XQl9XGC2jopOymNc05rGw5X11vmG1pBIUA6TVBR5N5s%3d :: Attempt 1: Failure: An exception occurred during a WebClient request.. HRESULT: -2146233079. Attempt 2: Failure: An exception occurred during a WebClient request.. HRESULT: -2146233079.
 
::End download
 
Files downloaded: 0
Files located in cache: 0
Files excluded by filter: 0
Files initiated by another row: 0
Failures: 1
 
::Begin file copy operation
 
1> 80f5d408-146c-4819-b094-424d7bafa43f?P1=1518618864&P2=301&P3=2&P4=XQl9XGC2jopOymNc05rGw5X11vmG1pBIUA6TVBR5N5s%3d :: Failed: Illegal characters in path.
 
::End file copy operation
 
Files copied: 0
Files skipped: 0
Failures: 1
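The log lines above show the cache file name being the text after the last ‘/’ of the URL. The following added illustration (written here, not BatchPatch’s code; BatchPatch’s actual naming logic is not published in this post) derives that name from the two URLs quoted above and reports why the 1709+ form is rejected as a Windows file name.

```powershell
# Added illustration: compare the last URL segment of the old and new update URL formats.
# Both URLs are the ones quoted in the post above.
$OldUrl = 'http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/04/windows10.0-kb4093107-x64_b5d9c24dfcf332de6968faeb867a31a2d6a10e8b.cab'
$NewUrl = 'http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/096dd15c-70d9-4d48-b99c-0272f32a1853?P1=1521499885&P2=301&P3=2&P4=DS9%2bc8sTV40DeDsw3Rjf98wBE%2bifv2dl%2fV%2buaU9HtGw%3d'

# The name as it appears in the Local Agent Log: everything after the last slash, query string included.
function Get-LastUrlSegment {
    param([string]$Url)
    $Url.Substring($Url.LastIndexOf('/') + 1)
}

# Report the three things the post says you will see, plus which characters Windows refuses in a file name.
function Test-CacheName {
    param([string]$Url)
    $name    = Get-LastUrlSegment -Url $Url
    $invalid = [IO.Path]::GetInvalidFileNameChars()
    $bad     = [char[]]$name | Where-Object { $invalid -contains $_ } | Sort-Object -Unique
    [pscustomobject]@{
        CacheName    = $name
        EndsWith3d   = $name.EndsWith('%3d')          # the "%3d" tail from item 1 above
        HasQuery     = ([Uri]$Url).Query.Length -gt 0  # new 1709+ URLs carry P1..P4 parameters
        IllegalChars = ($bad -join ' ')                 # '?' from the query string is not allowed in a path
    }
}

Test-CacheName -Url $OldUrl | Format-List   # .cab name, no query, no illegal characters
Test-CacheName -Url $NewUrl | Format-List   # GUID?P1=...%3d name, query present, '?' illegal
```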

Workarounds:

  1. Disable cached mode. When BatchPatch is running in normal/default mode with no caching, this issue does not exist. If you do not have a specific need for using cached mode, then I would recommend you simply disable it and run in normal/default mode.
  2. Enable offline mode. When BatchPatch is running in offline mode (aka: offline cached mode) this issue does not exist. Offline mode will generally only install Security Updates, so it may not be optimal for you to run in this mode at all times if you want other updates to be installed. It depends on your needs and preference. If you can disable cached mode altogether, then the previous option is the best option. If you must use cached mode, then you can use offline cached mode to get the security updates installed that fail with the issue described in this blog posting.
  3. Download the .msu update file directly from the Microsoft Update Catalog. You can find your update in the catalog by going to the catalog site and searching for the desired update, or by submitting the search query yourself in your browser with a link formatted as follows, substituting the KB ID of the update you are searching for in place of the KB ID used in my link here:
    https://www.catalog.update.microsoft.com/Search.aspx?q=KB4480116

    Then after downloading the .msu update file you can deploy it directly to target computers using BatchPatch’s deployment feature. You may use this tutorial to guide you through the deployment process: Remotely Deploy a Standalone MSU File to Multiple Computers

  4. Install a WSUS server in your environment. Use it to cache the updates. Then use BatchPatch in default/normal (non-cached) mode to trigger the distribution/installation.

Remotely Deploying Windows Feature Update Version 1809 (the ‘October 2018 Update’)

In order to use BatchPatch to deploy Windows 10 feature update 1809, please follow the method outlined below. The normal Windows Update actions in BatchPatch are not sufficient for installing the feature updates to Windows 10. Also note, just for the sake of clarity, that even though these are considered Windows 10 feature updates, the Windows Update Agent (WUA) puts these in the update classification called Upgrades. EDIT: Starting with the April 2020 release of BatchPatch, feature updates can now also be installed using the normal Windows update actions, though cached mode must be disabled in order for that to be successful.

  1. Obtain the Windows 10 Media Creation Tool from Microsoft. Follow this link and then choose the option to download the tool. Be careful to not select the option to ‘Update now’ because at the time of this writing the above link will have both options: a link to update the current computer plus a separate link to download the Windows 10 Media Creation Tool. If you choose ‘Update now’ you’ll begin the update process for the computer that you are using to view that webpage. Instead choose the ‘Download tool now’ option, though note that it’s very possible that Microsoft could change the language or the text on the download button by the time you are reading this to something other than ‘Download tool now’. Also note, the Windows 10 Media Creation Tool does not let you choose which version of Windows 10 it will download. It will only ever download the latest release, which at the time of this writing is version 1809. If you have another means of obtaining Windows 10 media, such as through a volume licensing agreement with Microsoft, then you may do that instead of using the media creation tool.
  2. Launch the Windows 10 Media Creation Tool that you downloaded in the previous step. NOTE, you *must* be logged on to the computer as a local administrator when you launch the tool. For reasons that Microsoft has not made clear, it is *not* sufficient to use run-as to launch the media creation tool elevated as administrator. Instead you have to actually be logged on to the computer with the admin account before you launch the tool. Otherwise you’ll end up launching the tool as a standard user and clicking through screens until the tool itself notifies you that it cannot complete its job.
  3. Use the Windows 10 Media Creation Tool to create installation media. When you run the tool you will be prompted to select either ‘Upgrade this PC now’ or ‘Create installation media (USB flash drive, DVD, or ISO file) for another PC’. The goal here is not to upgrade the current PC but rather to obtain media that can be used to update other PCs, so choose the second option to ‘Create installation media…’ and then click ‘Next’.
  4. Select the desired language, edition, and architecture, and then click ‘Next’.
  5. Choose which media to use. For this tutorial you should select ISO as the media type. When you click ‘Next’ you will be prompted to choose a disk location for the ISO file to be saved. Choose a folder and then wait until the download completes. It will take some time because it’s ~4GB.
  6. Extract the ISO contents to a folder on your computer. When the download completes you will need to browse to the ISO file location. Many different tools can be used to extract the contents of the ISO file. We prefer 7-zip, which is free, for this sort of thing. When the extraction is complete you should have all of the feature update installation files in a single folder.
  7. Create a BatchPatch deployment. In BatchPatch click on Actions > Deploy > Create/modify. In the Deployment interface that appears, browse to the folder where you extracted the ISO contents, and select the setup.exe as the file to deploy. Make sure to tick the ‘Copy entire directory‘ box and the ‘Leave entire directory‘ box. When the upgrade/installation is being performed, Windows will reboot the target computer multiple times during the process. The installation/upgrade process must have access to all of the files required for the upgrade. Having both of the checkboxes ticked will ensure that the process has all of the needed files available to it during the installation. After the upgrade is complete you may delete the files from the target computer(s), but just make sure that you don’t delete them until the upgrade process is 100% complete. In your BatchPatch deployment configuration you will also need to add the following parameters:
    /auto upgrade /quiet

  8. Execute the deployment. In the deployment configuration from the previous step you can either save the deployment to execute later by using the double-right-arrow ‘>>’ button, or you can execute the deployment now for the currently selected rows in the BatchPatch grid by clicking the Execute now button. If you saved the deployment configuration for later, then when you are ready to deploy the upgrade to your target computers, go ahead and execute it by clicking Actions > Deploy > Execute deployment, and then choose the deployment that you just created/saved. The process will take some time to complete because BatchPatch has to copy the entire multi-gigabyte media folder to the target computer(s) before it can execute the upgrade. When BatchPatch shows Exit Code: 0 (SUCCESS) for a given target computer it means that the BatchPatch process has completed, but you should still expect that the target computer(s) will still be working and will reboot at least one time, and possibly multiple times, while Windows is upgraded and configured, so be patient and let it complete!

    NOTE: We have had a couple of reports from users who received the following error:

    Deployment: Error: Access to the path '\\TargetComputer\C$\Program Files\BatchPatch\deployment\autorun.inf' is denied.

    It’s unclear why these users experienced this error even though most other users have executed the deployment successfully without encountering the error. My guess is it might have something to do with the application used to extract the .ISO file and the way permissions were applied or inherited. Regardless, if you encounter this error it can be resolved quickly and easily by just deleting the autorun.inf file from the source directory after extracting the ISO contents but before executing the actual deployment for any target computers. In this way when BatchPatch copies the installation files to the target computer, the autorun.inf won’t even be there, so this error won’t occur.


Windows Update for Offline Computers and Disconnected Networks

It’s becoming increasingly common for companies and organizations to segregate at least some of their servers (and even non-server computers sometimes too) so that they don’t have any internet access. The goal in eliminating internet access for computers is virtually always to increase security by decreasing the attack surface or vector. However, while it’s true that removing internet access for computers will in many ways dramatically decrease the exposure for attack, it can be a bit of a catch-22. On the one hand when a system does not have internet access, it’s not going to be as vulnerable to as many attacks. On the other hand when machines are offline it’s more difficult to keep them up to date, and when an operating system or an application running on the OS is not up to date, the system becomes more vulnerable. An attack might be less likely to occur on an offline network, but if the computers on that network are not kept up to date and are subsequently attacked in one way or another, the attack has a much higher likelihood of being successful than it would if the computers were patched/updated regularly.

How to Deploy Windows Updates to Offline Computers

There are a number of ways to accomplish this task, but unless you want a heavy monthly burden that eats a lot of human-hours, you really need to use a patch management application that’s going to do most of the work for you. You don’t necessarily have to use BatchPatch for this purpose, but even though I’m obviously biased I’m just going to come right out and say that despite my bias BatchPatch is still likely to be the easiest, most efficient, and least expensive option that you have for applying Windows Updates to numerous offline computers.

BatchPatch has two primary modes of operation (or three, depending on how you look at it). The default mode that BatchPatch operates in requires target computers to have internet access or access to a WSUS server, but if you switch BatchPatch to ‘offline mode’ you can use it to scan offline computers for needed updates, and then deploy the updates to those computers. And you can do it efficiently so that all of the offline computers can be updated at the same time.

At the following link I have described the three different scenarios for using BatchPatch in ‘offline mode’. Note, they are ordered from least stringent to most stringent offline network scenarios. There is always a balance between security and convenience. The offline networks with the most stringent rules will generally be the least convenient or least efficient to patch. The offline networks with the least stringent rules will usually be easier or more efficient to patch but of course it always depends on the particulars of your environment. That said, when choosing which BatchPatch ‘offline mode’ approach/method to use, start at the top and work your way down until you see the method that will work for your environment. If you choose the method that is designed for the absolute most secure environments, you might be decreasing your own efficiency for patching your network if your network’s requirements are not quite so strict.

Offline Patch Management with BatchPatch

More Details on BatchPatch Cached Mode and Offline Updates

Posted in Blog, General, Tutorials | Tagged , , , | Comments closed

Configuring Per-Grid Windows Update Filter Exclusions Using Row Templates in BatchPatch

One of the topics that I have written about in the past is how you can configure filters in BatchPatch to prevent certain categories of updates from installing, or so that you can exclude particular individual updates from being installed on target computers. Those postings are here:

Additionally I have posted in the past about the ‘Row Template’ feature in BatchPatch here:

Apply Update Exclusions Per-Grid Using the Row Template

Today I’m going to demonstrate how you can use the ‘Row Template’ feature to pre-configure a grid with Windows Update filters that will enable you to exclude certain updates from being applied to target computers, depending on which grid you add the computers to.

The ‘Row Template’ feature enables you to create a single template row for each grid. After you enable a row template for a given grid, then when you add new rows/hosts to that grid, the new rows/hosts will receive the pre-configured values that you have stored in the row template for that grid. This may sound confusing when written down, but in practice it’s actually very simple.

For example, let’s say that you have a group of SQL servers that you manage in a single BatchPatch grid. You want to ensure that these SQL servers will not install a particular update KB112233, and you want to also ensure that when new SQL servers are added to this same grid that none of them install the update either. However, you also have a separate group of web servers that you manage in a separate BatchPatch grid, and for these web servers you want them to apply KB112233, but you don’t want them to apply KB445566. And similarly, you want to ensure that when a new web server is added to the BatchPatch grid (.bps) file that it will have the same exclusion/filter rules configured as the existing servers in the grid. How can you do this?

In BatchPatch we can create a row template on a per-grid basis, and then in the row template we can store the Windows Update filters / exclusions, so that any time a new row/host is added to a grid, it will automatically receive any values that were pre-configured in the row template. This means that the new hosts/rows can automatically receive the same Windows Update filters / exclusions that exist for other hosts in the same grid.

Here’s how it works:

  1. First we need to create a row template for our grid. For the sake of this example we will create a row template that includes an exclusion for update KB112233, so that KB112233 is never installed on computers that are added to this grid. In our grid we have 3 hosts to start. Create a Windows Update exclusion filter by selecting the rows and then clicking ‘Actions > Windows updates > Filter which available updates are included or excluded when downloading/installing > Exclude specific updates (textual)…’
  2. In the exclusions window that appears I will type/paste the KB112233 that I want to be excluded from being applied to the computers in this grid. Then I’ll click Save. You can see in the screenshots below what this process looks like.

  3. Now we can use one of the existing rows in the grid to create a row template. Select just a single row in the grid, and now click ‘Grid > Row template configurator’. In the window that appears click ‘Create/update row template based on selected row in main BatchPatch grid’. You’ll see now that the ‘Download/install filter’ column, including the data stored for the selected row, has been copied to the ‘Row Template’ for the grid.

  4. At this point we just need to make sure that we enable the Row Template by clicking the radio button ‘Enabled’ in the upper right corner of the window. In the screenshot above you can see that when I captured the image it was still set to ‘Disabled.’ Make sure you click ‘Enabled’ before clicking OK. If a row template has been created but is left ‘Disabled’ it will have no effect. It must be ‘Enabled’ to actually do something.
  5. Now the row template for the grid has been created and enabled. If we add more hosts to the grid, they will automatically receive the values that were stored in the row template. In this case we stored the ‘Download/Install Filter’ value to exclude KB112233. So, after I add new hosts to the grid, you can see in the screenshot below that they have the same filter applied as the previously existing rows.

Posted in Blog, General, Tutorials | Comments closed

Get Adobe Flash Version Number from Multiple Computers

We recently received the following questions: “How can one tell if Adobe Flash is installed on numerous target computers? If it’s installed, what’s the best way to determine which version is on each target?”

Today I’m going to demonstrate one possible way to get the desired information, but there are probably other equally viable methods, so definitely feel free to do what works best for you and your environment.

Get List of All Installed Applications

First, note that in BatchPatch there is a built-in menu item ‘Actions > Get information > Get list of installed programs’ that one can use to obtain a list of all installed programs on target computers. This action queries the following two registry keys on target computers to obtain a list of installed applications. While this list is generally going to be pretty comprehensive, please be aware that a program can be installed without ever having registered itself with the system, so it’s possible that you could have an app that does not appear in the output list that this method obtains. Also note that this output will not necessarily include version numbers. Additionally, this output will generally include duplicate entries, because many applications are entered into both of the following registry keys rather than just one. For the sake of completeness BatchPatch gets information from both keys and does not extract unique results, which means that if an application is entered in both locations you will see it appear twice in the list.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

Sample output:

Get Adobe Flash Version Number

A very quick Google search revealed this link ( https://forums.adobe.com/thread/912422 ) which explains that Adobe Flash version information can be obtained by looking at the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia

In BatchPatch we can obtain registry values from numerous computers simultaneously by selecting the desired computers in the BatchPatch grid and then executing ‘Actions > Get information > Get registry key/value’, which opens the following window:

In the window shown in the above screenshot you can add the desired registry key and value that you would like to read. Once the appropriate key and value name are entered, click OK to see the results.

We can see in the above screenshot of the result that the test computer I queried has version 18.0.0.203. If a target computer does not have Adobe Flash installed at all, then we would expect this ‘Get registry key/value’ action to return nothing for the registry key and value that we queried. Pretty simple! I hope this helps.
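The same two lookups (installed-program inventory from both Uninstall keys, and a version value read from under HKLM\SOFTWARE\Macromedia) done from PowerShell, as an added example that is not BatchPatch code and is not from the original post. It assumes the Remote Registry service is running on the targets and that the caller has administrative rights there; the host names are constructed placeholders. Because the post names only the Macromedia key and not the exact value that holds the version, the second function dumps every value under that key and its immediate subkeys rather than guessing a value name.

```powershell
# Added example; not BatchPatch code and not from the original post.
# Reads HKLM on each target through the Remote Registry service (RegistryKey.OpenRemoteBaseKey).
# Assumptions: Remote Registry is running on the targets; the caller is a local admin there.

$UninstallKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # absent on 32-bit Windows
)

function Get-RemoteInstalledPrograms {
    # Lists installed programs from both Uninstall keys. Unlike the BatchPatch action described
    # above, it also reads DisplayVersion (which may be empty) and the output can be de-duplicated.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        $hklm = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            foreach ($path in $UninstallKeys) {
                $key = $hklm.OpenSubKey($path)
                if (-not $key) { continue }
                foreach ($name in $key.GetSubKeyNames()) {
                    $sub = $key.OpenSubKey($name)
                    $display = $sub.GetValue('DisplayName')
                    # Many subkeys are patches or components with no DisplayName; skip those.
                    if (-not [string]::IsNullOrWhiteSpace($display)) {
                        [pscustomobject]@{
                            ComputerName = $computer
                            DisplayName  = $display
                            Version      = $sub.GetValue('DisplayVersion')   # $null if the installer recorded none
                            Source       = $path
                        }
                    }
                    $sub.Close()
                }
                $key.Close()
            }
        } catch {
            Write-Warning ("{0}: {1}" -f $computer, $_.Exception.Message)
        } finally {
            if ($hklm) { $hklm.Close() }
        }
    }
}

function Get-RemoteRegistryValues {
    # Returns every value under $SubKey and its immediate subkeys on each target, so a version
    # value can be found without knowing its exact name. A target where the key does not exist
    # yields no rows, which is the "not installed" case described above.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$SubKey,
        [string]$ValueName            # optional filter on the value name
    )

    foreach ($computer in $ComputerName) {
        $hklm = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $root = $hklm.OpenSubKey($SubKey)
            if (-not $root) { continue }
            $keys = @($root) + @($root.GetSubKeyNames() | ForEach-Object { $root.OpenSubKey($_) })
            foreach ($key in $keys) {
                foreach ($vn in $key.GetValueNames()) {
                    if ($ValueName -and $vn -ne $ValueName) { continue }
                    [pscustomobject]@{
                        ComputerName = $computer
                        Key          = $key.Name
                        ValueName    = $vn
                        Value        = $key.GetValue($vn)
                    }
                }
                $key.Close()
            }
        } catch {
            Write-Warning ("{0}: {1}" -f $computer, $_.Exception.Message)
        } finally {
            if ($hklm) { $hklm.Close() }
        }
    }
}

# Usage (constructed host names):
$targets = 'SERVER01', 'SERVER02'
Get-RemoteInstalledPrograms -ComputerName $targets |
    Sort-Object ComputerName, DisplayName, Version -Unique | Format-Table -AutoSize
Get-RemoteRegistryValues -ComputerName $targets -SubKey 'SOFTWARE\Macromedia' | Format-Table -AutoSize
```

The `Sort-Object -Unique` on the inventory collapses the duplicate rows that the post explains come from an application registering under both Uninstall keys. A warning rather than a thrown error per host keeps one unreachable target from stopping the sweep over the rest.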

Posted in Blog, General, Tutorials | Comments closed

Explanation of ‘Get Pending Reboot Status’ Actions in BatchPatch

Windows does not provide a single sanctioned way to determine with certainty whether a computer needs a reboot. However, Windows does record, in several places in the OS, values from which one can infer that a reboot is required to complete certain operations.

When using one of the ‘Get pending reboot status’ actions in BatchPatch, a check is initiated that looks in the following locations on the target computer(s) to determine whether a reboot is needed:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
    If this key contains a “RebootRequired” subkey, BatchPatch returns TRUE.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
    If this key contains a “RebootPending” subkey, BatchPatch returns TRUE.
  • HKLM\SOFTWARE\Microsoft\Updates
    If the UpdateExeVolatile value exists and is greater than 0, BatchPatch returns TRUE.
  • CCM_ClientUtilities.DetermineIfRebootPending method
    If the host has the SCCM client installed and this method returns TRUE, BatchPatch returns TRUE.
  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
    If the PendingFileRenameOperations value contains any file paths, BatchPatch displays them, but this alone does not cause BatchPatch to return TRUE, even though the rename operations will occur upon reboot.

All that said, when you use ‘Get pending reboot status’ and it returns TRUE, it doesn’t mean that you absolutely must reboot the computer. It means that Windows has operations that are pending a reboot to be completed. It does not necessarily mean that the computer is in an unstable or problematic state.

If you use one of the BatchPatch methods to install Windows updates but you do not let BatchPatch also ‘reboot if required’, then you could leave your computers in an unstable/unprotected/vulnerable state, since some updates will not be “live” until the reboot occurs. However, if you are rebooting the computers after Windows updates are installed, but at a later date ‘Get pending reboot status’ reports TRUE, it does not necessarily mean that the sky is falling and that you must drop everything and reboot immediately. It may warrant further investigation into why BatchPatch is reporting TRUE, so that you can decide whether you want to reboot the computers or not.
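The five checks listed above, implemented as one PowerShell function so the result can be compared with what BatchPatch reports. This is an added example, not BatchPatch’s own code. It follows the same rule as the action described above: the first four sources set the pending flag, while PendingFileRenameOperations is only reported. The SCCM check assumes the client’s `root\ccm\ClientSDK` WMI namespace, which is where `CCM_ClientUtilities` lives on a machine with the SCCM client installed; on a machine without it, the namespace is absent and that check is skipped.

```powershell
# Added example; not BatchPatch code. Mirrors the five checks listed above on the local machine.
function Test-PendingReboot {
    [CmdletBinding()]
    param()

    $reasons = New-Object System.Collections.Generic.List[string]

    # 1. Windows Update: a RebootRequired subkey under Auto Update
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons.Add('WindowsUpdate\Auto Update\RebootRequired subkey exists')
    }

    # 2. Component Based Servicing: a RebootPending subkey
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons.Add('Component Based Servicing\RebootPending subkey exists')
    }

    # 3. Legacy update.exe installer: UpdateExeVolatile greater than 0
    $volatile = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Updates' -Name UpdateExeVolatile `
                    -ErrorAction SilentlyContinue).UpdateExeVolatile
    if ($volatile -and $volatile -gt 0) {
        $reasons.Add("UpdateExeVolatile = $volatile")
    }

    # 4. SCCM client, if present (assumption: client SDK namespace root\ccm\ClientSDK)
    try {
        $ccm = Invoke-CimMethod -Namespace 'root\ccm\ClientSDK' -ClassName CCM_ClientUtilities `
                   -MethodName DetermineIfRebootPending -ErrorAction Stop
        if ($ccm.RebootPending) {
            $reasons.Add('CCM_ClientUtilities.DetermineIfRebootPending reports RebootPending')
        }
    } catch {
        # No SCCM client (namespace missing): nothing to report, as above.
    }

    # 5. PendingFileRenameOperations: displayed only; does not by itself set RebootPending.
    $renames = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                    -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $renames = @($renames | Where-Object { $_ })   # the REG_MULTI_SZ has empty entries between pairs

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RebootPending      = ($reasons.Count -gt 0)
        Reasons            = $reasons.ToArray()
        PendingFileRenames = $renames
    }
}

# Usage: locally, or against a remote host over WinRM.
Test-PendingReboot | Format-List
# Invoke-Command -ComputerName SERVER01 -ScriptBlock ${function:Test-PendingReboot}   # SERVER01 is a placeholder
```

Returning the reasons rather than a bare TRUE is what makes the caveat above actionable: when the result is TRUE weeks after a patch cycle, the `Reasons` field tells you which of the five sources is raising it before you decide whether a reboot is warranted.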

Posted in Blog, General, Tutorials | Comments closed

Windows Update Options for Reboot Timing and Behavior

One of the questions that people sometimes ask us is whether BatchPatch can initiate the Windows Update download/installation on target computers *without* also triggering an immediate reboot of those computers. The short answer is yes. The longer answer is that controlling the behavior in BatchPatch is very straightforward and simple, but the behavior of BatchPatch isn’t really what you have to worry about. It’s Windows, and the various settings Windows provides for reboots after updates, that you have to be concerned about.

For this posting I’m going to focus on Windows 10 options when it comes to reboots after updates. Other Windows operating systems may vary, but since Windows 10 is the latest version of Windows, I think it makes the most sense to focus on Windows 10.

In BatchPatch you have numerous options for applying Windows Updates. The primary action items to select from in BatchPatch when downloading and/or installing updates are:

  • Download available updates
  • Download and install updates
  • Download and install updates + reboot if required
  • Download and install updates + reboot always
  • Install downloaded updates
  • Install downloaded updates + reboot if required
  • Install downloaded updates + reboot always

If you select one of the options that does not include reboot, BatchPatch will not reboot the target(s) after installing updates. You can, optionally, always come back at any time with BatchPatch and execute a standalone reboot, but the topic of today’s posting is about controlling reboot behavior specifically for when installing Windows Updates.

The first thing that you should do is acquaint yourself with the different options that Windows provides via Group Policy for controlling computer restarts around Windows Update installations. Once you’re well acquainted you can then test accordingly so that you can determine exactly the behavior to expect in your environment based on the settings that you select. The primary settings to control reboots after Windows Updates all live in Group Policy under Computer Configuration\Administrative Templates\Windows Components\Windows Update. It’s actually possible to control all of these policies via direct registry edits too, but for ease of operation it’s really best to control these settings via Group Policy (or of course you may also use Local Policy if you’re not on a domain).

Turn off auto-restart for updates during active hours
Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the No auto-restart with logged on users for scheduled automatic updates installations or Always automatically restart at the scheduled time policies are enabled.

Always automatically restart at the scheduled time
Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the No auto-restart with logged on users for scheduled automatic updates installations policy is enabled.

Specify deadline before auto-restart for update installation
Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the No auto-restart with logged on users for scheduled automatic updates installations or Always automatically restart at the scheduled time policies are enabled.

No auto-restart with logged on users for scheduled automatic updates installations
Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the Configure Automatic Updates policy is configured to perform scheduled installations of updates.
There is no equivalent MDM policy setting for Windows 10 Mobile.

You can review more details about managing Windows device restarts after updates at this link: Manage device restarts after updates
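Before testing reboot behavior it helps to see which of the four policies above is actually applied on a machine and which one wins, since three of them are silently ignored when another is enabled. The following read-only audit function is an added example, not from the original post and not BatchPatch code. It reads the registry values that these Group Policy settings are stored in and applies the precedence rules quoted above. The policy key paths (`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` and its `AU` subkey) and the value names are taken from the Windows Update policy template as I know it, not from the post, so treat them as assumptions to confirm against `gpresult` in your own environment.

```powershell
# Added example; not BatchPatch code. Read-only audit of the Windows Update restart policies above.
# Assumption: these are the policy-backing registry locations and value names from the WU ADMX template.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, i.e. the setting is Not Configured
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-WuRestartPolicy {
    $raw = [ordered]@{
        NoAutoRebootWithLoggedOnUsers          = Get-PolicyValue $AuPolicy 'NoAutoRebootWithLoggedOnUsers'
        AlwaysAutoRebootAtScheduledTime        = Get-PolicyValue $AuPolicy 'AlwaysAutoRebootAtScheduledTime'
        AlwaysAutoRebootAtScheduledTimeMinutes = Get-PolicyValue $AuPolicy 'AlwaysAutoRebootAtScheduledTimeMinutes'
        SetActiveHours                         = Get-PolicyValue $WuPolicy 'SetActiveHours'
        ActiveHoursStart                       = Get-PolicyValue $WuPolicy 'ActiveHoursStart'
        ActiveHoursEnd                         = Get-PolicyValue $WuPolicy 'ActiveHoursEnd'
        SetAutoRestartDeadline                 = Get-PolicyValue $WuPolicy 'SetAutoRestartDeadline'
        AutoRestartDeadlinePeriodInDays        = Get-PolicyValue $WuPolicy 'AutoRestartDeadlinePeriodInDays'
    }

    # Precedence as stated in the policy descriptions above:
    #  - "No auto-restart with logged on users" disables the other three.
    #  - "Always automatically restart at the scheduled time" disables active hours and the deadline.
    $effective = New-Object System.Collections.Generic.List[string]
    if ($raw.NoAutoRebootWithLoggedOnUsers -eq 1) {
        $effective.Add('No automatic restart while a user is logged on (scheduled installs only); ' +
                       'active hours, scheduled-time restart and deadline policies have no effect')
    } elseif ($raw.AlwaysAutoRebootAtScheduledTime -eq 1) {
        $effective.Add("Restart timer of $($raw.AlwaysAutoRebootAtScheduledTimeMinutes) minutes starts after " +
                       'important updates install; active hours and deadline policies have no effect')
    } else {
        if ($raw.SetActiveHours -eq 1) {
            $effective.Add("No automatic restart between $($raw.ActiveHoursStart):00 and $($raw.ActiveHoursEnd):00")
        }
        if ($raw.SetAutoRestartDeadline -eq 1) {
            $effective.Add("Automatic restart can be delayed at most $($raw.AutoRestartDeadlinePeriodInDays) days")
        }
        if ($effective.Count -eq 0) {
            $effective.Add('None of the four restart policies is enabled; default Windows restart behavior applies')
        }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        PolicyValues      = [pscustomobject]$raw
        EffectiveBehavior = $effective.ToArray()
    }
}

Get-WuRestartPolicy | Format-List
```

Run it on a test machine after each Group Policy change (and a `gpupdate /force`) so that what you observe in the reboot test matches the policy that is really in effect, rather than the one you intended to set.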

Posted in Blog, General, Tutorials | Comments closed