Automated Patch Management

By Scott | Published: May 28, 2018

Today I’d like to go through all the ways that BatchPatch can be used to automate your software and operating system patch management.

Standard BatchPatch Actions:

If you log on to a computer locally to apply updates and reboot, it’s a multi-step process. First you have to use remote desktop to connect to the desired computer, then you have to logon, then you have to launch the Windows Update control panel, then you have to download and install the available updates. At this point you’d have to wait usually at least a few minutes, but sometimes much longer while the download and update process completes. And even after the updates have been installed you still then have to manually initiate a reboot and monitor the computer with a ping command or a monitoring tool while the reboot is taking place, so that you can confirm that the computer is back online after the reboot. This process could easily take 30 minutes per computer, which is fine if you just have a few, but what if you have dozens or hundreds or even thousands of computers to manage?

With BatchPatch you can add all of the desired computers to a grid, and then select the entire lot to ‘Download and install updates + reboot if required.’ Instead of having to individually log on to each computer to perform the action, BatchPatch will remotely connect to every computer at the same time to initiate and monitor the whole process. You can have the entire fleet of computers updated and rebooted within a matter of minutes. How’s that for automation! BatchPatch can perform almost any action that you would ever need to perform on remote computers, and it can do all of the remote computers simultaneously. This is great for deploying software or updates, or for executing remote commands or scripts, or for retrieving information or updating registry values etc.

Example:
batch-install-windows-updates

Scheduled Tasks:

Ok, so you’ve been using BatchPatch to manage updates, but what if you don’t even want to touch the BatchPatch console? You could further automate your updating process by scheduling task to occur at a desired date/time, so that when that time arrives BatchPatch will automatically launch the tasks that you scheduled across whichever target computers you created the schedule for. You can even have it email you a copy of the BatchPatch grid for review so that you don’t have to touch the BatchPatch console during the maintenance window, if so desired.

Another automation option for scheduled tasks is the facility in the scheduler to ‘Run task immediately upon detecting target computer online’. This option let’s you configure a scheduled task to run as soon as BatchPatch detects the target computer on the network, rather than having to wait for a specific scheduled date/time for the task to run. This way if you have computers that are frequently pulled off the network, instead of scheduling an update process to occur at a date/time, since you don’t know if the computer will be connected to the network at that time, it’s often easier to just have BatchPatch run the task as soon as the computer is detected online.

Example:
using-the-task-scheduler-in-batchpatch

Job Queues:

If you need to run multiple different tasks in a specific sequence so that you can start and stop scripts before and after patching, or execute multiple patch and reboot cycles with a single click, or any number of other things, check out the Job Queue feature.

Example:
using-the-job-queue-in-batchpatch-for-multi-step-execution

Multi-Row Sequences:

What about the case where you have multiple computers that are all dependent on one another in some way, such that you want to make sure that only one of them is taken offline at any given time. Or perhaps you want/need to apply updates and reboot these computers in a specific order. Or maybe it’s a virtual machine host with a number of virtual machine guests on it, and you want to apply updates to all guests first, and then when the guests are complete you want to update and reboot the host. Well, you could certainly oversee this process manually. You could make sure to be careful about which machines you update and in which order and when. However, wouldn’t it be nice if you could kick off these entire sequences with a single click rather than having to manually manage the whole process? BatchPatch has a feature called “Advanced multi-row queue sequence” that enables the administrator to construct sequences of actions across multiple computers for maximum automation and control.

Example:
advanced-multi-row-queue-sequence

Posted in Blog, General | Tagged Automated Patch Management, automation | Comments closed

Remotely Uninstall Firefox from Multiple Computers

By Scott | Published: May 21, 2018

Removing Firefox from numerous computers does not have to be a tedious process. While you could certainly use remote desktop to connect to each target computer and then manually launch the add/remove programs applet, this would take a very long time if you had to perform the task on dozens or perhaps hundreds or even thousands of computers. Alternatively you could just use BatchPatch to perform this task on all of your remote computers at the same time, enabling you to effectively uninstall Firefox from your entire network of computers in under a minute. The process if very straightforward and simple.

First you’ll just need to identify the installation directory on your computers. For example, on my lab computers Firefox is installed in either “C:\Program Files\Mozilla Firefox” or “C:\Program Files (x86)\Mozilla Firefox”. If your computers have Firefox installed in a different directory then just make sure you substitute your installation directory in the command instead of using the one in my command.

In order to remove Firefox from numerous computers using BatchPatch, we first have to be able to successfully uninstall it from a single computer at the command prompt with no user interaction. We need the process to execute “silently” or “quietly” so that it simply runs to completion without needing any additional interaction from the user or administrator to complete the process. We don’t want a situation where we have to click “yes” or confirm in some other way to proceed with the uninstallation. We just want the process to run on its own after we launch it. So first to confirm that we are able to successfully remove the software from just one computer using the command prompt rather than BatchPatch, we execute the following command in a cmd.exe window.

The x64 version of Firefox default setup uninstall command:

"C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /S

The x86 version of Firefox default uninstall command:

"C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /S

Run the command and make sure that it successfully removes Firefox. If the command does not successfully remove Firefox on your computer at the command prompt, then there’s no way that BatchPatch will be able to remotely execute the same command with success. However, the command should work for you just as it did for me to completely remove Firefox. Once confirmed, we can then run the same command in BatchPatch to target numerous remote computers, simultaneously.

We highlight the desired target computers in our BatchPatch grid and then select ‘Actions > Execute remote process/command > Create/modify remote command 1’

In the command window you may insert the removal command just as I have done here:

Click ‘Execute’ to launch the command on all of the selected/highlighted hosts in the BatchPatch grid. In my lab the entire process completes in just a handful of seconds. Firefox is removed, and I can go on about my other business. 🙂

Posted in Blog, General, Tutorials | Tagged remote uninstall software, remove firefox, remove software remotely, uninstall firefox | Comments closed

Clearing Column and Grid Contents in BatchPatch

By Scott | Published: May 10, 2018

Beginning with the March 2018 version of BatchPatch we improved the functionality for clearing specific grid contents. In the past there were a handful of pre-defined methods hard-coded into the BatchPatch menu that one could use to clear the contents of a group of columns. However, we would regularly receive requests from our users to add new custom selections. For example maybe John would want to be able to clear columns A, B, and C, but Jill would want to be able to clear columns B, C, and D, and then Mike would come along and want to clear columns C, D, and E. It was always possible to clear a specific set of desired columns, but it was not possible to save a selection list so that you could quickly clear the contents of a custom, pre-defined group of columns over and over and over without having to re-select the group. You would have to either use one of the pre-defined lists that we coded into the app, or you could manually select the list of columns that you would want to clear each and every time you would want to clear them, which was a tedious process.

In the March 2018 version we updated the functionality so that now you can easily select a group of columns that you want to clear, and you can then save that group for easy future clearing. The process is outlined below.

Create Custom Selections Lists for Clearing Column / Grid Contents

Select ‘Actions > Clear column contents > Create/modify selections‘

In the window that appears, select the columns that you want to clear. You could simply click ‘Clear contents of selected columns now‘, which would perform the operation on the currently highlighted rows in the grid, but if you instead specify a title for the selections list, you can then save the list using the double-arrow button. You can see in the screenshot that I have saved a few different entries.
After you save the desired selections and close the window you will now be able to clear columns of the selected rows on-demand very quickly by selecting ‘Actions > Clear column contents > Execute saved selections‘
Additionally, once you have saved a selection list it will appear in the Job Queue window and Scheduled Task window so that you can clear column/grid contents from inside a job queue or scheduled task.

Posted in Blog, General, Tutorials | Tagged clear columns, clear contents, clear grid | Comments closed

BatchPatch Error: -102: Failed to execute the search. HRESULT -XXXXXXXXXX

By Scott | Published: May 2, 2018

BatchPatch Error: -102 is one of the most common errors that users experience. In general, it indicates that the target computer had some type of problem connecting to the update server, which can be either your local WSUS (Windows Server Update Services) server or Microsoft’s public Windows Update or Microsoft Update server.

In your ‘Remote Agent Log’ column you will see the full error, which always includes a HRESULT value. If you closed BatchPatch without saving the HRESULT code, you can still view this in the target computer’s BatchPatch.log and/or BatchPatchError.log, which will both be stored in the remote working directory. The default location is C:\Program Files\BatchPatch unless you have modified the ‘Remote working directory’ location under Tools > Settings > General.

You can think of the HRESULT value as a sort-of ‘reason code’ for the issue. So the -102 value simply means that there was a problem with the target computer’s ability to communicate with or connect to the update server. The HRESULT value will be the reason why there was a problem. Below are most of the HRESULT values that have ever been reported to us, as well as possible explanations for why they might occur.

Note, the HRESULT value is reported in decimal format, but it’s helpful to convert it to hex for the sake of google searching for a solution. The hex value is much more likely to turn up helpful search results in comparison to the decimal value. Please see the bottom of this page for a description of how to convert decimal values to hex. Once you have the hex representation of the HRESULT, you can look it up here to see what it means: Windows Update Error Code List

Various HRESULT values that might be seen with a -102 error

Error -102: Failed to execute the search. HRESULT: -2147012866

0x80072EFE -2147012866 ERROR_INTERNET_CONNECTION_ABORTED
The connection with the server has been terminated.

This error could indicate a proxy configuration problem. For more details on using BatchPatch with an enterprise proxy, please see: using-batchpatch-with-an-enterprise-web-proxy

Alternatively, it’s possible that this error could be caused by any type of application running on the target computer that could sever a network connection. For example, a Host Intrusion Protection/Prevention (HIPS) application, an anti-virus application, or a similar security suite.

Error -102: Failed to execute the search. HRESULT: -2145124322

0x8024001E -2145124322 WU_E_SERVICE_STOP
call was aborted due to service stop or system shut down

This error would usually occur if the Windows Update service on the target computer was in the process of stopping, or if the computer was in the process of rebooting. Make sure the target computer is online and its Windows Update service is started/running.

Error -102: Failed to execute the search. HRESULT: -2145107934

0x80244022 -2145107934 SUS_E_PT_HTTP_STATUS_SERVICE_UNAVAIL
Http status 503 - temporarily overloaded

This likely indicates an issue with your WSUS server. It could be a transient load problem or it could indicate that the server needs a reboot or that the web service is not responding properly.

Error -102: Failed to execute the search. HRESULT: -2145107924

0x8024402c -2145107924 WU_E_PT_WINHTTP_NAME_NOT_RESOLVED
Winhttp SendRequest/ReceiveResponse failed with 0x2ee7 error. Either the proxy server or target server name can not be resolved. Corresponding to ERROR_WINHTTP_NAME_NOT_RESOLVED. Stop/Restart service or reboot the machine if you see this error frequently.

This is the error that we would expect to see if your WSUS were offline or if there were a DNS or proxy problem preventing the target computer from establishing a connection with the WSUS.

Error -102: Failed to execute the search. HRESULT: -2147023838

0x80070422 -2147023838 ERROR_SERVICE_DISABLED
The service cannot be started. If BITS service is disabled by the Administrator, then this error will be seen.

Make sure the Windows Update service and the Background Intelligent Transfer Service (BITS) are started on the target computer.

Error -102: Failed to execute the search. HRESULT: -2147012867

0x80072EFD -2147012867 ERROR_INTERNET_CANNOT_CONNECT
The attempt to connect to the server failed.

Make sure that the target computer actually has access to the internet. If you have a proxy in your environment, this error could indicate a proxy configuration problem. For more details on using BatchPatch with an enterprise proxy, please see: using-batchpatch-with-an-enterprise-web-proxy

Error -102: Failed to execute the search. HRESULT: -2147012894

0x80072EE2 -2147012894 ERROR_INTERNET_TIMEOUT
The request has timed out.

Error -102: Failed to execute the search. HRESULT: -2145124306

0x8024002E -2145124306 SUS_E_WU_DISABLED
non managed server access is disallowed

We have seen this occur when in Group Policy or Local Policy the following setting is enabled Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off access to all Windows Update features

Error -102: Failed to execute the search. HRESULT: -2145103860

0X8024500C -2145103860

We have only ever seen this occur in the following situation:
–The target computer is configured via Group Policy or Local Policy to search for updates on your local WSUS server (the relevant policy is ‘Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location’)
AND
–In BatchPatch under ‘Tools > Settings > Windows Update‘ the ‘Server Selection‘ value is set to either ‘Windows Update’ or ‘Microsoft Update’
AND
–In Group Policy or Local Policy the following setting is enabled: ‘Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not connect to any Windows Update Internet locations’

Error -102: Failed to execute the search. HRESULT: -2145123272

0X80240438 -2145123272

We have seen this occur when the WSUS server is offline or non-existent

Error -102: Failed to execute the search. HRESULT: -2145107943

0x80244019 -2145107943 SUS_E_PT_HTTP_STATUS_NOT_FOUND
Http status 404 - object not found

This means that the target computer is not able to connect to the update server. If you are using WSUS, make sure that the server is online and reachable, and make sure your group policy setting for Specify intranet Microsoft update service location is correct. More here on WSUS and group policy. If you are not using WSUS, make sure the target computer has internet access, and make sure your proxy settings are correct. More here on proxies with BatchPatch and Windows Update.

Error -102: Failed to execute the search. HRESULT: -2145107940

0x8024401c -2145107940 WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT
Http status 408 - server timed out waiting for request

The target computer is trying to connect to the update server, but it’s timing out. This likely indicates either a network issue or an issue with the update server. If you’re using WSUS then it’s probably an issue with the WSUS. If you’re using Windows Update or Microsoft Update then it’s probably a temporary issue with Microsoft’s public update server. If you use a proxy in your environment, this error could also be the result of that. More here on proxy configuration for BatchPatch and Windows Update.

Error -102: Failed to execute the search. HRESULT: -2147024894

0x80070002 -2147024894
ERROR_FILE_NOT_FOUND "The System cannot find the file specified"

This is probably one of the least common errors that one would be likely to see with -102. We have only ever had a small handful of users report it. It indicates that there is a problem with Windows Update on the target computer. It’s not a BatchPatch problem per se. We would expect the same error if you tried to run Windows Update directly on the target computer. When only a search for updates is performed there is no file that BatchPatch provides that could be missing, and yet the error indicates Windows Update cannot find a file that it needs. All of the users who experienced this issue and reported it to us were able to resolve it by manually downloading and installing Silverlight. We believe that the installation of Silverlight likely somehow resets the broken/missing Windows Update components. One of the users reported that the way this issue manifested in the first place was due to sysprep’ing an image that had a feature upgrade applied possibly before completing the multiple reboots that the feature upgrade required to get to 100% installed/rebooted. It is probably the case that after the issue is resolved Silverlight can then be uninstalled. If you experience this issue and have any additional information to provide about the cause or resolution, please contact us and we’ll update this page accordingly.

Error -102: Failed to execute the search. HRESULT: -2145124302

0x80240032 -2145124302
WU_E_INVALID_CRITERIA "Invalid criteria string"

Generally the only reason this would occur is if you try to use a search string intended for a newer OS on an older OS where it isn’t supported. This can happen if you select Search for only optional software updates when you execute a search for updates on a target OS that is not Windows 10/2019 build 1809 or newer.

Error -102: Failed to execute the search. HRESULT: -2146762495

0x800B0101 -2146762495
CERT_E_EXPIRED

Check the certificate on your WSUS. Also check date/time settings on all computers.

Error -102: Failed to execute the search. HRESULT: -2145124297

0x80240037 -2145124297
WU_E_NOT_SUPPORTED "The invoked functionality is not supported."

We have had only a couple of reports of this in the past. Both were the result of the user running a version of Windows on hardware that Microsoft does not support for that version of Windows. Microsoft blogged about the changes to hardware support here: https://blogs.windows.com/windowsexperience/2016/01/15/windows-10-embracing-silicon-innovation/

Both affected users reported success with the following workaround, which attempts to enable Windows Update in cases where it is disabled due to running on unsupported hardware. We do *not* recommend or encourage this approach, nor do we recommend running Windows on unsupported hardware in the first place, but since a couple of our users have reported success with it, we are including it here for reference. Try it at your own risk: https://github.com/zeffy/wufuc/releases

Error -102: Failed to execute the search. HRESULT: -2147024882

0x8007000E -2147024882
WU_E_OUTOFMEMORY

Increase the available RAM to resolve this error.

Error -102: Failed to execute the search. HRESULT: -2145124338

0x8024000E -2145124338
SUS_E_XML_INVALID

While this is not an out-of-memory error, we have seen instances of this error result from not enough available RAM during actions run in offline mode. Increasing RAM resolved the issue in those cases. However, there could be other causes for this error that have nothing to do with available memory.

How to convert HRESULT decimal values to hex

HRESULT codes will be in decimal format, but we usually need to convert them to hex in order to figure out what they mean. The easiest way to do that is with your Windows calculator. Launch calc.exe and switch to the ‘Programmer’ calculator by clicking the button in the upper left corner of the calculator window.

In the Programmer calculator select DEC and paste in your HRESULT value. You can then see the HEX value. In this example I’ve pasted -2147012867, and we can see the HEX value is 80072EFD.

Once you have the hex representation of the HRESULT, you can look it up here to see what it means: Windows Update Error Code List

Posted in Blog, General, Tutorials | Tagged 102, windows update | Comments closed

How to Execute Batch Files (.bat or .cmd) on Remote Computers

By Scott | Published: April 23, 2018

Running batch files on target computers is actually a very easy process using BatchPatch. You can execute the same .bat or .cmd file on numerous remote computers simultaneously with just a few clicks. Perhaps the only confusing aspect of this process is that we won’t use the ‘Remote process / command’ action in BatchPatch to perform this task. It may seem like the intuitive choice to use ‘Remote process / command’, but instead it’s actually much simpler to use the BatchPatch ‘Deployment’ feature to accomplish our goal here. We tend to think of deployments as being specific to installing or deploying a package on target computers, but it’s actually the simplest way to run batch files remotely too. This is because a BatchPatch deployment works by having BatchPatch first copy the desired file or files to the target computer(s), and then once the file or files have been copied, BatchPatch executes the deployment, which in the case of a .bat of .cmd means that BatchPatch will run the batch file using cmd.exe on each of the desired target computers.

In your BatchPatch grid highlight the rows for the desired target computers (this can be any number of rows/hosts), then click ‘Actions > Deploy > Create / modify deployment’

In the ‘Deploy’ window that appears click the triple-dot (…) button to select the batch file to deploy. The file extension of your batch file should be .cmd or .bat

We are going to be deploying a single batch file, so we select the ‘Normal (singular) deployment’ radio button option and then click OK to browse to the location of our batch file. Note, the ‘Multiple update file deployment’ option is only allowed for .msu, .msi, and .msp package deployments.

In the ‘Deploy’ screen you’ll see that the filepath of the .cmd or .bat file is now displayed in the corresponding field. For the sake of this example the only text inside my .cmd file is an ‘IPCONFIG’ command, so I’m going to tick the box to ‘Retrieve console output.’ However, note that the ‘Retrieve console output’ checkbox is not compatible with all deployments, and in some cases ticking this box will cause the deployment to fail outright.

At this point the deployment configuration is complete. It’s really *that* simple. I’m going to click ‘Execute now’ to execute the deployment for the selected row(s) in the grid, but you may optionally save the deployment for future execution by using the double-right-arrow button, or you may apply the deployment to the selected rows without actually executing it by clicking on the ‘Apply deployment…’ button.

Since my batch file contained just a single simple command it executed almost instantly. We see the ‘Deployment: Exit Code: 0’ in blue, and the output of the IPCONFIG command can be viewed in the ‘Deployment Output Log’ column. That’s all there is to it.

Posted in Blog, General, Tutorials | Tagged .bat, .cmd, batch, batch file deployment, remote execution | Comments closed

Using the Task Scheduler to Synchronize a BatchPatch Grid with Active Directory OUs and Groups

By Scott | Published: April 10, 2018

If you want to have BatchPatch automatically synchronize a grid with certain Active Directory organizational units (OUs) and groups at a scheduled time, you can do this now using the Task Scheduler in BatchPatch.

The idea here is that instead of manually adding and/or removing computers from your BatchPatch grid, you can link a grid with any number of Active Directory OUs and groups. Then if you add or remove computers from the Active Directory OUs or groups that are linked to a grid, you can update the grid with the AD changes by simply synchronizing the grid with the linkes OUs and groups. We have a tutorial that demonstrates the basic synchronization functionality here, but today I’m going to show you how to synchronize the grid with a scheduled task instead of kicking it off manually.

The first thing you need to do is link your grid to the desired OUs and/or groups in Active Directory. To do this select ‘File > Synchronize grid with directory‘
In the window that appears enter a single LDAP path to a security group or an organizational unit.
If the logon account that you are using to run BatchPatch is not on the domain of the OU/group that you are adding or simply does not have the required permissions to view the directory, then you’ll need to specify credentials, which you can see I’ve done in the screenshot above. You also have the option to check the ‘Recurse sub-OUs‘ box. This means that the search for computers will include not only the computers in the specified LDAP path but will also contain computers in any sub-OUs in that same path. After you have entered the desired LDAP path, click the button to ‘Verify path and add to list.’ BatchPatch will attempt to connect to your Active Directory at the specified LDAP path. If successful it will list the computers in the specified OU or security group.
The computers contained in the specified OU or group will be listed. This simply helps you verify that you have entered the correct path information to the desired security group or OU. Click OK to include this LDAP path. You’ll see that the path will be added to the list below.
You may link a single BatchPatch grid to any number of OUs and/or security groups. In the screenshot below you can see that I have my grid linked to two different OUs.
At this point if you want to complete a manual synchronization you could simply click the button ‘Synchronize BatchPatch grid now.’ Doing so would initiate a search for all computers in the specified OUs and security groups. You would then be prompted to add those computers to the grid, or if any computers were found in the grid that were not found in the OUs and groups, you would be provided the option to remove those computers from the grid too.
However, for the sake of this tutorial we are not going to complete the synchronization right now. Instead, cancel the Synchronization Results window and instead just click OK on the Synchronization Settings window. Now your LDAP paths are linked to the grid, which means you can initiate the synchronization via scheduled task.

At this point I’m going to select any row in the grid. You could even create a “dummy” row that is expressly for the purpose of synchronizing your grid to AD. To synchronize the entire grid you only need to create a scheduled task for a single row. With the desired row selected, click ‘Actions > Task scheduler > Create/modify scheduled task’.

In the Task Scheduler window that appears choose a synchronization task from the Task drop-down menu. Choose either ‘Synchronize grid with directory (add hosts only)‘ or ‘Synchronize grid with directory (add and remove hosts)‘. Then set a task time/day, and click OK. Make sure to enable the task scheduler by clicking the small clock icon in the upper right corner of the BatchPatch window. Green is enabled. Red is disabled. If the scheduler is disabled, no scheduled tasks will be executed.
I have selected the ‘add and remove hosts’ option so that when the grid synchronization completes, not only will hosts that exist in the OUs/groups be added to the grid if they are not already in the grid, but also any hosts that appear in the grid that do not exist in the linked OUs/groups will be removed from the BatchPatch grid. Note, the row that initiates the synchronization will not be removed from the grid even if it does not exist in the linked OUs/groups. Also note, if BatchPatch fails to connect to one or more of the linked OUs/groups, no host removal will occur. In that case only host addition will occur. BatchPatch errs on he side of caution in this case to prevent erroneous removal because if a linked OU or group cannot be searched for whatever reason, BatchPatch does not know if that OU or group would contain hosts that might otherwise be removed from the grid, so BatchPatch simply leaves them as-is and does not remove them from the grid.

When the task is executed the hosts that exist in the OUs and groups that do not already exist in the grid will be added to the grid. The hosts that exist in the grid that do not exist in the OUs and groups will be removed from the grid, with the exception of the host/row that executed the scheduled task, as mentioned above.

Posted in Blog, General, Tutorials | Tagged active directory, grid synchronization, scheduled task, sync, synchronization, task scheduler | Comments closed

Using Email Notifications to Check Status of Automated Patching Events

By Scott | Published: March 27, 2018

Although we tend to think that BatchPatch really shines when used to execute and monitor patching operations in real-time on numerous remote computers, we have many customers who use BatchPatch to schedule various actions to occur in an automated fashion without any administrator involvement. We don’t recommend this for critical server patching because usually those servers have a very specific up-time requirement, and they need to be patched in real-time with administrator oversight, so that up-time requirements are not violated. But for all of the other times when the target computers can be patched without real-time monitoring, the BatchPatch scheduler is a great way to get things accomplished in the middle of the night without having to be awake while everything is taking place.

Now, the thing with applying Windows updates or deploying software or rebooting many computers via an automated job, whether that be in the middle of the night or on a weekend or some other time altogether, is that the administrator generally always still wants (and needs) to be able to know the status of all the jobs that are being performed without having to actually monitor the process in real-time. For this we recommend using the task scheduler to not only launch the deployments, update jobs, reboots, scripts etc, but also to send email status updates to the administrator, so that he/she can review everything without accessing the BatchPatch console. For the 3AM automated patching windows, wouldn’t it be convenient to wake up in the morning and simply check your email on your mobile phone while still lying in bed in order to determine if all 3AM operations completed without issues?

This link demonstrates the different ways you can send email notifications in BatchPatch, but below I’m going to focus on the specific case of sending a single automated email message to provide status information about all of the hosts in the grid (or about all computers in all of the grids open in the BatchPatch instance).

Configure Default Email Notification Settings

If you have not ever sent email notifications in BatchPatch before, the first thing you need to do is set your defaults.

Select ‘Tools > Settings > Email notifications‘
Fill out all of the fields and use the ‘Send test email’ button to confirm that everything is working.
For this example we are using $grid as our body text. What that means is that when BatchPatch sends the email it will include a copy of the current BatchPatch grid. If you use $allgrids instead of $grid, the email will include a copy of all of the open grids in the BatchPatch instance. Since our goal in this tutorial is to have a single email provide the status of all computers in the grid, we use $grid. If you want your email to only include the status of the single host/row that is being used to send the email, then you could use $row instead.
- $row: If you specify $row in the body, the entire contents of the BatchPatch row that initiates the email notification will be included with any email notification that is sent.
- $grid: If you specify $grid in the body, the entire contents of the grid that contains the row that initiates the email notification will be included with any email notification that is sent
- $allgrids: If you specify $allgrids in the body, the entire contents of the all the grids in the entire BatchPatch instance that contains the row that initiates the email notification will be included with any email notification that is sent.

Now, let’s say that you have a BatchPatch grid where all hosts are scheduled to be updated and rebooted at 3AM. And let’s assume that you expect all operations to be completed with all hosts back online by 3:30AM. Well, you could then choose to send an email notification at 3:30AM or 4AM (or whenever makes sense for your situation) that includes a copy of the entire grid as an HTML attachment to the email message. This way you can review if your patching was successful or not and if all computers have come back online or not yet etc.

Sending an HTML copy of the entire BatchPatch grid via email

Create a new row in your BatchPatch grid. The host name does not really matter since it will be used strictly for sending an email notification. You could even have the host name as ‘EMAILER’ or similar, like in the screenshot below.
Select the ‘EMAILER’ row and choose ‘Actions > Task scheduler > Create/modify’. Then set the task to ‘Send email notification’ for the desired time, which in this case is 03:30. Then click OK to apply that task schedule to the ‘EMAILER’ row.
Lastly, make sure to enable the task scheduler by clicking on the small clock icon in the upper right corner of the BatchPatch grid. If this icon is red, the task schedule is disabled. When the icon is green it means the task scheduler is enabled/running. A scheduled task will only ever be executed if the task scheduler itself is active/enabled/running.

At 3:30AM when the task is executed it will send an email notification using the default settings that you filled out earlier under ‘Tools > Settings > Email notifications.’ This means that an HTML copy of the entire grid will be sent to the email address(es) configured in that screen. Remember we used the $grid variable to specify that we want the entire grid emailed. If you have multiple tabs/grids open in BatchPatch you might instead prefer to use $allgrids.

Posted in Blog, General, Tutorials | Tagged email notifications | Comments closed

BatchPatch Hardware Requirements and Recommendations

By Scott | Published: March 14, 2018

We have never previously posted any specific information about the type of hardware required to run BatchPatch because the reality is that BatchPatch should run fine on almost any modern Windows computer. We have run it without issue on systems with very limited hardware capabilities, but there are still a handful of things worth considering with regard to performance expectations.

RAM: We suggest having at least 2MB of free RAM available on the BatchPatch computer for each simultaneous target computer that you plan to patch. This means if you want to patch 100 target computers all at the same time, then you would need to have at least 200MB of free RAM.

CPU: Generally speaking we have found that on most modern computers it shouldn’t be a problem to patch at least a few hundred target computers at the same time. We have many customers who do more and many who do less. A faster CPU can help with grid performance when patching a very large number of computers, simultaneously. A particularly slow CPU would likely cause noticeable stuttering when trying to patch a large number of computers, so we don’t recommend running BatchPatch on a device with an ultra-low voltage CPU, such as the Atom processor, for example.

Network Interface: BatchPatch has to maintain communication with every target computer during the operation, so it’s a good idea to have a gigabit network connection on the BatchPatch computer, though it’s not absolutely required.

WSUS: If you are using a WSUS, please note that if you instruct a large number of target computers to search for and/or download updates from your WSUS all at the same time, the WSUS computer would need to be able to support all of those connections. WSUS does not have significant hardware requirements, so it’s not necessarily going to be a problem. I only mention it as something to be aware of. We like to use GPO to pre-download the updates to target computers so that when the server maintenance window begins, the updates may be installed immediately on target computers without having to wait for download to complete and without any potential, albeit unlikely, bottleneck at the WSUS. More here.

Maximum Hosts: BatchPatch does not impose any limit to the number of computers that may be added to the grid. However, if you were to add 10,000 target computers to a grid and if you were to try to install Windows updates on all of those computers simultaneously, I can pretty much guarantee that the user interface is going to lock up, even if you are running BatchPatch on a very powerful computer. Our general philosophy has always been to provide the sysadmin with as much flexibility as possible without placing any artificial or seemingly arbitrary restraints on the software as far as performance is concerned. Essentially, we don’t prevent the administrator from shooting him/herself in the foot. However, BatchPatch does provide a couple of performance settings that can be used to make sure something like this does not happen. Under ‘Tools > Settings > General‘ you will find ‘Concurrent Thread Maximum‘ and ‘Concurrent File-Copy Operations Maximum‘.

The Concurrent Thread Maximum setting enables the administrator to specify a maximum number of simultaneous operations that will be allowed in the grid. For example, if this value is set to 100 (default), then if you launch an action on 500 computers all at the same time, the first 100 will begin processing while the other 400 will queue until threads become available from the first 100 as they complete their operations. You can set this value to 0 to remove the cap and allow unlimited simultaneous actions. However, please be mindful that you could cause the GUI to lock up if you try to handle too many actions at once. Though also please note that if the GUI *does* lock up in this case because you tried to process too many simultaneous hosts, usually it will unlock eventually as actions are processed. It is best to leave it alone until it finishes (be patient) rather than forcibly closing the application. I am reminded of one customer who mentioned that he patches approximately 5000 computers simultaneously in one BatchPatch grid. He knows that when he launches the operation that it’s going to cause the GUI to freeze/hang, but he simply leaves it for 45 minutes. When he comes back to it, all 5000 computers have been patched, and the GUI is no longer frozen.

The Concurrent File-Copy Operations Maximum setting enables the administrator to specify a maximum number of simultaneous file copies that the BatchPatch computer will perform when copying files to target computers. This is not limited to files that are copied via ‘Actions > Copy file/folder‘. It also includes files that are copied to targets during Windows Update, such as when cached mode is enabled. The default value is set to 6, which we find to be a good number for most situations. However, there is no problem with increasing this value, if you so desire. It’s hard to know what the best balance is between total number of concurrent copies allowed vs speed of each individual copy. At some point when increasing this value there will likely be diminishing returns.

Posted in Blog, General, Tutorials | Tagged concurrent, hardware, performance, simultaneous, windows update | Comments closed

Creating a Recurring Scheduled Task in BatchPatch

By Scott | Published: March 5, 2018

Today I’m going to talk about the Task Scheduler, recurrence, and the alternative options available to BatchPatch users needing to create tasks that execute more than just one time.

Let’s start with the standard recurrence options available in the Task Scheduler options.

Scheduled Tasks with Standard Recurrence (Daily, Weekly, Monthly)

To create a standard recurring scheduled task, highlight the desired rows/hosts in the BatchPatch grid, and then select ‘Actions > Task scheduler > Create/modify scheduled task.’
In the window that appears you must select the desired task to be executed from the Task drop-down list. Then set the reference time. NOTE: When you modify the reference time, the run time automatically changes accordingly. For all scheduled tasks that have no recurrence option set, the run time will be the same as the reference time. Also when any standard recurrence option is set (daily, weekly, monthly), the run time will be the same as the reference time. However, when you create a recurring task with one of the recurrence options that says “+ X days” you’ll see that the reference time and the run time will differ by the X value, in days. We’ll get into more detail with that option later on in this posting.
Finally, choose your recurrence option – daily, weekly, or monthly. Then click OK to apply the scheduled task to the highlighted rows. Make sure the scheduler is running/enabled, by clicking the clock icon in the upper right corner of the BatchPatch window. When it’s green the scheduler is running/enabled.

Scheduled Tasks with Advanced Recurrence (+ X days)

When it comes to Windows Updates, as patching administrators we all know that Microsoft generally releases updates on the 2nd Tuesday of each month. This day has become known as “Patch Tuesday.” Wouldn’t it be convenient if you could just set a schedule to automatically download and install updates at some time/day that is always X days after Patch Tuesday?

While we do not recommend installing Windows Updates *immediately* after Patch Tuesday, we *do* recommend installing the updates within a couple of weeks of Patch Tuesday. The idea here is all about mitigating risk. There is a real risk involved in installing updates, particularly on production servers, *immediately* after they are released. This is because Windows updates can and sometimes do actually break things. On the flip side, if you wait months to install updates, you leave your machines exposed to vulnerabilities that would be fixed by applying the updates in question. We tend to think the sweet spot for installing updates is usually some time between 4 days and 2 weeks after the updates have been released by Microsoft. This gives ample time for those updates to be tested in your lab instead of in your production environment, and it also gives time for other people around the world to report any issues that they encounter, while still getting the updates applied somewhat soon after they are initially released, thereby protecting your machines from being exposed for any longer than necessary.

So, let’s say your scheduled maintenance window occurs on the first Saturday after Patch Tuesday. While Patch Tuesday is always the 2nd Tuesday of the month, the Saturday that comes after is not necessarily the 2nd Saturday of the month. For example, in the current month (March 2018) the Saturday that comes after the 2nd Tuesday of the month is actually the 3rd Saturday of the month. So if we want to reliably have a scheduled task that always recurs on the Saturday that comes after the 2nd Tuesday, we need to be able to schedule it for “Monthly (2nd Tuesday) + 4 days.” If we instead scheduled it for every 2nd Saturday, we’d encounter many months where we’d end up running the task on the Saturday *before* instead of the Saturday *after* Patch Tuesday. This would obviously be unacceptable. Hence why the BatchPatch recurrence options include functionality for ‘Monthly recurrence + X days’. When you select this option from the ‘Recurrence’ drop-down menu in the BatchPatch Task Scheduler, you’ll notice that the run time is no longer the same as the reference time. The reference time gets set to the actual 2nd Tuesday of the month, while the run time is set to the following Saturday. In each month no matter which day the 2nd Tuesday lands on, with this setting your scheduled task will always end up recurring on the 1st Saturday following the 2nd Tuesday. Pretty cool, right?

Scheduled Tasks with Multiple Tasks Scheduler

If for any reason the recurrence options do not suit your needs or desires, you may always just use the ‘Multiple Tasks Scheduler.’ This feature enables you to set a specific task to run at specific days/times for a given host. For this you would just click the button ‘Create Multiple Scheduled Tasks‘ and then set your desired tasks accordingly. In the screenshot below you can see that I have 3 different run dates and times set for a task. I could populate as many different run dates and times as I want, effectively allowing full customization of the schedule.

Scheduled Tasks with Multiple Rows Per Host in the Grid

The other option that’s always available instead of using the built-in recurrence options and instead of using the built-in ‘Multiple Tasks Scheduler’ is to simply populate the grid with multiple rows for each host. So if you want to set 3 different scheduled tasks for a given host, you can add that host to the grid 3 times. Then in each row you could create a different scheduled tasks, as illustrated in the screenshot below.

Posted in Blog, General, Tutorials | Tagged multiple tasks scheduler, recurrence, remote windows update, scheduled task, task recurrence, windows update | Comments closed

Deploying Windows Feature Upgrades/Updates Remotely to Multiple Computers

By Scott | Published: February 26, 2018

Beginning with BatchPatch version 202004, Windows 10 ‘feature upgrades’ or ‘feature updates’ such as 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2, 21H1, 21H2 etc can all be installed with the normal Windows Update actions in BatchPatch (you must disable cached mode and also check the ‘Upgrades’ classification under ‘Tools > Settings > Windows Update‘). However, the alternate Windows 10 feature update deployment method outlined below can be used with any version of BatchPatch.

Use the Windows 10 Media Creation Tool to obtain the ISO installation media for the version of Windows 10 that you want to deploy. You can download the Windows 10 Media Creation Tool directly from Microsoft at this link. It will enable you to obtain the most recent version of Windows 10, which at the time of this writing is version 1709. You cannot use this tool to obtain anything other than the current/latest version, so if you are needing an older version then you would have to obtain it through some other means, such as through a volume licensing agreement with Microsoft.

Run the media creation tool. When you run the media creation tool you *must* be logged on to the computer as a local administrator. It is *not* sufficient to use ‘run as’ to run the tool with elevation as an administrator. You must actually be logged-on to the computer as the administrator before you run the media creation tool, otherwise the tool will not let you proceed.

Create installation media. When you run the media creation tool you will have the option to either Upgrade this PC now or Create installation media (USB flash drive, DVD, or ISO file) for another PC. Select the option to Create installation media, and then click Next.

Choose the language, the edition, and the architecture when prompted, and then click Next again.

Select destination media type. The media creation tool gives you the option of putting the installation files on a USB flash drive or into a single ISO file. For this tutorial please choose ISO, and then click Next. You will be prompted for a location on disk to save the ISO file. Choose a file destination and wait for the download to complete.

Extract ISO contents. After the ISO download has completed, extract the contents of the ISO file to a new directory on your computer. While you can use almost any extraction tool for this process, I prefer and recommend 7-zip, which is available for free. After the extraction is complete you will have a folder that contains all of the required installation files.

Create the BatchPatch deployment. Select Actions > Deploy > Create/modify. In the Deployment interface, select the setup.exe (from the extracted contents of the ISO) as the file to deploy, and make sure to check the ‘Copy entire directory‘ box and the ‘Leave entire directory‘ box, so that when the target computer is rebooted multiple times during the upgrade/installation, it still has access to all of the files required for the upgrade. ( After the upgrade is complete you may delete the files, but just please make sure that you don’t delete them while the upgrade is still working. Also note, the target computer will reboot multiple times during the upgrade before it’s complete. ) In your deployment configuration you will additionally need to add the following parameters:
/auto upgrade /quiet

Execute the deployment. When you are ready you can either save the deployment to execute later by using the double-right-arrow ‘>>’ button, or you can execute the deployment now for the currently selected rows in the BatchPatch grid by clicking the Execute now button. The deployment will take some time because BatchPatch has to copy multiple GBs of data to the target computers before it can execute the upgrade. When BatchPatch shows Exit Code: 0 (SUCCESS) for a given target computer you should expect that the target will still be working and will still reboot at least one time but possibly multiple times while Windows is upgraded and configured on the target, so be patient and let it do its thing!

NOTE: We have had two reports where a user received the following error:
Deployment: Error: Access to the path '\\TargetComputer\C$\Program Files\BatchPatch\deployment\autorun.inf' is denied.
It’s unclear why these two users experienced this error while many others, including us, have executed the deployment successfully without encountering the error. My guess is it might have something to do with the application used to extract the .ISO file. Nonetheless, if you encounter the error it can be resolved by simply deleting the autorun.inf file from the source directory before beginning the deployment.

Posted in Blog, General, Tutorials | Tagged 1607, 1703, 1709, feature update, feature upgrade, Windows 10, windows 2016 | Comments closed