Remote Windows Update Script

Many sysadmins love to write scripts to solve the problems that exist in their environments. This is something we understand very well. 🙂 If you’re reading this right now then one major problem that you probably face is having to regularly ensure that your computers are completely up to date. However, some problems either aren’t so easily solved by a simple script, or are a huge time-drain to get up an running in a way that is useful enough to deploy in a production environment. When it comes to Windows Updates, in particular, frequently it’s not sufficient to simply deploy a script to remotely initiate Windows Update. As an IT administrator you often need more control. After all, if something doesn’t work right or if you can’t efficiently monitor the process, things can quickly become unwieldy, particularly when you’re working with a limited time window with critical servers that absolutely have to be online outside of maintenance periods. BatchPatch was created with the goal of helping to ease the patch management burden on systems administrators. After all, they don’t call it ‘patch installations’ for a reason. It’s a process… it’s something that, unfortunately, really has to be managed! Hence the term ‘patch management.’

In the most basic configuration for the simplest environments the goal might just be to download and install Windows Updates on all networked computers and then trigger them to reboot. Even in this seemingly straightforward process there’s actually a lot that can go wrong, especially when you are dealing with a lot of computers, and especially when there is a time crunch. And as you surely already know, there is virtually *always* a time crunch. How does the saying go? “Too much to do, too little time!” For example, what happens if a couple of computers don’t come back online after they are rebooted? If you don’t have a system that monitors uptime, how do you discover that these computers never came back online? If you do have a system that monitors uptime, usually it’s going to be disabled during the maintenance window so that it doesn’t buzz away with false alarms for every single rebooted computer. The problem here is that you won’t find out which computers haven’t come back online until *after* you’ve re-enabled your monitoring service *after* the maintenance has ended, which is too little too late!

In many environments there is a much higher degree of complexity, so the goal can’t always be as simple as downloading and installing Windows Updates on all networked computers and then triggering them to reboot. Sometimes, for example, there are dependencies across multiple computers. Maybe one computer can’t be offline unless another computer is online, and vice versa. Or maybe there are services on certain machines that have to be stopped before applying updates, and then those same services have to be re-started after the updates have been applied, with verification that the services are running properly. You might realistically want or need to execute a series of actions, in sequence, across numerous computers. And with all of this you still have the most basic requirement of needing to be able to monitor the process in real-time to make sure that when the maintenance window ends you have actually completed the entire process with all servers and services verified as being back online and performing their normal duties. Without a tool dedicated to help you with this process you’d be looking at spending practically all your working hours on patch management, which simply isn’t realistic in the IT industry. You are always going to have too much to do with too little time to do it, so choose wisely to help save yourself time and energy!

Posted in Blog, General | Tagged , | Comments closed

An Alternate Way to Check if Computers Have a Particular Windows Update Installed

BatchPatch provides a way for you to generate an update history report for all of your computers to see which computers have installed or have not installed particular updates. There is a tutorial that illustrates this method for update history reporting here: Create a Consolidated Report of Windows Update History

However, there is another way to accomplish this task that I’d like to share with you here. If you have any issues with the other method or if that method isn’t providing the information to you in a way that suits your needs, you could try this alternate method to figure out if a particular Windows Update has been or has not been installed on target systems. Depending on the situation you might find one method more suitable or desirable than the other.

Let’s say for the sake of this example that the update you want to check your computers for is KB3150513. We can use a WMIC command to ask Windows if this update is already installed or not. The command line syntax would be:

WMIC QFE WHERE HotFixID='KB3150513' GET HotFixID

Another way to write this command is:

WMIC PATH Win32_QuickFixEngineering WHERE HotFixID='KB3150513' GET HotFixID

And if you want to look for more than one update, you can also structure your command as follows:

WMIC QFE WHERE (HotFixID='KB3150513' or HotFixID='KB4015217' or HotFixID='KB4015438' or HotFixID='KB4014329' or HotFixID='KB4013418') get HotFixID

If you were to run one of the above commands at the command prompt of a given computer, you would see something like this. Note that in the second command only 2 of the specified KB IDs were found, so only 2 were printed in the result list:

However, it’s not all that practical to log on to every single target computer just to run the command above. After all, that’s why you have BatchPatch in the first place– so that you can execute commands and retrieve information from numerous computers, simultaneously. To execute one of these commands from BatchPatch on numerous target computers you can simply use the ‘Remote command (logged output)’ feature in BatchPatch.

  1. Go to ‘Actions > Execute remote process / command > Create / modify remote commands (logged output)’
  2. In the window that appears we need to add a new row and insert our command, as shown in the screenshot below:
  3. After clicking OK to the ‘remote commands (logged output)’ window we can now simply select the desired rows in the grid (I only have one computer available for testing at the moment), and then select ‘Actions > Execute remote process / command > Execute saved remote commands (logged output)’ and then click on the desired command that we just created a moment ago.
  4. When the query completes, if it finds the specified update has been installed, then it will display just like my screenshot below. If the update is not found, then the result will be empty instead.
Posted in Blog, General, Tutorials | Tagged , , , | Comments closed

Deploy a Specific Windows Update KB ID

Today I want to spend some time clarifying the answer to a question that we commonly receive. Some BatchPatch users want to simply deploy a particular Windows KB update to target computers. They essentially want to be able to just enter a KB ID number into the BatchPatch GUI, with BatchPatch then handling the rest of the process. However, this is not quite how it works. Below I will explain your options for deploying a specific Windows KB update.

Why Can’t I Simply Enter a KB ID Number and Have BatchPatch Handle the Rest?

Well, actually you *can* enter a KB ID directly into BatchPatch, but you need to first understand what this accomplishes in the software so that you are not confused if/when the update KB ID that you specified does not get installed.

If you use BatchPatch to initiate a Windows Update action on target hosts, BatchPatch first has to initiate a scan for available updates, and then once it finds updates that are available to the particular computer, it will download and install those updates based on any preferences and filters that you have previously configured in BatchPatch.

That said, BatchPatch allows you to enter a filter list of KB ID numbers that you want to be included during the download/install process. When the ‘include’ filter list is utilized, only updates that are on that list will be installed. Any other update that BatchPatch finds as “available” that is *not* also on the ‘include’ filter list will simply not be downloaded/installed. However, it’s also the case that if a KB ID is on the ‘include’ list but that KB ID is not found as “available” to the computer, then that KB update will *not* be installed.

The primary issue that users are sometimes confused by is that they expect if they enter a particular KB ID into the ‘include’ filter list that it will automatically always be installed. However, that is simply not the case. The ‘include’ filter list lets the administrator filter the list of “available” updates so that only a subset of those available updates are installed. If an update is not available to the computer then it does not matter if it’s in the filter list or not, it cannot and will not be installed via this method.

We demonstrate how to use the filter lists in this tutorial: Remotely Install Only a Subset of Available Windows Updates

Is It Possible to Directly Install a Specific KB ID Without First Scanning for Available Updates?

You may, in fact, do a direct KB update deployment, if you desire. However, in this case you would then have to make sure that you not only have the correct update file for the target computer’s operating system, but you would also have to make sure that the target computer actually needs the update. If it does not need the update or if it’s the wrong OS, the deployment will fail. To deploy a standalone KB update file you would first need to download the update file from Microsoft. Usually the standalone updates come in the .MSU flavor, but they could also be packaged as .EXE, .MSI, or .MSP in some cases. You might even occasionally find a different package type altogether.

Once you have downloaded the desired KB update, you may follow the tutorial at the following link to deploy it directly to target computers:
Remote Script Deployment – Install Multiple .MSU Files in a Single Action on Remote Computers

2015-01-08 14_15_12-new 1 - BatchPatch X6

Posted in Blog, General, Tutorials | Tagged , , | Comments closed

Protecting Your Machines from the WannaCry Malware

By now most of you have surely read about the new WannaCry ransomware malware that has recently been disabling computers and networks all over the planet. Protecting your computers is very easy, but you have to care enough to make sure that you’ve done what needs to be done!

Deploying the WannaCry Patch to Current / Supported Operating Systems

In March Microsoft released a Windows update to fix the file-sharing vulnerability that WannaCry utilizes to install itself in systems. If you have been regularly installing Windows updates on your computers then you should already be safe. Make sure that you have the March updates installed, but also use this time to evaluate your entire patching policy. Do you patch semi-annually or quarterly? It is my opinion that if you are not patching every single month to apply the latest Windows updates, then you are inviting malware into your network. In 2017 if you want to keep your computers and network virus-free, the absolute number one most important and simplest thing that you should be doing is applying Windows updates relatively soon after they are released by Microsoft.

Yes, it’s true that when Microsoft releases updates they can sometimes cause problems or wreak havoc on systems, so we do *not* advocate installing Windows updates on production computers on the same day that they are released. We believe the best option 99% of the time is to wait approximately 1 week after Windows updates are released before you deploy them to all of your systems. However, you *should* deploy them to your test lab on the day they are initially released, or the day after. Then wait a week to see if you have any problems in your lab and to see if any problems are reported by other users across the internet. If any patches are determined to cause problems, do your research to make the determination whether or not you should install the patches or wait for a re-release from Microsoft.

The following links demonstrate how to keep your computers up to date with BatchPatch. You may use any of these tutorials to make sure that you are protected from WannaCry:

https://batchpatch.com/using-batchpatch-to-remotely-install-windows-updates
https://batchpatch.com/remotely-install-only-a-subset-of-available-windows-updates
https://batchpatch.com/remotely-installing-windows-updates

The following link demonstrates how to see which updates have already been installed on target systems:

https://batchpatch.com/create-a-consolidated-report-of-windows-update-history

Deploying the WannaCry Patch to Unsupported / Old Operating Systems (Windows XP, Windows 2003, Windows 8)

With regard to WannaCry and older operating systems… up until a couple of days ago no patch existed for unsupported operating systems such as Windows XP, 2003, and 8. If you are still using one of these unsupported operating systems in your company, then you need to seriously consider why that’s the case. At this point in 2017 there is really almost no good reason to still be running one of these OSes, and even if you have a good reason for running one of these OSes in a corporate environment, you should still be looking to move away from them ASAP. If you’re a home user and you never got off of XP or 8, this should be a wake-up call. Your personal computer is just as vulnerable to WannaCry as any corporate machine.

If you are trying to deploy the WannaCry fix to your XP, 2003, or 8 computers, you have two options. You can use BatchPatch to apply the available Windows Updates using one of the methods outlined below in the following tutorials:

https://batchpatch.com/using-batchpatch-to-remotely-install-windows-updates
https://batchpatch.com/remotely-install-only-a-subset-of-available-windows-updates
https://batchpatch.com/remotely-installing-windows-updates

Alternatively you may deploy the standalone offline patch installer file to your target computers using the BatchPatch ‘deployment’ feature. The patch for each of the above-mentioned unsupported operating systems is linked off the bottom of this page: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Instructions for deploying standalone exe, msi, msu, and msp files can be found at https://batchpatch.com/software-deployment but don’t forget about the silent /quiet installation parameter! More on that here: https://batchpatch.com/understanding-and-discovering-the-silent-parameters-required-to-remotely-deploy-software-with-batchpatch

Posted in Blog, General, Tutorials | Tagged , , | Comments closed

Remote Registry Updates with BatchPatch

Pretty much every systems administrator will need, at one point or another, to apply a registry update, remotely, to multiple computers. Today I’m going to show you how that can be accomplished quickly and easily using BatchPatch.

  1. Before we do anything please note that if you are going to be deploying a registry key/value to the HKEY_CURRENT_USER (HKCU) hive of the target computer(s), then you need to make sure that your ‘Remote Execution Context‘ is set to ‘Elevated token‘ and not ‘SYSTEM‘.

    If you are deploying a registry key/value to the HKEY_LOCAL_MACHINE (HKLM) hive of the target computer(s), then your ‘Remote Execution Context‘ can be set to either ‘SYSTEM‘ or ‘Elevated token‘. More details here: ‘Remote Execution Context

    Also note that if you deploy a key/value to HKCU, the current user is the user that you are using to run the action in BatchPatch. This is the user that launched the BatchPatch.exe, or if you have specified alternate credentials for the row in BatchPatch where this command is being executed, then the alternate credentials you specified will be the current user for the operation. In most cases this is probably not the user that you want the key to be created for. Presumably you want the key to be created in HKCU for the user of the target computer, not the user that is performing the key/value deployment in BatchPatch. For more information on deploying a registry key/value to the actual users of a computer, as opposed to the user that is executing the deployment in BatchPatch, see here.

  2. Let’s look at the registry key that we plan to update. In the screenshot below you can see that I have the ‘Enable’ DWORD currently set to a value of 1 for HKLM\SOFTWARE\FileZilla 3\fzshellext
  3. For the sake of this example, let’s modify the value and change it from 1 to 0. Prepare a text file that looks like the one I have posted in the screenshot below. You can also create a file like this by using ‘File > Export’ in the Registry Editor window. Then simply modify the resulting file to fit your requirements. I have saved the file to my desktop as FileZilla.reg
  4. We can now use BatchPatch to deploy the FileZilla.reg file to our desired target computers, which will have the effect of creating and applying the specified registry key and value on computers that do not have the key/value in the first place. For computers that already have the registry key and value, it will update the value to the value that we specified in our .reg file. So in my case I already have the key/value in my registry, but I have a value of 1. Since my FileZilla.reg file has the value as 0, once I have successfully deployed the reg file using BatchPatch, the registry value on my test computer will be changed from 1 to 0.
  5. In BatchPatch highlight the desired target computers, and then select ‘Actions > Deploy > Create/modify’
  6. In the deployment window, create the deployment as I have in the screenshot. All I’ve done is used the … browse button to locate the FileZilla.reg file. No other configuration needs to be made. The ‘command to execute’ will be automatically populated by BatchPatch when the .reg file has been selected.
  7. At this point I can execute the deployment by clicking on the ‘Execute now’ button. I could alternatively save the deployment for later execution by using the >> button, but in this instance I have no need to do that, so I’ll just execute it immediately.
  8. Execution completed almost immediately, and I got a blue Exit Code 0 (SUCCESS) message.
  9. We can confirm, if desired, that the change was successful by using ‘Actions > Get information > Get registry key/value. We simply enter the registry key that we want to view.
  10. We can view the output of the above command to verify that our DWORD value is now 0 instead of the previous value of 1.
Posted in Blog, General, Tutorials | Tagged , , , | Comments closed

Deploying a Standardized Hosts File to Multiple Computers on a Network

Recently someone asked us how they could use BatchPatch to replace the ‘hosts’ file on all target computers in their network with a customized ‘hosts’ file that had been created by the IT department. BatchPatch can do this very quickly and painlessly.

First, let’s briefly discuss the ‘hosts’ file for those of you who aren’t familiar with it. Essentially it’s just a text file that Windows uses to map host names to IP addresses. The functionality is similar to the primary functionality of DNS, but instead of requiring a full DNS server, it’s literally just a file on your computer. And if you are using a ‘hosts’ file in conjunction with DNS, the entries in your computer’s ‘hosts’ file will actually override any mappings in DNS for the same hosts.

In Windows, the ‘hosts’ file is located in:

C:\Windows\System32\drivers\etc\hosts

The default file has the following contents:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
 
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

Perhaps you have a reason to add some custom mappings to all of the computers in your network, like shown in the hosts file below:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
 
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
 
 
172.16.45.46 mail.yourdomain.com
172.16.45.47 sql.yourdomain.com
172.16.45.48 file.yourdomain.com

Here is how to deploy your custom hosts file to multiple computers in your network:

  1. Prepare your hosts file and save it to any location on your computer.
  2. In BatchPatch select ‘Actions > Copy file/folder > Create/modify file or folder copy
  3. Select or input your source file’s full path. The destination folder will be:
    C:\Windows\System32\drivers\etc

    Make sure to check the ‘Overwrite’ box so that the hosts file on the target computer will be overwritten with your new/custom hosts file.

  4. Finally click the ‘Execute now’ button to copy the file to the selected target computers.
Posted in Blog, General, Tutorials | Tagged , , | Comments closed

Remotely Manage Windows Updates and Reboots on Your Network

Today we are going back to the basics! The core functionality that BatchPatch offers is the ability to easily manage Windows Updates on multiple remote computers, simultaneously. This means that you can do the following:

  • Check a group of computers to see which updates they have available, and optionally produce a consolidated report of the results.
  • Download and/or install available Windows updates on a group of computers, simultaneously, while managing the entire process from a single console. Optionally and automatically reboot the computers after the updates have been installed.
  • Download and/or install only a subset of the available Windows updates on a group of computers.
  • Check which updates have previously been installed on target computers, and optionally produce a a consolidated report of the results.
  • Hide or unhide updates that are visible at the target computer. Once an update has been hidden, it will no longer appear in the list of available updates until/unless it is subsequently unhidden.
  • Reboot or shutdown target computers with real-time monitoring.
  • Create a queue of multiple actions to execute on targets hosts, such as download updates, install updates, reboot, wait for machine to come back online, download updates, install updates, reboot. You can include your own custom scripts, software installations, file copies, registry additions etc.
  • Create scheduled tasks to execute any action or queue.
  • Setup a task to use Wake on LAN to wake up your computers, download and apply Windows updates, reboot, wait 10 minutes, then shutdown.
  • Notify logged-on users of upcoming events or impending reboots.
  • Check target computers to see if the are waiting to be rebooted in order for update installation processes to be completed, and optionally automatically reboot the computers too.
  • Configure email notifications to keep you apprised of task status for tasks that are scheduled outside of working hours.
  • Monitor which services or which automatic services have not started after updates have been applied and computers have been rebooted. Optionally and automatically start the stopped automatic services.

In addition the core functionality described above, BatchPatch also has additional functionality to help manage remote computers.

  • Deploy third party software to target computers.
  • Deploy .MSI packages as well as .MSP, .MSU, .EXE, and pretty much any type of package available.
  • Deploy registry keys/values
  • Deploy and / or execute scripts remotely such as PowerShell (.PS1), VBScript (.VBS), Batch (.CMD and .BAT)
  • Collect information from target computers such as last bootup time, MAC address, hardware information like CPU specs, computer model, available disk space etc.
  • Copy files and folders.
  • Coordinate tasks that have multiple computers dependencies so that, for example, computers can be updated and rebooted in various sequences, or so that only certain computers in a group are taken offline at a given time.

As always you are encouraged to peruse the tutorials on this site. You might find new ways to do things more easily that you hadn’t previously known about. Don’t hesitate to contact us with any questions, comments, or concerns.

Posted in Blog, General, Tutorials | Tagged , , , | Comments closed

Using the HTML Export Feature to Produce Reports

One of the most common questions we get from customers and non-customers is “how do you produce a report of available updates on numerous computers?” There are two basic ways to accomplish this task. The option that you select depends mostly on how you want the report to look. The first method I’ll demonstrate is the HTML export method, as this posting is titled. The second method will illustrate how to export in grid format, so that you can subsequently import into your favorite spreadsheet application for further manipulation and formatting.

Method 1:

The HTML export method enables you to put the actual BatchPatch grid contents into a format that is viewable on any computer, regardless whether or not BatchPatch is installed.

  1. The first order of business is to get the information that you want to display in the report. If we want to display the list of available updates, then I’ll start by executing ‘check for available updates’ on the hosts in the grid.

  2. When the results of the query return we just need to adjust the grid to show only the information that we want in the HTML export. For the sake of this example I only want to display the host name and the report of updates found, which is displayed in the ‘Remote Agent Log’ column. I have hidden all the other columns by right-clicking on the grid column header and deselecting the appropriate checkboxes. You may alternatively use ‘Tools > Customize visible columns’ to display the same checkbox list of columns.
  3. Now that we have only the columns that we want to appear in the HTML report visible in the grid, we can export the grid to HTML using ‘File > Export grid > Export current grid to HTML’
  4. The resultant HTML file displays the grid at the top, and it’s clickable, so that if you click on a cell in the grid it takes you directly to that cell’s corresponding data location in the HTML file. This makes a very convenient little report that can be displayed on any computer.

Method 2:

In the case of creating a report of available updates or a report of previously installed updates on target hosts, you have a second report option in BatchPatch. ‘Actions > Windows updates > Generate consolidated report of available updates’ and ‘Actions > Windows updates > Generate consolidated report of Windows update history’ will give you the information in a format that can be imported into your favorite spreadsheet application.

  1. For this example we will execute ‘Actions > Windows updates > Generate consolidated report of available updates’
  2. When the report executes it opens a new report viewer window, and the results of each target host query are populated in the new window as soon as they return.
  3. Once the data is displayed in the viewer you can use the ‘Export report’ menu item to export the grid to a delimited file or XML.
  4. Once you have exported the report you can use your preferred spreadsheet application to import it for further manipulation or formatting.
Posted in Blog, General, Tutorials | Tagged , , | Comments closed

Install Windows Updates Only If Sufficient Space Is Detected On Target C: Drive – Custom Scripting in BatchPatch

Today I’m going to demonstrate an ‘advanced’ concept in BatchPatch. We will use a combination of features, including the Job Queue, the Deployment feature, and bit of custom scripting to achieve the desired effect. The goal here is to illustrate how you can use BatchPatch to accomplish something that might not be directly built-in to the software.

The goal:

Instruct BatchPatch to download and install Windows Updates on selected target computers ONLY if the target computers first past a check to see if they have enough disk space on their C drives. ‘Enough’ disk space is any number of megabytes that you choose.

Summary:

Use the BatchPatch Job Queue to execute the following steps:

  1. Deploy a script to target computers that returns 0 if the amount of available C drive space is above the threshold that we set. If the amount of free space is below our threshold, then return 1.
  2. Use the Job Queue feature ‘Stop queue execution if previous action fails/errors’
  3. Execute ‘Download and install updates + reboot if required’ (or any desired action)

How to do it:

  1. I’ve created a very simple vb script that checks for free space on the C: drive and returns 0 if the number of megabytes free is greater than or equal to 500. If there are fewer than 500 megabytes free on C, then the script returns 1. Of course you can modify the threshold to be any number that you want. The contents of my script are below:
    'Gets the free space on C drive.  If free space is less than specified threshold return 1. Else return 0.  
    'Cocobolo Software LLC April 2017.
     
    on error resume next
    Err.Clear
     
    Dim freeMB
    Const MBCONVERSION = 1048576
     
    Set objWMIService = GetObject("winmgmts:\\localhost\root\cimv2")
     
    'Get C drive space
    Set colLogicalDisk = objWMIService.ExecQuery("Select * from Win32_LogicalDisk")
    		For Each objLogicalDisk in colLogicalDisk
    			If objLogicalDisk.DeviceId = "C:" Then					
    				freeMB = objLogicalDisk.freespace/MBCONVERSION
    			End If
    		Next
     
    If freeMB < 500 Then
    	wscript.quit(1)
    Else
    	wscript.quit(0)
    End If
  2. Save the script. The contents of the script above need to be saved in a text file with a .vbs file extension. For the sake of this example my script is called “DiskCheck.vbs”
  3. Create a deployment. The deployment will be used to copy the vbscript to the target computers, execute it, and retrieve the exit code. To create your deployment select ‘Actions > Deploy > Create / modify.’
  4. Browse to the location of your DiskCheck.vbs file, and then give the deployment a title. Click the ‘>>’ button to save the deployment. The screenshot below shows the configured deployment.
  5. With your deployment created and saved you can now setup your Job Queue. Go to ‘Actions > Job Queue > Create / modify.
  6. Select the desired steps of the queue. The first step executes the deployment that we created earlier. The second step tells BatchPatch to halt the queue if the previous action fails/errors (a script is considered failed/errored if it returns any non-zero value). The third and final step of the script is to execute whatever action is desired such as ‘Download and install updates.’ The screenshot below shows what your queue should look like:
  7. All we have to do now is execute the queue. Click ‘Execute now’ (or alternatively save the queue first and then execute it directly from the BatchPatch Job Queue menu). In the screenshot below you can see that I had less than 500 MB free on the target computer, and so the job queue halted, as desired. If there were 500+ MB available, then the job queue would have executed the final step to download and install updates.
Posted in Blog, General, Tutorials | Tagged , , , | Comments closed

Removing Windows Updates Remotely from Windows 10 and 2016

In BatchPatch we have a menu item ‘Actions > Windows updates > Uninstall individual update’ that you can use to easily remove a single Windows update from numerous target computers, simultaneously. This command invokes wusa.exe on target computers to uninstall the desired update. We have a tutorial posted for this feature here. The only problem is that beginning with Windows 10 and 2016, this feature no longer works. You can still use it without issue to uninstall updates on older OSes such as Windows 7, Windows 2008, and Windows 2012, but for whatever reason Microsoft removed some of the functionality from wusa.exe on newer operating systems. You can’t use wusa.exe with the /quiet parameter to remove an individual Windows update from Windows 10 or Windows 2016. We agree, this is pretty darn annoying.

In the next release of BatchPatch we will have a new macro that allows you to remove an update from Windows 10 or 2016, but in the meantime if you need to remove an update from one of these newer operating systems, here is what you need to do:

  1. Select the desired hosts in the grid and choose ‘Actions > Execute remote process/command > Create/modify remote command 1’
  2. In the remote process/command window you’ll enter the following command. Replace KB4014329 with the KB ID of the update that you would like to remove.
    cmd.exe /c echo . | powershell.exe -ExecutionPolicy Bypass -command "$SearchUpdates = dism /online /get-packages | findstr 'Package_for'; $updates = $SearchUpdates.replace('Package Identity : ', '') | findstr 'KB4014329'; DISM.exe /Online /Remove-Package /PackageName:$updates /quiet /norestart"

  3. At this point you can either click ‘Apply command to row(s) without executing’ so that you can execute it later. Or you can just click ‘Execute’ which will apply the command to the row(s) and then execute it immediately. Additionally, if you need/want to save this command for future use you can also add it to ‘Actions > Execute remote/process command > Create/modify remote commands.’ Once added there it will appear in the BatchPatch actions menu for future use.

That’s really all there is to it. As mentioned above, we will be adding a macro for this command in the next version of BatchPatch, so that you can more easily execute it by simply providing the KB ID of the update that you want to remove. However, for the time being, this is your best bet for remotely removing an update from numerous computers. Of course there is always the option of going to each computer one by one to remove the update manually, but that’s a pain, especially when dealing with numerous computers.

Posted in Blog, General, Tutorials | Tagged , , , | Comments closed