Removing Adobe Flash Player from Multiple Remote Computers

Last year we posted one method for removing / uninstalling Adobe Flash from multiple computers (uninstall-adobe-flash-player-from-multiple-computers), but there is another method that might be easier or work better, depending on your situation, so I’m going to explain that process below.

Adobe has a Flash player removal utility available from the following link that makes it simple to remove any Flash plugins. When you deploy that utility with BatchPatch you can quickly/easily handle numerous computers, simultaneously.

Adobe Flash Player Removal Utility

As noted on the top of the Adobe Flash Player Removal Help Page, the removal utility will not work for the Flash Player included with Microsoft Edge or Internet Explorer on Windows 8 and later or with Google Chrome on all supported operating systems. For those situations you would simply enable/disable Flash in the browser, as described here.

To remove the Adobe Flash Player Plugins using BatchPatch with the “uninstall_flash_player.exe” utility, here’s all you need to do:

  1. Highlight the desired hosts in the BatchPatch grid, and then select ‘Actions > Deploy > Create/modify deployment’
  2. In the deployment window you’ll need to select the file to deploy as the “uninstall_flash_player.exe” like in the below screenshot. Additionally, you must add the -uninstall parameter in order to execute this installation remotely, unattended and silently.
  3. Once you have the deployment configured, you can simply go ahead and execute it by clicking ‘Execute now.’ Any host that is selected in the grid will be affected. When the deployment completes, BatchPatch will display ‘Exit Code: 0 (SUCCESS).’
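
A post-deployment check, added here as an example and not part of BatchPatch or Adobe's tooling: the script below looks for leftover Flash plugin binaries and uninstall registry entries on a list of hosts. It assumes PowerShell remoting (WinRM) is enabled on the targets; the host names are placeholders and the output property names are chosen for this example.

```powershell
# Added example: confirm the Flash Player plugins are gone after the deployment.
# Assumptions: PowerShell remoting is enabled on the targets; host names are placeholders.
$targets = 'HOST01', 'HOST02'

$check = {
    # Standard locations of the plugin binaries (the SysWOW64 folder only exists on 64-bit Windows).
    # On Windows 8 and later the browser-embedded Flash mentioned above is not touched by the
    # removal utility, so files may still be reported on those systems.
    $dirs = @("$env:WINDIR\System32\Macromed\Flash",
              "$env:WINDIR\SysWOW64\Macromed\Flash")
    $exts = '.ocx', '.dll', '.exe'
    $files = @(Get-ChildItem -Path $dirs -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $exts -contains $_.Extension } |
        ForEach-Object { $_.FullName })

    # Installed-program entries, in both the native and the 32-bit registry views.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entries = @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Flash Player*' } |
        ForEach-Object { $_.DisplayName })

    New-Object PSObject -Property @{
        Host             = $env:COMPUTERNAME
        Clean            = ($files.Count -eq 0 -and $entries.Count -eq 0)
        UninstallEntries = $entries -join '; '
        LeftoverFiles    = $files -join '; '
    }
}

# Run the check on every target and list the hosts that still need attention first.
Invoke-Command -ComputerName $targets -ScriptBlock $check |
    Sort-Object Clean |
    Select-Object Host, Clean, UninstallEntries, LeftoverFiles |
    Format-Table -AutoSize -Wrap
```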
Posted in Blog, General, Tutorials | Tagged , , | Comments closed

The Best Way to Patch an Isolated Network Environment

We have talked a lot about offline patch management with BatchPatch, and today will be no exception. We truly believe that BatchPatch provides the best, simplest, least expensive way to apply updates to machines on isolated networks. (We also happen to believe that BatchPatch is the best, simplest, and least expensive option for updating machines that are *not* on isolated networks!) Many organizations have at least one high-security network that is either completely offline or sometimes just minimally connected, which makes Windows Updates and patching the computers in said network much more challenging than it would otherwise be.

BatchPatch addresses the need for offline patch management of isolated networks by allowing the administrator to use an internet-connected computer to pre-download all updates that are required by computers on the offline network so that he/she can then copy the update files to the isolated network. From there BatchPatch is able to distribute the updates to all of the computers on that same offline network segment. This way the machines on the offline network do not ever have to connect to the internet nor to another online network segment. Furthermore, BatchPatch provides a couple of different methods for handling offline patch management, such that if you are not even able to remove a single text file from the offline network due to stringent security requirements, BatchPatch can still work by enabling the administrator to only move/copy files in one direction *to* the high-security network without ever having to remove any files *from* the high-security network.

The main page we have set up to discuss ‘Cached Mode’ and ‘Offline Updates’ is here: https://batchpatch.com/cached-mode-and-offline-updates

Additionally, we address offline Windows Update options in more detail here: https://batchpatch.com/offline-windows-update

If you aren’t sure about how well BatchPatch will work in your environment, the good news is that the evaluation is totally free and allows you to patch up to 4 computers, simultaneously. You can download it from https://batchpatch.com/download

If you have any questions about the application, licensing, pricing, trials, quotes, invoices, POs etc, please reach out to us through the contact form at https://batchpatch.com/contact


How to Automate Windows Updates with Multiple Patch and Reboot Cycles

Anyone who has worked with Windows Updates for any length of time has encountered the situation where after downloading/installing updates and rebooting, all of a sudden after the computer comes back online there are new updates available, even though all available updates were installed before the reboot. This seems to be an unavoidable fact with Windows Updates some months where an update simply will not be “available” until after certain other updates have been installed. And while it certainly isn’t a big deal to just install the newly available updates and reboot a second time when you’re dealing with a single computer, if you’re dealing with a lot of computers or you have a brief maintenance window to work with, things tend to get complicated very quickly. Soon you find yourself at the end of the maintenance window with machines offline that need to be online, and confusion about which machines have been rebooted twice and which ones have only been rebooted once etc. Wouldn’t it be nice if you could have a one-click way to launch a cycle of multiple updates and reboots across many computers, simultaneously? BatchPatch to the rescue! Here’s how you can use BatchPatch to automate a sequence of multiple update plus reboot cycles.

BatchPatch’s Job Queue Feature:

In BatchPatch we select the hosts that we want to update, and then we select ‘Actions > Job Queue > Create/modify job queue’

One option for a typical update + reboot cycle is illustrated in the screenshot below. The steps are as follows:

1. Download and install updates + reboot always
2. Wait 10 minutes
3. Download and install updates + reboot if required


A second option for a typical update + reboot cycle is illustrated in the following screenshot. In this job queue we utilize the BatchPatch built-in option to ‘Wait for host to go offline and come back online.’ A host is determined to be offline when X pings timeout/fail, where X is an integer defined under ‘Tools > Settings > Grid preferences > Hosts are considered offline after X ping timeouts.’ The default value for this setting is 3, and that works great for physical computers. We recommend a value of 2 for virtual machines that are able to reboot extremely quickly. A host is determined to be back online after it both responds to pings AND also responds to WMI queries.

The steps are as follows:

1. Download and install updates + reboot always
2. Wait for host to go offline and come back online
3. Wait 1 minute
4. Download and install updates + reboot if required


If you want, you can add even more steps to the job queue, whether that be for an additional update + reboot cycle or if you need to execute a custom script or retrieve some info from host computers. However, for our purposes, 2 cycles of update + reboot is sufficient.

Once you have a job queue created you can execute it right away for the selected hosts in the grid using the ‘Execute now’ button, or you can save the queue using the ‘>>’ button for later execution. Once a queue has been saved, then to execute it for a given set of hosts/rows in a grid, you would simply highlight the hosts and select ‘Actions > Job Queue > Execute saved job queues > *Your job queue name*’
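
The offline/online test described above, sketched in PowerShell as an added example (this is not BatchPatch's own implementation): a host counts as offline after a set number of ping timeouts and as back online once it answers both a ping and a WMI query. The function name, its parameters, the polling interval and the choice to count consecutive timeouts are assumptions; it uses Get-WmiObject, so it targets Windows PowerShell.

```powershell
# Added example: wait for a host to go offline and come back online.
function Wait-HostReboot {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$OfflineAfterTimeouts = 3,   # the text suggests 3 for physical hosts, 2 for fast VMs
        [int]$MaxWaitSeconds = 1800,      # assumption: give up after 30 minutes
        [int]$PollSeconds = 2             # assumption: pause between probes
    )
    $deadline = (Get-Date).AddSeconds($MaxWaitSeconds)
    $misses = 0

    # Phase 1: the host is considered offline after X consecutive ping timeouts.
    while ($misses -lt $OfflineAfterTimeouts) {
        if ((Get-Date) -gt $deadline) { throw "$ComputerName never went offline" }
        if (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet) {
            $misses = 0
        } else {
            $misses++
        }
        Start-Sleep -Seconds $PollSeconds
    }

    # Phase 2: the host is back online only when it answers a ping AND a WMI query.
    # A ping reply alone can arrive well before services are ready to accept work.
    while ((Get-Date) -le $deadline) {
        if (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet) {
            try {
                $os = Get-WmiObject -Class Win32_OperatingSystem `
                    -ComputerName $ComputerName -ErrorAction Stop
                # Return the boot time so the caller can confirm a reboot really happened.
                return $os.ConvertToDateTime($os.LastBootUpTime)
            } catch {
                # WMI is not answering yet; keep polling.
            }
        }
        Start-Sleep -Seconds $PollSeconds
    }
    throw "$ComputerName did not come back within $MaxWaitSeconds seconds"
}

# Usage with a placeholder host name:
# $bootTime = Wait-HostReboot -ComputerName 'HOST01' -OfflineAfterTimeouts 2
```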


The Best Way to Patch an Isolated Network

One of our goals with BatchPatch is for it to be the best tool for patching isolated networks. We think it provides the simplest method for applying Windows Updates in bulk to computers on segregated and/or offline networks. When dealing with isolated/segregated networks, there are typically some additional challenges involved in keeping computers up to date. The computers typically will not have internet access, and usually the computers will also not have physical connectivity to other networks. This ‘air gap’ presents a significant obstacle for the administrators, especially in cases where the segregated network has very strict rules due to its high-security designation. After all, the purpose for an air-gapped network is usually to increase the overall security of the connected computers. On the one hand, keeping computers patched and up to date is paramount to maintaining security of the network, but on the other hand, how do you patch the computers if they are not connected to anything?

We describe, in detail, all of the cached mode and offline update options in BatchPatch at this link: Cached Mode and Offline Updates


There are two basic options that BatchPatch provides for patching an air-gapped network of computers:

Option A: On an internet-connected computer, pre-download *all* Windows Update security updates for the operating systems that you plan to patch. Then bring all of those updates on a hard drive to the offline network and use BatchPatch to apply them to all of the computers.

The advantage of option A is that files never need to be transferred from the offline network to an online network. In high-security environments this might be particularly useful because change-management requirements might make it very difficult or perhaps impossible to remove files from the offline, high-security network.

The disadvantage of option A is that you have to download *all* available security updates for a given OS, which might take some time.

Step-by-step tutorial for option A: Patching an isolated environment with strict security rules

Option B: First run BatchPatch on the offline network so that it can produce a report of all the security updates that are needed by computers. Take the report to a computer that has internet access, and then use BatchPatch to download the needed updates from the report. Then bring the downloaded updates from the internet-connected computer to the offline network where you can then use BatchPatch to apply those updates to the computers that require them.

The advantage to option B is that you will only need to download the exact/specific security updates that are required by computers on the offline network. This might be a significant time saver over option A.

The disadvantage to option B is that it requires taking a simple BatchPatch text file report from the offline network to an internet-connected computer. Security restrictions and/or change-management protocol may make this a very difficult or impossible task in some environments.

Step-by-step tutorial for option B: Patching an isolated environment with less stringent security rules


Automated Windows Patching

Today I’d like to go over the automation options that BatchPatch provides for downloading and installing Windows updates on multiple computers.

Update + Reboot Cycle

First let’s look at the ‘Update + Reboot Cycle’ feature, which is available on the ‘Actions’ menu. Select ‘Actions > Windows updates > Update + reboot cycle > Modify default cycle settings’

You’ll be presented with a warning that informs you that you’re about to modify a global setting.
Click OK to proceed. The window that appears allows you to modify the default settings for the ‘Update + reboot cycle’ action. Essentially this is just a simplified version of our ‘Job Queue’ feature. In addition to being simplified, it’s also a global setting, whereas the normal ‘Job Queue’ is configured on a per-row basis. For most users in most situations we actually recommend the job queue because it provides the most complete control. We’ll go over the ‘Job Queue’ further below, so you may skip straight to that section if you prefer.


We can modify the default cycle to be whatever we desire, but a simple cycle that works for most situations is just 3 steps:

* Download and install updates + reboot always
* Wait for host to go offline and come back online
* Download and install updates + reboot if required

Click OK to save the default cycle settings. Next you can execute the cycle for hosts that have been selected in the grid by selecting the desired hosts and then click ‘Actions > Windows updates > Update + reboot cycle > Execute cycle’. You’ll be presented with a confirmation dialog that explains what you’re about to execute on the selected hosts in the grid.

Click OK to execute the cycle on the highlighted hosts. That’s all there is to it.

Job Queue

The job queue is the more advanced version of the update + reboot cycle. It has more options, it enables you to save your queues, and it allows you to apply queues on a per-row basis, so you can have one separate job queue for each row/host, or you can have one job queue for all hosts, or one queue for some hosts and another queue for other hosts and so on. To launch the job queue configuration window, select ‘Actions > Job Queue > Create / modify job queue’

In this form you can create a custom job queue and save it or apply it directly to a given row or set of rows in the BatchPatch grid. You can add your own custom remote command or deployments to the queue, along with numerous built-in actions. In the screenshot below I’ve created a simple queue, and then I’ve gone ahead and saved it by using the ‘>>’ button.


You can also execute the queue directly right now on the currently selected rows by using the ‘Execute now’ button, but in this case since I’ve saved the queue, I’m now going to close the Job Queue window and then execute the queue from the BP Actions menu instead. When I click ‘Actions > Job queue > Execute saved job queues,’ my own queue now appears under the title I gave it, ‘Standard Queue for Update + Reboot Cycle.’ I can select that menu item to execute that queue on the currently selected rows in the grid.


Task Scheduler

We can now bring together these automation options with the task scheduler, which lets us execute the ‘Job Queue’ or ‘Update + reboot cycle’ at a scheduled time/day.

I’ve selected ‘Actions > Task scheduler > Create/modify scheduled task.’ In the screenshot below you can see that I have selected the Job Queue that I created above. I can click OK to apply that scheduled task to each selected row.


At this point the only thing left for me to do is enable the task scheduler, which I can do by clicking on the red clock icon in the upper right corner of the window. Clicking on it one time turns it green and enables it. Once enabled, any tasks that are scheduled for a future time/date will run when that time/date is reached.


Free Bulk Windows Update Downloader

Reminder: The FREE evaluation version of BatchPatch is fully functional. The only limitation is that you can add a maximum of 4 target hosts to the grid at one time, and you cannot run BatchPatch as a service. That said, go ahead and download a copy today and see how amazingly powerful it is while still being extremely simple to set up and operate.


Windows Updates:

Download and install Windows Updates on a single computer or on many computers, simultaneously, on-demand or at a scheduled time.

Download the entire Windows Update security updates repository for any Windows operating system. This enables you to then apply Windows Updates to computers that don’t have access to the internet. We call this offline updating or offline patch management, and it’s accomplished in BatchPatch by enabling offline mode. You can even use this method to apply Windows Updates to high-security segregated networks.

Retrieve Windows Update history information from target computers. This feature enables you to quickly and easily view which Windows Updates have previously been applied to computers.

WSUS Alternative / WSUS Replacement

You can use BatchPatch in conjunction with or instead of WSUS.

Software Deployment

You can use BatchPatch to deploy software such as Adobe Flash, Adobe Reader, Java, Skype, Firefox, Chrome, 7-zip, Notepad++, or just about any other application.

Deploy Scripts, Registry Keys, and Standalone Patches

Use BatchPatch to deploy scripts to target computers or deploy standalone patches such as .MSI, .MSU, or .MSP files. You can also use BatchPatch to deploy items such as registry keys. In all cases you can execute these deployments across numerous computers at the same time.

Retrieve Information

BatchPatch is great for quickly and easily retrieving information from many target computers. For example, here are just a few of the items you can retrieve: Available disk space, operating system version, total uptime, started services, currently logged on users, CPU model etc.

Execute Scripts

You are able to use BatchPatch to execute your own custom scripts or queries on many target computers, simultaneously.

Multi-step Execution

You can configure BatchPatch to execute actions in one-click sequences that include not only multiple steps per-host, but also involve multiple interdependent hosts with online/offline dependencies. This means, for example, you can do things like create a one-click sequence to apply Windows Updates to all VM guests on a single VM host, and then apply Windows Updates to the VM host, and then reboot it along with all the guests on it:

Multi-Step Execution Using the Job Queue
Advanced Multi-Row Queue Sequence


Remote Execution Context

In the most recent release of BatchPatch (20160914) we added a new setting for ‘Remote Execution Context’ under ‘Tools > Settings > Remote Execution.’


This setting determines the execution context used for remote commands and deployments.

SYSTEM: Run the remote process in the SYSTEM account
Elevated token: Run the remote process with the account’s elevated token, if available
Normal: Run the remote process normally
Limited: Run the remote process as a limited user (strips the Administrators group and allows only privileges assigned to the Users group)

In many cases there will be no discernible difference in the behavior of remote commands run under different execution contexts, particularly when comparing SYSTEM with Elevated token. However, in some cases commands might only run successfully under a particular context. We find that using the SYSTEM account works best for most users in most situations, with Elevated token also generally working fine in most cases. There may be some edge cases where a remote command needs to be executed as a regular (non-admin) user, in which case the ‘Normal’ option may be used. We are not aware of any situations where the ‘Limited’ option needs to be used, and frankly it will cause most remote commands and deployments to fail outright, so we don’t recommend using it. However, it’s there just in case, and now everyone has the ability to modify the execution context according to their own needs, depending on the environment that they are working in.

Our belief is that exposing this setting will decrease potential incompatibility issues. That said, if you have a deployment or a remote command that is failing for no apparent reason, you should try modifying the execution context to see if that’s the source of the problem.
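
When a command behaves differently under different contexts, it helps to see what identity and token the remote process actually received. The script below is an added example, not part of BatchPatch: run under each context setting, it reports the account, whether it is SYSTEM, whether the Administrators group is present and enabled in the token, and the integrity level. The output property names are chosen for this example.

```powershell
# Added example: report the security context of the current process.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
# IsInRole is true only when the Administrators SID is enabled in the token.
$adminEnabled = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami lists every SID in the token, including deny-only groups and the
# integrity label. Matching on SIDs keeps the check independent of the OS language.
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, Sid, Attributes
$adminInToken = [bool]($groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' })
$labelSid = ($groups | Where-Object { $_.Sid -like 'S-1-16-*' } |
    Select-Object -First 1).Sid

# Well-known mandatory integrity level SIDs.
$levels = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}
$integrity = if ($labelSid -and $levels.ContainsKey($labelSid)) {
    $levels[$labelSid]
} else {
    "Unknown ($labelSid)"
}

New-Object PSObject -Property @{
    Account             = $id.Name
    UserSid             = $id.User.Value
    IsSystem            = $id.IsSystem
    AdminGroupInToken   = $adminInToken
    AdminGroupEnabled   = $adminEnabled
    IntegrityLevel      = $integrity
} | Select-Object Account, UserSid, IsSystem, AdminGroupInToken,
    AdminGroupEnabled, IntegrityLevel | Format-List
```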


Offline Patch Management

One of the challenges that many administrators face is patch management for offline networks. In many cases it can be a bit of a catch-22. On the one hand we are charged with keeping the computers on the offline network 100% patched and up to date, so that they pass any security vulnerability audits. On the other hand, if the computers are so restricted that they cannot even access the internet or an online-network, it can be very difficult to actually keep the computers 100% patched and up to date.

BatchPatch offers functionality that enables you to deploy both third party software as well as Windows Updates to computers that are members of an offline or segregated network.

For standard third-party software deployment on offline networks, please have a look here: Software Deployment.

For offline Windows patch management, BatchPatch has a few different options to consider, depending on the configuration and security requirements of the environment that you need to patch. Let’s look at those in more detail below.

Partially Offline Patch Management

This mode is for computers that have no direct internet access and no direct WSUS access but are still able to communicate over the network with a computer that has internet access and is able to run BatchPatch.

The administrator launches BatchPatch on the internet-connected computer, and then configures BatchPatch to run in ‘offline mode.’ Once in ‘offline mode’ BatchPatch is used to check each target computer for available updates. Any needed updates are then downloaded by BatchPatch and distributed to the offline computers. The full tutorial is available here: Partially Offline Patch Management

Fully Offline Patch Management for Less Stringent High-Security Networks

This mode is for networks that have no direct internet access and no direct WSUS access and no direct communication with a computer that has internet access. In this mode, the administrator will be required to transfer a single text file from the offline network to an online network.

The administrator launches BatchPatch on a computer connected to the offline network. This computer is used to initiate the scan for available updates on all target computers. When all targets have finished checking for available updates, the BatchPatch computer creates a report of all needed updates. This report is exported to a single text file and transferred to an internet-connected computer via a USB flash drive or whatever method is convenient. On the internet-connected computer, the single text file is loaded into BatchPatch so that BatchPatch can download all of the updates included in the file. Once the updates are downloaded they are transferred back to the offline network where BatchPatch is then used to distribute them to all the target computers. The full tutorial is available here: Fully Offline Patch Management for Lower-Security Networks

Fully Offline Patch Management for More Stringent High-Security Networks

This mode is for networks that have no direct internet access and no direct WSUS access and no direct communication with a computer that has internet access. In this mode, no files are ever transferred from the high-security network to another network.

The administrator launches BatchPatch on an internet-connected computer. BatchPatch is then used to download *all* Windows security updates for whichever operating systems are going to be patched. After all of the updates are downloaded, the entire repository is transferred to the offline network. BatchPatch is then launched on a computer in the offline network, and it is used to distribute all of the previously downloaded updates to target computers. The full tutorial is available here: Fully Offline Patch Management for High-Security Networks
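
Both fully offline methods above (Option A and Option B in the earlier post) carry the update files across the air gap on removable media, so a hash manifest lets the offline side confirm that what arrived is what was downloaded. The following is an added example, not a BatchPatch feature; the function names and paths are placeholders, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example: build a SHA-256 manifest on the internet-connected computer.
# Write the manifest outside $Root so it does not list itself.
function New-UpdateManifest {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            Length       = $_.Length
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

# Added example: verify the copied repository on the offline network.
# Returns one object per problem; an empty result means every file matched.
function Test-UpdateManifest {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath |
        ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }

    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length + 1)
        if (-not $expected.ContainsKey($rel)) {
            # A file that was never downloaded by the online machine.
            [pscustomobject]@{ Path = $rel; Issue = 'Not in manifest' }
            return
        }
        $actual = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        if ($actual -ne $expected[$rel]) {
            [pscustomobject]@{ Path = $rel; Issue = 'Hash mismatch' }
        }
        $expected.Remove($rel)
    }
    # Anything still listed was in the manifest but did not arrive.
    foreach ($rel in $expected.Keys) {
        [pscustomobject]@{ Path = $rel; Issue = 'Missing file' }
    }
}

# Usage with placeholder paths:
# New-UpdateManifest  -Root 'D:\UpdateCache' -ManifestPath 'D:\manifest.csv'   # online side
# Test-UpdateManifest -Root 'E:\UpdateCache' -ManifestPath 'E:\manifest.csv'   # offline side
```

A manifest that travels on the same drive as the files only detects corruption; to detect tampering with the media, carry the manifest or its hash into the offline network by a separate path.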


Uninstalling Internet Explorer (IE) 9, 10, 11 from Multiple Computers

We recently received a request to post a tutorial that demonstrates how to use BatchPatch to remove Internet Explorer (IE) versions 9, 10, and 11 from target computers. No problem. Below is a step-by-step guide to removing previous versions of Internet Explorer.

Microsoft explains here how to use the command line to perform an IE uninstallation. We’re going to utilize this method from inside of BatchPatch to execute the removal on multiple machines simultaneously.

  1. First let’s create a simple cmd/bat file that contains the commands we need to uninstall Internet Explorer. On your computer create a text file and name it something similar to “Uninstall IE 9-10-11.cmd”
  2. Paste the following lines into the body of the cmd file:
    REM Remove IE 9
    FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*9.*.mum /c "cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /norestart"
    
    REM Remove IE 10
    FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*10.*.mum /c "cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /norestart"
    
    REM Remove IE 11
    FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*11.*.mum /c "cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /quiet /norestart"

    Note, if you only want to remove a particular version of IE instead of removing all 3 versions that we’re removing, then modify the .cmd file to only contain removal code for the versions that you want to remove.

  3. Now we can highlight the desired target hosts in our grid, and then select ‘Actions > Deploy > Create/modify deployment’. We are going to configure the deployment to deploy the .CMD file that we created in the previous step.
  4. Finally we can execute the uninstallation by clicking ‘Execute now’ in the ‘Deployment’ window.
  5. When the script completes, it’s not a bad idea to reboot the target computers, which you can do from the BatchPatch console using ‘Actions > Reboot.’

Deploying Internet Explorer 11 (IE11) to Multiple Computers

We got a request earlier today asking “How do I deploy IE 11 using BatchPatch?” I’ve posted a tutorial below that explains the process.

  1. First you’ll need to download the offline installer package for IE11 from Microsoft. At the time of this writing, you can find the Internet Explorer 11 Offline Installer for Windows 7 and Windows Server 2008 R2 posted here: https://support.microsoft.com/en-us/help/18520/download-internet-explorer-11-offline-installer. For this tutorial I’ve downloaded the English installer for Windows Server 2008 R2 SP1
  2. Next select the hosts in the grid that you want to deploy IE11 to. Then select ‘Actions > Deploy > Create/modify deployment.’ Select the file to deploy, and then add the following parameters.
    /quiet /norestart

    All of the available command line parameters for the IE setup file are listed here: https://technet.microsoft.com/en-us/library/cc817409.aspx

    For our example, the /quiet is absolutely necessary to tell the installer package to not prompt the user for any input. We need the deployment to complete without any user interaction. The /norestart parameter is optional, but we’ll use it to prevent a restart from occurring until we’re ready to initiate the restart ourselves, using BatchPatch:


  3. At this point you can click on the ‘Execute now’ button to deploy IE 11 to the selected target computers in the grid. Then wait until it completes. That’s all there is to it! If you used the /norestart parameter just as I did, then you might have to restart your machines in order for the installation to be finalized/completed. You can initiate a restart from the BatchPatch console using ‘Actions > Reboot.’