Free Bulk Windows Update Downloader

Reminder: The FREE evaluation version of BatchPatch is fully functional. The only limitation is that you can add a maximum of 4 target hosts to the grid at one time, and you cannot run BatchPatch as a service. That said, go ahead and download a copy today and see how amazingly powerful it is while still being extremely simple to set up and operate.


Windows Updates:

Download and install Windows Updates on a single computer or on many computers, simultaneously, on-demand or at a scheduled time.

Download the entire Windows Update security updates repository for any Windows operating system. This enables you to then apply Windows Updates to computers that don’t have access to the internet. We call this offline updating or offline patch management, and it’s accomplished in BatchPatch by enabling offline mode. You can even use this method to apply Windows Updates to high-security segregated networks.

Retrieve Windows Update history information from target computers. This feature enables you to quickly and easily view which Windows Updates have previously been applied to computers.

WSUS Alternative / WSUS Replacement

You can use BatchPatch in conjunction with or instead of WSUS.

Software Deployment

You can use BatchPatch to deploy software such as Adobe Flash, Adobe Reader, Java, Skype, Firefox, Chrome, 7-zip, Notepad++, or just about any other application.

Deploy Scripts, Registry Keys, and Standalone Patches

Use BatchPatch to deploy scripts to target computers or deploy standalone patches such as .MSI, .MSU, or .MSP files. You can also use BatchPatch to deploy items such as registry keys. In all cases you can execute these deployments across numerous computers at the same time.

Retrieve Information

BatchPatch is great for quickly and easily retrieving information from many target computers. For example, here are just a few of the items you can retrieve: Available disk space, operating system version, total uptime, started services, currently logged on users, CPU model etc.

Execute Scripts

You are able to use BatchPatch to execute your own custom scripts or queries on many target computers, simultaneously.

Multi-step Execution

You can configure BatchPatch to execute actions in one-click sequences that include not only multiple steps per-host, but also involve multiple interdependent hosts with online/offline dependencies. This means, for example, you can do things like create a one-click sequence to apply Windows Updates to all VM guests on a single VM host, and then apply Windows Updates to the VM host, and then reboot it along with all the guests on it:

Multi-Step Execution Using the Job Queue
Advanced Multi-Row Queue Sequence


Posted in Blog, General, Tutorials | Tagged | Comments closed

Remote Execution Context

In the most recent release of BatchPatch (20160914) we added a new setting for ‘Remote Execution Context’ under ‘Tools > Settings > Remote Execution.’


This setting determines the execution context used for remote commands and deployments.

SYSTEM: Run the remote process in the SYSTEM account
Elevated token: Run the remote process with the account’s elevated token, if available
Normal: Run the remote process normally
Limited: Run the remote process as a limited user (strips the Administrators group and allows only privileges assigned to the Users group)

In many cases there will be no discernible difference in the behavior of remote commands run under different execution contexts, particularly when comparing SYSTEM with Elevated token. However, in some cases commands might only run successfully under a particular context. We find that using the SYSTEM account works best for most users in most situations, with Elevated token also generally working fine in most cases. There may be some edge cases where a remote command needs to be executed as a regular (non-admin) user, in which case the ‘Normal’ option may be used. We are not aware of any situations where the ‘Limited’ option needs to be used, and frankly it will cause most remote commands and deployments to fail outright, so we don’t recommend using it. However, it’s there just in case, and now everyone has the ability to modify the execution context according to their own needs, depending on the environment that they are working in.

Our belief is that exposing this setting will decrease potential incompatibility issues. That said, if you have a deployment or a remote command that is failing for no apparent reason, you should try modifying the execution context to see if that’s the source of the problem.
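
To see which identity and privileges a given context actually hands to the remote process, a small diagnostic script can be deployed as a test. This is an added example, not BatchPatch code; the function name `Get-ExecutionContextReport` is an assumption, and the script reports what the process token contains rather than which BatchPatch option produced it.

```powershell
# Added example (not BatchPatch code): report the security context this process runs in.
function Get-ExecutionContextReport {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # whoami lists every group SID in the token, including deny-only groups and the
    # mandatory integrity label (S-1-16-*). /nh drops the localized header row.
    $groups = @(whoami.exe /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes)
    $privileges = @(whoami.exe /priv /fo csv /nh |
        ConvertFrom-Csv -Header Name, Description, State)

    # Well-known integrity level SIDs.
    $levels = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-8448'  = 'MediumPlus'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }
    $label = $groups | Where-Object { $_.Sid -like 'S-1-16-*' } | Select-Object -First 1
    $integrity = if ($label -and $levels.ContainsKey($label.Sid)) { $levels[$label.Sid] } else { 'Unknown' }

    # IsInRole is true only when BUILTIN\Administrators (S-1-5-32-544) is an enabled group.
    # If the SID is in the token but not enabled, it is present as deny-only.
    $adminEnabled = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $adminInToken = [bool]($groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' })

    $summary = if ($identity.IsSystem) {
        'Running as LocalSystem'
    } elseif ($adminEnabled) {
        'Administrators group enabled (elevated token)'
    } elseif ($adminInToken) {
        'Administrators group present but deny-only (filtered or restricted token)'
    } else {
        'No Administrators membership in token (standard user)'
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Account           = $identity.Name
        UserSid           = $identity.User.Value
        IsSystem          = $identity.IsSystem
        IntegrityLevel    = $integrity
        AdminGroupEnabled = $adminEnabled
        AdminGroupInToken = $adminInToken
        Privileges        = ($privileges | ForEach-Object { $_.Name }) -join ', '
        Summary           = $summary
    }
}

Get-ExecutionContextReport | Format-List
```

Comparing the output across the four settings shows whether a failing command is missing an enabled Administrators group or a specific privilege, which is the least-privilege question to answer before defaulting everything to SYSTEM.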


Offline Patch Management

One of the challenges that many administrators face is patch management for offline networks. In many cases it can be a bit of a catch-22. On the one hand we are charged with keeping the computers on the offline network 100% patched and up to date, so that they pass any security vulnerability audits. On the other hand, if the computers are so restricted that they cannot even access the internet or an online-network, it can be very difficult to actually keep the computers 100% patched and up to date.

BatchPatch offers functionality that enables you to deploy both third party software as well as Windows Updates to computers that are members of an offline or segregated network.

For standard third-party software deployment on offline networks, please have a look here: Software Deployment.

For offline Windows patch management, BatchPatch has a few different options to consider, depending on the configuration and security requirements of the environment that you need to patch. Let’s look at those in more detail below.

Partially Offline Patch Management

This mode is for computers that have no direct internet access and no direct WSUS access but are still able to communicate over the network with a computer that has internet access and is able to run BatchPatch.

The administrator launches BatchPatch on the internet-connected computer, and then configures BatchPatch to run in ‘offline mode.’ Once in ‘offline mode’ BatchPatch is used to check each target computer for available updates. Any needed updates are then downloaded by BatchPatch and distributed to the offline computers. The full tutorial is available here: Partially Offline Patch Management

Fully Offline Patch Management for Less Stringent High-Security Networks

This mode is for networks that have no direct internet access and no direct WSUS access and no direct communication with a computer that has internet access. In this mode, the administrator will be required to transfer a single text file from the offline network to an online network.

The administrator launches BatchPatch on a computer connected to the offline network. This computer is used to initiate the scan for available updates on all target computers. When all targets have finished checking for available updates, the BatchPatch computer creates a report of all needed updates. This report is exported to a single text file and transferred to an internet-connected computer via a USB flash drive or whatever method is convenient. On the internet-connected computer, the single text file is loaded into BatchPatch so that BatchPatch can download all of the updates included in the file. Once the updates are downloaded they are transferred back to the offline network where BatchPatch is then used to distribute them to all the target computers. The full tutorial is available here: Fully Offline Patch Management for Lower-Security Networks

Fully Offline Patch Management for More Stringent High-Security Networks

This mode is for networks that have no direct internet access and no direct WSUS access and no direct communication with a computer that has internet access. In this mode, no files are ever transferred from the high-security network to another network.

The administrator launches BatchPatch on an internet-connected computer. BatchPatch is then used to download *all* Windows security updates for whichever operating systems are going to be patched. After all of the updates are downloaded, the entire repository is transferred to the offline network. BatchPatch is then launched on a computer in the offline network, and it is used to distribute all of the previously downloaded updates to target computers. The full tutorial is available here: Fully Offline Patch Management for High-Security Networks
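
When a repository is carried across a network boundary, it is worth proving that what arrives is what was downloaded. The following added example (not BatchPatch code) checks Authenticode signatures and writes a SHA-256 manifest on the connected side, then re-checks the hashes on the offline side; the function names, paths and the expected publisher string are assumptions.

```powershell
# Added example (not BatchPatch code). Paths and function names are placeholders.
$PackageExtensions = '.msu', '.cab', '.exe', '.msi', '.msp'

# Connected side: keep only packages with a valid signature from the expected
# publisher and record their SHA-256 hashes in a CSV manifest.
function New-UpdateManifest {
    param(
        [Parameter(Mandatory)] [string] $RepositoryPath,
        [Parameter(Mandatory)] [string] $ManifestPath,
        [string] $ExpectedPublisher = 'O=Microsoft Corporation'
    )
    $root = (Resolve-Path -LiteralPath $RepositoryPath).ProviderPath.TrimEnd('\')
    $rows = @(Get-ChildItem -LiteralPath $root -Recurse -File |
        Where-Object { $PackageExtensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                RelativePath    = $_.FullName.Substring($root.Length + 1)
                SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                SignatureStatus = [string]$sig.Status
                Signer          = $subject
                Trusted         = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedPublisher*")
            }
        })

    $rows | Where-Object { $_.Trusted } |
        Select-Object RelativePath, SHA256, Signer |
        Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8

    # Return the packages that were left out of the manifest so they can be reviewed.
    $rows | Where-Object { -not $_.Trusted }
}

# Offline side: recompute hashes and compare against the manifest. Signature
# validation is not repeated here; only the hashes are compared.
function Test-UpdateManifest {
    param(
        [Parameter(Mandatory)] [string] $RepositoryPath,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $RepositoryPath).ProviderPath.TrimEnd('\')
    $expected = @{}   # case-insensitive keys, which suits Windows paths
    Import-Csv -LiteralPath $ManifestPath | ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }

    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File) {
        $rel = $file.FullName.Substring($root.Length + 1)
        if (-not $expected.ContainsKey($rel)) {
            [pscustomobject]@{ RelativePath = $rel; Result = 'NotInManifest' }
            continue
        }
        $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $result = if ($actual -eq $expected[$rel]) { 'OK' } else { 'HashMismatch' }
        [pscustomobject]@{ RelativePath = $rel; Result = $result }
        $expected.Remove($rel)
    }
    # Anything still listed was in the manifest but did not arrive.
    foreach ($rel in $expected.Keys) {
        [pscustomobject]@{ RelativePath = $rel; Result = 'Missing' }
    }
}

# Example use (placeholder paths):
#   New-UpdateManifest  -RepositoryPath 'D:\UpdateRepo' -ManifestPath 'D:\manifest.csv'
#   Test-UpdateManifest -RepositoryPath 'E:\UpdateRepo' -ManifestPath 'E:\manifest.csv' |
#       Where-Object { $_.Result -ne 'OK' }
```

The manifest is only as trustworthy as its transport: record the manifest file's own SHA-256 separately and check it before running `Test-UpdateManifest`.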


Uninstalling Internet Explorer (IE) 9, 10, 11 from Multiple Computers

We recently received a request to post a tutorial that demonstrates how to use BatchPatch to remove Internet Explorer (IE) versions 9, 10, and 11 from target computers. No problem. Below is a step-by-step guide to removing previous versions of Internet Explorer.

Microsoft explains here how to use the command line to perform an IE uninstallation. We’re going to utilize this method from inside of BatchPatch to execute the removal on multiple machines simultaneously.

  1. First let’s create a simple cmd/bat file that contains the commands we need to uninstall Internet Explorer. On your computer create a text file and name it something similar to “Uninstall IE 9-10-11.cmd”
  2. Paste the following lines into the body of the cmd file:
    REM Remove IE 9
    FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*9.*.mum /c "cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /norestart"
    
    REM Remove IE 10
    FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*10.*.mum /c "cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /norestart"
    
    REM Remove IE 11
    FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*11.*.mum /c "cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /quiet /norestart"

    Note, if you only want to remove a particular version of IE instead of removing all 3 versions that we’re removing, then modify the .cmd file to only contain removal code for the versions that you want to remove.

  3. Now we can highlight the desired target hosts in our grid, and then select ‘Actions > Deploy > Create/modify deployment’. We are going to configure the deployment to deploy the .CMD file that we created in the previous step.
  4. Finally we can execute the uninstallation by clicking ‘Execute now’ in the ‘Deployment’ window.
  5. When the script completes, it’s not a bad idea to reboot the target computers, which you can do from the BatchPatch console using ‘Actions > Reboot.’

Deploying Internet Explorer 11 (IE11) to Multiple Computers

We got a request earlier today asking “How do I deploy IE 11 using BatchPatch?” I’ve posted a tutorial below that explains the process.

  1. First you’ll need to download the offline installer package for IE11 from Microsoft. At the time of this writing, you can find the Internet Explorer 11 Offline Installer for Windows 7 and Windows Server 2008 R2 posted here: https://support.microsoft.com/en-us/help/18520/download-internet-explorer-11-offline-installer. For this tutorial I’ve downloaded the English installer for Windows Server 2008 R2 SP1.
  2. Next select the hosts in the grid that you want to deploy IE11 to. Then select ‘Actions > Deploy > Create/modify deployment.’ Select the file to deploy, and then add the following parameters:
    /quiet /norestart

    All of the available command line parameters for the IE setup file are listed here: https://technet.microsoft.com/en-us/library/cc817409.aspx

    For our example, the /quiet parameter is absolutely necessary to tell the installer package to not prompt the user for any input. We need the deployment to complete without any user interaction. The /norestart parameter is optional, but we’ll use it to prevent a restart from occurring until we’re ready to initiate the restart ourselves, using BatchPatch.

  3. At this point you can click on the ‘Execute now’ button to deploy IE 11 to the selected target computers in the grid. Then wait until it completes. That’s all there is to it! If you used the /norestart parameter just as I did, then you might have to restart your machines in order for the installation to be finalized/completed. You can initiate a restart from the BatchPatch console using ‘Actions > Reboot.’

Remotely Install Java 8 on Numerous Computers Simultaneously

It looks like the team working on Java has made it easier, finally, to perform offline installations of their software. The tutorial below takes advantage of the Java offline installer to deploy Java 8 Update 101 using BatchPatch. Note, we have an older tutorial on our site posted for deploying Java version 7 to multiple computers. However, it looks like now with the offline installer you should just be able to follow this new tutorial below, even if you are deploying an older version of Java.

  1. Download the offline Java installer for Windows. At the time of this writing, the Java offline installer for Windows is available from here: https://www.java.com/en/download/manual.jsp. Make sure to get the correct version for your target OS (x64 vs x86). For this tutorial I have downloaded the file titled Windows Offline (64-bit) from their site.
  2. In BatchPatch, create the deployment. Go to ‘Actions > Deploy > Create/modify deployment’
  3. In the deployment window, I’ve given a title to the deployment, and I have selected the jre-8u101-windows-x64.exe that I downloaded a moment ago. Additionally, I have added the following command line parameters:
    /s WEB_JAVA=0


    The /s tells the installer to work silently, without user interaction. This is always necessary when using BatchPatch to perform the installation. If the installer on the target computer requires user interaction, then the deployment will appear to hang indefinitely without ever completing. So, in order to perform a remote installation, we always use the silent installation parameter for the installer package. In this case that parameter is /s. The second parameter that we’re using is WEB_JAVA=0, which tells the installer to configure the Java installation to NOT be available to web browsers.

    Unless you have a very strong reason to enable Java in your web browsers, it is highly recommended to disable it for the sake of protecting your computers. Java enabled in the browser has been a major vector for delivering malware in the past decade, so it’s much safer to keep it disabled.

    You can see all of the available command line installer options here: https://www.java.com/en/download/help/silent_install.xml

  4. Before proceeding to install Java, one important thing to keep in mind is that the Java installer typically needs web browsers to be closed on the target computers. Failing to close any web browsers before installing or uninstalling Java could cause the process to hang or not complete or it might simply require a reboot in order to complete the process. Consider killing all browser sessions with Actions > Services/Processes > Kill specific running process by name to kill firefox.exe, chrome.exe, and iexplore.exe on target computers.
  5. At this point we’re pretty much ready to execute the deployment. If you already have your target computers added to the grid, you can simply highlight them and choose the option to ‘Execute now.’ In my case, I haven’t yet added any hosts to the grid. So instead I’m going to save the deployment using the double-arrow button >>. When you save a deployment it appears in the ‘Saved Deployments’ grid.


  6. I have now added my target host to the grid. I will execute the deployment by selecting my target host(s), and then choosing ‘Actions > Deploy > Execute saved deployments > Java 8u101 x64’


  7. Click OK on the deployment confirmation dialog.


  8. About a minute later the deployment completes with Exit Code: 0 (SUCCESS).


    I am able to see on my target computer that the Java installation now appears in the add/remove programs wizard.


Windows Patch Management without WSUS

To WSUS or not to WSUS, that is the question!

A lot of folks simply do not want to invest the time or infrastructure to set up a WSUS server, so today we’re going to talk a bit about how to use BatchPatch for Windows patch management as well as 3rd party patch management *without* using WSUS.

Before I get started, I do want to take a moment to highlight that BatchPatch is also able to work great *with* WSUS, which is both free and easy to install and use, and can be run on a small virtual machine at minimal cost. That said, if you’re scared to use WSUS simply because you think it’s going to add complexity to your life, don’t worry. It truly is quick, easy, and painless to get up and running. We have a WSUS setup tutorial posted here if you need assistance: How to Setup a New WSUS Server from Scratch on Windows Server 2012 R2


For those of you looking for a patch management solution that does not rely on WSUS, BatchPatch works fantastically as a stand-alone alternative to or replacement for WSUS…

First let me acknowledge that there are always people out there who will say “Don’t bother with a third-party Windows Update patch management solution when you can just use group policy to download and install updates on computers.” However, what these people tend to fail to realize is that in many environments, this kind of methodology simply doesn’t provide an acceptable level of control and monitoring of the process. If you are responsible for an environment where uptime of your servers simply *isn’t* important, then group policy alone might be sufficient. However, if you manage critical servers that cannot be down or offline outside of scheduled maintenance windows, then you will inevitably get into trouble if you try to rely on just group policy alone, especially if your maintenance windows are small. There are a few reasons why this is the case, which I’ll get into momentarily. Ultimately the decision is always yours to make, of course, but do understand that regardless of specific requirements, a patch management tool such as BatchPatch was designed specifically to save you a massive amount of time on systems maintenance, while also minimizing pain and effort. Efficiency is the name of the game… and we all know time is money.

The problem with relying on *only* group policy to handle your entire download, install, and reboot process for Windows Updates

If you’re relying on group policy alone to download, install, and then reboot your critical servers, you cannot monitor the process in real-time. When dealing with any number of servers beyond just a handful, you’re going to need and want to be able to watch the process in real-time to ensure that all applicable updates are successfully installed, that all servers are properly rebooted, and that all servers come back online within your maintenance window and start hosting whatever services they are responsible for hosting. If you don’t have a way to monitor this in real-time, then you are stuck with the following potential issues:

  • Some updates fail to install: In this case, to track down which updates failed to install on which servers is not only difficult to determine quickly, but it also becomes increasingly likely that your maintenance window will end before you find and resolve all the failed update installations, leaving your servers potentially vulnerable until the next maintenance window.
  • The server hangs during reboot either on its way down or on its way back up: If the server hangs during shutdown, then you’ll probably never discover it during your maintenance window. The updates therefore will never be applied completely, and your server will be in a potentially unstable and/or vulnerable state until the next maintenance window. If the server hangs after shutdown but before coming back online, then whatever services it’s hosting will be offline. Since you probably shut off your server alerts during the maintenance window, you won’t learn that the server is offline until the window ends. At that point you’ll be scrambling to get the server back online after the maintenance window is already over. Clearly this is *not* good for service level agreements (SLAs).
  • Services fail to start after reboot: Since you will likely have your alert system disabled during the maintenance window, you won’t discover that critical services never started on particular servers until the maintenance window ends, which again is simply not good for SLAs.
  • Knowing the download/install/reboot status of any given server during the maintenance window is near-impossible: Without real-time monitoring, you simply can’t tell what the status of each server is during the maintenance window.

On-Demand Download, Installation, and Monitoring of Windows Updates and Reboots on Numerous Computers

Scenario 1:

BatchPatch Default Mode – No Caching (All computers have access to the internet)

In its default configuration, you can use BatchPatch to easily manage the download and installation of Windows Updates on target computers. In this out-of-the-box configuration BatchPatch uses Microsoft’s public Windows Update server to first determine which updates are available to install on each target computer, and then to download and install the applicable updates on each machine, ending with a reboot if required in order to complete the installation process. The whole sequence can be initiated from and monitored by the BatchPatch console with just a single click.

Using BatchPatch To Remotely Install Windows Updates


Scenario 2:

BatchPatch Cached Mode (All computers have access to the internet)

In the online cached-mode configuration, BatchPatch still uses Microsoft’s public Windows Update server to determine which updates are available to install on each target computer. However, instead of each target computer downloading its own copy of any needed / available updates, BatchPatch downloads all updates just one time to a single local repository, and then from there it distributes copies of the updates to target computers. Cached-mode can therefore reduce overall bandwidth usage to the internet, though local network bandwidth usage might be increased.

Using BatchPatch In Cached Mode


Scenario 3:

BatchPatch Cached Mode + Offline Mode (The BatchPatch computer has internet access. Target computers do not have internet access but they do have connectivity to the BatchPatch computer)

In this first offline cached-mode configuration, BatchPatch does not rely on Microsoft’s public Windows Update server to determine which updates are available to install on target computers. Instead, the offline scan file (WsusScn2.cab) that Microsoft publishes each month is downloaded by BatchPatch and used for offline scanning to determine which updates are needed by computers when those computers are not able to access Microsoft’s public Windows Update server.

Using BatchPatch In Offline Mode When BatchPatch Has Internet Access


Scenario 4:

BatchPatch Cached Mode + Offline Mode (Target computers do not have access to the internet, but administrators are able/allowed to transfer or copy files from this network to another network that has access to the internet. BatchPatch is run in two separate instances – one instance on a computer that has internet access in order to obtain updates, and one instance on the offline network in order to deploy the updates to target computers)

In this second offline cached-mode configuration, BatchPatch does not rely on Microsoft’s public Windows Update server to determine which updates are available to install on target computers. Instead, the offline scan file (WsusScn2.cab) that Microsoft publishes each month is downloaded by BatchPatch and used for offline scanning to determine which updates are needed by computers when those computers are not able to access Microsoft’s public Windows Update server.

Using BatchPatch In Offline Mode When BatchPatch Does Not Have Internet Access


Scenario 5:

BatchPatch Cached Mode + Offline Mode (Target computers do not have access to the internet. These computers are connected to a high-security network with strict rules that disallow administrators and users from transferring or copying any files from the high-security network to a lower-security network. BatchPatch is run in two separate instances – one instance on a computer that has internet access in order to obtain updates, and one instance on the offline network in order to deploy the updates to target computers)

In this third offline cached-mode configuration, BatchPatch does not rely on Microsoft’s public Windows Update server to determine which updates are available to install on target computers. Instead, *all* available updates for a given operating system may be downloaded in advance by the administrator. Once pre-downloaded, the updates may then be moved to a high-security network for subsequent deployment to computers on that network.

Downloading Windows Updates for Distribution to Offline Computers on High-Security Networks


How to Setup a New WSUS Server from Scratch on Windows Server 2012 R2

We are starting with a brand new, unmodified, stand-alone installation of Windows 2012 R2.

  1. In the Server Manager, click on ‘Add roles and features.’
  2. The ‘Add Roles and Features Wizard’ is presented. Click ‘Next.’
  3. For the ‘Installation Type’ we’ll select ‘Role-based or feature-based installation.’
  4. For ‘Server Selection’ I’ve selected the local machine.
  5. In the ‘Server Roles’ screen, scroll to the bottom and select ‘Windows Server Update Services.’ This will immediately bring up a new window, describing that other features and services are required to be installed. Click ‘Add features’ on this window, and then click ‘Next’ on the remaining window.


  6. For ‘Features’ simply click ‘Next.’
  7. On the ‘WSUS’ window, click ‘Next.’
  8. For ‘Role Services’ we are once again going to leave the defaults as-is and click ‘Next.’
  9. For the ‘Content’ screen we need to enter a local directory to keep all of the WSUS content that is downloaded. On my server I’ve selected C:\WSUS. Normally I would use a drive that doesn’t also contain the OS, but for the sake of this tutorial I’m using a virtual machine with only a single drive. Make sure that whatever location you specify has plenty of free space. In this window Microsoft is officially recommending to have at least 6GB of free space, but I’d say shoot for a minimum of 30GB free space, otherwise you’ll end up running out soon and need to do cleanup. Since disk space is relatively cheap these days, it makes more sense to provide plenty of room, so that you have less disk space maintenance to deal with in the future.
  10. On the ‘Web Server Role (IIS)’ screen, click ‘Next.’
  11. On the ‘Role Services’ screen, leave the defaults as-is and click ‘Next.’
  12. On the ‘Confirmation’ screen I have checked the box to ‘Restart the destination server automatically if required.’ Click ‘Yes’ to confirm automatic restarts.
  13. Finally click ‘Install’ to proceed with the WSUS installation. The WSUS server along with all required services and features will be installed.
  14. The installation only took about a minute on my lab machine. Next click on ‘Tools > Windows Server Update Services’ in the ‘Server Manager’ window. You will be prompted to complete some post-installation configuration tasks.
  15. We are prompted to ‘Complete WSUS Installation’ and choose whether or not to store updates locally. If you de-select this check box, your WSUS will not download any updates. Instead, it would only be used to control which updates are approved for your target computers. However, updates would then still be downloaded by each target computer directly from Microsoft. This is rarely the desired use for a WSUS server, so we recommend leaving the default as-is to ‘Store updates locally’ for most situations. Click ‘Run’ to run the post-installation task. When it completes a few seconds later, click ‘Close.’
  16. After clicking ‘Close’ on the previous screen, the ‘Windows Server Update Services Configuration Wizard’ will be displayed. Click ‘Next’ to proceed.
  17. Decide whether or not you would like to join the Microsoft Update Improvement Program, and then click ‘Next.’
  18. If you already have an existing WSUS server in place, you may optionally choose to synchronize the newly installed server from an existing WSUS server. However, I expect that most people following this tutorial will want to synchronize from Microsoft Update. Select your desired source, and then click ‘Next.’
  19. If your environment requires a proxy server to access the internet, then you can configure the proxy server settings. If no proxy, simply click ‘Next.’
  20. Click ‘Start Connecting’ to continue. This process might take a little while to complete. When it’s done, click ‘Next.’

  21. Choose your desired languages, and then click ‘Next.’
  22. Choose your desired products, and then click ‘Next.’ You can always add more (or remove) later, so start with only the ones that you are sure you need, like the OS updates for whatever operating systems you currently have deployed to target computers.
  23. Choose your desired classifications, and then click ‘Next.’ The default values are just ‘Critical,’ ‘Definition,’ and ‘Security Updates,’ but we strongly recommend that you also include ‘Update Rollups’ and ‘Updates’ because Microsoft releases updates under these two classifications that they deem to be ‘Important.’

    IMPORTANT: Do not select ‘Upgrades’ until after you have installed KB3095113 on your WSUS server. If you enable ‘Upgrades’ before installing KB3095113, then you will need to follow instructions here to fix your WSUS to be able to support Windows 10 feature upgrades like the 1607 anniversary update or the 1703 update.

    Please also note we have noticed that if you install all applicable Windows Updates to the server prior to enabling ‘Upgrades’, then you actually will not be able to install KB3095113 because in the process of installing all applicable updates, the content of KB3095113 appears to be included in one of the other updates, and KB3095113 will not appear in your update history.

  24. Choose a synchronization schedule. For most environments, once per day is probably sufficient.
  25. Lastly, you may choose to begin the initial synchronization. The first synchronization always takes the longest, so at this point you can plan on checking back every hour or two to see if it has completed. Click ‘Finish’ to proceed.
  26. Now that WSUS has been configured, you’ll want to use GPO to configure your target computers to get their updates from your new WSUS server. Please review the section titled ‘Our recommended approach to using BatchPatch with WSUS’ on this page to learn which settings to use.
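
To confirm that the classification and schedule choices from steps 23 through 25 took effect, they can be read back from the WSUS server. This PowerShell snippet is an added example, not part of the original tutorial; it assumes the UpdateServices module on an English-language WSUS server, where the classification titles match those in `$recommended`.

```powershell
# Added example: audit the WSUS subscription against the tutorial's recommendations.
# Run in an elevated PowerShell session on the WSUS server itself.
# Assumption: English classification titles as displayed by WSUS.
$recommended = 'Critical Updates', 'Definition Updates', 'Security Updates',
               'Update Rollups', 'Updates'

$wsus         = Get-WsusServer
$subscription = $wsus.GetSubscription()
$enabled      = @($subscription.GetUpdateClassifications() | ForEach-Object { $_.Title })

# Step 23: the three defaults plus 'Update Rollups' and 'Updates' should be present.
$missing = @($recommended | Where-Object { $_ -notin $enabled })
if ($missing.Count -gt 0) {
    Write-Warning "Recommended classifications not enabled: $($missing -join ', ')"
}

# Step 23 note: 'Upgrades' should only be enabled once KB3095113 is in place.
if ('Upgrades' -in $enabled) {
    $kb = Get-HotFix -Id 'KB3095113' -ErrorAction SilentlyContinue
    if ($kb) {
        "Upgrades is enabled and KB3095113 is listed (installed $($kb.InstalledOn))."
    } else {
        # Per the tutorial, the fix may have arrived inside another update and
        # then will not be listed, so this is a prompt to check, not a verdict.
        Write-Warning "Upgrades is enabled but KB3095113 is not listed in the hotfix history."
    }
}

# Steps 24-25: synchronization schedule and the result of the last run.
$last = $subscription.GetLastSynchronizationInfo()
[pscustomobject]@{
    EnabledClassifications = $enabled -join '; '
    AutomaticSync          = $subscription.SynchronizeAutomatically
    SyncsPerDay            = $subscription.NumberOfSynchronizationsPerDay
    LastSyncEnded          = $last.EndTime
    LastSyncResult         = $last.Result
}
```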

Reviewing the Core Functionality that BatchPatch Offers

Today I’d like to review some of the core functionality that BatchPatch offers. For systems administrators who need a controlled way to install Windows Updates on many computers at the same time, while monitoring their progress, automating the reboot process, and maximizing efficiency during maintenance windows, BatchPatch can’t be beat.

BatchPatch offers an extremely simple and reliable toolset to perform the following tasks (and more):

Additional Resources:


Download the Complete Windows Updates Security Repository per Operating System

In the most recent release of BatchPatch (June 2016) we added new functionality that enables administrators to download *all* Windows security updates for a given operating system. There are various reasons why someone might want or need to do this. The most common one we have encountered is that the computers to be updated have no internet access and are members of a high-security network with strict rules that prevent admins from copying files from computers in the high-security environment to computers in a lower-security environment. At https://batchpatch.com/cached-mode-and-offline-updates we have a number of tutorials posted that explain how to update computers on offline networks.

If you simply want or need to download all of the Windows Updates security updates for a given operating system, below are simple instructions for doing that.

  1. In BatchPatch select ‘Tools > Download offline updates repository’
  2. In the window that appears, tick the box for each operating system that you need updates for. Additionally, select at least one language preference. Older operating systems require separate files for each language while the newer operating systems have multi-lingual files. After selecting the desired options, click OK.
  3. Wait while BatchPatch downloads the WsusScn2.cab file from Microsoft, and then parses it to extract the relevant Windows Update download links.
  4. After a minute or so a new window will appear showing a grid full of Windows Update download URLs and filenames.
  5. You can sort the list and remove any updates that you don’t want to download by highlighting the desired rows and right-clicking to select the ‘Delete selected rows’ option. When you’re ready to initiate the download process, click on ‘Download files to local cache.’
  6. The next window that appears will allow you to control the download process.
  7. If you plan to distribute these updates using BatchPatch, please review the various methods for doing this at https://batchpatch.com/cached-mode-and-offline-updates.
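
Because the repository built in the steps above is usually destined for an isolated network, it is worth checking every downloaded file before it is transferred. The following PowerShell script is an added example, not part of BatchPatch or the original tutorial; the folder and manifest paths are hypothetical, and it assumes the cached files carry Authenticode signatures that `Get-AuthenticodeSignature` can read (any file it cannot validate is rejected).

```powershell
# Added example. Build a manifest of signed files on the download side, then
# run again with -Verify on the isolated side. Default paths are hypothetical.
param(
    [string]$CacheDir     = 'C:\UpdateCache',
    [string]$ManifestPath = 'C:\UpdateCache-manifest.csv',
    [switch]$Verify
)
$root = (Resolve-Path -LiteralPath $CacheDir).Path.TrimEnd('\')

if ($Verify) {
    # Isolated side: every manifest entry must exist and hash to the recorded value.
    $bad = foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $path = Join-Path $root $row.Path
        if (-not (Test-Path -LiteralPath $path) -or
            (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $row.SHA256) {
            $row.Path
        }
    }
    if ($bad) { Write-Warning "Missing or altered: $($bad -join ', ')"; exit 1 }
    'All files match the manifest.'
    exit 0
}

# Download side: record the hash and Authenticode result for every cached file.
$results = foreach ($file in Get-ChildItem -LiteralPath $root -File -Recurse) {
    $sig     = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path      = $file.FullName.Substring($root.Length + 1)
        SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = $subject
        # Heuristic: the chain validates on this machine and the signer names Microsoft.
        Trusted   = ($sig.Status -eq 'Valid' -and $subject -match 'O=Microsoft Corporation')
    }
}

$untrusted = @($results | Where-Object { -not $_.Trusted })
if ($untrusted.Count -gt 0) {
    Write-Warning "$($untrusted.Count) file(s) lack a valid Microsoft signature:"
    $untrusted | Format-Table Path, SigStatus, Signer -AutoSize
}
# Only files that passed go into the manifest that travels with the media.
$results | Where-Object { $_.Trusted } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
"{0} trusted, {1} rejected" -f (@($results).Count - $untrusted.Count), $untrusted.Count
```

The `-Verify` pass only checks files named in the manifest, so anything extra that appears in the folder on the isolated side should be treated as unexpected. Carry the manifest by a path you trust at least as much as the media itself.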