Server 2016 and Windows 10 check for update issues
November 2, 2017 at 4:39 pm #8925 thenew3 (Participant)
We’ve noticed a strange issue with BatchPatch and Windows Server 2016 & Windows 10.
When we run a Windows updates check on the machine locally, nothing is found, but when we run a “Check for available updates” from BatchPatch, these same machines return 5 to 6 updates.
All the updates are HP printer drivers released in December 2012.
When I use BatchPatch to install these updates, it says installed successfully, but then a successive “check for available updates” returns the same 5 to 6 HP printer drivers again.
This is not affecting all Windows 2016 and Windows 10 machines, but just a small percentage (about 10%).
We do not use WSUS; we get updates directly from Microsoft.
How do we fix this issue? We are on the latest BatchPatch build, 2017.7.13.16.24.
Thanks
November 2, 2017 at 6:14 pm #10357 doug (Moderator)
If you are getting updates directly from Microsoft and not from WSUS, then under ‘Tools > Settings > Windows Update’ I would recommend that you change the configuration so that you are only searching for ‘Important’ and ‘Recommended’ instead of ‘All software’ and ‘All drivers.’
-Doug
November 2, 2017 at 8:06 pm #10358 thenew3 (Participant)
Thanks Doug, unfortunately our security dept requires us to scan all machines against Microsoft for all updates. We are not allowed to exempt any updates including drivers.
What’s strange is that this issue only started occurring about a week ago and on virtually identical machines. (i.e. I would have two identical Windows 2016 servers, one would show 0 updates while another would show 6 HP printer driver updates pending through BatchPatch.) Both machines would show no updates if you log in to them and manually run a check against MS.
So somehow either BatchPatch is getting wrong info, or it’s checking against MS in a different manner and only applying that to some (random it seems) machines.
November 2, 2017 at 8:52 pm #10359 doug (Moderator)
Here is what I can tell you…
1. BatchPatch is not getting wrong info. It submits a scan query to the Windows Update Agent (WUA) on the target computer, and then the WUA does its normal process to determine which updates are available, which it reports back to BatchPatch. The query that BatchPatch uses will be identical on each target computer *unless* you modify the search settings that I described in my previous posting such that you scan some computers with one setting and scan other computers with a different setting.
2. With regard to exempting updates, when you initiate the check for updates locally on a target computer, believe it or not but it is already exempting some updates, which is why you do not see the driver updates that you see when BatchPatch performs the scan. BatchPatch is using a query with a larger scope, in this case, than the local Windows Update interface is using. Both scans are being performed by the WUA. The difference is just with the search query and results filtering. Prior to Win 10 and Win 2016 Microsoft would display the driver updates in search results when scanning for updates using the local Windows Update interface. However, in 10/2016 we have noticed that they never display the driver update results. I have not seen any published reason for this behavior, but I believe it’s simply due to the fact that installing driver updates through the Windows Update interface is not reliable. I know you said that you are not allowed to exempt updates from scans, but under the hood that’s what is already happening when you use the Windows Update interface locally on the computer, so I still would recommend that you uncheck the ‘Drivers’ box in the BatchPatch search settings. It might be worth a discussion with the security and policy team to all get on the same page.
3. If you are seeing different results on some target computers in comparison to others, it’s not because of BatchPatch. It’s because the WUA on those target computers is returning different results. The only reason it would be returning different results is if the computers have different applications or hardware installed. Or it’s also possible that they are returning different results because some computers are scanning against Microsoft Update while others are scanning against Windows Update. This could occur if you have opted-in to the Microsoft Update service on some computers but not others. You can opt-in or opt-out a target computer by using the BatchPatch action ‘Actions > Windows Update > Opt-in/Opt-out’.
4. You can certainly always hide updates that you do not want to install or that cannot be installed. Then they will not appear in the search results anymore. I know you said you cannot exempt updates, but if you scan for updates and then decide that some of those updates should not be installed (like the HP driver updates you are talking about) then presumably your security team would allow you to simply hide them at the target so that they do not appear in future scans. BatchPatch can hide updates on the target using ‘Actions > Windows Update > Hide/unhide’
5. Lastly, in your original post you said that the updates appear to install but then when you reboot they are not installed. If you look at the BatchPatch.log (default location is C:\Program Files\BatchPatch\BatchPatch.log on target computers) more closely I think you will find that the updates are failing to install, and there will be a failure code next to each update. We need to improve the way that we are reporting success with some failures in comparison to success with no failures. At the moment, most installations either fail completely, which BatchPatch reports, or they complete successfully, which BatchPatch reports. In less common situations the installation of updates is partially successful (some updates install) and partially unsuccessful (some updates fail to install). BatchPatch reports these as “Succeeded With Errors” but unless you are paying close attention to what is being reported in the grid, you would likely just see the “Succeeded” part or the “Reboot required” part and assume that it was completed without any errors. We’ll work on this for a future build.
I hope this helps.
-Doug
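
Added example, not part of the original posts and not BatchPatch's own query: a PowerShell sketch that asks the Windows Update Agent on a target computer the same kind of questions discussed in the thread, namely which update services the machine is registered with, what a software-only scan returns compared with a driver-only scan, and what the agent's own history recorded for the pending driver titles. The search criteria strings are this example's choice, and it assumes an elevated session on the target.

```powershell
# Added example: run locally on the target computer in an elevated PowerShell session.
# Uses the Windows Update Agent (WUA) COM API; criteria strings are this example's choice.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Which update services is this machine registered with (Windows Update vs Microsoft Update)?
$manager = New-Object -ComObject Microsoft.Update.ServiceManager
$manager.Services |
    Select-Object Name, ServiceID, IsDefaultAUService, IsManaged |
    Format-Table -AutoSize

# Same agent, two scopes: software only, then drivers only.
$pending = foreach ($type in 'Software', 'Driver') {
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='$type'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Scope      = $type
            Title      = $u.Title
            # DriverVerDate exists only on driver updates; left empty for software.
            DriverDate = if ($type -eq 'Driver') { $u.DriverVerDate } else { $null }
        }
    }
}
$pending | Format-Table -AutoSize

# Install history for the pending driver titles. ResultCode values (WUA OperationResultCode):
# 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted.
$driverTitles = @($pending | Where-Object Scope -eq 'Driver' | ForEach-Object Title)
$count = $searcher.GetTotalHistoryCount()
if ($count -gt 0 -and $driverTitles.Count -gt 0) {
    $searcher.QueryHistory(0, $count) |
        Where-Object { $driverTitles -contains $_.Title } |
        Sort-Object Date -Descending |
        Select-Object Date, Title, ResultCode,
            @{ Name = 'HResult'; Expression = { '0x{0:X8}' -f $_.HResult } } |
        Format-Table -AutoSize
}
```

Running it on one machine that shows the HP driver updates and one that does not makes the differences in registered services and driver-scope results directly comparable.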