How to enforce BatchPatch to complete update a server/client

[jwiseguy]

Hi Doug,

BatchPatch has several settings that you can use. What is the optimal setting when you want to complete update a server. I want to absolutely sure the server has installed all the updates.

1. Download and install updates + reboot always

2. Wait for host to go offline and come back online

3. wuauclt.exe /resetauthorization /detectnow

4. Wait 1 minute

5. Download and install updates + reboot always

6. Wait for host to go offline and come back online

6. Wuauclt.exe /resetauthorization /detectnow

7. Wait 1 minute

8. Download and install updates + reboot if required

Health Check options:

6. Start stopped automatic services

7. Get stopped automatic services

8. Get C. disk space

9. Send email notification

[jwiseguy]

If anyone else knows this or have a good advice. Please give a reply.

[doug]

Hi jwiseguy – What you have listed is certainly fine. It seems like overkill to me, but there’s nothing wrong with it. I found that 99% of the time just a one time ‘download and install + reboot if required’ is sufficient. Occasionally a new update might appear after all other updates are installed, so a cycle that includes downloading/installing updates twice is probably sufficient. The third time is likely unnecessary. But overall what you’re doing is fine and it’s certainly not going to cause any problems. It should certainly ensure that you’ve downloaded and installed all available updates.

Note, when you say “all” updates, you might consider modifying your filters under ‘Tools > Settings > Windows Update.’ The only way to install EVERY possible update is to search for ‘Software’ and ‘Drivers’ and ALSO check all the boxes under ‘Update Classification Filtering.’ If you search for only ‘Important’ and/or ‘Recommended’ updates, some optional updates will not be installed. However, these may be updates that you don’t want installed. On my non-WSUS machines I use the ‘Important’ plus ‘Recommended’ checkboxes to download/install the updates that Microsoft deems important.

-Doug

[jwiseguy]

Hi Doug – You have absolutely right I want to be sure that every server has download and installed all the updates. Sometimes you see that after a reboot the server finds again new updates. I think we must try to see which option works best for us.

Maybe we keep it simple in the beginning and finetune it later.

[booster]

Hi jwiseguy

In my personal environment maintenance windows are exceptions and I’m facing the same question. What I can add:

a) try to manage your AV software to reduce the time of KB install

b) The step “wuauclt.exe /resetauthorization /detectnow” was only necessary for server not able to end a “check for available updates” (done prior the maintenance windows), otherwise I use it only for debugging (check my post on this forum for my particular case)

c) The point 4, “1 min”, is “5 min” in my setup. the 1 min is not enough when:

-host is patched

-reboot initiated by BP

-the update process continue after the reboot and initiate itself a second reboot

When this sequence occurs, the “Wait for host to go offline and come back online” is passed sometimes before the second reboot and the sequence failed. The 5 min solved the problem

d) My sequence plans 3 loops of KB detection, but I’m not forcing the reboot during loop 2 and 3 (may be unnecessary if all done during the first loop). I means for your:

Starting point 5:

Download and install updates + reboot if required

wait 1 min ##necessary otherwise next step is sometimes detected during the reboot process

Wait for host to be detected online

wait 5 min ## see point c), same explanation

++ again the the process for the 3rd loop if necessary

Obviously these comments are not general and applies to the environments I manage, I hope something will be useful for you

Regards

booster

[jwiseguy]

Hi Booster – I have changed my winning sequence 🙂 and use your advice.

1. Get stopped automatic services (To prove if automatic services already stopped before patching the server)

2. Download and install updates + reboot always (First Install)

3. Wait for host to offline and come back online

4. Wait 5 minutes

5. Download and install updates + reboot if required (Second Install if needed)

6. Wait 5 minutes

7. Download and install updates + reboot if required (Third Install if needed)

8. Wait 5 minutes

9. Start stopped automatic services

10. Get stopped automatic services

11. Get C disk space

12. Send email notification

Now a have 3 loops of Microsoft Updates detection. And yes 15 min. of total time of waiting but this sequence is start at night so this is for me not a problem.

[booster]

Hi jwiseguy

Seems good :), additional comments below:

a) Step 9: did you get at this point automatic services no running? The server is rebooted during step 2, and maybe a second time at step5 and step7. So far, manually stopped services should already run, but maybe you faced an issue with some stopped services. If the answer is yes, can you please share the list of problematic services?

b) During last steps I often add “Get last boot time” to help troubleshooting, if necessary

C) loop2 and 3: my last runs point me to the following sequence:

Download and install updates + reboot if required

wait 1 min ##necessary for next step

Wait for host to be detected online ## to start the next “wait” after the reboot

wait 5 min ##if a 2nd reboot is initiated by a KB after the 1st one

This block is the one I use for each loop following the initial one. I’m sure yours will work too anyway

Regards

Booster

[Author]

Posts