"Failed to add scan package service" when attempting to use offline + cached

  • #8623
    amartin
    Participant

    Hello,

    I am currently evaluating BatchPatch. I think the best solution for my environment will be to use “offline mode” and “cached mode” to save on bandwidth and make the client computers check for updates from the offline file. I configured BatchPatch in “offline mode” and “cached mode” as per these instructions:

    I then attempted to run both with a set of domain administrator credentials as well as a local administrator, but in both cases on several different test machines, it fails with this error:

    -198: Failed to add scan package service. HRESULT: -2146885619

    Note that copying over wsusscn2.cab seems to work fine, it’s just a step after that which is failing. I tried disabling Windows Firewall completely but that did not improve the situation. What can I do to debug this error and get it working?

    Thanks!

    #9645
    doug
    Moderator

    The only time we have ever seen a failure to add the scan package service is when the wsusscn2.cab file is corrupt/partial/incomplete. To resolve this, delete the wsusscn2.cab file in the BatchPatch cache folder. This will force BatchPatch to re-download the file and re-copy it to target machines for consumption.

    The actual error code is produced by the Windows Update Agent, and its translation is:

    0x8009200D -2146885619 Crypt_E_Bad_Msg Not a cryptographic message or the cryptographic message is not formatted correctly

    You may also see this message, which has a similar cause:

    0x80096010 -2146869232 Trust_E_Bad_Digest The digital signature of the object did not verify

    I believe that this message confirms that the wsusscn2.cab file that you have is likely failing a signature validity check, so you should re-download it and try again.


    Separately, I would personally suggest/recommend that unless you are truly very bandwidth-constrained that you just use regular mode (not cached mode and not offline mode) because regular mode will be significantly faster, and because it is less complex.

    Additionally, if you really want to use cached mode, then go ahead. It certainly works nicely. However, I would then suggest that you do not use offline mode unless you truly require it. Offline cached mode will be even slower than online cached mode, and it also does not include 100% of the updates that Microsoft offers via the regular Windows Update channel. It really is intended for usage on computers that have no access to update with the other methods. Again, it works nicely, but I think it’s only worth using in situations where the other options are not possible.

    This is just my personal opinion. You are of course welcome to use any of the options that you desire.

    -Doug

    #9646
    amartin
    Participant

    Hi Doug,

    Thanks for the help! I deleted C:\Users\<user>\AppData\Local\Cocobolo_Software,_LLC\BatchPatch\cache\wsusscn2.cab from the machine where I have BatchPatch, however even after doing that and re-running I still got the “failed to add scan package service” error. I then went and deleted the copy of wsusscn2.cab that was on the clients in C:\Program Files\BatchPatch (it was still the old version) and after doing that it looks like it is working! Is there a way to clear the Remote Working Dir (C:\Program Files\BatchPatch) since that’s where the corrupt copy of wsusscn2.cab lives on the remote machines? It would be nice to be able to clear it out from all of them at once.

    Regarding offline + cached mode, which updates are not available via this method? I am really only interested in security updates, so as long as those are all available via this method, it should be fine for my use case. The reason why I am trying offline + cached is I have found the Windows Update “check for updates” task to take many hours to complete on some clients. I think this is just due to inefficiencies in Windows Update and attempting to retrieve the list of updates and calculate the difference of which updates to apply vs which are installed. I was hoping that the offline mode might be faster in this case since it’s just comparing to a local file.

    #9647
    doug
    Moderator

    OK glad you got it figured out. You can use ‘Tools > Delete remote working directory’ to get rid of that dir on all the systems, but just be careful and use it with caution, of course.

    As for slow check for Windows Updates on some systems, please have a look at this link, which might resolve your issue: checking-for-available-windows-updates-on-windows-7-targets-take-too-long

    Generally speaking I have never witnessed better performance from the WsusScn2.cab vs online Windows Update, but you can see how it goes.

    The WsusScn2.cab file will only provide you with security updates, but in our tests we have found that inevitably it seems to not include some updates that one would expect to be included. This is something that you’ll have to test and compare and decide for yourself.

    -Doug

    #9648
    doug
    Moderator

    ‘-198: Failed to add scan package service. HRESULT: -2146885619’

    We have now been able to reproduce the above error. It seems that in some cases when downloading the WsusScn2.cab file from Microsoft, there is no digital signature on the file. This seems to be due to some kind of error/mistake at Microsoft, but it’s hard to say for sure. This month, in particular, I’m seeing this behavior for the first time. I suspect that they have multiple copies of the file hosted on their servers, and they simply forgot to sign one of them. When you download the file from them, depending on which server you download it from, you either get a signed or unsigned version.

    You can confirm the digital signature by right-clicking on the file and selecting ‘Properties > Digital Signatures,’ which you can see in the screenshot below.

    [Screenshot: WsusScn2.cab]

    If the ‘Digital Signatures’ tab is missing, then you will receive the following error in BatchPatch when using offline cached mode:

    ‘-198: Failed to add scan package service. HRESULT: -2146885619’

    To resolve the issue, delete the wsusscn2.cab file from your BatchPatch cache folder, and then let BatchPatch re-download the file. Verify that on the re-downloaded file the signature is intact.

    At the time of this writing, even though BatchPatch will download a new WsusScn2.cab file to the BatchPatch cache directory, it will not replace the WsusScn2.cab file on target computers if the file appears to BatchPatch to be the same version of the file. In a future release of BatchPatch we will likely provide functionality to overwrite the target computer WsusScn2.cab even if the source file is the same version. However, until such a time when this functionality exists in BatchPatch, you will need to delete the missing-signature-WsusScn2.cab file on target computers, so that BatchPatch can copy the signature-included-WsusScn2.cab file.

    To delete the WsusScn2.cab file on target computers you may use the following BatchPatch command:

    Remote Command 3/4 (logged output):

    del /Q "C:\Program Files\BatchPatch\wsusscn2.cab"
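
The signature check described in the post above can be scripted instead of opening the Properties dialog on each copy. This is an added example, not BatchPatch code and not part of the original thread: it checks the cached wsusscn2.cab and the copies on target machines, and converts the logged decimal HRESULT to hex. It assumes the paths reported in this thread and admin-share (C$) access to the targets; `Test-ScanCab`, `ConvertTo-HResultHex`, `$Targets` and the host names are hypothetical.

```powershell
# Added example, not BatchPatch code. Function names, $Targets and the host
# names are hypothetical; the file paths are the ones reported in this thread.

function ConvertTo-HResultHex {
    # BatchPatch logs the HRESULT as a signed decimal; error references use hex.
    param([Parameter(Mandatory)][int]$Code)
    '0x{0:X8}' -f $Code
}

function Test-ScanCab {
    # Reports the Authenticode status of one wsusscn2.cab copy.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # File absent, or the share could not be reached.
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Signer = $null; Usable = $false }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # SignerCertificate is $null when the file carries no signature at all.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        Path   = $Path
        Status = [string]$sig.Status      # e.g. Valid, NotSigned, HashMismatch
        Signer = $signer
        Usable = ($sig.Status -eq 'Valid')
    }
}

# Cache copy on the BatchPatch console plus the copy in each target's working dir.
$cache   = Join-Path $env:LOCALAPPDATA 'Cocobolo_Software,_LLC\BatchPatch\cache\wsusscn2.cab'
$Targets = 'PC01', 'PC02'                 # constructed sample host names
$paths   = @($cache) + @($Targets | ForEach-Object {
    "\\$_\C`$\Program Files\BatchPatch\wsusscn2.cab"
})

$results = $paths | ForEach-Object { Test-ScanCab -Path $_ }
$results | Format-Table -AutoSize

# Copies that exist but would fail the signature check: delete and re-copy these.
$results | Where-Object { -not $_.Usable -and $_.Status -ne 'Missing' } |
    Select-Object -ExpandProperty Path

# The HRESULT from the '-198' error line, in the hex form quoted earlier in the thread.
ConvertTo-HResultHex -Code -2146885619
```

A `Status` of `NotSigned` on a copy corresponds to the missing ‘Digital Signatures’ tab described in the post above.
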

    #9649
    amartin
    Participant

    Hi Doug,

    Thanks for the update! An update on my testing and evaluation – clearing the remote directory via ‘Tools > Delete remote working directory’ worked and I was able to successfully scan for updates (although the remote command you posted would be more precise). I then switched to online mode as you suggested (no cached and no offline), installed the two KBs mentioned in the link you posted to fix slow checking for updates, and re-ran “Download and install updates” in online mode. It seemed to work well, finishing installing updates in 2-3 hours on all machines so I think things are working well!

    One question I do have – if I use “Download and install updates + reboot if required”, will it reboot the Windows computer multiple times and keep checking for updates until it is 100% good (since it seems checking for updates after a reboot can find additional updates to install) or would I need to create a scheduled task with a series of “Download and install updates + reboot if required” chained together to achieve this effect?

    I plan on purchasing a BatchPatch license soon – thanks for all of your great support!

    #9650
    doug
    Moderator

    BatchPatch has a built-in feature ‘Actions > Windows Updates > Update + reboot cycle’ that will enable you to customize a routine to continually download/install + reboot over and over as many times as you want. This ‘Update + reboot cycle’ is essentially just a BatchPatch ‘Job Queue’ so you can also use the ‘Job Queue’ feature to do the same under ‘Actions > Job Queue > Create/modify’

    Job Queue Tutorial 1

    Job Queue additional info

    -Doug

    #9652
    amartin
    Participant

    Hi Doug,

    Great, this looks like exactly what I am looking for!
