WSUS still reports 103 updates after running BatchPatch
February 13, 2017 at 5:10 pm #9327 flowbass (Participant)
We are running BP in both Cached and Offline modes on freshly built W2K12 R2 servers at our central location before deploying them to our remote sites with no Internet connection and very slow WAN links. We found close to 100 updates using BP which was great.
However, when we added the servers to our AD Domain and had them check in with our local WSUS it showed we still had 103 updates to apply. We would like to get Security, Critical, Updates, Update Rollups, and Feature Packs all applied before we ship these servers out to the field. Can BP accomplish this for us or does it only apply Security Updates?
February 13, 2017 at 5:25 pm #11518 doug (Moderator)
flowbass – When you use ‘offline mode’ only security updates can be applied. To apply other updates you must disable offline mode.
-Doug
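To see which classifications account for the updates a host still reports as missing, the Windows Update Agent COM API can be queried on the target itself. This is an added example, not part of the original thread or of BatchPatch; it assumes it is run locally on the server, and the search goes to whatever update source the host is configured for (the WSUS once policy points it there).

```powershell
# Added example: group the updates this host is still missing by classification.
# Run locally on the target server in an elevated PowerShell session.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Not installed and not hidden = what the update source still considers applicable.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0")

$rows = foreach ($update in $result.Updates) {
    # Each update carries several categories (product, company, classification);
    # keep only the classification ones, e.g. "Security Updates", "Critical Updates".
    $class = @($update.Categories |
               Where-Object { $_.Type -eq 'UpdateClassification' } |
               ForEach-Object { $_.Name })

    [pscustomobject]@{
        Classification = if ($class.Count) { $class -join ', ' } else { 'Unclassified' }
        MsrcSeverity   = $update.MsrcSeverity          # empty for non-security updates
        KB             = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ', '
        Title          = $update.Title
    }
}

# Summary: how many missing updates fall into each classification.
$rows | Group-Object Classification |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize

# Detail: everything that is missing and is not a security update.
$rows | Where-Object { $_.Classification -notmatch 'Security Updates' } |
        Sort-Object Classification, Title |
        Format-Table Classification, KB, Title -AutoSize
```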
February 13, 2017 at 6:56 pm #11519 flowbass (Participant)
Ok thanks Doug for the quick response. We were afraid of that.
Question for you: Do you know of another approach to patch up servers that have already been deployed out in remote locations that do not have Internet access and are connected to a slow WAN link (1.5mbps) back to the central WSUS? We are really scratching our heads on this one.
February 13, 2017 at 7:12 pm #11520 doug (Moderator)
A couple of possible approaches come to mind…
1. If you run BatchPatch inside the remote location in cached mode with all of the computers in that remote location pointing to the WSUS, then BP will pull updates from the WSUS to its local cache, so that it can then distribute them to target computers. Only a single copy of each required update will be pulled across the WAN link in this case, reducing the bandwidth required.
2. If you run a downstream WSUS server in each remote location this would give you a similar advantage. The downstream WSUS can pull updates across the WAN link, and then those updates can be distributed to the target computers without having to pull multiple copies of updates across the WAN link.
-Doug
February 15, 2017 at 5:44 pm #11522 flowbass (Participant)
Doug – It looks like the first scenario is what would work best for us. We are trying to initially keep the Windows updates process off the WAN link for now since our connections are really slow. Once we get our 4 or 5 sites caught up then we will start using our WSUS, AD, and Group Policy.
Here is what I am wanting to do. Let me know if this will work and if there are any settings I need to make sure I select before trying this:
1. Use our WSUS server that does have Internet access to download the necessary files from Microsoft’s update site based on what our existing remote Windows machines need; this means getting “all” updates, i.e., security, critical, updates and update rollups, etc., etc.
2. Take the files that were downloaded and then copy them to a USB stick and then FedEx the stick to an admin person at the remote site.
3. Have them plug the USB stick in to the machine that has BatchPatch and PSExec installed and then copy the cache directory from the USB stick to the local C:\BPCache directory and then deploy the updates from that machine to the local hosts.
Again, wanting to initially get our four or five sites that we have already deployed machines to caught up by not having to saturate the slow WAN link. And of course to get “all” Microsoft updates. Not just Security.
Thank you again sir.
February 15, 2017 at 6:50 pm #11523 doug (Moderator)
flowbass –
Here is what I would suggest.
Run BatchPatch in the same network as the WSUS because BatchPatch will be downloading updates from the WSUS into the BatchPatch cache. BatchPatch must be able to communicate with the target computers across the WAN, and the target computers must be able to communicate with the WSUS across the WAN. The target computers will not download their updates from the WSUS across the WAN, but they do need to be able to search the WSUS to determine which updates they need.
When you run BatchPatch you will run it with cached mode enabled (do not enable offline mode). Enter all of the target computers into the BatchPatch grid. You will need to execute ‘Actions > Windows Updates > Retrieve consolidated URL list of available updates’ for all hosts in the grid. However, to avoid congesting your WAN link you might want to do this in small batches or even one row at a time. You can use the row execution interval in BatchPatch (Tools > Row execution interval) as a way to select ALL hosts and execute that action, but to execute that action only one row at a time with X seconds in between each row. (You specify X seconds in ‘Tools > Row execution interval’.)
Once all hosts have completed ‘Retrieve consolidated URL list of available updates’ you will be able to either save that URL list for later or select ‘Download files to local cache’ in the URL list window that appears.
Once you have downloaded all the required files to the BatchPatch local cache you would need to FedEx that cache to the remote location.
Now in the remote location run an instance of BatchPatch with cached mode enabled (do not enable offline mode) on the computer that has the local cache attached. Make sure in ‘Tools > Settings > Windows update’ that the ‘Local update cache directory’ value is set to be the folder that contains all of the update files.
In BatchPatch select all of the target hosts and choose ‘Download and install updates + reboot if required’. The target hosts will once again be executing their search for updates on the WSUS across the WAN link, so you might want to use the row execution interval again or manually control how many hosts run at any one time. However, the “download” in this case will be BatchPatch pushing the update files from its local cache to the target computers. And since BatchPatch will be running with the local cache inside the remote network, the updates will not traverse the WAN link.
I hope this helps.
-Doug
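Because the cache leaves the building on removable media in this procedure, it is worth recording a hash manifest before shipping and checking it at the remote site before the cache directory is put to use. The following is an added example, not part of the original post or of BatchPatch; the function names and the paths in the usage comments are assumptions, and the manifest should travel separately from the USB stick (for example by e-mail) and be stored outside the cache directory.

```powershell
# Added example: SHA-256 manifest for a shipped update cache (function names are hypothetical).
function New-CacheManifest {
    param([Parameter(Mandatory)][string]$CacheDir,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path -LiteralPath $CacheDir).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Length       = $_.Length
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-CacheManifest {
    param([Parameter(Mandatory)][string]$CacheDir,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root     = (Resolve-Path -LiteralPath $CacheDir).Path.TrimEnd('\')
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath |
        ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }

    # Files listed in the manifest: must exist and hash to the recorded value.
    foreach ($rel in $expected.Keys) {
        $full = Join-Path $root $rel
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            [pscustomobject]@{ Status = 'Missing';  RelativePath = $rel }
        } elseif ((Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash -ne $expected[$rel]) {
            [pscustomobject]@{ Status = 'Modified'; RelativePath = $rel }
        }
    }
    # Files on disk that were never in the manifest (added after it was written).
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        if (-not $expected.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'Unexpected'; RelativePath = $rel }
        }
    }
}

# Central site, before shipping (example paths, adjust to your environment):
#   New-CacheManifest -CacheDir 'C:\BPCache' -ManifestPath 'C:\Temp\bpcache-manifest.csv'
# Remote site, after copying from the USB stick; no output means the cache matches:
#   Test-CacheManifest -CacheDir 'C:\BPCache' -ManifestPath 'C:\Temp\bpcache-manifest.csv'
```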
February 15, 2017 at 7:30 pm #11524 flowbass (Participant)
Awesome! That is exactly what I was looking for. Luckily each site only has five or six Windows machines so the retrieval of consolidated URLs list of available updates shouldn’t be that slow. You would think. Again, very slow connection speeds. Less than 1.5Mbps. I’ll keep you posted on this forum on how it goes.
Thanks again!
February 15, 2017 at 8:47 pm #11525 doug (Moderator)
You’re very welcome. Let me know how it goes.
-Doug
April 4, 2017 at 3:16 pm #10836 flowbass (Participant)
Doug,
Wanted to let you know that your steps provided above worked flawlessly. This is going to really help us get our Windows machines updated that have already been deployed out in the field and are connected to slow (less than 600kbps) WAN links. We will also be using this tool to update all of our Windows VM templates without having to join them to the domain, add to DNS, GPO processing, etc., etc. This tool will remove all the up-front work associated with keeping your Windows templates current and updated with the latest MS Windows and Office security patches.
What a great tool!
Thanks again,
Flowbass