[doug]

Very strange. Glad you figured it out!! Thanks for reporting back.

[doug]

Third party tools like BP are not compatible with SCCM or with the WSUS/SUS that is controlled by SCCM.

However, the built-in method would/should work if you change your BP server selection (Tools > Settings > Windows Update > Server Selection) to ‘Windows Update’ or ‘Microsoft Update’.

Yeah, if you’re using the same command/deployment on multiple machines, and it’s working on some but not all, then the method is prob not the issue. I would suggest reviewing the link I posted about about how to troubleshoot feature update issues. I’d also consider which OS build is running on the targets before the upgrade attempt. Are they all the same or are the working ones not the same OS build as the non-working ones? And also consider the hardware of the target systems, which could potentially play a roll. I know you said if you run the setup manually at a machine it always works, but I’m a bit skeptical that that could be true in all cases. Something doesn’t sound right. Running the command remotely or doing it locally/manually really shouldn’t have an impact in this case. Also we have never had any similar reports. We have many people using these methods without any issues, so I’m struggling to guess what could be happening in your case. Though like I said, please start with reviewing the troubleshooting link I posted and see if helps you identify any issues. Let me know what you discover, if anything.

[doug]

What version of BP are you using?

So you’ve tried both methods described at this link, and neither works? ( https://batchpatch.com/remotely-deploying-windows-feature-update-version-20h2-the-october-2020-update-to-numerous-computers ) And both methods report successful despite not actually being successful? And you are definitely rebooting the target computer after applying the update, and then letting the target computer perform the install and reboot as many times as it needs to in order for it to complete the process?

I would suggest starting by looking at this: https://batchpatch.com/troubleshooting-windows-feature-update-upgrade-errors

I will note that in version 20201029 of BP, there was a fix for the built-in method (the method that uses the Windows Update feature in BP, not the deployment setup.exe /auto upgrade /quiet method), where if your target OS was a business edition, it would report success despite not being successful:

20201029
-Fixed issue where Windows 10 feature update preparation step was not running after download of ‘Feature update to Windows 10 (business editions)’, so upon reboot the installation would not be automatically triggered at the target computer

And in the most recent 20210827 release of BP we published a fix for the built-in method (the method that uses the Windows Update feature in BP, not the deployment setup.exe /auto upgrade /quiet method) where if your target OS is a non-English version, it would sometimes report success even though it wouldn’t install.

20210827
-Fixed issue where Windows 10 feature updates for non-English versions of Windows would sometimes not get installed despite BatchPatch reporting ‘Installation Result: Succeeded’

However, it doesn’t sound like either of these would affect you because you’re using the deployment setup.exe /auto upgrade /quiet method. I would, as a start, make sure that you are following the deployment method instructions *exactly* as described at the link at the top of this page. Are you missing the “copy entire directory” and/or “leave entire directory” checkboxes? Is your deployment command identical to the command shown in that tutorial?

[doug]

Glad you got it worked out. FYI we have more on that topic here: The Windows Update Control Panel in Windows 10/2016 is Not Up To Date After Using BatchPatch To Install Updates

[doug]

Sounds like an issue with DPI/scale setting in the OS. Try changing that value in your OS.

[doug]

Thanks.

Ok so the UBR command I gave you above is still the only other option that I can think that would give you similar (but not identical) info. I don’t have any better options to suggest at the moment.

[doug]

I’m curious which version of Windows were you using this successfully on? I don’t think this value started being wrong in 21H1. I think it was long before that. But I’d be curious to know which OS you were most recently using this successfully. Also, what is the actual value that you see? 1601-01-01 ?

Realistically Microsoft should fix this or deprecate/remove it from the API. However, I wouldn’t hold my breath, as their quality control has been only getting worse in recent years.

One possibility would be to query this registry value, which is the update build revision. Essentially it indicates which cumulative update was most recently applied, and it seems like the closest thing to what you’re looking for:

powershell.exe -command "$key = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'; $value = 'UBR'; (Get-ItemProperty -Path $key -Name $value).$value"

So, for example if you have OS build 19042, and you have UBR 1110, then you have 19042.1110. If your machines are generally on the same OS build, then you could just look at UBR to get a quick idea of which machines are behind on the monthly cumulative update.

[doug]

Mike – I’m not really sure what you’re doing. If I clear the job queue activity column, then when I double-click the row to expand it, the job queue activity column is gone/empty. If you have other columns with data, then you would need to clear those too. Clearing just the job queue activity column won’t clear data from other columns. You need to clear the particular columns that you want. You can also always just create a brand new grid/tab.

[doug]

All of the data that you see in the BatchPatch grid is contained in that grid. If you save that grid to .bps file, then all of that data is in the .bps file so that when you re-load that .bps file into BatchPatch, the data is still there.

You can delete column contents inside of a particular grid with ‘Actions > Clear column contents’

[doug]

Yes, they have to appear on the same network. BP does not create connectivity where connectivity doesn’t already exist.

[doug]

1. You can also review the grid detail by selecting the desired rows, and then using ‘right-click > expand rows’ option. I think this would probably be better for what you are describing. We probably will not create a keyboard shortcut for viewing cell content because then you would have to tab through soooo many cells to get to the one that you want to view. ‘View cell content’ is really more geared to just be a mouse option, not a keyboard option. This is why for your needs you might find it best to use the ‘expand rows’ option instead.

2. The ‘All Messages’ column sorting is already only based on the visible content. We’ll have a look to see what we can do to improve it.

3. We will consider your other suggestions for a future build. Thank you for the feedback.

[doug]

Sorry I misunderstood. I thought you were saying you wanted to temporarily modify the registry value so that the printers could be installed/updated, and then set the reg value back.

Depending on how your printers are setup, you should generally be able to execute a single command and the command prompt of a target computer to perform the installation. Some quick googling will reveal which command to use in your environment. Once you have figured out which command does what you need and works successfully to perform the installation manually at the command prompt of a given computer, you can then easily port that to run remotely from BatchPatch either in a BatchPatch remote command or in a .cmd file that you then deploy to each target using the BatchPatch deployment feature.

[doug]

You can make registry changes easily with BatchPatch. You don’t need to write an elaborate script. You can just use the Windows ‘REG ADD’ command in a BatchPatch remote command:

https://batchpatch.com/an-alternate-way-to-deploy-a-registry-value-to-remote-computers

Other methods:
https://batchpatch.com/deploy-registry-keys-to-multiple-computers-using-batchpatch

https://batchpatch.com/remote-registry-updates-with-batchpatch

[doug]

If you want to continue to allow non-admin users to install printer drivers, then you can use a registry value to revert the behavior to how it was before the August update. However, this is probably not a great idea to permanently revert.

https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

But a reasonable option might be to only allow users to install printers if they contact you first. Then when they call you, you can temporarily modify the registry value to enable them to do the printer installation. When complete, you can then undo the registry change.

Another option would be to give all users a local admin account that they are allowed to use only for elevation, such as in cases where they need to install a printer driver.

Another option is to simply make sure you get your printer drivers all included in the image that you deploy to new computers.

[doug]

We’ll consider this for a future build. Thanks.

[doug]

In the lower right corner of the BatchPatch window there is a row count value. It shows selected rows / total rows.

[doug]

We aren’t aware of any changes at this time.

[doug]

There is not such an option in BP, but we will consider it for a future build. In the meantime I would suggest you simply move your disabled computers into their own OU in the directory, then don’t synchronize that OU.

[doug]

‘Tools > Settings > General > Remember open tabs from last session’

[doug]

There is not currently a built-in way to share them. However, you can use ‘Tools > Export’ to export the user-defined items to a file. You can then use ‘Tools > Import’ to import them somewhere else. Also these items are stored in each user’s profile under C:\Users\%USERNAME%\AppData\Local\Cocobolo_Software,_LLC\BatchPatch\user_defined\user_defined.xml

[doug]

Excellent!

[doug]

OK let’s do a couple of things.

1. Are you using the latest version of BatchPatch? Start with just making sure you have the latest version of BP. (Help > Check for updates)

2. Next, make sure that the service instance is up to date. If you go to ‘Tools > Run BP as service’ is there an update available? If yes, apply it. If there is no update available, there will be no option available to “update service.”

3. Start with a brand new grid. Do not use/load an older grid/.bps file.

4. In the new grid create a scheduled task, but don’t use the email notification option. Instead create a scheduled task to ‘Execute job queue’, and make sure the task is set for a time a few minutes in the future. Then save the grid and send it to the service instance. Then launch the service instance viewer so that you can watch it in real-time. To do this go to ‘Tools > Run BP as a service’ and then select the .bps file in the list of “Currently active .bps files”, and then click ‘Launch selected .bps file in viewer’.

The goal here first is to see if there is an issue specifically with ‘Send email notification’ running in the service (or perhaps with how you are using ‘Send email notification’) or is there an issue with *any* scheduled task running in the service instance. So I want to know if ‘Execute job queue’ works in the service instance or not. The job queue itself can remain empty, so when ‘Execute job queue’ runs at the scheduled time, the ‘All Messages’ column will show something like this:

08/01 20:54:47> Job Queue: Queue is empty
08/01 20:54:47> Job Queue: Queued…
08/01 20:54:47> Scheduled Task: Initiating ‘Execute job queue’ – Sunday – 08/01/21 – 20:54.

[doug]

You have to add a grid to the service instance. You can do this by either right-clicking on the tab header of a grid and choosing ‘Send grid to service instance’ or you can manage which grids are in the service instance under ‘Tools > Run BatchPatch as a service’

https://batchpatch.com/running-batchpatch-as-a-service

[doug]

The link you posted contains simple instructions for how to implement a workaround for the vulnerability:

Vulnerable systems can enable ACL inheritance for files in the %windir%\system32\config directory by running the following command from an elevated prompt:

icacls %windir%\system32\config\*.* /inheritance:e
Once the ACLs have been corrected for these files, any VSS shadow copies of the system drive must be deleted to protect a system against exploitation. This can be accomplished with the following command:

vssadmin delete shadows /for=%systemdrive% /Quiet
Confirm that VSS shadow copies were deleted by running vssadmin list shadows again. Note that any capabilities relying on existing shadow copies, such as System Restore, will not function as expected. Newly-created shadow copies, which will contain the proper ACLs, will function as expected. Please see KB5005357 for more details.

Each of the three commands mentioned above can be simply dropped, individually, into a ‘Remote Command (Logged Output)’ in BatchPatch.

icacls %windir%\system32\config\*.* /inheritance:e
vssadmin delete shadows /for=%systemdrive% /Quiet
vssadmin list shadows

[doug]

Not really. Currently the only other way to do it would be to modify the queue to run in a loop every 15 minutes, and to insert a custom script that checks the time of day and terminates the loop if the time of day is between 1900 and 0700. However, while this other method job queue would only be several steps instead of ~96 steps, I’m not sure that it’s any easier since it involves creating a custom script.

We’ll consider other simpler options for a future version.

[doug]

This information is pulled from the Windows Update Agent (WUA) history database on the target computer. We’ll take a look to see if we have any way to improve/fix this, but I think it is probably stored in the database in such a way that I don’t think there is anything we can do. I don’t think it’s something that BatchPatch has any control over. If we figure out a way to improve/fix it, we’ll do that in a future version. Thanks.

[doug]

Please see: Troubleshooting Common Errors in BatchPatch

[doug]

What is “Executing export report” ? Please be as specific and detailed as possible to describe exactly what you are clicking on, and then exactly what you are seeing when you click on that.

[doug]

I’m not sure what could be causing that aside from everything I mentioned previously. Did you try the suggestions that were posted further up above? And to create brand new everything from scratch, including brand new deployment configuration, brand new grid, etc, along with everything else suggested in the posting I made a few days ago.

[doug]

‘Actions > Windows Updates > Check for available updates’ not ‘Help > Check for updates’

[Author]

Posts