Forum Replies Created
-
AuthorPosts
-
January 6, 2021 at 12:54 pm in reply to: Email Notification – Host Name and Deployment Status #12645
dougModerator
Hi Aaron – It is not currently possible to change the columns that are sent via email. The email will include any/all visible columns in the grid. However, we are considering possibilities for customization in a future version.
Thanks,
Doug
dougModeratorThe same consolidated update history report that you linked an image to above has a column for ‘Result’, which will show failures. That said, I’m unsure how useful this would end up being.
If you use BatchPatch to perform an update installation, BatchPatch will report in the ‘Remote Agent Log’ for that task the details of each update installation (success, failure, etc). The ‘Remote Agent Log’ column in BatchPatch is also saved automatically to the remote agent log file that is stored on the target computer (default location on target is C:\Program Files\BatchPatch\batchpatch.log). You can use the HTML export feature, mentioned in my previous posting, after an update installation task to review the failures. And of course you can review the batchpatch.log file on a target computer to examine the failures from previous tasks. However, aside from the update history report mentioned at the top of this posting there is not another way to pull a “live report” of updates installation failures that took place in the past.
dougModeratorThis is a Windows Upgrade error, not a BatchPatch error.
-1047526908 => C1900204
Migration choice (auto upgrade) not available (probably the wrong SKU or architecture)· 0xC1900204
dougModeratorIf you modify a job queue, you would have to re-apply that queue to your grids because the queue information is stored in the grid (to make the grid files portable without having to have the original queue created/existing on the server instance of BP- this was a tradeoff decision we made at design time). That said, we do realize this is not a good user experience, and we have plans for improvement.
As a workaround for now you can re-apply it to just a single grid to start. Then save the bps file for that single grid and open it in a text editor and find the change/update that you made. Then you could use the text editor to find/replace across all of your 53 files. Just make sure to test it because if you introduce an extra space or line break or somehow modify the format etc so that BP can’t understand/read it, it won’t work. And needless to say you’ll want to make a backup of your bps files before modifying them like this.
dougModeratorHello – Thank you for sharing that posting. The simplest thing you can do right now to mitigate this issue is under ‘Tools > Settings > Remote Execution‘ set a value for ‘Use PsExec -r switch‘. When you enter a custom value in this field, the PsExec remote service and named pipe are created with that custom name instead of the default name, PSEXESVC. In this way a malicious user pipe squatting on your target servers as \PSEXESVC won’t have any impact on you because your pipe will be created as \YourCustomName. The malicious user would have to know/guess your custom pipe name in advance in order to cause trouble, which would be very unlikely and require the attack to be targeted at you specifically instead of just a generic attack.
We don’t know at this time when Microsoft will address the issue directly in the PsExec code (they apparently did suggest that they will release an update to PsExec to resolve this, though it’s unclear when), so we are also discussing adding an additional safety measure to BP soon that would enable you to add a pseudorandom number/string to your custom name so that every single action would get a unique remote service and pipe name. This would virtually eliminate any possibility for casual exploitation by making the pipe name even more unguessable, thus further reducing the possibility of any pipe squatting on that name. And we will additionally be considering other possibilities moving forward as well.
One other option you could consider for the time being is you could use PaExec instead of PsExec. We don’t know at the moment if PaExec is technically susceptible to the same kind of pipe squatting attack, but we do know that PaExec already adds a pseudorandom number to its remote service and pipe name, which means that if it were similarly vulnerable, the random pipe name would successfully mitigate the issue by virtue of it being unguessable in a casual attack, as described above. The main downside to PaExec is that if you are specifying alternate credentials for any row in the BP grid, these credentials are *obfuscated* when sent over the network using PaExec but not fully *encrypted* like they are when using PsExec. Realistically, while encryption would certainly be best, lack of encryption in this case is actually not necessarily as bad as it sounds, assuming you are operating on a switched network, but it’s definitely still something to consider if you use alternate credentials. More is explained here about why unencrypted credentials may not be as bad as it sounds, when using a switched network. To be very clear though, we always recommend using encryption whenever possible when passing credentials over a network. The article merely highlights that in some use cases there may be an acceptable risk to the user choosing an unencrypted approach.
Our recommendation is to continue using PsExec but to specify a custom service name as described at the top of this posting. We expect to release an update pretty soon that will further improve upon the custom service name setting by enabling the ability to also append a pseudorandom number/string to it for each connection, as mentioned previously. However, if you decide you want to use PaExec, then under ‘Tools > Settings > Remote Execution‘ you’ll set a custom path under ‘Use psexec custom filepath‘ and have that filepath point to the location of your paexec.exe. If you choose to use paexec instead of psexec, then you’ll need to uncheck the box for ‘Use PsExec -r switch‘, otherwise it will throw an error when you try to perform any actions that utilize it.
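A defender-side check for the pipe-squatting condition described in the post above, as an added example that is not part of the original post and is not BatchPatch or PsExec code: it flags a pipe named like the PsExec remote service when no service of that name is running. The function name, the sample data and the use of `YourCustomName` as a -r value are illustrative assumptions, and the result is a heuristic, not proof of compromise.

```powershell
# Added example (not BatchPatch or Sysinternals code).
# Heuristic: a named pipe with the same name as the PsExec remote service,
# present while no service of that name is running, may be a squatter
# waiting for the real service to start.
function Find-SquattedPsExecPipe {
    param(
        [string[]]$PipeNames       = @(),           # pipe names present on the host
        [string[]]$RunningServices = @(),           # names of services in Running state
        [string[]]$ServiceNames    = @('PSEXESVC')  # default name plus any custom -r value
    )
    foreach ($name in $ServiceNames) {
        # -contains is case-insensitive, matching Windows pipe/service naming
        $pipePresent = $PipeNames -contains $name
        $svcRunning  = $RunningServices -contains $name
        [pscustomobject]@{
            Name           = $name
            PipePresent    = $pipePresent
            ServiceRunning = $svcRunning
            Suspicious     = ($pipePresent -and -not $svcRunning)
        }
    }
}

# Constructed sample data: a PSEXESVC pipe exists, but no PSEXESVC service runs.
$samplePipes    = @('lsass', 'wkssvc', 'PSEXESVC')
$sampleServices = @('LanmanServer', 'Winmgmt')
Find-SquattedPsExecPipe -PipeNames $samplePipes -RunningServices $sampleServices `
    -ServiceNames 'PSEXESVC', 'YourCustomName'

# Live check on a Windows host (run locally on the target server).
if ($env:OS -eq 'Windows_NT') {
    $pipes    = Get-ChildItem -Path '\\.\pipe\' | Select-Object -ExpandProperty Name
    $services = Get-Service | Where-Object { $_.Status -eq 'Running' } |
                Select-Object -ExpandProperty Name
    Find-SquattedPsExecPipe -PipeNames $pipes -RunningServices $services |
        Where-Object { $_.Suspicious }
}
```

Run it when no PsExec or BatchPatch action is in progress against the host, and add your own -r value to -ServiceNames if you have set one.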
dougModeratorThe script generally works for most computers (for example it works on all of the computers we have here without any errors/issues), but if you have a particular machine where the script is not running successfully, then there is something specific to that machine that is causing the issue. You would have to set up some error handling in the script to get to the root of why that particular machine isn’t completing successfully. It could be a transient error with WMI on that computer, and restarting WMI or that computer could possibly resolve it. But it might also be some kind of corruption with the WMI repository or something else altogether. I can’t say for sure.
I provided the script to you as a template to show you an example of the kind of thing that is possible. However, you should customize it for your particular needs/desires:
To get the amount of RAM in use you have to do the calculation TotalVisibleMemorySizeKB – FreePhysicalMemoryKB. You can add this calculation directly in the script.
To get megabyte from kilobyte, you would take the kilobyte value and divide by 1024 or 1000, depending on how you define a MB (as either 1000KB or 1024KB). You can add this calculation directly in the script.
To change the format of the date-time, you’ll need to do some processing of that date-time result, which can also be added to the script. Here is an example: https://stackoverflow.com/questions/29535638/vbscript-how-to-convert-a-date-into-days-and-time
dougModeratorThis is not currently possible, but we will consider adding some kind of “append” option for a future build.
In the meantime you would either have to turn on the target computer to view the BatchPatch.log to see the history of what BatchPatch did with Windows Updates before the machine was shut down, or you have two possible workarounds:
1. One option is to use multiple rows per host in the BP grid. So if you put the same “host1” into two separate rows in the grid, and then each row executed a Windows Update action at a different time, you would be able to see the log of both actions in the ‘Remote Agent Log’ column for each row. In this case you would have to take care to ensure that the rows’ executions do not overlap. The ‘advanced multi-row queue sequence’ could be used to ensure that the two rows are executed sequentially. Or you could use scheduled tasks for each row, just making sure that they execute far apart enough in time that they would not ever overlap.
2. Another option is to use “Save current-row HTML export” inside of the job queue. You can run that after each Windows Update action, and then on the BP computer you’ll have the details from the ‘Remote Agent Log’ column for each run saved in those HTML files that are created.
dougModeratorHello –
1. You can export the grid to delimited file using “File > Export current grid to delimited file”
2. The following command will get the RAM numbers you want (in KB):
WMIC PATH Win32_OperatingSystem GET FreePhysicalMemory, TotalVisibleMemorySize
3. We will consider adding the built-in ‘Get RAM usage snapshot’ to the job queue and/or task scheduler so that it can be scheduled to run without a custom command.
4. Below is a script that gets all of the information you asked about. You can incorporate it into BP as a “local command” with the following syntax. BP will pass the target computer name from the ‘Host’ column into the script by using ‘$computer’ as shown here:
Create a local command that looks like this:
cscript "C:\SomeFolderOnBPComputer\Scripts\ScriptSample.vbs" $computer
Here is the actual script. Put it in a text editor and save it with a .vbs extension. Modify it as desired to get the results formatted in your preferred way:
'Gets the number of CPU Sockets, Cores, Logical Processors, OSVersion, LastBootUpTime etc. Cocobolo Software LLC December 2020.
'usage: cscript.exe script.vbs COMPUTERNAME
strComputer = WScript.Arguments(0)
On Error Resume Next
Err.Clear
'strComputer = TextBox.value 'InputBox("Enter the Computer Name or IP address")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

OSVersionCaption = ""
'Get OS Version for CPU info
Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystems
    OSVersionCaption = objOperatingSystem.Caption
Next

'Get Processor Info (note: it can take a long time to pull info from this class)
Sockets = 0
Cores = 0
LogicalProcessors = 0
WMISupport = 1
ProcessorName = ""
If InStr(OSVersionCaption,"2003") or InStr(OSVersionCaption,"XP") or InStr(OSVersionCaption,"2000") Then
    WMISupport = 0
End If
Set colProc = objWMIService.ExecQuery("Select * from Win32_Processor")
For Each objProc in colProc
    ProcessorName = objProc.Name
    Sockets = Sockets + 1
    Cores = Cores + objProc.NumberOfCores
    If Err.Number <> 0 Then
        Cores = Err.Description
        Err.Clear
    End If
    LogicalProcessors = LogicalProcessors + objProc.NumberOfLogicalProcessors
Next
If WMISupport = 0 Then
    LogicalProcessors = Sockets
    Sockets = "Property is not supported for this OS"
    Cores = "Property is not supported for this OS"
End If

'Get OS version, last boot time and memory figures (memory values are in KB)
OSVersion = ""
LastBootUpTime = ""
FreePhysicalMemoryKB = ""
TotalVisibleMemorySizeKB = ""
Set colOS = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOS in colOS
    OSVersion = objOS.Version
    LastBootUpTime = objOS.LastBootUpTime
    FreePhysicalMemoryKB = objOS.FreePhysicalMemory
    TotalVisibleMemorySizeKB = objOS.TotalVisibleMemorySize
Next

wscript.echo("CPU: " & ProcessorName & vbCrLf & _
    "Sockets: " & Sockets & vbCrLf & _
    "Cores: " & Cores & vbCrLf & _
    "Logical Procs: " & LogicalProcessors & vbCrLf & vbCrLf & _
    "OSVersion: " & OSVersionCaption & " " & OSVersion & vbCrLf & _
    "LastBootUpTime: " & LastBootUpTime & vbCrLf & _
    "FreePhysicalMemoryKB: " & FreePhysicalMemoryKB & vbCrLf & _
    "TotalVisibleMemorySizeKB: " & TotalVisibleMemorySizeKB)
dougModeratorThe .cab file is extracted by BP into the wsusscn2 folder so that it can be parsed to get the relevant data needed by the “Download offline updates repository” action. What you see in your screenshot is expected/normal. It has nothing to do with why “Download offline updates repository” does not obey “Do not download newest wsusscn2.cab if any version is already cached”. I explained why that’s the case in my previous posting above.
Thanks,
Doug
dougModeratorI’m not really sure what you’re suggesting. The reason that the ‘Download offline updates repository’ action does not obey the setting ‘Do not download newest wsusscn2.cab if any version is already cached’ is because it was not coded to obey that setting. In that sense it’s not really a “bug” per se but rather by design. However, it makes sense that it ought to obey that setting just like the normal Windows Update actions do, so we’ll look at changing it in a future build.
dougModeratorThanks. We have confirmed that the ‘Download offline updates repository’ action does not obey the checkbox ‘Do not download newest wsusscn2.cab if any version is already cached’. We’ll look at fixing this for a future build.
dougModeratorI understand that you have ticked the box ‘Do not download newest wsusscn2.cab if any version is already cached’, but which action are you using in the app that is not obeying that checkbox?
dougModeratorIf you have the command line syntax to perform your desired operation on a single computer without using BatchPatch, then generally you can use BatchPatch to run that command on multiple target systems to accomplish your goal.
-Doug
dougModeratorYeah unfortunately I don’t think there is a better way to do what you’re trying to accomplish. Good luck.
dougModeratorHello – The entire purpose of the advanced multi-row queue sequence is to create a sequence where groups of computers are inter-dependent. It is designed intentionally to have one group only begin when the previous group is 100% done. From what you’re describing, it sounds like you don’t actually want to be using the advanced multi-row queue sequence at all. It sounds like you should be using scheduled tasks that kick off your groups at the specific times desired. So if you want the first 100 machines to start processing at 10PM, and then you want the next 100 to start processing at 10:10PM, followed by the next 100 at 10:20PM, then you should not use the advanced multi-row queue sequence. Instead create a scheduled task for each row to run that row at the desired time. Or… if you still really want to use the advanced multi-row queue sequence, you could create a separate sequence for each group of 100. Then have each sequence only contain a single position for that entire group of 100. In this way, each group of 100 is not dependent on any other group of 100. In this case you won’t actually be creating a “sequence” in the sense that nothing will be happening sequentially. But you’d be using the advanced multi-row queue sequence feature as just another way to schedule a group of 100 targets without applying the scheduled task to all 100 targets. Instead you would apply the scheduled task to the dummy row that starts the sequence, and it would then be responsible for launching the 100 members in the group. But each 100 members would be part of its own advanced multi-row queue sequence, and each 100 would get started independently of the others because each advanced multi-row queue sequence would have its own scheduled task to launch it at the desired time.
dougModeratorOk great. Glad that works. Thanks.
-Doug
dougModeratorFirst I would note that the MAC gets logged in the ‘All Messages’ column, so you’ll have the entire history there. I would think that alone should be sufficient because even if the MAC column/field is overwritten with an error or blank, the previous query results are still contained in the ‘All Messages’ field.
However, as a way to accomplish exactly what you want to do, you could have your task check to see if the target computer is online first before trying to obtain the MAC. This way the MAC field will not be overwritten with an error when the machine is offline.
In the current version of BP there is no “Get MAC” option in the job queue, but we will consider adding it. In the meantime you can create a custom remote command (logged output) with the following syntax:
WMIC PATH Win32_NetworkAdapterConfiguration WHERE "IPEnabled=True" GET MacAddress
Then create a job queue that looks like this:
Step 1: Wait for host to be detected online
Step 2: Execute your custom command to get the MAC
Or this queue below actually probably works better for your needs since you want to just run the task periodically:
Step 1: If host is offline, goto label:X
Step 2: Execute your custom command to get the MAC
Step 3: Label:X
Then create a scheduled task that executes the job queue at the desired time.
—————
With all of that said, I really don’t understand at all what your actual need is here. I mean to say that I don’t understand why it would ever make sense to continually/repeatedly query a target computer for its MAC address, when MAC addresses do not ever change. Perhaps you could fill me in on more details. The better I understand your actual need, the more likely we would be able to address it sufficiently, if we were to add something to the software for this purpose. However, at the moment I simply don’t understand why you’re repeatedly querying targets for their MACs. On the surface this just doesn’t make sense to me. Thanks.
dougModerator1602 is returned by the MSI installer. It’s not a BatchPatch error per se. BatchPatch just passes through the MSI return code to you.
MSI 1602 exit code means “User cancelled installation.” My best guess is that you have something, perhaps anti-virus software or similar, that is killing the installation. You might be able to get more info by adding the following to your parameters in the deployment.
/log c:\msi_installer_log.txt
See screenshot for illustration/example:
Alternatively you might be able to get more info by running the msiexec command at the cmd prompt manually on a target machine instead of through BatchPatch. So for example if you put the MSI file directly on the target computer and then you ran this command:
msiexec.exe /i "C:\someFolder\someInstaller.msi" /q
You should see it output more detail to the cmd prompt that might help you figure out what is happening.
dougModerator🙂
You’re very welcome.
dougModeratorCreate a ‘remote command (logged output)’ with the following syntax:
time /T
November 12, 2020 at 11:04 am in reply to: Update and reboot cycle task missing from new version #12584
dougModeratorThe update reboot cycle was deprecated a few years ago. We finally removed it from the software in this most recent release. Please use the job queue instead. It’s much more powerful and flexible. You can create a custom job queue called “update reboot cycle” if you want. Then just use that in your task.
-Doug
dougModeratorYou’re very welcome! 🙂
dougModeratorSorry to hear that. If you are a licensed customer and want to work through this with us, I would encourage you to contact us directly so that we can have a better look at what might be happening. There’s a good chance that we’ll be able to help you get it working when we can see exactly what you’re doing with screenshots etc. It’s unclear to me at the moment where things might be going wrong. BatchPatch contact form
Thanks,
Doug
dougModeratorWhen you say the first command was successful– I assume that means you did the first command successfully using ‘Deploy’, not using ‘Remote command’, yes? If yes, I’m thinking that the issue with the second command is probably the quotation marks. Try single quotation marks around the path instead of double quotation marks. Like this:
\\server\vs2019\vs_enteprise.exe update --installPath 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional' --quiet --wait
Let me know how it goes.
dougModeratorFor what you are trying to accomplish… where you want the actual logged-on user to perform a task, I think the primary ways to do this are as follows:
1. If you want to use BatchPatch, then in BatchPatch you can get the list of users who are logged-on to the target computer by using ‘Actions > Get info > Get logged on users’. You could then manually take this information and input it into the ‘Notes’ column in BatchPatch in the format that you need/want it to be. And then you could send $notes as a parameter in your deployment configuration so that $notes gets passed into your script that runs on the target computer. In your script you could then handle the parameter in whatever way you want.
2. Instead of using BatchPatch for this task you could set up your script to run as an active directory logon script for the end-user so that when he/she logs on to the computer, the script runs in the context of his/her logon account.
3. Another option if you want to use BatchPatch is you could incorporate into your script the ability for the script to get the logged-on users directly with your own code, so that you could then use that information in your script to accomplish your end-goal. In this case you would either need to know for sure that there is only a single user who will ever be logged-on to the computer, or you would have to have logic that makes a determination for what to do when multiple logged-on users are detected. Furthermore, you would have to decide how you would obtain the list of logged-on users in the first place. There is not one set way to accomplish this task. Different methods have different advantages and disadvantages.
———————-
The idea that BatchPatch should have a %username% variable is not so straightforward as you imply. For one thing, there can be multiple users logged-on to a computer, so who is %username% in that case? Additionally, something like the $computer variable that BatchPatch currently supports along with $notes, $notes2, $description, $category, and $location… these are variables for use inside of BatchPatch … where these values exist or are inputted by you into the corresponding BatchPatch columns… such that you can then send them as parameters into your scripts/commands that you execute from/in BatchPatch. However, it’s very different for BatchPatch to see that you have used $username inside of a script that will be run remotely (or even just as a parameter sending into the command/script), and then have BatchPatch on-the-fly make a remote connection to the target computer, figure out the logged-on user, then insert that into your command (or modify your script and replace the value for you), and then execute your command/script remotely in a separate action. While this is theoretically possible to do, it’s a very customized kind of action, and its applicability would need to be tweaked on a per-use basis, depending on the specific need of the administrator for any particular given task. We try to make BatchPatch as flexible as possible for administrators to then be able to customize for their own needs, so that when they have particular tasks that they need to perform as part of their job, they can get something up and running with minimal effort. However, there are some tasks, such as what you are trying to accomplish, that don’t lend themselves well to having us pre-build in complete end-to-end functionality to accomplish due to the fact that they are quite specific… your exact need will not be identical to someone else’s exact need.
dougModeratorOK that’s very helpful! So now it looks like we have the reason why it isn’t working, which is that there is no preparation step occurring. What I don’t know is why or how that could be getting skipped. I’ve just emailed you to request an HTML grid export for further, closer review. Let’s switch to email for now. Then I’ll come back and update this thread after we (hopefully) get to the bottom of what’s going on.
-Doug
dougModeratorWeird, thanks. In your ‘All Messages’ column after the download/install, but before the reboot, you should have a line that says: “Windows Update: Feature update preparation complete.” Can you confirm that you do see this? Or did it fail? If it failed it would say “Windows Update: Feature update preparation failed: someExitCodeHere”.
Assuming that the preparation process completed without failing, my hunch is that the issue is still being caused by a GPO, though I’m not sure which one. We can’t reproduce it at the moment, and we have no other reports of it as of yet. I’ll let you know if we come up with any other ideas. Please also report back if you test anything else, such as removing *all* Windows Update GPOs before trying again.
And do keep in mind that at least as a workaround, if needed/desired, that you can always deploy the update using the BP deployment feature instead of the BP Windows Update feature, per the link noted a few postings above ( Deploying Windows Feature Upgrades Remotely to Multiple Computers )
dougModeratorJust to confirm… after you modified the GPO and applied it, you ran the download/install/reboot from BP again? And then after the target machine rebooted, it didn’t automatically start the installation? Or did you not try the reboot? I ask because the reboot is necessary before it will proceed with the actual installation, so I just want to confirm that I understood what you did. Thanks.
dougModeratorAuthentication to a remote location can be different when going over two hops instead of one. So instead of making a single remote connection, you are effectively making a remote connection to the target computer and then asking it to make a remote connection to the network share, so it’s not an identical procedure. I would suggest you try a couple of things:
1. Try entering ‘Alternate credentials’ in BatchPatch (Actions > Specify alternate logon credentials). See if that makes a difference as compared to when you just use ‘integrated security’.
2. Maybe you can use the BatchPatch action “Copy file/folder” to accomplish your goal?
3. Maybe you can use a BatchPatch local command to accomplish your goal? In this case instead of running the script remotely, you could have a script that runs on the BatchPatch computer (Actions > Execute local process/command), and then there won’t be two hops of authentication, in case the two hops is what is causing the problem.
Also one more thing to note that I’m not sure if you are considering or not… the credentials that you are using to connect BatchPatch to the remote machine (whether that is with integrated security or with ‘alternate credentials’) is not necessarily the account name that you want to be inserted into %username% is it? Because the %username% variable will be the account that is running the script, which I suspect is not the account that you are wanting it to be, though I’m unsure because I don’t know the exact details of what you are trying to accomplish. I just figured I’d mention it here in case that helps at all.
Also, in cases where you use SYSTEM, I don’t think it will ever work properly because SYSTEM only has local privileges, so you would need to use ‘Elevated token’ I think to have a chance at it working properly.
-Doug