[doug]

Thanks, Rich. Please do reply to this thread if/when you have more info. I’m very curious to know if purchasing ESU does the trick.

-Doug

[doug]

Hi DJ –

1. We do usually post some notes on the website in a blog posting with each new version, depending on the nature of the particular release. We plan to post something this week for the version released on Friday. It just hasn’t been published yet. Usually the blog posting will follow the actual release of the new build by several days up to about a week.

2. We don’t publish file hashes. We *do* sign the BatchPatch.exe, which is superior to just publishing file hashes. Scott just wrote a posting, which is now also linked off of the download page, that explains why digitally signing a file is superior to publishing a file hash. You can see it here if you’re curious:

Verifying the Authenticity and Integrity of BatchPatch.exe

[doug]

I wouldn’t be surprised if certificates is one of the methods that Microsoft uses to prevent people who didn’t pay for ESU. I found a wsusscn2.cab from July 2019, and I was able to use it successfully to search for updates on a Windows 7 target. However, when I use the current wsusscn2.cab from Sept 2020, I get the same certificate error that you got.

0x800B0109 -2146762487 CERT_E_UNTRUSTEDROOT

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider

I think there is a pretty good chance that if/when you pay for ESU, the first thing they do is give you an update that updates your certificate store so that you’re able to continue updating the OS. This is just an educated guess. I can’t say for sure.

[doug]

I don’t know if any of the client triggers will do what you want or not. We don’t use SCCM. We implemented all of the available SCCM client triggers as a convenience to SCCM users, but the details of what the client triggers actually do etc has nothing to do with BatchPatch, so it’s not something that we can provide support for.

[doug]

Triggering ConfigMgr (SCCM) Client Actions Remotely

[doug]

If they are fine when connected to the LAN and are only not working when using DirectAccess, then it seems pretty clear that the issue is with your DirectAccess configuration. I don’t have experience with DirectAccess, so I’m not able to provide much guidance, but based on some very quick and minimal research it appears you have to configure “Manage Out” capability for DirectAccess in order to be able to remotely manage clients from within the LAN. I wouldn’t be surprised if you also have to configure firewall rules specifically for when using DirectAccess.

Troubleshooting Common Errors in BatchPatch

[doug]

Please see this link:

Review the section under ‘Error -102: Failed to execute the search. HRESULT: -2147012867‘

[doug]

We’ll see what we can do.

[doug]

In that case then you should just keep the deployment files on the BP computer or in the same network as the BP computer so that when BP copies the files to target computers it only copies the files in one direction. There is not currently a better or more efficient option available.

[doug]

You don’t have to install BatchPatch on every target computer. The suggestion I made was to install a single instance of BatchPatch in the same geographic location as the target computers so that deployment stays local to the BatchPatch instance.

Alternatively if you keep the BatchPatch installation in a network that is remote to the target computer, then at a minimum you should also keep the deployment files in the same network as the BP installation so that when the deployment runs, it copies files only in a single direction. A better/faster option will be to do what I described previously, which is to install an instance of BatchPatch in the network where the target computers are located.

[doug]

Thank you for your feedback. At this time it is the BatchPatch computer that performs the copy, so for max performance in the scenario that you describe, you would need to run an instance of BatchPatch on the target network, and have that instance perform the deployment.

Thanks.

[doug]

I need more information, please. If you have active support, please contact us directly to work through the issue. That way we can have you send us log files and a grid export for review, which we can’t really do effectively through this forum. Then we should be able to determine exactly what’s happening. Otherwise I’ll just have to take a couple guesses:

The problem you are encountering may be the issue described here: Online Cached Mode Fails to Download Update: Illegal characters in path. HRESULT: -2146233079

I know you said that the issue occurs even when cached mode is disabled, which would indicate that the above link will not help you, but please make sure to read through it carefully and assess your situation before concluding that it’s not the issue that you’re having. However, if the above link does not describe the issue that you’re having, then in that case it might be that you just need to perform the download and install operations in a single action instead of in two separate actions. That is, perform the operation as the single “download + install” action in BP instead of executing “download” and then separately executing “install.” We have very occasionally seen where Windows Update behaves unexpectedly and needs to have these operations executed together instead of separately.

[doug]

Thanks. I just replied to your email. It really doesn’t make any sense to me how/why it would fail only when executed as part of the advanced sequence, but I’ll have a better sense of things after I get the requested items in the email. Let’s switch over to email from this point forward. I will come back and update this thread if/when we figure out what’s going on.

[doug]

Without being able to see the exact detail of everything that is happening, it’s hard for me to know what might be going on. If you have active support with us, you are welcomed to reach out to us directly for troubleshooting assistance. That way we would be able to view more details about what is happening. Otherwise my best suggestions are as follows:

1. You said you’re running a local command. Local commands execute on the BatchPatch computer, not on the target computer. It’s unclear to me exactly how your queue is structured, but if you are running a local command to execute the script, then I assume the script is making a remote call to the target computer. Since you’re using powershell, maybe check the powershell permissions and execution policy to make sure that what you’re doing is not being blocked.

2. Maybe just try a different method for stopping the service. For example instead of using a local command that calls a custom powershell script that makes a remote call to the target computer, maybe just try a remote command directly from BP with the following syntax, substituting the SQL service’s caption instead of ‘DNS Client’ (I don’t know what the exact SQL caption naming is off the top of my head):

WMIC SERVICE where caption='DNS Client' CALL stopservice

[doug]

See section on “RPC server is unavailable” here: Troubleshooting Common Errors in BatchPatch

[doug]

If the IP works but name does not work, it could be an issue with your DNS.

However, you need to look at the *reason* that is printed at the end of the error message to evaluate why the error occurred in the first place. When error 1601 appears it says *what* happened: “Failed to retrieve WMI info”, and then immediately after that it says *why* it happened. For example, here are just two of the possible ways it might appear:

Error 1601: Failed to retrieve WMI info: Access is denied (Exception from HRESULT: 0x80070005)

OR like this:

Error 1601: Failed to retrieve WMI info. The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

[doug]

I don’t think this is a common problem at all. In fact, maybe that’s one way to convince management. Explain to them that it’s highly unusual to have 200+ servers with no dedicated maintenance window. EVERY company needs a maintenance window to do maintenance. Just like you need to take your car to the mechanic periodically to do preventive maintenance. I have never heard of a company with 200+ servers and no maintenance window. They are asking for trouble.

[doug]

FYI we just tested this: You can use the following syntax inside of a single ‘Remote Command’ in BatchPatch:

NET STOP wuauserv & MOVE C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution.old & NET START wuauserv

If you then save the command, you’ll be able to trigger it directly from the BatchPatch menu at any time.

[doug]

We have never seen nor had anyone report these two errors:

0x80244017 -2145107945 SUS_E_PT_HTTP_STATUS_DENIED Http status 401 - access denied

SUS_E_PT_HTTP_STATUS_DENIED seems like it would be a result of a permissions issue on your WSUS server’s IIS instance. I’m not sure how/why it would be fixed by resetting Windows Update on the target, but I’m glad that worked for you.

0x80244010 -2145107952 SUS_E_PT_EXCEEDED_MAX_SERVER_TRIPS The maximum allowed number of round trips to the server was exceeded

I don’t quite know what to make of SUS_E_PT_EXCEEDED_MAX_SERVER_TRIPS. It’s very peculiar. My guess is it would either be related to your WSUS server’s IIS configuration, or perhaps it could be the result of some weird network behavior or problematic routing configuration.

[doug]

We’ll consider this.

FYI you could also put this into a 3 line bat/cmd file. Then create a BP deployment to deploy that bat/cmd file whenever you want. Or you could make it a powershell script and either create a deployment for it the .ps1 file, or don’t even put it in a .ps1. Instead you could just combine the three lines into a single line with each command separated by a semi-colon. Then run it as a BP remote command.

-Doug

[doug]

Thanks.

[doug]

Thanks.

[doug]

BP does not provide a way for you to customize the HTML grid export.

[doug]

Please see BatchPatch Error: -102: Failed to execute the search. HRESULT -XXXXXXXXXX for more details on this error. We’ve had a handful of users report that installing Silverlight resolved the issue for them.

[doug]

Modify it how?

[doug]

I’m sorry to say I don’t understand you. Just check the boxes you want to include. Then perform the download and installation. Only updates with the classifications that you have checked will be downloaded/installed.

[doug]

The “Search Preferences” checkboxes apply to only the search for updates.

The “Update Classification Filtering” checkboxes apply to only the download and installation of updates.

When you use ‘Check for available updates’ it will search based only on the “Search Preferences.” This means that you will see all different types of updates listed as available for the target computer. However, if you then go to actually perform the download/installation, only the updates that have the classifications that you have ticked/checked/selected will be downloaded and installed. So if you have ONLY “Security Updates” checked, then only updates with the classification ‘Security Updates’ will be downloaded and installed.

[doug]

Very peculiar. I would try adding the IP address directly as a row in BP. Also try adding the FQDN (e.g. “Timson2-ACX.yourdomain.com” instead of just “Timson2-ACX”). See if either of those works.

[doug]

First make sure that the update is visible/available when you check for available updates. If the update is not in the list of available updates, then BP won’t install it because BP won’t know about it. So, if you have used ‘Check for available updates’ and you see that the update is in the list, then BP can install it. You have to select ‘Include “Upgrades”‘ under ‘Tools > Settings > Windows Update’ in order for that update to be included during a download/install operation. Also, in general, if you look in the ‘Remote Agent Log’ column after a download/installation attempt, you can see all the details for if a particular update was skipped, and why it was skipped. If it simply does not appear at all, then it is not being offered to the computer in the first place. In that case, check your WSUS to make sure the update is approved for installation. If you are not using WSUS, make sure that you don’t have any update deferral policy or Windows Update setting in place that would prevent you from seeing a feature update.

[doug]

is there a way to have BatchPatch try and install any pending updates

I’m not really sure what you mean here. BatchPatch installs Windows Updates. That’s what it does.

Or if BatchPatch is done (with the download + Install + Reboot) is Windows up to date and the errors on older cumulative updates irrelevant?

BatchPatch can report which updates are available to download/install for a given target computer, and BatchPatch can download/install those updates. If BatchPatch is reporting that there are no available updates… then it means that based on your current settings/configuration/filters, and based on what your WSUS has approved for installation, there are no available updates for the target computer. In general, with Windows, if you do not install a cumulative update for one month, but then you install the next month’s cumulative update, there would no longer be a need to install the previous month’s missed cumulative update, and under most circumstances BatchPatch would not report that previous month’s cumulative update as available for installation. If BP is reporting it as available/needed, then that means Windows is reporting is as available/needed.

Windows update installation filters that can affect what BatchPatch finds as available and what BatchPatch downloads/installs:

https://batchpatch.com/windows-update-installation-filters

https://batchpatch.com/filter-which-available-updates-are-included-or-excluded-when-downloading-or-installing-windows-updates

[Author]

Posts