Forum Replies Created
-
Posts
-
Thanks, Matt. Good to know the one-at-a-time method worked. However, I agree it was probably a good idea to just update the framework altogether, so I’m glad you got it all worked out.
-Doug
This is peculiar. Considering all of the entries that state the following…
msipatchregfix-amd64_5011cb29b096fb674a4795ee8fc2f7fdad33863a.exe :: Copy To Cache: Failed. HRESULT: -2147024894…it seems that these .NET updates all utilize the same file (in conjunction with a secondary file that is specific to the particular update and not shared). The -2147024894 means ‘ERROR_FILE_NOT_FOUND’. This is happening because the file is there for the first update, but then BatchPatch deletes it from the target computer temp folder after it successfully caches the file for the first update in the list, and then BP is not able to cache that file for the rest of the updates because it has been deleted. BP does not expect that two updates would have the same filename, so BP deletes the files as it caches them, but apparently there are cases where two updates will utilize the same exact file.
I would suggest trying the following:
1. Delete the files in your cache directory on the BatchPatch computer. Or you can temporarily point the cache location to an empty folder so that when you attempt again BatchPatch will download the update files anew. The goal here is just to make sure you get fresh files in case one or more of the files that currently exist in your BatchPatch cache are corrupt in any way that is preventing them from installing.
2. Check the box ‘Tools > Settings > Windows Updates > Recopy/overwrite updates that have already been cached on target hosts’ You should leave the box checked until all of these updates have been installed and the problem has been resolved.
3. With the above box checked, use BatchPatch filtering to install just a single .NET update at a time. Use ‘Actions > Windows Updates > Filter which updates are included/excluded’ to include just one of the .NET updates at a time. I suspect if you use filtering to install just one update at a time you won’t have any problems, though I can’t say for sure because I have never seen this type of situation before.
-Doug
Offline mode utilizes the WsusScn2.cab file that Microsoft publishes on a monthly basis. This file contains the metadata for security updates that allows the Windows Update Agent to determine which updates are available for the computer in question without requiring internet access or a WSUS to perform the scan. When you scan for Windows Updates using the control panel interface on the computer, it does an online scan for available updates against Microsoft’s public update servers, not the WsusScn2.cab file. The WsusScn2.cab file will never contain *all* updates that the public update servers contain. The WsusScn2.cab file generally contains all security updates and service packs along with various other updates that Microsoft deems important enough to include. When they release an out-of-band patch, such as the KB4056892 that you are referencing, it will appear on their public update servers before they publish a new WsusScn2.cab file that also contains the update. If you want to apply the update to systems that do not have internet or WSUS access before Microsoft publishes a new WsusScn2.cab file, then you would have to download the update manually from the Microsoft catalog, and then you can deploy it to target systems using the BatchPatch ‘Deploy’ feature, following this example:
Remotely Deploy a Standalone .MSU Update to Multiple Computers
When determining how to uninstall a program you need to first test it at the cmd prompt on the target computer WITHOUT using BatchPatch. This way you can determine what the quiet/silent/unattended parameter is.
I just installed FeedReader 3.14 and tested uninstalling with your commands:
“C:Program Files (x86)FeedReader30unins000.exe” /S
“C:Program Files (x86)FeedReader30unins000.exe”
Neither of those commands will perform a silent/quiet/unattended uninstall.
However, the following command works properly to perform a quiet/silent/unattended uninstallation of FeedReader 3.14:
“C:Program Files (x86)FeedReader30unins000.exe” /silent
When you check the box to ‘Run task immediately upon detecting target computer online’ the setting is saved only to the row or rows that you apply it to. Then if you view the task/schedule that is applied to a row that has the setting, then you will see the checkbox is checked. However, if you view the schedule of a row that does not have the setting, then the checkbox will not be checked. Or if you have multiple rows selected when you go to ‘Create/modify scheduled task’ when the Task Scheduler window appears the box will only be checked if all rows have the setting applied. If only one or some of the selected rows have the setting applied then when BP launches the Task Scheduler window, it does not auto-check the box or auto-populate the task/schedule because the multiple rows do not share the same schedule, and only a single schedule can be shown in the window at one time. This does not mean that the setting is not applied to a row that you applied it to. It just means that the GUI won’t show the box checked when you are launching the GUI. If you want to always see it reflect the setting that is applied to the row, then make sure to only have the particular row that you’re interested in selected when you re-open the ‘Create/modify scheduled task window’. I hope this clarifies things for you. It’s a bit tough to explain it clearly in writing, but hopefully you understand what I mean.
-Doug
Unfortunately there is not currently a way to have BP pass the $user to your script the way that it can with $computer. We’ll consider this for a future build.
-Doug
In the current build it’s not possible, but we are working on it for a future version.
Thanks,
Doug
All of the steps are the only/all of the reasons that there would be a discrepancy. How are you determining that there are applicable updates for the computers that BP is not reporting?
What action are you executing? Could you provide the verbatim text from the ‘All Messages’ column, please?
Well I guess the first question is if you are suggesting that BP is reporting an incorrect result, how are you determining that there are applicable updates for the computers that BP is not reporting?
If you have only gone through *most* of the steps, as you said in your posting, I would suggest going through *all* of the steps because all of the steps are all of the possible reasons why BP would give you unexpected results. There really aren’t any other possible reasons, or at least none that we are currently aware of.
-Doug
Please review the BatchPatch FAQ for the following question (number 2 in the FAQ):
“Why does my search for available updates at the Windows Update control panel GUI not report the same number of available updates that BatchPatch reports when I use it to check for available updates on the same target host?”
Hi James – If you have multiple users logging on to a computer, how do you determine the SID of the ‘primary user’ ? What criteria do you use to make the determination of who is primary vs who is secondary?
I’m actually not quite sure what you are referring to. I’ll try to cover all possibilities here…
1. In BatchPatch you have the ability to enter ‘Alternate Credentials’ for any row/host, which enables you to remotely perform actions on a target host with a logon account that is different from the logon that is used to run BatchPatch.exe. When you save a BatchPatch grid to a .bps file, the default behavior is for BatchPatch to encode/obfuscate the ‘Altnerate Credentials’ password that you entered into the row (or rows) in the .bps file. The password is not in plain text, but still this does not provide any real protection because it’s not encrypted, so if you want to *really* protect the .bps file then you need to either use your own encryption or you may use BatchPatch built-in encryption under ‘File > Password protect’. You can also optionally use ‘Tools > Settings > General > Require/force password protection to be used for all grids’ which forces you to use ‘File > Password protect’ for all grids.
2. Windows provides the ability for a computer to automatically logon with username/password that you store in the registry of the computer.
How to turn on automatic logon in Windows
This information is stored in plain text in the registry, and it has nothing to do with BatchPatch other than that BatchPatch provides the ability for you to input the information into a target computer’s registry automatically so that you don’t have to do it manually. BatchPatch provides this feature under ‘Actions > Reboot > Configure autologon after reboot’
I hope this helps.
-Doug
I’ve sent you an email for further troubleshooting and to see screenshots etc.
Dennis – If ‘dual-scan’ is enabled, it really has nothing to do with BatchPatch. BatchPatch doesn’t bypass your local WSUS– it’s a Windows OS issue. Windows is the culprit for this behavior.
Those articles that I linked to previously explain exactly how to determine if dual-scan is enabled and exactly how to disable dual-scan. It is very specific, and the instructions must be followed carefully and exactly. One of the articles even explains the cause of the error that you mentioned (-102: Failed to execute the search. HRESULT: -2145103860) in the ‘Additional Notes’ section. This error is caused by enabling a particular GPO, but that GPO is *not* the solution to disabling dual scan, so it seems to me that you may not have followed the *exact* instructions in the links that I provided to you.
I would ask you again to *please* follow the instructions *exactly.*
You need first confirm if Dual Scan is enabled or not. The process for this is described in the section titled:
‘How To Confirm If “Dual Scan” Is Or Is Not Enabled’ which appears in the following article:
Deciphering “Dual Scan” Behavior in Windows 10
And then if it is enabled you must follow the instructions to disable Dual Scan under the section titled:
‘How to Disable “Dual Scan”‘ which appears in the following article:
Antivirus or other security related software could be the culprit. If you can you should whitelist psexec.exe, psexesvc.exe, and batchpatchremoteagent.exe. Another thing to try is using a custom remote service name under ‘Tools > Settings > Remote execution > Use PsExec – r switch’. This is sometimes enough to bypass antivirus software.
Great! Thanks for confirming that it worked.
-Doug
Grace – When you posted about this last week I asked you to contact support directly to troubleshoot. When you contacted us directly you then told us that you are not going to manage this server anymore and that we should drop the ticket. And now you are posting about this same error again in a new thread. Would you please instead reply to my last email… In that email I had made a suggestion for you to try and also requested more information if that suggestion failed.
Thanks.
BatchPatch does work with Windows 2000 targets (SP3 and SP4). However, we do not officially support Windows 2000. I would recommend reviewing the following link to help get to the bottom of the issue:
‘Access Denied’ is always a permissions problem. Please review the following two links:
I’m glad you got it worked out. When BP installs the service, it does not allow you to change the user. It must be installed as the user that is running BP. In order for it to be set to Local System, someone would have had to have gone into the services console and changed it. This would definitely break it.
-Doug
Based on what you are describing it sounds like you might have “dual-scan” enabled on these computers. Microsoft introduced new behavior to the Windows Update Agent (WUA) recently that can cause computers to scan against Windows Update or Microsoft Update instead of your local WSUS, and it sounds like you might be affected by it.
We have two blog postings about this topic that explain what it is, how to tell if it’s enabled, and how to disable it. Please read through them very carefully and thoroughly. Let me know what you find.
Deciphering “Dual Scan” Behavior in Windows 10
Other possible reasons for why different updates might be displayed when checking for updates directly on the computer through the Windows Update control panel vs checking for udpates through BatchPatch are explained in question 2 in the FAQ
-Doug
You can certainly try uninstalling/reinstalling though I’m not sure that it will have any effect. The error in your service installation log indicates that you cancelled the installation one time when you first went to install it. It’s not a big deal. I assume you were just testing and then soon after you completed the installation, it seems.
We can see in your log that the BatchPatchServiceInstance.exe starts successfully but then stops or is killed soon after. The question is why does it stop or why is it killed. Do you have any software on the computer that could do such a thing? Antivirus? HIPS? Can you also confirm that you are not launching BatchPatch.exe from within the BatchPatch.zip? This can cause issues. You must first extract BatchPatch.zip so that BatchPatch.exe can be launched on its own instead of directly from within the .zip file.
Anything interesting in the BatchPatchService.log file? This file will be in the directory where the service is installed. Default location is C:Program Files (x86)BatchPatchServiceDOMAIN.AccountBatchPatchService.log
Anything interesting in the Windows application log in the event viewer?
Thanks. This is the same error that was in your WindowsUpdate.log that we discussed last week. It’s a Windows Update error, not a BatchPatch error.
0x80072F8F -2147012721 ERROR_INTERNET_SECURE_FAILURE ErrorClockWrong
One or more errors were found in the Secure Sockets
Layer (SSL) certificate sent by the server.Googling I found the following link, which has some potentially helpful information:
If you are not able to resolve it based on the suggestions in that link then might need to keep googling 0x80072F8F and see what other things you can find that help.
You are the only BatchPatch user who has ever reported this error, so it must be something specific to your environment that is causing it.
I would suggest starting by making sure that your BIOS clock and your Windows time in the OS are accurate. If they are off too much from real-time or from your WSUS, that could be the problem. Also make sure that the certificate installed on your WSUS does not have any issues or timestamp problems etc.
Dennis – The entire posting about declining the updates on the WSUS server was for troubleshooting/resolving the 106G error that you originally posted about and that is the main topic for this entire thread. However, now it appears that you are instead talking about the completely unrelated -102 error and not the 106G error. When you first mentioned the -102 error last week I asked you for the HRESULT value, but you never gave it to me and you never again mentioned -102. All subsequent references in both your postings and my postings were to the “106G error.”
In any case, the -102 error should be simple to resolve because it has nothing to do with a problematic update on the WSUS and nothing to do with the complicated 106G error. However, in order to understand why the -102 is occurring we need to know the HRESULT, so once again I shall ask you to please provide me with the HRESULT value for the -102 error. You can find this in the ‘Remote Agent Log’ column as well as in the BatchPatch.log file on the target computer in the BatchPatch remote working directory, which by default is C:Program FilesBatchPatch. It will say:
-102: Failed to execute the search. HRESULT: -XXXXXXXXXX
-Doug
0x80246007 -2145099769 SUS_E_DM_NOTDOWNLOADED The update has not been downloaded.Are you using cached mode? If yes, try ‘Tools > Settings > Windows Update > Re-copy/overwrite updates…’ and see if that fixes it. If not, please contact us at BatchPatch Contact Form to troubleshoot. We will ask you for an HTML grid export (File > Export grid to HTML) along with the target computer C:Program FilesBatchPatchBatchPatch.log file.
Thanks
I think maybe you can fix it by changing the ‘Language for non-Unicode programs’ in Windows, as described by this link: Language for non-Unicode
Yes, you can do this in BatchPatch. Your job queue would look something like this:
Step 1: Run the local command, which executes your script. The script must have a built-in function to wait 1 minute and loop and try again if the result is 1.
Step 2: Use one of the following special job queue items, depending on your needs. Failure/error is any non-0 return value from your script. If your script returns 0 then step 3 will execute. If the script returns a non-0 value then step 2 will terminate according to which item below you have used in the job queue:
*Terminate queue if previous actions fails/errors (terminates just the job queue for just the executing row in the grid. The rest of the multi-row sequence will continue.)
*Abort basic multi-row sequence if previous action fails/errors (terminates the entire basic multi-row sequence)
*Abort advanced multi-row sequence if previous action fails/errors (terminates the entire advanced multi-row sequence)
I hope this helps.
-Doug