Forum Replies Created
dougModerator
MAC address is for Wake On LAN only. You need to use host name or IP address for everything else.
dougModerator
Please see:
dougModerator
With regard to feature updates (upgrades)… the filter is now there so that BatchPatch recognizes them and distinguishes them from other updates. However, at this time BatchPatch cannot install feature updates through the normal/standard BatchPatch Windows update actions. This is due to how Microsoft is distributing them differently from all other software updates. Instead they can be deployed using the method outlined here:
Remotely Upgrading Windows 10 to the ‘Creators Update’ version 1703 (or to the ‘Anniversary Update’ version 1607)
As for the driver updates in question, it’s a similar situation. In Win 10 and Win 2016 we have noticed that Microsoft doesn’t even show these updates in the Windows Update GUI anymore. BatchPatch still shows them, but they appear to not be installable. Frankly, chipset drivers were probably not ever installable through Microsoft Update. We recommend that if you are using Microsoft Update that you then also use ‘Important/Recommended’ instead of ‘All software updates’ and ‘All driver updates.’ Or at the least I would suggest that you uncheck ‘All driver updates.’
-Doug
dougModerator
Please review the following posting about 106G. The 106G indicates that there was an error retrieving the search results from the update server, while the HRESULT value is the reason code. There may be a solution/resolution in the following posting. You are seeing a different HRESULT, which we have only ever seen or heard of from gestay. The following posting discusses solutions for the same 106G but a different HRESULT. However, I think your problem will be resolved in a similar way. You might even just decide to build a new WSUS (or rebuild your existing one) because that might be the quickest/simplest fix:
November 11, 2017 at 3:46 am in reply to: Check for updates stuck at the "Attempting to initiate Windows Update #10348
dougModerator
It might be caused by your anti malware software blocking psexesvc.exe on the target computers. Try setting a custom name for this process under ‘Tools > Settings > Remote Execution > Use PsExec -r switch to specify remote service name’. You could use something like BatchPatchExeSvc.exe. This might be enough to bypass the anti malware app. If not then you could try whitelisting the exe files in the anti malware app.
See also this posting, which explains the most common reason for getting stuck on “Attempting to initiate Windows Update”: https://batchpatch.com/batchpatch-stuck-attempting-to-initiate-windows-update
November 10, 2017 at 8:21 pm in reply to: Silent install of Matlab MCR_R2017b using Batchpatch #10346
dougModerator
Based on reviewing their instructions I think there are a couple things you need to do.
1. From their description it sounds like there are more installation files than just the MCR_R2017b_win64_installer.exe. If there is an entire folder of installation files then you must check the box “copy entire directory” in your BatchPatch deployment configuration.
2. They are saying that you need to create a properties file template, which you can name installer_input.txt. After you input the needed/desired properties into this file according to their instructions, then you can create the deployment.
3. The deployment configuration must copy the entire directory that contains the MCR_R2017b_win64_installer.exe along with the installer_input.txt file to the target computer. This is accomplished by having the installer_input.txt file in the same folder as the MCR_R2017b_win64_installer.exe. Then tick the box as mentioned in step 1 to “copy entire directory”. Additionally you would need to add the following parameter to the parameters field in the deployment configuration of BatchPatch.
-inputFile installer_input.txt
You will *not* need to modify the ‘command to execute’ field in BatchPatch. However, when the deployment is properly configured it should show:
"MCR_R2017b_win64_installer.exe" -inputFile installer_input.txt
November 10, 2017 at 10:07 am in reply to: Check for updates stuck at the "Attempting to initiate Windows Update #10345
dougModerator
It sounds like something in your environment has changed. Access Denied generally means that there is a permissions issue. Please start by going through the troubleshooting guide step by step to help pinpoint where the issue is.
November 6, 2017 at 10:54 pm in reply to: Recurrence greyed out when using Multiple Tasks Schedule. #10353
dougModerator
The ‘multiple tasks schedule’ does not support recurrence, and I’m not sure if/when it will. Your options are:
1. Add two rows to the grid with the same target computer in each row. Then create a recurring scheduled task for each row.
2. Use the multiple tasks schedule and simply pick the exact dates and times you want the tasks to run instead of using the recurrence option. You can schedule the tasks as far in advance as you would like, so it would not take very long to schedule a couple years or more worth of monthly tasks.
I hope this helps.
-Doug
dougModerator
I doubt it. I would suggest very carefully reviewing your script. I have not reviewed your script carefully, but the behavior you are describing seems like maybe your script is linking the font paths to ‘\\hostname\c$\path\filename.file’ such that Windows locks those files when it boots, instead of linking the font files to a location in C:\Windows\fonts. So SYSTEM is locking the files because Windows is using them for font reference instead of using font files in C:\Windows\fonts.
dougModerator
This doesn’t really seem like a BatchPatch problem. It might be an issue with your script or perhaps it’s something else, especially considering that you do not experience the problem on all computers where you run the script.
dougModerator
Here is what I can tell you…
1. BatchPatch is not getting wrong info. It submits a scan query to the Windows Update Agent (WUA) on the target computer, and then the WUA does its normal process to determine which updates are available, which it reports back to BatchPatch. The query that BatchPatch uses will be identical on each target computer *unless* you modify the search settings that I described in my previous posting such that you scan some computers with one setting and scan other computers with a different setting.
2. With regard to exempting updates, when you initiate the check for updates locally on a target computer, believe it or not but it is already exempting some updates, which is why you do not see the driver updates that you see when BatchPatch performs the scan. BatchPatch is using a query with a larger scope, in this case, than the local Windows Update interface is using. Both scans are being performed by the WUA. The difference is just with the search query and results filtering. Prior to Win 10 and Win 2016 Microsoft would display the driver updates in search results when scanning for updates using the local Windows Update interface. However, in 10/2016 we have noticed that they never display the driver update results. I have not seen any published reason for this behavior, but I believe it’s simply due to the fact that installing driver updates through the Windows Update interface is not reliable. I know you said that you are not allowed to exempt updates from scans, but under the hood that’s what is already happening when you use the Windows Update interface locally on the computer, so I still would recommend that you uncheck the ‘Drivers’ box in the BatchPatch search settings. It might be worth a discussion with the security and policy team to all get on the same page.
3. If you are seeing different results on some target computers in comparison to others, it’s not because of BatchPatch. It’s because the WUA on those target computers is returning different results. The only reason it would be returning different results is if the computers have different applications or hardware installed. Or it’s also possible that they are returning different results because some computers are scanning against Microsoft Update while others are scanning against Windows Update. This could occur if you have opted-in to the Microsoft Update service on some computers but not others. You can opt-in or opt-out a target computer by using the BatchPatch action ‘Actions > Windows Update > Opt-in/Opt-out’.
4. You can certainly always hide updates that you do not want to install or that cannot be installed. Then they will not appear in the search results anymore. I know you said you cannot exempt updates, but if you scan for updates and then decide that some of those updates should not be installed (like the HP driver updates you are talking about) then presumably your security team would allow you to simply hide them at the target so that they do not appear in future scans. BatchPatch can hide updates on the target using ‘Actions > Windows Update > Hide/unhide’
5. Lastly, in your original post you said that the updates appear to install but then when you reboot they are not installed. If you look at the BatchPatch.log (default location is C:\Program Files\BatchPatch\BatchPatch.log on target computers) more closely I think you will find that the updates are failing to install, and there will be a failure code next to each update. We need to improve the way that we are reporting success with some failures in comparison to success with no failures. At the moment, most installations either fail completely, which BatchPatch reports, or they complete successfully, which BatchPatch reports. In less common situations the installation of updates is partially successful (some updates install) and partially unsuccessful (some updates fail to install). BatchPatch reports these as “Succeeded With Errors” but unless you are paying close attention to what is being reported in the grid, you would likely just see the “Succeeded” part or the “Reboot required” part and assume that it was completed without any errors. We’ll work on this for a future build.
I hope this helps.
-Doug
dougModerator
If you are getting updates directly from Microsoft and not from WSUS, then under ‘Tools > Settings > Windows Update’ I would recommend that you change the configuration so that you are only searching for ‘Important’ and ‘Recommended’ instead of ‘All software’ and ‘All drivers.’
-Doug
dougModerator
The account that is being used for integrated security is the account that is used to launch batchpatch.exe. So if you are logged on to the computer as “Domain\user1” and you launch BatchPatch by double-clicking the batchpatch.exe, then the account that BatchPatch will use for integrated security is “Domain\user1”. If you use “run-as” to launch the batchpatch.exe with a different account, then whatever account you specify in the “run-as” dialog will be the account used by BatchPatch for integrated security.
In the current version of BatchPatch the account that was used to launch BatchPatch is displayed in the lower-left corner of the main window. This can be disabled/enabled under ‘Tools > Settings > General > show ‘running as’ user label…’ If you do not see this option then you are not running the latest version of the application.
As for your account lockout situation, I really don’t know what to make of it. It sounds like some type of issue with your environment/configuration, not an issue with BatchPatch. Maybe consider reviewing the security policies in place on the network. Maybe review the security logs on your domain controller(s).
-Doug
dougModerator
If you entered ‘alternate credentials’ for a given row in the BatchPatch grid, then BatchPatch would use those alternate credentials. They are stored per-row. If you didn’t enter them, then BatchPatch will use ‘integrated security’ and try to perform the action using the account that was used to launch BatchPatch.exe.
I cannot imagine any circumstance in which BP would/could trigger your account being locked out. Furthermore, we have never heard any report of similar issues. Lastly, the message that you are seeing “The system cannot contact a domain controller” does not sound like a lockout issue. It sounds like maybe a DNS issue or a network connectivity issue of some kind, assuming that there is actually a domain controller available but just not able to be reached.
-Doug
dougModerator
Yes you can schedule the ‘advanced multi-row queue sequence’ by using that option in the Task Scheduler. You’ll see in the drop-down menu in the Task Scheduler there is an item called ‘Execute advanced multi-row queue sequence’.
-Doug
dougModerator
Colleen – You didn’t mention it, but I assume you are using the ‘Advanced Multi-Row Queue Sequence’ or the ‘Basic Multi-Row Queue Sequence’ right?
From what you have shown me, it looks like the problem is that you have “Wait for host to be detected online” immediately following your “Reboot (force always)” command. So what’s happening is the reboot command is initiated and then a split second later the ‘Wait for host to be detected online’ checks to see if the host is online. In this case your host simply does not have enough time to go offline for the reboot. To rectify the situation you might do something like this instead:
Get last boot time
Get c: disk space
Reboot (force always)
Wait 3 minutes
Wait for host to be detected online
send email notification
OR
Get last boot time
Get c: disk space
Reboot (force always)
Wait for host to go offline and come back online
send email notification
Either one of these should generally work for the most part, but neither is a 100% absolute guarantee.
The potential issue with ‘Wait for 3 minutes’ is that there are times when a host could take longer than 3 minutes to initiate the shutdown sequence before it is rebooted. And so in rare cases you could find that the 3 minutes passes but the host still has not shut down and rebooted, and so then the ‘Wait for host to be detected online’ will find the host online without it having ever rebooted. You could set the wait time to 5 minutes or 10 minutes (or even just 1 minute) but it’s always a balancing act because you don’t want your process to take forever and you don’t want your process to start the ‘Wait for host to be detected online’ before the host has a chance to go offline. 1 minute would probably be sufficient in most cases, but 3 minutes is probably safer. Or you could do two 1-minute back to back waits to create a 2 minute wait period.
The potential issue with ‘Wait for host to go offline and come back online’ is that BP cannot accurately determine “offline-ness” 100% of the time. It is generally very good at it using the default setting under ‘Tools > Settings > Grid Preferences > Hosts are considered offline after 3 ping timeouts’ but there are cases, particularly with virtual machines, where a host can be rebooted extremely rapidly in under a few seconds. In cases like this the host might go offline and come back online without BP ever officially detecting it offline. What happens in this case is that your queue hangs until the timeout is reached (the timeout value and options are configured in the job queue window under the ‘Special items’). So there is kind of a balancing act to be mindful of. You could minimize the likelihood of this happening by setting the value to ‘Hosts are considered offline after 2 ping timeouts’, but then on the flip side this could create another type of situation where you have a host that is online but there is a network blip of some kind for a few seconds, and then it could trigger BP to think that the host was offline.
I hope this helps! The bottom line is that these options are not 100% infallible. They are designed to help streamline processes, but they have to be used with the understanding that there are edge cases where they might not behave as desired.
-Doug
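The two failure modes described in the reply above (an online check that runs before the host has gone down, and a reboot too fast for ping-based offline detection) can both be avoided by confirming the reboot from the host's last boot time. This is an added example, not from the original post or from BatchPatch; the function names are hypothetical, and it assumes CIM over WinRM is reachable on the target and that the caller has rights to restart it:

```powershell
# Added example (hypothetical helper names, not BatchPatch code).
# Confirms a reboot by comparing LastBootUpTime before and after,
# instead of inferring it from ping state or a fixed wait.

function Get-LastBoot {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Both timestamps come from the target's own clock, so clock skew
    # between the console and the target does not affect the comparison.
    (Get-CimInstance -ClassName Win32_OperatingSystem `
        -ComputerName $ComputerName `
        -OperationTimeoutSec 15 `
        -ErrorAction Stop).LastBootUpTime
}

function Restart-AndConfirm {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$TimeoutSeconds = 900,   # overall limit, like the queue timeout
        [int]$PollSeconds    = 10
    )

    $before = Get-LastBoot -ComputerName $ComputerName
    Restart-Computer -ComputerName $ComputerName -Force

    $started  = Get-Date
    $deadline = $started.AddSeconds($TimeoutSeconds)
    $after    = $null

    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        try {
            $after = Get-LastBoot -ComputerName $ComputerName
        } catch {
            # Host is down or remoting is not ready yet: keep polling.
            continue
        }
        # Host answered. It has only rebooted if the boot time moved forward;
        # an unchanged value means shutdown has not started yet.
        if ($after -gt $before) {
            return [pscustomobject]@{
                ComputerName  = $ComputerName
                Rebooted      = $true
                BootBefore    = $before
                BootAfter     = $after
                WaitedSeconds = [int]((Get-Date) - $started).TotalSeconds
            }
        }
    }

    # Timed out: either the host never rebooted or it never came back.
    [pscustomobject]@{
        ComputerName  = $ComputerName
        Rebooted      = $false
        BootBefore    = $before
        BootAfter     = $after
        WaitedSeconds = $TimeoutSeconds
    }
}
```

A result with `Rebooted = $false` and `BootAfter` equal to `BootBefore` means the host stayed up for the whole window, which is the case a fixed wait followed by an online check would have reported as success.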
dougModerator
Thank you for your suggestion. We will consider it.
-Doug
October 20, 2017 at 10:10 pm in reply to: Feature Request. Copy and paste the grid + row count. #10368
dougModerator
You actually can copy the grid to paste somewhere else. Highlight the desired rows and use ctrl-C to copy. Then ctrl-V to paste wherever. The only caveat here is that if you were trying to just copy a single column you would have to first hide all of the other columns, otherwise you will copy and paste all of the visible columns. As a temp workaround though you could keep Excel open and just paste into Excel and then quickly highlight just the hosts column from there to copy into your chat window.
Also, with regard to exporting… you can export just the host columns to txt file by using ‘File > Export grid > Export current grid host column to .txt file’
I don’t know if either of those options gives you what you are looking for. We’ll see about what we can do in a future version to help with this.
With regard to Excel style row count, this is not possible at the moment. However, we have something coming in the next release which I think will give you what you need here. What it does is when you highlight X number of rows, it shows you at any given time the number of rows that you have highlighted.
-Doug
dougModerator
There is no such feature in BatchPatch. I would suggest you export the consolidated report to a delimited file, and then you can import that file into a spreadsheet where you can manipulate it as desired to get the information that you want. Or you could write a simple script to compare the output to your list.
-Doug
dougModerator
We have not had any reports of this issue occurring for anyone else. It could be something specific to your environment… and it could actually be a permissions issue of some kind, but I just found this, which might help:
See “resolution for issue 2” at this Microsoft link. They suggest installing a particular update to resolve this. More discussion here.
dougModerator
Were you trying to reboot the same computer that BP was running on? So you launched BatchPatch.exe on computerA, but then you put computerA into the grid to try to reboot it? Rebooting “self” is not allowed in some OSes. This is not a BatchPatch restriction but rather is a WMI restriction.
FYI the behavior of ‘shutdown.exe /r /f /t 0’ is effectively identical to ‘Reboot (Force Always)’ so it’s fine to use.
dougModerator
No, that won’t work. I would suggest something more like this:
1: Get pending reboot status + reboot if required (force)
2: Wait 5 minutes
3: Wait for host to be detected online
4: Download and install updates + reboot if required
dougModerator
I’m glad you like the app! Thanks for sharing your feedback. 🙂
You can generate a report of available/applicable/needed updates with ‘Actions > Windows updates > Generate consolidated report of available updates’
-Doug
dougModerator
Excellent. Thanks for letting me know. You’re welcome.
-Doug
dougModerator
Yes, definition updates are the same KB number every time with a different definition number. Based on what you have shown me here and what you have said it appears that the issue is specific to Definition 1.249.211.0, because we see that Definition 1.253.667.0 installed successfully and then was not offered again. And it seems that the 1.249.211.0 is only offered/shown when no other definition update is offered/shown. The problematic update is, in fact, being offered by the Windows Update agent. BatchPatch is not “inventing” the update or pulling it from some cache. There are a couple of things I would suggest as a start.
0. Are you using WSUS? You should see if you can decline this particular definition update on your WSUS. If you are not using WSUS then skip to the next suggestion.
1. Note that you are currently searching for “all software updates” in BatchPatch. I suspect that the reason you do not see this update in the Windows Update control panel is because of the search scope. If you were to change your search preferences in BatchPatch (under ‘Tools > Settings > Windows Update’) to ‘Important’ and ‘Recommended’ instead of ‘all software updates’ I wouldn’t be surprised if you stopped seeing the update appear. In general, when not using WSUS we recommend using ‘Important’ and ‘Recommended’ to best mimic what Microsoft wants you to download/install on the computer.
2. You might simply be able to hide the update from appearing in BatchPatch search results. Following these instructions to hide the update in question might be sufficient.
Hiding Windows Updates Remotely In a Non-WSUS Environment
3. As a last resort I would think that you could uninstall/reinstall MSE on the target computers.
October 12, 2017 at 2:43 pm in reply to: Task query – deploying software to machines as they appear online #10387
dougModerator
dougModerator
Ok so we see that there is a definition update. And so now we need to see what the ‘Remote Agent log’ or the target computer C:\Program Files\BatchPatch\batchpatch.log file says about the installation attempt, not just the search. If you do a “download and install updates” then there will be an entry for that in the log. It will show if the update was installed by BatchPatch or if it failed to install. If it failed to install, there will be a reason code.
I understand that you are saying that there is no update to be applied, but it seems that BatchPatch is finding an update. Just because you don’t see it in the Windows Update control panel on the target computer does not mean that it does not exist.
Also you can look at the history report in BatchPatch (‘Actions > Windows Updates > Generate consolidated report of update history’) which will show the application that has been applying this update in the past.
dougModerator
What is the update that is available? Sometimes you might see this with a Windows Defender definition update since there is a new one every day.
Also you can/should look at the ‘Remote Agent Log’ column or the BatchPatch.log file from the target computer to see what actually is taking place during the update process. Is there an update that is failing to apply? The failure will be visible in the log.
-Doug
October 11, 2017 at 3:33 pm in reply to: Synchronize a BatchPatch Grid with Active Directory OUs and Groups #10382
dougModerator
We’ll add this to the list.
Thanks,
Doug
dougModerator
Two points…
1. There is a bug in the current version of BP that prevents the global column display order from being properly loaded when using ‘Tools > Settings > Remember open tabs’
2. The next release of BP will save the column display order with each .bps file instead of globally.