Forum Replies Created
-
AuthorPosts
-
dougModerator
I doubt it. I would suggest very carefully reviewing your script. I have not reviewed your script carefully, but the behavior you are describing seems like maybe your script is linking the font paths to ‘\\hostname\c$\path\filename.file’ such that Windows locks those files when it boots, instead of linking the font files to a location in C:\Windows\fonts. So SYSTEM is locking the files because Windows is using them for font reference instead of using font files in C:\Windows\fonts.
dougModerator
This doesn’t really seem like a BatchPatch problem. It might be an issue with your script or perhaps it’s something else, especially considering that you do not experience the problem on all computers where you run the script.
dougModerator
Here is what I can tell you…
1. BatchPatch is not getting wrong info. It submits a scan query to the Windows Update Agent (WUA) on the target computer, and then the WUA does its normal process to determine which updates are available, which it reports back to BatchPatch. The query that BatchPatch uses will be identical on each target computer *unless* you modify the search settings that I described in my previous posting such that you scan some computers with one setting and scan other computers with a different setting.
2. With regard to exempting updates, when you initiate the check for updates locally on a target computer, believe it or not but it is already exempting some updates, which is why you do not see the driver updates that you see when BatchPatch performs the scan. BatchPatch is using a query with a larger scope, in this case, than the local Windows Update interface is using. Both scans are being performed by the WUA. The difference is just with the search query and results filtering. Prior to Win 10 and Win 2016 Microsoft would display the driver updates in search results when scanning for updates using the local Windows Update interface. However, in 10/2016 we have noticed that they never display the driver update results. I have not seen any published reason for this behavior, but I believe it’s simply due to the fact that installing driver updates through the Windows Update interface is not reliable. I know you said that you are not allowed to exempt updates from scans, but under the hood that’s what is already happening when you use the Windows Update interface locally on the computer, so I still would recommend that you uncheck the ‘Drivers’ box in the BatchPatch search settings. It might be worth a discussion with the security and policy team to all get on the same page.
3. If you are seeing different results on some target computers in comparison to others, it’s not because of BatchPatch. It’s because the WUA on those target computers is returning different results. The only reason it would be returning different results is if the computers have different applications or hardware installed. Or it’s also possible that they are returning different results because some computers are scanning against Microsoft Update while others are scanning against Windows Update. This could occur if you have opted-in to the Microsoft Update service on some computers but not others. You can opt-in or opt-out a target computer by using the BatchPatch action ‘Actions > Windows Update > Opt-in/Opt-out’.
4. You can certainly always hide updates that you do not want to install or that cannot be installed. Then they will not appear in the search results anymore. I know you said you cannot exempt updates, but if you scan for updates and then decide that some of those updates should not be installed (like the HP driver updates you are talking about) then presumably your security team would allow you to simply hide them at the target so that they do not appear in future scans. BatchPatch can hide updates on the target using ‘Actions > Windows Update > Hide/unhide’
5. Lastly, in your original post you said that the updates appear to install but then when you reboot they are not installed. If you look at the BatchPatch.log (default location is C:\Program Files\BatchPatch\BatchPatch.log on target computers) more closely I think you will find that the updates are failing to install, and there will be a failure code next to each update. We need to improve the way that we are reporting success with some failures in comparison to success with no failures. At the moment, most installations either fail completely, which BatchPatch reports, or they complete successfully, which BatchPatch reports. In less common situations the installation of updates is partially successful (some updates install) and partially unsuccessful (some updates fail to install). BatchPatch reports these as “Succeeded With Errors” but unless you are paying close attention to what is being reported in the grid, you would likely just see the “Succeeded” part or the “Reboot required” part and assume that it was completed without any errors. We’ll work on this for a future build.
I hope this helps.
-Doug
dougModerator
If you are getting updates directly from Microsoft and not from WSUS, then under ‘Tools > Settings > Windows Update’ I would recommend that you change the configuration so that you are only searching for ‘Important’ and ‘Recommended’ instead of ‘All software’ and ‘All drivers.’
-Doug
dougModerator
The account that is being used for integrated security is the account that is used to launch batchpatch.exe. So if you are logged on to the computer as “Domain\user1” and you launch BatchPatch by double-clicking the batchpatch.exe, then the account that BatchPatch will use for integrated security is “Domain\user1”. If you use “run-as” to launch the batchpatch.exe with a different account, then whatever account you specify in the “run-as” dialog will be the account used by BatchPatch for integrated security.
In the current version of BatchPatch the account that was used to launch BatchPatch is displayed in the lower-left corner of the main window. This can be disabled/enabled under ‘Tools > Settings > General > show ‘running as’ user label…’ If you do not see this option then you are not running the latest version of the application.
As for your account lockout situation, I really don’t know what to make of it. It sounds like some type of issue with your environment/configuration, not an issue with BatchPatch. Maybe consider reviewing the security policies in place on the network. Maybe review the security logs on your domain controller(s).
-Doug
dougModerator
If you entered ‘alternate credentials’ for a given row in the BatchPatch grid, then BatchPatch would use those alternate credentials. They are stored per-row. If you didn’t enter them, then BatchPatch will use ‘integrated security’ and try to perform the action using the account that was used to launch BatchPatch.exe.
I cannot imagine any circumstance in which BP would/could trigger your account being locked out. Furthermore, we have never heard any report of similar issues. Lastly, the message that you are seeing “The system cannot contact a domain controller” does not sound like a lockout issue. It sounds like maybe a DNS issue or a network connectivity issue of some kind, assuming that there is actually a domain controller available but just not able to be reached.
-Doug
dougModerator
Yes you can schedule the ‘advanced multi-row queue sequence’ by using that option in the Task Scheduler. You’ll see in the drop-down menu in the Task Scheduler there is an item called ‘Execute advanced multi-row queue sequence’
-Doug
dougModerator
Colleen – You didn’t mention it, but I assume you are using the ‘Advanced Multi-Row Queue Sequence’ or the ‘Basic Multi-Row Queue Sequence’ right?
From what you have shown me, it looks like the problem is that you have “Wait for host to be detected online” immediately following your “Reboot (force always)” command. So what’s happening is the reboot command is initiated and then a split second later the ‘Wait for host to be detected online’ checks to see if the host is online. In this case your host simply does not have enough time to go offline for the reboot. To rectify the situation you might do something like this instead:
Get last boot time
Get c: disk space
Reboot (force always)
Wait 3 minutes
Wait for host to be detected online
send email notification
OR
Get last boot time
Get c: disk space
Reboot (force always)
Wait for host to go offline and come back online
send email notification
Either one of these should generally work for the most part, but neither is a 100% absolute guarantee.
The potential issue with ‘Wait for 3 minutes’ is that there are times when a host could take longer than 3 minutes to initiate the shutdown sequence before it is rebooted. And so in rare cases you could find that the 3 minutes passes but the host still has not shut down and rebooted, and so then the ‘Wait for host to be detected online’ will find the host online without it having ever rebooted. You could set the wait time to 5 minutes or 10 minutes (or even just 1 minute) but it’s always a balancing act because you don’t want your process to take forever and you don’t want your process to start the ‘Wait for host to be detected online’ before the host has a chance to go offline. 1 minute would probably be sufficient in most cases, but 3 minutes is probably safer. Or you could do two 1-minute back to back waits to create a 2 minute wait period.
The potential issue with ‘Wait for host to go offline and come back online’ is that BP cannot accurately determine “offline-ness” 100% of the time. It is generally very good at it using the default setting under ‘Tools > Settings > Grid Preferences > Hosts are considered offline after 3 ping timeouts’ but there are cases, particularly with virtual machines, where a host can be rebooted extremely rapidly in under a few seconds. In cases like this the host might go offline and come back online without BP ever officially detecting it offline. What happens in this case is that your queue hangs until the timeout is reached (the timeout value and options are configured in the job queue window under the ‘Special items’). So there is kind of a balancing act to be mindful of. You could minimize the likelihood of this happening by setting the value to ‘Hosts are considered offline after 2 ping timeouts’, but then on the flip side this could create another type of situation where you have a host that is online but there is a network blip of some kind for a few seconds, and then it could trigger BP to think that the host was offline.
I hope this helps! The bottom line is that these options are not 100% infallible. They are designed to help streamline processes, but they have to be used with the understanding that there are edge cases where they might not behave as desired.
-Doug
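The two queue sequences above either wait a fixed time or depend on catching the host offline. As an added example (not part of the original post and not BatchPatch functionality), this PowerShell function confirms a reboot by comparing the target's last boot time before and after the restart; it assumes WinRM/CIM access to the target, and the function name `Wait-ForReboot` is hypothetical.

```powershell
# Added example, not BatchPatch code. Confirms a reboot by comparing
# Win32_OperatingSystem.LastBootUpTime before and after the restart, so it
# neither depends on a fixed wait nor on observing the host offline.
# Assumption: WinRM/CIM is reachable on the target with the current credentials.
function Wait-ForReboot {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$TimeoutMinutes = 30,   # give up after this long
        [int]$PollSeconds    = 10    # interval between boot-time queries
    )

    # Returns the boot time, or $null while the host is down or CIM is not answering yet.
    function Get-BootTime([string]$Name) {
        try {
            (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Name `
                -OperationTimeoutSec 15 -ErrorAction Stop).LastBootUpTime
        } catch {
            $null
        }
    }

    $before = Get-BootTime $ComputerName
    if (-not $before) {
        throw "Cannot read the boot time of $ComputerName before the reboot."
    }

    Restart-Computer -ComputerName $ComputerName -Force -ErrorAction Stop

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        $after = Get-BootTime $ComputerName

        # A newer boot time proves the reboot happened, even if the host was
        # never seen offline. The small margin guards against minor clock
        # adjustments shifting the reported value.
        if ($after -and $after -gt $before.AddSeconds(5)) {
            return [pscustomobject]@{
                ComputerName   = $ComputerName
                PreviousBoot   = $before
                CurrentBoot    = $after
                SecondsElapsed = [int]((Get-Date) - $deadline.AddMinutes(-$TimeoutMinutes)).TotalSeconds
            }
        }
        # Otherwise the host is still shutting down, still offline, or still
        # booting; keep polling until the deadline.
    }

    throw "$ComputerName did not report a new boot time within $TimeoutMinutes minutes."
}

# Usage (HOST01 is a placeholder name):
#   Wait-ForReboot -ComputerName HOST01 -TimeoutMinutes 20
```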
dougModerator
Thank you for your suggestion. We will consider it.
-Doug
October 20, 2017 at 10:10 pm in reply to: Feature Request. Copy and paste the grid + row count. #10368
dougModerator
You actually can copy the grid to paste somewhere else. Highlight the desired rows and use ctrl-C to copy. Then ctrl-V to paste wherever. The only caveat here is that if you were trying to just copy a single column you would have to first hide all of the other columns, otherwise you will copy and paste all of the visible columns. As a temp workaround though you could keep Excel open and just paste into Excel and then quickly highlight just the hosts column from there to copy into your chat window.
Also, with regard to exporting… you can export just the host columns to txt file by using ‘File > Export grid > Export current grid host column to .txt file’
I don’t know if either of those options gives you what you are looking for. We’ll see about what we can do in a future version to help with this.
With regard to Excel style row count, this is not possible at the moment. However, we have something coming in the next release which I think will give you what you need here. What it does is when you highlight X number of rows, it shows you at any given time the number of rows that you have highlighted.
-Doug
dougModerator
There is no such feature in BatchPatch. I would suggest you export the consolidated report to a delimited file, and then you can import that file into a spreadsheet where you can manipulate it as desired to get the information that you want. Or you could write a simple script to compare the output to your list.
-Doug
dougModerator
We have not had any reports of this issue occurring for anyone else. It could be something specific to your environment… and it could actually be a permissions issue of some kind, but I just found this, which might help:
See “resolution for issue 2” at this Microsoft link. They suggest installing a particular update to resolve this. More discussion here.
dougModerator
Were you trying to reboot the same computer that BP was running on? So you launched BatchPatch.exe on computerA, but then you put computerA into the grid to try to reboot it? Rebooting “self” is not allowed in some OSes. This is not a BatchPatch restriction but rather is a WMI restriction.
FYI the behavior of ‘shutdown.exe /r /f /t 0’ is effectively identical to ‘Reboot (Force Always)’ so it’s fine to use.
dougModerator
No, that won’t work. I would suggest something more like this:
1: Get pending reboot status + reboot if required (force)
2: Wait 5 minutes
3: Wait for host to be detected online
4: Download and install updates + reboot if required
dougModerator
I’m glad you like the app! Thanks for sharing your feedback. 🙂
You can generate a report of available/applicable/needed updates with ‘Actions > Windows updates > Generate consolidated report of available updates’
-Doug
dougModerator
Excellent. Thanks for letting me know. You’re welcome.
-Doug
dougModerator
Yes, definition updates are the same KB number every time with a different definition number. Based on what you have shown me here and what you have said it appears that the issue is specific to Definition 1.249.211.0, because we see that Definition 1.253.667.0 installed successfully and then was not offered again. And it seems that the 1.249.211.0 is only offered/shown when no other definition update is offered/shown. The problematic update is, in fact, being offered by the Windows Update agent. BatchPatch is not “inventing” the update or pulling it from some cache. There are a couple of things I would suggest as a start.
0. Are you using WSUS? You should see if you can decline this particular definition update on your WSUS. If you are not using WSUS then skip to the next suggestion.
1. Note that you are currently searching for “all software updates” in BatchPatch. I suspect that the reason you do not see this update in the Windows Update control panel is because of the search scope. If you were to change your search preferences in BatchPatch (under ‘Tools > Settings > Windows Update’) to ‘Important’ and ‘Recommended’ instead of ‘all software updates’ I wouldn’t be surprised if you stopped seeing the update appear. In general, when not using WSUS we recommend using ‘Important’ and ‘Recommended’ to best mimic what Microsoft wants you to download/install on the computer.
2. You might simply be able to hide the update from appearing in BatchPatch search results. Following these instructions to hide the update in question might be sufficient.
Hiding Windows Updates Remotely In a Non-WSUS Environment
3. As a last resort I would think that you could uninstall/reinstall MSE on the target computers.
October 12, 2017 at 2:43 pm in reply to: Task query – deploying software to machines as they appear online #10387
dougModerator
dougModerator
Ok so we see that there is a definition update. And so now we need to see what the ‘Remote Agent log’ or the target computer C:\Program Files\BatchPatch\batchpatch.log file says about the installation attempt, not just the search. If you do a “download and install updates” then there will be an entry for that in the log. It will show if the update was installed by BatchPatch or if it failed to install. If it failed to install, there will be a reason code.
I understand that you are saying that there is no update to be applied, but it seems that BatchPatch is finding an update. Just because you don’t see it in the Windows Update control panel on the target computer does not mean that it does not exist.
Also you can look at the history report in BatchPatch (‘Actions > Windows Updates > Generate consolidated report of update history’) which will show the application that has been applying this update in the past.
dougModerator
What is the update that is available? Sometimes you might see this with a Windows Defender definition update since there is a new one every day.
Also you can/should look at the ‘Remote Agent Log’ column or the BatchPatch.log file from the target computer to see what actually is taking place during the update process. Is there an update that is failing to apply? The failure will be visible in the log.
-Doug
October 11, 2017 at 3:33 pm in reply to: Synchronize a BatchPatch Grid with Active Directory OUs and Groups #10382
dougModerator
We’ll add this to the list.
Thanks,
Doug
dougModerator
Two points…
1. There is a bug in the current version of BP that prevents the global column display order from being properly loaded when using ‘Tools > Settings > Remember open tabs’
2. The next release of BP will save the column display order with each .bps file instead of globally.
October 4, 2017 at 3:24 pm in reply to: Is there a what's new file for each release of BatchPatch? #10393
dougModerator
You can find the change log inside the software under ‘Help > Check for updates > View change log’
Thanks,
Doug
dougModerator
I’m actually not certain which setting is controlling what you are seeing there. It might be different depending on which operating system you’re looking at. However, I can tell you that the settings are all generally controlled by group policy or more specifically by the policy’s corresponding registry value (when group policy is applied to a given computer, that computer then updates typically one registry value per applied policy to control the behavior specified by the policy). The location of all the policies in question is:
Computer Configuration > Administrative Templates > Windows Components > Windows Update
You could determine which registry keys/values are associated with the policies that you have in place to control the timing of updates, and then you could use BatchPatch to retrieve the corresponding registry values to determine the settings on the target computers.
However, we recommend that you use group policy (or local policy if the computers are not members of a domain) to prevent automatic updates from automatically installing updates, so there should be *no* schedule set for automatic updates. Then use BatchPatch to install the updates on-demand. This is described in more detail here:
dougModerator
When you say “an update schedule” what exactly do you mean? Please be as specific and detailed as possible.
-Doug
dougModerator
How do you currently check if it is disabled? Do you have a command line query that you can run to determine its state? If so, this should be able to be integrated into your BatchPatch remote commands so that it appears in your menu.
how-to-hard-code-your-own-custom-commands-in-the-batchpatch-actions-menu
dougModerator
Are you using a local WSUS or are the searches being performed on Windows Update/Microsoft Update? Please try both (you can change the setting under ‘Tools > Settings > Windows Update’ in BatchPatch). I’d like to know if the issue only occurs with one or the other or both.
Please review the following posting about 106G. I don’t believe we have ever seen or heard of your particular HRESULT -2145123271, and I don’t believe we have ever seen 106G occur on Windows 2012R2. However, the 106G we have seen just a handful of times with customers. The 106G indicates that there was an error retrieving the search results from the update server, while the HRESULT value is the reason code. There may be a solution/resolution in this posting:
Also, if you are able to retrieve the relevant lines from your WindowsUpdate.log (C:\Windows\WindowsUpdate.log) from the target computer, they might help shed some light. I would suggest searching for 80240439 in the log file to find the appropriate lines. Feel free to share your findings here.
-Doug
dougModerator
I would suggest that you start by seeing if you are able to install updates at the control panel of any of these computers *without* using BatchPatch or if you get a similar error when performing the operation directly on the computer. Let me know what happens.
-2145123271 == 0x80240439
Some of these search results might also help: Google 80240439
dougModerator
Excellent. Thanks for following up. I’m glad that 2 worked. I also understand that 3 does not scale well. I’ll ask the team to re-work the script so that it can be used for any number of fonts without having to fill in so much code.
-Doug
dougModerator
I would suggest a few things to try:
1. Change the ‘remote execution context’ to ‘Elevated token’ and then try again and see if it works.
BatchPatch Remote Execution Context
2. Change the \\nasserver path in the script to a local/relative path instead of one that reaches out to a remote server. If your script is made to *not* access a remote path and instead is made to access the files locally (locally on the target computer), I suspect it will work.
Deploying a Script with Relative Instead of Absolute Paths
3. Follow the tutorial linked below that explains another way to deploy fonts:
Remotely Install OpenType (.otf) or TrueType (.ttf) Fonts
Please report back and let us know what you try and what works for you.
Thanks,
Doug