[doug]

This is already an available feature in the application. Go to ‘ Actions > Windows Updates > Generate consolidated report of update history ‘ From there you have two options. You may enter the KB number or update title into the ‘Filter by title (include)’ section, or you may run the report for all installed updates with no filter. If you run the report for ALL updates, then when you get the results list you would simply sort by update title or KB number to see which machines do not have it. If you run the report to JUST include the particular update in question, then you’ll have your answer that way too.

-Doug

[doug]

BatchPatch has a deployment feature that lets you deploy exe, msi, msp, msu, vbs, ps1, and more. I just downloaded the XP patch from Microsoft, and it’s in exe format. In this case you probably would need to add the /quiet switch in the deployment parameters.

There are numerous tutorials for deploying exe files to remote computers here: BatchPatch Software Deployment

[doug]

Thank you for the suggestion. We will consider this for a future build. In the meantime you can add almost any custom ‘get’ command that you want by using the ‘Get information’ user-defined commands under ‘Actions > Get info > Create/modify’

These two commands will give you CPU info and disk space, respectively:

WMIC CPU get name, caption, maxclockspeed, systemname

WMIC PATH Win32_LogicalDisk where "drivetype=3" GET deviceid, volumename, freespace, size

There are numerous other command examples displayed in the ‘help’ section of the ‘Create / modify’ window. I hope this helps.

-Doug

[doug]

Thanks for the info, Booster. I’m sorry that you had to experience such crashing. We’ll see what we can do to address this, likely in the next release.

-Doug

[doug]

Most likely yes that will break BatchPatch. I would suggest you test it and see.

-Doug

[doug]

Regarding question number 1:

I don’t see any obvious issues. I don’t know what your textual filter was set to, but according to the remote agent log there are two important things to note:

1. In the section that says “::Begin filtering collection,” updates are skipped there because “Reason: Update not in ‘IncludeSpecificUpdatesList'” which means that your textual filter did not include the update.

2. In the section that says “::Begin adding downloaded items to installer collection,” updates are skipped there because they were not downloaded yet. For this action you chose ‘Install downloaded updates’ which will only install updates that had already been downloaded to the computer. These updates were never downloaded, and so they could not be installed with ‘Install downloaded updates.’ They would need to be installed with ‘Download and install updates.’

---

Regarding question number 2:

‘::Begin offline search’ indicates that you chose the action ‘Install downloaded updates.’ This is NOT the same as when ‘offline mode’ is enabled in BatchPatch. The ‘Install downloaded updates’ search is performed ‘offline’ because BatchPatch searches the target computer (*not* the WSUS server and *not* Microsoft’s Windows Update server) to see which updates it already/previously downloaded.

When ‘offline mode’ is used the remote agent log instead says “::Begin ‘offline sync service’ search.”

[doug]

The error that you received is:

0x80072EE2 -2147012894 ERROR_INTERNET_TIMEOUT The request has timed out.

This means that the target computer is having problems connecting to the WSUS server. Is this the only computer that produces this error? Do you have a proxy in your environment? This error could be due to a proxy issue. If you are using a proxy in your environment, then that’s probably the reason. Please review the following link to see how to resolve proxy issues:

Using BatchPatch with an Enterprise Web Proxy

-Doug

[doug]

I would suggest starting with these pages:

https://en.wikipedia.org/wiki/DCE/RPC

http://wiki.wireshark.org/DCE/RPC

[doug]

Opening those ports is not sufficient. WMI, which is one of the protocols used by BatchPatch, relies on dynamic port configuration for its connections, which means that the actual ports used for a given connection are established on-the-fly at the time of connection. Each connection will end up using different ports. You would additionally need to modify your network/hardware firewall to enable/allow DCE/RPC. More info here:

BatchPatch Port Requirements

-Doug

[doug]

Thanks, Mats. We’ll consider how to incorporate this in a future version.

-Doug

[doug]

We have unfortunately not had any success delivering this update through BatchPatch in a standalone configuration. I believe it may/should work if you are delivering the update through WSUS, but if there is no WSUS it does not seem to work at all.

-Doug

[doug]

Thanks for the suggestion, Mats. We will consider this for a future build. Do you happen to have a saved .bps file from a previous run from last month? That file would likely contain the IPs, right?

-Doug

[doug]

Generally speaking, a reboot shouldn’t really ever be required. As for some kind of “smother” way to kill processes, BP can only currently do this for processes it knows about such as for the Windows Update menu actions that are built-in to BP. But when you execute custom commands and/or processes, BP doesn’t really know what exactly it would need to be killing. You can certainly use BP to kill remote processes by name, but you would have to insert the names yourself.

[doug]

The issue that you are describing sounds like BatchPatch was not the cause of the problem but rather was a symptom of an issue that occurred with the operating system. This is why you had to reboot the system to get things working again.

-Doug

[doug]

The cache does not have any kind of built-in cleaning routine. You can manually clean the cache by simply deleting all of the cache folder contents. If you want to setup a task to do it, then you could use a BatchPatch ‘local command’ under ‘Actions > Local process/command > Create/modify local commands’ such as this, substituting the path to your cache directory:

cmd.exe /C del "F:Some FolderBatchPatch_Cache" /Q

Then just create a scheduled task to execute the local command at the desired time.

-Doug

[doug]

You said “I want batchpatch to run a script against each machine I’ve loaded into batchpatch and this script will not be executed from within the list of machines.”

I don’t understand what you mean when you say “this script will not be executed from within the list of machines.”

There are two ways that BatchPatch can be used to execute a script against a target computer.

1. BatchPatch can be used to deploy a script to a target computer and have that script run on the target computer. For this you would follow the normal deployment process, but the item that you are deploying is a script, not an installation package. There are numerous examples at Software Deployment. There is also a script being deployed as part of this tutorial: Install Windows Updates Only If Sufficient Space Is Detected On Target C Drive

2. BatchPatch can be used to execute a local script on the BatchPatch computer, but you can feed the target computer name into the script, so that the script can operate against the target computer without actually running directly on the target computer. In this case you use a Local command in BatchPatch with the $computer variable used to send the host name into the script as a parameter. An example of this is illustrated inside the following tutorial: Advanced Script Integration with BatchPatch

[doug]

Excellent. Thank you for following up. I’m glad you got it working!

-Doug

[doug]

0x8007000E -2147024882 E_OUTOFMEMORY

I’ve never seen this error before, but note that it is a Windows Update error code. It seems that the Windows Update service does not have enough free memory to perform the check for updates.

-Doug

[doug]

Hugo – The ‘copy file/folder’ works fine with 2016 targets. We have no problems with the functionality here and no customer has ever reported any similar issues before. If you need further assistance troubleshooting this issue, I would suggest that you please email us so that we can trade screenshots more easily. At the moment it is unclear to me what might be going wrong in your case. If you are only having issues with just a 2016 machine, it would seem to imply that there is something with that particular machine’s setup or configuration or permissions that could be the cause of the problem. The fact that the OS is 2016 should have no effect/impact.

Thanks,

Doug

[doug]

This is related to the user account and permissions. I have never seen this particular HRESULT before… is it really 2147022987 or is it actually -2147022987 ? Makes a huge difference when you leave out the negative. I suspect it’s the latter with the negative, which translates to 80070775 for Windows and according to some googling would appear to mean that the user account is locked out or something else related to the user account not being active or permissioned properly.

-Doug

[doug]

Error -198 comes with an HRESULT value. The HRESULT is the value that tells us what the actual reason for the failure is. So, without knowing for sure what the reason is, the fix is harder to determine. However, generally speaking the -198 error usually means that there is a problem with the WsusScn2.cab file. One of the possible problems with this file could be that it is missing a valid signature. You can look at the WsusScn2.cab file in your BatchPatch cache folder to see if has a valid signature. Simply right click on the file and view the properties. In the properties there will be a tab titled “Digital Signatures.” If this tab does not exist, then there is no digital signature on the file. If the tab exists but the signature is bad, then it will tell you that. Either of those situations will cause the -198 error to occur. The signature is not being lost during the file copy on your network. It’s just not on the file in the first place. This is why you need to re-download the file and make sure it has a signature.

If you want a way to auto-redownload and verify signature, BatchPatch can do that. However, in the current version it only does it in one part of the app, which is not the part of the app that you previously used to download it. If you use ‘Tools > Download offline updates repository’ and then check one box from each section in the window that it presents, it will download the WsusScn2.cab file and verify the signature before continuing. Once it downloads successfully you can just quit the window so that it doesn’t do anything else. If it cannot validate the signature it will redo the download until it gets a good file. This way you can just let it keep looping on its own until it gets a good download. Alternatively you can manually download the file from Microsoft using this link: http://go.microsoft.com/fwlink/?LinkId=76054 and then manually check the file properties to make sure there is a valid signature.

In the next version of BatchPatch the other areas of the software that download the WsusScn2.cab file will also validate the signature, but in the current version they don’t do that. They just verify that the download completes successfully, which is unfortunately not enough because it seems that Microsoft is sometimes posting WsusScn2.cab files that do not contain valid signatures. We have been seeing this occur occasionally for the past 6 months. Prior to that it never happened before, which is why the other areas of the app were never written to validate the signature. It was never necessary in the past because simply validating that the download was successful was enough. However, starting about 6 months ago we started seeing Microsoft sometimes have unsigned files on their servers, and so we now need to also verify the signature to make sure it’s good. In our experience, when you repeatedly download the file you will eventually connect to a server that has a signed file.

-Doug

[doug]

Mike – I replied to your email.

-Doug

[doug]

I just tested the same and did not have any problems. My first suggestion to you would be to re-create your grid using the BP GUI. If you have modified the .bps file in a text editor, that might be the cause of the problem.

-Doug

[doug]

This likely means that WMI is broken on the target computers. I would suggest having a look at the following articles for troubleshooting:

WMI Troubleshooting:

https://msdn.microsoft.com/en-us/library/aa394603(v=vs.85).aspx

This fix might work for you too:

http://mikeymurph.me/fix-wmi-service-error/

This fix might also work for you too:

https://www.veritas.com/support/en_US/article.000005356

[doug]

You can view the change log under ‘Help > Check for updates > View change log’

[doug]

I see. This makes sense. I have a few thoughts.

First, I think your goal here is commendable, but this is not a new problem. IT admins have been wresting with the issue of how to handle admin rights for end users for years. You can find many places on the web where this is discussed. I’m sure I have seen the topic posted in Reddit sysadmin subreddit more than one time. To grant and remove admin access on an as-needed basis seems to me not a great solution, but I don’t work at your office, and only you can decide what is best for your environment. You might consider reading through reddit and/or posting there to see what people suggest. There are other IT forums where this topic has been addressed as well, so some googling might get you a better solution.

3. If you gave your users one domain account and one local account, they would use the domain account as their main logon. Their email would be tied to this account as would all of their network privileges. The local account would only be useful for updating applications. It would not be useful for daily logon, so they wouldn’t do that (most likely). I have seen this option work effectively in more than one organization. In most Windows domain environments, giving users a local admin account will not entice them to be logged on all the time with that account because there are too many things that they need to be logged on to their domain account for, with email and network privileges being the two most important usually.

4. You would not need separate batch files. You could use the remote/process command action in BP (just make sure to modify the remote execution context, as previously discussed. This would allow you to spend a little while just one time to create your BP grid to include the proper remote/process command for each row, customized for each username. Then you would save this grid to a .bps file for future use. Then in the future you could just load that .bps file into a grid, select all rows and execute the remote process/command.

7. You could write a vbs or powershell script that finds the currently logged on user and then in that same script then adds the user to the required group (or removes). You would then deploy the .ps1 or .vbs file with BP. It would be the same script for all targets since the script would dynamically handle figuring out the currently logged on user. A couple methods for getting the currently logged on user are described here: https://serverfault.com/questions/32633/how-to-check-who-is-currently-logged-on-to-windows-workstation-from-command-line

I hope this helps.

[doug]

mortega – I’m not sure I fully understand your goal. If you are using BP to install updates, you do not need to have end users in the local admins group. As long as the account that you are using to run BP (or the account that you input in the alternate credentials field in a BP row) is in the local admin group on target computers you’ll be all set to install updates on those computers.

If your goal is to allow users to install their own windows updates, I believe there is a group policy that allows non-admin users to install windows updates, so you can use that.

If your goal is to allow users to install their own software, then you’re asking an IT policy question, not a BatchPatch question. There are a lot of different ways that organizations handle this situation. Some possible options include:

1. Allow users to be admins of their own computers at all times.

2. Do not ever allow users to be admins of their own computers. All software is installed by an IT admin.

3. Provide users with 2 accounts. They have a primary account that they log on to their computers with for every day use. This account is not in the admins group. Then they have a secondary local admin account on their own computer. If they want to install software then they would use run-as to install the software using the local admin credentials.

4. You could use BatchPatch to put the end user of a computer into the local admins group, similarly to how you were trying it. But instead of using %username% you would use the actual username. I’m not sure why you aren’t already doing this, but I assume you have a reason.

5. Create one security group for each target computer. Add that group to the target computer’s local admin group. Then use Active Directory to add/remove the desired user at the desired time. This way since every computer has its own unique security group, you don’t end up giving one user access to another user’s computer.

6. Some other method.

[doug]

Well I did say that you would end up with your account (the account used to launch BatchPatch) as the account that would be added. See my original post.

-Doug

[doug]

OK so let me correct myself… I realize now that I made a mistake.

You can actually use either the remote process/command OR the deployment feature in BatchPatch to successfully accomplish what you are trying to accomplish. However, for either option to work properly you need to change the remote execution context under ‘Tools > Settings > Remote Execution’ to ‘Elevated token’ instead of ‘SYSTEM.’ And so if you are trying to use ‘remote process/command’ to accomplish the task, then you would need to change the execution context for ‘remote process/command’ to be ‘Elevated token.’ If you are trying to use the ‘deployment’ feature of BatchPatch to accomplish this task, then you need to change the execution context for ‘deployment’ to be ‘Elevated token’ instead of ‘SYSTEM.’

NOTE: In many cases there will be no discernible difference in the behavior of remote commands run under different execution contexts. However, in some cases commands might only run successfully under a particular context. We find that using the SYSTEM account works best for most users in most situations, but in the case that we are discussing, SYSTEM will not work as desired, which is why you need to use ‘Elevated token’ instead.

I hope this helps.

-Doug

[doug]

The error code 1 with the batch file would have been when the remote execution context was set to ‘SYSTEM’ instead of ‘Elevated token’ for the deployment. Glad you got it working now.

-Doug

[Author]

Posts