Forum Replies Created
-
AuthorPosts
-
dougModerator
I just tested the same and did not have any problems. My first suggestion to you would be to re-create your grid using the BP GUI. If you have modified the .bps file in a text editor, that might be the cause of the problem.
-Doug
dougModerator
This likely means that WMI is broken on the target computers. I would suggest having a look at the following articles for troubleshooting:
WMI Troubleshooting:
https://msdn.microsoft.com/en-us/library/aa394603(v=vs.85).aspx
This fix might work for you too:
http://mikeymurph.me/fix-wmi-service-error/
This fix might also work for you too:
dougModerator
You can view the change log under ‘Help > Check for updates > View change log’
March 15, 2017 at 10:17 pm in reply to: Computer name is being added to Local User Groups with batch file. #10926
dougModerator
I see. This makes sense. I have a few thoughts.
First, I think your goal here is commendable, but this is not a new problem. IT admins have been wrestling with the issue of how to handle admin rights for end users for years. You can find many places on the web where this is discussed. I’m sure I have seen the topic posted in the Reddit sysadmin subreddit more than one time. To grant and remove admin access on an as-needed basis seems to me not a great solution, but I don’t work at your office, and only you can decide what is best for your environment. You might consider reading through reddit and/or posting there to see what people suggest. There are other IT forums where this topic has been addressed as well, so some googling might get you a better solution.
3. If you gave your users one domain account and one local account, they would use the domain account as their main logon. Their email would be tied to this account as would all of their network privileges. The local account would only be useful for updating applications. It would not be useful for daily logon, so they wouldn’t do that (most likely). I have seen this option work effectively in more than one organization. In most Windows domain environments, giving users a local admin account will not entice them to be logged on all the time with that account because there are too many things that they need to be logged on to their domain account for, with email and network privileges being the two most important usually.
4. You would not need separate batch files. You could use the remote/process command action in BP (just make sure to modify the remote execution context, as previously discussed). This would allow you to spend a little while just one time to create your BP grid to include the proper remote/process command for each row, customized for each username. Then you would save this grid to a .bps file for future use. Then in the future you could just load that .bps file into a grid, select all rows and execute the remote process/command.
7. You could write a vbs or powershell script that finds the currently logged on user and then in that same script adds the user to the required group (or removes). You would then deploy the .ps1 or .vbs file with BP. It would be the same script for all targets since the script would dynamically handle figuring out the currently logged on user. A couple methods for getting the currently logged on user are described here: https://serverfault.com/questions/32633/how-to-check-who-is-currently-logged-on-to-windows-workstation-from-command-line
I hope this helps.
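Option 7 from the post above as a PowerShell script, added here as an example and not taken from the original post or from BatchPatch. It reads the console user from WMI instead of %username%, so the result does not depend on which account runs the script; the script name and the -Action parameter are assumptions.

```powershell
# Set-ConsoleUserAdmin.ps1 (hypothetical name) - added example, not from the original post.
# Run elevated on the target (Windows PowerShell 5.1+ for the LocalAccounts cmdlets).
param(
    [ValidateSet('Add', 'Remove')]
    [string]$Action = 'Add'
)

$ErrorActionPreference = 'Stop'

# Built-in Administrators, looked up by well-known SID so localized group names still work.
$group = Get-LocalGroup -SID 'S-1-5-32-544'

# Console user as DOMAIN\user. Empty when nobody is logged on at the console;
# Remote Desktop sessions are not reported by this property.
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if ([string]::IsNullOrWhiteSpace($user)) {
    Write-Output 'No console user logged on; nothing changed.'
    exit 2
}

# Compare by SID rather than by name to avoid DOMAIN\user vs. user mismatches.
$sid = ([System.Security.Principal.NTAccount]$user).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$isMember = @(Get-LocalGroupMember -Group $group |
    Where-Object { $_.SID.Value -eq $sid }).Count -gt 0

if ($Action -eq 'Add' -and -not $isMember) {
    Add-LocalGroupMember -Group $group -Member $sid
    Write-Output "Added $user to $($group.Name)."
}
elseif ($Action -eq 'Remove' -and $isMember) {
    Remove-LocalGroupMember -Group $group -Member $sid
    Write-Output "Removed $user from $($group.Name)."
}
else {
    Write-Output "No change: $user membership already matches '$Action'."
}
exit 0
```

Running the same file with -Action Remove takes the membership away again, and the single output line gives each target an auditable record of what changed.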
March 15, 2017 at 6:55 pm in reply to: Computer name is being added to Local User Groups with batch file. #10963
dougModerator
mortega – I’m not sure I fully understand your goal. If you are using BP to install updates, you do not need to have end users in the local admins group. As long as the account that you are using to run BP (or the account that you input in the alternate credentials field in a BP row) is in the local admin group on target computers you’ll be all set to install updates on those computers.
If your goal is to allow users to install their own windows updates, I believe there is a group policy that allows non-admin users to install windows updates, so you can use that.
If your goal is to allow users to install their own software, then you’re asking an IT policy question, not a BatchPatch question. There are a lot of different ways that organizations handle this situation. Some possible options include:
1. Allow users to be admins of their own computers at all times.
2. Do not ever allow users to be admins of their own computers. All software is installed by an IT admin.
3. Provide users with 2 accounts. They have a primary account that they log on to their computers with for every day use. This account is not in the admins group. Then they have a secondary local admin account on their own computer. If they want to install software then they would use run-as to install the software using the local admin credentials.
4. You could use BatchPatch to put the end user of a computer into the local admins group, similarly to how you were trying it. But instead of using %username% you would use the actual username. I’m not sure why you aren’t already doing this, but I assume you have a reason.
5. Create one security group for each target computer. Add that group to the target computer’s local admin group. Then use Active Directory to add/remove the desired user at the desired time. This way since every computer has its own unique security group, you don’t end up giving one user access to another user’s computer.
6. Some other method.
March 14, 2017 at 10:13 pm in reply to: Computer name is being added to Local User Groups with batch file. #10981
dougModerator
Well I did say that you would end up with your account (the account used to launch BatchPatch) as the account that would be added. See my original post.
-Doug
March 14, 2017 at 8:22 pm in reply to: Computer name is being added to Local User Groups with batch file. #10977
dougModerator
OK so let me correct myself… I realize now that I made a mistake.
You can actually use either the remote process/command OR the deployment feature in BatchPatch to successfully accomplish what you are trying to accomplish. However, for either option to work properly you need to change the remote execution context under ‘Tools > Settings > Remote Execution’ to ‘Elevated token’ instead of ‘SYSTEM.’ And so if you are trying to use ‘remote process/command’ to accomplish the task, then you would need to change the execution context for ‘remote process/command’ to be ‘Elevated token.’ If you are trying to use the ‘deployment’ feature of BatchPatch to accomplish this task, then you need to change the execution context for ‘deployment’ to be ‘Elevated token’ instead of ‘SYSTEM.’
NOTE: In many cases there will be no discernible difference in the behavior of remote commands run under different execution contexts. However, in some cases commands might only run successfully under a particular context. We find that using the SYSTEM account works best for most users in most situations, but in the case that we are discussing, SYSTEM will not work as desired, which is why you need to use ‘Elevated token’ instead.
I hope this helps.
-Doug
March 14, 2017 at 7:42 pm in reply to: Computer name is being added to Local User Groups with batch file. #10998
dougModerator
The error code 1 with the batch file would have been when the remote execution context was set to ‘SYSTEM’ instead of ‘Elevated token’ for the deployment. Glad you got it working now.
-Doug
March 14, 2017 at 7:20 pm in reply to: Computer name is being added to Local User Groups with batch file. #11002
dougModerator
OK, so here are your options:
1. Create a deployment to deploy a batch file with your command specified as the content of that batch file. I was able to do this without issue, but you need to make sure that under ‘Tools > Settings > Remote execution’ that the ‘Deployment’ section is set to ‘Elevated token’ and not ‘SYSTEM.’
Note, however, that this still might not give you the desired result. It will put the current user into the administrators group, but the current user is not the end user who is logged on to the target computer. The current user is the account that you used to launch BatchPatch, or it will be the account that you entered into the alternate credentials field for the given row in BatchPatch, if you entered alternate credentials.
2. You can use a remote process/command, but then you cannot use %username%. In that case you must use the actual username.
I’m not certain right now why the issue occurs with remote process/command, but I am able to reproduce it. It’s something to do with Windows, not BP. It’s described here too. There is something unexpected happening with environment variables, but I don’t know exactly why. A third option, it seems, would be to use powershell with the method described in the link above. Let me know how it goes and which option you end up using with success.
Thanks,
Doug
dougModerator
You sent me the error -198: Failed to add scan package service. HRESULT: -2147024674
and I responded to your email. Please feel free to continue the email thread rather than coming back to this forum page and updating me here.
This is another strange error that seems to imply that you might have something weird going on with your internet connection or your LAN that is causing you to have files corrupted in one way or another. This is highly unusual.
0x8007000D The data is invalid. ERROR_INVALID_DATA.
The issue that you are now having is specific to the WsusScn2.cab file, which previously was working properly for you, but when you deleted your cache and started over, this file would have been re-downloaded from scratch, and it seems that it became corrupted because now the Windows Update Agent is not able to read the file without throwing the above error. You can delete it and try again, but it really seems like there is something about your environment that is going to prevent you from having a lot of success. I wouldn’t be surprised if you end up getting some updates installed successfully while having other updates fail to install due to being corrupted. You can keep trying and see where you get, but just note that the problems that you are encountering are quite unusual and are not BatchPatch issues per se, but rather seem to indicate a problem with your network or internet connection.
dougModerator
OK thank you for emailing us. Now we can see why this failed. All of the updates show “Copy To Cache: Failed. HRESULT: -2145099774” and this is why the updates subsequently appear as if they have never been downloaded to the target computers (Downloaded=FALSE)
0x80246002 -2145099774 SUS_E_DM_INCORRECTFILEHASH The file digest did not match the expected value
This would indicate that either the files that are in your BatchPatch cache are corrupt, or the files are being corrupted when they are copied to the target computers. Since you already tried “re-copy/overwrite” setting, I think the most likely cause is that the files in your BatchPatch cache are corrupt. I have never seen an entire cache be corrupt. We have only ever seen this occasionally occur for just a single file here or there. I would suggest that you delete your cache entirely and then start over.
Thanks,
Doug
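The posts above quote HRESULTs as signed decimals, while error tables list them in hex. The following PowerShell function is an added example (not from the original posts; the function name is an assumption) that converts between the two forms and splits out the facility and code, using two values quoted above as sample input.

```powershell
# Added example, not from the original posts.
function ConvertFrom-HResult {
    param([Parameter(Mandatory)][int]$HResult)

    # HRESULT layout: bit 31 = failure flag, bits 16-26 = facility, bits 0-15 = code.
    $facility = ($HResult -shr 16) -band 0x7FF
    $code     = $HResult -band 0xFFFF

    # Facility 7 (FACILITY_WIN32) wraps an ordinary Win32 error code that the OS
    # can describe. For other facilities, such as 36 (Windows Update), this
    # example returns no message.
    $message = if ($facility -eq 7) {
        ([System.ComponentModel.Win32Exception]::new($code)).Message
    } else { $null }

    [pscustomobject]@{
        Signed   = $HResult
        Hex      = '0x{0:X8}' -f $HResult
        Failed   = $HResult -lt 0
        Facility = $facility
        Code     = $code
        Message  = $message
    }
}

# Values quoted in the posts above.
ConvertFrom-HResult -HResult -2145099774
ConvertFrom-HResult -HResult (0x8007000D)
```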
dougModerator
Unfortunately this feature will not work with all scripts in all cases and will sometimes cause a deployment to fail/error. A couple of alternatives:
You could use a vbscript file (filename.vbs) with content:
wscript.echo "hello"
You could use a powershell file (filename.ps1) with content:
write-host hello
dougModerator
sal – Unfortunately I don’t have a way for you to cut out the excess. Probably the easiest thing to do when reviewing the report for more than one computer is to select all the desired rows and use ‘Actions > expand rows’
-Doug
dougModerator
I’d like to try to help, but this log is incomplete and missing the most important elements. I really would need to see an HTML export. I suggested that you email us using the contact form on our website so that we can email you back to get this file from you.
Thanks,
Doug
dougModerator
sal – BatchPatch has built-in functionality to retrieve registry values. Check ‘Actions > Get information > Get registry key/value’
I hope this helps.
-Doug
dougModerator
As mentioned previously I really need to see an HTML export. If you can’t post it somewhere then please contact us via the contact form on the website.
-Doug
dougModerator
Dsayles – If you are an existing customer then please contact us via the contact form on the main website for assistance with this. If you are not a customer and are using the evaluation version of the application, then in order for me to see what’s going on I would need to see an HTML export (File > Export grid to HTML) that illustrates what is happening. If you are able to post this HTML export somewhere for me to view, that would be ideal.
It’s hard for me to tell what is going on here based on your description alone, but from what you said, the only immediate suggestion I can give is to try enabling the following setting and see if that makes a difference. ‘Tools > Settings > Windows update > Recopy/overwrite updates’
-Doug
dougModerator
The only way to do this currently is with the export/import option.
Thanks,
Doug
dougModerator
This is not currently supported. I’m not sure if/when it will be added.
Thanks,
Doug
dougModerator
Exit code 10 is not a BatchPatch code. It’s coming from the target computer, and it’s either a Windows system error code, or it’s an exit code from the .exe package.
If it’s a Windows system error code, then 10 is
ERROR_BAD_ENVIRONMENT
10 (0xA)
The environment is incorrect.
February 15, 2017 at 8:47 pm in reply to: WSUS still reports 103 updates after running BatchPatch #11525
dougModerator
You’re very welcome. Let me know how it goes.
-Doug
February 15, 2017 at 6:50 pm in reply to: WSUS still reports 103 updates after running BatchPatch #11523
dougModerator
flowbass –
Here is what I would suggest.
Run BatchPatch in the same network as the WSUS because BatchPatch will be downloading updates from the WSUS into the BatchPatch cache. BatchPatch must be able to communicate with the target computers across the WAN, and the target computers must be able to communicate with the WSUS across the WAN. The target computers will not download their updates from the WSUS across the WAN, but they do need to be able to search the WSUS to determine which updates they need.
When you run BatchPatch you will run it with cached mode enabled (do not enable offline mode). Enter all of the target computers into the BatchPatch grid. You will need to execute ‘Actions > Windows Updates > Retrieve consolidated URL list of available updates’ for all hosts in the grid. However, to avoid congesting your WAN link you might want to do this in small batches or even one row at a time. You can use the row execution interval in BatchPatch (Tools > Row execution interval) as a way to select ALL hosts and execute that action, but to execute that action only one row at a time with X seconds in between each row. You specify X seconds in ‘Tools > Row execution interval’.
Once all hosts have completed ‘Retrieve consolidated URL list of available updates’ you will be able to either save that URL list for later or select ‘Download files to local cache’ in the URL list window that appears.
Once you have downloaded all the required files to the BatchPatch local cache you would need to FedEx that cache to the remote location.
Now in the remote location run an instance of BatchPatch with cached mode enabled (do not enable offline mode) on the computer that has the local cache attached. Make sure in ‘Tools > Settings > Windows update’ that the ‘Local update cache directory’ value is set to be the folder that contains all of the update files.
In BatchPatch select all of the target hosts and choose ‘Download and install updates + reboot if required’. The target hosts will once again be executing their search for updates on the WSUS across the WAN link, so you might want to use the row execution interval again or manually control how many hosts run at any one time. However, the “download” in this case will be BatchPatch pushing the update files from its local cache to the target computers. And since BatchPatch will be running with the local cache inside the remote network, the updates will not traverse the WAN link.
I hope this helps.
-Doug
dougModerator
Hi Mats –
All you have to do is add each desired OU to the sync list. So like…
DomainController/OU=Servers,OU=East,DC=MyDomain,DC=com
DomainController/OU=Servers,OU=West,DC=MyDomain,DC=com
DomainController/OU=Servers,OU=North,DC=MyDomain,DC=com
DomainController/OU=Servers,OU=South,DC=MyDomain,DC=com
Once you have added all of your LDAP paths, then you can sync the grid. That’s all there is to it.
Tutorial: Synchronize BatchPatch Grid With Active Directory OUs and Groups
February 13, 2017 at 7:12 pm in reply to: WSUS still reports 103 updates after running BatchPatch #11520
dougModerator
A couple of possible approaches come to mind…
1. If you run BatchPatch inside the remote location in cached mode with all of the computers in that remote location pointing to the WSUS, then BP will pull updates from the WSUS to its local cache, so that it can then distribute them to target computers. Only a single copy of each required update will be pulled across the WAN link in this case, reducing the bandwidth required.
2. If you run a downstream WSUS server in each remote location this would give you a similar advantage. The downstream WSUS can pull updates across the WAN link, and then those updates can be distributed to the target computers without having to pull multiple copies of updates across the WAN link.
-Doug
February 13, 2017 at 5:25 pm in reply to: WSUS still reports 103 updates after running BatchPatch #11518
dougModerator
flowbass – When you use ‘offline mode’ only security updates can be applied. To apply other updates you must disable offline mode.
-Doug
dougModerator
Sorry for the issue, but thank you for notifying. We published the fix for this a few minutes ago.
-Doug
dougModerator
Sent again. Not to the gmail that you are registered with in the forum but to the company email address that you have emailed me from in the past. Feel free to email me if you still have not received my messages.
-Doug
dougModerator
I just emailed Jason to discuss further.
Thanks,
Doug
dougModerator
Excellent. Glad that works for you.
-Doug