[doug]

The cache does not have any kind of built-in cleaning routine. You can manually clean the cache by simply deleting all of the cache folder contents. If you want to setup a task to do it, then you could use a BatchPatch ‘local command’ under ‘Actions > Local process/command > Create/modify local commands’ such as this, substituting the path to your cache directory:

cmd.exe /C del "F:Some FolderBatchPatch_Cache" /Q

Then just create a scheduled task to execute the local command at the desired time.

-Doug

[doug]

You said “I want batchpatch to run a script against each machine I’ve loaded into batchpatch and this script will not be executed from within the list of machines.”

I don’t understand what you mean when you say “this script will not be executed from within the list of machines.”

There are two ways that BatchPatch can be used to execute a script against a target computer.

1. BatchPatch can be used to deploy a script to a target computer and have that script run on the target computer. For this you would follow the normal deployment process, but the item that you are deploying is a script, not an installation package. There are numerous examples at Software Deployment. There is also a script being deployed as part of this tutorial: Install Windows Updates Only If Sufficient Space Is Detected On Target C Drive

2. BatchPatch can be used to execute a local script on the BatchPatch computer, but you can feed the target computer name into the script, so that the script can operate against the target computer without actually running directly on the target computer. In this case you use a Local command in BatchPatch with the $computer variable used to send the host name into the script as a parameter. An example of this is illustrated inside the following tutorial: Advanced Script Integration with BatchPatch

[doug]

Excellent. Thank you for following up. I’m glad you got it working!

-Doug

[doug]

0x8007000E -2147024882 E_OUTOFMEMORY

I’ve never seen this error before, but note that it is a Windows Update error code. It seems that the Windows Update service does not have enough free memory to perform the check for updates.

-Doug

[doug]

Hugo – The ‘copy file/folder’ works fine with 2016 targets. We have no problems with the functionality here and no customer has ever reported any similar issues before. If you need further assistance troubleshooting this issue, I would suggest that you please email us so that we can trade screenshots more easily. At the moment it is unclear to me what might be going wrong in your case. If you are only having issues with just a 2016 machine, it would seem to imply that there is something with that particular machine’s setup or configuration or permissions that could be the cause of the problem. The fact that the OS is 2016 should have no effect/impact.

Thanks,

Doug

[doug]

This is related to the user account and permissions. I have never seen this particular HRESULT before… is it really 2147022987 or is it actually -2147022987 ? Makes a huge difference when you leave out the negative. I suspect it’s the latter with the negative, which translates to 80070775 for Windows and according to some googling would appear to mean that the user account is locked out or something else related to the user account not being active or permissioned properly.

-Doug

[doug]

Error -198 comes with an HRESULT value. The HRESULT is the value that tells us what the actual reason for the failure is. So, without knowing for sure what the reason is, the fix is harder to determine. However, generally speaking the -198 error usually means that there is a problem with the WsusScn2.cab file. One of the possible problems with this file could be that it is missing a valid signature. You can look at the WsusScn2.cab file in your BatchPatch cache folder to see if has a valid signature. Simply right click on the file and view the properties. In the properties there will be a tab titled “Digital Signatures.” If this tab does not exist, then there is no digital signature on the file. If the tab exists but the signature is bad, then it will tell you that. Either of those situations will cause the -198 error to occur. The signature is not being lost during the file copy on your network. It’s just not on the file in the first place. This is why you need to re-download the file and make sure it has a signature.

If you want a way to auto-redownload and verify signature, BatchPatch can do that. However, in the current version it only does it in one part of the app, which is not the part of the app that you previously used to download it. If you use ‘Tools > Download offline updates repository’ and then check one box from each section in the window that it presents, it will download the WsusScn2.cab file and verify the signature before continuing. Once it downloads successfully you can just quit the window so that it doesn’t do anything else. If it cannot validate the signature it will redo the download until it gets a good file. This way you can just let it keep looping on its own until it gets a good download. Alternatively you can manually download the file from Microsoft using this link: http://go.microsoft.com/fwlink/?LinkId=76054 and then manually check the file properties to make sure there is a valid signature.

In the next version of BatchPatch the other areas of the software that download the WsusScn2.cab file will also validate the signature, but in the current version they don’t do that. They just verify that the download completes successfully, which is unfortunately not enough because it seems that Microsoft is sometimes posting WsusScn2.cab files that do not contain valid signatures. We have been seeing this occur occasionally for the past 6 months. Prior to that it never happened before, which is why the other areas of the app were never written to validate the signature. It was never necessary in the past because simply validating that the download was successful was enough. However, starting about 6 months ago we started seeing Microsoft sometimes have unsigned files on their servers, and so we now need to also verify the signature to make sure it’s good. In our experience, when you repeatedly download the file you will eventually connect to a server that has a signed file.

-Doug

[doug]

Mike – I replied to your email.

-Doug

[doug]

I just tested the same and did not have any problems. My first suggestion to you would be to re-create your grid using the BP GUI. If you have modified the .bps file in a text editor, that might be the cause of the problem.

-Doug

[doug]

This likely means that WMI is broken on the target computers. I would suggest having a look at the following articles for troubleshooting:

WMI Troubleshooting:

https://msdn.microsoft.com/en-us/library/aa394603(v=vs.85).aspx

This fix might work for you too:

http://mikeymurph.me/fix-wmi-service-error/

This fix might also work for you too:

https://www.veritas.com/support/en_US/article.000005356

[doug]

You can view the change log under ‘Help > Check for updates > View change log’

[doug]

I see. This makes sense. I have a few thoughts.

First, I think your goal here is commendable, but this is not a new problem. IT admins have been wresting with the issue of how to handle admin rights for end users for years. You can find many places on the web where this is discussed. I’m sure I have seen the topic posted in Reddit sysadmin subreddit more than one time. To grant and remove admin access on an as-needed basis seems to me not a great solution, but I don’t work at your office, and only you can decide what is best for your environment. You might consider reading through reddit and/or posting there to see what people suggest. There are other IT forums where this topic has been addressed as well, so some googling might get you a better solution.

3. If you gave your users one domain account and one local account, they would use the domain account as their main logon. Their email would be tied to this account as would all of their network privileges. The local account would only be useful for updating applications. It would not be useful for daily logon, so they wouldn’t do that (most likely). I have seen this option work effectively in more than one organization. In most Windows domain environments, giving users a local admin account will not entice them to be logged on all the time with that account because there are too many things that they need to be logged on to their domain account for, with email and network privileges being the two most important usually.

4. You would not need separate batch files. You could use the remote/process command action in BP (just make sure to modify the remote execution context, as previously discussed. This would allow you to spend a little while just one time to create your BP grid to include the proper remote/process command for each row, customized for each username. Then you would save this grid to a .bps file for future use. Then in the future you could just load that .bps file into a grid, select all rows and execute the remote process/command.

7. You could write a vbs or powershell script that finds the currently logged on user and then in that same script then adds the user to the required group (or removes). You would then deploy the .ps1 or .vbs file with BP. It would be the same script for all targets since the script would dynamically handle figuring out the currently logged on user. A couple methods for getting the currently logged on user are described here: https://serverfault.com/questions/32633/how-to-check-who-is-currently-logged-on-to-windows-workstation-from-command-line

I hope this helps.

[doug]

mortega – I’m not sure I fully understand your goal. If you are using BP to install updates, you do not need to have end users in the local admins group. As long as the account that you are using to run BP (or the account that you input in the alternate credentials field in a BP row) is in the local admin group on target computers you’ll be all set to install updates on those computers.

If your goal is to allow users to install their own windows updates, I believe there is a group policy that allows non-admin users to install windows updates, so you can use that.

If your goal is to allow users to install their own software, then you’re asking an IT policy question, not a BatchPatch question. There are a lot of different ways that organizations handle this situation. Some possible options include:

1. Allow users to be admins of their own computers at all times.

2. Do not ever allow users to be admins of their own computers. All software is installed by an IT admin.

3. Provide users with 2 accounts. They have a primary account that they log on to their computers with for every day use. This account is not in the admins group. Then they have a secondary local admin account on their own computer. If they want to install software then they would use run-as to install the software using the local admin credentials.

4. You could use BatchPatch to put the end user of a computer into the local admins group, similarly to how you were trying it. But instead of using %username% you would use the actual username. I’m not sure why you aren’t already doing this, but I assume you have a reason.

5. Create one security group for each target computer. Add that group to the target computer’s local admin group. Then use Active Directory to add/remove the desired user at the desired time. This way since every computer has its own unique security group, you don’t end up giving one user access to another user’s computer.

6. Some other method.

[doug]

Well I did say that you would end up with your account (the account used to launch BatchPatch) as the account that would be added. See my original post.

-Doug

[doug]

OK so let me correct myself… I realize now that I made a mistake.

You can actually use either the remote process/command OR the deployment feature in BatchPatch to successfully accomplish what you are trying to accomplish. However, for either option to work properly you need to change the remote execution context under ‘Tools > Settings > Remote Execution’ to ‘Elevated token’ instead of ‘SYSTEM.’ And so if you are trying to use ‘remote process/command’ to accomplish the task, then you would need to change the execution context for ‘remote process/command’ to be ‘Elevated token.’ If you are trying to use the ‘deployment’ feature of BatchPatch to accomplish this task, then you need to change the execution context for ‘deployment’ to be ‘Elevated token’ instead of ‘SYSTEM.’

NOTE: In many cases there will be no discernible difference in the behavior of remote commands run under different execution contexts. However, in some cases commands might only run successfully under a particular context. We find that using the SYSTEM account works best for most users in most situations, but in the case that we are discussing, SYSTEM will not work as desired, which is why you need to use ‘Elevated token’ instead.

I hope this helps.

-Doug

[doug]

The error code 1 with the batch file would have been when the remote execution context was set to ‘SYSTEM’ instead of ‘Elevated token’ for the deployment. Glad you got it working now.

-Doug

[doug]

OK, so here are your options:

1. Create a deployment to deploy a batch file with your command specified as the content of that batch file. I was able to do this without issue, but you need to make sure that under ‘Tools > Settings > Remote execution’ that the ‘Deployment’ section is set to ‘Elevated token’ and not ‘SYSTEM.’

Note, however, that this still might not give you the desired result. It will put the current user into the administrators group, but the current user is not the end user who is logged on to the target computer. The current user is the account that you used to launch BatchPatch, or it will be the account that you entered into the alternate credentials field for the given row in BatchPatch, if you entered alternate credentials.

2. You can use a remote process/command, but then you cannot use %username%. In that case you must use the actual username.

---

I’m not certain right now why the issue occurs with remote process/command, but I am able to reproduce it. It’s something to do with Windows, not BP. It’s described here too. There is something unexpected happening with environment variables, but I don’t know exactly why. A third option, it seems, would be to use powershell with the method described in the link above. Let me know how it goes and which option you end up using with success.

Thanks,

Doug

[doug]

You sent me the error -198: Failed to add scan package service. HRESULT: -2147024674

and I responded to your email. Please feel free to continue the email thread rather than coming back to this forum page and updating me here.

This is another strange error that seems to imply that you might have something weird going on with your internet connection or your LAN that is causing you to have files corrupted in one way or another. This is highly unusual.

0x8007000D The data is invalid. ERROR_INVALID_DATA.

The issue that you are now having is specific to the WsusScn2.cab file, which previously was working properly for you, but when you deleted your cache and started over, this file would have been re-downloaded from scratch, and it seems that it became corrupted because now the Windows Update Agent is not able to read the file without throwing the above error. You can delete it and try again, but it really seems like there is something about your environment that is going to prevent you from having a lot of success. I wouldn’t be surprised if you end up getting some updates installed successfully while having other updates fail to install due to being corrupted. You can keep trying and see where you get, but just note that the problems that you are encountering are quite unusual and are not BatchPatch issues per se, but rather seem to indicate a problem with your network or internet connection.

[doug]

OK thank you for emailing us. Now we can see why this failed. All of the updates show “Copy To Cache: Failed. HRESULT: -2145099774” and this is why the updates subsequently appear as if they have never been downloaded to the target computers (Downloaded=FALSE)

0x80246002 -2145099774 SUS_E_DM_INCORRECTFILEHASH The file digest did not match the expected value

This would indicate that either the files that are in your BatchPatch cache are corrupt, or the files are being corrupted when they are copied to the target computers. Since you already tried “re-copy/overwrite” setting, I think the most likely cause is that the files in your BatchPatch cache are corrupt. I have never seen an entire cache be corrupt. We have only ever seen this occasionally occur for just a single file here or there. I would suggest that you delete your cache entirely and then start over.

Thanks,

Doug

[doug]

Unfortunately this feature will not work with all scripts in all cases and will sometimes cause a deployment to fail/error. A couple of alternatives:

---

You could use a vbscript file (filename.vbs) with content:

wscript.echo “hello”

---

You could us a powershell file (filename.ps1) with content:

write-host hello

---

[doug]

sal – Unfortunately I don’t have a way for you to cut out the excess. Probably the easiest thing to do when reviewing the report for more than one computer is to select all the desired rows and use ‘Actions > expand rows’

-Doug

[doug]

I’d like to try to help, but this log is incomplete and missing the most important elements. I really would need to see an HTML export. I suggested that you email us using the contact form on our website so that we can email you back to get this file from you.

Thanks,

Doug

[doug]

sal – BatchPatch has built-in functionality to retrieve registry values. Check ‘Actions > Get information > Get registry key/value’

I hope this helps.

-Doug

[doug]

As mentioned previously I really need to see an HTML export. If you can’t post it somewhere then please contact us via the contact form on the website.

-Doug

[doug]

Dsayles – If you are an existing customer then please contact us via the contact form on the main website for assistance with this. If you are not a customer and are using the evaluation version of the application, then in order for me to see what’s going on I would need to see an HTML export (File > Export grid to HTML) that illustrates what is happening. If you are able to post this HTML export somewhere for me view, that would be ideal.

It’s hard for me to tell what is going on here based on your description alone, but from what you said, the only immediate suggestion I can give is to try enabling the following setting and see if that makes a difference. ‘Tools > Settings > Windows update > Recopy/overwrite updates’

-Doug

[doug]

The only way to do this currently is with the export/import option.

Thanks,

Doug

[doug]

This is not currently supported. I’m not sure if/when it will be added.

Thanks,

Doug

[doug]

Please see how-to-send-email-notifications-in-batchpatch

[doug]

Exit code 10 is not a BatchPatch code. It’s coming from the target computer, and it’s either a Windows system error code, or it’s an exit code from the .exe package.

If it’s a Windows system error code, then 10 is

ERROR_BAD_ENVIRONMENT



10 (0xA)



The environment is incorrect.

[doug]

You’re very welcome. Let me know how it goes.

-Doug

[Author]

Posts