Forum Replies Created
-
Posts
-
SamelCamel – Enterprise environments are typically using something like WSUS to control which updates are approved for their computers, so it’s not really an issue. However, we will definitely consider adding a date filter to BatchPatch.
Thanks,
Doug
SamelCamel – BatchPatch does not have an option to limit updates by date. That said, in order to accomplish this you would have to use BatchPatch to only install specific updates, as described below. You would first decide which updates to install, and then you would set your installation list to install only the updates that you have decided you want to install based on your determination of which are old enough and which are too new, instead of installing all updates:
One other thing that I’d like you to check is just running PsExec at the command line against that target computer. What happens if you run:
psexec \targetcomputer IPCONFIGLet’s make sure that the above command works, as expected.
Assuming the above command works, then I can only think of two other possible issues. If the command does not work, please let me know, and please tell me the exact error message that appears. If the command *does* work, then please read below.
1. When BatchPatch executes a Windows Update action, the first thing it does is deploy the BatchPatchRemoteAgent.exe to the target system in C:Program FilesBatchPatch. However, if that file is already running/locked on the target system, then when BP tries to deploy it, it is unable to overwrite the copy that is already there and running because that copy is locked by the target OS. So, please pay attention to the C:Program FilesBatchPatch dir on the target computer when you initiate the Windows Update action. Let me know what you see. Is the file already there and locked by the target OS? Or are you able to see the file appear and then disappear at the start/end of the action?
2. It’s possible that the BatchPatchRemoteAgent.exe is getting locked by the target system because of some HIPS (host intrusion prevention software) or AV (anti-virus) software or some other similar security software. See if you can disable any software like that on the target, or at least white-list BatchPatchRemoteAgent.exe.
Let me know what you discover.
Thanks,
Doug
OK – Windows 2003 is now working with run-as-service, and the update was published today, though I would still encourage you to run BP on 7/2008 for a better experience. I hope this helps.
-Doug
Rob – The run-as-service solution is beta, and so it is not officially supported right now on any OS. You do not need to raise a support ticket.
The reason I said I’m not sure what we’re doing with it is because I didn’t know if the issue was strictly related to the UAC check, or if the service installation code wouldn’t work as-is on pre-Vista systems even after logic was added around the UAC check.
Also FYI – Microsoft’s extended support for Windows 2003 ended July 14, 2015, though I understand you might still be paying MS for additional support beyond their July 14 cut-off date. However, I can’t guarantee that new features we implement, including run-as-service, will work or be supported on 2003 systems. That said, unless significant code changes are required for it to work on 2003, it is something that we will likely do.
-Doug
Hi DJ –
1. The row execution interval will *not* apply to scheduled jobs.
2. Yes you can scheduled a Job Queue for a future time. Any Job Queue that you save will appear in the list of available tasks when you try to schedule a task.
There are two ways to accomplish what you want to do.
A. You can simply create a scheduled task for each machine that includes the delay. I realize this might be tedious to setup, but it would give you the exact same results as you’re looking for from the row execution interval.
B. You can use the ‘advanced multi-row queue sequence’ Please see the following tutorial:
BatchPatch Advanced Multi-Row Queue Sequence
With the ‘advanced multi-row queue sequence’ you can accomplish exactly what you desire. If after you read through the tutorial you’re still unsure how to do what you need, let me know.
-Doug
curwin – That is certainly peculiar. Thanks for trying jwiseguy’s suggestion. That does help narrow it down a bit. The next thing I would suggest trying is from the computer running BatchPatch to the target computer, what happens when you try to connect to the two following shares?
\targetcomputerc$program filesbatchpatch
\targetcomputeradmin$
Are you able to connect to the two shares? Are you able to create files in the two shares?
Thanks,
Doug
We discovered that this error could occur in cases where alternate credentials is being used and the batchpatchremoteagent.exe is still running from the previous attempt. If the batchpatchremoteagent.exe is running, then when a new attempt to do a “check for available updates” tries to deploy the batchpatchremoteagent.exe, it can’t because the process is running/locked on the target system, and the file can therefore not be replaced. Try executing “Actions > Windows Updates > Kill download/installation” which will kill the batchpatchremoteagent.exe on target systems. Then try again. It seems that under certain circumstances the Windows Update agent hangs indefinitely (or takes nearly forever to return), and so then the batchpatchremoteagent.exe also never completes what it’s doing. There have been multiple updates to the Windows Update Agent recently that were intended to improve performance, so hopefully that helps. You might also consider restarting the Windows Update service on target computers that experienced this issue, though I don’t know if it’s definitely necessary.
I can confirm that the issue occurred because you’re on 2003, and we didn’t account for pre-Vista systems in the code. What I don’t know at the moment is whether or not we will add run-as-service support for pre-Vista systems or we will just fix the error and throw up a messagebox explaining that run-as-service is not supported pre-Vista.
-Doug
Rob, this is *not* a known issue. What OS are you using? We will look into it ASAP.
As a test could you please run ‘Tools > UAC Test’ and tell me what, if anything, happens?
Separately, could you please try launching BatchPatch as administrator, and then try to install the service again. Let me know what happens.
The error that you’re encountering is occurring when BP is trying to check if you’re running as admin before installing the service. It needs to be running as admin to install the service, but for [currently] unknown reasons, it’s crashing during the check to see if it’s running as admin. Normally it would check to see if it’s running as admin, and if not, it would tell you that it can’t continue until/unless you start the application as admin. Unless you’re trying this on Windows 2003/2000/XP? Those old OSes would actually likely cause this error to appear. If that’s the case, please let me know, as we should be able to fix it.
Thanks,
Doug
Soon. 🙂
This is by design. Currently we do not have plans to change this. You can see the total number of hosts in the grid at any time by looking at the title bar of the entire BatchPatch window where it says BatchPatch X35 or BatchPatch X24 etc.
If you close the grid and re-open it, the numbers will be re-created from scratch.
-Doug
Danny – The Firefox silent installation parameters have changed since a couple years ago. According to https://wiki.mozilla.org/Installer:Command_Line_Arguments you now have to download the full installer from http://www.mozilla.org/firefox/all/ and then execute the installer using the -ms parameter instead of /S.
I just tested deploying this with BatchPatch and it worked without any issues.
In your case since you executed the installer using /s, the exe is now running (hidden) and will never close on its own. You will need to manually kill the installer exe on the target host(s) to end it. Then proceed with the installation according to the notes above, using the -ms parameter. Just make sure that you have downloaded the full, offline installer, otherwise you’ll still have problems even when using the correct -ms switch.
I hope this helps.
-Doug
The most recent build (2015-07-20) has run-as-service functionality.
-Doug
Great! Glad you got it worked out. Yes, in a WSUS environment you def want to have the search in BP be the most expansive possible since your WSUS is controlling which updates the clients see. The ‘Important’ and ‘Recommended’ options are really there for non-WSUS environments.
Take care,
Doug
JMK – Here are some thing to check:
1. Make sure that BatchPatch is searching for updates in the same location as the target servers are configured to search when searching manually. So, if a target computer is pointing to a WSUS, but you then have BatchPatch configured to point to Windows Update (in Tools > Settings > Windows Update), for example, there will be a discrepancy.
2. Check your Windows Update filters in Tools > Settings > Windows Update. To ensure that BP sees every possible update, check the box for software updates and driver updates. Also make sure that you aren’t filtering out the download/installation of updates by having the relevant update categories unchecked. The BatchPatch.log file in the target computer working directory will tell you if it’s skipping updates due to filtering. More info about the search settings and download/installation filters here: BatchPatch Windows Update Installation Filters.
3. If you send us an email I can review your logs etc and help you figure out exactly what is going on. I’d want to see the BatchPatch.log from the target computer as well as the WindowsUpdate.log from the target computer. I can say with 99% certainty that this is due to some type of configuration or settings issue or inconsistency and not due to any sort of bug.
Thanks,
Doug
We will be releasing run-as-service functionality in the not too distant future.
jwiseguy – In the meantime, you can use this technique to accomplish the same thing in BatchPatch:
Integrating an exclusion list for ‘Get Stopped Automatic Services’
jwiseguy – I understand why you desire an exclusion option, and we do plan to offer this in a future build. However, I’m not sure what the exact time-line is.
Thanks,
Doug
Scott – If you save the grid to .bps (File > Save) you can import the .bps file into Excel as XML. Alternatively, you can highlight the entire grid and use ctrl-V to copy the grid, and then use ctrl-V to paste it into Excel.
-Doug
Hi Scott – Thank you for your suggestion. I’m not sure if we’ll change the update feature in BatchPatch, but we will consider it.
Currently it will automatically notify you if there is an update available (unless you disable update notifications), but it will not automatically download it for you. However, it does provide a button for you to download it, and then you just have to extract the zip file. It’s a portable application, so there is no formal “installation” per se, so we leave it up to the user to do as he/she pleases.
The steps you followed to hide an update are correct. When you use BatchPatch to hide an update, the “Remote Agent Log” column will show the log of what was completed, and you can confirm that the update was hidden. Also, after you hide an update, if you then do a subsequent search for updates or download/install updates, the “Remote Agent Log” for that action will not include the hidden update, so you can confirm that too. This log is also saved to C:Program FilesBatchPatchBatchPatch.log on the target computer, so you can review it at any time. If you need assistance making sense of your log, feel free to email it to me for review. However, in your case it sounds like the update was hidden but was then later somehow re-released by Microsoft, or the update was never successfully hidden in the first place. I’m not sure, but it should be something that you can easily confirm by reviewing the logs.
-Doug
To close the loop for anyone else who might read this posting:
After reviewing the WindowsUpdate.log we found many errors, primarily 0x80072ee2, 0x80072efe, and 0x8024a005, all of which indicated connectivity problems from the target computer to Microsoft’s servers. The issue was caused because a proxy is in place but the machine was not configured to use the proxy for Windows Update. More is described at the following link:
https://support.microsoft.com/en-us/kb/900935
Essentially the Windows Update service is not able to use the proxy settings that are configured in IE unless it is invoked by the logged on interactive user. So a manual check by the logged on user for Windows Updates can be successful while the Automatic Updates service or the update service initiated by a third party tool such as BatchPatch fails due to lack of connectivity because the proxy is not used. In order for a proxy to be used in these cases it must be configured using netsh or WPAD.
To configure a proxy server by using the Netsh.exe tool:
For Windows Vista and above, Netsh.exe tool is available in place of proxycfg.exe.
To use the Netsh.exe tool to configure a proxy server, follow these steps:
Click Start, click Run, type cmd, and then click OK. At the command prompt, type netsh winhttp set proxy proxyservername:portnumber, and then press ENTER. In this command, replace proxyservername with the fully qualified domain name of the proxy server. Replace portnumber with the port number for which you want to configure the proxy server. For example, replace proxyservername with proxy.domain.example.com and replace portnumber with 80.
OR
Web Proxy Auto Detect (WPAD) settings are configured in either of the following locations in the network environment:
The Domain Name System (DNS) options
The Dynamic Host Configuration Protocol (DHCP) options
For more information about a related topic, click the following article number to view the article in the Microsoft Knowledge Base:
http://support.microsoft.com/kb/816320
The domains to whitelist are:
http://download.windowsupdate.com
http://*.download.windowsupdate.com
https://*.update.microsoft.com
http://*.windowsupdate.microsoft.com
http://windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://ntservicepack.microsoft.com
If you are using a wpad.dat file to configure your computers’ proxy settings, you can use the following syntax in the wpad.dat file to whitelist the Microsoft domains:
if ( shExpMatch ( url, “*.download.windowsupdate.com/*”) ) { return “DIRECT”; }
if ( shExpMatch ( url, “*.download.microsoft.com/*”) ) { return “DIRECT”; }
if ( shExpMatch ( url, “*.update.microsoft.com/*”) ) { return “DIRECT”; }
if ( shExpMatch ( url, “*.windowsupdate.com/*”) ) { return “DIRECT”; }
if ( shExpMatch ( url, “*.download.windowsupdate.com/*”) ) { return “DIRECT”; }
if ( shExpMatch ( url, “*.windowsupdate.microsoft.com/*”) ) { return “DIRECT”; }
if ( shExpMatch ( url, “*.ntservicepack.microsoft.com/*”) ) { return “DIRECT”; }
if ( shExpMatch ( url, “*.wustat.windows.com/*”) ) { return “DIRECT”; }
Steven – please email me the c:windowswindowsupdate.log file from the target computer that is producing this error.
Thanks,
Doug
Thanks. I responded to your email.
Steven –
“How do we know batchpatch is searching for patch via local WSUS server or Microsoft site?”
Under ‘Tools > Settings > Windows Update’ you can configure where you want the search/download to take place from. You’ll notice that after you set the ‘Server Selection’ to Microsoft Update, your logs will be consistent with that, as you can see in the text you posted:
::Begin online search - Server Selection: Microsoft Updateand
Thu-11:33:48> Windows Update: Attempting to initiate Windows Update (Action: Search for updates and retrieve url list. Server selection: Microsoft Update) ...“When we use the get windows update configuration it show the local WSUS server. However we want batchpatch to use Microsoft site instead. We have set in the tools -> settings -> windows update -> Microsoft Update.”
The ‘Get Windows Update’ configuration tells you where the target computer is configured to search/download. However, when you set the ‘Server Selection’ to Microsoft Update you are *not* changing the target computer’s configuration. You are *bypassing* the target computer’s configuration and connecting to Microsoft Update instead.
“The search is very slow. If we use the normal windows update, it is much faster compare to BP.”
When you use the “normal Windows Update” as you describe, the target computer is searching your local WSUS server, not Microsoft Update. I know this because you indicated that ‘Get Windows Update’ configuration is reporting your local WSUS server. This means that when you perform a search for Windows Updates directly on that target computer using the Control Panel Windows Update GUI, it is searching for updates on your local WSUS. Your local WSUS server is expected to be faster than Microsoft Update because it’s local. However, it also sounds like you are working with limited internet connectivity because under normal circumstances even though Microsoft Update might be slower than your local WSUS server, in most cases it is still reasonably fast.
“If we are perform the windows download and install for not joining domain servers, it is not working.”
You received the following error:
-102: Failed to execute the search. HRESULT: -2147012866-102 indicates that the target computer is having problems with its connectivity to the Microsoft Update servers.
-2147012866 converts to 80072EFE (see http://www.rapidtables.com/convert/number/decimal-to-hex.htm), and when I googled that HEX number 80072EFE I came to the following page, which also indicates/confirms that the problem is related to connectivity from the target computer to the Microsoft servers. Additionally, this is consistent with your earlier description that Microsoft Update was very slow for you. Normally Microsoft Update is not very slow, but if you’re experiencing slowness in some cases or a complete lack of connectivity in other cases, it is an indication that either your internet access is limited connectivity, or perhaps just your connection to Microsoft’s servers is limited:
http://windows.microsoft.com/en-us/windows7/windows-update-error-80072efe-or-80072f76
“I managed to opt-in for microsoft update and perform the download and install for the non domain server. It still fail with the following error.”
This second time you received a different error:
-102: Failed to execute the search. HRESULT: -2145124322In reviewing your log it appears that you executed the ‘Opt-in to Microsoft Update’ action, but you did not wait for it to complete. Before it completed you executed a Windows Update search. While the Windows Update search was taking place, the Windows Update service was restarted by BatchPatch to complete the ‘Opt-in’ process. This is why it generated the new error -2145124322.
“Also could your forum here be upgraded to allow attachment?”
We will consider this. In the meantime if you want to post an image you would have to use a third-party image hosting site such as imgur.
-Doug