Forum Replies Created
-
AuthorPosts
-
dougModerator
The Windows Update control panel is listing that as an optional update, but in BatchPatch you are searching for only “Important” and “Recommended.” You would need to change the search to all “software updates” or possibly “optional software” in BatchPatch to see the feature update appear as available.
This link covers all of the reasons why there might be a discrepancy between what BatchPatch reports as available and what you see as available in the Windows Update control panel on a given computer:
https://batchpatch.com/batchpatch-and-the-windows-update-control-panel-report-a-different-number-of-available-updates
This link covers how to install feature updates with BatchPatch. There are two methods. If having trouble with one, try the other:
https://batchpatch.com/remotely-deploying-windows-feature-update-version-21h2-to-numerous-computers
dougModerator
Which OS is installed/running on the BatchPatch host and which OS is running on the target? Please be as specific as possible with version numbers, build numbers, service packs etc. You can actually see this info using BatchPatch under ‘Actions > Get Info > Get OS Version’
Which version of PsExec are you using?
Is ‘Tools > Settings > Use PsExec -r switch’ in BatchPatch enabled?
Thanks
dougModerator
Have a look here: Troubleshooting Errors 1611: 64 , 1620: 64 , 1611: 2250 , 1620: 2250
dougModerator
Sounds good. However, just to be clear, when you perform a BatchPatch Deployment operation with logged output, it creates the deployment temp files in a different folder with a different name. The default location for deployment logs is C:\Program Files\BatchPatch\deployment (this is defined under ‘Actions > Deploy > Target working directory’). When you select ‘Retrieve console output’ in a BatchPatch deployment, it then creates files in that deployment working directory like this: BatchPatchDeploymentOutputXXXXXXXXX.log. So, since you mentioned specifically BatchPatchRemoteProcessXXXXXXXXX.log, and since a Windows feature upgrade would normally be performed with the BatchPatch “Deploy” feature, not with the “Remote command (logged output)” action, you should probably double-check for the cause of these files since you have BatchPatchRemoteProcessXXXXXXXXX.log files, not BatchPatchDeploymentOutputXXXXXXXXX.log files.
dougModerator
The default working directory on target computers is C:\Program Files\BatchPatch
The default location can be modified under ‘Tools > Settings > Remote Execution > Remote working directory’. It sounds like you have modified yours to be C:\Batchpatch, so that is what I will reference for the rest of this posting.
Each time you execute a “Remote command (logged output)” in BatchPatch, it creates a temporary file C:\Batchpatch\BatchPatchRemoteProcessOutputXXXXXXXXX.log where XXXXXXXXX is a random 9-digit number. When execution of that “Remote command (logged output)” is complete, that file is deleted.
You said that you have 20-30GB of files, so that itself is a red flag that indicates to me that you have attempted in the past (or perhaps currently) to execute a “Remote command (logged output)” that produces a massive output, perhaps due to an infinite loop in your command/script, or perhaps not. In any case, the first thing you need to do is examine your process to figure out what would be creating such a large output. In 99% of cases when a BatchPatch user runs a BatchPatch “Remote command (logged output)” the output is tiny because it’s just the output of a simple command like “IPCONFIG” or whatever. Second, BatchPatch does always delete these temporary files upon completion of the “Remote command (logged output)” so if you are seeing these files there, then it means that there was some kind of problem that prevented them from being deleted. One possible cause for them not being deleted is because BatchPatch is being closed while the “Remote command (logged output)” is still running for a given row/host. The other cause for them not being deleted is because they are so excessively large that somehow the deletion process itself is failing.
The bottom line is that if you are seeing very large files there, then you are running (or have in the past run) “Remote command (logged output)” commands/scripts that are producing massive output. You’ll need/want to address this by modifying whatever “Remote command (logged output)” commands/scripts you are running. In the meantime you should then also delete those large files, as they are temp files. The fact that they are still present indicates that there was a problem of some kind that prevented them from being deleted.
dougModerator
I don’t think Microsoft includes definition updates in the WsusScn2.cab file for offline updating. If they do include it, then BatchPatch will install it, but based on my recollection and a quick test here, they do not include it. I also tested installing the latest cumulative update to see if it included an update for the virus definitions, but it does not appear to include it.
That said, to deploy the latest virus definitions to offline computers you can manually download the definitions file from Microsoft, and then you can use the deployment feature in BatchPatch to deploy it to your target systems.
You can get the updates at the link below. The file is delivered as mpam-fe.exe. You create a standard deployment in BatchPatch ‘Actions > Deploy’, like my screenshot below.
Microsoft site to download the latest definitions:
https://www.microsoft.com/en-us/wdsi/defenderupdates
dougModerator
Defender automatically installs definition updates daily on its own without BatchPatch. However, BatchPatch will also install definition updates when they are available and have not yet been installed by Defender. You would need the checkbox for ‘Include “Definition updates”’ checked in the BatchPatch settings.
The client itself would be a software update, not a definition update. My guess is that Microsoft could deliver it under any of the update classifications ‘Critical’, ‘Security’, ‘Updates’, or ‘Update Rollups’ depending on the particular reason the update was published. Generally speaking in most cases you should leave all of the left-side update classification filter boxes checked in the BP settings.
dougModerator
I believe the 10/2016/2019 option will work for 11/2022 also. Please try it and let me know if it works or not. Thanks for highlighting. We need to update the GUI there.
dougModerator
BP has supported 11 for a long time now. I just checked the website and discovered that while we had updated the ‘System Requirements’ section on the ‘Download’ page months ago, we never updated the ‘System Requirements’ on the main/front/home page (until just now).
dougModerator
See the ‘Access is denied’ section here
dougModerator
Have a look at the ‘Access is Denied’ section of this posting.
dougModerator
I would suggest that you just put the reg file on the BP computer and then deploy it from there.
dougModerator
It looks like you showed the update in your WSUS console. You need to first make sure that the update is visible to the target computer when looking at the Windows Update control panel on the target computer. If the update is not visible to the target computer in the Windows Update control panel, then it won’t be visible in BatchPatch either. If the update is visible in the target computer Windows Update control panel but not in BatchPatch then you need to alter your ‘Search Preferences’ in BatchPatch.
1. You need to set the ‘Server Selection’ to ‘Default/managed’ so that BatchPatch uses your WSUS instead of Windows Update or Microsoft Update.
2. Generally speaking if you are using a WSUS to control which updates are presented to target computers, then in BatchPatch you’ll want to set your ‘Search Preferences’ to Software and Drivers (check boxes for both the ‘Search for software updates’ and ‘Search for driver updates’) so that BatchPatch can find any/all updates. The other search preferences such as ‘Important’ and ‘Recommended’ are for when you are not using a WSUS, and they will limit the updates to only the updates that fit in the ‘Important’ or ‘Recommended’ criteria, which may not be the case for your update or other updates that you approve in WSUS.
The ? help bubbles in the Settings window right side border provide further information.
dougModerator
I would expect the script to generally continue executing on the target computer in that case even if you were to close BatchPatch, but it’s certainly something that you can just test and see what happens.
dougModerator
So, you’re executing a remote script that calls some KB .MSU files directly… Yes, in most cases if you close BatchPatch, the remote script execution that you describe will continue, but I can’t make any guarantees.
dougModerator
Tools > Settings > Windows Update > Server Selection > Microsoft Update
dougModerator
You’re welcome. I’m glad you got to the bottom of it!
-Doug
June 14, 2022 at 7:28 pm in reply to: -198: Failed to add scan package service. HRESULT: -2145124303 #13456
dougModerator
0x80240031 -2145124303 WU_E_INVALID_FILE
Something is wrong with the WsusScn2.cab file. Delete yours from your BatchPatch cache directory (as defined under ‘Tools > Settings > Windows Update > Local update cache directory’). Then use ‘Tools > Download Microsoft offline scan file’ to download a new one from Microsoft.
June 10, 2022 at 3:10 pm in reply to: CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability #13454
dougModerator
The link you pasted says you can use the following command to disable the MSDT URL Protocol:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
You can just put that command into a BatchPatch remote command to execute on target computers and delete that registry key.
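An added example (not part of the original post and not BatchPatch's own tooling): a PowerShell wrapper around the `reg delete` command above that exports the key first so the change can be reverted, then confirms the key is gone. The backup path, the helper name `Test-RegKey` and the exit codes are assumptions chosen for illustration.

```powershell
# Added example: back up, remove, and verify the ms-msdt URL protocol handler.
# Run on the target from an elevated (administrator or SYSTEM) context.
# $BackupPath is an assumed location; choose one that suits your environment.
$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupPath = Join-Path $env:SystemRoot 'Temp\ms-msdt-backup.reg'

function Test-RegKey([string]$Path) {
    # reg.exe query exits with 0 when the key exists, non-zero otherwise.
    & reg.exe query $Path *> $null
    return ($LASTEXITCODE -eq 0)
}

if (-not (Test-RegKey $Key)) {
    Write-Output "ms-msdt handler not present on $env:COMPUTERNAME; nothing to do."
    exit 0
}

# Export first so the handler can be restored later with: reg import <file>
& reg.exe export $Key $BackupPath /y *> $null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupPath)) {
    Write-Output "Backup of $Key failed; key left untouched."
    exit 1
}

# The command quoted in the post above.
& reg.exe delete $Key /f *> $null

# Verify the result instead of trusting the delete's exit code alone.
if (Test-RegKey $Key) {
    Write-Output "Delete failed: $Key is still present."
    exit 2
}
Write-Output "Removed $Key on $env:COMPUTERNAME; backup saved to $BackupPath."
exit 0
```

The script prints a single short status line per host, and the exit code distinguishes "already absent" and "removed" (0) from a failed backup (1) or a failed delete (2).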
dougModerator
This is a C0000005 memory access violation error that is being returned when you attempt to run that. It’s not a BatchPatch error. It’s coming from your attempt to execute that syntax, which likely means that your syntax is not correct. And even if I just look at it without knowing anything about TITUS, I see you have “InstallClient_TCO=1 InstallClient_TCO=0” which seems very weird to assign both a 0 and 1 to the same InstallClient_TCO.
I would suggest you start by taking their recommended syntax and running it at the command line without using BatchPatch. Most likely it’s going to give you the same error at the command prompt, indicating that your syntax is no good.
Make sure you can get it working first at the command prompt before you try to put it into BatchPatch. If it can’t complete successfully at the command prompt, then it definitely isn’t going to work in BatchPatch. If it works at the command prompt but not in BatchPatch then there are two things to consider and check in BatchPatch:
1. The account that it’s running under… Make sure that you are using the same account to execute the command in BatchPatch that worked when executing it at the command prompt.
2. Check the remote execution context under ‘Tools > Settings > Remote Execution’ and try to execute it under ‘SYSTEM’. If no luck with SYSTEM, try to execute it using ‘Elevated token’ + ‘Interactive’. To be clear I’m saying that you would select BOTH ‘Elevated token’ and ‘Interactive’ at the same time.
dougModerator
You’ll need to figure out what is different between your working machines and your non working machine. There is a permissions problem preventing BP from creating that directory.
dougModerator
Under ‘Tools > Settings > Remote Execution’ there is a setting for ‘Remote working directory’ which defaults to C:\Program Files\BatchPatch . For everything I say below I will assume you have not changed this setting, but if you have changed it to a different location, then modify my suggestions accordingly.
BatchPatch is trying to create this directory on the target computer but isn’t able to because of a permissions problem. If you have not specified alternate logon credentials for the row in the BatchPatch grid, then BatchPatch uses integrated security and makes the connection to the target computer with the logon account that was used to launch the batchpatch.exe. This account needs to have permission to create the folder, or if you have specified alternate credentials for the row (Actions > Specify alternate logon credentials), then you would need to make sure that account has the permission. Under normal operating circumstances, the way this is accomplished is by adding the account to the local administrators group of the target computer. Normally that is the only thing that needs to be done. However, if you already have that account in the local admins group of the target computer, then it implies that specific folder permissions were modified in a way that is preventing the remote working directory from being created. So for example, maybe permission on C:\Program Files has been modified in a way that is preventing C:\Program Files\BatchPatch from being created. I can’t say for sure that this is what is happening as you’ll need to evaluate exactly what’s going on, but hopefully you get the idea of where to start looking. Also make sure that the account hasn’t expired etc.
dougModerator
Perhaps I misunderstood your first posting. And to be honest I’m not sure I understand what you’re describing in your second posting either. It’s unclear to me exactly what you are experiencing on your machines, so at this point I would need more details from you before I can give you a proper explanation of what is going on and how to resolve it. Can you try to describe again exactly what you are seeing occur in BatchPatch as compared to what you think that you should be seeing? Please be as descriptive as possible. Or if you can share screenshots and logs (HTML grid export would be very helpful), feel free to contact us directly via the contact page on our website for support via email instead of here on the forum.
dougModerator
Offline mode does not deliver the exact same set of updates that online mode delivers. This is explained more at the link below:
BatchPatch and the Windows Update Control Panel Report a Different Number of Available Updates
dougModerator
Yes BatchPatch will work with child domains. The issue you are encountering is probably one of a couple/few things:
First let’s just consider syntax issues. Example proper syntax for this field is:
domainControllerName
or
DC=myDomain,DC=com
or
domainControllerName/DC=myDomain,DC=com
Your syntax does not match any of the above three examples because you have CN=domaincontroller,DC=child,DC=prod,DC=domain,DC=com
I would suggest you instead try each of these and see which one(s) work:
domaincontroller
or
DC=child,DC=prod,DC=domain,DC=com
or
domaincontroller/DC=child,DC=prod,DC=domain,DC=com
My guess is that right there will probably solve your issue. However, if it does not solve it, then I think you prob need to connect to a different domain controller. Basically if you specify a domain controller that is not a global catalog server then I think that could cause a referral to be returned. For this reason, it’s usually better to NOT specify a domain controller but instead just specify the domain (like in the second example above). However, there may be cases where this won’t work and where you need to specify a particular domain controller, in which case you probably need to make sure it is a global catalog server too because otherwise I think it will always return a referral due to it not containing the directory information to handle your LDAP request.
-Doug
dougModerator
Thank you for your feedback and suggestions. We really appreciate it!
1: We’ll consider this
2: The sorting of the ‘All Messages’ column is based only on the visible first line of text that you can see in the grid, and it works properly in our tests. Maybe you could email us a screenshot that shows how it is sorting incorrectly for you? In the meantime we will also consider printing the file version info to a separate column
3: Please see ‘Grid > Filter rows in grid’. I think this is what you are asking about. It already exists. If this is not what you were asking, please clarify what you were asking about.
4: We’ll consider this
dougModerator
There is not currently any such option.
dougModerator
This is not currently possible. Before we would consider adding an option for this I’d be curious to understand why this would be valuable to you. When the email is sent the email itself has a date/time stamp just as all emails do, so what purpose is served by also putting the date/time into the subject line? Let me know your thoughts. Thanks.
dougModerator
In that case, one other thing to consider is the basic multi-row queue sequence instead of the advanced. All rows still need to be in the same grid, but you can then just select all rows for a given computer and execute the basic sequence. Each row will execute its job queue one row at a time. Maybe this helps you. Maybe not. Good luck.
dougModerator
I know you said “Other than creating one job queue…” but I don’t understand why you’re looking for a different way. The way to handle this is with a single job queue that contains multiple deployments.
While the advanced multi-row queue sequence could actually also be used for this, it would just add additional complexity over the singular job queue method. To do the advanced multi-row queue sequence you would have to put each row into a single grid (each row in the sequence would have the same host name, so you’d have multiple rows each with the same host name, and they’d have to go into the same grid because the sequence works in a single grid, not across grids), and then you would have to assign a different sequence position number to each row. Effectively, it would create the same result as putting all of the deployments into a single job queue, but it would do it with more complexity.