Forum Replies Created
-
Posts
-
Interesting behavior… Not sure what to make if it at the moment but thx for letting me know.
Yes, BP needs to be running in order for the task scheduler to operate.
-Doig
Yes, BP has to create the folder. However, it’s unclear to me why you’d be able to “check for available updates” in BP when the computer is online, but if you wake it up and then try to “check for available updates” in a single job queue, it gets access denied. Sounds like odd behavior. I wonder what would happen if you put a few additional commands in the job queue, in between the wait 15 min and the “check for available updates.” So for example if you did something like:
1. wake on lan
2. wait 15 min
3. get last boot time
4. get c drive space
5. get stopped automatic services
6. wuauclt.exe /resetauthorization /detectnow
7. download available updates
What happens? Does every step fail with access denied? Or does the first one fail with subsequent ones working?
veix – I’m surprised that you’re able to get psexec to work in the way that you specified without having to use cmd.exe /C because I’m not able to get that to work. Additionally, I’m not able to get it to work even WITH the cmd.exe unless I specify the -u and -p switches to pass credentials to the other computer. This is expected behavior, due to how impersonation works. If I’m on computer A, and I want to run a .bat on computer B, but the .bat file is located on computer C, then this can only be done if I first pass credentials from computer A to computer B, where computer B then uses those credentials to access the .bat file on computer C. If I don’t pass credentials and instead rely on integrated security, computer A can access computer B, but on computer B there is no network access to connect to computer C. This is simply a fact of how impersonation works.
All that said, the BatchPatch code has not changed for the “remote script process” functionality, so I’m unsure how you would have had anything different work in an older version of BatchPatch.
Regarding your 2 questions…
1. Yes, alternate credentials are not ideal because they are passed in clear text to the remote computer. However, in a modern switched network environment, this is generally not necessarily all that big of a deal because the network traffic and clear text password will not be exposed to other computers on the network. Regardless of whether or not it’s ideal, it’s the only way to accomplish exactly what you’re describing, as far as I’m aware.
HOWEVER, as I suggested in the previous posting, you can use BatchPatch’s “Patch Deployment” feature, which will do exactly what you want and will NOT require alternate credentials. BatchPatch will reach out to the network share and get the .bat file, and then BatchPatch will copy that .bat file to the target computer and execute it. This scenario does NOT require alternate credentials because there is only a single hop (no double hop as in the first example).
I hope this helps.
-Doug
Hi Laurie, it sounds like maybe 5 minutes simply isn’t enough time for the computer to come online after the wake on LAN packet is sent. Have you tried waiting longer… Maybe 10 or 15 min instead of 5?
-Doug
Hi veix –
1. You’ll need to specify alternate credentials for this work. This is because when you connect to the target computer with integrated security, the target computer then tries to connect to a different network location but doesn’t have network access because it’s impersonating. So, if you specify alternate credentials, those credentials are first passed to the target system where they can be used natively without impersonating, and in that case they will have access to the network share.
2.
To PsExec a .bat file from the command line you’d have to do the following:
psexec \targetServer -u domainusername -p password cmd.exe /C "\networksharesomebatfile.bat"To do the equivalent in BatchPatch, enter the following into the “Remote script/process” window:
cmd.exe /C "\networksharesomebatfile.bat"Alternatively you could actually use the “Patch Deployment” feature in BatchPatch to do this. Just specify the .bat file as your “Installer file” in the “Patch Deployment” window, and then BatchPatch will take care of the rest. In this case you would not have to use alternate credentials because BatchPatch will actually copy the .bat file directly to the target machine and execute it there. I hope this helps.
-Doug
Ok, thanks for the detailed info. I was able to track down the problem. It has now been fixed and published. The first fixed build is 2013.1.16.21.22
-Doug
Xenophane – Thanks for posting. I have some questions.
1. What version of BatchPatch are you using? Check Help > About
2. Does the target machine have any room on its C drive or is it 100% out of space?
Thanks,
Doug
Thanks for the suggestion. We’ll consider this for a future build.
-Doug
Thanks! Im really happy to hear that you like the app. Unfortunately the current build doesn’t allow you to leave the files on the target. We can look into adding this option in a future build although I’d need a bit more info from you because right now it gets copied to a temp sub directory in the remote working directory, and this temp folder would not be a safe long term location. For the time being your best bet would be to have a separate script (you could use BP for this too) that copies the Msi back to the target after the installation is complete. However, I also then wonder where the Msi needs to be located in order to be found by the application that’s looking for it. Presumably it marks the original file location in some way so that it might actually require it to live in the temp BP working directory if that’s where it was originally installed from? Not sure.
-Doug
Thanks for the information. We’ll update this to work as expected in a future build. However, in either case, the immediate solution and the recommended way to avoid any issues, in general, is to put PsExec in your Windows PATH. So, for example you can just drop PsExec.exe in the C:Windows or C:WindowsSystem32 folder, and then you’ll never have an issue again. Or simply set the PATH to wherever you have the PsExec.exe – https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/path.mspx?mfr=true
We have heard of a few cases where a user has put psexec.exe in the PATH but for some reason has still had trouble, but then after moving psexec to the same location as the BatchPatch.exe, the problem disappeared. It’s not exactly clear why for some users the behavior is different. However, in either case we will address this in a future build so that it’s possible to hardcode into BatchPatch the location of psexec.
edpa – this isn’t going to work, unfortunately.
-Doug
Hi Mark – thanks for the suggestion. Could you explain to me how this would be useful? What I mean is that I don’t see why anyone would need to regularly run this command in his/her environment. It seems like something that someone would only need to run every once in a great while, or never, or only for a particular misbehaving machine. What am I missing here? Also, I assume you are now running this command manually in BP but you’re asking for it to be hardcoded so that you don’t have to manually type it in, yes? Thanks.
-Doug
Thanks for the suggestion. We’ll consider hardcoding this into a future build. In the meantime you can still accomplish this in BatchPatch by hardcoding your own commands in the “user-defined” commands section (see Actions > Remote Process > Create/modify user-defined commands).
You would want to create the following two commands:
WMIC SERVICE where (DisplayName='Windows Update') CALL ChangeStartMode AutomaticWMIC SERVICE where caption='Windows Update' CALL startservice-Doug
Ajo – we will consider this for a future build, but I cannot make any guarantees. We’ll need to think through the pros and cons.
Thanks,
Doug
A normal reboot via WMI is initiated first. If it fails, then a force reboot via WMI is initiated. This is the same as the “reboot (force, if required) option.”
-Doug
I will get back to you on this soon…
Unfortunately I don’t believe the issue has anything to do with 32 vs 64. There’s something else that SCCM is doing with the target WSUS server, that I believe is the source of this problem. In SCCM 2007, I believe that SCCM essentially takes over the WSUS server that it’s linked to, and this is the cause for WUA searches returning no results. For example, if you look at HKLMSOFTWAREPoliciesMicrosoftWindowsWindowsUpdate on a machine that you’re trying to patch with BatchPatch, you’ll see the WUServer and WUStatusServer registry entries, which will be populated with the update server that SCCM is configured to use. If you have a separate WSUS server that is not linked to SCCM, you can manually change these reg keys to point to the unlinked WSUS server, and then you’ll see that BatchPatch finds updates to download/install.
-Doug
Thanks! We appreciate the kind words and your business.
-Doug
Thanks for the suggestion, Andrew. We’ll look at doing this in a future build.
-Doug
Thanks for the suggestion. We’ll look into adding this in a future build.
-Doug
Thanks for sharing. That’s very helpful.
-Doug
Hey jagablack – I’m really glad to hear you like the tool!
BatchPatch port requirements are as follows:
Remote connections are established in a couple different ways, depending on the action selected in the software. Most of the Windows Update and Remote Patch/Software/Script Deployment actions use PsExec in one way or another plus remote fileshare access. These will generally require ports 135 and 445. The reboot, shutdown, and most “Get Information” actions use WMI, which has different and more complicated port requirements explained below. However, you’ll also notice that there are alternate reboot and shutdown methods in BatchPatch, which use a shutdown.exe instead of WMI. In these cases shutdown.exe is initiated with PsExec and so has the same port requirements of 135 and 445 mentioned above.
With regard to WMI, it uses dynamic ports, which makes it more difficult to setup proper ACLs in an enterprise firewall. There are lots of articles about WMI ports on the web and Microsoft’s site, so feel free to take a look around at some of those for more info. It is theoretically possible to set static WMI ports, but in practice I’m not sure this is ever really feasible, and we also haven’t tested it at the time of this writing. See here for more info: http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447%28v=vs.85%29.aspx
Hope this helps.
-Doug
twoj – thanks for the comments.
You can see what hotfix is currently being installed by middle-clicking on the progress bar field. We’ve been considering better/other ways to display this information, but for now this is the cleanest way that we’ve been satisfied with.
We’ve been considering categories or tabbing functionality for a while in order to be able to group machines in a single batchpatch.exe process, but we’re not yet sure if this is something we’ll implement. In the meantime, we strongly recommend categorizing by using different batchpatch.exe processes. Launch one instance of BatchPatch for each category you want. This has the advantage of providing insulation between the processes, so that you don’t have all your eggs in one basket, so to speak.
-Doug
Thanks, Don for posting the solution: http://batchpatch.com/forum/topic/error-1-here-also
“I saw the other posts but no resolution. psexec EULA accepted. No log file created. I do see the remote agent getting copied however. Running it as a DA.
I’d REALLY like for this to work and would purchase ASAP if this issue could be explained/resolved.
Thanks!
Solved – saw another post regarding the log not being found, it indicated that the version of psexec might be too old – downloaded the newest version and it seems to be working now.”
First, make sure you have the latest version of BatchPatch. Then take a look at the following links posted below. Before you can deploy software or run any exe remotely you need to determine what command line switches are required to perform a silent installation. If you don’t, then the exe will get copied to the remote machines, but when it’s executed it will hang indefinitely while waiting for user input to click through the installer prompts, but the installer won’t be visible anywhere.
How to Push .NET to Remote Hosts
Remotely Installing Software Patches, Hotfixes, or Updates with BatchPatch
You don’t have to configure BatchPatch in any special way. All you’ll want to do is setup a group policy to control how your computers receive updates. See http://technet.microsoft.com/en-us/library/cc708536(v=ws.10).aspx We recommend choosing the option to have your computers download but NOT install updates automatically. Then use BatchPatch to initiate the installation and reboot process.
-Doug
Most of our customers use a WSUS server to filter which updates get applied to computers. However, in the absence of a WSUS server, you may use the filtering options that BatchPatch provides in “Tools > Settings > Remote Agent Settings” to control which updates get applied to the machine. These options allow you to filter by “Update Classification.” If you first run “Actions > Windows Updates > Check For Available Updates” you’ll be able to see which update classification the packs fall under, and then you can exclude that particular classification. Unfortunately Microsoft does not publish a classification called “Language Packs.” Instead the Language Packs are classified in one of the other groups. Currently BatchPatch does not allow you to exclude specific update packages by name, although we are considering this for a future build.
I hope this helps. Let me know how it goes. Note, you can setup a WSUS server for free in under 30 minutes on a low-powered machine or virtual machine, so that’s going to be the best bet for the most granularity when it comes to filtering. You only approve the updates that you want to be applied to your machines, and then you can use BatchPatch to initiate the installation.
Thanks,
Doug
We’ll consider this for a future build.
Thanks,
Doug
Andrew – I just published a new build that has a “Recursive Search” option in the Active Directory picker. This will give you what you’re looking for.
-Doug