Remotely Apply Windows Updates from a Local WSUS Server to Multiple Computers

Today we’re going to take it back to the basics and review some of the core functionality that BatchPatch offers. Specifically we’re going to look at how you can use BatchPatch to download and install Windows Updates on numerous target computers, simultaneously, when those computers are configured to receive updates from a local WSUS server. BatchPatch can, of course, also be used to trigger the update process on computers that are not using a WSUS. In either case, BatchPatch can also monitor the process to completion and optionally execute a reboot, if required by the installation, and monitor the reboot too, to make sure that all computers come back online in a timely manner.

WSUS and Group Policy

If you are utilizing a Windows Server Update Services (WSUS) server, then each of the target computers will have a Group Policy (or the corresponding, underlying registry key/value) configured that points to the WSUS server. For more details on the Group Policy setting, please see ‘BatchPatch Integration with WSUS and Group Policy’.

If you’re not sure whether or not your target computers are actually configured to use the WSUS, you can use BatchPatch to find out the value of the Group Policy setting mentioned above for your target computers. To do that, highlight the desired computers in your BatchPatch grid and select ‘Actions > Windows updates > Get Windows Update configuration’ as shown in the screenshot below.

You can see the results below, which show that my targets are configured to use my local WSUS server, WIN2012R2, for their updating.

“Dual Scan” Considerations

It is important to note that in the case of Windows 10 and Windows 2016 target computers, having a value set for the aforementioned Group Policy actually does not tell the complete story of where those target computers will search for updates. Ever since the introduction of “Dual Scan” by Microsoft, which arrived in late 2017, things have become a bit more tricky. If you determine, using the above method, that your target computers are pointing to a WSUS server, it’s still possible that they will retrieve updates from Microsoft’s public Windows Update or Microsoft Update servers if “Dual Scan” is enabled. To determine, with certainty, whether or not Dual Scan is enabled and whether your machines are going to search for and retrieve updates from your local WSUS server or Microsoft’s public update servers, please review the following two posts carefully:

‘Dual Scan’ Difficulties with Windows Update on Windows 10 versions 1607 ‘Anniversary update’ and 1703 ‘Creators update’

Deciphering ‘Dual Scan’ Behavior in Windows 10
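
The same check can be made directly against the underlying policy registry values, which is useful when you want to confirm that no endpoint is quietly bypassing WSUS approvals. The script below is an added example, not BatchPatch code or anything from the linked posts. It assumes the standard Windows Update policy values (WUServer, UseWUServer, DeferFeatureUpdates, DeferQualityUpdates, DisableDualScan); the host names, the WSUS URL and the Dual Scan heuristic are constructed for illustration, and the two posts above remain the authority on Dual Scan behavior.

```powershell
# Added example (not BatchPatch code): summarize where a computer is set to get updates.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuPolicy {
    # Read the local Windows Update policy values; unset values come back as $null.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer            = $wu.WUServer
        UseWUServer         = $au.UseWUServer
        DeferFeatureUpdates = $wu.DeferFeatureUpdates
        DeferQualityUpdates = $wu.DeferQualityUpdates
        DisableDualScan     = $wu.DisableDualScan
    }
}

function Get-WuSourceSummary {
    param([Parameter(Mandatory)] $Policy, [string] $ComputerName = $env:COMPUTERNAME)
    # WSUS is only in effect when a server is named AND UseWUServer is 1.
    $usesWsus = ($Policy.UseWUServer -eq 1) -and
                -not [string]::IsNullOrWhiteSpace($Policy.WUServer)
    $deferral = ($Policy.DeferFeatureUpdates -eq 1) -or ($Policy.DeferQualityUpdates -eq 1)
    # Simplified heuristic (assumption): WSUS plus deferral policies, without
    # DisableDualScan = 1, is the combination worth reviewing for Dual Scan.
    $note = if (-not $usesWsus) {
        'No WSUS policy in effect: Windows Update / Microsoft Update'
    } elseif ($deferral -and $Policy.DisableDualScan -ne 1) {
        'WSUS set, deferral policies present, DisableDualScan not set: review Dual Scan'
    } else {
        'WSUS policy in effect'
    }
    [pscustomobject]@{
        ComputerName = $ComputerName
        WUServer     = $Policy.WUServer
        UsesWsus     = $usesWsus
        Note         = $note
    }
}

# Constructed sample policies (hypothetical hosts; URL is a made-up value for WIN2012R2).
$samples = [ordered]@{
    'PC-01' = @{ WUServer = 'http://WIN2012R2:8530'; UseWUServer = 1 }
    'PC-02' = @{ WUServer = 'http://WIN2012R2:8530'; UseWUServer = 1; DeferQualityUpdates = 1 }
    'PC-03' = @{ WUServer = 'http://WIN2012R2:8530'; UseWUServer = 0 }
}
foreach ($name in $samples.Keys) { Get-WuSourceSummary -Policy $samples[$name] -ComputerName $name }

# Live use on the local machine: Get-WuSourceSummary -Policy (Get-WuPolicy)
```

To collect the values from remote targets, `Get-WuPolicy` can be run through `Invoke-Command -ComputerName <name> -ScriptBlock ${function:Get-WuPolicy}`, assuming PowerShell remoting is enabled on those machines.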

Applying Windows Updates Remotely

In BatchPatch you should first verify your Windows Update settings under ‘Tools > Settings > Windows Update’. If you want BatchPatch to respect the current configuration of your target computers, then make sure the ‘Server Selection’ value is set to ‘Default / Managed’ as it is in the screenshot below. The ‘Default / Managed’ setting tells BatchPatch to use the target computer configuration to determine where to search for and retrieve updates. If the target computer is configured to utilize your local WSUS, then BatchPatch will do that. If the target computer is configured to utilize Windows Update or Microsoft Update, then BatchPatch will do that.

However, if you want BatchPatch to ignore the target computer settings and search only against Windows Update or Microsoft Update, then you can change the Server Selection value as desired. So for example if you set the BatchPatch Server Selection to ‘Windows Update’ then it does not matter if your target computers are configured via Group Policy to utilize your local WSUS server because BatchPatch will tell them to use Windows Update when BatchPatch initiates its scans. Note, BatchPatch does not modify the target computer configuration in this case. It simply overrides the target computer configuration when actions in BatchPatch are initiated.

When you are finally ready to actually search for, download, and install updates on your target computers, highlight the desired computers in your BatchPatch grid, and then select ‘Actions > Windows updates…’ and the desired operation, whether that be to just check for available updates or to just download available updates or to download and install updates plus reboot etc.
