
If you don't have access to enterprise-grade Windows patching solutions, this gem may fill the gap for SysAdmins who need to mass-manage WSUS updates on a budget.

BatchPatch, an application from Cocobolo Software, was initially developed to help deploy Windows patches, but over time it has morphed into a tool that SysAdmins may find themselves using every day. Let's go over how you can use it to apply Windows patches to some remote servers.

Let's Cover a Few Assumptions

Before we dig into the steps to manage updates on remote servers, we need to cover a few assumptions. Let's assume that your Windows domain environment has an established Windows Server Update Services (WSUS) infrastructure. We're also going to assume that any recent updates waiting to be installed have been approved via your typical approval process. This may also include specific change control processes, communication cadences, and updates that have been released in a development environment. Either way, you have updates that have been released by Microsoft, have filtered down, and are ready to be released and installed in your environment.

It is also assumed that the account you are logged into and running BatchPatch with has administrative rights on any of the remote computers you will be managing. BatchPatch does have mechanisms in place to run actions as another user, but it is suggested to run BatchPatch with the account that has the access.

Setting Up and Configuring BatchPatch

BatchPatch is quite simple to set up, and in no time, you'll be on your way to a whole new set of tools that may just make your life as a SysAdmin easier. BatchPatch is a standalone executable that does not need to be installed like traditional software. Head over to the BatchPatch download page and grab the latest version. BatchPatch is licensed software. Luckily, the free version lets you use the full features of the application, but it only allows you to manage four computers at a time.

BatchPatch makes use of a very well-known tool called PsExec by Microsoft Sysinternals. PsExec is a prevalent tool for remote management of Windows systems. If you don't already have this in place, you will need to ensure you have the latest version from Microsoft Docs. You will end up getting the entire PsTools as a .zip file. Just extract PsExec.exe and place it somewhere on the station you will be running BatchPatch on, let's say in C:\Windows\System32. This will make the next step easier.

Extract PsExec.exe for use with BatchPatch

Once PsExec.exe is in C:\Windows\System32, open up a command prompt or PowerShell console window and type the command

        PsExec.exe /?
    

to force the PsExec license agreement to show. These PsExec steps only need to be completed once. Otherwise, when BatchPatch tries to use PsExec in the background, it won't execute because it's waiting for the license agreement to be accepted.

Accept the PsExec license agreement
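A preflight check for the PsExec setup described above, as an added example that is not part of the original article or of BatchPatch. It assumes PsExec.exe sits in C:\Windows\System32 as suggested, and that it is run as the same user that will run BatchPatch; the function name `Test-PsExecReady` is made up for this example.

```powershell
# Added example: confirm the PsExec copy BatchPatch will call is genuine and ready.
# Assumption: PsExec.exe was placed in C:\Windows\System32, as in the article.
$psexec = 'C:\Windows\System32\PsExec.exe'

function Test-PsExecReady {
    param([string]$Path)

    $result = [ordered]@{
        Path              = $Path
        Exists            = Test-Path -LiteralPath $Path -PathType Leaf
        SignatureValid    = $false
        SignedByMicrosoft = $false
        FileVersion       = $null
        EulaAccepted      = $false
    }

    if ($result.Exists) {
        # A valid Authenticode signature means the file is unchanged since it was signed.
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        $result.SignatureValid = ($sig.Status -eq 'Valid')
        if ($sig.SignerCertificate) {
            $result.SignedByMicrosoft = $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
        }
        $result.FileVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    }

    # PsExec records license acceptance per user, so check the account that runs BatchPatch.
    $eula = Get-ItemProperty -Path 'HKCU:\Software\Sysinternals\PsExec' `
                             -Name EulaAccepted -ErrorAction SilentlyContinue
    if ($eula) { $result.EulaAccepted = ($eula.EulaAccepted -eq 1) }

    [pscustomobject]$result
}

$check = Test-PsExecReady -Path $psexec
$check | Format-List

if (-not ($check.Exists -and $check.SignatureValid -and $check.SignedByMicrosoft)) {
    Write-Warning 'PsExec.exe is missing or its signature does not verify. Download it again from Microsoft.'
}
if (-not $check.EulaAccepted) {
    Write-Warning 'The PsExec license has not been accepted for this user. BatchPatch actions will hang.'
}
```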

Now the foundation has been laid. When running BatchPatch for the first time, you need to set a few configuration items. Most of them are self-explanatory. The one thing you will want to make sure you do is tell BatchPatch where your PsExec.exe file is.

Let BatchPatch know where the PsExec.exe file is located.

If you happened to have clicked through this window, you could easily add the path in the settings of BatchPatch by clicking Tools > Settings in the menu bar. Once in Settings, click on the Remote Execution tab and fill in the path to PsExec.exe wherever you may have placed it. Click OK to save the setting and exit the Settings menu.

BatchPatch setting where PsExec is identified.

Now that PsExec settings are in place, we are ready to start managing computers remotely! These initial steps only need to be done once, so there is no need to worry about repeating them over and over unless you plan to use BatchPatch from another station.

Managing Windows Updates on Remote Servers

The first thing to do is add a list of computers to what BatchPatch calls the grid. You can quickly add computer names or IP addresses by clicking Grid > Add Hosts... from the menu bar.

Menu bar > Grid > Add Hosts to add computers to the grid

Then type or paste your list of remote computers and click OK to add to the grid. Notice that BatchPatch has a variety of ways of adding computers. Some even include pointing to an Active Directory organizational unit to pull in computers.

Type or paste a list of computers in the add hosts box

Select all the servers in the grid by pressing Ctrl+A. Then in the menu bar, select Actions > Windows updates > Download and install updates.

In the menu bar, click Actions > Windows updates > Download available updates

This will force the computers to step through the following:

  1. Check in with WSUS to see what updates are available.
  2. Download any applicable updates.
  3. Install any applicable updates.
  4. Report the final status of the installations and whether or not a reboot is required.

A progress bar for each step will appear for each computer in the grid within the Progress column. This is a nice feature to have so you can easily monitor the progress of each step of the process. Below is an example of what this looks like.

BatchPatch progress for each computer is shown in the grid.

Once all the updates are completed, you will be able to see which computers need to be rebooted. This information will be found in the Progress column of the grid. If any updates fail, you will also be able to see that information. If you can reboot the computers that need it, select the computers in the grid by holding down Ctrl and clicking each row in the grid. Then in the menu bar, click Actions > Reboot > Reboot (shutdown.exe /r /f /t 0). There are a few different types of reboot commands, but this will do the trick for this example.

Actions > Reboot to reboot selected computers in the grid

You will then get a confirmation pop-up window asking if you are sure you want to take this action. Click OK to confirm, and BatchPatch will send the selected reboot command to the computers you chose to reboot. Another great feature is that BatchPatch doesn't just leave you hanging and wondering when and if the computers actually rebooted. The grid will add columns on the fly depending on different actions, so in this case, BatchPatch will start pinging the computers you just chose to reboot and provide feedback in the grid as to their state. This will show up in a column called Ping Reply. Once the computer goes offline and then comes back online, the text in the Ping Reply column will switch to italics to indicate that the computer was online, went offline, and is now back online. That way you can walk away while reboots take place and know confidently that they all came back up without wondering what may be happening!

This is a straightforward workflow for deploying WSUS updates. Still, for those SysAdmins out there who don't have enterprise-level solutions, BatchPatch could be a potent tool to save time and streamline lots of different activities.
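An independent check of the outcome the grid reports (updates installed, reboot required, host back online), as an added example that is not part of the original article or of BatchPatch. It assumes PowerShell remoting (WinRM) is enabled on the targets and that the account is an administrator there; the host names and the four-hour patch window are placeholders.

```powershell
# Added example: verify patch and reboot state directly on the hosts.
# Assumptions: WinRM is enabled on the targets; names and window below are placeholders.
$hosts      = 'SERVER01', 'SERVER02'        # constructed names, replace with your grid list
$patchStart = (Get-Date).AddHours(-4)       # assumed start of the maintenance window

$report = Invoke-Command -ComputerName $hosts -ErrorAction SilentlyContinue -ScriptBlock {
    $wuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wuReboot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $cbsReboot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    # Get-HotFix lists what Win32_QuickFixEngineering records; take the newest dated entry.
    $fix = Get-HotFix | Where-Object InstalledOn |
           Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        # Which WSUS server the host is pointed at by policy (empty if none is set).
        WsusServer    = (Get-ItemProperty -Path $wuPolicy -Name WUServer -ErrorAction SilentlyContinue).WUServer
        # Either key existing means Windows still wants a restart to finish servicing.
        RebootPending = (Test-Path -Path $wuReboot) -or (Test-Path -Path $cbsReboot)
        LastBoot      = $os.LastBootUpTime
        LatestHotFix  = $fix.HotFixID
        LatestFixDate = $fix.InstalledOn
    }
}

# A ping reply only shows the host is up; the boot time shows it really restarted.
$report | Sort-Object PSComputerName |
    Select-Object PSComputerName, WsusServer, RebootPending,
        @{ Name = 'RebootedInWindow'; Expression = { $_.LastBoot -ge $patchStart } },
        LatestHotFix, LatestFixDate |
    Format-Table -AutoSize

# Hosts that returned nothing are unverified, not patched.
$missing = $hosts | Where-Object { $_ -notin $report.PSComputerName }
foreach ($name in $missing) { Write-Warning "No result from $name" }
```

A host that shows `RebootPending` as True with `RebootedInWindow` as False has updates installed but not yet in effect.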

That's Just Scratching the Surface

Deploying updates may be a huge timesaver already for you, but BatchPatch can do so much more! For instance, those computers that needed rebooting may be critical production servers in your organization that you can't reboot during the day. That's quite alright, because BatchPatch lets you schedule reboots to take place overnight or during an established maintenance window. It also has a feature that can email you the entire grid contents so you get a report of the outcome of a deployment.

BatchPatch is a great tool and can help with automation tasks such as:

  • Deployment of applications (.exe, .msi, etc.)
  • Running remote .bat, .ps1, .reg, or other type files
  • Gathering information from servers or PCs like disk space usage, RAM utilization, OS version, logged in users, software versions, and a lot more
  • Setting up what are called 'Job queues', in which you can define a list of various actions and deployments to run on hosts, and then schedule them if needed
  • You can even craft Windows 10 version upgrades for groups of PCs

Check out BatchPatch sometime, and after you start using it, you may find yourself asking your organization to purchase it and start scrambling to find any workflows that could be automated with all that it can do.