Windows – Automate Windows update on multiple Virtual servers

updatevirtual-machineswindowswindows-server-2008

hope you guys can help. I work for a tech support company that manages servers for many clients in a virtual environment. We personally host about half the clients, while the others have onsite servers.

I am trying to find a good way to go about managing the windows update process for all the servers.That is one thing our company has been slacking on a bit since everything has to be done after hours. Each client will be on its own network. Servers range from Windows server 2003 to 2012.

I know there are ways to automatically download and install updates, and even ways to schedule a reboot, but there are a few things I need to worry about.

We don't want these servers doing update related task during production hours
We need to create a snapshot before running the updates in case something goes wrong and we have to revert.
1. Servers have to be operational when the business opens.

I know VMware has an update manager, but that doesnt seem to update the OS, only the VM's. I have seen talk about WSUS, but I don't quite understand how that works yet, or how to include the snapshot requirement also.

So I am looking to see if anyone knows a good process that would create a VM snapshot, download and install updates, and then restart the server all after hours and automatically. If everything works, good, if not, revert back to snapshot.

Ideally, if we can somehow set it up to do installs in stages, or to prevent specific updates from being downloaded, that would also be good.

Best Answer

WSUS is definitely what you are looking for. It can do everything your looking for in terms of updates including requiring you to approve updates and allowing different update groups.

You'll need to look for a different solution for the imaging however products such as veeam or other backup solutions for virtual systems will usually be able to do this.

In my environment I would write a small powershell script that would do the following.

-Start a backup of the system with Veeam -Once that backup finishes check the time (Just to be sure)[Exit if too late] -Start running updates using WSUS, reboot system -Wait to see if system is back up, if its not up after x minutes have VMWare force the system down and have Veeam do a recovery of the previous backup.

Related Solutions

Windows server 2003 R2 cumulative updates

If you can put up a WSUS server you can have it download the updates once and distribute them to other machines. You can modify the local group policy of each machine, if you don't use Active Directory (and thus can't use a Group Policy Object), to direct them to your WSUS server.

Failing WSUS, you might consider downloading all the pending updates and use a tool like nLite to slipstream the updates onto your installation media.

This is a real hack, but one other thing you could do would be as follows:

Install one of the machines and allow it to download updates from the "Windows Update" site and present you with a "Ready to install updates" dialog. Then, perform the following:

Stop the "Automated Updates" service.
Open a command prompt and paste in the following commands:

cd %SystemRoot%\SoftwareDistribution\Download
for "usebackq delims=" %i in (`dir /s /a /b update.exe`) do start %i /nobackup /passive /norestart
for "usebackq delims=" %i in (`dir /s /a /b update.exe`) do start %i /n /passive /norestart

(Those commands will install most of the pending updates silently w/o making backup copies of the replaced files. Be aware that .NET Framework update, MSXML updates, and application updates won't be installed by this method.)

Install the other 2 machines but don't allow them to perform updates automatically. Copy the contents of the "%SystemRoot%\SoftwareDistibution\Download" directory from the first machine to each of the remaining machines and perform the procedure above on those machines.
Remove the contents of the "%SystemRoot%\SoftwareDistibution" on both machines while the "Automated Updates" service is stopped, then reboot and allow the machines to detect updates again. The remaining ".NET Framework" and other updates will be detected and installed.

(That procedure is basically what I do when prepping a new machine w/ updates from WSUS. I manually execute the updates that don't install via the "for ..." loops when they're done, then clean the machine up. I detest having the "$NtUninstall..." directories on brand new machines, and that method prevents them from being created...)

Windows – Best way to fully update a new installed Windows

Perform instructions below at your own risk: To automate windows update these instructions may or may not work for your system however it appears to work to an extent for Windows 7 as these instructions were tested on Windows 7.

MUST READ: 1. If the step below does not work verify then you are most likely part of a domain and your security policy may not allow you to perform steps below! 2. UAC prompts were also disabled for the duration of the windows updates so the batch files can run without interruption; be careful to restore this to default when done

Caution this step will make your computer less secure, immediately remove this after your computer is completely up to date. Set a reminder for 24 hours later if need be:

1. First you will have to make sure your computer automatically logs into a user. You can do this by clicking start menu, type "netplwiz", press enter or open the wizard, under the users tab, select your username, and un-check "require password", type your password, close this window.

2. Create 3 batch files to start the automated process. (Open notepad paste each code into a separate notepad and perform a save as corresponding_file_name.bat)

One. Save as: any_name.bat then copy this batch file to your startup folder for the user you made auto login. (Click start > All Programs > Startup)

start "" c:\autoupdate1.bat
exit

Two. Save as: autoupdate1.bat then copy this to C:\ drive

wuauclt /detectnow
wuauclt /updatenow
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" > nul && shutdown -r -t 0
start "" c:\autoupdate2.bat
exit

Three. Save as: autoupdate2.bat then copy this to C:\ drive

ping 127.0.0.1 -n 61 > nul
start "" c:\autoupdate1.bat
exit

Restart or open the batch file in the startup folder and watch the magic begin!

3. When it is completely done updating just delete the batch files from the startup folder & c:\ drive

Once again follow these instructions at your own risk as it can create an endless loop if you do not know how to stop this process by removing it from the startup folder or going into windows under safe-mode to remove the batch files

Final notes: If you run into issues running the batch files chances are you may have to look up how to disable UAC prompts for your Windows version

Best Answer

Related Solutions

Windows server 2003 R2 cumulative updates

Windows – Best way to fully update a new installed Windows

Related Topic