Windows – Low cost WSUS Alternative

vmware-workstationwindowswindows-updatewsus

We currently use WSUS and it's fantastic for our workstations and keeping track of what updates our servers need.

I'd sooner not automatically have WSUS install patches in the small hours to our servers, but I would like to be able to click a "update these servers now" button, but without the time involved logging onto each server, firing up IE, going to Windows Update etc.

Are there any suggestions on low cost ways to achieve this please?

I'm aware of Shavlik but across a couple of dozen servers it's not the cheapest option.

If it's relevant the servers are almost all VM's on vSphere.

Thanks a lot.

Best Answer

Well, I can imagine one way, but the ease of doing it easily depends on which version of Windows Server you are running, or more specifically, whether you will be doing this with or without PowerShell.

If you understand WSUS, and I hope others understand it better than me, you know all it is doing is a proxy, and if configured to load updates from your WSUS server, a cache as well. It then periodically communicates with the clients to check which updates installed and others that failed, recording that info in a central database that make pretty reports. If you break it down into these components, you can see there is hope in making a free alternative for yourself, but you will need to put all the right pieces into place, so long as the caching portion is not a necessity for you and you will let clients talk upstream to Microsoft directly.

  • Set all clients to automatically receive updates with Group Policy to your liking; I assume you have it if you were using WSUS (since they are both "big boy" tools, to use my own term).
  • Use VBScript or PowerShell (obviously the latter is easier, hence my original comment) to directly call the update API, or use Powershell, or use either to wrap around a freeware utility like WUInstall to do it for you (I would check licensing for the option though, since there is a Pro pay-for version as well). As for the first two, people have asked before on SF.com, look around. Someone asked about this before, and I doubt it is the first or last time.
  • A server to to host the database with the status of all your clients. It can be anything really, but MySQL or PostgreSQL would be cheapest; you could just use ODBC with VBS or PowerShell, depending on how much headache you want. If you have a SQL Server instance running, I assume you could talk to that. All you need is something simple to do CRUD operations. A co-worker has done something similar, albeit simpler, to record logons for different subsets of computers across our site and update a MySQL database he queries using phpMyAdmin. This presumes you do not need a pretty interface, and would need reporting for you and your team, not some manager type.
  • Script the clients to communicate with the server and update the database with their updates installed and errors, etc.. Again, you could use a couple open-source tools and change the database organization to get the same impact, I imagine.

Now, I am sure there will be limitations.

  • It sounds like you can script the Windows Update API to force only Critical updates. However, the fine-grained control you are looking for would probably be lost unless you invest more time researching the Update API (since that is what WSUS relies on anyway) or look for better freeware tools, or even write your own. If you can figure it out, you can probably blacklist installation of certain KB ID's you want to be skipped. Again, that is how everyone else must do it.
  • Sexy-looking reports, as I alluded to before.
  • Many others I forget.

Some benefits:

  • Better performance (I personally think despite its charms, WSUS requires a lot of overhead for a very simple operation).
  • Better pushing of client error logging (I come from a WSUS 3.0 shop, and I think it is annoying I often get errors from an update that tell me to check the Event Viewer on the client, which happened to me often). What are we paying for then? I feel like a custom-built solution gives you the power to do better in this department.
  • More flexibility in how to process the same computer with a different image or vice versa. We work in an environment with a lot of computers, and re-image often; some idiot techs use badly constructed images. As a result, SIDs can be a problem, despite Microsoft assuring us otherwise in all other crap they make except WSUS, according to Mark Russinovich. Now, it is my impression from limited WSUS experience you will have a lot of unique records for the same computer after re-imaging (instead of doing something cool and detecting the same hostname with a different SID or something) or you would have a big mess when techs do not sysprep images properly (we had that happen recently in a big department with their own tech).
  • A ton of others I forget.

So, in short, you can see I too have thought of this. With a little bit of know-how, you might be able to do something cool on your own. I realize this is a tall order, but I think this would be the cheapest route imaginable.

Related Topic