Windows – what is the best way to keep updated more than 75 windows servers

updatewindowswsus

After virtualising our server infraestructure, in the last two years the number of windows servers has grown from aprox. 20 to 75, mainly by migrating every service of our corporation to his own vm, but we also are deploying new applications that require one or more servers.

In the old times, keeping windows updated take me only 1 hour to do this (boring) task, but now it's coming really time-consuming and also error-prone (too many servers ,some of them are clusters or nbl, and others have services that depends in other servers, that expect the other server is online when it's restarted, so you can't reboot all at one time).

Our workflow is the following:

1- Someone aproves in WSUS the updates of the month after little testing. 2- One time every month, on Friday evening, when almost isn't anyone working, I start the boring task of log in every server, wuauclt /detectnow, click to download updates, click to install, reboot (keeping in mind what other servers are rebooting at the moment), log in again, check if is any pending update after reboot, etc etc.

I searched in internet and I didn't find anything that can help me in this task, I tried to make a c# app that manage all of this without manually login every server, but wuapi.dll is unable to download/install in remote.

So, I think this has to be a common problem, what other people do? As you can expect, we can't leave updates to install automatically or reboot when automatic updates want.

Best Answer

You're in the process of moving from "SMB-management" to "Enterprise management", which can be exiting enough in itself.

Most companies implement some kind of a maintenance window notion, where a maint window is a period of time that the given server is allowed to restart or/and perform maintenance tasks. By doing some careful planning, such as placing domain controllers/DNS Servers in separate maintenance window groups (same with cluster nodes), you should hopefully be able to design server groups where different maintenance window policies are assigned. Some companies use system managagement tools such as Microsoft System Center Config Manager to control both the maintenance windows and patch management, but I know a lot of large companies just relying on WSUS and controlling policies using GPO or registry. For one customer we built GPOs with AD Group filtering, so that sysadmins simply had a "day of week group" they could add their servers to. Servers in the "Monday" group would get patched every monday at 2330, and so on.

So, there's a lot of tooling out there but the first thing to do is to realize your now in the enterprise management business and plan accordingly.

Related Solutions

WSUS – Remotely Trigger Downloaded Update Installation

I finally figured it out. There is a (barely) documented windows update API that you can use to trigger these types of things. I used a modified form of the script found here which is about as close to documentation as you can get.

I modified it as below, taking out the downloading pieces - because i control the download with GPO and WSUS, as well as all of the prompts. Then I inserted some code to reboot the box if needed by the updates.

Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateupdateSearcher()
WScript.Echo "Searching for updates..." & vbCRLF

Set searchResult = updateSearcher.Search("IsInstalled=0 and Type='Software'")


WScript.Echo "List of applicable items on the machine:"

For I = 0 To searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    WScript.Echo I + 1 & "> " & update.Title
Next

If searchResult.Updates.Count = 0 Then
    WScript.Echo "There are no applicable updates."
    WScript.Quit
End If


Set updatesToInstall = CreateObject("Microsoft.Update.UpdateColl")

WScript.Echo  vbCRLF & _
"Creating collection of downloaded updates to install:" 

For I = 0 To searchResult.Updates.Count-1
    set update = searchResult.Updates.Item(I)
    If update.IsDownloaded = true Then
       WScript.Echo I + 1 & "> adding:  " & update.Title 
       updatesToInstall.Add(update) 
    End If
Next

'WScript.Echo  vbCRLF & "Would you like to install updates now? (Y/N)"
'strInput = WScript.StdIn.Readline
'WScript.Echo 

'If (strInput = "N" or strInput = "n") Then 
'   WScript.Quit
'ElseIf (strInput = "Y" or strInput = "y") Then
    WScript.Echo "Installing updates..."
    Set installer = updateSession.CreateUpdateInstaller()
    installer.Updates = updatesToInstall
    Set installationResult = installer.Install()

    'Output results of install
    WScript.Echo "Installation Result: " & _
    installationResult.ResultCode 
    If (installationResult.RebootRequired = True) Then
        Set RebootShell = WScript.CreateObject("Wscript.Shell")
        RebootShell.Run "shutdown.exe -r -t 0"
    End If

    WScript.Echo "Reboot Required: " & _ 
    installationResult.RebootRequired & vbCRLF 
    WScript.Echo "Listing of updates installed " & _
     "and individual installation results:" 

    For I = 0 to updatesToInstall.Count - 1
        WScript.Echo I + 1 & "> " & _
        updatesToInstall.Item(i).Title & _
        ": " & installationResult.GetUpdateResult(i).ResultCode         
    Next
'End If

The next step was to glue this together with psExec - which doesn't like running VBScripts remotely. I put together the following batch file to copy the script locally to the server, then kick off the install with psExec running as a System user:

for /f %%i in (%1) do copy installUpdates.vbs \\%%i\c$
psexec @%1 -s cscript C:\installUpdates.vbs

All you need at this point is to pass the batch script a text file with the names of your computers in it - one per line, and you are good to go. No more logging into every server to kick off windows update installs!

The one issue that is a little annoying, is that this is very much a serial execution, so if you have alot of updates it could take a while. I couldn't find a good way around this, besides breaking up your list of machines and running multiple copies of the batch file. Not the end of the world.

Little bit of an update. I found out that there are some installations that you just need to be interactively logged on with the proper permissions to install. basically if wsus says it failed to install you gotta get on the box. Although this is a nice step up from having to log into EVERY box.

Windows – Low cost WSUS Alternative

Well, I can imagine one way, but the ease of doing it easily depends on which version of Windows Server you are running, or more specifically, whether you will be doing this with or without PowerShell.

If you understand WSUS, and I hope others understand it better than me, you know all it is doing is a proxy, and if configured to load updates from your WSUS server, a cache as well. It then periodically communicates with the clients to check which updates installed and others that failed, recording that info in a central database that make pretty reports. If you break it down into these components, you can see there is hope in making a free alternative for yourself, but you will need to put all the right pieces into place, so long as the caching portion is not a necessity for you and you will let clients talk upstream to Microsoft directly.

Set all clients to automatically receive updates with Group Policy to your liking; I assume you have it if you were using WSUS (since they are both "big boy" tools, to use my own term).
Use VBScript or PowerShell (obviously the latter is easier, hence my original comment) to directly call the update API, or use Powershell, or use either to wrap around a freeware utility like WUInstall to do it for you (I would check licensing for the option though, since there is a Pro pay-for version as well). As for the first two, people have asked before on SF.com, look around. Someone asked about this before, and I doubt it is the first or last time.
A server to to host the database with the status of all your clients. It can be anything really, but MySQL or PostgreSQL would be cheapest; you could just use ODBC with VBS or PowerShell, depending on how much headache you want. If you have a SQL Server instance running, I assume you could talk to that. All you need is something simple to do CRUD operations. A co-worker has done something similar, albeit simpler, to record logons for different subsets of computers across our site and update a MySQL database he queries using phpMyAdmin. This presumes you do not need a pretty interface, and would need reporting for you and your team, not some manager type.
Script the clients to communicate with the server and update the database with their updates installed and errors, etc.. Again, you could use a couple open-source tools and change the database organization to get the same impact, I imagine.

Now, I am sure there will be limitations.

It sounds like you can script the Windows Update API to force only Critical updates. However, the fine-grained control you are looking for would probably be lost unless you invest more time researching the Update API (since that is what WSUS relies on anyway) or look for better freeware tools, or even write your own. If you can figure it out, you can probably blacklist installation of certain KB ID's you want to be skipped. Again, that is how everyone else must do it.
Sexy-looking reports, as I alluded to before.
Many others I forget.

Some benefits:

Better performance (I personally think despite its charms, WSUS requires a lot of overhead for a very simple operation).
Better pushing of client error logging (I come from a WSUS 3.0 shop, and I think it is annoying I often get errors from an update that tell me to check the Event Viewer on the client, which happened to me often). What are we paying for then? I feel like a custom-built solution gives you the power to do better in this department.
More flexibility in how to process the same computer with a different image or vice versa. We work in an environment with a lot of computers, and re-image often; some idiot techs use badly constructed images. As a result, SIDs can be a problem, despite Microsoft assuring us otherwise in all other crap they make except WSUS, according to Mark Russinovich. Now, it is my impression from limited WSUS experience you will have a lot of unique records for the same computer after re-imaging (instead of doing something cool and detecting the same hostname with a different SID or something) or you would have a big mess when techs do not sysprep images properly (we had that happen recently in a big department with their own tech).
A ton of others I forget.

So, in short, you can see I too have thought of this. With a little bit of know-how, you might be able to do something cool on your own. I realize this is a tall order, but I think this would be the cheapest route imaginable.

Best Answer

Related Solutions

WSUS – Remotely Trigger Downloaded Update Installation

Windows – Low cost WSUS Alternative

Related Topic