mmoran2323 (United States of America) asked:
Using WSUS for Server Clients

In my environment I use WSUS 2.0 for my 1000+ servers, mostly W2K3. Up until now I've only really used it for reporting and to get an idea of my update levels. We have a really strict policy and basically no maintenance windows to take down servers for patching. However, I need to address this because of recent audit failures. So I ran across an article from Microsoft that seemed to be something I could implement, however I don't see how I can script this.

Microsoft states that "Create a script to automate installing the updates and then restarting of your server. This script would have the effect of a "button" you would push to initiate all this, therefore the updates install and the server restarts when you run the script. You can do this at the most appropriate time. For more information about creating scripts to automate Automatic Updates tasks (for example downloading and installing updates on server and client computers), see Windows Update Agent Software Developer's Kit (http://msdn2.microsoft.com/en-us/library/ms825116.aspx)".

Here is the link to the article: http://technet.microsoft.com/en-us/updatemanagement/bb245828.aspx

Has anyone created a script that would automate installing updates and restarts?

Thanks in advance for your help.
ChiefIT (United States of America):

WSUS pretty much has a button you push to synchronize with the servers. Once WSUS is set up to download a select group of updates, it will do it at a couple of clicks of the mouse.

For Client going to your server for updates, a GPO can be created.
http://technet2.microsoft.com/windowsserver/en/library/4ac8d574-f48e-4d9d-86c9-9aeb0f57e7501033.mspx

Two different tasks, both are minimal admin time if the settings are configured.
mmoran2323 (asker):

I wanted to create a script for the servers to download, install and reboot. I could set up a policy for the updates to download, however I would have to manually log onto the 1000+ servers to run the installs and reboots. I was hoping I can script that and MS says you can using the Windows Update Agent Software Developer Kit.

There are a lot of scripts already written for specific tasks like this. Personally, I hate writing code or batch files.

Where I was going with the GPO:
GPO is much like the settings of the local computer. You can elect download updates from your WSUS server automatically. Then you can also elect your server and/or client to reboot automatically after the updates download happens. Or you can elect for your update to prompt the user to reboot after the updates are downloaded. These are just GPO settings.

In either case, after reboot, you will end up at a log on screen. I don't know if there is an automatic login script that will put your credentials in and log onto the server for you. I can see an issue with being stuck at a login prompt.
That's the issue with the GPOs with WSUS. I can't have servers reboot automatically after updates have been installed. These are not workstations for users, this is my data center, so having people select when to reboot is not an option either. I have specific maintenance windows when this can be done. So if I could script it I can execute the script and have the update(s) download\install and reboot my servers.

Let me see if I can invite a script genius to help us out.

I appreciate it, thanks.
Netman66:
Hi there!

OK, so you have 1000+ servers that require maintenance at specific times.  Not such a big task.

You say you're using WSUS 2.0 right now.  Here's what I would do.

1)  Download and update WSUS 2.0 to WSUS 3.0 - read the requirements for this install - you'll need .NET framework, Microsoft Report Viewer and MMC 3.0 on the WSUS server before you upgrade.
2)  Use the /g switch when upgrading to preserve whatever local datastore you have.
3)  Create target groups of servers that can be patched at the same time.  You may have 50 groups - no big deal.
4)  Now, the trick is to group these servers into OUs where the servers in each OU match the groups you created above.  If this doesn't work for you then we can use GPO Security Filtering instead.
5)  In the new WSUS console select the options you want - Language, sync time and products you want to patch.
6)  Sync it - this may take all night.  Set your Automatic Sync time for 3am.
7)  Create GPOs - one for each target group you created in step 3.  Name them accordingly so you can keep track of them.  Set the Windows Update options per GPO that match your maintenance times - ie/each GPO will have settings like Download and Install updates at 9pm.  Set the check for update Interval for 12 hours.  Of course each target will have a different time.
8)  Do not Automatically approve any updates.
9)  When you decide to approve an update then apply it to the target groups you want to receive it - the morning of the patch night.  This is going to be important and as much work as scripting installations.
10) Sync the WSUS server manually - this will take your approved updates and download them to the WSUS server for deployment.
11)  The servers should pick up the patches before the stated update time in the GPO and reboot automatically provided there are no Admins logged in.

Is any of this making sense?  WSUS is completely configurable with Target groups - however, it's key to remember that there is a process for servers when you stagger patches across multiple groups.

If you still want a script solution - that'll be ugly - let us know.
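As an added illustration of what the per-group GPO in step 7 (and the automatic-reboot behaviour in step 11) actually sets on each server, here are the registry values behind those Windows Update policy settings, written with PowerShell. This is example code added to the thread, not something Netman66 posted; a GPO writes the same values under HKLM\SOFTWARE\Policies, so applying them directly is mainly useful for checking what a server actually received or for a lab box outside the domain. The WSUS URL is a placeholder assumption.

```powershell
# Added example (not from the thread): registry equivalent of the per-group
# Windows Update GPO settings described in steps 7 and 11 (auto download with
# a scheduled install at 21:00 daily, 12-hour detection interval, no automatic
# reboot while someone is logged on). Run as a local administrator.
$wsusUrl = "http://wsus.example.local"   # placeholder, not a value from the thread

$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$au = "$wu\AU"
New-Item -Path $au -Force | Out-Null

# Where the agent fetches approved updates from and where it reports status.
Set-ItemProperty -Path $wu -Name WUServer       -Value $wsusUrl
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $wsusUrl

$auSettings = @{
    UseWUServer                   = 1   # use the WSUS server, not Microsoft Update
    NoAutoUpdate                  = 0   # Automatic Updates enabled
    AUOptions                     = 4   # auto download and schedule the install
    ScheduledInstallDay           = 0   # 0 = every day, 1 = Sunday .. 7 = Saturday
    ScheduledInstallTime          = 21  # hour of day, 0-23 (step 7: 9pm)
    DetectionFrequencyEnabled     = 1
    DetectionFrequency            = 12  # hours (1-22); the agent randomises by up to 20% less
    NoAutoRebootWithLoggedOnUsers = 1   # step 11: reboot only if nobody is logged on
}
foreach ($name in $auSettings.Keys) {
    Set-ItemProperty -Path $au -Name $name -Value $auSettings[$name] -Type DWord
}

# Show what landed, then make the agent re-read policy and run a detection now.
Get-ItemProperty -Path $au |
    Select-Object AUOptions, ScheduledInstallDay, ScheduledInstallTime,
                  DetectionFrequency, NoAutoRebootWithLoggedOnUsers
wuauclt.exe /resetauthorization /detectnow
```

Each target group from step 3 gets its own copy of these values with a different ScheduledInstallTime (or ScheduledInstallDay), which is exactly what one GPO per group delivers; the Get-ItemProperty line is the quick way to confirm on a given server which group's settings it actually picked up.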
I apologize I haven't answered sooner.

In theory your solution looks good however it's way too much manual work for me and my team. My environment changes on a daily basis and I would have to constantly adjust the members of all these WSUS groups. Plus the Frequency Detection is not exactly what I was looking for, there is no exact time, there's this zero minus 20 percent algorithm, why they designed it that way is anyone's guess.

What I was looking for was a script that would reference a text file that contained the servers that I wanted to be patched. The servers then could contact the WSUS server and download, install and reboot.

I know there are other products for this, would you guys recommend a particular vendor?

Thanks again.

You can't script the use of WSUS that way.

You can, however, script patch installation remotely from a UNC path.  This would amount to creating text files with your servernames (one file per reboot group) then calling PSEXEC to run a cmd file with the series of patches before the reboot.

According to Microsoft you can. Look at the link in my first post.

"Create a script to automate installing the updates and then restarting of your server. This script would have the effect of a "button" you would push to initiate all this, therefore the updates install and the server restarts when you run the script. You can do this at the most appropriate time. For more information about creating scripts to automate Automatic Updates tasks (for example downloading and installing updates on server and client computers), see Windows Update Agent Software Developer's Kit"
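The "button" the Microsoft text describes is the Windows Update Agent COM API (Microsoft.Update.Session), and the two positions in the thread are compatible: the agent will search, download and install from the WSUS server on demand, but its installer object is not supported for remote use, so the script has to run on each server itself, for instance pushed out with PsExec to the names in a text file, as Netman66 suggests. The following is an added example written for this thread, not code from Microsoft or from either poster; it assumes the server is already pointed at WSUS by policy, that it runs as a local administrator, and that -RebootIfNeeded is only passed inside the maintenance window.

```powershell
# Added example (not from the thread): Install-WsusUpdates.ps1, run locally on
# each server. Assumed invocation from the admin workstation, one server per line
# in servers.txt and the script already copied to each server:
#   psexec @servers.txt -s powershell.exe -ExecutionPolicy Bypass `
#       -File C:\Scripts\Install-WsusUpdates.ps1 -RebootIfNeeded
param(
    [switch]$RebootIfNeeded,
    [string]$LogPath = "$env:SystemRoot\Temp\wua-install.log"
)

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1} {2}" -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# WSUS only offers this machine the updates approved for its target group, so
# the search result is already limited to what the WSUS admin approved.
Write-Log "Searching for approved, not yet installed software updates"
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

if ($result.Updates.Count -eq 0) {
    Write-Log "No applicable updates; nothing to do"
    exit 0
}

$toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($update in $result.Updates) {
    # An update whose EULA is not accepted is silently skipped by the installer.
    if (-not $update.EulaAccepted) { $update.AcceptEula() }
    Write-Log ("Queued: {0}" -f $update.Title)
    [void]$toInstall.Add($update)
}

# Download from WSUS (a no-op for anything Automatic Updates already fetched).
$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toInstall
$dlResult = $downloader.Download()
Write-Log ("Download result code: {0} (2 = succeeded)" -f $dlResult.ResultCode)

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$instResult = $installer.Install()
Write-Log ("Install result code: {0} (2 = succeeded)" -f $instResult.ResultCode)

# Per-update outcome, useful evidence for the audit trail the asker mentions.
for ($i = 0; $i -lt $toInstall.Count; $i++) {
    Write-Log ("{0} -> {1}" -f $toInstall.Item($i).Title,
                                $instResult.GetUpdateResult($i).ResultCode)
}

if ($instResult.RebootRequired) {
    if ($RebootIfNeeded) {
        Write-Log "Reboot required; restarting in 60 seconds"
        shutdown.exe /r /t 60 /c "Scheduled patch reboot"
    } else {
        Write-Log "Reboot required but -RebootIfNeeded not set; leaving server up"
        exit 3010
    }
}
```

Because the server list is a plain text file, the maintenance-window groups live outside WSUS and can change daily without touching target groups, which is the asker's main objection to the GPO route. The log file gives a per-server record of what was installed and whether a reboot happened, and exit code 3010 (the conventional "reboot pending" code) lets the PsExec driver on the workstation pick out servers that were patched but not yet restarted.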
Asker certified solution: Netman66 (Canada)