Tool to test Windows Updates

Posted on 2009-07-08
Last Modified: 2012-05-07
We have a client with a requirement to have all Windows updates thoroughly tested before deployment.  The problem that arises is that it is a cumbersome task to go through each Security update, etc.  Is there a site devoted to Windows Updates where issues are posted as they arise?  What is the most efficient way to test Windows updates and patches?  The client in question is a life critical organization where they can only afford 2 hours of downtime a month so cannot have their systems down longer than the patches take to install.
Question by:advserver

Accepted Solution

ou_dober earned 300 total points
ID: 24806919
I would create a small lab (virtual or physical with a few servers and workstations). Try to get the lab machines as close to a production state as possible.  If using WSUS - create a distribution container with these lab machines.  It might be helpful to create a TestOU in AD and add them to it as well for future testing with other Windows components like GPO's.

Load Update Compatibility Evaluator (UCE) onto all the test machines. For more info.

Ensure that all event logs are set to verbose for the test machines so that you can review errors from the updates should they occur.

Once the lab is built, manually or automatically distribute via WSUS the patch you want to test on the test machines.  UCE and the event logs are going to be your tell-tales for problems.

I would recommend reading this patch management process by SANS to get a general idea of what you want to drive out.

Once you get a plan of how you want to process patches in your business, start picking off pieces to automate it to reduce time.  Microsoft TechNet is a decent place to watch for issues along with just googling the KB or update itself to see what pops up.


Assisted Solution

ThaVWMan earned 100 total points
ID: 24806925
Your situation would be well served with a virtualized environment.... VMware and/or Citrix both have a lot of tools/products that would allow you to basically have an environment where you could apply the patches to the system, and should they cause problems, roll back to the pre patch time with little effort.  Other than some set up like that, you would be forced to have a Production system and a test system where you could apply the patches to the test system prior to doing them on the prod system.  That is really the best and only way to truly test out patches and updates to see how they affect your environment.  No two systems are the same.

Assisted Solution

OriNetworks earned 100 total points
ID: 24811061
I agree with both suggestions but if budget allows, it would be great to get some physical machines for this testing lab that are the same model as what you have. I suggest this because some updates that are pushed out may have an effect on hardware specific drivers. For example, one time I saw a server with network cards teamed together. After a Windows update, the network connection 'broke'. There was also a time where an update caused the network connection to simply drop until the server was restarted.

Of course this option isn't always possible since it is an expensive investment. It sounds like the biggest thing you might want to test for is application compatibility. As another example, an organization I worked for had custom web applications that looked for the user's log on name. After Windows updates, none of the workstations could log onto the web application because it couldn't read the username anymore. Of course this was later repaired by Microsoft but caused a good few hours of downtime before a workaround could be created.

Using WSUS is a good way to track specific updates and push them out as they are approved. For testing, I would suggest making a check list of all functions and internal applications that should be tested after an update. You can also sign up for advanced notification of new updates.

You may also consider pushing updates in waves. So instead of all clients or servers updating at the same time, you can push updates to certain clients Wednesday, some other clients Thursday, etc. This might help avoid everyone being affected by unforeseen errors at once and let you stop the update from being pushed out before the scope grows and everyone else has a problem.
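
The post-update checklist suggested above, combined with the event-log review from the accepted solution, could be scripted along these lines. This is an added PowerShell example, not part of the original thread; the service names, application URL and ping target are placeholder assumptions to replace with the items on your own checklist.

```powershell
# Post-update smoke test for a lab or first-wave machine (added example).
# Values marked PLACEHOLDER are constructed; substitute your own checklist.
param(
    [string[]]$RequiredServices = @('W3SVC', 'MSSQLSERVER'),        # PLACEHOLDER service names
    [string]  $AppUrl           = 'http://intranet.example/health', # PLACEHOLDER internal app URL
    [string]  $PingTarget       = '192.0.2.1'                       # PLACEHOLDER gateway address
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result($Check, $Passed, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Passed = [bool]$Passed; Detail = $Detail })
}

# 1. Identify the most recently installed updates (the ones under test).
$hotfixes = @(Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn)
if ($hotfixes.Count -eq 0) { throw 'No hotfix with an install date found.' }
$since  = $hotfixes[-1].InstalledOn   # date only, so the whole install day is covered
$latest = $hotfixes | Where-Object { $_.InstalledOn -eq $since } |
          Select-Object -ExpandProperty HotFixID
Add-Result 'Updates under test' $true ($latest -join ', ')

# 2. Critical (1) and Error (2) events logged since the install, grouped by source.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System', 'Application'; Level = 1, 2; StartTime = $since
} -ErrorAction SilentlyContinue)
$top = $events | Group-Object ProviderName | Sort-Object Count -Descending |
       Select-Object -First 5 | ForEach-Object { "$($_.Name) x$($_.Count)" }
Add-Result 'Event log errors since install' ($events.Count -eq 0) ($top -join '; ')

# 3. Checklist: required services are running.
foreach ($name in $RequiredServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'not found' }
    Add-Result "Service $name" ($svc -and $svc.Status -eq 'Running') $state
}

# 4. Network still up after update and reboot (driver/teaming regressions show here).
Add-Result "Ping $PingTarget" (Test-Connection -ComputerName $PingTarget -Count 2 -Quiet) ''

# 5. Internal web application still answers when using the logged-on user's credentials.
try {
    $resp = Invoke-WebRequest -Uri $AppUrl -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
    Add-Result "App $AppUrl" ($resp.StatusCode -eq 200) "HTTP $($resp.StatusCode)"
} catch {
    Add-Result "App $AppUrl" $false $_.Exception.Message
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }   # non-zero exit: hold the next wave
```

Running the same script before patching gives a baseline, so event-log errors that predate the update are not blamed on it.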

Author Comment

ID: 24812722
The problem that we run into is that it is impossible to have replica virtual or physical environments of all the client networks.  With the client in question an explanation is required for the installation of every update along with the assurance that nothing will break upon completion.  Even with a lab environment which is similar to the client's the chance still is there that one of the updates will not play nice once it's installed even if there were no ill effects in the lab.

Thank you very much for your responses.  I guess it is safe to say that when it comes to Microsoft Updates there is only so far you can go with testing and researching prior to installing before you are left to crossing your fingers during installation.  

All three posts are acceptable solutions. Thank you!

Assisted Solution

ou_dober earned 300 total points
ID: 24813971

One last thing to consider is that you can do trend set patch management for another non-critical client  that is similar to your critical client if that is possible.  Put the standard client safely near bleeding edge on patches and trend/document changes and challenges as needed.  This is basically making one of your clients into a patch lab of course with their blessing first.

By doing this, you prove that the patches are working appropriately in a production environment similar to your critical client.  You can also scale back the deployment time of the patches for the critical client from the standard client mentioned above to establish a greater stability time to show stronger success of the patches being deployed.

Clients have a tendency to swing very heavy on the pendulum of patching.  Either I want it all now or you better make sure I need it and it will work perfect before you put them on our systems.  Aside from this, I would still recommend creating a mini lab environment (virtual or physical) to at least perform alpha testing on machines before pushing out to any of your clients.  There are many cost benefits that can be incurred from this but that is another thread.


PS ~ Please don't forget to divide and post points for our answers.

Author Comment

ID: 24814906

Thank you for your response.  I have been relying on clients who do not operate 24hrs and have the flexibility to have their servers rebooted and down for extended periods of time after hours if necessary.  I wish it didn't have to be a game of Russian Roulette when it comes to loading patches, especially those deemed critical.  Thank you to everyone once again for your suggestions!
