Solved

Managing unpatched virtual machines

Posted on 2016-11-25
5
100 Views
Last Modified: 2017-01-17
Usually I would look for change management , either manual or automatic patching

I have a customer who has pretty much performed no patching for 2 and a half years. For pretty much of all of their 100 virtual servers

Allied to this VMware tools , hardware versions aren't in line

Usually in my own experience, I would create test environment and apply patches there , a month behind MS Security Bulletin.

Now we're upgrading tools, hardware version currently 8, and the patches next week

Is there a best way to upgrade patches since June 2014?

I have flagged all this at the very start , that its not best practice etc to give them the outline, but I don't want to throw on a load of updates manually either (they have no WSUS, Shavlik ,or SCCM) etc

Any best way to do this? (its very frustrating as they lost 2 servers already that weren't patched, they just dont get it)
0
Comment
Question by:Indie101
  • 3
  • 2
5 Comments
 
LVL 119

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 500 total points
ID: 41901457
I would recommend, you look at a Patch Management solution, and we use and recommend Shavlik, which if you wish you can integrate with WSUS, but not necessary, scan the VMs, (make sure you have valid backups), and deploy patches.

and then create a deployment plan, of which servers you will rollout to, and scheduled out out of production hours to complete the patching, not patched since 2014, is going to be a lot of patches, e.g. circa 154.

So it's going to take some time, to apply them, but Shavlik will be your quickest solution, OR.... have you considered you could consolidate servers and replace them.
0
 

Author Comment

by:Indie101
ID: 41901471
Thanks Andrew. I had asked you about best ways to patch VMs previously. I suggested Shavlik to them but they weren't interested. (I'm a contractor here 5.1 and 5.5 VCP- 3-4 years in VMware Support) They have a big environment but no ones being keeping an eye on it for some time

This time around I have to go with manual unfortunately, its a bit of a joke but thats the customer, they've been briefed etc on difficulties of this

With a manual download of updates since June 2014, any best plan? Its a file server so no dependent software involved, Windows 2008 R2 64 Bit

I haven't had to plan like this since I did desktop ago 7 years ago. I have explained its not VMware and that VMware will not support it etc but thats all I can do
0
 

Author Comment

by:Indie101
ID: 41901482
No consolidation either, i had looked into that in my first week

Thanks I have a plan in mind just wanted to check this here

Go through security bulletins, highlight and download updates (no office\windows 10 etc) and take it from there, I have one or two test vms, but not a complete standalone vCenter with test vms etc so this is going to take time

Using this

https://technet.microsoft.com/en-us/security/hh778967.aspx
0
 
LVL 119
ID: 41901492
If they don't want to purchase software you are in luck as a Contractor, because they will just have to pay you more to do it.

To be honest with you rather than visiting every server, and downloading the same patches, I would recommend you stand up a WSUS server, install Windows 2012 R2, patch it, install WSUS, sync it with Microsoft, so you have ALL the patches required locally, this will speed up deployment.

and then create a new OU in Active Directory, Create a Group Policy, and move Servers into this Managed Folder.

and then on WSUS Approve Patches.

All this is going to add to the Project and keep you in beers!
1
 

Author Closing Comment

by:Indie101
ID: 41901495
Thanks Andrew, just wanted to confirm what was there. Shavlik or some other tool would be great here
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Clone VM with existing snapshot via Putty 2 53
PowerCLi Script Email and Object Count Issues 13 47
Display on external monitor 8 28
Workspace One/ VDIM/ Airwatch 6 22
In this article, I will show you HOW TO: Create your first Windows Virtual Machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, the Windows OS we will install is Windows Server 2016.
A clone is a duplicate copy. Sheep have been cloned and maybe someday even people will be cloned, but disk cloning (performed by the hard drive cloning software) is a vital tool used to manage and protect data. Let’s look at what hard drive cloning …
Teach the user how to rename, unmount, delete and upgrade VMFS datastores. Open vSphere Web Client: Rename VMFS and NFS datastores: Upgrade VMFS-3 volume to VMFS-5: Unmount VMFS datastore: Delete a VMFS datastore:
This Micro Tutorial walks you through using a remote console to access a server and install ESXi 5.1. This example is showing remote access and installation using a Dell server. The hypervisor is the very first component of your virtual infrastructu…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question