Jon Blackwell asked:
How does your company handle updates?

My company is using group policy for workstations to check for Microsoft updates on a daily basis. If there are updates, they are downloaded and wait until 5:00 pm Thursdays to apply. This works for the most part, but some users may have already put their machine to sleep by that time, and we aren't forcing reboots. We have enough users that occasionally our help desk has to get involved for manual corrections if the number of machines pending updates climbs too high, which wastes resources. We also use LogMeIn Central for monitoring and deployments.

I am looking for some best practices here. Is anyone forcing reboots after updates? Did you tell users to reboot their machines weekly and put the task in their hands? Or, distribute a company-wide security policy that if a machine receives an update, rebooting is going to happen automatically whether the users like it or not?  I could probably ask 50 more questions about this...
arnold

Do you use WSUS, or can updates be retrieved from local systems?


Do users get notified of updates, reboots?
Don't you have Wake On LAN enabled for your systems?  Do a WoL on your systems at 5:30 pm.  Then let it update.

Also, with so many machines, it would make more sense to use WSUS.  That's a major waste of bandwidth to have so many separate downloads.
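The wake-up step suggested above, as an added example that is not code from the thread: a PowerShell script that builds Wake-on-LAN magic packets and broadcasts them to a list of workstations, meant to run from a scheduled task shortly before the update window. The computer names and MAC addresses are constructed placeholders, and the broadcast address assumes the sender sits on the same subnet as the targets.

```powershell
# Added example (not from the thread): send a Wake-on-LAN magic packet to a list
# of workstations so they are awake before the scheduled update window.
# Names and MAC addresses below are constructed placeholders; replace them with
# values from your inventory.
$Workstations = @(
    @{ Name = 'WS-001'; Mac = '00-11-22-33-44-55' }   # constructed sample
    @{ Name = 'WS-002'; Mac = '00-11-22-33-44-66' }   # constructed sample
)

function New-MagicPacket {
    param([Parameter(Mandatory)][string]$MacAddress)
    # A magic packet is 6 bytes of 0xFF followed by the target MAC repeated 16 times.
    $macBytes = ($MacAddress -split '[:-]') | ForEach-Object { [Convert]::ToByte($_, 16) }
    if ($macBytes.Count -ne 6) { throw "Invalid MAC address: $MacAddress" }
    [byte[]]$packet = (,[byte]0xFF * 6) + ($macBytes * 16)
    return $packet
}

function Send-WakeOnLan {
    param(
        [Parameter(Mandatory)][string]$MacAddress,
        # Assumption: same subnet as the targets. Across subnets use the
        # directed broadcast address of the target network instead.
        [string]$Broadcast = '255.255.255.255',
        [int]$Port = 9
    )
    $packet = New-MagicPacket -MacAddress $MacAddress
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.EnableBroadcast = $true
        $udp.Connect($Broadcast, $Port)
        [void]$udp.Send($packet, $packet.Length)
    } finally {
        $udp.Close()
    }
}

foreach ($ws in $Workstations) {
    Send-WakeOnLan -MacAddress $ws.Mac
    Write-Host "Sent magic packet to $($ws.Name) ($($ws.Mac))"
}
```

Register the script as a scheduled task on a machine that is always on (a server or a management host on the workstation VLAN) for 5:30 pm, and make sure WoL is enabled in the NICs' firmware and driver settings, otherwise the packets are ignored.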
This dilemma is well-known and everyone handles it differently. If security is seen as critical, you will need to enforce timely updating. Enforcing update installations means enforcing reboots - enforcing reboots means being intrusive... no way around it.

So if security is so important, teach your users to use "update and shutdown" at the end of the day - it will be offered when installations have been downloaded and have already installed on your schedule, but just the restart is missing. That means: users will not have to attend the machine until it finally shuts down, but they just click "update and shutdown" and go home.

Tell them that if they don't do that, installations will be done automatically with reboots enforced (via WSUS deadline settings) at a time that might not be convenient for them. In other words, it's their own choice to make this process the least intrusive, that's all you can do.
Jon Blackwell (asker)
arnold,
Thanks for your reply. Yes, we are using WSUS. Users get the standard Windows notification of pending updates, but I am finding those are typically ignored. Our users do annual security awareness training that specifically mentions users should not ignore update notifications and they should reboot when requested, but that doesn't seem to be working out too well.
serialband,
Thanks for your reply. No, we don't have WoL enabled on all of our machines. It's always been viewed as too intrusive by some of the higher-ups in my organization.
Check the GPO setting for the newer systems that deals with not putting the system to sleep if updates are pending, to allow the update to apply.
Hello There
The way we do it.

If there is a super important security update, you can use a deadline on WSUS. Then you send an informative email that they should reboot or the computers will auto reboot at a specific time. Users usually listen to it. :-)

In other cases, we let users update computers as they wish and they usually update/reboot in 3 days. So it's just fine for less important and functional updates.

However, you always get users that never update and reboot. This is the hard part.
In this case, we monitor all computers for when they last rebooted. If there is somebody not updating/rebooting for more than X days, we use Kaspersky Management to send him a message to reboot due to a security update; otherwise, the computer will auto reboot in 30 minutes. Users can postpone it or reboot (all within the window). It's also possible to set up in Kaspersky (and we use it :-) ) that the pop-up window shows up every 2 minutes. The user is trapped and has no choice now. :-)
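The "monitor when they last rebooted" step above, as an added example rather than code from the thread: a PowerShell report that queries each workstation's last boot time over CIM, checks whether Windows is already waiting for a restart, and lists the machines that are both past the threshold and pending a reboot. The computer names are constructed placeholders (in practice they would come from Active Directory or an inventory), and the 14-day threshold stands in for the "X days" policy.

```powershell
# Added example (not from the thread): report workstations whose last reboot is
# older than a threshold and whether Windows is already waiting for a restart.
# Computer names are constructed placeholders; in practice pull them from AD
# (for example Get-ADComputer) or your inventory tool.
$Computers = @('WS-001', 'WS-002', 'WS-003')   # constructed sample
$MaxDaysUp = 14                                 # assumption: your "X days" policy

function Get-RebootStatus {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$MaxDays = 14
    )
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        $uptimeDays = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
        # Windows Update and Component Based Servicing create these keys when a
        # restart is still outstanding.
        $pending = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
            (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
        }
        [pscustomobject]@{
            Computer      = $ComputerName
            LastBoot      = $os.LastBootUpTime
            UptimeDays    = $uptimeDays
            RebootPending = [bool]$pending
            OverThreshold = ($uptimeDays -gt $MaxDays)
            Error         = $null
        }
    } catch {
        # Unreachable machines (asleep, off-site, firewalled) are reported,
        # not silently skipped, so the list stays honest.
        [pscustomobject]@{
            Computer      = $ComputerName
            LastBoot      = $null
            UptimeDays    = $null
            RebootPending = $null
            OverThreshold = $null
            Error         = $_.Exception.Message
        }
    }
}

$report = foreach ($c in $Computers) { Get-RebootStatus -ComputerName $c -MaxDays $MaxDaysUp }
$report | Format-Table -AutoSize

# Machines to chase: past the threshold and still waiting for a restart.
$report | Where-Object { $_.RebootPending -and $_.OverThreshold } |
    Export-Csv -Path '.\reboot-followup.csv' -NoTypeInformation
```

The CSV is the hand-off to whatever notification mechanism you use (the post uses Kaspersky Management; the help desk or an e-mail merge work too). The remote calls need WinRM enabled on the workstations and an account with local administrator rights there.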
The systems are owned by the company.  WoL is less intrusive than other methods.  When the user goes home and their desktop isn't turned on, then you turn it on and let it patch and reboot.  That's much less intrusive than rebooting their systems while they're working on them.


Also, not sure how WoL is intrusive when the system is shut off and the user is home.
WoL is of course nice for this purpose.

If you use hard drive encryption with preboot authentication and don't happen to have the luxury of systems like BitLocker paired with network unlock, you won't be able to use it, though.
We have been testing with the WSUS deadline settings, but have gotten some mixed results. We noticed that only 1 update was installed when the laptop should have installed 6. Are we missing a setting to install all updates?
The updates have to be approved for the specific WSUS group.
Hm, I worked with deadlines only for testing.
But please verify what happens in detail.

It should work like this: if the update is approved for some machine, the update service on that machine will detect it and see the time is already past the deadline, so it will install the update(s) immediately and restart immediately.
Some updates (rare) require several restarts for all to be installed.
Hello There and McKnife,
Thanks for the replies.

All the updates were approved for the WSUS test group. However, only one update was set to have a deadline. The thinking was that all the updates would have installed because a reboot occurred.

If there wasn't a deadline set, and the computer grabbed 6 updates from WSUS at 3 PM, and then the user decided to reboot the computer manually at 5 PM, all of the updates would be installed?  Can setting a deadline for one update change that?

Could it be because the computer had, for example, five 1903 updates and the one 1909 update? The deadline was set only for a 1903 update. Did the 1903 updates even need to be installed?
Since you approve updates with the deadline in WSUS, they are immediately offered to be downloaded and installed on the workstation. But there is no more action taken.
There are two possible scenarios:
1. The user goes to Settings -> Updates and clicks on the Download button. After that, all approved updates start downloading and installing. Then the user is offered to reboot the machine.
2. The user doesn't take any action. Then updates are waiting. After you hit the deadline, updates start downloading and installing. Then the computer reboots.

Basically, this is how it works; however, there are so many things in play that can affect the behavior of updates. For example, the 22-hour update interval, pending updates, etc. There are many possible scenarios.

I usually set the deadline to the past = updates are downloaded and installed immediately.

I recommend you to read this article about deadlines.
https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127631
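Setting a deadline in the past, as the post above describes, as an added PowerShell example that is not code from the thread: it uses the WSUS administration API on the WSUS server itself to approve every not-yet-approved update in the "Security Updates" classification for one target group with a deadline one hour in the past, so clients install and restart on their next detection cycle rather than waiting for the scheduled day. The target group name is a placeholder, and the script assumes the UpdateServices module that ships with the WSUS role.

```powershell
# Added example (not from the thread): approve pending security updates for one
# WSUS target group with a deadline in the past. Run on the WSUS server.
# Assumes the UpdateServices module; the group name is a placeholder.
Import-Module UpdateServices

$TargetGroupName = 'Pilot Workstations'   # assumption: your test group
$wsus  = Get-WsusServer                    # connects to the local WSUS server
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroupName }
if (-not $group) { throw "Target group '$TargetGroupName' not found" }

# A deadline already in the past means "install as soon as the client sees it".
$deadline = (Get-Date).AddHours(-1)

# Only look at updates nobody has approved yet, and skip declined ones.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$candidates = $wsus.GetUpdates($scope) | Where-Object {
    $_.UpdateClassificationTitle -eq 'Security Updates' -and -not $_.IsDeclined
}

foreach ($u in $candidates) {
    # Updates with a licence agreement cannot be approved until it is accepted.
    if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
    $approval = $u.Approve(
        [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install,
        $group,
        $deadline)
    Write-Host ("Approved '{0}' for {1}, deadline {2}" -f $u.Title, $group.Name, $approval.Deadline)
}
```

The deadline is per approval, which is why a deadline on a single update does not pull the others forward: anything approved without a deadline stays on the client's normal schedule. Clients still only notice the change at their next detection, so expect up to the detection interval before the install and restart happen.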
@McKnife
So if security is so important, teach your users to use "update and shutdown" at the end of the day - it will be offered when installations have been downloaded and have already installed on your schedule, but just the restart is missing. That means: users will not have to attend the machine until it finally shuts down, but they just click "update and shutdown" and go home.

This is still very hard for my users to assimilate, and there is no way around it :/. Now they complain that when they arrive the next morning they cannot start to work because Windows is APPLYING UPDATES and FINISHING SETUP; on occasions this has lasted for hours only to get to a window saying REVERTING CHANGES and starting all over again. Sometimes I hate Windows so much lol
When a computer is turned off, an update that was applied during the day has to finalize.
Windows 10 version-to-version updates are 5 GB and do take time.

If you control when updates are deployed and approve update installs via WSUS, you should let people know that they should leave the systems on but log out to allow the update to be installed and the system rebooted to apply the updates.  This way, when you approve the version 1903 to 1909 upgrade, the process will complete overnight.
The long duration is also likely because the system uses spindles (HDDs) versus SSDs, which are faster....

The issue occurs likely once every six months so .......
"APPLYING UPDATES and FINISHING SETUP, on occations this has lasted for hours to only get to a windows saying REVERTING CHANGES" - this is never happening here. You can have it if a feature update is "going bananas", but not with normal updates - these never take long to roll back if they fail. So don't distribute feature updates via wsus, use different methods (a script) at times where machines are not needed by the users.
@McKnife
Windows updates (upgrades) that change version, say from Windows 1709 Build xxxx
to version 18xx build xxx, come as feature upgrades in WSUS categories. The problem is no matter how we upgrade, some PCs just refuse to upgrade and we have had to in some cases do a full install of those upgrades, or it will never stop the loop (CDs, USB, direct Windows Update), so that was the reason we stopped applying feature updates automatically, unless PCs (models) are in a group that has never presented such problems.

Do you have any script for that purpose that you could share to my inbox?
This might be better as a new topic, but just wondering from this group if anyone uses a utility like KACE from Quest for their updates and patch management. I have demoed a few products and KACE seems to be the most powerful so far. The issue with KACE is the cost - they are pretty proud of it. Anyone out there know of a product that is nearly as good as KACE, but not as spendy?
Was one of the products you tested Opsware?
ASKER CERTIFIED SOLUTION
McKnife