1

Hi all,

I run WSUS in my environment, which has about 50ish servers.

I’ve come to the realization that the way that I do updates is very time consuming and I’d like to figure out how to get through the process while still being safe. I came to the realization of how time consuming it was by thinking that it would be impossible for someone who had hundrends of servers to do what I do each month. I really would love to find a way to save some time on this. Let me generally outline my process for you all to laugh at and give me suggestions.

  1. Two main groups in WSUS for servers, one of which is a test group.
  2. Two GPO’s for servers, one which only downloads upgrades when they are approved, another which downloads and installs, reboots, the whole bit.
  3. Typically a couple of weeks after updates are released, I go in, release the updates to my test group, and then manually run those reboot.
  4. After I am confident there’s no issues, I move on to my main group. In the main group, most of the systems are under the GPO that downloads and installs. A few of them I end up doing manually as well.
  5. The end

I realize that any manual installation of updates kills my time, but my main concern is to ensure that everything comes back up okay and isn’t broken. With that being said, I’ve never had any real issues before with updates and I’m not really sure what I’d be looking for anyway, mainly just being cautious. Suggestions on how to speed this up but still be safe would be appreciated.

2 Spice ups
2

Have some monitoring in place. Basic things like ping, check for free disk space, maybe if specific services are running if you have some services that don’t always start.

Even better to have a product that can start services that aren’t running.

Then you can approve updates for different groups of servers in WSUS, and let them apply automatically. Servers can be set to apply daily or specific day of the week. That’s how it used to work. Windows 2019, 2022, and maybe 2016 changed the settings. At any rate, manage through group policy.

I have a larger environment with hundreds of servers. When I was using WSUS, patches were auto approved. I have low criticality VMs that can apply patches daily.

Normal machines would apply on Saturday or Sundays. I make sure that DCs have different schedules so they don’t all reboot at once.

There are some machines that require manual intervention to bring up and down due to how they interact with my 24 x 7 infrastructure. I hate dealing with them.

3

I’m kind of ashamed to realize I never got back to this, Kevin.

You did give some helpful advice. I’m still dealing with this, just haven’t found a good way (or time) to deal with it yet. I agree with you 100%, the issue is really keeping tabs on stuff, so that when they get updated, I get alerted if they don’t come back up, so I suppose that’s a whole other product I’d need to identify. Obviously we are a pretty small shop, so any suggestions from whoever on something simple to do this is appreciated. We have previously run a few different monitoring tools that are free. Most recently, we’ve delved just slightly into LibreNMS, but moreso for network equipment, plus from what I’ve read, it sounds like it’s not great for monitoring Windows services.

1 Spice up