Topic 'Re: Patching Servers using WSUS' in forum 'No, I Will Not Fix Your #@$!! Computer' - dslreports.com

Re: Patching Servers using WSUS

Wed, 17 Oct 2012 16:55:45 EDT

exocet_cm posted : We use WSUS to patch our clients and set a few categories to auto install. We also use WSUS to patch our servers but none of the updates are auto approved for install on servers. They'll download but one of the admins has to go test the updates before we apply to the server group.
--
"I have measured out my life with coffee spoons..." - T.S Eliot
"I have often regretted my speech, never my silence." - Publilius Syrus
Ma blog: »www.johndball.com

Re: Patching Servers using WSUS

Tue, 16 Oct 2012 17:03:01 EDT
DarkLogix posted : Yep just that easy.

though I'd look into fixing the failure of the SP to apply.

then where I'm at there's a server that must never get a DST update, or it'll cause much pain.

It uses an app that talks to SQL but something about the auth is not programmed right and the software maker's fix is remove the DST patch.

so if a DST patch hits that server then that app stops being able to connect to SQL.

Re: Patching Servers using WSUS

Tue, 16 Oct 2012 00:20:50 EDT
AsherN posted : Put that workstation in it's own group. Don't approve that patch for that workstation.

Re: Patching Servers using WSUS

Mon, 15 Oct 2012 23:08:38 EDT
drew posted : If you have any antiquated software that depends on IIS .NET app pools, I highly, highly, highly recommend to NOT push patches to them using WSUS.

We are required, pretty much under penalty of getting pounded by admirals to patch within a week of the IAVA coming out.

.NET security updates pretty much crap out our IIS boxes every single month. The admins manually approve those during the day and are ready to restart all IIS services as soon as humanly possible.

And another note... I'm not a WSUS expert but I was told that it is extremely difficult to prevent a single patch from going to a single workstation. One of our SQL 2005 boxes refuses to install SP4. So our measly 16GB C: partition fills up with ~700MB of patches that won't install.
--
flickr | 'Cause I've been waiting, all my life just waiting
For you to shine, shine your light on me

Re: Patching Servers using WSUS

Wed, 10 Oct 2012 11:30:56 EDT
DarkLogix posted : But it is malicious its even trying to tell you.

Re: Patching Servers using WSUS

Tue, 09 Oct 2012 17:41:15 EDT
OmenQ posted : What he said.

Nothing gets installed until I've checked over the list. I have different categories of servers in different groups in the WSUS console so I can control what gets installed where.
Only once have I had an issue with an auto-installed Anti-virus definition. Easy enough to fix, unapprove the bad definition file, wait for MS to publish the fixed definitions, then resume approvals. The resulting issue didn't affect production, just gave some false positives. (Forefront Client Security detected itself as malicious... That was amusing.)
--
Cogito Ergo Nom

Re: Patching Servers using WSUS

Tue, 09 Oct 2012 16:59:29 EDT
DarkLogix posted : With WSUS you don't have to set to auto.

The 1st perk of WSUS is not downloading everything from MS everytime (wan bandwidth savings)

The auto apply part is done via GP, so just set them to download but not install.

then when you want to apply updates you can still review them as you currently do.

Also a nice advantage is updates you find you need you can set to approve (even if its an optional update) then future servers can get the update without having to hunt for it.

Re: Patching Servers using WSUS

Tue, 09 Oct 2012 16:10:49 EDT
workablob posted : I am the WSUS admin where I work. Well that's one hat out of 20 or so including McAfee ePO admin.

I have a set of test servers and I allow patches to download and notify for install.

I then manually apply them and reboot as needed.

That's one test I do.

I am also the Citrix admin so I take one server from each app pool and apply the patches well in advance of the next scheduled patch weekend.

If there are issues I disable logins on those servers and remediate.

If there are no issues I put a patch freeze in place a few weeks prior to patch weekend.

IE no patch approvals after freeze.

When patch weekend comes I makes sure any problem patches have been declined then allow patches to download and notify for install.

Setting a deadline on servers or setting the GPO for download and automatically install is very risky to say the least.

Dave
--
I may have been born yesterday. But it wasn't at night.

Re: Patching Servers using WSUS

Sat, 06 Oct 2012 00:39:13 EDT
AsherN posted : I use WSUS for my 100 servers.

Approve all updates the Monday before Patch Tuesday.
WSUS is set to download and notify.
I have a 10 hour maintenance window starting at 2000 on the third Wednesday of the month. So the updates are between 1 and 5 weeks old by the time I apply them.

Re: Patching Servers using WSUS

Thu, 04 Oct 2012 21:33:45 EDT
Nightfall posted :
said by OmenQ:
I still do manual approval on everything except anti-virus definitions. So if I set a deadline, it's generally for a Sunday morning when I know I'll be available to clean up any issues that arise while no one's using the systems.
I have one or two servers that occasionally won't come back up properly (Application service hangs) but that's why I schedule them for Sunday morning. There was an issue for a while with Exchange 2010 SP2 services not auto-starting, but eventually a patch fixed that.
Having the building closed on Sundays sure is nice.

This is what our network admin wants to do. We are closed on the weekends, and if he is able to make this work, then all power to him. I will support him in his endeavor. He is going to be testing this next week when patch tuesday hits.
--
My domain - Nightfall.net

Re: Patching Servers using WSUS

Thu, 04 Oct 2012 19:28:57 EDT
OmenQ posted : I still do manual approval on everything except anti-virus definitions. So if I set a deadline, it's generally for a Sunday morning when I know I'll be available to clean up any issues that arise while no one's using the systems.
I have one or two servers that occasionally won't come back up properly (Application service hangs) but that's why I schedule them for Sunday morning. There was an issue for a while with Exchange 2010 SP2 services not auto-starting, but eventually a patch fixed that.
Having the building closed on Sundays sure is nice.
--
Cogito Ergo Nom

Re: Patching Servers using WSUS

Thu, 04 Oct 2012 13:47:55 EDT
netboy34 posted : we use it for our 50k workstations, wait a week after patch tuesday to approve the ones we want.

as for servers, we have 4 groups:

Manual DMZ (not in domain and not in WSUS)
Manual Production (SQL servers mostly)
Manual Approved but WSUS installed (Some Critical Servers, non-critical production servers)
Manual Approved, but critical auto approved (web servers, file/print servers and non critical servers)

Re: Patching Servers using WSUS

Thu, 04 Oct 2012 13:45:21 EDT
Nightfall posted : I think I am going to give the Network Admin the blessing to try it. My expectation is that he stay on top of the patching. That really is the best option right now. He will be ready at 2-3am when the servers are patching, and if he isn't I will push to make it manual again.
--
My domain - Nightfall.net

Re: Patching Servers using WSUS

Thu, 04 Oct 2012 13:33:41 EDT
boognish posted : I use WSUS to patch workstations. I still manually do servers because I want to know what is going on and if something goes wrong I am right there on top of it. Most of our servers are linux/unix though. We have about 15 windows servers so it isn't that big of a deal.
--
don't get 2 close 2 my fantasy

Re: Patching Servers using WSUS

Thu, 04 Oct 2012 12:07:13 EDT
Insder posted :
said by Nightfall:
said by OmenQ:
I use WSUS on all my servers (~50, all VM guests) with no issues.
I manually apply updates to the physical hosts still.
I have everything from Server 2008R2 down to Server 2000.

Have you had any issues with these updates killing servers or services? I know it depends on the software in your organization. Still, that would be my biggest fear, but I haven't had an issue with patching on servers since the Windows 2000 days.

Once a year (literally), I get an alert on my phone that the SQL Server is down, and I have to go in and manually restart the service due to an update. Most SQL updates will wait for a reboot to finish installing, but some of them will install right at that second, and sometimes the SQL Server process won't start back up. Hasn't been an issue since I catch it at 6/7AM and none of our users are in until 8AM.

Used to have constant issues with patching Exchange 2003 and I went to manual patching, but after we upgraded to Exchange 2010, I allowed it to start auto-patching and I haven't had any issues yet. I have all updates for any server install at 3AM, so that there is enough time for the backups to run and if the SQL/Exchange Services don't come up, I can get them back up in the early AM.

I still keep a close eye on every Patch Tuesday and read for any patches that apply to SQL/Exchange, though.
--
The one, the only, the Insder.

Re: Patching Servers using WSUS

Thu, 04 Oct 2012 08:29:40 EDT
Nightfall posted :
said by OmenQ:
I use WSUS on all my servers (~50, all VM guests) with no issues.
I manually apply updates to the physical hosts still.
I have everything from Server 2008R2 down to Server 2000.

Have you had any issues with these updates killing servers or services? I know it depends on the software in your organization. Still, that would be my biggest fear, but I haven't had an issue with patching on servers since the Windows 2000 days.
--
My domain - Nightfall.net

Re: Patching Servers using WSUS

Wed, 03 Oct 2012 17:56:11 EDT
amungus posted : I'd say let him try, but personally, I don't do it...
Just went over this with our new CIO actually. On desktop side, it's pretty much "set & forget" as far as I'm concerned. I check up on it here and there, but otherwise leave it mostly on autopilot. Have to clean it up every so often too, make sure it kills old updates that linger etc...

Losing my co-pilot (the only other network admin besides myself) today too, so I have very little time to mess with it and way too many other projects going.
Over 400 desktops here... approaching 500...

Server side, I just don't fully trust it. I prefer to do those manually still, even though it's kind of a pain (over 30 servers).

My biggest concern is the potential for updates to interrupt critical services (SQL, for example...), but that can happen with auto-install settings anyway - WSUS or not. I prefer to know exactly when I'm updating so that I know when the service(s) might get stopped. With WSUS, I suppose that if you still watched things as they updated, checked against what MS offers directly, and expected possible interruption of service(s), that's one option.

Either way, biggest question I would have is: are any servers (group policy or otherwise) set for auto install?

The patching itself is slightly better than before, but with WSUS, the more important thing is how you have the client side accept updates...

All servers here, for example, I place in an OU that gets a policy forcing the "let me choose when to download/install" option for updates. Even if I pointed them all to WSUS, and had it grab all the updates, I'd still want to install/reboot manually.

Re: Patching Servers using WSUS

Wed, 03 Oct 2012 17:39:49 EDT
OmenQ posted : I use WSUS on all my servers (~50, all VM guests) with no issues.
I manually apply updates to the physical hosts still.
I have everything from Server 2008R2 down to Server 2000.
--
Cogito Ergo Nom

Patching Servers using WSUS

Wed, 03 Oct 2012 16:51:13 EDT
Nightfall posted : I consider myself to be an old school admin. Now that I have stepped up to a director position, I still enjoy working with the admins on various projects. My network admin came to see me today looking for permission to use WSUS to update our servers.

He already uses WSUS to update our entire client fleet of over 200 workstations. He patches in a test environment first, and then deploys to the rest of the fleet. On the server side, he has a test server with a SQL server on it. What he would like to do is to apply patches to this server in the test environment, and if things pass, then apply to the server fleet of over 20 servers.

Being old school, I am against this to a certain extent. Maybe the patching has gotten better in the last few years. What is your take on this? Do you use any automatic patching for Windows servers? Have you used WSUS before on servers? Any input would be appreciated.
--
My domain - Nightfall.net