4

I have heard of WSUS, but is that the best solution? I have techs interrupting our clients to do Windows Updates during business hours. I need a solution that will reduce customer interruptions and is reliable.

Any products that do more than just Windows Updates?

Lucille

7 Answers

6

The Windows Update client can be configured to perform installations at odd hours. Combined with a solution to do Wake-on-LAN you can get update deployment to occur outside of normal hours fairly easily. (We use some scripts to do this, but there are probably off-the-shelf solutions, too.)

WSUS has been exceedingly reliable for me. I'm particularly fond of the reporting functionality in locating computers that are not receiving updates properly.

The Windows Update client is easily manageable with group policy, so that makes us very happy, too.

There are third-party and Microsoft products (SCCM comes to mind) that do more than just operating system patch management. I don't have any experience to relate about these. These products look to be priced out of the ballpark for the size of Customers I'm working with. (We've usually handled patching applications via startup scripts or re-deployment of patched software assignments thru GPOs...)

Evan Anderson
  • +1 for WSUS. It has been reliable for me and allowed me to see what machines were not getting updates, so I could figure out why. – steve.lippert Jun 09 '09 at 14:45
  • If your organization is larger, SCCM is excellent and works in conjunction with WSUS, as well as integrating nicely with the other Service Center suite products. – Jim March Jun 09 '09 at 14:47
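
Several answers on this page rely on Group Policy to make the Windows Update client install on a schedule instead of interrupting users. The following is an added example, not code from any of the posters: a PowerShell audit of the registry values those policy settings write on a client. The 08:00-18:00 business-hours window and the function name `Get-WUPolicyAudit` are assumptions for illustration.

```powershell
# Added example: audit the Windows Update policy values written by Group Policy.
# The business-hours window (08:00-18:00) is an assumption; adjust it for your site.
function Get-WUPolicyAudit {
    param(
        [int]$BusinessStart = 8,   # first hour counted as business time
        [int]$BusinessEnd   = 18   # first hour after business time
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $au) {
        $findings += 'No Automatic Updates policy is applied; the client uses local settings.'
    } else {
        if ($au.NoAutoUpdate -eq 1) {
            $findings += 'Automatic Updates is disabled by policy.'
        }
        if ($au.UseWUServer -ne 1 -or -not $wu.WUServer) {
            $findings += 'Client is not pointed at a WSUS server.'
        }
        if ($au.AUOptions -ne 4) {
            # 2 = notify, 3 = download and notify, 4 = download and schedule install
            $findings += "AUOptions=$($au.AUOptions): installs are not scheduled, so users get prompted."
        } elseif ($null -eq $au.ScheduledInstallTime) {
            $findings += 'Scheduled install is enabled but no install hour is set.'
        } elseif ($au.ScheduledInstallTime -ge $BusinessStart -and
                  $au.ScheduledInstallTime -lt $BusinessEnd) {
            $findings += "Install hour $($au.ScheduledInstallTime):00 falls inside business hours."
        }
        if ($au.NoAutoRebootWithLoggedOnUsers -ne 1) {
            $findings += 'Scheduled installs may restart the machine while a user is logged on.'
        }
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        WsusServer   = $wu.WUServer
        AUOptions    = $au.AUOptions
        InstallDay   = $au.ScheduledInstallDay    # 0 = every day, 1-7 = Sunday-Saturday
        InstallHour  = $au.ScheduledInstallTime   # 0-23, local time
        Findings     = $findings
    }
}

Get-WUPolicyAudit | Format-List
```

An empty `Findings` list means the client is pointed at WSUS, installs at a scheduled hour outside the configured window, and will not restart under a logged-on user.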
2

You can use WSUS in conjunction with group policy to set when the users will be prompted to install the updates. I'm not sure if you can specify a time or not, but it's less intrusive than having a techie physically get in the way :)

http://technet.microsoft.com/en-us/library/cc720539.aspx

user8042
1

Shavlik as mentioned by someone else. It's got some interesting features that make it stand out. Checks for actual files on the system, not just a reg value for installed updates. Takes care of precedence of updates. Scans pretty quick and you don't need to install an agent on the system.

MathewC
1

You didn't mention how many servers/clients you are talking about, but if you are wanting to control patching (just of Windows patches), then WSUS is definitely the way to go (and the price is right). You can control when the patches are loaded, approve or reject certain patches, etc. More information is available at the WSUS resource center on TechNet (http://technet.microsoft.com/en-us/wsus/default.aspx).

The next step up would be System Center Essentials, which adds server/client monitoring for up to 30 servers and 500 clients, and will allow you to distribute software (not just patches) automatically. It actually works quite well. More information here: http://www.microsoft.com/Systemcenter/essentials/en/us/default.aspx (there is also a VHD that you can download to try it out).

Sean Earp
0

There are no end out there, such as the Shavlik solution, and quite a few others that include support for more than just the MS products.

At the end of the day though, if you're interrupting people during their business day to patch, that's a behavioural problem not a technological one. Whatever product you use it should be possible to schedule patches to happen outside the core working day and if you don't fix the reasons that isn't already happening (it's quite possible with WSUS, we don't interrupt our users with patches) then you'll be spending a lot of money solving the wrong problem.

Rob Moir
0

Symantec's "Altiris" will patch as well, and is a general all-round good management/inventory/ticket tracking system.

That being said, we migrated from using Altiris to patch, to WSUS. WSUS can be configured to impact your users in the least-disturbing method using it in conjunction with GPOs.

Greg Meehan
0

Another vote for WSUS!

It takes a little bit of effort to set up and learn, but it's absolutely excellent for ensuring that all of your machines are up to date with Windows patches. You can use group policy to configure it so that it does not interrupt your users at all, or you can configure it to force important updates on all machines right away.

It doesn't help you out at all with non-MS software though, so I'm looking for something that will work well in tandem with WSUS.

Nic