Windows Servers update management

1

We have a couple of Windows 2012R2 and Windows 2016 servers hosted with Amazon. None of those servers are joined to a domain, they are all separate.

Before, we would just install Windows updates as they came out and I would manually set a reboot time through a PowerShell script.

Now we have quite a few servers and customers, so I want to figure out a better policy. Our official policy now is to do periodic maintenance every Sunday from 1am to 2am following Patch Tuesday. It's OK if ALL servers are down at the same time.

Now I read about WSUS, but it seems this is just a role a server takes on to delegate Windows Update processes to other servers, is that correct? Would it handle scheduling and rebooting for me?

Would it be easier to use the Windows Update PowerShell module and write my own PowerShell script, which gets scheduled through the Task Scheduler, which I deploy manually on all servers?

Are there other options / best practices?

Roger Far

Posted 2017-07-20T22:28:53.850

Reputation: 259

Question was closed 2017-07-28T02:33:09.650

I'm going to say this is going to be too opinionated, but for me I like to control when the servers get their patches, manually or at regular scheduled intervals as you indicate you already do, to have better change control over the server systems. I've used WSUS for hundreds of various Windows computers and made sure I had a nice spread of test group machines, and apply to the smaller test group first in case WU breaks something, so you're not fixing for hundreds. If you have hundreds of servers of various Windows OSes, then the same strategy would apply to servers with WSUS too, I suppose. – Pimp Juice IT – 2017-07-21T01:06:14.190
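The "own script plus Task Scheduler" approach the question asks about, as an added example that is not code from the question or any answer. It assumes the PSWindowsUpdate module is already installed on each server (`Install-Module PSWindowsUpdate`), and the script path, task name and log path are placeholders. A weekly task fires every Sunday at 01:00; the script itself works out whether today is the Sunday that follows Patch Tuesday (the second Tuesday of the month) and only then installs updates and reboots, which keeps the reboot inside the maintenance window the question describes.

```powershell
# Added example (not from the question or answers).
# Assumptions: PSWindowsUpdate is installed; this file is saved as $ScriptPath.
param(
    [switch]$RegisterTask   # run once as an administrator with -RegisterTask to create the schedule
)

$ScriptPath = 'C:\Scripts\Invoke-MonthlyPatch.ps1'   # hypothetical location of this script
$LogPath    = 'C:\Scripts\patch.log'                 # hypothetical log file
$TaskName   = 'MonthlyPatch'                         # hypothetical task name

function Get-PatchSunday {
    # Returns the Sunday that follows Patch Tuesday (2nd Tuesday) of the month containing $Date.
    param([datetime]$Date = (Get-Date))
    $first = [datetime]::new($Date.Year, $Date.Month, 1)
    # Days from the 1st to the first Tuesday of the month (0..6); DayOfWeek has Sunday = 0, Tuesday = 2.
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $patchTuesday = $first.AddDays($offset + 7)      # second Tuesday
    return $patchTuesday.AddDays(5).Date             # Tuesday + 5 days = the following Sunday
}

if ($RegisterTask) {
    # Weekly trigger every Sunday at 01:00, run as SYSTEM with highest privileges.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '01:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
    return
}

$stamp = Get-Date -Format s
if ((Get-Date).Date -ne (Get-PatchSunday)) {
    # The task fires every Sunday; only the one after Patch Tuesday is a maintenance Sunday.
    "$stamp not the post-Patch-Tuesday Sunday, skipping" | Add-Content $LogPath
    return
}

Import-Module PSWindowsUpdate
"$stamp starting update install" | Add-Content $LogPath
# Accept all applicable updates, install them, and reboot only if an update requires it.
Get-WindowsUpdate -AcceptAll -Install -AutoReboot 2>&1 | Out-File $LogPath -Append
```

Deploying it is two steps per server: copy the script to `$ScriptPath`, then run it once elevated with `-RegisterTask`. Because the patch-Sunday check lives in the script rather than in the trigger, a one-off maintenance run is just executing the script by hand. The log file is where you would look the following Monday to confirm each server actually installed something and rebooted.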

Answers

2

WSUS allows computers / servers to check in for Windows updates. It not only allows you to control which updates are available for installation on the systems, but it can cache them locally so a large number of systems won't download the same patch from the internet and eat up bandwidth. It works OK, but isn't a perfect solution, and it doesn't provide any method of scheduling reboots or other Windows Update behavior. This would be done with Group Policy or other means.

There are tools for managing and monitoring systems called RMM tools. They would probably be the best for doing the patch management and maintenance in a controlled fashion on your servers.

But, alternatively, you should be able to just set the scheduled reboot time on your servers for the once-a-week window you mentioned. Let them automatically install and let the server reboot during that window - that is a standard Windows Update setting.

Your other alternative is that I believe AWS has a patch management system available also. It's not free, of course, but it will help you manage the systems. Add to that redundancy and load balancing and you can ensure no downtime.

Appleoddity

Posted 2017-07-20T22:28:53.850

Reputation: 9 360
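The answer's "standard Windows Update setting" (automatic install at a scheduled day and time, with an automatic reboot) is normally pushed by Group Policy; on standalone servers with no domain it can be set through the same policy registry values. This is an added example, not the answer's own code, and it also shows the optional WSUS check-in the answer describes. The WSUS URL is a placeholder; the registry paths and value names are the standard Windows Update policy values (`AUOptions` 4 = auto download and schedule install, `ScheduledInstallDay` 1 = Sunday, `ScheduledInstallTime` in hours 0-23).

```powershell
# Added example (not from the question or answers). Run elevated on each standalone server.
# Assumption: a WSUS server, if used, is reachable at the placeholder URL passed in -WsusServer.
param(
    [int]$InstallHour = 1,          # 01:00, the start of the maintenance window
    [int]$InstallDay  = 1,          # 1 = Sunday (0 = every day, 7 = Saturday)
    [string]$WsusServer = ''        # e.g. 'http://wsus.example.internal:8530' (placeholder), empty = Microsoft Update
)

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = Join-Path $WuKey 'AU'

function Set-PatchWindowPolicy {
    param([int]$Day, [int]$Hour, [string]$Wsus)
    foreach ($k in @($WuKey, $AuKey)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Automatic Updates on, auto download + scheduled install, at the chosen day/hour.
    New-ItemProperty -Path $AuKey -Name NoAutoUpdate         -Value 0    -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $AuKey -Name AUOptions            -Value 4    -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value $Day -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value $Hour -PropertyType DWord -Force | Out-Null
    # Reboot at the scheduled time even if someone is logged on, which is what an unattended window needs.
    New-ItemProperty -Path $AuKey -Name AlwaysAutoRebootAtScheduledTime -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $AuKey -Name AlwaysAutoRebootAtScheduledTimeMinutes -Value 15 -PropertyType DWord -Force | Out-Null

    if ($Wsus) {
        # Point the Windows Update client at the WSUS server instead of Microsoft Update.
        New-ItemProperty -Path $WuKey -Name WUServer       -Value $Wsus -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $WuKey -Name WUStatusServer -Value $Wsus -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $AuKey -Name UseWUServer    -Value 1     -PropertyType DWord  -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $AuKey -Name UseWUServer -ErrorAction SilentlyContinue
    }
    Restart-Service wuauserv   # make the client re-read the policy values
}

function Get-PatchWindowPolicy {
    # Read back the effective values so the setting can be verified on every server.
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AUOptions            = $au.AUOptions
        ScheduledInstallDay  = $au.ScheduledInstallDay
        ScheduledInstallTime = $au.ScheduledInstallTime
        AutoRebootScheduled  = $au.AlwaysAutoRebootAtScheduledTime
        UseWUServer          = $au.UseWUServer
        WUServer             = (Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue).WUServer
    }
}

Set-PatchWindowPolicy -Day $InstallDay -Hour $InstallHour -Wsus $WsusServer
Get-PatchWindowPolicy
```

One caveat worth knowing before relying on this instead of a script: the built-in schedule runs every Sunday at the chosen hour, not only the Sunday after Patch Tuesday, so a server installs whatever has been downloaded since the previous Sunday. With Microsoft Update as the source that is usually nothing on the other Sundays, but with WSUS it is whatever was approved that week, which is where the approval step in WSUS becomes the change-control gate. Running `Get-PatchWindowPolicy` across the fleet is the quick way to spot a server that was missed.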