
IT: Windows server patch management

#1 - Billiam (Thread Starter), Chicago Burbs - Jun 17, 2009, 11:23 AM

What are you all using for patch management on your Windows servers? We had been using NetChk Protect from Shavlik (formerly HfNetChk Pro) and were pretty happy with it. Our maintenance contract has recently expired so I thought I’d take a look at the current state of Microsoft’s own offerings before I renewed. It amazes me that for all the other legitimately useful items Microsoft has added to their server products, there still seems to be no way of doing fine-grained patch management without resorting to third party products. I'm not even talking about control over which patches to apply. I'm just talking about basic scheduling.

WSUS seems to have come a long way, but it still seems to rely on Automatic Updates on the “client” side and (to the best of my knowledge) the AU mechanism is still a blunt object as far as scheduling is concerned. It doesn't appear that there's any way with WSUS+AU to specify anything more than “Do [blah] with updates every day/week/month and do it at the top of [blah] hour.” IMO, that simply isn’t enough control and flexibility for the real world of patching servers.

/SoapBox

#2 - Whiskers, PA - Jun 17, 2009, 11:39 AM

Mom?

#3 - stogie1020, Phoenix, AZ - Jun 17, 2009, 11:40 AM

We have recommended to clients to take a look at:

Lumension Security’s Patch and Remediation Manager

http://www.lumension.com/vulnerabili...t-software.jsp

#4 - Billiam (Thread Starter), Chicago Burbs - Jun 17, 2009, 11:54 AM

MOM costs the proverbial arm and leg. Stogie, would I be correct in assuming the Lumension product also hails from not cheap land?

The thing is we only have about 15-20 machines, all servers, we need this for. It's pretty hard to justify the cost of a higher end product for such a small number of machines.

#5 - stogie1020, Phoenix, AZ - Jun 17, 2009, 12:06 PM

Maybe two arms, although they may have a scalable pricing structure. It was appropriate for a 450-machine (some office use, some POS, some server) setup where they couldn't have machines doing their post-update reboots during peak sales times, or at other certain times of the day... It also gave them very granular control over the server patch process.

WSUS is cheap, but you get what you pay for... Overall a pretty good tool, though.

#6 - Anachostic - Jun 17, 2009, 12:20 PM

We use LANDesk. I'm not directly involved with it, but from what I saw, I wasn't impressed. Our admin seems to like it though.

#7 - doopstr, Jersey - Jun 17, 2009, 01:55 PM

We use WSUS for everything. Prod servers will not auto install/reboot.
Office servers will install over night and reboot. Workstations get it too.

I've heard that VMware 4 has some kind of patch management tool but haven't looked into it.

#8 - SidS1045, Stoneham MA - Jun 17, 2009, 02:29 PM

Originally Posted by Billiam
It doesn't appear that there's any way with WSUS+AU to specify anything more than “Do [blah] with updates every day/week/month and do it at the top of [blah] hour.” IMO, that simply isn’t enough control and flexibility for the real world of patching servers.

/SoapBox
Sure there is. You can have it prompt the user for a reboot, rather than forcing it. This is the registry script we use for all WSUS client machines:

====================================
Windows Registry Editor Version 5.00

; Point the Automatic Updates client at the WSUS server. Both values must be
; URLs with the scheme (and the port when WSUS is not on 80), not bare host names.
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://(server_name)"
"WUStatusServer"="http://(server_name)"

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
; 0 = Automatic Updates enabled
"NoAutoUpdate"=dword:00000000
; 4 = download automatically and install on the schedule below
"AUOptions"=dword:00000004
; prompt a logged-on user to restart instead of restarting underneath them
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
; minutes to wait after startup before running a missed scheduled install
"RescheduleWaitTime"=dword:00000005
; 0 = every day (1 = Sunday ... 7 = Saturday)
"ScheduledInstallDay"=dword:00000000
; hour of the scheduled install, in hex: 0x12 = 18:00
"ScheduledInstallTime"=dword:00000012
; 1 = use the WUServer above instead of Microsoft Update
"UseWUServer"=dword:00000001
; delete stale client state so it is recomputed against the new policy
"LastWaitTimeout"=-
"DetectionStartTime"=-
=============================================

The "NoAutoRebootWithLoggedOnUsers" key will only cause a prompt for a reboot, and can be cancelled ("Reboot Later") for five minutes at a time. It will, however, keep nagging until a reboot is performed (meaning, it doesn't let you forget to do it).

We run the registry script from within a batch file which stops the Automatic Updates service, patches the registry with the above script, and then restarts the AU service:

==============================================
@ECHO OFF
REM Stop Automatic Updates so it reads the new policy when it restarts.
NET STOP wuauserv
REM /S imports the registry script silently (no confirmation prompt).
REGEDIT.EXE /S Z:\SUSPOLICY1.REG
NET START wuauserv
==============================================

Hope that helps!
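The same policy applied and read back with PowerShell, as an added example that is not part of the thread. Three caveats a practitioner will want alongside the .reg file: the values live under HKLM\SOFTWARE\Policies, which is exactly where Group Policy writes them, so on any machine that a Windows Update GPO applies to they are overwritten at the next policy refresh and the direct registry write only sticks on machines no such GPO covers; WUServer and WUStatusServer must be URLs with a scheme, not bare host names; and NoAutoRebootWithLoggedOnUsers only defers the restart while someone is logged on, so a server with no interactive session still restarts after the scheduled install. Also, the interval between reboot prompts is governed by RebootRelaunchTimeout (default 10 minutes); RescheduleWaitTime is how long the client waits after startup before running a scheduled install it missed. The WSUS URL is an assumed placeholder, and the wuauclt.exe switches belong to the legacy WUA client (XP/2003 through 2012 R2) and are ignored on Windows 10 and later.

```powershell
# Added example (not from the thread): the policy in the .reg file above, applied
# and read back with PowerShell. Assumptions: run elevated in Windows PowerShell;
# $WsusUrl is a placeholder; wuauclt.exe is the legacy WUA client.

param(
    [string]$WsusUrl = 'http://wsus01.example.internal:8530'   # assumed placeholder
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Set-WsusClientPolicy {
    param([string]$Url)

    # WUServer/WUStatusServer must be URLs (scheme, host, port if not 80), not bare names.
    if ($Url -notmatch '^https?://[^/]+') {
        throw "WUServer must look like http://host:8530, got '$Url'"
    }
    foreach ($k in $wuKey, $auKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $wuKey -Name WUServer       -Value $Url -Type String
    Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $Url -Type String

    # Same values as the .reg file: AU on, option 4 (auto download + scheduled install),
    # every day (0) at 18:00, defer the restart while someone is logged on, wait 5
    # minutes after startup before running a missed install, use the WSUS server.
    $au = @{
        NoAutoUpdate                  = 0
        AUOptions                     = 4
        NoAutoRebootWithLoggedOnUsers = 1
        RescheduleWaitTime            = 5
        ScheduledInstallDay           = 0
        ScheduledInstallTime          = 18
        UseWUServer                   = 1
    }
    foreach ($name in $au.Keys) {
        Set-ItemProperty -Path $auKey -Name $name -Value $au[$name] -Type DWord
    }
    # The .reg file deletes these; the client recomputes them after the change.
    foreach ($stale in 'LastWaitTimeout', 'DetectionStartTime') {
        Remove-ItemProperty -Path $auKey -Name $stale -ErrorAction SilentlyContinue
    }

    Restart-Service -Name wuauserv
    # Legacy client: forget the old server authorization and check in with WSUS now.
    & "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow
}

function Get-WsusClientPolicy {
    # Decodes the effective AU policy so a fleet can be compared at a glance.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    $modes = @{ 2 = 'notify before download'
                3 = 'auto download, notify before install'
                4 = 'auto download, scheduled install'
                5 = 'user chooses' }
    $days  = 'every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'
    New-Object PSObject -Property @{
        Computer              = $env:COMPUTERNAME
        WsusServer            = $wu.WUServer
        UseWsus               = [bool]$au.UseWUServer
        Mode                  = $modes[[int]$au.AUOptions]
        InstallDay            = $days[[int]$au.ScheduledInstallDay]
        InstallHour           = '{0:D2}:00' -f [int]$au.ScheduledInstallTime
        DeferRebootIfLoggedOn = [bool]$au.NoAutoRebootWithLoggedOnUsers
        MissedInstallWaitMin  = $au.RescheduleWaitTime
    }
}

Set-WsusClientPolicy -Url $WsusUrl
Get-WsusClientPolicy | Format-List
```

To audit the 15-20 servers from one place, run Get-WsusClientPolicy through Invoke-Command against the server list and compare the objects; a server whose Mode or WsusServer differs from the rest is the one a GPO (or nobody) is managing.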

#9 - joerockt, San Diego, CA - Jun 17, 2009, 02:43 PM

WSUS, though it is inconsistent on the workstation side. I'll eventually get ZENworks upgraded to Novell ZCM and implement patch mgmt. I'd rather force apps and patches to a workstation than rely on the workstation contacting a server like WSUS does.

#10 - joerockt, San Diego, CA - Jun 17, 2009, 02:45 PM

Would be a lot easier if you just created a group policy object and edited the Windows Update portion.

Originally Posted by SidS1045
Sure there is. You can have it prompt the user for a reboot, rather than forcing it. This is the registry script we use for all WSUS client machines: [registry script and batch file quoted in full; see post #8]

#11 - Billiam (Thread Starter), Chicago Burbs - Jun 17, 2009, 02:58 PM

Originally Posted by SidS1045
The "NoAutoRebootWithLoggedOnUsers" key will only cause a prompt for a reboot, and can be cancelled ("Reboot Later") for five minutes at a time. It will, however, keep nagging until a reboot is performed (meaning, it doesn't let you forget to do it).
I'm interested in servers, not end user workstations. I don't see any way where this could be applicable to a server.

#12 - Gryphon, MN - Jun 17, 2009, 03:02 PM

You could look at Altiris Patch Management. It's certainly robust enough to handle most scheduling needs. Be prepared to pay roughly $300 a seat for it. However, for that $300, you'll get a lot more than just patch management. I don't know if they license Patch as a stand-alone.

#13 - thunder04, Northern VA - Jun 17, 2009, 03:55 PM

Though I don't directly manage it, we use WSUS here. We seem to have no problems and it seems to do the job.

#14 - SidS1045, Stoneham MA - Jun 17, 2009, 07:29 PM

Originally Posted by Billiam
I'm interested in servers, not end user workstations. I don't see any way where this could be applicable to a server.
It works with servers too. Apply the exact same registry script as I posted, and make sure your server OS is part of the stuff your WSUS server downloads.

#15 - SidS1045, Stoneham MA - Jun 17, 2009, 07:32 PM

Originally Posted by joerockt
Would be a lot easier if you just created a group policy object and edit the Windows Update portion.
The registry script only has to be run once, so I just apply it to every new workstation that I configure.

#16 - joerockt, San Diego, CA - Jun 18, 2009, 08:37 AM

Originally Posted by Billiam
I'm interested in servers, not end user workstations. I don't see any way where this could be applicable to a server.
It's just as easy for servers. Just configure a specific GPO for servers (hopefully you have your server computer objects in a separate container from your workstations) and configure it to install and not reboot. After hours, I reboot all servers and I'm done with patching.

#17 - joerockt, San Diego, CA - Jun 18, 2009, 08:39 AM

Originally Posted by SidS1045
The registry script only has to be run once, so I just apply it to every new workstation that I configure.
All I'm saying is they make GPOs specifically so you don't have to do things like what you're doing...

#18 - Billiam (Thread Starter), Chicago Burbs - Jun 18, 2009, 09:25 AM

Sid's solution (GPO-based or manual) may be technically valid for servers but it's really not at all practical. Updates to servers almost always need to be fully automated so they run during the overnight hours and automatically reboot the box so that they're back online for people to start using in the morning.

#19 - joerockt, San Diego, CA - Jun 18, 2009, 10:46 AM

Originally Posted by Billiam
Sid's solution (GPO-based or manual) may be technically valid for servers but it's really not at all practical. Updates to servers almost always need to be fully automated so they run during the overnight hours and automatically reboot the box so that they're back online for people to start using in the morning.
I don't know about you, but I would not feel comfortable coming in the next morning knowing my 50+ Windows servers auto-rebooted that night. It's just asking for trouble and you get to explain why server X's services aren't started for whatever reason because your servers rebooted on a Tuesday. Plus, given the fact that I have to bring up certain servers in a particular order because of SQL servers, it's just not worth the time saved to automate.

#20 - Billiam (Thread Starter), Chicago Burbs - Jun 18, 2009, 11:19 AM

So what do you do? You actually come into the office or VPN in at 3:00am every month just to apply Microsoft's updates? That blows. We just tell our monitoring system not to poll the server for 30 minutes or so after the scheduled patch install time. If something doesn't come back up, we definitely know about it.

The item mentioned about patching boxes in a specific order is one of the reasons why I find M$ Automatic Updates' ability to only schedule whole hour times to be completely ridiculous. We usually do the domain controllers, then the Exchange boxes, then file/print boxes, with each of them staggered fifteen minutes apart. There doesn't seem to be any way of doing this using WSUS & Automatic Updates.
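The ordered, staggered reboot pass Billiam describes (domain controllers, then Exchange, then file/print, fifteen minutes apart) is the part Automatic Updates cannot schedule, but it is a short script once the servers' AU policy is set so they install updates without restarting on their own. The following is an added example, not code from the thread or from Microsoft: run it as a scheduled task on a management host after the install window, and it reboots each tier in order, skipping any server that Windows Update has not flagged as needing a restart, waiting for each server's key service to come back before moving on, and stopping the pass if a tier does not come back (no domain controller, no point rebooting Exchange), which is joerockt's "service didn't start" scenario caught at 3 AM rather than at 9. Host names are assumed placeholders; NTDS, MSExchangeIS and LanmanServer are real Windows service names but the choice of which service to wait on is an assumption. It needs Windows PowerShell 3.0 or later (for Restart-Computer -Wait), admin rights on the targets, and the Remote Registry service and WinRM reachable on each of them. Suppressing the monitoring system for the window, as Billiam's team does, is left to that system.

```powershell
# Added example, not from the thread. With the servers' AU policy set to install but
# not restart on their own, this runs the after-hours reboot pass in dependency order:
# domain controllers, then Exchange, then file/print, each tier started 15 minutes
# after the previous one. A server is rebooted only if Windows Update left a reboot
# pending, and the pass stops if a tier's key service does not come back.
# Assumptions: hypothetical host names; Windows PowerShell 3.0+ on a management host
# with admin rights on the targets; Remote Registry and WinRM reachable on each target.

$tiers = @(
    @{ Name = 'Domain controllers'; Hosts = @('dc01', 'dc02');    Service = 'NTDS' },
    @{ Name = 'Exchange';           Hosts = @('mail01');          Service = 'MSExchangeIS' },
    @{ Name = 'File/print';         Hosts = @('fs01', 'print01'); Service = 'LanmanServer' }
)
$staggerMinutes = 15

# Windows Update creates this key when installed updates are waiting for a restart.
$pendingKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

function Test-PendingReboot {
    param([string]$Computer)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $sub = $hklm.OpenSubKey($pendingKey)
        if ($sub) { $sub.Close(); return $true }
        return $false
    } finally {
        $hklm.Close()
    }
}

function Wait-ForService {
    param([string]$Computer, [string]$Service, [int]$TimeoutMinutes = 20)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $svc = Get-Service -ComputerName $Computer -Name $Service -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') { return $true }
        Start-Sleep -Seconds 30
    }
    return $false
}

function Invoke-TieredReboot {
    param([array]$Tiers, [int]$StaggerMinutes)
    $results = @()
    for ($i = 0; $i -lt $Tiers.Count; $i++) {
        $tier = $Tiers[$i]
        if ($i -gt 0) { Start-Sleep -Seconds ($StaggerMinutes * 60) }   # the 15-minute stagger
        foreach ($h in $tier.Hosts) {
            $entry = New-Object PSObject -Property @{ Tier = $tier.Name; Host = $h; Result = '' }
            $healthy = $false
            try {
                if (-not (Test-PendingReboot -Computer $h)) {
                    $entry.Result = 'no reboot pending, skipped'
                    $healthy = $true
                } else {
                    # -Wait -For PowerShell blocks until the box answers WinRM again (or -Timeout seconds).
                    Restart-Computer -ComputerName $h -Force -Wait -For PowerShell -Timeout 900 -ErrorAction Stop
                    $healthy = Wait-ForService -Computer $h -Service $tier.Service
                    $entry.Result = if ($healthy) { "rebooted, $($tier.Service) running" }
                                    else          { "rebooted, $($tier.Service) NOT running" }
                }
            } catch {
                $entry.Result = 'failed: ' + $_.Exception.Message
            }
            $results += $entry
            # Do not reboot the dependent tiers on top of a broken server.
            if (-not $healthy) { return $results }
        }
    }
    return $results
}

Invoke-TieredReboot -Tiers $tiers -StaggerMinutes $staggerMinutes |
    Format-Table Tier, Host, Result -AutoSize
```

Because the script only reboots servers whose RebootRequired key exists, a run on a month with no kernel-level updates touches nothing, and the results table doubles as the morning report of what was rebooted and what came back.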

#21 - joerockt, San Diego, CA - Jun 18, 2009, 01:46 PM

Originally Posted by Billiam
So what do you do? You actually come into the office or VPN in at 3:00am every month just to apply Microsoft's updates? That blows. We just tell our monitoring system not to poll the server for 30 minutes or so after the scheduled patch install time. If something doesn't come back up, we definitely know about it.

The item mentioned about patching boxes in a specific order is one of the reasons why I find M$ Automatic Updates' ability to only schedule whole hour times to be completely ridiculous. We usually do the domain controllers, then the Exchange boxes, then file/print boxes, with each of them staggered fifteen minutes apart. There doesn't seem to be any way of doing this using WSUS & Automatic Updates.
Well, then you're a) a lot more brave (or foolish?) than I am and b) have very tolerant managers/execs/etc. In the 10+ years I've been doing network administration there have been quite a number of times where I applied a patch, rebooted, and something didn't come up just right. For example, a couple of months ago I patched and rebooted our Exchange server. When the server came back up, the SMTP service didn't start for whatever million reasons MS can give you. Luckily it started right away, but had that been a weekday and I had to troubleshoot, I would have had some angry people asking questions.

I usually do this on a Saturday when I also have a billion other things to do. So it's no big deal to me. Granted, if I had 1000+ servers, sure, I would have to consider some form of automation, but I would have someone monitoring it.

#22 - 97BlackAckCL (Senior Moderator), ShitsBurgh - Jun 18, 2009, 02:23 PM

Shavlik is what we use here; at my last job we used WSUS 3.0. Altiris also has its uses.