Windows update deployment

Associate, joined 18 Oct 2002, 710 posts, Somerset
I would be interested in what methods / policies people use for Windows update deployment across a network.

I have just started a new job where a lot more responsibility is on my shoulders, and after my first week it looks like there is a lot for me to do to get things into the state I currently think the system should be in.

After doing some searching, mainly on the Microsoft site, I have come across WSUS and MBSA, which look like handy tools. As they are MS tools I would guess they would be the best way forward, but I would like to hear about other options.

Thanks
Keith
 
As well as MBSA and WSUS, there's also SMS, or SCCM as it's now being called. Depending on your budget, you could consider using that. WSUS is OK-ish, depending on how many machines you're administering and what amount of control you want/need.

It's far from brilliant. As an example, you can't really schedule installs to take place at a certain time. Instead you use 'Deadlines', assigned at the update level to each WSUS group, which work slightly differently: as soon as the deadline has expired, the patch will be deployed. However, if you have expired deadlines (i.e. deadlines that are in the past), then the patch the deadline was set for will be installed immediately, normally causing a reboot. Also, deadlines override the Group Policy settings of your machines, so even though you may have set the policy to only download and notify, the deadline will force the installation to take place regardless. In a production environment this ain't good, as I'm sure you can appreciate.

It also has to be said that the reporting side of WSUS out of the box is absolutely ****. If you're happy knocking up reports yourself by querying the backend database then it's less of an issue, but otherwise the reporting is diabolical.

There are other annoyances, such as not being able to push updates out to machines from the management console. Instead, if you don't want to wait for your endpoint to report in as per its schedule, you have to sign on to that particular machine and call the wuauclt program. Very tiresome when you're working with many machines.

I could go on and on. However, WSUS is free, so I suppose it's understandable that it's not really that well supported.

If you're prepared to look further afield than Microsoft's offerings, there are loads of products in the marketplace. HFNetChk by Shavlik is a popular choice, not least because Shavlik wrote MBSA for Microsoft ;) Other products include LANDesk, Altiris, Ecora, etc. The advantage of these is that they'll scan for non-Microsoft products, e.g. Java, Flash, Adobe Acrobat, etc.

Hope that helps.
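Two of the complaints in the reply above (deadlines silently overriding the client's Group Policy, and having to sign on to each machine to run wuauclt) can at least be made less painful from the WSUS side. The script below is an added example, not code from the thread or from any poster: it reads the Windows Update policy that each client has actually applied, triggers a detection and report cycle remotely, and flags the machines whose "download and notify" policy will be overridden by an expired deadline. It assumes PowerShell Remoting (WinRM) is enabled on the targets and that the caller is a local administrator on them; the computer names are placeholders.

```powershell
# Added example, not code from the thread. Inventories the Automatic Updates policy
# that WSUS clients actually have applied, and triggers a detection/report cycle on
# each of them remotely, instead of logging on to every box to run wuauclt by hand.
# Assumptions: PowerShell Remoting (WinRM) is enabled on the targets and the caller
# is a local administrator there; the computer names are placeholders.

$computers = @('ws-fin-01', 'ws-fin-02', 'srv-file-01')   # constructed sample list

# Values written under HKLM by the Windows Update group policy.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

$remote = {
    param($wuKey, $auKey, $triggerDetect)

    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    $triggered = $false
    if ($triggerDetect) {
        # What the reply describes doing by hand on each machine. /detectnow asks
        # the client to check the WSUS server now; /reportnow sends its status up.
        & "$env:SystemRoot\System32\wuauclt.exe" /detectnow /reportnow
        $triggered = $true
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        WSUSServer         = $wu.WUServer
        TargetGroup        = if ($wu.TargetGroupEnabled -eq 1) { $wu.TargetGroup } else { $null }
        AUOptions          = $au.AUOptions
        NoAutoRebootIfUser = ($au.NoAutoRebootWithLoggedOnUsers -eq 1)
        DetectionTriggered = $triggered
    }
}

# Meaning of the AUOptions policy value.
$auNames = @{
    1 = 'Disabled'
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and scheduled install'
    5 = 'Local admin chooses setting'
}

$report = Invoke-Command -ComputerName $computers -ScriptBlock $remote `
    -ArgumentList $wuKey, $auKey, $true -ErrorAction Continue |
    Select-Object Computer, WSUSServer, TargetGroup,
        @{ n = 'AUOptions'; e = {
            if ($null -eq $_.AUOptions) { 'not set' }
            else { "$($_.AUOptions) - $($auNames[[int]$_.AUOptions])" } } },
        NoAutoRebootIfUser, DetectionTriggered

$report | Sort-Object Computer | Format-Table -AutoSize

# The combination the reply warns about: a client set to download-and-notify
# (AUOptions 3) is still force-installed, and usually rebooted, once a deadline on
# an approved update has passed. Group policy cannot prevent that, so list these
# machines and review the deadlines set on their WSUS group before they expire.
$report | Where-Object { $_.AUOptions -like '3 -*' } | ForEach-Object {
    Write-Warning "$($_.Computer): download-and-notify policy; check its WSUS group for expired deadlines"
}
```

DetectionTriggered only records that the command was issued; the client still talks to the server on its own timetable, so allow a few minutes before expecting the console to reflect it. Machines that are off or unreachable over WinRM produce an error and are simply absent from the table, which is itself worth checking against your asset list. Note also that wuauclt /detectnow is honoured by the WSUS-era clients this thread is about (XP, 2003, Vista, 7); on Windows 10 and later it does nothing, and the client has to be driven through other means.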
 
Thank you GarethDW.

Great post. I will have to go and do some reading on those other options, but for now I think the free MS way will get put in place to make a start.
 