Patch managment tool needed

Ok I need a tool to trigger my Wsus install's I don't want to log in to every server, I must use WSUS, and I want to remotely trigger the patches from a single console based off of groups hopefully. I am allowed to spend money on the solution.

I've seen all the solutions that involve scheduled tasks, but these don't seem to work very well for 2003, I am patching 2003 and 2008, if there is a powershell way to trigger this remotely that might work, but after alot of research I am turning up nothing that works with only powershell again all solutions seem to involve a task and a script.

Thanks in advance.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

RTmarc

Group Policy?

CodeBlox

Maybe Kaseya...

fly2dw

Microsoft SCCM (It does incorporate WSUS):

This link is is on SCCM 2007

Guide to Software Updates Deployment in Configuration Manager 2007 - The Configuration Manager Support Team Blog - Site Home - TechNet Blogs

Or SCCM 2012

https://msevents.microsoft.com/CUI/EventDetail.aspx?culture=en-US&EventID=1032487348&CountryCode=US

rwmidl

Group Policy

ThePuterGeek

I am a big fan of Shavlik

slinuxuzer

The only problem with group policy is I want to trigger everything manually, just letting group policy patch and reboot the servers would probably work for about 30% of my machines, I am looking for something that lets me handle 100%

I've worked with SCCM before, but its been a long while, can anyone remind me, will this let me trigger the outstanding WSUS patches manually on my own time frame?

ptilsen

You can do almost anything with SCCM. Truly, almost anything, if you have the time and infrastructure to support it. It is specifically designed to integrate with WSUS and provide more control than GPO.

Outside of using a third-party tool or SCCM, I would script it. Scripting it is technically going to be the least resource-intensive approach, since you don't need client agents for your tool or a server on which to run your tool. In scripting it, I would almost certainly use PowerShell, and my immediate Google search leads to a fairly promising article:
Install Windows Updates using Windows PowerShell

RTmarc

slinuxuzer wrote: »

The only problem with group policy is I want to trigger everything manually, just letting group policy patch and reboot the servers would probably work for about 30% of my machines, I am looking for something that lets me handle 100%

I've worked with SCCM before, but its been a long while, can anyone remind me, will this let me trigger the outstanding WSUS patches manually on my own time frame?

How manual are you talking? With WSUS+GPO you can still make it a manual process. Disable anything auto-approved by WSUS, trigger download but prompt for install on the servers, etc.

fly2dw

slinuxuzer wrote: »

I've worked with SCCM before, but its been a long while, can anyone remind me, will this let me trigger the outstanding WSUS patches manually on my own time frame?

Yes. You can even create a package (This saves servers having to download updates from the Internet or WSUS all together which saves time and bandwidth if using the Internet) bundling all the updates that you want installing on a particular server (Or group of servers), and set it to install at any time followed by a reboot when completed and email a status report of what succeeded or failed. As ptilsen mentioned almost anything is possible with SCCM if you have the infrastructure in place to support it.

I mentioned SCCM as you said you had budget for the solution. I would have a look in your infrastructure to see what other things you could utilise SCCM for such as software deployment library or image deployment etc. If it proves cost effective then go for SCCM. You can fall back on scripting and Group Policy if SCCM is not going to work out cost effective for you. However if you have a predominant Microsoft server base then I am sure SCCM will prove useful, especially if you have used it before, and already use to it.

Everyone

Definitely +1 for SCCM... but since you mentioned PowerShell, scheduled tasks, and GPOs... I've had to do it that way before at places that refused to invest in SCCM. I used GPO to set all my servers to point to WSUS and not automatically install anything. Then I setup scheduled tasks to kick off installation via a PowerShell script at a designated time for each server. I had the script send an e-mail alert to the Help Desk (24/7 operations) to remind them that scheduled maintenance was about to start on the server the script was running from and to expect reboots. Then it would send another one when the server was back online via a second script that ran as a start-up task. I had it check to make sure the proper services/applications were started on the server after the reboot, and it would alert if they did not.

It worked great. I was able to setup maintenance windows for several hundred servers in an environment that "couldn't have any downtime", and previously had no patch management process at all. Most servers were months to even years behind on patches before I stepped in.