Patch management tool needed

slinuxuzer Member Posts: 665
OK, I need a tool to trigger my WSUS installs. I don't want to log in to every server, I must use WSUS, and I want to remotely trigger the patches from a single console, based off of groups hopefully. I am allowed to spend money on the solution.

I've seen all the solutions that involve scheduled tasks, but these don't seem to work very well for 2003. I am patching 2003 and 2008. If there is a PowerShell way to trigger this remotely, that might work, but after a lot of research I am turning up nothing that works with only PowerShell; again, all solutions seem to involve a task and a script.

Thanks in advance.

Comments

  • RTmarc Member Posts: 1,082
  • CodeBlox Member Posts: 1,363
    Maybe Kaseya...
  • rwmidl Member Posts: 807
    Group Policy
  • ThePuterGeek Member Posts: 31
    I am a big fan of Shavlik
  • slinuxuzer Member Posts: 665
    The only problem with Group Policy is I want to trigger everything manually. Just letting Group Policy patch and reboot the servers would probably work for about 30% of my machines; I am looking for something that lets me handle 100%.

    I've worked with SCCM before, but it's been a long while. Can anyone remind me: will this let me trigger the outstanding WSUS patches manually on my own time frame?
  • ptilsen Member Posts: 2,835
    You can do almost anything with SCCM. Truly, almost anything, if you have the time and infrastructure to support it. It is specifically designed to integrate with WSUS and provide more control than GPO.

    Outside of using a third-party tool or SCCM, I would script it. Scripting it is technically going to be the least resource-intensive approach, since you don't need client agents for your tool or a server on which to run your tool. In scripting it, I would almost certainly use PowerShell, and my immediate Google search leads to a fairly promising article:
    Install Windows Updates using Windows PowerShell
  • RTmarc Member Posts: 1,082
    slinuxuzer wrote:
    The only problem with Group Policy is I want to trigger everything manually. Just letting Group Policy patch and reboot the servers would probably work for about 30% of my machines; I am looking for something that lets me handle 100%.

    I've worked with SCCM before, but it's been a long while. Can anyone remind me: will this let me trigger the outstanding WSUS patches manually on my own time frame?

    How manual are you talking? With WSUS+GPO you can still make it a manual process. Disable anything auto-approved by WSUS, trigger download but prompt for install on the servers, etc.
  • fly2dw Member Posts: 122
    slinuxuzer wrote:
    I've worked with SCCM before, but it's been a long while. Can anyone remind me: will this let me trigger the outstanding WSUS patches manually on my own time frame?

    Yes. You can even create a package (this saves servers having to download updates from the Internet or WSUS altogether, which saves time and bandwidth if using the Internet) bundling all the updates that you want installing on a particular server (or group of servers), and set it to install at any time, followed by a reboot when completed, and email a status report of what succeeded or failed. As ptilsen mentioned, almost anything is possible with SCCM if you have the infrastructure in place to support it.

    I mentioned SCCM as you said you had budget for the solution. I would have a look in your infrastructure to see what other things you could utilise SCCM for, such as software deployment library or image deployment, etc. If it proves cost-effective, then go for SCCM. You can fall back on scripting and Group Policy if SCCM is not going to work out cost-effective for you. However, if you have a predominant Microsoft server base, then I am sure SCCM will prove useful, especially if you have used it before and are already used to it.
  • Everyone Member Posts: 1,661
    Definitely +1 for SCCM... but since you mentioned PowerShell, scheduled tasks, and GPOs... I've had to do it that way before at places that refused to invest in SCCM. I used GPO to set all my servers to point to WSUS and not automatically install anything. Then I set up scheduled tasks to kick off installation via a PowerShell script at a designated time for each server. I had the script send an e-mail alert to the Help Desk (24/7 operations) to remind them that scheduled maintenance was about to start on the server the script was running from and to expect reboots. Then it would send another one when the server was back online via a second script that ran as a start-up task. I had it check to make sure the proper services/applications were started on the server after the reboot, and it would alert if they did not.

    It worked great. I was able to set up maintenance windows for several hundred servers in an environment that "couldn't have any downtime", and previously had no patch management process at all. Most servers were months to even years behind on patches before I stepped in.
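
The scheduled-task workflow described in the last comment could look like the following PowerShell, run elevated from a scheduled task for the install and again with `-PostReboot` from a start-up task. This is an added example, not the poster's script: the mail relay, addresses and service list are assumptions, and it drives the Windows Update Agent COM API (`Microsoft.Update.Session`) locally on each server.

```powershell
# Added example, not from the thread. Mail host, addresses and service names are assumptions.
param([switch]$PostReboot)                 # run with -PostReboot from the start-up task

$Smtp     = 'smtp.example.internal'        # assumed mail relay
$From     = 'patching@example.internal'    # assumed sender
$To       = 'helpdesk@example.internal'    # assumed Help Desk mailbox
$Services = @('W3SVC', 'MSSQLSERVER')      # assumed: services that must be up after reboot
$Server   = $env:COMPUTERNAME

function Send-Note($Subject, $Body) {
    Send-MailMessage -SmtpServer $Smtp -From $From -To $To -Subject $Subject -Body $Body
}

if ($PostReboot) {
    # A service that is missing or not running counts as down.
    $down = @(foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') { $name }
    })
    if ($down.Count -gt 0) { Send-Note "[$Server] ALERT after patch reboot" "Not running: $($down -join ', ')" }
    else                   { Send-Note "[$Server] back online" 'All monitored services are running.' }
    return
}

# With the GPO pointing the client at WSUS, this search returns only updates approved there.
$session = New-Object -ComObject Microsoft.Update.Session
$pending = $session.CreateUpdateSearcher().Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
if ($pending.Count -eq 0) { return }

Send-Note "[$Server] maintenance starting" "Installing $($pending.Count) update(s); expect a reboot."

$queue = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $pending) {
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$queue.Add($u)
}
$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $queue
[void]$downloader.Download()

# Install only what actually downloaded; a failed download must not abort the whole run.
$ready = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $queue) { if ($u.IsDownloaded) { [void]$ready.Add($u) } }
if ($ready.Count -eq 0) { Send-Note "[$Server] patching FAILED" 'No update could be downloaded.'; return }

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $ready
$outcome = $installer.Install()    # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed
Send-Note "[$Server] install finished" "ResultCode $($outcome.ResultCode); reboot required: $($outcome.RebootRequired)"
if ($outcome.RebootRequired) { Restart-Computer -Force }
```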