patching

WSUS – Auto Patching Servers

Posted by robd on June 02, 2016
WSUS / 1 Comment

So recently we took the plunge to auto patch and reboot all our servers based on the following schedules:

Schedule_1 WSUS Auto Approve – 7 days Deadline – When new updates are downloaded by WSUS they are held for 7 days then rolled out to the servers.  The server will then auto install and reboot (if necessary) the Monday after the 7 day deadline expires at 03:00.  Please note all previous updates that are needed will be installed installed on any Monday at 03:00.

Schedule_2 WSUS Auto Approve – 12 days Deadline – When new updates are downloaded by WSUS they are held for 21 days then rolled out to the servers.  The server will then auto install and reboot (if necessary) the Tuesday after the 21 day deadline expires at 02:00.  Please note all previous updates that are needed will be installed installed on any Tuesday at 02:00.

Schedule_3 WSUS Auto Approve – 31 days Deadline – When new updates are downloaded by WSUS they are held for 31 days then rolled out to the servers.  The server will then auto install and reboot (if necessary) the Wednesday after the 31 day deadline expires at 03:00.  Please note all previous updates that are needed will be installed installed on any Wednesday at 03:00.

 

So in other words patch schedule 1 first and see if the servers break then 5 days later do install the patches on the servers in schedule 2 and then 24 days later do the rest.  I.e. Test, test and finish.

So here’s how we did it:

  • On WSUS setup some Computer Groups i.e. Schedule 1, Schedule 2 and Schedule 3:

Schedules

  • Put your servers in these groups (or if you auto place servers in groups via GPO then I cover that later).
  • Create some Auto Approval Rules under Options in WSUS manager:
    • The following example only applies Critical and Security updates to Computer Folder Schedule 1 and the deadline to install (i.e. install after) is 7 days at 03:00Auto_Approval
    • Auto_Approval2
    • Auto_Approval3
    • IMPORTANT – Once you’ve created the rules click RUN RULE or the rule wont run against the existing updates.
    • RunRule
  • Finally setup the Group Policies for the Servers (example for schedule 1), I applied a security group to the GPO so only the servers in schedule 1 received these updates:
    • Administrative TemplatesWindows Components/Windows Update
      Allow Automatic Updates immediate installation Enabled
      Always automatically restart at the scheduled time EnabledThe restart timer will give users this much time to save their work (minutes): 15

      Configure Automatic Updates Enabled

      Configure automatic updating: 4 – Auto download and schedule the install
      The following settings are only required and applicable if 4 is selected.
      Install during automatic maintenance Disabled
      Scheduled install day: 3 – Every Monday
      Scheduled install time: 03:00
      Enable client-side targeting Enabled

      Target group name for this computer Schedule_1  (Note – if you use GPOs to place servers in computer groups in WSUS then is the setting)

      No auto-restart with logged on users for scheduled automatic updates installations Disabled
      Specify intranet Microsoft update service location Enabled

      Set the intranet update service for detecting updates: http://WSUS01:8530
      Set the intranet statistics server: http://WSUS01:8530

That should be it!!!!

Tags: , , , ,