locked
New WSUS GPO Schedule Option RRS feed

  • General discussion

  • I'd like to suggest that there be an option added to allow you to select Saturday AND Sunday for patching. We have "maintenance weekend" once a month in our organization and since the only options available in the group policy are EVERY DAY or single days, we have to select EVERY DAY to ensure our patches are pushed out on both days of the weekend. This has caused problems where we had a miss configured WSUS server which was auto approving re-released/revised patches and caused our patches to push out in the middle of the week instead. This has been resolved on the server but having the ability to have a SAT/SUN option on the Scheduled Install day option would be AWESOME!
    Wednesday, August 13, 2014 4:56 PM

All replies

  • Hi,

    I'm glad to see that the issue has been resolved. I'm not quite sure why you need to push patches on both Saturday and Sunday. If there are many have the same requirement, I think it will improved.

    Friday, August 15, 2014 5:33 AM
  • we have to select EVERY DAY to ensure our patches are pushed out on both days of the weekend.

    I'm curious about something...

    On how many weekends, and how many systems, are updates actually installed on Saturday **AND** Sunday in the same weekend?

    In fact, I submit, that if all things are working normal, the only machines that will install updates on Sunday are the ones that are powered off on Saturday. Since we're talking about SERVERS, I suspect that's highly unlikely.

    In fact, if you did have a server fail to install updates on Saturday, I'd say that was a "failure" unto itself and would be worthy of its own investigation.

    This has caused problems where we had a miss configured WSUS server which was auto approving re-released/revised patches and caused our patches to push out in the middle of the week instead.

    Or you could disable the option to "Automatically approve revisions for approved updates". (You will, however, then need to keep up with them manually and remember to approve the newer revision when appropriate.)


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.


    Sunday, August 17, 2014 7:54 PM
  • We push patches to about 700 servers on one weekend a month.  We are also time limited and have a 3 hour patch window with servers distributed unevenly amongst the windows. We use Patch Manager to help maintain our patch windows. 

    Generally speaking, the middle window is most popular.  In any event, it does take the entire weekend to get the majority of the servers patched and I have deselected the auto approval to prevent unexpected patching.

    Having the ability to limit patching to both weekend days would be a great improvement as far as I am concerned. That way, we approve patches on the Friday before the designated weekend and any stragglers can catch up magically on the other weekends, off the normal work day cycle.

    Monday, August 18, 2014 1:52 PM
  • We use Patch Manager to help maintain our patch windows. 

    If you're using Patch Manager to deploy updates, then what difference does it make how Configure Automatic Updates is set? In fact, I'd argue that if you're deploying the updates with Patch Manager, then your servers shouldn't have any scheduled installation event at all. Set AUOption = '2'.

    That way, we approve patches on the Friday before the designated weekend

    This is part of your complication. You cannot possibly approve updates on Friday and have any reasonable expectation that those updates will actually be fully downloaded to the WSUS server, detected by the client, and then fully downloaded to the client in order to make a scheduled installation event on Saturday. Of course, that's back to the question of whether you're actually using WUA-scheduled installations, or not -- but even if you're deploying with Patch Manager, the files need to be available to the client to be installed, and if they're not available at the WSUS server, the installation isn't going to happen..

    So, to summarize, I would suggest the following approach:

    1. Create a DUMMY group on the WSUS server that has no client members. Use this DUMMY group to approve updates early in the week. This will ensure that the WSUS server gets ample opportunity to download all needed files before the weekend deployment events, without risking the servers getting them before the weekend.
    2. Configure the servers with AUOptions='2', since with Patch Manager you don't need (nay, you don't want!) the Windows Update Agent launching the installations.
    3. Approve the updates on Friday (if you must) -- although a little-known/well-kept secret... the Patch Manager Update Management tool doesn't actually require the updates to be approved... it just needs the binaries to be on the WSUS Server, which will be achieved by the approvals for the DUMMY group in Step #1.
    4. Schedule the installation tasks as needed for those servers, but you should never need to run multiple installation tasks on a server in the same weekend, if all of the pre-weekend events are properly executing.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Monday, August 18, 2014 11:26 PM
  • Thanks for the suggestions Lawrence.

    That sounds like an interesting avenue to pursue. I inherited the current process and have been trying to tweak it to work better in the past and have not had time to really focus on improving the process with PM. I will have to dedicate some time to PM to resolve the issues I have with it if that is the solution to my patching problems

    I do have an appointment with a Solarwinds representative to look at some issues I am having with my PM installation.  I might bounce a few configuration questions off him to see how I can set it up to make this work.

    Thanks again,

    Layne 

    Monday, August 25, 2014 8:14 PM