Monday, April 23, 2007

Using deadlines to install Windows updates on unattended servers

WSUS is a great tool to distribute and install Microsoft Updates. As long as the administrator approves the updates, an "Updates are ready" notification will pop up on each user's screen, and the users will be prompted to proceed with installing the updates.

But what about unattended servers? No-one ever logs into their consoles and thus there's nobody to install the updates. Having an administrator log in to each server to install updates is just too tedious. Luckily, this isn't necessary. Using deadlines, one can have the updates install on unattended servers automatically. Here's how I do it:

  1. I've created a computer group in WSUS called "Servers" and added all servers to it.
  2. Whenever I approve an update, I make a separate approval for the "Servers" group with a deadline.
  3. When the deadline expires, updates are installed automatically.

A thing to note here is that most of the time a server will reboot after the updates are installed. You don't want your servers to reboot in the middle of the day. Therefore, set the deadline to off-hours.

Always set the deadline more than 22 hours in the future. This is because the Automatic Updates service checks for new updates every 22 hours by default. Imagine what happens if during the day, say at 12am, you set the deadline for 11pm today. By 11pm a server may not have checked for new updates yet, so it will not know that a new update with a deadline is available. The next day, say at 10am, it will check, find the update and see that the deadline is already past due. It will then immediately install the update and reboot right when your users are busy using it. To avoid such an unfortunate scenario, allow sufficient time for Automatic Updates to find the update before the deadline expires.
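
The timing rule above as a small Python model, added here as an illustration and not part of the original post. The function names, the fixed 22-hour cycle, the 23:00 off-hours slot and the sample times are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Default Automatic Updates detection interval, as stated in the article.
DETECTION_INTERVAL = timedelta(hours=22)


def first_check_after(approved_at, last_check):
    """Return the first detection cycle that can see an approval made at approved_at."""
    check = last_check
    while check < approved_at:
        check += DETECTION_INTERVAL
    return check


def install_time(approved_at, deadline, last_check):
    """Return when the client installs: at the deadline, or at once if it is already past."""
    return max(first_check_after(approved_at, last_check), deadline)


def safe_deadline(approved_at, off_hour=23):
    """Return the first off_hour:00 that is more than one detection interval away."""
    earliest = approved_at + DETECTION_INTERVAL
    candidate = earliest.replace(hour=off_hour, minute=0, second=0, microsecond=0)
    if candidate <= earliest:
        candidate += timedelta(days=1)
    return candidate


if __name__ == "__main__":
    # Constructed sample times: approval at midday, server last checked 30 minutes earlier.
    approved = datetime(2007, 4, 23, 12, 30)
    last_check = datetime(2007, 4, 23, 12, 0)

    too_soon = datetime(2007, 4, 23, 23, 0)  # "11pm today"
    print("deadline", too_soon, "-> installs", install_time(approved, too_soon, last_check))

    good = safe_deadline(approved)
    print("deadline", good, "-> installs", install_time(approved, good, last_check))
```

With the same-day deadline the modelled server installs at its next check, mid-morning the following day; with the computed deadline it installs at 23:00 regardless of where it is in its detection cycle.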
