Automatic Updates Resistance in a Corporate Environment

[Allen]

Hi all,

Having a bit of a headache with Automatic Updates (no surprise there) in a corporate environment, and wanted to see how others deal with this.

As with I am sure any company, about 50% of staff are reasonably "competent" with Windows, and the rest are Mac users or simply not interested in learning. So this presents me with a bit of a problem on how to implement AU. If I set them to install automatically, people complain it interrupts work. If I set it so the user has to install them, they don't do it, or know how to do it. I have thought about setting them to update at certain times but when PC's aren't on, they won't update.

I will hopefully be implementing WSUS at some point as we grow, but for the moment I am controlling AU with GPO's.

So for any sysadmin's out there, how do you deal with AU?

[Splash]

WSUS is a must really: it costs you nothing beyond the server that you run it from and will let you run a report showing which machines haven't been updated. Most environments I'm involved in have a few different GPOs - clients get theirs installed when they shutdown, and there's a corporate policy that machines are shutdown at the end of a working day for environmental reasons and the like: if people aren't shutting their machines down then they're in breach of corporate policy.

Servers tend to be a little different - dependent on role of the server we'll usually apply a policy that will install the updates early in the morning then reboot *unless somebody is logged in*. Core servers tend to be manually applied and rebooted as required. Some sysadmins get a little obsessed with uptime of their servers, I'd rather have mine patched. Any services that cannot take downtime should have patching windows designed in, and clustering may be required.


EDIT - that said: *do* test the updates before you start rolling them out company-wide...

[Dooms]

Hmmm it's a tough one. The only real solution for day to day patching that I can think of is getting WSUS or/and SCCM 2012 up and running.

How many machines are we talking about? Is it every day updates that are causing issues or just the big ones?

For a small setup you got a few options to get everything patched up:
https://www.ntlite.com/ - Allows you to make images for machines and streamline all patches
https://ninite.com/pro - For keeping applications updated without any user interaction
http://www.autopatcher.net/forum/ - Great application for manually patching machines, downloads all patches and gives you an exe you run on each machine.

[shaithis]

WSUS, it absolutely has to be (unless you want additional costs for things like SCCM)

Push updates out without rebooting and then choose a reboot time.

The reboot time will be dependant on a number of factors though, most importantly - do the PCs get turned off or are they set to sleep?

In the mean-time, get some buy-in from management as to the importance of updates and then send out a correspondence to all users telling them updates must be done and on what schedule they must adhere to.

[Allen]

Thanks guys, I have gone with rebuilding WSUS sooner rather than later. Haven't yet configured it, but for the time being have set PC's to download updates and confirm with users when to apply them (there was, of course, lots of moaning about long reboots when automatically applying them).

Thanks for your help!

[abaxas]

How are you validating and testing updates before sending them out?

There have been some proper horrors in the past where updates break software / business continuity.

Be safe, dont be up to date.

[DanceswithUnix]

Just remember to push updates at 4pm for any laptop users, so that as they close down at the end of the day eager to pack the laptop in its bag and go home it says "Installing update 1 of 53, please wait" because they love that

[Saracen]

....

There have been some proper horrors in the past where updates break software / business continuity.

Be safe, dont be up to date.

That concern applies in my environment too, which is both personal use and small business, not corporate.

I recently noted one AV company (Panda??) managed to break their own product, detecting it as malicious, by a faulty update.

That said, my security products are about the only thing I do have set to either do, or at least prompt me to do, auto-updates.

[Jay]

SCCM and wsus are a must, depending on how you are licenced it may be worth adding sccm to your agreement, especially if you are using datacenter licensing

[Allen]

How are you validating and testing updates before sending them out?

I will, once our infrastructure has been upgraded, be running a virtual machine with all software used in the company running on it, and will therefore apply updates to the virtual to check everything before rolling them out.