Components

  • Automatic Updates
  • WSUS
  • Patch Solution Scripts
  • Scheduled Task
  • Group Policy
  • Configuring Computer Maintenance Windows

Automatic Updates

Most organizations will have an installation of WSUS. This minimizes the number of updates that need to be downloaded from the internet and distributed to servers or workstations, and in turn these devices have been configured to use WSUS. By default, Automatic Updates downloads and installs the patches at 03:00. This is far from an optimal solution for any company, regardless of size. There are many ways to configure Automatic Updates to download and install patches, or to notify users or administrators to install them.

The Patch Solution aims at simplifying and centralizing the process. The Patch Solution is basically a wrapper that calls into the Windows Update API and forces it to do an update scan. Again, because this uses the general Windows Update API, if the computer is configured to use the Microsoft Update servers on the internet, then it will do just that. After the scan has completed, the Patch Solution will then install the patches. Regardless of where the patches come from, either the Microsoft Update servers or a WSUS installation, if the patches have been approved and are visible through the Windows Update GUI, they will be applied.
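The following is an added example, not the project's InstallUpdates.ps1: a minimal wrapper around the Windows Update Agent COM API (the API the Patch Solution drives) that reports whether the machine is pointed at WSUS or Microsoft Update, scans with the same criteria the Windows Update GUI uses, and only downloads and installs when the -Install switch is given. It assumes an elevated PowerShell session.

```powershell
# Added example: scan (and optionally install) through the Windows Update Agent COM API.
function Get-UpdateSource {
    # Reports whether this machine is pointed at a WSUS server or at Microsoft Update,
    # based on the Windows Update policy keys.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $useWsus = (Get-ItemProperty -Path "$wu\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
    if ($useWsus -eq 1) {
        return "WSUS: $((Get-ItemProperty -Path $wu -Name WUServer -ErrorAction SilentlyContinue).WUServer)"
    }
    return 'Microsoft Update (no WSUS policy set)'
}

function Invoke-PatchScan {
    param([switch]$Install)   # without -Install this is scan-only
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Same criteria the Windows Update GUI applies: applicable, not installed, not hidden.
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    Write-Host ("{0} applicable update(s) offered by {1}" -f $result.Updates.Count, (Get-UpdateSource))
    if ($result.Updates.Count -eq 0) { return $null }

    $toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($update in $result.Updates) {
        Write-Host (" - {0} (KB{1})" -f $update.Title, (@($update.KBArticleIDs) -join ','))
        if (-not $update.EulaAccepted) { $update.AcceptEula() }
        $null = $toInstall.Add($update)
    }
    if (-not $Install) { return $toInstall }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $toInstall
    $null = $downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $toInstall
    $installResult = $installer.Install()
    # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted
    for ($i = 0; $i -lt $toInstall.Count; $i++) {
        Write-Host ("   {0}: result {1}" -f $toInstall.Item($i).Title, $installResult.GetUpdateResult($i).ResultCode)
    }
    if ($installResult.RebootRequired) { Write-Warning 'A reboot is required to complete installation.' }
    return $installResult
}

Invoke-PatchScan            # scan only: lists what WSUS or Microsoft Update is offering
# Invoke-PatchScan -Install   # scan, download and install
```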

WSUS

Since most organizations will have an installation of WSUS, it is easier to control and approve which devices get which patches. Again, the problem is when they install these patches. Applying Windows Updates to any system is always a point of contention: which ones, and when, and what level of administrative effort is needed to deploy them. Windows Server Update Services (WSUS) on Windows Server 2012 R2 has the nifty feature of automatically approving patches. In the places where I have to work with updates, I have always enabled the default rule, Auto Approve all Critical and Security Patches. Again, this only approves them; it does not install them.

Patch Solution Scripts

This is where the heavy lifting is done. There have been quite a few scripts floating around the Internet implementing the same idea: trigger the Windows Update API, download and install. These are also very popular for maintaining patches on a Windows Server Core installation. The Patch Solution has been extended so that these scripts look at an attribute in AD. The value stored in the attribute translates to a day of the week, a start time and how many minutes it will try to patch for. These translations are fully configurable in the XML configuration file.

Patch flow:

  1. Log onto the system to patch
  2. Run the InstallUpdates.ps1 script
  3. The script opens the XML configuration file
  4. The script connects to AD, looks up its machine account and gets its Patchgroup attribute
  5. The script compares the Patchgroup value with the current date/time and runs some assessments
  6. Example assessments are:
      • The machine is a non-production machine: go ahead and patch
      • The machine is a production machine and a change stop is in effect
      • The current date/time is inside a valid patch window: patch
  7. Patch the machine and reboot if necessary
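The assessment step of the patch flow (steps 3 to 6), as an added example that is not the project's own InstallUpdates.ps1 or its XML file: the XML layout, element names and the ChangeStops section are constructed for this example, so the real configuration file will differ. It handles a window that crosses midnight, which a naive same-day comparison would miss.

```powershell
# Added example: decide whether a machine may patch right now from its Patchgroup value.
# The XML below is constructed for this example; the real config layout may differ.
[xml]$config = @'
<PatchSolution AdAttribute="ExtensionAttribute1">
  <ValidPatchGroups>
    <PatchGroup Name="NonProd"    AlwaysPatch="true" />
    <PatchGroup Name="Prod-Sat02" Day="Saturday" Start="02:00" Minutes="180" />
    <PatchGroup Name="Prod-Sun23" Day="Sunday"   Start="23:00" Minutes="240" />
  </ValidPatchGroups>
  <ChangeStops>
    <ChangeStop From="2015-12-20" To="2016-01-04" />
  </ChangeStops>
</PatchSolution>
'@

function Test-PatchWindow {
    param([string]$PatchGroup, [datetime]$Now = (Get-Date))
    $group = $config.PatchSolution.ValidPatchGroups.PatchGroup | Where-Object Name -eq $PatchGroup
    if (-not $group) { return "Unknown Patchgroup '$PatchGroup': not patching" }
    if ($group.AlwaysPatch -eq 'true') { return 'Non-production machine: patch' }

    foreach ($stop in $config.PatchSolution.ChangeStops.ChangeStop) {
        if ($Now.Date -ge [datetime]$stop.From -and $Now.Date -le [datetime]$stop.To) {
            return 'Production machine inside a change stop: not patching'
        }
    }
    # Anchor the window on the most recent occurrence of the configured day, so a window
    # that crosses midnight (Sunday 23:00 + 240 min) still matches early Monday.
    $daysBack = ([int]$Now.DayOfWeek - [int][DayOfWeek]$group.Day + 7) % 7
    $start = $Now.Date.AddDays(-$daysBack) + [timespan]$group.Start
    $end   = $start.AddMinutes([int]$group.Minutes)
    if ($Now -ge $start -and $Now -lt $end) {
        return "Inside window $($start.ToString('ddd HH:mm'))-$($end.ToString('ddd HH:mm')): patch"
    }
    $next = if ($Now -lt $start) { $start } else { $start.AddDays(7) }
    return "Outside window (next opens $($next.ToString('ddd dd MMM HH:mm'))): not patching"
}

# In the real flow the Patchgroup value comes from the machine's own AD account, e.g.:
#   $attr  = $config.PatchSolution.AdAttribute
#   $value = (Get-ADComputer $env:COMPUTERNAME -Properties $attr).$attr
Test-PatchWindow -PatchGroup 'Prod-Sun23' -Now (Get-Date '2015-06-15 01:30')   # Monday 01:30: patch
Test-PatchWindow -PatchGroup 'Prod-Sat02' -Now (Get-Date '2015-06-15 01:30')   # not patching
Test-PatchWindow -PatchGroup 'NonProd'                                          # always patch
```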

How to automate this? Onto the next step.

Scheduled Tasks

This Patch Solution is all about automation, giving time back to administrators to focus on proactive activities. There is also a plus side for organizations: less overtime is required to patch production machines, and their environments are more secure.

Leveraging the Windows Task Scheduler, this script can be called every 5 minutes. It will only trigger the patch installation if the machine is allowed to. Essentially you need to configure a scheduled task that calls the script at the proper interval. This is easy to do if you have 10 machines, but again we're looking for automation.
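An added example of the task described above, not the one the project's Group Policy delivers: it registers a task that runs InstallUpdates.ps1 every 5 minutes as SYSTEM and never lets two runs overlap, so a run that is still installing is not interrupted by the next trigger. The script path is an assumption.

```powershell
# Added example: register the 5-minute polling task for InstallUpdates.ps1 on one machine.
$scriptPath = 'C:\PatchSolution\InstallUpdates.ps1'   # assumed location of the script

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Start at the next whole minute and repeat every 5 minutes; with no RepetitionDuration
# the repetition runs indefinitely (Windows Server 2012 R2 and later).
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
    -RepetitionInterval (New-TimeSpan -Minutes 5)

# SYSTEM is needed for the Windows Update Agent to install; the script decides whether
# the machine is inside its patch window, the task only provides the heartbeat.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# IgnoreNew: if a previous run is still patching, the new instance is skipped rather than
# started alongside it. The time limit stops a hung install from blocking every later run.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -Hidden `
    -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 4)

Register-ScheduledTask -TaskName 'InstallUpdates' -TaskPath '\PatchSolution\' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force | Out-Null

# Confirm the task exists and see its last/next run times.
Get-ScheduledTask -TaskName 'InstallUpdates' -TaskPath '\PatchSolution\' | Get-ScheduledTaskInfo
```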

Group Policy

Group Policy comes to the rescue for scheduling the execution of the scripts.

At a high level, the PatchSolutionUpdateGPO.ps1 script will:

  • Open the XML Configuration file and load in the ValidPatchGroups
  • By default look for a group policy named “PatchSolution”
  • Connect into the Computer portion of the policy
  • Update/Remove any ValidPatchGroup values that need to be modified
  • Add a scheduled task so that you can manually run and force the updates to be installed

Now you have just automated a group policy that creates a targeted scheduled task for the valid patch groups that you have defined.

Configuring Computer Maintenance Windows

Maintenance or Patchgroup windows are defined in two places.

  • The ValidPatchGroups for the organization are defined in the XML Configuration file.
  • Each machine account in AD has an “ExtensionAttribute1” (Configurable in the XML Configuration file)

For each machine you'll need to set this ExtensionAttribute to the proper patch group value. Once this value is set inside AD, the Group Policy will be applied and a scheduled task will appear on each of your targeted machines.

Bingo! That completes the overall configuration.

Reporting

More documentation to come!

Essentially,

  • Configure the XML values for email
  • Configure 2 scheduled tasks:
    • The first one just runs the daily report (no parameters to the script)
    • The second one runs the weekly report (full report)
  • Watch your email, and look in the \Reports folder for the exported XLS file

Last edited Jun 10, 2015 at 1:29 AM by arafuse, version 4