Best Practices in Scheduling Patch Installation for Minimal User Impact




Greg Shields | 1.800.813.6415 | www.scriptlogic.com/smbIT

2012 ScriptLogic Corporation. ALL RIGHTS RESERVED. ScriptLogic, the ScriptLogic logo and Point,Click,Done! are trademarks and registered trademarks of ScriptLogic Corporation in the United States of America and other countries. All other trademarks and registered trademarks are property of their respective owners.

We IT administrators spend so much time worrying about patches themselves that sometimes we forget about our users. Indeed, getting those monthly Microsoft patches installed is important, but when that installation causes users to miss their deadlines we're actually hurting our business. That's why working with patches and a patch management solution requires more than just clicking buttons. It requires more than just a priority on keeping things secure. It requires a look at how our users behave, and how we can fulfill our requirements for security while minimizing our impact on everything else. What you need is a patch management schedule.

How Not to Do Patching

As an IT analyst and occasional consultant, I get the regular opportunity to pop into other people's networks and poke around. That opportunity puts me into the networks of the very smallest all the way to the very largest IT organizations. While every network is different, you'd be amazed at how common some tactics are.

[Figure 1: WSUS Patch Configuration in Group Policy Management Console]

Take, for example, the usual settings many administrators configure for deploying WSUS patches. These settings are strikingly common, even as they completely obliterate user productivity on patch deployment day. Even worse, a casual read through the blogosphere would have you think that they're actually a good idea. Here are the Group Policy settings, found in Computer Configuration > Administrative Templates > Windows Components > Windows Update, that define how you shouldn't schedule patching:

- Configure Automatic Updates. Under Configure automatic updating: 4 - Auto download and schedule the install.
- No auto-restart with logged on users for scheduled automatic updates installations. Disabled.
- Delay Restart for scheduled installations. Enabled, with any configured value.
- Reschedule Automatic Updates scheduled installations. Wait after system startup, with any configured value.

Let's take a look at what this combination of Group Policy settings actually accomplishes. Its first setting configures automatic updates to download and install once they've been approved and the start time arrives. Configure that start time for the middle of the night, and most of your patchwork gets done when no one's around. This approach might have worked well back in the days when most computers never left the office. But today, most computers aren't desktops anymore. They're laptops, and they're not necessarily guaranteed to be powered on when the start time kicks off.

Here's where the rest of these settings actually cause more problems than they solve. Computers that are powered off during their time for patching will, with this configuration, start the patch installation process once they power back on. That period is usually when the user needs the computer the most, right when they're starting work for the day. The collection of bad settings here may give the user a postponement and even a delay to partially insulate them from the pains of the post-installation patch reboot. But if that user powers on their laptop, starts working on a document, and then walks away for a while, they're going to be in for a world of hurtful rebooting.

[Figure 2: Configuring Automatic Updates]

Introducing the Patch-and-Hold Technique

Many administrators configure these less-than-optimal settings because of a long-held fear of not immediately rebooting a computer after a patch installation. That fear is admittedly warranted. Back in Windows' early days, not rebooting after a patch installation could cause real problems. Half-installed patches lingering around a system drive in those days sometimes caused BSODs or worse. Today's Windows Update service is far smarter than it was in the old days. The Windows Update service has for a long time been intelligent enough to pre-stage patches that require a reboot. Once pre-staged, the computer can continue to operate without problems. Patches awaiting a reboot will get installed later, during that reboot.

This added intelligence grants the patching administrator the ability to patch systems but hold off on the reboot until a more appropriate time in the future. One could still, for example, set the Configure Automatic Updates policy setting to Auto download and schedule the install for some period during the workday. Your next step is to prevent the reboot from happening. You can accomplish this by setting the No auto-restart with logged on users for scheduled automatic updates installations policy setting to Enabled. The combination of these two settings gets patches installed while users and their laptops are in the office, but defers the reboot until the next time they actually reboot the computer. You can speed this process even more for patches that don't require a reboot for their installation: those can get automatically installed by setting the Allow Automatic Updates immediate installation policy setting to Enabled.

[Figure 3: No Auto-Restart Configuration]

How to Handle Reboots: The Scheduled Reboot Window

This combination is pretty powerful stuff, and it's functionality that you can get right out of the box with Group Policy. Yet there's something absolutely missing that keeps this from being a complete solution: reboots. While the settings in the last section are great for getting rid of the unpredictable reboots that happen as a result of patch installation, they do nothing for actually getting those reboots programmatically implemented across the board. Indeed, you can just tell your users, "Hey, you should probably reboot from time to time." But we all know that users invariably do the wrong thing when we give them the right to choose. WSUS and its Group Policies alone don't address the reboot problem very well (a point that I've already made at the beginning of this article). As a result, solving the reboot problem requires some tools that exist outside WSUS itself. The solution that works best across nearly every implementation is what I'll simply call a scheduled reboot window.
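Before building the reboot window it helps to confirm which of the two setting combinations above a machine actually carries. The following audit script is an added example, not code from the paper or from ScriptLogic: it reads the registry values that the Windows Update policy settings write (the documented WSUS policy value names) and reports which of the article's two patterns they match; the 8:00 to 17:00 workday range it checks against is an assumption.

```powershell
# Added example, not code from the paper: audit the Windows Update policy
# registry values on this machine against the two combinations the article
# describes. Value names are the documented WSUS policy registry values;
# expected numbers follow the article (AUOptions 4 = auto download and
# schedule the install). The 8:00-17:00 "workday" range is an assumption.
function Get-AuPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (-not (Test-Path $key)) { throw 'No Windows Update policy is configured on this machine' }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        AUOptions                     = [int]$p.AUOptions
        ScheduledInstallTime          = $p.ScheduledInstallTime               # hour 0-23, or $null
        NoAutoRebootWithLoggedOnUsers = [int]$p.NoAutoRebootWithLoggedOnUsers
        RebootWarningTimeoutEnabled   = [int]$p.RebootWarningTimeoutEnabled   # "Delay Restart for scheduled installations"
        RescheduleWaitTimeEnabled     = [int]$p.RescheduleWaitTimeEnabled     # "Reschedule Automatic Updates scheduled installations"
        AutoInstallMinorUpdates       = [int]$p.AutoInstallMinorUpdates       # "Allow Automatic Updates immediate installation"
    }
}

function Test-PatchSchedule {
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if ($Policy.AUOptions -ne 4) {
        $findings += "AUOptions=$($Policy.AUOptions): installs are not scheduled automatically"
    }
    if ($Policy.NoAutoRebootWithLoggedOnUsers -ne 1) {
        $findings += 'No auto-restart with logged on users is not Enabled: a scheduled install will reboot a working user'
    }
    if ($Policy.RescheduleWaitTimeEnabled -eq 1) {
        $findings += 'Reschedule after startup is Enabled: a missed overnight install runs when the laptop powers on'
    }
    if ($Policy.RebootWarningTimeoutEnabled -eq 1) {
        $findings += 'Delay Restart is Enabled: the post-install reboot is only postponed, not held'
    }
    $hour = $Policy.ScheduledInstallTime
    if ($null -ne $hour -and ($hour -lt 8 -or $hour -gt 17)) {
        $findings += "Install hour $hour is outside the workday: laptops may be powered off then"
    }
    if ($Policy.AutoInstallMinorUpdates -ne 1) {
        $findings += 'Immediate installation of updates that need no reboot is not Enabled'
    }
    $verdict = if ($findings.Count -eq 0) { 'Patch-and-Hold' } else { 'Needs attention' }
    [pscustomobject]@{ Verdict = $verdict; Findings = $findings }
}

Test-PatchSchedule -Policy (Get-AuPolicy) | Format-List
```

Run it on a workstation after a Group Policy refresh; every finding names the policy setting to change.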

A scheduled reboot window is a period of time that you and your users negotiate wherein you're allowed to reboot every desktop in your organization. Perhaps that window is from 2:00 PM to 4:00 PM on Wednesdays and Saturdays. Maybe it's slightly past the end of the workday. Whenever you agree upon your reboot window, it is a set time period every week during which you're given carte blanche to reboot everything.

Having that reboot window means being able to Patch-and-Hold users' computers. Those with desktops will get rebooted because they're on the network. Those with laptops will get rebooted when they unplug at the end of the day and head home. System patched; system rebooted. Scheduling that reboot window to occur just past the end of Patch Tuesday also ensures you get patches installed and systems rebooted quickly after patches are announced.

Now, your next question is probably, "So, how does one script the reboot?" The possibilities are numerous. You could create a VBScript or PowerShell script to accomplish the task, scheduling either via a Scheduled Task. Doing so via a scheduled script obviously solves the task, but requires some first-hand knowledge of scripting. You've also got to keep an eye on your Scheduled Task, ensuring that it runs every night like it's supposed to. Here's a quick script that can reboot a bunch of computers, all at once. You'll need a file called computers.txt that contains computer names, one per line, in the same folder as the script.

    ' Reboot every computer named in computers.txt, one per line, via WMI
    RebootFile = "computers.txt"
    LogFile = "results.txt"      ' declared for a log, not written by this basic script
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(RebootFile, 1, True)   ' 1 = ForReading
    On Error Resume Next
    Do While f.AtEndOfStream <> True
        strComputer = Trim(f.ReadLine)
        If strComputer <> "" Then
            ' (Shutdown) requests the shutdown privilege the Reboot method needs
            Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}!\\" & strComputer & "\root\cimv2")
            If Err.Number <> 0 Then
                ' unreachable or access denied: skip it and move on
                Err.Clear
            Else
                Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
                For Each objOperatingSystem In colOperatingSystems
                    objOperatingSystem.Reboot()
                Next
            End If
        End If
    Loop
    f.Close

This script is admittedly very basic. It's also VBScript, which every IT pundit in the world will tell you is a language soon to go away. Accomplishing the same task in Windows PowerShell is remarkably simpler:

    Restart-Computer -ComputerName (Get-Content computers.txt)

The Pain of Reboot Scripts

Reboot scripts are ridiculously powerful, when you've got the time to code them correctly. The script above very obviously reboots computers, but it does nothing for letting you know which ones actually responded. It doesn't let you know when computers have problems, or when they're just not behaving correctly. A desktop management solution can give you better control over this whole reboot process. Such a solution might introduce the kinds of logging that alert you when computers misbehave. Scripts alone are also challenging for those special cases, like when you want to reboot everybody except for the vocal few, like the executives and those annoying developers who run jobs at night. Scripts run via Scheduled Tasks also do little for laptop users who, rather than shut down their computers as they leave for the night, instead choose to just put them to sleep. Some laptop users in the Scheduled Tasks situation might go days or even weeks without rebooting, thanks to Windows' built-in hibernation features.

So the moral of this story is: get yourself off the WSUS settings that benefit you but cause problems for your users. Get yourself on a scheduled reboot window, to ensure your patches complete their installation in a timely manner. And get yourself a desktop management solution, one that's primed to assist when those special cases become problematic.
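The reboot-window runner below is an added example, not the paper's script or a ScriptLogic product, and it closes the gaps just listed for the scripted approach: it acts only inside the negotiated window, skips an assumed exclusions.txt of machines that must never be rebooted, reboots only machines that Windows Update reports as waiting for a reboot, and writes a per-computer result so that sleeping laptops and other non-responders show up for the next window. The file names, window days and hours are assumptions taken from the article's 2:00 PM to 4:00 PM Wednesday/Saturday example.

```powershell
# Added example, not the paper's script. Assumed inputs: computers.txt (one
# hostname per line) and exclusions.txt (hosts never to reboot). Requires
# PowerShell remoting to the targets for the pending-reboot check.
param(
    [string]$ComputerList = 'computers.txt',
    [string]$ExcludeList  = 'exclusions.txt',
    [string]$LogFile      = 'reboot-results.csv',
    [int[]] $WindowDays   = @(3, 6),   # Wednesday and Saturday (Sunday = 0)
    [int]   $WindowStart  = 14,        # 2:00 PM
    [int]   $WindowEnd    = 16         # 4:00 PM
)

function Test-InRebootWindow {
    param([datetime]$Now = (Get-Date))
    ($WindowDays -contains [int]$Now.DayOfWeek) -and
        ($Now.Hour -ge $WindowStart) -and ($Now.Hour -lt $WindowEnd)
}

function Test-PendingReboot {
    # Windows Update creates this key when an installed patch is waiting for a reboot
    param([string]$ComputerName)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock { Test-Path $using:key }
}

function Invoke-RebootWindow {
    if (-not (Test-InRebootWindow)) { Write-Warning 'Outside the reboot window; nothing done.'; return }
    $exclude = @()
    if (Test-Path $ExcludeList) { $exclude = Get-Content $ExcludeList | ForEach-Object { $_.Trim() } }
    $results = foreach ($name in Get-Content $ComputerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }) {
        $status = try {
            if ($exclude -contains $name) { 'Excluded' }
            elseif (-not (Test-PendingReboot $name)) { 'NoRebootPending' }
            else {
                # -Force: the window is the negotiated carte blanche, so a logged-on user does not block it
                Restart-Computer -ComputerName $name -Force -ErrorAction Stop
                'RebootSent'
            }
        } catch { "Failed: $($_.Exception.Message)" }   # unreachable, asleep, or access denied
        [pscustomobject]@{ Time = Get-Date -Format s; Computer = $name; Status = $status }
    }
    if ($results) { $results | Export-Csv -Path $LogFile -NoTypeInformation -Append }
    $results
}

Invoke-RebootWindow | Format-Table -AutoSize
```

Schedule it as a Scheduled Task that runs every few minutes during the window; the CSV accumulates one row per computer per run, so a "Failed" host that later answers is visible in the same log.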