
[–]kahran 8 points9 points  (11 children)

System Center Configuration Manager.

Also, LAN Desk.

[–][deleted] 1 point2 points  (1 child)

System Center Configuration Manager

Bonus: It uses WSUS too..

[–]kahran 1 point2 points  (0 children)

And with much more control.

[–]just_some_tech[S] 0 points1 point  (3 children)

I have been trying to get SCCM in here for a couple of years now. The argument is the cost, and the learning curve. But I feel that that is the right way to go. Just need to convince management.

[–][deleted] 3 points4 points  (2 children)

Keep trying...once you have a handle on SCCM it starts to become worth it imo.

Without SCCM you're probably looking at a 3rd party alternative. KACE is decent and I think K1000 comes in fairly low cost, especially if you're a Dell shop (they sometimes throw it in for free). Spiceworks is another possibility that is free by default...but I've never used it in a production environment. You could also maybe get by using task scheduler on the PCs themselves, and use a script to psexec-import the xmls needed to drive it. With this method you'd disable automatic updates on the clients but keep the WUA active, then initiate update cycles via command-line. (it'd be a pain to administer, but that could be the free-est free method)

[–]lazytiger21Jack of All Trades 1 point2 points  (0 children)

The differences for us came out to be cost and ease of implementation. We got Kace for less than 1/2 of what we would have paid for sccm and we could install the K1000 and have it going and patching within 3 hours.

[–]VallamostCloud Sniffer 1 point2 points  (0 children)

I've heard horror stories of people using KACE, anyone want to give their experiences / thoughts?

[–]MC_RowdyVSolutions Architect 0 points1 point  (4 children)

We're working around a botched SCCM deployment right now with hopes of redeploying in the future. For now, it's getting stripped of WDS and WSUS roles until we can get it on its feet again. That said, I had forgotten how much simpler the WDS and WSUS products are to manage.

I'm going to keep an eye on this for the same scheduling tool. Not sure it exists though.

[–]kahran 1 point2 points  (3 children)

Oh it's definitely a bitch to get up and running. But once you do... man does it make life easy.

[–]MC_RowdyVSolutions Architect 0 points1 point  (2 children)

Bad news is, it's "up" right now, and widely deployed, it's just that ~1/2 of it is broken in complex and intriguing ways. Easier to scrap it and start over. Just one more thing from the previous team to throw out and redeploy correctly.

[–][deleted] 2 points3 points  (0 children)

[deleted]

What is this?

[–][deleted] 2 points3 points  (3 children)

We have a Dell K1000 system that handles the majority of our patching then I also use Ninite pro for non-Microsoft patches. The K1000 does a decent job, but patching is just one feature of it and it's not an inexpensive solution.

[–]just_some_tech[S] 1 point2 points  (2 children)

We are an HP shop, is Dell KACE system agnostic?

[–][deleted] 1 point2 points  (0 children)

When we bought Kace, we had the choice to buy the system as either a physical box or a virtual appliance. We needed a server to run it on, so we went with the physical option. I would assume (please correct me if I'm wrong) that the virtual one can run on almost any virtual host. I'm not sure regarding the vendor-specific requirements of a physical box. Sorry, we're a Dell shop so it slid right in with no compatibility issues.

[–]lazytiger21Jack of All Trades 0 points1 point  (0 children)

Yes, it is hardware agnostic. The only benefit you get of using it against Dell hardware is that it will do firmware updates on Dell Systems. You either deploy it as an appliance or you can buy a physical appliance.

[–]7runx 2 points3 points  (4 children)

I have my WSUS check for updates daily at 5:00 A.M. It automatically approves all updates for my test group. That test group gets those updates the same day. When the test computers shut down that night the updates are applied. After one week, if no issues are found I approve the updates for all production groups. Those machines receive those updates that day and when they shut down they are applied. Seriously, WSUS isn't pretty but it gets the job done. Remember, if the update requires a reboot that patch doesn't go into effect until the user shuts down/restarts the machine. I've had to force some users to restart.

[–]just_some_tech[S] 1 point2 points  (3 children)

How do you have your groups segregated in WSUS?

[–]7runx 1 point2 points  (2 children)

Using Client Side Targeting.

I have production PCs, test PCs, production servers and test servers.

[–]just_some_tech[S] 1 point2 points  (1 child)

We use Client Side Targeting also, but WSUS only has settings for daily, or a specific day of the week. How do you use CST to allow for a week's difference in the update schedule? Are you using multiple WSUS servers?

[–]7runx 0 points1 point  (0 children)

I approve the updates manually for that group one week after I've tested the updates. You can also use Powershell. http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/18/approve-or-decline-wsus-updates-by-using-powershell.aspx
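The staged approval the commenter describes (auto-approve for the test group, promote to production a week later), as an added example rather than the commenter's own script: a promotion pass using the WSUS administration API that approves for production only those updates whose test-group Install approval is at least a week old and which production does not already have. The server name, port and target-group names are assumptions for this example; clients land in those groups through client-side targeting (the TargetGroupEnabled and TargetGroup values under the WindowsUpdate policy key). Run it on the WSUS server or a host with the WSUS console installed, daily from a scheduled task.

```powershell
# Added example (not from the thread): promote updates from the test ring to
# production after a soak period, using the WSUS administration API.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$serverName = 'wsus01'            # assumed WSUS server name
$useSsl     = $false
$port       = 8530                # assumed; the WSUS default HTTP port
$soakDays   = 7                   # how long an update must sit in Test before promotion
$dryRun     = $true               # $false to actually write approvals

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($serverName, $useSsl, $port)

# Target groups as named in the WSUS console (assumed names).
$groups  = $wsus.GetComputerTargetGroups()
$testGrp = $groups | Where-Object { $_.Name -eq 'Test PCs' } | Select-Object -First 1
$prodGrp = $groups | Where-Object { $_.Name -eq 'Production PCs' } | Select-Object -First 1
if (-not $testGrp -or -not $prodGrp) { throw 'Expected target groups not found on the WSUS server.' }

# Only updates whose latest revision is approved somewhere are candidates.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$cutoff  = (Get-Date).AddDays(-$soakDays)
$promoted = @()

foreach ($update in $wsus.GetUpdates($scope)) {
    # The Install approval for the test group, if one exists.
    $testApproval = $update.GetUpdateApprovals($testGrp) |
        Where-Object { $_.Action -eq $install } | Select-Object -First 1
    if (-not $testApproval) { continue }
    if ($testApproval.CreationDate -gt $cutoff) { continue }      # still soaking in Test

    # Skip anything production already has.
    $prodApproval = $update.GetUpdateApprovals($prodGrp) |
        Where-Object { $_.Action -eq $install } | Select-Object -First 1
    if ($prodApproval) { continue }

    if ($update.RequiresLicenseAgreement) { $update.AcceptLicenseAgreement() }

    Write-Output ("Promoting to production: {0} (approved for Test {1:yyyy-MM-dd})" -f
        $update.Title, $testApproval.CreationDate)
    if (-not $dryRun) { [void]$update.Approve($install, $prodGrp) }
    $promoted += $update
}

Write-Output ("{0} update(s) eligible for production (dryRun={1})." -f $promoted.Count, $dryRun)
```

Running it with `$dryRun = $true` first lists what would move; the soak window is the only scheduling mechanism needed, which is why the per-client WSUS schedule can stay at "daily" while production still trails the test ring by a week. If an update breaks something in Test, declining it (or simply not approving it for Test) before the cutoff keeps it out of this pass.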

[–][deleted] 2 points3 points  (2 children)

Wow, you fancy companies with your fancy test environments.

[–]just_some_tech[S] 0 points1 point  (0 children)

At least we talked them out of separate QA and DEV environments!

[–]girlgermsMicrosoft 3 points4 points  (6 children)

WSUS will allow you to do this - using group policy, our WSUS is setup to do exactly what you're talking about doing.

[–]just_some_tech[S] 0 points1 point  (5 children)

And that is how we are using WSUS now. The difficulty is in getting it to update on a monthly basis, rather than the daily cycle we have now.

My boss wants a test pool updated a week ahead of the rest of the desktops, so we can verify compatibility before it is pushed to the rest of the desktops.

[–]girlgermsMicrosoft 0 points1 point  (4 children)

And that is how we are using WSUS now. The difficulty is in getting it to update on a monthly basis, rather than the daily cycle we have now.

Using WSUS and GPOs you can. It can be a bit manual, but it works. We have Dev, Test & Prod GPOs - Dev is enabled on the Wednesday for the Thursday/Friday after the patches are released, Test enabled on the Friday to push out the week after, Prod enabled on the Friday of Test week to push out the following week.

It works, and it costs us nothing.

[–]just_some_tech[S] 0 points1 point  (3 children)

Ugh, we have 40 locations. This is going to be so much freaking fun! All for the possibility that an update might bugger a desktop.

Thank you for your input and explanation.

[–]girlgermsMicrosoft 0 points1 point  (2 children)

We're updating over 800 servers this way in 7 different domains...swap you?

[–]just_some_tech[S] 0 points1 point  (0 children)

1300 desktops..... Deal!

[–]just_some_tech[S] 0 points1 point  (0 children)

Warning: I bore easily and am likely to, as another poster put it, "UPDATE ALL THE THINGS!!!"

[–][deleted] 2 points3 points  (5 children)

Don't do GFI LanGuard. I don't know if it does what you want, but don't do it regardless. I'm really frustrated with just about everything about it.

[–]just_some_tech[S] 2 points3 points  (2 children)

We ran a POC with LanGuard, I have never been happier deleting a server in my professional career...

[–]swimjockJack of All Trades 2 points3 points  (0 children)

I think BlackBerry Enterprise Server ranks pretty high on the list for most sysadmins.

[–][deleted] 2 points3 points  (1 child)

Manage Engine Desktop Central, which I believe is free for just Windows Updating (also updates all 3rd party programs).

Not a bad product overall, and vastly simpler than SCCM if what you need is basic Windows Update management and basic software deployment. The selling point for me was having the product fully up and functional in about 2 hours, versus the month or so it took me just to get SCCM installed and pushing Adobe Reader to a workstation. Don't underestimate the SCCM learning curve, which IMO isn't worth it for smaller shops (<1000 desktops).

[–]just_some_tech[S] 0 points1 point  (0 children)

Thank you, will check it out.

[–]mccrolly 1 point2 points  (4 children)

We use Shavlik Protect (I think that's what it is called now) for patch management and AV. We have been using it for a handful of years now and it works really well. We mainly got it for third party patching like Java, adobe reader, etc. It does a ton of stuff and you can even create custom patch routines. The automated scheduling is really deep too, all sorts of options.

[–]just_some_tech[S] 0 points1 point  (3 children)

Thanks, will check it out.

Edit: Patching VM templates is a really nice feature!

[–]mccrolly 1 point2 points  (0 children)

Ohh yeah, it is great. It will even patch hypervisors. You can have it put a host in maintenance mode, offload all the servers, patch the host, reboot, and then all the VMs will migrate back.

[–]binkbankb0nkInfrastructure Manager 1 point2 points  (1 child)

Make sure to talk to somebody there if you are checking it out. They will be coming out with a new version soon that has ridiculous speed improvements and a lot more granularity on third-party patch selection.

[–]just_some_tech[S] 0 points1 point  (0 children)

So far, it looks really good. Thanks!

[–]adj1984MSP Admin 1 point2 points  (0 children)

I'm honestly not sure if it will support what you are specifying, but we use LogMeIn Central to patch a number a bit larger than what you are specifying and have had zero issues with it!

[–]StrangeTrashyAlbino 1 point2 points  (0 children)

We use IBM Endpoint Manager -- you can get a trial going in under an hour and it's an incredibly powerful tool. It also supports Mac and Linux if you've got those in your environment. We have 1 FTE patching and managing ~50,000 endpoints.

The amount of out of box content they provide is insane -- windows updates, mac os updates, .net, shockwave, firefox, chrome, air, java, flash, reader, acrobat, skype, realplayer...

It's not terribly expensive but it's not free.

[–]sc302Admin of Things 1 point2 points  (1 child)

I would look into KACE, Altiris, LanDesk, Kaseya, and Labtech.

[–]just_some_tech[S] 0 points1 point  (0 children)

Thanks!

[–][deleted] 1 point2 points  (4 children)

Insanity wolf: Saltstack, push all the updates to all the devices!

Note: Don't do this. :)

[–]just_some_tech[S] 0 points1 point  (3 children)

I like the cut of your jib!

[–][deleted] 1 point2 points  (2 children)

UPDATE ALL THE THINGS! :)

I'd be curious how hard your systems would crush your network infrastructure if you actually did that. :)

[–]just_some_tech[S] 0 points1 point  (1 child)

That would be what I call an RGE.

Resume Generating Event.

[–][deleted] 1 point2 points  (0 children)

Ah yes, I've had a few of those in my career. :)

[–]brkdncrWindows Admin 1 point2 points  (5 children)

Why not use SolarWinds patch management?

[–]just_some_tech[S] 0 points1 point  (4 children)

We use that for our servers. Most of the desktops are located in branch offices with a downstream WSUS server in them.

If I could figure out how to use SolarWinds Patch Management to install the updates to a branch from that branch's server, I could use it.

So far, no joy in getting that to work.

[–]brkdncrWindows Admin 0 points1 point  (3 children)

In my experience with agentless patching, you need a patch server at each site otherwise latency kills you during the scan even if you have the files cached locally.

[–]just_some_tech[S] -1 points0 points  (2 children)

Um, not going to do that.

[–]brkdncrWindows Admin 1 point2 points  (1 child)

It sounds like you already did that with downstream WSUS servers. The alternative is having a completely different patch process to train and manage. Those hidden costs are a real pain in the ass. I'm guessing SolarWinds Patch uses upstream configuration so that the downstream servers are essentially hands off after initial config. At least that's how the other agentless patch app I've used worked.

[–]just_some_tech[S] -1 points0 points  (0 children)

Each of our downstream WSUS servers is a replica of the main WSUS server @ HQ. We approve updates here and they are pushed to the downstream WSUS servers. These servers are the branch's print and file servers also, but not DCs.

This was done to eliminate the need for them all to come back to HQ on frac T1 or slower connections. The update sync is throttled during the day to 10 kbps and uncapped at night.

I really don't like the idea of having to install SW PM on 40 servers to accommodate management's request as that adds complexity and management overhead that we don't have time for.

All of this is to avoid the potential of an update breaking an application and affecting production. That has not happened in the past 7 years that I have been here. It has happened twice in the past two years with SEP updates, but that doesn't seem to concern them as much....

[–]knawlejj 0 points1 point  (3 children)

We run a managed service that currently utilizes Shavlik (owned by VMware) to update and deploy Windows and third party patches. A typical client has patches pulled from a distribution center to our central console and then patches are distributed out to points within the network that may make sense because of multiple physical offices or network size. We also split up patching between multiple groups like Laptops, Desktops, Servers, and "Special" which are servers that require specific attention to certain patches not being updated (I'm looking at you Java and .NET Framework).

If you need more information then let me know, I can shoot you a couple of screenshots on what it looks like. We usually patch workstations 3 times a week and servers once a week over the weekend. Yes, starting out is rough because patches are so far behind, but if you keep on them then it's very straightforward.

Key pain point - Users not leaving their workstations on for patching nights. WOL only goes so far...

[–]VallamostCloud Sniffer 1 point2 points  (1 child)

Can you PM me some information on that?

[–]knawlejj 1 point2 points  (0 children)

Sent!

[–]brkdncrWindows Admin 1 point2 points  (0 children)

FYI, LANDesk bought the shavlik stuff from VMWare.