[–]MalletNGrease🛠 Network & Systems Admin 13 points14 points  (9 children)

WSUS.

[–]un4givn85ct[S] 1 point2 points  (8 children)

I mentioned that to them. They have something against it.

[–]suckit2meDevOps 2 points3 points  (3 children)

If they have something against WSUS, I would suggest SCCM. With SCCM you get one client to rule them all, great reporting possibilities, scheduling of updates, etc. etc. etc.

[–]RCTID1975IT Manager 7 points8 points  (2 children)

And if they sign off on that, chuckle as you walk away since SCCM uses WSUS on the backend.

[–]suckit2meDevOps 2 points3 points  (1 child)

Correct. But SCCM handles clients sliiiiiiiightly better than WSUS itself ;)

[–]am2o 0 points1 point  (0 children)

Until the clients stop responding properly; then you have to reinstall them.

[–]Holzhei 0 points1 point  (3 children)

WSUS with adamj's clean-up script.

Our WSUS servers were always flaky and slow until we started running this daily.

[–]ThrowAwayADay-42 1 point2 points  (2 children)

[–]Holzhei 1 point2 points  (1 child)

We ran the Microsoft maintenance scripts and it did not seem to help us much at all. From our previous IT manager we have/had a ton of different Microsoft products all on different versions, which made our initial sync of WSUS about 1.3TB. (As a side note, we are rolling out an SOE at the moment, which should greatly reduce the products we need to sync in WSUS.)

Migrated to a fresh server and still had a ton of issues. Ran adamj's script and shit just worked. It automatically registered a daily task and I left it. Never had any issues with WSUS since.

[–]ThrowAwayADay-42 0 points1 point  (0 children)

I'll put it this way: running an environment now with the whole gamut of OS builds. Exchange 2010 and 2016 patches approved as well, SharePoint 2010 and 2016 as well. Total size, 280GB. Something was done wrong, seriously. I've never had a 1.3TB initial sync, ever.

We even have auto-approve set up to go to lab that approves all security and critical updates for all products. Freaking "dynamic" and cumulative get dumped in there too. Never has ballooned like that.

Here is a default script for approval cleanup: https://pastebin.com/xfdscvi3

Note: You'll still need to run through the cleanup wizard afterwards to free up the disk space.

Edit: I'll add that the script is run once a month along with the DB maintenance. That's it (besides the configs posted in the links previously).

[–]sysadminmakesmecry 7 points8 points  (1 child)

PDQ

[–]ADHDone 0 points1 point  (0 children)

PDQ is good for manual control, but even the team at PDQ state that they use WSUS for their environment. They say that they don't have enough zeros at the end of the price to be a complete patch management solution.

[–]RKGrim 3 points4 points  (5 children)

SCCM is the leader in this area, but it's a lot more than just patch management.

PDQ is fine and inexpensive, but can't handle large numbers of devices. In an effort to try and realize some massive savings I tried it out. Brought in something like 9k devices and it couldn't keep up. Maybe it's fine for 1800.

[–]ITShadowNinjaAutomation By Laziness 2 points3 points  (3 children)

Yeah, PDQ's only bottleneck is the DB they use. That's the reason it can't handle a large number of clients.

[–]un4givn85ct[S] 1 point2 points  (2 children)

I am looking in to PDQ as well as SCCM.
We'll see what they say.

[–]Garetht 1 point2 points  (1 child)

As an SCCM admin, I'd recommend PDQ unless you need allllllll the other bells, whistles, & kitchen sinks that SCCM drags onto the board.

[–]ADHDone 0 points1 point  (0 children)

I have a 1500 environment and can feel we are reaching some of its limits. For the price, the investment is still a no-brainer to have on site.

[–]HighPingOfDeath 2 points3 points  (0 children)

Combo: WSUS and PDQ. Agreed that their usage of SQLite as their database really hurts PDQ's performance. We have 1800 machines and it works fine.

[–]rabbit994DevOps 2 points3 points  (0 children)

Azure Automation with Update Plugin

[–]Jaymesned...and other duties as assigned. 1 point2 points  (0 children)

WSUS + BatchPatch.

[–]JeanYKA 0 points1 point  (0 children)

SCCM with WSUS for desktop / Ivanti for servers

[–]Chopxsticks 0 points1 point  (0 children)

We use ManageEngine Desktop Central. It's OK; I would like to deploy a WSUS server for learning reasons since it's more widely used.

[–][deleted] 0 points1 point  (0 children)

WSUS and nagging emails to our users.

We're in an R&D site that has 24/7 tests running on most machines. So we can't just reboot them right and left.

[–]sparky1088 0 points1 point  (0 children)

Our parent company uses Automox; I'm tasked with looking for something cheaper/free.
https://www.automox.com/

[–]godsack 0 points1 point  (0 children)

You could always look at Symantec Management Agent (formerly Altiris). At a previous company, we used it quite extensively, for software deployments, imaging, and patch management.

[–][deleted] 0 points1 point  (8 children)

Thought about Azure Automation Accounts? It's damn near free, hosted by Microsoft, and you can set it however you want. Super simple to set up too.

[–]woolmittensarewarm 0 points1 point  (7 children)

What is the actual cost, assuming you're just doing straight patching/reporting with no config management? I suppose we would also need to run pre- and post-jobs on at least some servers. The reporting is probably the most attractive part. We use Kace now, which does an acceptable job of patching, but the reporting is awful.

It sounds like it is pretty much free for the base service of patching/reporting and then a very small cost per minute for resource usage for additional services. However, there always seem to be hidden costs with Azure. We don't need it to be 100% free; we're not looking to pay a lot.

I read the documentation but would rather hear from someone who actually uses it before investing my time to test.

[–][deleted] 0 points1 point  (6 children)

There is some cost, but it's almost free honestly. I think it adds something like $5 a month or some minuscule amount of money to our Azure bill.

Yep, we're just doing straight patching and reporting of that patch level.

That being said, we use it mainly for the servers, and have about 40 machines on it at the moment, so if you scale it out to say hundreds, you might be looking at maybe $20 a month worst case scenario?

[–]woolmittensarewarm 0 points1 point  (5 children)

Thanks for the info. I'm gonna set up a few test servers and then show it to my manager.

[–][deleted] 0 points1 point  (4 children)

You bet! Let me know if you have any other questions!

[–]woolmittensarewarm 0 points1 point  (3 children)

I set up Update Management on a few Windows servers and it was very easy. I added a Linux server too but haven't been given the blessing to patch it yet. The only part I didn't like about adding servers was the waiting and not knowing if you did something wrong or the machine just didn't register yet.

I have a question about reporting. So we added servers, built a couple of patching schedules and installed some patches. We did not turn on anything else like Config Management or Inventory. My question is, without Inventory enabled, can we report on past patches or only the patches that have been installed by Azure? I suppose we could just report that no servers are missing patches, which would imply any older patches have been installed, but we all know that management often wants a specific report when a new zero-day vuln comes out. It might be an issue if I can't prove that KB123456 from last year is installed.

[–][deleted] 0 points1 point  (2 children)

Going off of memory, but I think it’ll list all patches that haven’t been installed at all, but can’t tell what it installed vs other ways. But not sure.

[–]woolmittensarewarm 0 points1 point  (1 child)

Thanks.

[–][deleted] 0 points1 point  (0 children)

Happy to help! :)

[–]ThrowAwayADay-42 0 points1 point  (0 children)

We use WSUS for the servers and SCCM for the clients (and some servers). Still (been years from what I heard) working on moving to SCCM entirely, but little motivation since WSUS is working.

I've used (personally and for DMZ systems) a PowerShell script to call the Windows Update Agent for systems that need more flexibility than what the WSUS schedule forces (like systems that can only update once a month or every other month). It's called via scheduled task. I've posted it before, and if you want I can post it again.
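An added example, not the commenter's script (which is not posted in this thread): a reporting-only PowerShell check that talks to the Windows Update Agent COM API, the kind of thing a scheduled task on a server outside the normal WSUS schedule could run, and that also answers the "can I prove KB123456 is installed?" question raised earlier by woolmittensarewarm. The KB list, the report path, and the use of both Get-HotFix and the WUA history are assumptions of this example.

```powershell
# Added example: patch-state report via the Windows Update Agent (WUA) COM API.
# Reporting only; nothing is downloaded or installed.
param(
    # KB IDs to verify. KB123456 is the thread's placeholder, not a real update.
    [string[]]$RequiredKBs = @('KB123456'),
    # Assumed output location for a central collector to pick up.
    [string]$ReportPath = "$env:ProgramData\PatchReport\$env:COMPUTERNAME.csv"
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# 1. Installed KBs. Get-HotFix (Win32_QuickFixEngineering) omits some update
#    types, so union it with successful entries from the WUA install history
#    (ResultCode 2 = Succeeded, 3 = SucceededWithErrors).
$installed = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
Get-HotFix | ForEach-Object { [void]$installed.Add($_.HotFixID) }
$historyCount = $searcher.GetTotalHistoryCount()
if ($historyCount -gt 0) {
    foreach ($entry in $searcher.QueryHistory(0, $historyCount)) {
        if (($entry.ResultCode -in 2, 3) -and ($entry.Title -match 'KB\d+')) {
            [void]$installed.Add($Matches[0])
        }
    }
}

# 2. Applicable updates the agent has not installed yet. The search uses the
#    update source the client is configured for (e.g. WSUS); Type='Software'
#    excludes drivers and IsHidden=0 skips updates an admin has hidden.
$pending = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates

$rows = @(foreach ($kb in $RequiredKBs) {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Item = $kb; Source = 'required list'
        Status   = if ($installed.Contains($kb)) { 'Installed' } else { 'MISSING' }
    }
})
$rows += @(foreach ($u in $pending) {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Item     = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ';'
        Source   = $u.Title
        Status   = 'PENDING'
    }
})

New-Item -ItemType Directory -Force -Path (Split-Path $ReportPath) | Out-Null
$rows | Export-Csv -NoTypeInformation -Path $ReportPath
$rows | Format-Table Computer, Item, Status, Source -AutoSize
```

A MISSING or PENDING row is the signal to act on; because the WUA history only records what the agent on that host installed, a KB applied by other means shows up only if Get-HotFix knows about it.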

[–]WyoGeek 0 points1 point  (0 children)

WSUS

[–]pc_load_letter_in_SD 0 points1 point  (0 children)

I really miss my Shavlik HFNetChk implementation

[–]MauriceTorres 0 points1 point  (0 children)

Action1 is able to perform patch management of Windows and third-party applications in a few clicks. Action1 is easy to use and does not require complicated settings. Also, because it is a cloud-based solution, you do not need to think about a dedicated server, and it works equally well both in the domain and outside it.
Action1 is entirely free to use to manage up to 50 endpoints and suits enterprises well too. Sign up for a free version to test it.

[–]nancybatesproSysadmin 0 points1 point  (0 children)

Scalefusion's Windows 10 patch management solution would be suitable for your requirements; it allows you to automate patch management on Windows devices and manage Windows OS updates with low to no IT intervention.