Re: [LUG] OT: Updating windows was Re: CentOS and it's useful lack of network on boot

On 15/01/14 22:54, Simon Waters wrote:

> Had you down as the kind of person to install WSUS when a second
> computer arrives on the network, given your "nothing changes without
> me authorising it" approach to system admin.
> 
> What's the alternative you'd suggest for smaller networks of Windows
> machines? Say the 0 to 50 desktops range.
> 
> Microsoft say set a group policy to use Windows Update, which is
> probably sound advice for a small domain, with just regular boring
> desktops for Word-processing and Email, and little other
> infrastructure to break.
> 
> Somewhere an admin is sticking Windows update monitoring into Nagios
> and cursing the vagaries of PowerShell and Windows admin rights, but
> that is probably fine for the odd server inflicted on us by history,
> in a tightly controlled environment, where we just need the odd bit
> of Microsoft server software to work, and Nagios or similar is a
> given for the Linux or Unix side of things. We'll know it needs
> patching, we'll do it manually, and test, and roll-out in a really
> small deployment (of Windows anyway). Even here WSUS is looking like
> it might have some benefits.
> 
> I'm definitely not a Windows admin, so curious where folks go here,
> and how well it works.
> 
> Microsoft seem to see the third party software update thing, as well
> as some improved management, as a revenue stream, which is perhaps
> where Linux distros went wrong, if Debian had a penny for every
> package I'd updated from their mirrors....
> 

Ha, I do have WSUS running here at home actually, but then I have more
computer resources than a lot of small shops do, and more instances
(especially counting the VM herds). But I do mostly work here and all my
testing, learning and experimenting with new stuff is done at home so
I've got one of almost everything to hand that I might run into at work.

For a smaller shop of 0-50 machines WSUS is still useful, especially if
it's one of the local ones you guys sometimes mention that are on
terrible internet connections - just the bandwidth savings alone would
be useful. It's easy to set up and use, I'd say it mostly depends on
whether you already have the existing hardware and licensing stuff in
place, i.e., you won't have to spend any more money on it. So if you've
already got a couple of 2008/2012 Windows Server boxes in place that
aren't working very hard or doing much, might as well turn it on!

Otherwise, it depends on the era of your Windows stuff - if it's
creakier, like Vista/XP + Server 2003 then yeah, group policies set from
the PDC. Super modern (all 2012/R2 and 8/8.1) then it's PowerShell
scripts all the way. In between or mixed, and you'll end up using both.

The other critical factor is how managed your environment is - if it's a
small shop with only a handful of non-idiotic, relatively skilled
Windows users they can usually be trusted with Admin or at least
elevation rights and to not install crap/interfere with the update
process. In almost all bigger environments though, by necessity you're
going to be exercising much tighter control and in many places, updates
have to be tested against custom images first to check for breakage
*before* they're rolled out to the network at large. I'm used to the
bigger/more controlled environments personally so have nearly always
used WSUS as a matter of course. It's as much about locking out user
interference and ensuring ongoing patch checking as anything else.

How dearly I wish that Nagios ran properly on Windows... I've tried and
used lots of things that are a start (like NSClient) but it's all just
crap compared to Nagios on *nix. As per usual, I end up having to do
most of this stuff natively with WMI + PowerShell. I also wish that just
writing bash scripts for Windows was a proper option, and whilst I'm at it,
I'd like a pony too.

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
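
The Windows update monitoring for Nagios that the thread mentions, as an added example that is not from either poster: a PowerShell check that queries the Windows Update Agent COM API and maps pending updates onto the standard Nagios plugin exit codes. The thresholds, the search criteria and the idea of running it through an agent such as NSClient are assumptions.

```powershell
# Added example: Nagios-style check for pending Windows updates.
# Thresholds below are assumed defaults; set them to match local patch policy.
param(
    [int]$WarnPending  = 1,   # this many pending updates of any kind -> WARNING
    [int]$CritSecurity = 1    # this many pending Critical/Important updates -> CRITICAL
)

# Standard Nagios plugin exit codes
$OK = 0; $WARNING = 1; $CRITICAL = 2; $UNKNOWN = 3

try {
    # The Windows Update Agent searches whichever source the client is
    # configured for (a WSUS server via group policy, or Microsoft Update).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $reboot   = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired
}
catch {
    # A failed search must not look like "nothing to patch"
    Write-Output "UNKNOWN - update search failed: $($_.Exception.Message)"
    exit $UNKNOWN
}

# -contains (rather than -in) keeps this working on PowerShell 2.0
$pending  = @($result.Updates | Where-Object { $_ })
$security = @($pending | Where-Object { 'Critical', 'Important' -contains $_.MsrcSeverity })

$summary  = "$($pending.Count) updates pending, $($security.Count) rated Critical/Important"
if ($reboot) { $summary += ", reboot required" }
$perfdata = "pending=$($pending.Count);$WarnPending;;0 security=$($security.Count);;$CritSecurity;0"

if ($security.Count -ge $CritSecurity) {
    Write-Output "CRITICAL - $summary | $perfdata"
    exit $CRITICAL
}
if ($pending.Count -ge $WarnPending -or $reboot) {
    Write-Output "WARNING - $summary | $perfdata"
    exit $WARNING
}
Write-Output "OK - $summary | $perfdata"
exit $OK
```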