The previous posts on The Patch Solution have outlined the thought process and goals for a patching strategy. Now it’s time to start putting that strategy into practice. Now that we have defined some of our goals (see The Patch Solution – Part 3 post), we can start looking at how we reach them. In my opinion, one of the easiest goals to attain is reporting. It is an attainable goal that is completely measurable and trackable: run a report, see where you stand, update a few machines, run the report again and see how far you got. The solutions we try to come up with at TriCon Elite are all about being free and giving back to the community. We strive for secure and simple. For The Patch Solution, we opted to use Windows Server Update Services (WSUS).
The benefits of using WSUS are:
- Has been around for years
- Is a built in Server Role within the operating system
- Available free of charge
- A tried, tested and true technology that is supported by Microsoft
- Built in reports
- Configurable via Group Policy
- Minimizes WAN bandwidth
- Single control point of update approval
The downsides of WSUS without The Patch Solution:
- Once an update is approved, Windows machines install it pretty much whenever they want
- Does not have proactive reporting
- Does not save reports
Reporting
From a reporting perspective, WSUS falls down: you need to go in and run your own reports manually, whereas the reports from The Patch Solution are scheduled. The Patch Solution adds essentially two reports to the table. They are quite simple, but they offer two added features:
- Email the report output (HTML)
- Export the results to an XLS file
How is this reporting different from the built-in reports? It’s about when the reports are run.
The Full Report
The full report details all the machines and the number of outstanding patches for each of them, regardless of the defined maintenance windows. It only shows machines with 1 or more outstanding patches. Generally I have this report scheduled to run on Monday mornings at 06:00 so that it’s in my inbox in the morning.
The Upcoming Patch Report
The upcoming patch report is actually the default report and it should be run every day. Again, I usually kick this one off every morning at 06:00. This report enumerates all the maintenance windows and determines which machines are scheduled to patch tomorrow. This is the bonus of this report: I can now see which machines are going to patch in the next maintenance window tomorrow, and how many patches each of them will install. If something is going on, I can halt the patching for all machines or for a particular machine. This report gives you a preview of what is going to happen in the environment. Along with the email in your inbox, there is also a link to the Excel file detailing the patches for each machine.
Environments with Multiple WSUS
Some environments have multiple instances of WSUS. The Patch Solution reports query all WSUS instances within the hierarchy and combine the results into one report. This is great for environments that have distributed sites or DMZ-type infrastructures.
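As an added illustration of the Full Report and the multi-WSUS behaviour described above (this is example code written for this page, not The Patch Solution’s own scripts), the following PowerShell uses the public Microsoft.UpdateServices.Administration API to list every machine with 1 or more outstanding approved updates, across several WSUS instances, and then emails the HTML and saves a file. Server names, port, SMTP settings and the output path are assumed placeholders, and the file export uses CSV via Export-Csv rather than the XLS export the post mentions.

```powershell
# Added example, not code from The Patch Solution. Assumes the WSUS console
# assemblies are installed on the machine running it (e.g. a WSUS server).
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Get-OutstandingPatchSummary {
    param(
        [string]$ServerName = 'wsus01.example.local',   # assumed server name
        [int]$Port = 8530,                              # default non-SSL WSUS port
        [bool]$UseSsl = $false
    )
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($ServerName, $UseSsl, $Port)

    # Scope: approved updates that are still missing, downloaded-but-not-installed,
    # waiting on a reboot, or failed. Installed/NotApplicable are excluded.
    $updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
    $updateScope.IncludedInstallationStates =
        [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled -bor
        [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::Downloaded -bor
        [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::InstalledPendingReboot -bor
        [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::Failed
    $computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope

    # One summary row per computer target; skip machines with nothing outstanding,
    # matching the Full Report's "1 or more outstanding patches" rule.
    foreach ($summary in $wsus.GetSummariesPerComputerTarget($updateScope, $computerScope)) {
        $outstanding = $summary.NotInstalledCount + $summary.DownloadedCount +
                       $summary.InstalledPendingRebootCount + $summary.FailedCount
        if ($outstanding -lt 1) { continue }
        $target = $wsus.GetComputerTarget($summary.ComputerTargetId)
        [pscustomobject]@{
            WsusServer   = $ServerName
            Computer     = $target.FullDomainName
            Outstanding  = $outstanding
            Failed       = $summary.FailedCount          # worth a second look: failed installs
            LastReported = $target.LastReportedStatusTime # stale clients hide real exposure
        }
    }
}

# Query every WSUS instance in the hierarchy (assumed names) and combine the rows.
$servers = 'wsus01.example.local', 'wsus-dmz.example.local'
$report  = $servers | ForEach-Object { Get-OutstandingPatchSummary -ServerName $_ }
$report | Sort-Object Outstanding -Descending |
    Export-Csv -Path 'C:\PatchReports\FullReport.csv' -NoTypeInformation   # assumed path
$html = $report | ConvertTo-Html -Title 'WSUS Full Report' `
    -PreContent "<h2>Machines with outstanding patches: $(@($report).Count)</h2>" | Out-String
Send-MailMessage -From 'wsus@example.local' -To 'patching@example.local' -Subject 'WSUS Full Report' `
    -Body $html -BodyAsHtml -SmtpServer 'smtp.example.local'               # assumed mail settings
```

Schedule the script with Task Scheduler at 06:00 to get the same Monday-morning or daily cadence the post describes; a downstream replica's counts are also rolled up on the upstream server, so query each instance directly only when you want per-site detail.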