1

I have several Windows ec2 instances that are controlled by an ELB (Elastic Load Balancer). These instances are scheduled to install any new Windows updates once per day during non-peak hours.

Automatically installing Windows updates often causes all of my Windows ec2 instances to be unavailable at the same time. Service availability is one of the primary reasons that I am using an ELB.

How can I install Windows updates automatically and prevent service disruption due to installing those updates?

Edit: I want to do this without the overhead of running an additional service (e.g. WSUS or a domain controller).

cseaton

2 Answers

1

If your Windows machines are not part of a domain, the following link may help you configure things the way you want.

http://technet.microsoft.com/en-us/library/cc720464(v=ws.10).aspx

The registry keys and values described in the article will not exist by default. These can either be created manually, or by editing the local group policy, using gpedit.msc. This will allow you to add the keys via a GUI, just like with domain Group Policy. You can then export the resulting registry keys, and alter/import them for other machines as needed.

If they are in a domain, doing this via group policy is the best way. You can group the computer objects in organizational units, or by groups, then apply a GPO, using slightly different timing settings.

The Configure Automatic Updates setting is the one you would want to change between groups of machines; this can be found in the Group Policy Management Console.

Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates

Updates can also be set to install automatically using this option, plus additional options available in adjacent settings.

Dave Green
  • I'm looking to do this without a domain controller. I'm probably going to try and use a PowerShell script to randomize the update installation time for each instance. – cseaton Sep 09 '14 at 13:19
  • I have been unable to find any of the keys listed in that technet article. Does the Group Policy feature have to be installed on the servers to be able to access these registry keys? – cseaton Sep 09 '14 at 14:24
  • 1
    The keys won't exist, as they are in the Policy section of the registry. You can use the local group policy editor, gpedit.msc, to add them via a GUI, just like with domain Group Policy, then export the resulting registry keys, and alter them for your other machines. – Dave Green Sep 10 '14 at 06:18
  • 1
    What I ended up doing is creating these registry entries using a PowerShell script that bootstraps the individual instances. Each ec2 instance randomly chooses between 8 different times to install scheduled updates. – cseaton Sep 12 '14 at 19:44
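
A sketch of the bootstrap approach described in the comments above, as an added example that is not the asker's script or code from the linked article. It writes the documented Windows Update policy values under the `Policies\Microsoft\Windows\WindowsUpdate\AU` key; the function names, the eight slot hours and the use of the computer name as a seed are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: stagger the Windows Update install hour per instance.
# Slot hours are constructed sample values; adjust them to your off-peak window.
$SlotHours = 0, 1, 2, 3, 4, 5, 22, 23   # 8 candidate install hours (local time, 0-23)

function Get-UpdateSlotHour {
    param(
        [int[]]$Hours,
        [string]$Seed   # optional (hypothetical parameter); same seed gives the same slot
    )
    if ($Seed) {
        # Deterministic choice: hash the seed so re-running the bootstrap keeps the slot.
        $sha   = [System.Security.Cryptography.SHA256]::Create()
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Seed))
        return $Hours[$bytes[0] % $Hours.Count]
    }
    # No seed: pick one slot at random, as in the comment above.
    return $Hours | Get-Random
}

function Set-AutoUpdateSchedule {
    param([ValidateRange(0, 23)][int]$Hour)
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    # The policy key does not exist by default, so create it first.
    if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }
    $values = @{
        NoAutoUpdate         = 0      # automatic updates enabled
        AUOptions            = 4      # 4 = download automatically and schedule the install
        ScheduledInstallDay  = 0      # 0 = every day
        ScheduledInstallTime = $Hour  # hour of day, 0-23
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $au -Name $name -Value $values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

$hour = Get-UpdateSlotHour -Hours $SlotHours -Seed $env:COMPUTERNAME
Set-AutoUpdateSchedule -Hour $hour
Write-Output "Scheduled install hour set to $hour"
```

Independent random or hashed choices can still land several instances in the same hour, so with only a few instances behind the ELB an explicit per-instance slot assignment is the only way to guarantee they never update together.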
0

Point your instances at a WSUS server, which you can then use to group your instances into two or more groups, each of which gets the updates at a different time.

EEAA
  • I don't have the budget or time to manage another service just to solve this problem. I will add that to the question. – cseaton Sep 09 '14 at 13:20