
Yesterday I babysat a Windows 2008 R2 server for three hours applying multiple rounds of Windows Updates. This is not a good use of my time.

This is a server that cannot apply updates automatically; I have to schedule maintenance windows in order to reboot the server. I want to bring Windows completely up to date during that maintenance window, which often means multiple rounds of a check-for-updates/download-updates/apply-updates/reboot cycle.

I know that I can download updates and apply them manually, but that doesn't really help when Windows determines after the first round of updates that it needs to apply even more updates.

The biggest problem is that it can easily take ten minutes for Windows to determine what updates it needs to apply. It can then take easily another ten minutes to download these updates. Then it can take ten minutes to reboot and finish the update installation. If it decides that you need three rounds of updates, that's an hour and a half, and that assumes that Windows doesn't freak out and make one of those steps take forever, or fail, making you start over.

Is there any way to determine all of the updates that would be needed to bring a Windows system up to date beforehand, so that I can just apply them all by hand and avoid having to wait for Windows to perform its interminably long checks and ridiculously slow downloads multiple times during my maintenance window?

(I feel like this should be a FAQ, but I can't find it.)

wfaulk

3 Answers


WSUS. Just installed it myself a few weeks ago and it's making my life much easier.

Tedwin
  • Correct me if I'm wrong, but doesn't that just effectively fix the "download" part? It's not nothing, but the "checking to see what updates I need" part is just as long, if not longer. – wfaulk Apr 11 '16 at 14:32
  • You're right, when you initially set up the server it'll take a while for all your clients to report in and say what updates they require. But you can manage them all from one place and you don't need to be waiting around as you describe. I automate my update installs, so only critical or important updates are automatically installed. So it's totally automated in my case. Just check in to the WSUS console every now and then to be sure everything is happy. – Tedwin Apr 11 '16 at 14:35
  • But that assumes that your server can be rebooted whenever. I have systems where I have to schedule maintenance windows. If I want to bring Windows up to date during that maintenance window, I have to run Windows Update multiple times. (I'm going to add that to the question.) – wfaulk Apr 11 '16 at 14:38
  • No, it does not. My servers do not automatically reboot; I restart them when there's a window to do so. – Tedwin Apr 11 '16 at 14:40
  • When I do that, when it comes back up, it often decides that it needs to apply another round of updates. When that happens for you, do you just wait for the next window? – wfaulk Apr 11 '16 at 14:43
  • Yes. We can only restart our servers every so often, so it's not always possible to get all updates installed right this second. – Tedwin Apr 11 '16 at 14:57
  • Tedwin, a one word answer 'WSUS' isn't much cop at all. How does that help the OP in his specific situation? -1 – BlueCompute Apr 11 '16 at 15:09
  • The OP is sitting around staring at a screen trying to install updates... kind of sounds like exactly what he or she needs to me... reporting and automation. What is your better suggestion? – Tedwin Apr 11 '16 at 15:18

Is there any way to determine all of the updates that would be needed to bring a Windows system up to date beforehand, so that I can just apply them all by hand and avoid having to wait for Windows to perform its interminably long checks and ridiculously slow downloads multiple times during my maintenance window.

As far as I know, no, not really. The core problem is that Windows Update doesn't flag an update as needed if a prerequisite update is missing. It does this to prevent attempting to install an update whose prerequisite has not yet been met, which could lead to a system that won't even boot. It's potentially very complicated to generate a list of missing updates that accounts for prerequisites, superseded updates, etc. that accounts for all software installed on a system including software that will be installed by each patch or update in the chain.

About the best you can do is use a patch management system like WSUS to see that a server doesn't have certain updates installed. If you see a server missing monthly updates from the last six months, you know it might need multiple restarts if the same system was patched multiple times or upgraded and then patched.

Note that if you wait long enough, you'll find the same issue to be true with Linux updates as well.

The best way to avoid the situation is to patch often.

Bacon Bits
  • Re: Linux updates: Maaaybe. But even if that's the case, it takes seconds for it to determine *what* needs to be updated for each round of updates, not multiple minutes. – wfaulk Apr 11 '16 at 15:04
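
An added example, not part of the answer or comments above: a PowerShell script that uses the Windows Update Agent COM API to run the slow scan and the downloads ahead of the maintenance window and to list what the first round will contain. It assumes an elevated session and a reachable update source (WSUS or Microsoft Update); as the answer explains, updates whose prerequisites are still missing will not appear until a later round.

```powershell
# Added example. Run elevated, ahead of the maintenance window.
# It only scans and downloads: nothing is installed and nothing reboots.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# The slow "checking for updates" step, done outside the window.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$rebootText = @{ 0 = 'never'; 1 = 'always'; 2 = 'may request' }
$toFetch = New-Object -ComObject Microsoft.Update.UpdateColl

$report = foreach ($u in $result.Updates) {
    # Queue anything not yet in the local cache whose licence terms are accepted.
    if (-not $u.IsDownloaded -and $u.EulaAccepted) { [void]$toFetch.Add($u) }

    # New-Object PSObject keeps this usable on PowerShell 2.0 (the 2008 R2 default).
    New-Object PSObject -Property @{
        KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity   = $u.MsrcSeverity
        SizeMB     = [math]::Round($u.MaxDownloadSize / 1MB, 1)
        Downloaded = $u.IsDownloaded
        Reboot     = $rebootText[[int]$u.InstallationBehavior.RebootBehavior]
        Title      = $u.Title
    }
}
$report | Select-Object KB, Severity, SizeMB, Downloaded, Reboot, Title |
    Format-Table -AutoSize

if ($toFetch.Count -gt 0) {
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $toFetch
    $outcome = $downloader.Download()
    # OperationResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed
    "Queued $($toFetch.Count) update(s) for download, result code $($outcome.ResultCode)"
} else {
    "Nothing queued for download ($($result.Updates.Count) update(s) pending)."
}
```

Running the same script again after each reboot shows whether another round has become applicable before you commit more of the window to it.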

Yesterday I babysat a Windows 2008 R2 server for three hours applying multiple rounds of Windows Updates. This is not a good use of my time

Don't wait so long between update cycles. Microsoft releases updates every second Tuesday of every month (for the past 13 years). If you install patches every month you'll (almost) never have more than a single download/install/reboot cycle per server.

joeqwerty