Patching servers using PSB Software Updater
Anyone using this to patch their servers?
I'd like to, but it seems to be missing some essential options.
Scheduling the patching, and optionally rebooting the server after patching, are the two things that would allow us to use this effectively for server patching. Or has anyone found an effective workaround for this?
Let me answer assuming that you are using the new Server Protection (if not, we recommend that you take it into use as soon as possible as it has many improvements especially to software update).
Scheduling the patch is controlled from the "Profile for Server Protection". It allows you to schedule the update for:
- certain type of updates (e.g. only critical updates)
- certain day and time (e.g. everyday at 18.00)
It also provides control over reboot by selecting ask user or force restart (and selecting in how many hours the restart happens).
Are these the functions you need or are you looking for different and more granular control?
We are using the latest server protection.
Unfortunately, we'd need more granular control than this.
When patching servers we would not patch them all on the same schedule. One week we may patch servers A, B, and C. The next week we may patch servers D and E. Then not patch any for some time.
We're also very selective on exactly what patches we put on to servers, and wouldn't just go ahead and deploy every update available all at once to a server.
There are also specific time windows where servers can be rebooted - for example between 00:00 and 05:00. We can't just tick a box to say reboot after updates have installed, or reboot 2 hours after updates are installed - as this could essentially be any time, depending on how long it takes to complete the update process.
The generic settings in the profile work ok for workstations, but for servers some greater control is required.
Please note that settings in the profile work only for automatic installations. It's definitely a good fit only for workstations and even there it's not for everyone - mostly people are patching only serious security vulnerabilities this way.
But there is also a manual way where you can select what and where to install. During a maintenance window you can check all your servers in the PSB portal one by one and apply only selected updates to them (manually). You can also disable reboot from F-Secure and do the reboot some other way later. (We are planning to add a remote action to request a reboot remotely in the future, but it's not added yet.)
I ran into the same issue myself. I am currently trying to configure automatic updates on our servers and it seems most efficient to let the Software Updater of F-Secure install all the updates, because it will also update non-Microsoft software and everything can be done in one go.
Although the portal does not provide a method to schedule updates for each server independently, I think there is a way to do it. You can create a test profile and set the settings for the Software Updater as close as you want them to be (don't mind the scheduled time, as long as it is not today). Then assign one server to that profile. You will see that once the profile is assigned to the server a scheduled task will appear in the Windows Task Scheduler under F-Secure > Software Updater.
It executes fssua.exe with some arguments.
You can use this task as an example to create your own task on each server.
I have to warn you that I have not tested this yet, but it seems pretty straightforward to me; can't imagine that it will not work.
That leaves the issue of control over restarting: the Server Protection profile does not have any options for that. The options mentioned previously in this thread are only available in Computer Protection and not in Server Protection.
For some of the servers I manage this is not an issue, I will test it anyway to see if it will actually restart automatically.
I've just tested my custom scheduled task for starting the installation of updates and it is working.
As I said in my previous message, I got the settings from a scheduled task which F-Secure will create on a server when you configure automatic updates installation in a server profile.
Unfortunately it did not update all available updates at once, so I have to keep that in mind when creating an update script.
F-Secure does not reboot the server after installing the updates, which gives me the option to do this myself if needed by adding a reboot command in my script.
This does not give me a lot of control over what updates will be installed; I can only choose between installing critical updates, critical and important updates or all updates.
Any updates I do not want to install can be configured in the profile, but that requires a lot of maintenance when you have a lot of servers.
It would be nice to have some more control over update installations on servers by default in F-Secure.
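The workaround described in the last two posts, as an added PowerShell example that is not part of the thread and not F-Secure's own code: it copies the action of the profile-created task onto a per-server schedule and adds a reboot task at a fixed time inside the 00:00 to 05:00 window. The task names, day, times, helper path and the choice of the first task in the folder are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not F-Secure's code. Task names, day and times are placeholders.
$sourcePath = '\F-Secure\Software Updater\'   # folder named in the thread
$day        = 'Saturday'                      # this server's patch day
$installAt  = '00:15'
$rebootAt   = '04:00'                         # inside the 00:00-05:00 window
$scriptDir  = Join-Path $env:ProgramFiles 'PatchTasks'   # writable by admins only

# Reuse the action (fssua.exe and its arguments) and the run-as account of the
# task the profile created instead of retyping them.
# Assumption: the first task in the folder is the install task.
$source = Get-ScheduledTask -TaskPath $sourcePath -ErrorAction Stop |
    Select-Object -First 1
$source.Actions | Format-List Execute, Arguments   # review what will run

$install = @{
    TaskName  = 'Server-Patch-Install'          # hypothetical name
    Action    = $source.Actions
    Principal = $source.Principal
    Trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $day -At $installAt
}
Register-ScheduledTask @install -Force | Out-Null

# Reboot helper: restarts only when Windows reports a pending reboot, so a
# night with nothing installed causes no downtime.
$helper = Join-Path $scriptDir 'Restart-IfPending.ps1'
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
@'
$keys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
if ($keys | Where-Object { Test-Path $_ }) { Restart-Computer -Force }
'@ | Set-Content -Path $helper -Encoding UTF8

$reboot = @{
    TaskName  = 'Server-Patch-Reboot'           # hypothetical name
    Action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -File `"$helper`""
    Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $day -At $rebootAt
}
Register-ScheduledTask @reboot -Force | Out-Null
```

The two registry keys are the standard Windows servicing and Windows Update pending-reboot markers; the thread does not say whether Software Updater sets them for third-party installs, so verify that on a test server. Because the helper runs as SYSTEM, keep it in a directory that only administrators can write to.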