Schedule Groups for Updates using Update Management Wizard

One of the more frequent questions I get is how to set up schedules for updating separate groups of machines. That might be for a small test group of power users, to see whether new patches break the system before rolling them out environment-wide, or to ensure your SQL servers are up and running before the front-end web application. You can accomplish these, and handle any other reasons, with our Update Management Wizard task.

You’ll first want to have an idea of the schedule and have the servers in the proper groups (WSUS groups, a Patch Manager Group, or an Active Directory OU) before launching this Wizard.

To schedule your update maintenance downtimes, use the Update Management Wizard task. On the left in the Tree console, click All Updates; then on the right under Actions, click Update Management Wizard.

This will launch a Wizard with a lot of flexibility. For this walk-through, I am going to keep it basic, with some hints in italics at what else you could do.

On the first screen you have some options. The simplest is the one I marked with the red box. With this choice you are telling the machines to download and install everything that you have approved and that is not already installed:

(You can see the other options as well: instead of everything, there is a choice for just critical and security updates. The bottom choice is probably the most complex: you can create a custom selection of updates based on criteria.)

Also note that this does override your Group Policy settings. So if your Group Policy is set to download and notify, but you choose Download and Install all approved updates, that is exactly what is going to happen.

The very next screen shows the criteria of the task, which reflect whatever you selected. Even if you did not choose the custom option, you can modify the criteria here if needed:

The next tab has a nice set of options. You can add a pre or post reboot event. You can use Wake on LAN if needed. (You can also run this in planning mode, which gives you a report showing, for example, how many machines would meet the criteria, so you can confirm you have the right logic.)

The next screen is your Targets. This is where you build your selection of machines. The nice thing is that you can add them from multiple sources: you can add one at a time by IP address, browse Active Directory for machines in certain OUs, or use any WSUS groups you have already created. (You can also create Patch Manager Groups for machines you want to group together but have no other way to group, and then use them here.)

And finally, the main reason you are doing this: the Schedule tab. After you have added all of the end Targets to the selection, the next screen is the final one, where you set the time to execute this task, and of course you can set up a Recurring Schedule as well. (You could also do an ad-hoc version of this task and just Run Task Now if there was something you wanted deployed immediately.)

  • Thanks for the write up, I was looking for something like this. Question, does this method pick up new machines added to groups? Or once you put this schedule in place the list is static?

    Edit: I now see that you can use the "Select computers using rules" tab and pick an OU, WSUS group, or a Patch Manager group to run the schedule for. That's awesome. This way you won't have to worry about new machines being added. They'll just get picked up when they are added to the group.

  • You're exactly right.  And you beat me to the answer....nice

  • Hello, I've set up schedules exactly as specified above for updating separate groups of machines: Wednesday: Test Group 10am; Friday: All workstations 10am; Friday: All servers 5am.

    I've chosen the option to "Download and install all needed approved updates"; this means the updates need to be manually approved by myself before they are downloaded/deployed to the groups in my scheduled tasks. This is all fine; however, I have a problem: when I choose to "Approve" a needed update, it prompts me to select a computer group, and I have to choose a computer group before I can proceed with the approval. I don't want to choose a computer group, as these have been set in the above scheduled tasks.

    Is there a way around this?

    Thanks

  • Well, the Task itself is only going to grab the "Approved updates".  So they will need to be Approved for those machines for the Task to be successful.  Otherwise the Task would start, target those machines and the machines would not install anything without the Approval.

    So there is not a way around this.

    These schedules are outside of the Group Policy settings you have.  So if you want to avoid the machines getting these outside of your schedule, you would want to modify your GPO to have the machines Download the updates, but NOT install anything.  (By default the GPO installs once a day.)  Then you could have your scheduled time take care of the install at the time you want.

    I guess there is a way around this.....but might not be your desired option.  There is another choice besides the 'Download and Install all needed approved updates'.  There is a "Download and Install all needed Security and Critical updates"....this one does not require them to be Approved.

  • Thanks Travis, sorry about the delay in responding.

    I have decided to go with the below option; this will avoid needing to manually approve the updates and means the scheduled tasks I’ve set in SolarWinds will work as intended.

    "Download and Install all needed Security and Critical updates"....this one does not require them to be Approved

    I’m a little confused as to how I set up my Windows GPOs. If I have a scheduled install time set in the Windows GPO, will a scheduled task in SolarWinds overwrite it?

  • The Patch Scheduled Task will not over-ride your GPO.  It is in addition to....

    So let's say you have your GPO "Download and Notify" users there are new updates.  And that happens every day.  You can have a Patch scheduled task to 'Download and Install' occur at 6:00 PM on Monday and Friday....this will NOT change your GPO.  Your GPO will still happen every day, AND something will happen every Mon/Fri at 6:00.

    *A nice thing about the Download and Install would be, if users are ignoring the update notifications, the Scheduled Task Patch runs would install all pending updates.
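
The GPO side of the two replies above can be checked on each client. The PowerShell below is an added example, not part of the thread or of Patch Manager: it reads the standard Windows Update policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU and reports whether a machine will install updates on its own, outside the Patch Manager schedule. The helper name Get-AuBehaviour and the two sample policies are constructed for illustration.

```powershell
# Added example: what will Automatic Updates do on its own, independent of
# any Patch Manager scheduled task? Get-AuBehaviour is a hypothetical helper.
function Get-AuBehaviour {
    param([hashtable]$Au)   # values from the ...\WindowsUpdate\AU policy key

    if ($Au.NoAutoUpdate -eq 1) {
        return 'Automatic Updates disabled by policy; only the scheduled task installs'
    }
    if ($null -eq $Au.AUOptions) {
        return 'No AUOptions policy; the local Windows Update setting applies'
    }
    # ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday
    $days = 'every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
    switch ([int]$Au.AUOptions) {
        2 { return 'Notify before download; nothing installs until a user or the task acts' }
        3 { return 'Download and notify; nothing installs until a user or the task acts' }
        4 {
            $day  = if ($null -ne $Au.ScheduledInstallDay)  { $days[[int]$Au.ScheduledInstallDay] } else { 'day not set' }
            $time = if ($null -ne $Au.ScheduledInstallTime) { '{0:00}:00' -f [int]$Au.ScheduledInstallTime } else { 'time not set' }
            return "Clients install on their own ($day, $time), in addition to the scheduled task"
        }
        5 { return 'Local administrators choose the mode; behaviour varies per machine' }
        default { return "Unrecognised AUOptions value $($Au.AUOptions)" }
    }
}

# Constructed sample policies matching the two GPO set-ups discussed above.
$samples = [ordered]@{
    'Download only'         = @{ AUOptions = 3 }
    'Scheduled daily 03:00' = @{ AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3 }
}
foreach ($name in $samples.Keys) {
    '{0,-22} -> {1}' -f $name, (Get-AuBehaviour $samples[$name])
}

# On a managed Windows client, evaluate the policy that is actually applied.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    $local = @{}
    foreach ($n in 'NoAutoUpdate','AUOptions','ScheduledInstallDay','ScheduledInstallTime') {
        $local[$n] = $props.$n
    }
    '{0,-22} -> {1}' -f 'This machine', (Get-AuBehaviour $local)
}
```

Running it on one client from each target group after a GPO change shows whether that group can still install outside the scheduled window.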

  • I'm still trying to wrap my head around how Patch Manager tasks handle updates when you don't want to interrupt business. I have plenty of machines that are slightly out of date - I just can't get the users to remember to keep their computers on so I can run updates overnight. WOL seldom works, so I'm left with the option of running updates during business hours but I also can't hold up a machine - just the nature of our business - we could lose money if a computer is downed.

    If I run a download and install, but set it to "Do not reboot" will it simply queue the update on the next user restart, or if the update requires it, will it still force a restart? I have my GPO settings to never notify, but schedule the installs.