Maintenance Windows Issues

Question

I have been using this product for many years now and for the most part has always patched our servers perfectly. When Microsoft made the change and added exclusive updates this caused all kinds of issues. Finally to deal with this issue I ended up creating 2 tasks for each maintenance window:

1) Task 1 - Install all non exclusive updates and post reboot only if Windows update needs it.

2) Task 2 - (1 hour later) - Install exclusive updates and always reboot. This serves 2 purposes, patching system, and making sure no system is up for more than 30 days to help with system stability.

I have never been crazy about using this method because what if task 1 takes more than 1 hour? Would be nice if PM had some more logic capabilities for tasks.

How does everyone handle this issue?

The second issue I am having has to do with pending restarts. If Task 1 runs on a system that has reboots waiting the task will fail and the system will not patch. 1 hour later Task 2 will run and that will also fail because of the pending restart. That means that month the system missed its maintenance window and will not get patches. One option I have never fooled with and looks like it might help with this issue is the pre-update management option "Reboot only if required by Windows Update". I imagine this means if it's in a pending restart mode the task will reboot the system. My question is will the Task 1 re-run after the pre-reboot to actually initiate the patches? I asked support this question and they didn't have a definitive answer for me.

I brought this up with support several times but have never got any help. Once suggestion was to do something like the following:

1) Task 01 - Task to Reboot system.

2) Task 1 - (15 minutes later) - Install all non exclusive updates and post reboot only if Windows update needs it.

3) Task 02 - (1 Hour later) - Task to Reboot system.

4) Task 2 - (15 minutes later) - Install exclusive updates and always reboot.

I was not crazy with this solution once again as setting static times could cause timing issues.

How does everyone handle this issue?

My boss is on this new mission, and rightfully so, to automate more and reduce the amount of time we're wasting by performing manual processes.

Any help would be appreciated.

sshawl · Answer

Currently we're using PM to monitor patching of all systems and to automate installation of patches on workstations and laptops. (Server updates are currently initiated by hand due to our short maintenance window for them)

Workstations get updates installed nightly in the evening. Options used here are Pre & Post reboots only if WUA requires and Install Exclusive update only if found. Then 8 hours later the workstation reboots regardless via a GPO scheduled task.

Laptops are a little different as they are not on the network during the maintenance window as they travel with the management staff. So for these I have two scheduled tasks in Patch Manager that that kick off 4 hours apart during the day to catch as many laptops online as I can. The big difference here is there is no scheduled reboots and no Pre and Post reboots.  I've written a PowerShell script to prompt the user to reboot their computer but sadly the PowerShell script feature of Patch Manager doesn't work right and I have an open feature request to have it fixed. This overall schedule has worked fairly well for us and only requires manual intervention when the WUA agent breaks, or Microsoft releases an update that doesn't install correctly, or occasionally prodding laptop users to reboot their computer instead of hibernating it.