Patching Problems

  • Hello, I wanted to write about how we do patching of Microsoft CUs on client servers.

    My company sells small and big servers as part of industrial systems. Most of those run isolated from the internet, with a VPN established only for maintenance purposes in a small time window. For some of them we are obliged by contract to keep the system up to date.

    We found a packager program for Microsoft updates (not SQL updates, which we apply manually by Service Packs only). This packager is published on wsusoffline.net and needs a master machine to collect and prepare a package. This package can be transferred (we use 7zip to pack the provided subdirectories and transfer them by FTP or USB to the client servers). There you run it.

    Benefits: If I prepare such a package and test it on some reference machines, the risk of a bad patch in the rollout to the one hundred other servers is lowered. If I used online Microsoft Update, I would have to check manually that no patches other than the tested ones are installed on the machine. In my case this is ensured by using the identical package. 7Zip seems to be safe enough to ensure this.

    Another benefit: The installer of those packages comes with the option to reboot automatically and continue whenever the update process requires it. There is no delay like a message waiting for confirmation at the console (which is not seen by anybody, because the servers mostly have remote access only). Whenever Windows Update requires a reboot, the package installer will instantly follow it. This reduces the time I have to monitor the server personally. I just log in near the end of the agreed downtime, check, disconnect, and proceed hopefully to the next server.

    On our reference machines at the office I can easily check the completeness of the offline procedure by running online updates right afterwards and noting down the discrepancies; each of them must have a reason. After that I am done for this month and all my important servers are patched. All unimportant servers will be patched on demand only, like twice per year. The risk of such rare patching is acceptable to most clients because of the isolation from the internet.

    I hope this is a helpful procedure for other organizations also.

    TAS
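    As an added example that is not part of TAS's post, here is a PowerShell check for two points in the procedure above: verifying the 7zip package on a target server against a SHA-256 hash recorded on the master machine (the hash must travel on a separate path from the archive, otherwise it proves nothing), and comparing the hotfixes installed on the target with the list exported from a tested reference machine. All file names and paths are assumed.

```powershell
# Added example (not from the post): verify a transferred WSUS Offline package
# and compare installed hotfixes with the tested reference machine.
# Assumed (hypothetical) files: the archive, a sha256sum-style hash file
# recorded on the master machine, and reference-hotfixes.csv produced on the
# reference machine with:  Get-HotFix | Export-Csv reference-hotfixes.csv
param(
    [string]$Archive   = 'C:\Patch\wsusoffline.7z',
    [string]$HashFile  = 'C:\Patch\wsusoffline.7z.sha256',
    [string]$Reference = 'C:\Patch\reference-hotfixes.csv'
)

# 1. Integrity check before unpacking: a corrupted or tampered archive
#    (FTP transfer, USB stick) is rejected instead of being installed.
#    The hash file format is "<hex hash>  <file name>" (first token is the hash).
$expected = (Get-Content -Path $HashFile -TotalCount 1).Trim().Split(' ')[0].ToUpper()
$actual   = (Get-FileHash -Path $Archive -Algorithm SHA256).Hash
if ($actual -ne $expected) {
    throw "Hash mismatch for ${Archive}: expected $expected, got $actual"
}
Write-Host "Package hash verified: $actual"

# 2. Post-install control: every hotfix present on the reference machine should
#    be present here, and nothing else should have appeared. Each discrepancy
#    listed below needs a documented reason, as the post requires.
$refIds   = @(Import-Csv -Path $Reference | Select-Object -ExpandProperty HotFixID)
$localIds = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
$diff = Compare-Object -ReferenceObject $refIds -DifferenceObject $localIds

if (-not $diff) {
    Write-Host 'Installed hotfixes match the reference machine.'
} else {
    foreach ($d in $diff) {
        # '<=' means only on the reference machine, '=>' means only on this server
        $where = if ($d.SideIndicator -eq '<=') { 'missing on this server' } else { 'extra on this server' }
        Write-Warning "$($d.InputObject): $where"
    }
}
```

    Run the integrity part before unpacking and the comparison part after the final reboot; the comparison only catches hotfixes that register in Get-HotFix, so updates delivered another way still need the manual check the post describes.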

  • I think that SQL Server patches are just an example of a bigger issue that Microsoft appears to be attempting to resolve in a single way for all types of Windows OS installations. I am sure that they do this, but they really need to look into the whole bunch of scenarios and provide relatively simple solutions for all of them. Sure, default to updating as the fixes come; however, there needs to be better management of patches and updates between the "as they come" and the "manually applied" strategies.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • If it's any consolation, patching in other OSes (Linux, xBSD) is both better and worse at the same time. Package management, testing and dependencies can still be a bloody mess at times. There's also a huge spectrum in the quality of software depending on the type of applications.

  • IMO Windows 8 is nothing more than Vista II. It is by far the worst OS I have seen them release. I know some people like it, but invariably those are people who for whatever reason are using a tablet.

    Windows 8 sucks on a PC or laptop.

    Case in point - I built a new PC from scratch. I followed Microsoft recommendations on using sysprep to move the users folder off the SSD that I spent significant money on. SSDs have a limited number of writes, and given how IE handles caching, and given that your OS drive is NOT typically large enough to store your data, it made sense.

    That is, until MS released 8.1, which does NOT support upgrading any system that has been sysprepped!

    MS's response is that the Microsoft sysprep tool is not supported, even though it is a Microsoft product, pretty much all businesses use it, and there is no logical reason to not support it.

    Thus began my current project of removing Windows from my life. Ubuntu, Mint, Fedora, RHEL, CentOS, all of these are far easier to install and manage. My then 6-year-old can install software on Linux without worrying about infecting my network. Why would I want to overpay for an OS that is so bad the manufacturer doesn't support it under normal operating conditions?

    Dave

  • djackson 22568 (5/27/2014)

    IMO Windows 8 is nothing more than Vista II. It is by far the worst OS I have seen them release. I know some people like it, but invariably those are people who for whatever reason are using a tablet.

    Windows 8 sucks on a PC or laptop.

    Case in point - I built a new PC from scratch. I followed Microsoft recommendations on using sysprep to move the users folder off the SSD that I spent significant money on. SSDs have a limited number of writes, and given how IE handles caching, and given that your OS drive is NOT typically large enough to store your data, it made sense.

    That is, until MS released 8.1, which does NOT support upgrading any system that has been sysprepped!

    MS's response is that the Microsoft sysprep tool is not supported, even though it is a Microsoft product, pretty much all businesses use it, and there is no logical reason to not support it.

    Thus began my current project of removing Windows from my life. Ubuntu, Mint, Fedora, RHEL, CentOS, all of these are far easier to install and manage. My then 6-year-old can install software on Linux without worrying about infecting my network. Why would I want to overpay for an OS that is so bad the manufacturer doesn't support it under normal operating conditions?

    I agree that your sysprep issue is unacceptable. This will become an issue time and time again.

    I just wanted to say that from an OS-as-a-client point of view I like it. I am using it on a laptop (without touchscreen) for development and have found it to be the best Windows OS so far.

    I may eventually move off Windows but not until the majority of my clients do.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Gary Varga (5/27/2014)

    djackson 22568 (5/27/2014)

    IMO Windows 8 is nothing more than Vista II. It is by far the worst OS I have seen them release. I know some people like it, but invariably those are people who for whatever reason are using a tablet.

    Windows 8 sucks on a PC or laptop.

    Case in point - I built a new PC from scratch. I followed Microsoft recommendations on using sysprep to move the users folder off the SSD that I spent significant money on. SSDs have a limited number of writes, and given how IE handles caching, and given that your OS drive is NOT typically large enough to store your data, it made sense.

    That is, until MS released 8.1, which does NOT support upgrading any system that has been sysprepped!

    MS's response is that the Microsoft sysprep tool is not supported, even though it is a Microsoft product, pretty much all businesses use it, and there is no logical reason to not support it.

    Thus began my current project of removing Windows from my life. Ubuntu, Mint, Fedora, RHEL, CentOS, all of these are far easier to install and manage. My then 6-year-old can install software on Linux without worrying about infecting my network. Why would I want to overpay for an OS that is so bad the manufacturer doesn't support it under normal operating conditions?

    I agree that your sysprep issue is unacceptable. This will become an issue time and time again.

    I just wanted to say that from an OS-as-a-client point of view I like it. I am using it on a laptop (without touchscreen) for development and have found it to be the best Windows OS so far.

    I may eventually move off Windows but not until the majority of my clients do.

    I respect that you like it. I don't understand why, as the whole issue of removing the start button is just plain stupid if you don't have a touch screen. That said, each of us works differently, and if it works for you, that is a good thing. If I had a touch screen device with Windows, not that I can imagine ever wanting one given how much I love my iPads, I can see how the design might be better.

    I still use it at home but only for apps that I can't replace yet in Linux.

    One other thing I forgot to whine about: when I first built the machine it booted up in 5 seconds. Linux still boots that fast, but Windows now takes over 30 seconds. That has been an issue with Windows forever; every patch slows down the system, even on an SSD.

    Sigh.

    Dave

  • I use Win 8 and Win 7 at home and Win 8 at work. I don't have touch screens except on the Surface Pro I use. Win 8 is ok and I am as productive as on Win 7. The Sysprep issue is unfortunate, too bad M$ doesn't get it.

  • We have SCCM control patch/update management. They are all (or should be) applied in the test and cert domains before release to production. Doing otherwise is a recipe for disaster.

  • Ultimately the balancing act and plate spinning magic that has to occur deep inside the labs in OS development companies should humble us so we may see more of this elusive science and better learn from the masters (in their realm) of our race.

    It's up to us.

    Most admins need very specific testing platforms that mimic target systems as near as possible in order to propagate ANY change to their production secured environments. To expect perfect updates assumes the update provider will test our specific configuration. The exposure or sharing of this most intimate internal systems architecture is more and more becoming a serious risk regarding many aspects requiring tight information security.

    So therein lies the push for better internal testing and change management processes. It's we that need to improve our own acquisition, assimilation and integration methodologies to mitigate the inherent issues in the updating and patching of core systems.

  • To put a slightly different view on this topic - Steve was upgrading a Client operating system. Windows Services should run fine, but they are hardly typical on Windows 8.

    We all know that Windows Server 2012, in an Active Directory/SCCM/SCOM/WSUS environment, is an entirely different proposition. Ideally such an obvious problem with a new patch would be detected in a test/dev/quality environment.

    But I absolutely agree that without Service Packs we are almost being forced to apply CUs, which come with such a waiver of responsibility that it makes you wonder why you would pay for Software Assurance :crying:

  • Andy sql (5/28/2014)

    To put a slightly different view on this topic - Steve was upgrading a Client operating system. Windows Services should run fine, but they are hardly typical on Windows 8.

    We all know that Windows Server 2012, in an Active Directory/SCCM/SCOM/WSUS environment, is an entirely different proposition. Ideally such an obvious problem with a new patch would be detected in a test/dev/quality environment.

    But I absolutely agree that without Service Packs we are almost being forced to apply CUs, which come with such a waiver of responsibility that it makes you wonder why you would pay for Software Assurance :crying:

    Assurance? :ermm:

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Gary Varga (5/28/2014)

    Andy sql (5/28/2014)

    To put a slightly different view on this topic - Steve was upgrading a Client operating system. Windows Services should run fine, but they are hardly typical on Windows 8.

    We all know that Windows Server 2012, in an Active Directory/SCCM/SCOM/WSUS environment, is an entirely different proposition. Ideally such an obvious problem with a new patch would be detected in a test/dev/quality environment.

    But I absolutely agree that without Service Packs we are almost being forced to apply CUs, which come with such a waiver of responsibility that it makes you wonder why you would pay for Software Assurance :crying:

    Assurance? :ermm:

    You are assured you get software. That's it.
