#noobquestion How to finally automate Windows Update for free?
Posted by Commercial-Fun2767@reddit | sysadmin | 48 comments
Hello,
If:
- No WSUS: had a server crashing and never found a solution.
- No Intune: no budget.
- No SCCM: it could be installed but not sure it's worth it for our small org.
- No paid perfect app like Ninjaone: no budget.
- No RMM.
Or I should have just said: no qualified admin. /s
How do you enhance the manual update of each server (clients are nearly well handled by end users)?
cellnucleous@reddit
When I worked for a no-budget company I used chocolatey package manager with pswindowsupdate to script install of windows updates and 3rd party programs. It's possible to create your own repository to install from for better security. I used a non-production system to test on first.
Master-IT-All@reddit
Install the PowerShell module for Windows Update.
Use Scripting.
Borgquite@reddit
Either just set up some Windows Update policies via GPO enforcing the updates to install at the appropriate time (although NB no ability to control or report).
Or set up WSUS with this guide, it should stop your crashing issues: https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/wsus-maintenance-guide
Commercial-Fun2767@reddit (OP)
What GPO forces installing updates and reboot on chosen time? I find none and browsed the web and even the GPO like I was reading the dictionary.
Thank you (and others) for the reminder WSUS can work.
Master-IT-All@reddit
If that's your attitude towards learning, you shouldn't be in IT.
Commercial-Fun2767@reddit (OP)
Whoa. There must be some misunderstanding. I suppose I shouldn't be offended if someone among the thousands who saw my question tells me point-blank that they've figured me out and predicts my future career. I could just say that you're not going to get very far in life if that's how you talk to people.
jimicus@reddit
It sort-of can, with caveats:
The upshot is that if you’re looking for a guarantee of 100% update compliance with 0% pain, you’ll be looking for a long time.
Borgquite@reddit
See the Group Policy settings I suggested above. I've had them working for years on servers, with a reliable reboot schedule.
Borgquite@reddit
We have the following policies working on Server 2022 (at least):
This forces a reboot after the restart timer, on the specified date/time.
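The policy list Borgquite refers to did not survive in this copy of the thread, so here is an added example (not from any commenter) that audits, and with -Apply sets, the registry values the two relevant Windows Update GPO settings write: "Configure Automatic Updates" (AUOptions 4 = download and schedule the install, plus ScheduledInstallDay/ScheduledInstallTime) and "Always automatically restart at the scheduled time" (AlwaysAutoRebootAtScheduledTime and its grace-period minutes). The 03:00 install time and 15-minute grace window are assumptions; on a domain member the GPO should remain the source of truth and this script is for standalone servers or for checking what the GPO actually delivered.

```powershell
# Added example: audit/set the registry values behind the Windows Update GPO settings.
# Run elevated. Without -Apply it only reports; with -Apply it writes the values.
[CmdletBinding()]
param(
    [switch]$Apply,
    [ValidateRange(0, 7)]   [int]$ScheduledInstallDay  = 0,  # 0 = every day, 1 = Sunday ... 7 = Saturday
    [ValidateRange(0, 23)]  [int]$ScheduledInstallTime = 3,  # 03:00 local time (assumption)
    [ValidateRange(15, 180)][int]$RebootGraceMinutes   = 15  # minutes of warning before the forced reboot (assumption)
)

# This is the key Group Policy populates; the Windows Update client reads it directly.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Desired policy state, one entry per registry value.
$desired = [ordered]@{
    NoAutoUpdate                           = 0                      # automatic updates enabled
    AUOptions                              = 4                      # auto download and schedule the install
    ScheduledInstallDay                    = $ScheduledInstallDay
    ScheduledInstallTime                   = $ScheduledInstallTime
    AlwaysAutoRebootAtScheduledTime        = 1                      # force the restart even with users logged on
    AlwaysAutoRebootAtScheduledTimeMinutes = $RebootGraceMinutes
}

if (-not (Test-Path $auKey)) {
    if ($Apply) { New-Item -Path $auKey -Force | Out-Null }
    else { Write-Warning "$auKey does not exist: no Windows Update policy is applied on this host." }
}

foreach ($name in $desired.Keys) {
    $current = $null
    if (Test-Path $auKey) {
        $current = (Get-ItemProperty -Path $auKey -Name $name -ErrorAction SilentlyContinue).$name
    }
    $compliant = ($current -eq $desired[$name])

    # Emit one row per setting so the result can be piped to Format-Table or Export-Csv.
    [pscustomobject]@{
        Setting   = $name
        Current   = $current
        Desired   = $desired[$name]
        Compliant = $compliant
    }

    if ($Apply -and -not $compliant) {
        Set-ItemProperty -Path $auKey -Name $name -Value $desired[$name] -Type DWord
    }
}
```

Run it without switches across servers (for example through Invoke-Command) to get a compliance table; any row with Compliant = False on a domain-joined server means the GPO is not reaching that host, which is the check to do before trusting the reboot schedule.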
Previous-Low4715@reddit
“Well I’ve vibecoded a tool…”
fahque@reddit
Sweet! Straight to production then.
Arudinne@reddit
Don't forget to make sure it's publicly accessible!
sublimeprince32@reddit
Bruh.
OregonTechHead@reddit
Action1. Bonus that you'll also be updating all of that other old software that probably hasn't been touched in 5 years.
Ad3t0@reddit
Being transparent I developed and founded this company but please check out my platform TridentStack Control at https://tridentstack.com totally free for under 200 endpoints forever. Excellent at patch/vulnerability remediation/policy/compliance management. I'd love to hear what you think!
St0nywall@reddit
Windows Update for Business could be an option for on-prem workstations and servers. It doesn't allow for much configuration or logging but it does manage the built-in update in the OS.
There are a few other options if you are Intune managed or hybrid joined and have money for licenses.
poro_8015@reddit
wsus is free and built into windows server, been using it for years. if it was crashing you probably had a database issue - the WID can get bloated over time. running the server cleanup wizard regularly or switching to a full SQL express instance usually fixes it. worth giving it another shot before looking at anything else imo
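As an added example (not poro_8015's or Microsoft's code), this is the server cleanup from the comment above done with the UpdateServices module's Invoke-WsusServerCleanup cmdlet, in the staged order the Microsoft maintenance guide linked earlier recommends: decline superseded and expired updates first, then remove obsolete objects, then compress and delete unreferenced content. With -Schedule it registers itself as a weekly task. It assumes it runs elevated on the WSUS server itself; the log folder and the Sunday 02:00 slot are assumptions, and the database reindex the guide also recommends is a separate step not covered here.

```powershell
# Added example: staged WSUS cleanup, optionally registered as a weekly scheduled task.
[CmdletBinding()]
param([switch]$Schedule)

$logDir = 'C:\WsusMaintenance'   # assumption: where cleanup logs are kept
New-Item -Path $logDir -ItemType Directory -Force | Out-Null
$log = Join-Path $logDir ("cleanup-{0:yyyyMMdd-HHmm}.log" -f (Get-Date))

function Invoke-WsusMaintenance {
    Import-Module UpdateServices
    $wsus = Get-WsusServer   # the local WSUS server on its default port

    # Stage 1: decline superseded and expired updates so they stop being offered
    # and become eligible for removal in the next stage.
    Invoke-WsusServerCleanup -UpdateServer $wsus -DeclineSupersededUpdates -DeclineExpiredUpdates

    # Stage 2: remove obsolete updates and computers that have not reported in 30 days.
    Invoke-WsusServerCleanup -UpdateServer $wsus -CleanupObsoleteUpdates -CleanupObsoleteComputers

    # Stage 3: compress update revisions and delete content files nothing references any more.
    Invoke-WsusServerCleanup -UpdateServer $wsus -CompressUpdates -CleanupUnneededContentFiles
}

if ($Schedule) {
    # Register this same script to run as SYSTEM every Sunday at 02:00 (assumed window).
    $scriptPath = $MyInvocation.MyCommand.Path
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 02:00
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'WSUS Maintenance' -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
    "Registered weekly task 'WSUS Maintenance'."
}
else {
    # Each cleanup call returns counters such as 'Obsolete Updates Deleted: N'; keep them on disk.
    Invoke-WsusMaintenance *>&1 | Tee-Object -FilePath $log
}
```

The first run on a long-neglected server can take hours and time out at the obsolete-updates stage; the guide's advice for that case is to run the stages separately and repeat the obsolete-updates cleanup until it finishes, which is why each stage is its own call here.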
fahque@reddit
It never worked for me. I rebuilt the server (full windows reinstall) a few times and never got it to work. After the first or third update from micropenis the db would be too bloated and sql would crash. It didn't matter what wsus db cleanup utility I ran, it still failed.
Stonewalled9999@reddit
SQL express might be too small for that. WID is stripped down BUT does not have the DB limit like Express does
TerrorToadx@reddit
Surely you can powershell this?
non-descript_com@reddit
For very small environments I've used the PSWindowsUpdate module and scheduled tasks... But I'm not sure it's still being maintained.
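Several commenters (cellnucleous, Master-IT-All, non-descript_com) point at the PSWindowsUpdate module plus scripting or scheduled tasks. As an added example (not any commenter's code), this script installs the module from the PowerShell Gallery rather than from Chocolatey, reports pending updates by default so it can be tried on a non-production host first, installs and reboots with -Install, and with -Register creates the weekly scheduled task that runs it. The log path and the Saturday 23:00 slot are assumptions.

```powershell
# Added example: PSWindowsUpdate report / install / scheduled-task registration in one script.
[CmdletBinding()]
param(
    [switch]$Install,                           # actually install (default: report only)
    [switch]$Register,                          # create the weekly task instead of running now
    [string]$LogPath = 'C:\WindowsUpdateLogs'   # assumption: log location
)

function Initialize-PSWindowsUpdate {
    if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
        # NuGet provider and a trusted repository are required for an unattended install.
        # Pin -RequiredVersion or point at an internal repository (Register-PSRepository)
        # if you want to control exactly which build gets installed.
        Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
        Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
        Install-Module -Name PSWindowsUpdate -Scope AllUsers -Force
    }
    Import-Module PSWindowsUpdate
}

function Get-PendingUpdateReport {
    # Searches whatever source the client is configured for (WSUS if policy points there).
    Get-WindowsUpdate | Select-Object KB, Size, Title
}

function Invoke-UpdateRun {
    New-Item -Path $LogPath -ItemType Directory -Force | Out-Null
    $log = Join-Path $LogPath ("wu-{0:yyyyMMdd-HHmm}.log" -f (Get-Date))
    # -AcceptAll answers the per-update prompt; -AutoReboot restarts only when an update needs it.
    Install-WindowsUpdate -AcceptAll -AutoReboot | Out-File -FilePath $log -Append
}

if ($Register) {
    # Run this same script with -Install as SYSTEM every Saturday at 23:00 (assumed window).
    $self      = $MyInvocation.MyCommand.Path
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$self`" -Install"
    $trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Saturday -At 23:00
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Weekly Windows Update' -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
    "Registered weekly task 'Weekly Windows Update'."
}
elseif ($Install) {
    Initialize-PSWindowsUpdate
    Invoke-UpdateRun
}
else {
    Initialize-PSWindowsUpdate
    Get-PendingUpdateReport | Format-Table -AutoSize
}
```

Because the task runs as SYSTEM, the script file should live in a directory only administrators can write to; a world-writable script path run with highest privileges is the same problem as the "publicly accessible" joke above, just local.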
AdministrativeAd618@reddit
Check out Zecurit Endpoint Manager..
rairock@reddit
I'm using Ansible as we have multiple domains.
Xzenor@reddit
Do you use a gui or just schedule from the crontab?
rairock@reddit
With the schedule options of the GUI (Ansible AWX). Every hour it has a run and looks if any server matches that hour based on a calendar.
Original-Reaction40@reddit
You do know ansible core is free and can automate windows updates
Xzenor@reddit
I didn't. Well I knew it was free but not that it could handle windows that well.
Original-Reaction40@reddit
No GUI for me and i use systemd to schedule
Live in the now!
Xzenor@reddit
Systemd? Like, creating your own timers? That's not a bad idea I guess but it does seem like a lot of work for something that can also be done much faster with the crontab.. what's the advantage of using systemd timers?
Original-Reaction40@reddit
Accuracy and better logs
Journalctl and all that
Xzenor@reddit
That makes sense I guess.. thanks. I'll think about it. Might be a good idea indeed
daze24@reddit
less than 200 endpoints on action1 for free
Humble-oatmeal@reddit
Yeah its a decent option you can use for free for patching
Commercial-Fun2767@reddit (OP)
Sometimes I would love to handle a small org like this.
daze24@reddit
You did say small org in your post.. all relative I guess
networkn@reddit
This is a decent recommendation.
Leather-Tour-7288@reddit
Saltstack or Ansible maybe?
BananaSacks@reddit
They said 'no admin' /s /s
Commercial-Fun2767@reddit (OP)
I find using ansible easier than automating windows update without Ninjaone.
DeliveranceXXV@reddit
If there is no admin, then everyone is probably an admin!
BananaSacks@reddit
Exactly!
rootofallworlds@reddit
Just let Windows Update do its thing and tough luck about the reboots or any breakage? Maybe handle the most critical servers manually like the DCs (if you have them). If you ain’t paying for professional tools then that’s what you’re getting.
Commercial-Fun2767@reddit (OP)
Well, I can tell you we are paying. Not enough apparently :)
Tovervlag@reddit
But I would probably introduce ansible to be able to manage windows update and other things around endpoint management. But via gpo it would work very nice too. This would be a good excuse to try and in the end master a new tool though.
jcpham@reddit
Not the best idea to automate without testing first, especially servers. You do you though
Conscious-Arm-6298@reddit
Action1 godbless
VoltsOpinion@reddit
Action1