[Apr. 16th, 2004|09:39 am]
Windows Update is a really great idea. Instead of having to follow all the Microsoft security bulletins (which were much more frequent, before the change to monthly announcements), and keep track by hand of what had gone onto your servers, and what would need to go on a new server, it takes care of it for you. Your life becomes easier, more machines out there get patched, everything is good.
I currently look after quite a few Windows servers, most of which are co-located, and all of which are supposed to be high availability. When Windows Update works, it makes my life easier - log in, prod it a bit, the security fixes get downloaded and installed, all nice and friendly. All you then do is schedule the time for the reboot that they'll require (I won't start on that one.....)
Of late though, I've been having more and more issues with Windows Update. There have been a couple of times when scanning with Nessus (a very nifty Open Source vulnerability scanner) when I've discovered that Windows Update hadn't installed all the fixes a server needed. Secondly, the downloads seem to be running much slower than they used to (what's up with this 4k/s download of fixes, especially when the fix is a few MB in size?). My most recent problem is more annoying - updates that download, appear to install, but then throw up an error at the end.
Windows Update gives very little information on what it's up to. One scrolling update bar for downloads, one for install progress. No information on any problems or anything - just a list at the end of what installed and what didn't. Oh, and no indication of why your update didn't install, just a suggestion that you try again. If you're really lucky, it won't restart your computer after the updates are installed. If you're not, it'll just restart the machine without asking you. Most handy for a production box.
One server of ours was suffering very much from the silent failure of security fixes to install. They'd download, the scroll bar would move, and you'd be told they hadn't installed. You'd try again (which sometimes works on other servers), and no difference. A quick reboot that evening, and you try again, and once more they won't apply.
So, this morning, I've been using Windows Update to find the fixes that need applying. I've then gone to the Microsoft site, found the fixes there, downloaded them by hand and installed them. All of them went on fine, all of them told me what they were doing, and none of them rebooted my computer without asking me. All nice and friendly (if a little time-consuming), and how Windows Update should be. Stupid thing....