Automation Machine & WSUS integration

Scenario

Automation Machine provides options for managing with Windows Updates. On a collection you can set a list of options to manage Windows Updates on the client machines. In this blogpost I’ll discuss a common setup. A single WSUS server which all clients point to using client side targeting. The clients in this case being a set of servers (the role of the server is not relevant). over which we want full control regarding Windows Updates. I’m assuming you already have an Automation Machine environment and have working knowledge of WSUS (you can find numerous posts about setting up WSUS anyway).

Automation Machine Setup

Without Automation Machine you would configure Windows Updates using a GPO. Some of the settings in the screenshot below are similar or simply identical. Automation Machine also provides some options not available in the GPO. For example “Manage Windows updates service”. This option enables the control of the wuauserv Windows service. So when enabling this option Automation Machine takes over full control of Windows Updates on the machine. The first option “AutoInstall windows updates” simply enables controlling windows updates from Automation Machine. The other updates control which updates are installed. Since we’re going to use a WSUS server which controls updates to be installed these are irrelevant.

Note: I’ve done some additional testing in the meanwhile and came to the conclusion that enabling “Manage Windows update service” isn’t the best idea when you want proper reporting. After windows update have installed we do initiate a “wuauclt /reportnow” but there is feedback on when this is completed. Right after that is executed the service is disabled again. Disabling “Manage Windows update service” fixes this. This does however mean you need to make sure automatic windows updates are disabled.

Automation Machine Collection Settings
Windows Update Collection Settings

For WSUS to work we’re still missing a few options though. Clients would need to know which WSUS server to target and which group they belong to. Though you can use a GPO to configure these settings. I’d rather configure them using Automation Machine. You already have a tool with which to configure your servers. So you want as much configuration as possible in a single tool as a general best practice.

For that purpose I’ve created an AM package which configures the remaining options needed. You can download here. This package provides you with 3 options (seen below). The target group, Windows Update Server and the Windows Update Statistics Server. It also sets some additional registry settings to enable Windows Updates. Which you can find on the deployment tab if you want to dig in the package. The Target Group has been made Global. I’ll explain this in the next paragraph.

Automation Machine Package Private Variables
WSUS Package Private Variables

 

The variable has been made Global because the Target Group usually differs per collection. Since you don’t want to create a WSUS package for each set of servers Automation Machine features the option to override these settings on a per collection basis (as seen below). Using this you can link the package to each collection you want and then override the setting on a collection to match the desired target group. I haven’t done the same for the Windows Update Server variables since you usually have only 1 WSUS server. If you want though, you can simply tick the box below “Global” and it’ll also show up in the Collection Package Settings tab.

Automation Machine Package Settings
Collection Package Settings

How does it work?

Ok, so now you’ve configured everything and are ready to update servers using WSUS and Automation Machine. Yes, you should also setup a WSUS server, configure the updates you want to deploy and create target groups but I’m not discussing that in this post.

Automation Machine incorporates the Windows Updates process in a so-called “Deployment reboot”. A deployment reboot is an ordinary Windows reboot. With the addition that at startup Automation Machine will start processing the packages that were configured by the administrator to process. At the end of processing all packages Automation Machine will start the Windows Update and install all available updates (reboot in the process if necessary).

If you want to learn more please visit Automation Machine website.

Leave a Reply