Monday, May 4, 2009

Windows Updates, WSUS Style

Update Tuesday. Another set of fixes comes down the pipes, and sysadmins hope as hard as they can that this batch won't break an application or system. Again.

When you have to administer hundreds of systems and have very few people to cover them, you end up with a lot of systems going for months (or in some cases longer) without updates. This is especially true if you don't have a routine and policy in place for making sure all systems are updated within a particular period of time.

To help with the update chore, Microsoft created a free Windows System Update Server tool. You set up a server on your network with a lot of dedicated space, and that server downloads your updates from Microsoft for you. Your systems can then be configured (again, Active Directory, when it works...) to look to that server, within your much faster network, for updates rather than pulling them from the Internet, where every download contributes to slowing down your site's access while others are working (or goofing off) over the Internet. It also keeps track of systems that are updated and what updates are needed, and can control which systems get what updates.

The irritating part is that it only sometimes seems to really help.

  1. There's no web interface from the client that needs to be updated. In other words, I need the Windows Update Service to see the updates and notify me. There's a command line utility you can run to tell it to try the updates, but it just runs and exits without feedback... it just tells the invisible background service, "Yeah, could you try checking now instead of later for updates?" Then you might be able to find a log somewhere that lists if the service did anything. The conventional bandwidth-sucking method means I can just go to Microsoft's update website and click on the button to start updates; from there I can get SOME feedback on what's going on.
  2. I found a script that is supposed to help with on-demand updates. I dutifully put it into a directory with a couple of support programs, double-click it, and in anywhere from five to fifteen minutes a script window pops up that tells me whether it's downloading updates or not. Some improved feedback, but c'mon!
  3. Just as the script's window pops up, I sometimes get the Windows Automatic Update "shield" in the system tray telling me there are updates to download. Sometimes it comes up while the script window hasn't appeared yet. In other words, I could easily end up running two updates in parallel, slowing me down even more because of a slip of attention.
  4. Sometimes it's not a slip in attention. Sometimes the script just doesn't work so I start the other process thinking the first attempt failed. There is sometimes an error from the script, sometimes not. ARGH!
  5. It appears that sometimes if a particular "pre-update" isn't installed, the WSUS (update server inside our network) simply won't work. Period. I have to do a manual update from Windows Update on Microsoft's site, defeating the purpose of having the internal server in the first place.

I'm not a professional programmer, but in designing this update server program I really think it would be nice to have something that

  1. Gives feedback on your system's update status and current state of the updater.
  2. Allows the admin to pull updates on demand, not whenever the system decides to notice that there are updates waiting for it.
  3. Has better mechanisms for realizing you need various "pre-updates" in order to work properly.

It would be nice if your administration tools didn't make you want to scream and bash your head into a wall... When doing updates for Ubuntu, at least I can usually decipher my update progress and messages as things are zipping around on the console when not running the graphical front-end to the tools. Seems like Windows, with all the enterprise penetration that operating system has and the fantastic developer tools available, would have better tools for such a common chore!
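
For the first wish in the list above (feedback on update status and the state of the updater), the Windows Update Agent exposes a COM interface that can be queried from PowerShell. The script below is an added example, not the script mentioned in the post; it assumes PowerShell 2.0 or later run as an administrator on the client, and the function names are made up for illustration.

```powershell
# Added example: read-only status report for a WSUS client.
# It searches and reports; it does not download or install anything.

function Get-ConfiguredUpdateServer {
    # Group Policy writes the internal update server URL to this key.
    # If the value is absent, the client talks to Microsoft's servers instead.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($policy -and $policy.WUServer) { return $policy.WUServer }
    return '(no update server set by policy)'
}

function Get-UpdaterState {
    # State of the background service plus the last successful check/install times.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    New-Object PSObject -Property @{
        Service       = (Get-Service -Name wuauserv).Status
        UpdateServer  = Get-ConfiguredUpdateServer
        LastSearchOk  = $au.Results.LastSearchSuccessDate
        LastInstallOk = $au.Results.LastInstallationSuccessDate
    }
}

function Get-PendingUpdate {
    # Synchronous search against whatever server the client is configured to use.
    # This can take several minutes; a failure is reported instead of exiting silently.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    try {
        $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    } catch {
        Write-Warning ("Update search failed: " + $_.Exception.Message)
        return
    }
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            Title      = $u.Title
            KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity   = $u.MsrcSeverity
            Downloaded = $u.IsDownloaded
        }
    }
}

Get-UpdaterState | Format-List
$pending = @(Get-PendingUpdate)
"{0} update(s) still needed" -f $pending.Count
$pending | Format-Table KB, Severity, Downloaded, Title -AutoSize
```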

1 comment:

  1. Very good info. Lucky me I discovered your site by chance (stumbleupon). I have saved it for later! Here is my web site:boss linux distribution
