/wsus-demo

Primary LanguageRubyOtherNOASSERTION

wsus

Preparation:

Update .kitchen.yml with your Azure subscription details per kitchen-azurerm

driver_config:
  subscription_id: '00000000-YOUR-GUID-HERE-000000000000'
  location: 'Central US'
  machine_size: 'Standard_D3_v2'

NOTE: The WSUS Server takes ~30 minutes to spin up

Before showing someone, make sure you stand up the WSUS server as it takes a while to download the updates

  • Run kitchen create so that all machines are ready
  • Run kitchen converge server
  • Update kitchen.yml
    • Update image_urn if needed for platform windows-2012r2-old
      - name: windows2012-r2-old
    driver_config:
    # NOTE: If you don't specify an out of date Azure URN there will not be
    # any updates to apply. You can get a current list of 2012R2 URNs by running
    # az vm image list --all --sku 2012-R2-Datacenter
      image_urn: MicrosoftWindowsServer:WindowsServer:2012-R2-Datacenter:4.127.20170510
      vm_name: 2012r2-old
    transport:
      name: winrm
      elevated: true
    
    • Update wsus_server attribute to reflect your WSUS Server
    attributes:
        wsus_client:
        # NOTE: this needs to be set on each run, the DNS entry from the AzureRM driver creates
        # as kitchen-[driver UUID].[location].cloudapp.azure.com 
        # the UUID can be found in .kitchen/server-windows2012-r2.yml
        # Don't forget to include 'http://' and ':8530' in the WSUS server string
            wsus_server: "http://kitchen-9581203fe04897be.centralus.cloudapp.azure.com:8530"
    

Running the show

  • Run kitchen converge client --parallel
    • This will stand up a current and an old Windows 2012 R2 instance in Azure Allowing you to show different levels of patches that would need to be applied
    • This run will be relatively quick as we should not have any approved updates yet
  • Login to your WSUS server kitchen login server
    • Open Windows Server Update Services
      • Press CMD or WIN and type WSUS to search for Windows Server Update Services
      • Close the tutorial window to launch into WSUS
    • Click on Updates on the left and expand the drop down
    • Select All Updates
    • Switch the Status to Any from the drop down and refresh
      • All updates should be Not Approved
  • Check to see that your kitchen converge client --parallel has finished
    • Go back to WSUS and expand the left drop down for Computers
      • Select My Server Group
      • Click on each computer to show the updates that are missing
    • Go to All Updates, select all of them **NOTE: Make sure your filters are set to Approval: Any Except Declined and Status: Any
      • From the Actions menu on the right click Approve...
      • Approve for My Server Group
      • This will take a second, remind folks they probably don't want to blindly approve all updates in their systems, but this is just a demo
  • Run kitchen converge client --parallel again
    • Your output should quickly show
      * wsus_client_update[WSUS updates] action download
    • The update process should take between 10-20 minutes and will eventually reboot
  • Login to the older server kitchen login client-windows2012-r2-old
    • In the Server Manager go to Local Server
      • Point out that Windows Update shows "Download updates only, using a managed update service"
      • Click on that link to open the Windows Update menu
      • Point out "You recieve updates: Managed by your system administrators"

TO DO:

  • Add a suite with a client that has a scheduled install for patches instead of on demand
  • Add InSpec profile to validate connection to appropriate WSUS server
  • Integrate with BJC