SaltStack – Assisting Windows Updates With win_wua

Summary

Today I got to play with the Salt win_wua module. Anyone who manages Windows servers knows all about the second Tuesday of the month, and the win_wua module can help greatly. I have recently been toying with Salt, as mentioned in some of my other articles like Introduction to SaltStack.

Update Methodology

In the environments I manage, we typically implement Microsoft Windows Server Update Services (WSUS), but in a manual fashion so that we can control the installation of the patches. WSUS is more of a gatekeeper against bad patches. We approve updates immediately, but only for test servers. This lets us burn them in for a few weeks. Then, when we’re comfortable, we push them to production. This greatly helped mitigate this Windows Updates conflict – https://community.sophos.com/kb/en-us/133945

The actual installation is still manual, though, since we need to trigger it. It involved manually logging into various servers to push the install button and then reboot. In my past complaints about this, I was unable to find something to easily trigger the installation of Windows updates.

Win_wua to the rescue

I originally thought I would need a Salt state to perform this, but the command line module is so easy that I did not bother.

salt TESTSERVER win_wua.list
TESTSERVER:
    ----------
    9bc4dbf1-3cdf-4708-a004-2d6e60de2e3a:
        ----------
        Categories:
            - Security Updates
            - Windows Server 2012 R2
        Description:
            Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
        Downloaded:
.....

It then spews a ton of data related to the pending updates to be installed. Luckily it has an option for a summary. Surprisingly we use the same “list” to install by setting a flag. The install function expects a list of updates you wish to install but we just want to install all pending ones.

Before we install, check out the summary output:

salt TESTSERVER win_wua.list summary=True
TESTSERVER:
    ----------
    Available:
        0
    Categories:
        ----------
        Security Updates:
            4
        Windows Server 2012 R2:
            4
    Downloaded:
        4
    Installed:
        0
    Severity:
        ----------
        Critical:
            3
        Moderate:
            1
    Total:
        4

OK, so let’s install and only see the summary:

salt -t 60 LV-PSCADS01 win_wua.list summary=True install=True
LV-PSCADS01:
    Passed invalid arguments to win_wua.list: 'int' object is not callable
    
        .. versionadded:: 2017.7.0
    
        Returns a detailed list of available updates or a summary. If download or
        install is True the same list will be downloaded and/or installed.

Well, that’s no fun! Not quite what we expected. It appears it’s a known bug in 2017.7.1 that has since been fixed. Update your Salt minion or perform the manual fix it listed and run again!

salt -t 60 TESTSERVER win_wua.list summary=True install=True
TESTSERVER:
    ----------
    Download:
        ----------
        Success:
            True
        Updates:
            Nothing to download
    Install:
        ----------
        Message:
            Installation Succeeded
        NeedsReboot:
            True
        Success:
            True
        Updates:
            ----------
            9bc4dbf1-3cdf-4708-a004-2d6e60de2e3a:
                ----------
                AlreadyInstalled:
                    False
                RebootBehavior:
                    Never Reboot
                Result:
                    Installation Succeeded
                Title:
                    2019-11 Servicing Stack Update for Windows Server 2012 R2 for x64-based Systems (KB4524445)
            9d665242-c74c-4905-a6f4-24f2b12c66e6:
                ----------
                AlreadyInstalled:
                    False
                RebootBehavior:
                    Poss Reboot
                Result:
                    Installation Succeeded
                Title:
                    2019-11 Cumulative Security Update for Internet Explorer 11 for Windows Server 2012 R2 for x64-based systems (KB4525106)
            a30c9519-8359-48e1-86d4-38791ad95200:
                ----------
                AlreadyInstalled:
                    False
                RebootBehavior:
                    Poss Reboot
                Result:
                    Installation Succeeded
                Title:
                    2019-11 Security Only Quality Update for Windows Server 2012 R2 for x64-based Systems (KB4525250)
            a57cd1d3-0038-466b-9341-99f6d488d84b:
                ----------
                AlreadyInstalled:
                    False
                RebootBehavior:
                    Poss Reboot
                Result:
                    Installation Succeeded
                Title:
                    2019-11 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB4525243)

Of course, this is Windows, so we need a reboot. By default, win_system.reboot waits 5 minutes before rebooting. With the flags below we can shorten that.

salt TESTSERVER system.reboot timeout=30 in_seconds=True

Salt State

If I wanted to automate the reboot after the update install, I could make this a state and check for the updates to trigger a reboot. In my scenario, I do not need it, but if you want to try, check out this section for the win_wua states. The syntax is slightly different from the module we have been working with in this article.

Updating Multiple Servers

If you want to update multiple servers at once, you can do something like the following. The -L flag lets you set multiple targets as a comma-separated list.

salt -t 60 -L TESTSERVER,TESTSERVER2,TESTSERVER3 win_wua.list summary=True install=True

salt -L TESTSERVER,TESTSERVER2,TESTSERVER3 system.reboot timeout=30 in_seconds=True

We could even set a Salt grain to group these:

salt -L TESTSERVER,TESTSERVER2,TESTSERVER3 grains.set wua_batch testservers
salt -G wua_batch:testservers win_wua.list summary=True install=True
salt -G wua_batch:testservers system.reboot timeout=30 in_seconds=True
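
An added example (not from the original post): a Python helper that reads the install results for several minions and builds the reboot command only for those that installed cleanly and report NeedsReboot, instead of rebooting the whole group blindly. It assumes the install command was run with `--static --out=json` so the results arrive as one JSON object keyed by minion; the sample data, including the "Installation Failed" value and the shortened titles, is constructed.

```python
import json

# Constructed sample: assumed JSON form of the install output shown earlier,
# for three minions (clean install, failed update, module error string).
SAMPLE = json.dumps({
    "TESTSERVER": {"Install": {"Success": True, "NeedsReboot": True, "Updates": {
        "9bc4dbf1-3cdf-4708-a004-2d6e60de2e3a": {
            "Result": "Installation Succeeded", "Title": "KB4524445"}}}},
    "TESTSERVER2": {"Install": {"Success": False, "NeedsReboot": True, "Updates": {
        "a30c9519-8359-48e1-86d4-38791ad95200": {
            "Result": "Installation Failed", "Title": "KB4525250"}}}},
    "TESTSERVER3": "Passed invalid arguments to win_wua.list: "
                   "'int' object is not callable",
})

def triage(raw):
    """Split minions into reboot targets, failed installs and module errors."""
    reboot, failed, errors = [], {}, {}
    for minion, ret in sorted(json.loads(raw).items()):
        # A minion that could not run the module returns a string, not a
        # result dict (the 2017.7.1 bug above); never count it as patched.
        if not isinstance(ret, dict) or not isinstance(ret.get("Install"), dict):
            errors[minion] = str(ret)
            continue
        install = ret["Install"]
        updates = install.get("Updates")
        if not isinstance(updates, dict):
            # Assumption: a plain string here (like "Nothing to download"
            # in the Download block) means nothing was installed.
            continue
        bad = [u.get("Title", guid) for guid, u in updates.items()
               if u.get("Result") != "Installation Succeeded"]
        if bad or not install.get("Success"):
            failed[minion] = bad  # investigate before rebooting
        elif install.get("NeedsReboot"):
            reboot.append(minion)
    return reboot, failed, errors

def reboot_command(minions):
    """Build the article's reboot call for the clean minions only."""
    if not minions:
        return None
    return ["salt", "-L", ",".join(minions), "system.reboot",
            "timeout=30", "in_seconds=True"]

if __name__ == "__main__":
    ok, failed, errors = triage(SAMPLE)
    print("reboot:", reboot_command(ok))
    print("failed:", failed)
    print("errors:", errors)
```

Minions that land in the failed or errors buckets are the ones to check by hand before the next patch window.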

Throttling

If you are running this on-prem or just flat-out want to avoid an update and boot storm, you can throttle it using “salt -b” as mentioned in Salt’s documentation.

# This would limit the install to 2 servers at a time
salt -b 2 -G wua_batch:testservers win_wua.list summary=True install=True

Final Words

This article is likely only useful if you have Salt in your environment somewhere but never thought about using it on Windows. It is a great tool for configuration management on Windows, but most Windows admins think of other tools like GPO, SCCM, etc. to manage Windows.