Windows patching for Veeam Infrastructure

That is true, but I personally don’t mind having a bit of control of my backup infrastructure.

The more I start using replicas, CDP, etc. the less I really want to automate something that might not come back if I’m on vacation. 

Of course. I have multiple copies of my config backup and have done a few restores in the past. Once you get heavy into the tape it’s a LONG process sometimes. 

We do the updates to our backup server at another time as to the poduction servers (normally one week later).

So, we have the backup environment up an running in the case there is something wrong with the updste process to the production servers.

The backup servers itself are patched the same way as all other servers- via WSUS.

> For most of my servers I use  a WSUS deployment I have scripted all of my servers to check in weekly and to download the updates at a specified time.

Good to know that you are using WSUS! But why does your client(s) have to check weekly? Seems to me you do not test and approve updates to your clients.

>  I use flags so they won’t download the updates if a reboot is currently pending incase a previous month is missed. I then use VMware to scheduled reboot the hosts as It’s much more consistent this way and easy to disable.

There are tons of GPO settings to help with all these. There are polices to download only as far as I can remember.  Let me introduce you to another exciting tool “Windows Admin Center (WAC)” for server management since you love to manually install these updates. I am sure that you already know about this :-)

Lastly, do you know that you can also target your VBR via WSUS. WSUS can be deployed in a disconnected scenario, where updates and metadata are exported on one WSUS server and imported on another disconnected WSUS server. This scenario makes WSUS useable in highly-restricted perimeter networks. 

• Here is a simplified method: All you need are just some few registry tweaks!  https://learn.microsoft.com/en-us/answers/questions/447288/shared-wsus-server-for-domain-and-non-domain-joine.html

Yep, I didn’t see you’d posted here before. For some reason I thought you’d just joined. 

I understand now! Great script by the way...

From my personal experience, if your backup infrastructure (Veeam Servers and related) is not too big, I would like keeping control over it, cause is my last line of defense,

I personally run windows updates manually, downloading the updates and performing the install and reboot between jobs hours, and placing a snapshot before updating if it was a vm, and always keeping close the latest config file in case of needed.

We did monthly patching, and treated the Veeam servers as all other servers, but taking into consideration that they are a bit special, so not taking risk over them.

cheers.

Due to the long backup windows I have, (lots of 40TB+ file servers), Requirements for Tape, and insane retention (60 years, 100 years, forever) my tape jobs sometimes take a fair amount of time. I always need some control over when my reboots take place, and the ability to abort at the drop of a hat too. 

The way my script works for the other servers is fantastic when they say “NO UPDATES TODAY” I just turn off the scheduled task for the reboot. The update stays staged ready for whenever. if it tries again the script sees a waiting reboot and won’t download the updates if someone doesn’t reboot it for a month and it will catch up the following month.

It’s all automatic and only involves setting up a scheduled task upon creation of the servers.  I’ve never looked into a bastion domain, time to do some google learning :)

@HunterLAFR  sounds very similar to me. For the few servers I have in Veeam, although growing, i don’t mind doing them 1 at a time and saving things like config backups, or doing a snapshot etc.

Once you have a large MS update go and bork about 25-40 servers in one go, you learn your lesson. 

I’ll go and see if there is anything that needs to be redacted  from them and share what I can.  There may be some very specific stuff I can comment out or remove depending on if it would be beneficial to others.  Might take me a bit though, being pulled in 1000 directions lately :) 

Since I started here I refuse to install new servers without a Window and make it part of every project implementation to have a monthly outage.   Due to how critical our systems are though, this requires an insane amount of HA, FT solutions etc which get VERY expensive.  Getting SQL Enterprise was a challenge but if you want me to keep creating servers, you need to give me windows to reboot them for patches. 

When I started here there were hundreds of servers with 1000 days - 2000 Days of uptime so I have done well lol. 

And, of course, take snapshots of the servers before patching...because...MS...

I should probably put more thought into our patching, but we apply Windows updates via our RMM.  Since nearly all of our deployments are using the SQL Express deployment on the same server as VBR, we don’t run into many dependency issues at least, but for the most part we’ve been letting it ride with the rest of the patching.