In the past, and even today, Patch Management for servers can be quite a struggle for administrators, not only because of policy or processes but technically as well. The struggle might become bigger when clusters are involved…
Microsoft has done a great job by introducing Cluster Aware Updating (CAU) in Windows Server 2012 (it’s available in R2 as well). This gives administrators much more control to safely update cluster nodes while preventing all nodes from restarting at the same time. I will not get into the technical details about CAU; TechNet and a lab environment are your friends in that department.
Many organizations use ConfigMgr to facilitate Patch Management for all Windows-based machines equipped with a ConfigMgr client. For the sake of this post, I assume ConfigMgr 2012 is used (SP1 or newer).
As we all know, ConfigMgr uses WSUS as an ‘engine’ and adds additional technology to provide a feature-rich Patch Management solution. ConfigMgr adds more options to scan, evaluate, download and distribute updates than WSUS. Unfortunately, the ConfigMgr client is NOT aware of CAU, which poses some challenges.
CAU is a beneficial feature that admins do not want to see defeated by the ConfigMgr client when deploying updates. However, if a ConfigMgr Site (or even a hierarchy) is available, then it would be very nice to use this facility to download and install updates.
Microsoft provided a nice FAQ for CAU that is well worth reading: http://technet.microsoft.com/en-us/library/hh831367.aspx
The FAQ describes two options when using ConfigMgr with CAU:
Leveraging CAU with ConfigMgr is most likely the way to go. The ConfigMgr infrastructure is used to determine which updates need to be deployed. CAU will do the actual installation of updates and will make sure that cluster availability is maintained. This is especially true for Hyper-V clusters, which will live migrate each VM to a different node to allow the node being updated to be restarted during installation.
On the other hand, involving ConfigMgr with CAU might introduce some additional complexity. In some scenarios it makes sense not to leverage ConfigMgr at all and stick to WSUS alone. This might be true when building private clouds from scratch where a WSUS server is used to update the backend of the private cloud…
If someone has some experience with CAU and ConfigMgr, then feel free to share your thoughts in the comments…