Patching. Software Updates. Windows Updates.
These are the most mundane things possible for a windows admin, but the most essential for maintaining a good cybersecurity posture. ICPSR embarked on a mission to answer one question: can we automate ourselves out of needing to hire Windows Administrators? The answer is yes.
Through the use of tools like Packer, Ansible, Chocolatey, and Powershell we were able to reduce our monthly patching needs from a dedicated admin running through a checklist down to someone monitoring the results of a script and doing QA to ensure our build process worked as expected. We have implemented version control in git as the source of truth for what our OS images should contain, and developed automation to ensure that our desired state matches reality.
What makes this even more powerful is that it is self-updating. Because our software is updated through chocolatey, we can script the download of new software binaries and builds of new installation packages. Think of it like a PDQ Deploy subscription, but it works for anything we've built a package for once.
We have successfully automated ourselves out of needing to hire Windows Admins at ICPSR, and we delivered a better product to our users as a result. All we have to do to keep our systems secure at this point is update a configuration file once in a while, and read over the latest news and scans from IA about vulnerabilities.
How I Learned to Stop Worrying About Updates and Love GitOps for Windows - Slide Presentation