Windows Updates in Network Environment (Keep Off or ON?)

Hi guys,

I run a small SBS 2003 server network with about 40 Lenovo laptops. Most laptops have Win 7 and a few have XP. I was wondering if I should keep the Windows updates TURNED OFF or TURNED ON. In the past I always kept them turned off, but since Microsoft comes out with so-called CRITICAL updates I was wondering if I should turn them back on. THANKS
MXU2011 Asked:
 
jawa29 Commented:
Hi MXU2011

As I was sadly one of the many Sysadmins hit by Conficker back in the day (through no fault of my own I'd like to add) I'm a strong believer of installing updates shortly after they are released.

The best way to do this is to install WSUS from Microsoft on your server (http://technet.microsoft.com/en-us/windowsserver/bb332157). This will require some additional disk space, but it allows you to have a local repository of updates on your network; you can then configure your clients to look at that instead of Windows Updates.

This will also allow you to create groups of PCs, allowing you to deploy updates to test PCs first.

Jawa29

0
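
To confirm that a laptop really picked up the WSUS client settings described in the answer above, the following is an added example (not part of the original thread) that audits the standard Windows Update policy registry values. The server URL and the group name `Pilot` are hypothetical placeholders; substitute your own.

```powershell
# Added example: audit one client's Windows Update policy settings.
# ExpectedServer and ExpectedGroup defaults are hypothetical placeholders.
param(
    [string]$ExpectedServer = 'http://wsus.example.local:8530',
    [string]$ExpectedGroup  = 'Pilot'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Return a policy value, or $null when the key or the value is absent.
function Get-PolicyValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

$server  = Get-PolicyValue $wuKey 'WUServer'
$status  = Get-PolicyValue $wuKey 'WUStatusServer'
$group   = Get-PolicyValue $wuKey 'TargetGroup'
$groupOn = Get-PolicyValue $wuKey 'TargetGroupEnabled'
$useWsus = Get-PolicyValue $auKey 'UseWUServer'
$noAuto  = Get-PolicyValue $auKey 'NoAutoUpdate'
$auOpt   = Get-PolicyValue $auKey 'AUOptions'

$findings = @()
if ($useWsus -ne 1) {
    $findings += 'UseWUServer is not 1: WUServer is ignored, client does not use WSUS'
}
if ($server -ne $ExpectedServer) {
    $findings += "WUServer is '$server', expected '$ExpectedServer'"
}
if ($status -ne $server) {
    $findings += "WUStatusServer '$status' must match WUServer '$server'"
}
if ($noAuto -eq 1) {
    $findings += 'NoAutoUpdate is 1: Automatic Updates is turned off'
} elseif ($auOpt -ne 4) {
    # AUOptions 4 = download automatically and install on a schedule
    $findings += "AUOptions is '$auOpt': updates are not installed on a schedule"
}
if ($groupOn -ne 1 -or $group -ne $ExpectedGroup) {
    $findings += "TargetGroup is '$group' (enabled=$groupOn), expected '$ExpectedGroup'"
}

if ($findings.Count -eq 0) { Write-Output 'OK: client is configured for WSUS'; exit 0 }
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

The script only reads the registry and sticks to cmdlets available in PowerShell 2.0, so it runs on the Windows 7 clients; a non-zero exit code means at least one setting differs from what was expected.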
 
IWillHelp Commented:
The answer you need completely depends on your own internal patch management policy. There are many critical security updates that should be installed and maintained, but some are not.

In my personal experience, I too have run it both ways and seem to find fewer issues when the group internal policy dictates which patches / updates are installed and which are not. But that does take a lot more time on personnel (you) than just allowing all updates to load in the middle of the night.

So in conclusion, I would suggest all updates to be installed immediately after the nightly backup policy is completed.
0
 
IWillHelp Commented:
I would, as well, agree with jawa29 on the repository of updates with the WSUS tool. It saves headache but adds time when deploying to a group of 40 units, since you are able to test common deployment scenarios prior to them going live.

The downside to this is attempting to deploy to a group that has differing setups, as many small companies / deployments would, since many at <50 units will all have a different setup and machine, so thus the number of tests would be exaggerated.
0
 
Lee W, MVP, Technology and Business Process Advisor, Commented:
WSUS comes with SBS 2003 R2 and later and if the systems have been installed properly, should be working.

Should you patch?  Only IF:
 - You want to ensure viruses cannot spread easily
 - You want to ensure your data is not stolen
 - You want to ensure the stability and reliability of your systems.

If you don't want any of that, then don't patch.

It's always possible updates will break something else ... an Office patch caused issues in December... but it was pulled a couple of days after its release. If you want to wait a week, I wouldn't fault you... but by the third Tuesday of the month (considering MS typically releases patches on the second Tuesday) I would patch. And testing isn't bad either - set up or designate a guinea pig PC to always patch first and make sure it doesn't have problems... much less hassle repairing a single system from a failed patch than an office full of systems.
0
 
Donald Stewart, Network Administrator, Commented:
One of the other benefits not mentioned is reduced bandwidth. With WSUS the updates are all downloaded to your WSUS server and your clients pull from there. If you were to enable just Windows Updates and had 40 clients all downloading updates at the same time, your network would start to crawl. WSUS/Windows Updates use BITS (idle network bandwidth), which can also be throttled to your needs as well.

As far as taking extra personnel time, that's what automatic approval rules were designed for.
0
 
MXU2011 (Author) Commented:
THANK YOU VERY MUCH GUYS. YOU GUYS ARE AWESOME!! I DON'T KNOW WHAT I WOULD DO WITHOUT EXPERTS-EXCHANGE
0
 
LeeTutor (retired) Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0