Recommendations for GPO Windows Updates of Managed Servers

Posted on 2011-04-27
Last Modified: 2012-05-11
I am reviewing my processes and policies for managing multiple Servers across multiple sites/clients.

I am curious to see how others manage servers for Microsoft Updates, specifically the GPO settings used in conjunction with manual execution.

For Example, do you set updates to Download and Schedule install for 3am on a Sunday and let the server reboot when required? Alternatively do you set to download only and have better control over reboot times etc.?

Pros and Cons .....
Question by:Flipp
    LVL 56

    Assisted Solution

    by:Cliff Galiher
    I don't use WU/MU to manage servers. WSUS in some cases, in which case a scheduled install is fine, because I can still control that install time through the approval process...and I don't use auto-approval rules on servers either.

    For multiple sites or clients, however, nothing beats a good patch management package, usually integrated with other RMM tools as well. PacketTrap, LabTech, GFIMax are all highly respected in this field. Heck, evne MS is getting in on the action with MS InTune. There is just not a reason to use WU/MU to manage servers as the lack of control makes losing a server at an inopportune time way too likely.

    LVL 47

    Accepted Solution

    These should help you

    Best Practices with Windows Server Update Services 3.0

    Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy

    WSUS GPO Settings for the real world  <<<good explanations here
    LVL 6

    Author Closing Comment

    Thank you.
    LVL 4

    Expert Comment

    Instead of allowing automatic updates to install all the patches on your servers, it is always better and safe to test them on few machines before you roll out to all the servers. SCCM has this capability of approving patches prior to bulk deployment If you are looking for a simple tool to manage you patch deployments, you can try this:

    Featured Post

    Find Ransomware Secrets With All-Source Analysis

    Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

    Join & Write a Comment

    Healthcare providers, insurance companies and other covered entities trust eFax Corporate to transmit their most sensitive documents. eFax Corporate can help your organization implement a HIPAA compliant cloud faxing solution.
    Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
    how to add IIS SMTP to handle application/Scanner relays into office 365.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now