• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 678
  • Last Modified:

Recommendations for GPO Windows Updates of Managed Servers

I am reviewing my processes and policies for managing multiple Servers across multiple sites/clients.

I am curious to see how others manage servers for Microsoft Updates, specifically the GPO settings used in conjunction with manual execution.

For Example, do you set updates to Download and Schedule install for 3am on a Sunday and let the server reboot when required? Alternatively do you set to download only and have better control over reboot times etc.?

Pros and Cons .....
0
Flipp
Asked:
Flipp
2 Solutions
 
Cliff GaliherCommented:
I don't use WU/MU to manage servers. WSUS in some cases, in which case a scheduled install is fine, because I can still control that install time through the approval process...and I don't use auto-approval rules on servers either.

For multiple sites or clients, however, nothing beats a good patch management package, usually integrated with other RMM tools as well. PacketTrap, LabTech, GFIMax are all highly respected in this field. Heck, evne MS is getting in on the action with MS InTune. There is just not a reason to use WU/MU to manage servers as the lack of control makes losing a server at an inopportune time way too likely.

-Cliff
0
 
Donald StewartNetwork AdministratorCommented:
These should help you


Best Practices with Windows Server Update Services 3.0

http://technet.microsoft.com/en-us/library/cc720525%28WS.10%29.aspx


Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy

http://technet.microsoft.com/en-us/library/cc512630.aspx


WSUS GPO Settings for the real world  <<<good explanations here

http://community.spiceworks.com/how_to/show/1390
0
 
FlippAuthor Commented:
Thank you.
0
 
vak73Commented:
Instead of allowing automatic updates to install all the patches on your servers, it is always better and safe to test them on few machines before you roll out to all the servers. SCCM has this capability of approving patches prior to bulk deployment If you are looking for a simple tool to manage you patch deployments, you can try this:
http://www.manageengine.com/products/desktop-central/windows-patch-management.html
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now