What is the best approach to Windows Server patching

Hello EE, we have many Windows servers we can't manually log into and patch as we are set to download but let us choose when to install.

Is there a better way to automate this?
Asked by: operationsIT

Zorniac commented:
Set up a WSUS, create a computer group of your servers, set which updates you want your WSUS to automatically "synch". As updates come in for your server, simply approve them from WSUS for the specific computer group.
Helao Mwapangasha (Data Centre: Server Engineer) commented:
If you have Software Assurance you can set up SCCM. Patch using maintenance windows and create different collections where you can separate servers that can automatically reboot and those that require a manual restart.
operationsIT (author) commented:
With WSUS
1. Set up server group
2. Set servers to update automatically or what's best?

Will approved updates automatically install and reboot the server?
Can it be scheduled?
Or is it best to automate some and the rest manual?

Zorniac commented:
Hi OperationsIT,

I don't set to update automatically.  I usually roll my server updates about a month after release.  I like to make sure there are no unexpected "surprises".   A few Group Policy settings can help with this situation: Enable the policy setting “No auto-restart with logged on users for scheduled automatic updates installations.” This will prevent an update installation from restarting the computer.

https://technet.microsoft.com/en-us/magazine/gg537354.aspx
operationsIT (author) commented:
Great article, so do you
1. Download and install with no reboot
2. Download with no install or reboot

On WSUS do you let any updates go or wait the 30 days to manually approve for servers?

Do you have a script to reboot all servers in a maintenance window as in the article?
Zorniac commented:
I download with no install or reboot. I then wait until the start of the following month (usually first Tuesday of each month), approve the pending updates. Occasionally, when a patch is released by MS 'out-of-band' I will approve that update. These 'out-of-band' updates are the ones that usually address a newly publicized exploit. In these cases the lesser evil is a server crash due to an update, than dealing with clean-up of a breach. For security-related updates, your computer is unsafe before that reboot occurs: it is vulnerable to attacks which exploit the issue(s) fixed by the update requiring a reboot.

For that reason, when Windows Update automatically installs an update that needs a reboot, it proceeds with an automatic reboot. *FOR CRITICAL UPDATES ONLY*

No, I don't have a script. I have only about seven physical servers, so I will log in to them to reboot. Now by default, in order to make the updating process more convenient for you by preventing disruptions to your work, WU defaults to installing updates (and subsequently rebooting your computer) at 3:00AM.

http://blogs.technet.com/b/mu/archive/2008/10/02/windows-update-and-automatic-reboots.aspx
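
No participant in this thread posted the reboot script that was asked about. The following is an added example, not code from the thread or the linked articles: it reboots only servers that report a pending update reboot, and only inside a maintenance window. It assumes PowerShell remoting is enabled on the servers; the server names and window hours are placeholders.

```powershell
# Added example: reboot servers with a pending update reboot, inside a window only.
# Server names and window hours below are constructed placeholders.
param(
    [string[]]$Servers = @('SRV-APP01', 'SRV-FILE01'),  # hypothetical names
    [int]$WindowStartHour = 2,                           # 02:00 local time
    [int]$WindowEndHour   = 5,                           # 05:00 local time
    [switch]$ReportOnly                                  # list, do not reboot
)

function Test-InMaintenanceWindow {
    param([datetime]$Now, [int]$StartHour, [int]$EndHour)
    if ($StartHour -le $EndHour) {
        return ($Now.Hour -ge $StartHour -and $Now.Hour -lt $EndHour)
    }
    # Window wraps past midnight, e.g. 22 -> 4
    return ($Now.Hour -ge $StartHour -or $Now.Hour -lt $EndHour)
}

# Runs on each server: true if Windows Update or servicing has flagged a reboot.
$pendingCheck = {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    [bool]($keys | Where-Object { Test-Path $_ })
}

if (-not (Test-InMaintenanceWindow -Now (Get-Date) -StartHour $WindowStartHour -EndHour $WindowEndHour)) {
    Write-Warning 'Outside the maintenance window; no servers were touched.'
    return
}

foreach ($server in $Servers) {
    try {
        $pending = Invoke-Command -ComputerName $server -ScriptBlock $pendingCheck -ErrorAction Stop
    } catch {
        Write-Warning "$server : could not query ($($_.Exception.Message))"
        continue
    }
    if (-not $pending) { Write-Output "$server : no reboot pending"; continue }
    if ($ReportOnly)   { Write-Output "$server : reboot pending (report only)"; continue }

    # One server at a time; wait for remoting to come back before the next one.
    Restart-Computer -ComputerName $server -Force -Wait -For PowerShell -Timeout 900 -Delay 10
    $still = Invoke-Command -ComputerName $server -ScriptBlock $pendingCheck -ErrorAction SilentlyContinue
    Write-Output "$server : rebooted; reboot still pending = $still"
}
```

Running it with `-ReportOnly` first lists which servers are still waiting on a reboot, which is the period during which an installed security update is not yet in effect.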

operationsIT (author) commented:
Great input, thanks.