Windows Updates deployment

We are in the process of creating a policy for deploying Windows updates. Our network was an isolated network with no access to the internet until now. We have recently deployed SCCM, and a software update point has been installed and configured.

Now we want to have policies created for deploying Windows updates on servers and clients.

I am concerned about the servers, as we have servers with different roles like:

file servers, SQL clusters
Exchange DAGs
application servers.

I want some suggestions on whether it is safe to deploy security updates on all servers at the same time, especially the ones that are part of the clusters.

Looking for some best practices related to deploying Windows updates.
Asked by Aamer M

yo_bee (Director of Information Technology) commented:
It is not a good idea to deploy updates to your environment in one fell swoop. You should always stage it.
I do the following with my SCCM system.

Deploy to one and see how it goes. If successful, then I have a small test group. If that is successful, one more test group with a larger scope. If that is successful, push it out to the masses.

Servers:  I would recommend one by one.
Especially very critical ones like email or sql.

Make sure that you push out to them at very late hours.
If you set the updates to push outside the maintenance window you will have the updates apply during production hours and it can take services offline like IIS or others like exchange.

I recommend following a similar staged approach or manually addressing each server. If you apply all the patches at once you may have a fire that you cannot put out. I like to err on the side of caution and review what each update addresses and make a decision from there.
Aamer M (Author) commented:
I agree and thanks for the reply.

Now Microsoft releases rollups. If I download the latest rollup update for Windows servers, will it cover all previous rollups and updates?
yo_bee (Director of Information Technology) commented:
That is very true and I have seen this cause issues because one of the many that have been rolled up can cause your system not to work.

It's a catch-22 with Microsoft's rollup method.
Mike T (Leading Engineer) commented:

I agree with what's already been said. I just want to add some info regarding SCCM.

There are three key things you can configure for a better experience that I've noticed get neglected. Things will still work if you don't, but the SCCM server will work harder, the load on the endpoints will be greater and traffic will be heavier. All that makes your job as an IT admin that much harder and takes longer.

The 3 things are:

1) Create excellent collections
2) Create good client settings
3) Manage your boundaries with your networking team

3) You may well have boundaries all set already, but have a look at the speed rating. Do they all say fast? Unless you have excellent bandwidth, the chances are not all network routes are fast. Ask your network team for the speed ratings of each boundary and then flip the boundary to "slow" as required. Then ask the network team how to group the boundaries. You can group by geography, speed or both, but it will help later.

2) Client settings are absolutely key. You can create a custom policy group for each role of machine: "Workstation", "Laptop", "General Server", "Cluster". By policy group I just mean a whole selection of settings that are appropriate to the role. Current Branch has dozens of settings to change. Not all are appropriate or relevant to all machines. For example, the restart policy for a cluster can be quick, because you will want to be there watching and reboot promptly and not defer for 2 hours. Likewise there is zero need to collect the CD-ROM inventory or the wireless settings (in the Hardware Inventory classes). You want the compute to be doing clustering, not making lists of WMI classes that don't exist!

1) The last, and ironically the first, thing to do is create excellent collections. By that I mean don't just copy and paste an example from the Web for "servers" or "laptops" that looks for a WMI battery. Whilst it can work, there are odd desktops with batteries, so it's not as simple as it looks.
Create master limiting collections first and then use those to lock (limit) future collections. Then create role-based collections, say servers, workstations, laptops.
Now deploy the client settings to the matching collections. You can then deploy updates to those same collections. If you have designed it well, only cluster-based servers will get updates using the settings most appropriate for clusters.
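The collection and client-settings layout described in this answer, as an added PowerShell example that is not part of the original thread. It assumes the ConfigurationManager module on an SCCM console machine; the site code "PS1", the collection and client-setting names, and the "Cluster Service present" heuristic for identifying cluster nodes are placeholders and assumptions of this example.

```powershell
# Added example (not from the thread): limiting collections, a role collection
# for cluster nodes, and role-specific client settings targeted at that collection.
# Assumptions: ConfigurationManager module available, site code "PS1",
# all collection/setting names are placeholders.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "PS1:"

# 1) Master limiting collections. Every later collection is limited by one of
#    these, so a deployment cannot reach beyond its role by mistake.
$limits = @{
  'LIM - All Servers'      = 'select SMS_R_System.ResourceId from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Server%"'
  'LIM - All Workstations' = 'select SMS_R_System.ResourceId from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation%"'
}
foreach ($name in $limits.Keys) {
  if (-not (Get-CMDeviceCollection -Name $name)) {
    New-CMDeviceCollection -Name $name -LimitingCollectionName 'All Systems' -RefreshType Periodic | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name -RuleName 'Role query' -QueryExpression $limits[$name]
  }
}

# 2) Role collection for cluster nodes, limited by the server collection.
#    Membership comes from the Services hardware-inventory class: a machine
#    reporting the Cluster Service (ClusSvc) is treated as a cluster node
#    (assumed heuristic; adjust to how your clusters are inventoried).
$clusterQuery = 'select SMS_R_System.ResourceId from SMS_R_System ' +
  'inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceId = SMS_R_System.ResourceId ' +
  'where SMS_G_System_SERVICE.Name = "ClusSvc"'
$cluster = 'ROLE - Cluster Servers'
if (-not (Get-CMDeviceCollection -Name $cluster)) {
  New-CMDeviceCollection -Name $cluster -LimitingCollectionName 'LIM - All Servers' -RefreshType Periodic | Out-Null
  Add-CMDeviceCollectionQueryMembershipRule -CollectionName $cluster -RuleName 'Cluster service present' -QueryExpression $clusterQuery
}

# 3) Role-specific client settings: a short restart countdown, because an admin
#    will be watching a cluster node and rebooting it promptly rather than
#    deferring. (Hardware inventory class trimming, e.g. CD-ROM and wireless,
#    is left to the console's Hardware Inventory "Set Classes" dialog.)
$settingName = 'Cluster Servers'
if (-not (Get-CMClientSetting -Name $settingName)) {
  New-CMClientSetting -Name $settingName -Type Device | Out-Null
}
Set-CMClientSettingComputerRestart -Name $settingName -CountdownMins 15 -FinalWindowMins 5

# Deploy the settings to the role collection. Software update deployments are
# later targeted at this same collection, so only cluster nodes get these settings.
Start-CMClientSettingDeployment -ClientSettingName $settingName -CollectionName $cluster
```

Run it once from an elevated console session; the collection queries refresh on the periodic schedule, so newly inventoried cluster nodes pick up the role settings without further changes.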
yo_bee (Director of Information Technology) commented:
I like that follow up detail. Lots of details. Do you have any recommended links?
yo_bee (Director of Information Technology) commented:
Curious why no points were awarded for my comments, given that the solution you accepted acknowledged mine and added details.