Windows Updates deployment

Aamer M
We are in the process of creating a policy for deploying Windows updates. Our network was an isolated network with no access to the internet till now. We have recently deployed SCCM, and a software update point has been installed and configured.

Now we want to create policies for deploying Windows updates on servers and clients.

I am concerned about the servers, as we have servers with different roles like:

- File servers, SQL clusters
- Exchange DAGs
- Application servers

I want some suggestions on whether it is safe to deploy security updates on all servers at the same time, especially the ones that are part of the clusters.

I am looking for some best practices related to deploying Windows updates.
yo_bee, Director of Information Technology

Commented:
It is not a good idea to deploy updates to your environment in one fell swoop. You should always stage it.
I do the following with my SCCM system.

Workstations:
Deploy to one and see how it goes. If successful, then I have a small test group. If that is successful, one more test group with a larger scope. If that is successful, push it out to the masses.

Servers:  I would recommend one by one.
Especially very critical ones like email or SQL.

Make sure that you push out to them at very late hours.
If you set the updates to push outside the maintenance window, you will have the updates apply during production hours, and it can take services offline like IIS or others like Exchange.

I recommend following a similar staged approach or manually addressing each server. If you apply all the patches at once, you may have a fire that you cannot put out. I like to err on the side of caution and review what each update addresses and make a decision from there.

Author

Commented:
I agree and thanks for the reply.

Now Microsoft releases rollups. If I download the latest rollup update for Windows Server, will it cover all previous rollups and updates?
yo_bee, Director of Information Technology

Commented:
That is very true, and I have seen this cause issues because one of the many updates that have been rolled up can cause your system not to work.

It's a catch 22 with Microsoft's rollup method.
Leading Engineer
Commented:
Hi,

I agree with what's already been said. I just want to add some info regarding SCCM.

There are three key things you can configure for a better experience that I've noticed get neglected. Things will still work if you don't, but the SCCM server will work harder, the load on the endpoints will be greater and traffic will be heavier. All that makes your job as an IT admin that much harder and take longer.

The 3 things are:

1) Create excellent collections
2) Create good client settings
3) Manage your boundaries with your networking team

3) You may well have boundaries all set already, but have a look at the speed rating. Do they all say fast? Unless you have excellent bandwidth, the chances are not all network routes are fast. Ask your networks team for the speed ratings of each boundary and then flip the boundary to "slow" as required. Then ask the network team how to group the boundaries. You can group by geography, speed or both, but it will help later.

2) Client settings are absolutely key. You can create a custom policy group for each role of machine: "Workstation", "Laptop", "General Server", "Cluster". By policy group I just mean a whole selection of settings that are appropriate to the role. Current Branch has dozens of settings to change. Not all are appropriate or relevant to all machines. For example, the restart policy for a cluster can be quick, because you will want to be there watching and reboot promptly and not defer for 2 hours. Likewise there is zero need to collect the CDROM inventory or the wireless settings (in the Hardware Inventory classes). You want the compute to be doing clustering, not making lists of WMI classes that don't exist!

1) The last and ironically the first thing to do is create excellent collections. By that I mean don't just copy and paste an example from the Web for "servers" or "laptops" that looks for a WMI battery. Whilst it can work, there are odd desktops with batteries, so it's not as simple as it looks.
Create master limiting collections first and then use those to lock (limit) future collections. Then create role-based collections - say servers, workstations, laptops.
Now deploy the client settings to the matching collections. You can then deploy updates to those same collections. If you have designed it well, only cluster-based servers will get updates using the settings most appropriate for clusters.

Mike
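The collection, client-setting and maintenance-window layout described in the two answers above, as an added example written against the ConfigMgr PowerShell module (not code from the thread or from any poster). It assumes the console module is installed, a placeholder site code "PS1", constructed collection and setting names, and that the Services hardware inventory class (SMS_G_System_SERVICE) is enabled so cluster nodes can be found by the Cluster Service; check the restart and schedule parameter names against your Current Branch version.

```powershell
# Added example, not from the thread. Site code "PS1" is a placeholder; all names below are constructed.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PS1:"

# Standard ConfigMgr WQL select list, reused by both membership queries.
$sel = "select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, " +
       "SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORName, SMS_R_SYSTEM.Client"

# 1) Master limiting collection: every server OS, limited only by the built-in All Systems.
New-CMDeviceCollection -Name "LIMIT - All Servers" -LimitingCollectionName "All Systems" | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "LIMIT - All Servers" -RuleName "Server OS" `
    -QueryExpression @"
$sel from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Server%"
"@

# Role-based collection locked (limited) to the master: nodes whose inventory reports the
# Cluster Service. Assumption: SMS_G_System_SERVICE is collected by hardware inventory.
New-CMDeviceCollection -Name "SRV - Cluster Nodes" -LimitingCollectionName "LIMIT - All Servers" | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "SRV - Cluster Nodes" -RuleName "Has ClusSvc" `
    -QueryExpression @"
$sel from SMS_R_System
inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_SERVICE.Name = "ClusSvc"
"@

# 2) Role-specific client settings: a short restart countdown for clusters (you are there watching),
#    deployed only to the cluster collection so general servers keep the default policy.
New-CMClientSetting -Name "Cluster Servers" -Type Device | Out-Null
Set-CMClientSettingComputerRestart -Name "Cluster Servers" -CountdownMins 15 -FinalWindowMins 5
Start-CMClientSettingDeployment -ClientSettingName "Cluster Servers" -CollectionName "SRV - Cluster Nodes"

# Maintenance window for software updates only: Saturday 02:00 for four hours, so patching
# cannot land during production hours. The start date is a constructed example.
$schedule = New-CMSchedule -Start (Get-Date "2019-01-05 02:00") -DayOfWeek Saturday -RecurCount 1 `
    -DurationInterval Hours -DurationCount 4
New-CMMaintenanceWindow -CollectionName "SRV - Cluster Nodes" -Name "Sat 02:00 updates" `
    -Schedule $schedule -ApplyTo SoftwareUpdatesOnly | Out-Null
```

Update deployments targeted at "SRV - Cluster Nodes" then inherit both the cluster client settings and the window, which is the staged, per-role result both answers are describing; patching one node at a time within the window remains a manual choice.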
yo_bee, Director of Information Technology

Commented:
I like that follow up detail. Lots of details. Do you have any recommended links?
yo_bee, Director of Information Technology

Commented:
Curious why no points were awarded for my comments, given that the solution you accepted acknowledged mine and added details.
