Windows Update Patch Management Best Practice

Last Modified: 2020-02-22
Dear Experts,

I am trying to formalize our server update procedures. Since the existing procedure was not created recently, I would like to bring it up to date.
We have a WSUS server, and I was thinking of using Group Policy for deployment. (Right now we are using SolarWinds Patch Manager and manually pushing the patches every week.)
I am only including Microsoft Windows Server and SQL Server updates, and we have a test server group we can use first before rolling out to production.
I would like to know what the more recent best practices would be for:

1. How long I should wait to deploy a patch after it comes out (unless it is in the zero-day security category).
2. How I should track the success/failure rate, besides going through the WSUS report on the WSUS server.
3. What the automatic approval policy should be. Always for Critical patches?
4. Is there a better way than using GPO?

Please advise. Thank you.

Sean Bravener, Senior Information Technology Consultant

The de facto method for Windows patch management is SCCM. It allows you to set up reporting and auto deployment rules for pushing the patches, as well as a rollback method if things go pear-shaped.
Delay before deployment is up to you. If you have a big environment it is not unheard of to wait 30-60 days from release to completion.
yballan, System Administrator


Dear Sean, thank you for the quick response.
Yes, in my previous job, we used WSUS and SCCM, but in my current position, SCCM is not yet available.
They are using BatchPatch and SolarWinds, but is using GPO a bad way to do it?
Sean Bravener, Senior Information Technology Consultant
GPO gives you next to no control as to when patches actually get deployed, but I suppose if it is what you have then you make it work. I say make sure you have the [...] imported for Windows 10 so that you can control at least a little the reboot behavior etc. of the machines.
I would say look into PowerShell patching so that you can remote in and control at least a little bit the patching schedule.

Philip Elder, Technical Architect - HA/Compute/Storage
With BatchPatch and SolarWinds there should be Group Policy settings provided by the vendors that you can use to deploy their settings to all systems on the network.

http://patchmanagement.org <-- I highly suggest subscribing.
kevinhsieh, Network Engineer
I use GPOs to tell my devices to use WSUS, which WSUS group to use, and which schedule to follow for applying updates.

My "test" devices will patch on a daily basis if a patch has been made available. Most servers patch on Saturday morning, but I do spread out servers so that I don't patch all DCs at once.

Some servers are set to download but manually apply.

I only make GPO changes to disable all patching at the end of the month.

I auto-approve patches in WSUS. SolarWinds Patch Manager publishes updates to WSUS, but that is more of a manual process than I would like. All reporting is done from WSUS and SolarWinds Patch Manager.
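The asker's second question was how to track success/failure beyond the WSUS console report. The following is an added example, not code from anyone in this thread: it pulls per-server installation summaries and the titles of failed updates straight from the WSUS .NET administration API, grouped by WSUS target group, and flags clients that have stopped reporting (a machine that never checks in shows up as "compliant" in a GUI report that only counts failures). It assumes it runs on the WSUS server (or a host with the WSUS console, which supplies Microsoft.UpdateServices.Administration.dll), the default HTTP port 8530, and two hypothetical target group names.

```powershell
# Added example (not from the thread): per-group WSUS compliance summary with
# per-server failed-update titles, via the WSUS .NET administration API.
# Assumptions: WSUS console/assembly present locally, default port 8530,
# and the target group names below are placeholders for your own.
param(
    [string]$WsusServer = 'localhost',
    [int]$Port = 8530,
    [bool]$UseSsl = $false,
    [string[]]$Groups = @('Test Servers', 'Production Servers'),  # hypothetical group names
    [int]$StaleDays = 7   # a client silent for this long is treated as non-compliant
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $UseSsl, $Port)

$allGroups = $wsus.GetComputerTargetGroups()
$report = foreach ($groupName in $Groups) {
    $group = $allGroups | Where-Object { $_.Name -eq $groupName }
    if (-not $group) { Write-Warning "Group '$groupName' not found in WSUS"; continue }

    foreach ($target in $group.GetComputerTargets()) {
        # Counts across every update WSUS tracks for this client
        $s = $target.GetUpdateInstallationSummary()
        $lastReport = $target.LastReportedStatusTime

        # Titles of updates this client reports as Failed, resolved via the server object
        $failed = $target.GetUpdateInstallationInfoPerUpdate() |
            Where-Object { $_.UpdateInstallationState -eq 'Failed' } |
            ForEach-Object { $wsus.GetUpdate($_.UpdateId).Title }

        [pscustomobject]@{
            TargetGroup   = $groupName
            Computer      = $target.FullDomainName
            Installed     = $s.InstalledCount
            PendingReboot = $s.InstalledPendingRebootCount
            Needed        = $s.NotInstalledCount + $s.DownloadedCount
            Failed        = $s.FailedCount
            Unknown       = $s.UnknownCount
            LastReported  = $lastReport
            Stale         = ($lastReport -lt (Get-Date).AddDays(-$StaleDays))
            FailedUpdates = ($failed -join '; ')
        }
    }
}

# Success rate per group: compliant means nothing failed, nothing still needed,
# and the client has reported within the stale window.
$report | Group-Object TargetGroup | ForEach-Object {
    $compliant = @($_.Group | Where-Object { $_.Failed -eq 0 -and $_.Needed -eq 0 -and -not $_.Stale }).Count
    '{0}: {1}/{2} compliant ({3:P0})' -f $_.Name, $compliant, $_.Count, ($compliant / [math]::Max($_.Count, 1))
}

# Rows that need a human, plus a dated CSV so the rate can be trended week over week
$report | Where-Object { $_.Failed -gt 0 -or $_.Stale } |
    Format-Table Computer, Failed, PendingReboot, Stale, FailedUpdates -AutoSize
$report | Export-Csv -NoTypeInformation -Path ("wsus-compliance-{0:yyyyMMdd}.csv" -f (Get-Date))
```

Run it after each patch weekend and keep the CSVs; the week-over-week compliant percentage per group is the success/failure metric the question asks for. GetUpdateInstallationInfoPerUpdate is called once per client and is the slow part on large groups, so scope $Groups to the servers in this procedure rather than the whole WSUS estate.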
btan, Exec Consultant

It depends on the type of system, e.g. internal versus internet-facing systems. The latter have a larger exposure rate, hence the regime would need to be more stringent, which can be within 1 month. The former is within 2-3 months and varies, because endpoint clients take a while when there are many remote offices and mobile users. Also be mindful of the reboot requirement, if applicable, to effect the patch, as this needs downtime in maintenance windows that are already pre-scheduled.

The length also depends on the rigor of the testing before deployment, especially for release to the server and database farm. You can let the patch sit for a period so that issues can be caught before a mass deployment. 1-2 weeks are preferred to allow any issue to surface with the pilot users.

Zero-day also depends on the relevance and applicability to the affected system. It is as soon as possible, but not so hasty as to cause application breakage that leads to a self-DoS.

There is also a mandatory installation once the push-down is enforced. The key is that users are notified and can react to it, like saving their work; otherwise there will be a negative experience. So it is good to constantly build awareness of such patch prompts.
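The thread's advice on approval policy and delay (auto-approve Critical/Security, let patches sit 1-2 weeks with a pilot group, move faster on zero-days, never deploy blindly) can be expressed as a staged approval the asker can schedule instead of WSUS's built-in automatic approval rules, which approve straight to a group with no soak and no check on results. This is an added example, not code from any of the posters: it approves Critical and Security updates to a Test group on arrival, and promotes each one to Production only after a soak period, shortened for MSRC "Critical" severity, and only if no Test client reports that update as Failed. Group names, the 14-day and 3-day soak values, and the DryRun switch are assumptions; superseded updates are skipped so they can be declined separately rather than deployed.

```powershell
# Added example (not from the thread): two-ring WSUS approval with a soak gate.
# Assumptions: run on the WSUS server with the console assembly present, default
# port 8530, and two existing target groups whose names are placeholders here.
param(
    [string]$WsusServer = 'localhost',
    [int]$Port = 8530,
    [bool]$UseSsl = $false,
    [string]$TestGroup = 'Test Servers',        # hypothetical group name
    [string]$ProdGroup = 'Production Servers',  # hypothetical group name
    [int]$SoakDays = 14,                        # normal soak in the test ring
    [int]$CriticalSoakDays = 3,                 # shortened soak for MSRC severity "Critical"
    [switch]$DryRun                             # log intended approvals without making them
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $UseSsl, $Port)
$groups = $wsus.GetComputerTargetGroups()
$test   = $groups | Where-Object { $_.Name -eq $TestGroup }
$prod   = $groups | Where-Object { $_.Name -eq $ProdGroup }
if (-not $test -or -not $prod) { throw "Target groups '$TestGroup' and '$ProdGroup' must both exist in WSUS" }

$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

# Scope to the two classifications the question is about; everything else stays manual
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::Any
$wsus.GetUpdateClassifications() |
    Where-Object { $_.Title -in 'Critical Updates', 'Security Updates' } |
    ForEach-Object { [void]$scope.Classifications.Add($_) }

function Approve-Staged {
    param($Update, $Group, $Reason)
    if ($DryRun) { Write-Host "DRYRUN approve '$($Update.Title)' -> $($Group.Name) ($Reason)"; return }
    if ($Update.RequiresLicenseAgreementAcceptance) { $Update.AcceptLicenseAgreement() }
    [void]$Update.Approve($install, $Group)
    Write-Host "Approved '$($Update.Title)' -> $($Group.Name) ($Reason)"
}

foreach ($u in $wsus.GetUpdates($scope)) {
    # Superseded updates are declined in a separate cleanup pass, never deployed
    if ($u.IsDeclined -or $u.IsSuperseded) { continue }

    $approvedForTest = @($u.GetUpdateApprovals($test) | Where-Object { $_.Action -eq $install })
    $approvedForProd = @($u.GetUpdateApprovals($prod) | Where-Object { $_.Action -eq $install })

    # Stage 1: a new Critical/Security update goes to the test ring immediately
    if ($approvedForTest.Count -eq 0) {
        Approve-Staged -Update $u -Group $test -Reason 'new update, test ring'
        continue
    }
    if ($approvedForProd.Count -gt 0) { continue }

    # Stage 2: promote only after the soak, and only if no Test client reports it Failed
    $soak = if ($u.MsrcSeverity -eq 'Critical') { $CriticalSoakDays } else { $SoakDays }
    $testApprovedOn = ($approvedForTest | Sort-Object CreationDate | Select-Object -First 1).CreationDate
    if ($testApprovedOn -gt (Get-Date).AddDays(-$soak)) { continue }

    $failures = @($u.GetUpdateInstallationInfoPerComputerTarget($test) |
        Where-Object { $_.UpdateInstallationState -eq 'Failed' }).Count
    if ($failures -gt 0) {
        Write-Warning ("Holding '{0}': {1} Test client(s) report Failed" -f $u.Title, $failures)
        continue
    }
    Approve-Staged -Update $u -Group $prod -Reason "soaked $soak days, no Test failures"
}
```

Run it daily as a scheduled task on the WSUS server, with -DryRun for the first cycle to confirm the approvals it would make. The soak gate is what turns "auto-approve Critical" into something safer than the built-in rule: a patch that breaks a Test server stays held in Production until someone looks, which is the self-DoS scenario btan warns about. Reboot timing and maintenance windows remain with the client-side GPO settings kevinhsieh describes; this script only decides what becomes available to which group, and when.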

yballanSystem Administrator


Dear Sean, thank you for your input. I now understand GPO's shortcomings; thanks for pointing that out.
Dear Philip, it is good to know that vendor-provided Group Policy settings for deployment exist. I will definitely look into them.
Dear kevinhsieh, I appreciate you giving me the specific settings you use; it is very helpful.
Dear btan, I also appreciate your example; it gives me confidence knowing what other experts do.

Experts, thank you very much for the helpful tips and advice. I feel more equipped to write up my own policy to present to my team!