Windows Update Patch Management Best Practice
Dear Experts,
I am trying to formalize our server update procedures. Since the existing procedure was not created recently, I would like to bring it to date.
We have a WSUS server, and I was thinking of using Group Policy for deployment. (right now, we are using SolarWinds patch manager, and manually pushing the patches every week)
I am only including Microsoft Windows Server and SQL Server updates, and we have test server group we can use first before rolling out to production.
I would like to know what would be the more recent best practices for:
1. How long I should wait to deploy the patch after it comes out. (Unless it is Zero-day security category)
2. How should I track the success/failure rate, besides going through WSUS app report on the WSUS server.
3. What should be the Automatic Approval policy? Always with Critical patches?
4. Is there a better way rather than using GPO?
Please advise. Thank you.
I am trying to formalize our server update procedures. Since the existing procedure was not created recently, I would like to bring it to date.
We have a WSUS server, and I was thinking of using Group Policy for deployment. (right now, we are using SolarWinds patch manager, and manually pushing the patches every week)
I am only including Microsoft Windows Server and SQL Server updates, and we have test server group we can use first before rolling out to production.
I would like to know what would be the more recent best practices for:
1. How long I should wait to deploy the patch after it comes out. (Unless it is Zero-day security category)
2. How should I track the success/failure rate, besides going through WSUS app report on the WSUS server.
3. What should be the Automatic Approval policy? Always with Critical patches?
4. Is there a better way rather than using GPO?
Please advise. Thank you.
ASKER
Dear Sean, thank you for a quick response.
Yes, in my previous job, we used WSUS and SCCM, but in my current position, SCCM is not yet available.
They are using BatchPatch and SolarWinds, but is using GPO a bad way to do it?
Yes, in my previous job, we used WSUS and SCCM, but in my current position, SCCM is not yet available.
They are using BatchPatch and SolarWinds, but is using GPO a bad way to do it?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Dear Sean, thank you for your input, I now understand GPO's short comings, thanks for pointing that out.
Dear Philip, That is good to know that Group Policy settings provided by the vendors to use to deploy exist. I will definitely look into them.
Dear Kevinhsieh, I appreciate you giving me specific settings you use, it is very helpful.
Dear btan, I also appreciate your example as well, it gives me confidence knowing what other experts do.
Experts, thank you very much for helpful tips and advises, I feel more equipped to write up my own policy to present to my team!!
Dear Philip, That is good to know that Group Policy settings provided by the vendors to use to deploy exist. I will definitely look into them.
Dear Kevinhsieh, I appreciate you giving me specific settings you use, it is very helpful.
Dear btan, I also appreciate your example as well, it gives me confidence knowing what other experts do.
Experts, thank you very much for helpful tips and advises, I feel more equipped to write up my own policy to present to my team!!
Delay before deployment is up to you. If you have a big environment it is. It unheard of to wait 30-60 days from release to completion.