I want to set up WSUS on our network to manage updates. My intention is to update one ‘pilot’ client machine each week, let it run for a week and then deploy to all clients if that goes ok.

The problem is how to manage updates to the server itself. We only have one server (it’s a small charity and money is an issue) so a pilot installation is not practical. Any thoughts?

Thanks

Patrick

6 Spice ups

WSUS will only control what updates can be installed; it won’t push / control the install of the updates. Which sounds like what you’re after?

1 Spice up

Thanks for the info about WSUS. That relates to how client machine updates are handled.

The real question for me is how best to handle updates to the server itself. Automatic download and install is one option but that’s risky. I was interested to hear about what strategies others are using for their server updates.

Install MSSQL Server Express (that way you can back up the database on a regular basis automatically), then from there install WSUS. Have that synchronize with Windows Update 1x/day (or whatever may be necessary).

From there, all you need to do is set up a GPO to have all computers point to the WSUS server.

Depends on what you class as “risky”. I have this set up on some of my servers for Saturday at 1am, which means they reboot, do all their bits etc. and are back up early Sat; if something broke I have 2 days to resolve.

On others we manually install the updates and test every Monday morning at 7am.

Most of the time Windows updates are fine. You will find that one time they break something, but unless you install them manually and test everything every time on a cloned server you won’t prevent it. In the case of 1 small server auto updates are probably fine :)

4 Spice ups

I use WSUS to split my computers and servers into groups.

When I see updates available, I approve them for the test server and test desktop groups. If those devices show no issues for the rest of the week, I then approve the updates for the live server and live desktop groups over the weekend.

+added+

In your case where you only have one server, you could create a virtual test server and apply the updates to that.

I also take a snapshot of the test server beforehand, just in case.

5 Spice ups

Run almost exactly the same way & in two years we haven’t had a single patch/update related problem.

2 Spice ups

For servers, I approve updates, but manually install them, i.e. when logging on, the server’s task bar shows updates to be installed/downloaded.

For user PCs, updates are automatically downloaded and installed. I find in normal practice, it takes at least 3 days before updates are installed.

Day 1) Updates are approved

Day 2) On start up, computers talk back to WSUS and acknowledge approved updates. Computers may install updates at 4pm, and then finish installing.

Day 3) On startup, final settings are completed.

Computers may install updates at 4pm, and then finish installing - this is the bit that sometimes doesn’t happen when expected, and can take a few more days, there is no user interaction with this.

What is your workflow for doing this in WSUS? Is it something like this:

  1. Approve the updates for the test groups only from “All Updates, Unapproved”

  2. Create a new Update Group with “Updates are approved for a specific group,” selecting your test groups

  3. Later approve the updates approved for the specific group for all computers

Just wondering what the best process is to make sure you don’t miss approving any updates for all machines after you’ve approved them for any group and they disappear from “All Updates.”

  1. Select All Updates. Approval: Unapproved, Status: Failed or Needed. Approve for test groups

  2. Wait a few days.

  3. Select All Updates. Approval: Any Except Declined, Status: Needed. Approve for live groups

1 Spice up
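The three-step approval above can be scripted so that no update approved for a test group is forgotten for the live groups. This is an added example, not part of any post in the thread; it assumes the `UpdateServices` PowerShell module (WSUS on Windows Server 2012 or later), and the group names and soak period are placeholders to adjust.

```powershell
# Added example. Group names and $SoakDays are assumptions; match them to your WSUS console.
Import-Module UpdateServices

$TestGroups = 'Test Servers', 'Test Desktops'
$LiveGroups = 'Live Servers', 'Live Desktops'
$SoakDays   = 5

function Approve-TestStage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Step 1: Approval = Unapproved, Status = Failed or Needed -> test groups only
    foreach ($u in Get-WsusUpdate -Approval Unapproved -Status FailedOrNeeded) {
        foreach ($g in $TestGroups) {
            if ($PSCmdlet.ShouldProcess("$($u.Update.Title) -> $g", 'Approve for install')) {
                Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $g
            }
        }
    }
}

function Approve-LiveStage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $wsus   = Get-WsusServer
    $groups = @($wsus.GetComputerTargetGroups() | Where-Object { $TestGroups -contains $_.Name })
    # Fail closed: a misspelled group name must not let everything through unsoaked
    if ($groups.Count -ne $TestGroups.Count) { throw 'One or more test groups not found on this WSUS server.' }
    # Approval creation dates are compared as UTC here (assumption)
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$SoakDays)

    # Step 3: Approval = Any Except Declined, Status = Needed -> live groups
    foreach ($u in Get-WsusUpdate -Approval AnyExceptDeclined -Status Needed) {
        # Step 2 ("wait a few days"): every test group must hold an Install approval older than the cutoff
        $soaked = @($groups | Where-Object {
            $u.Update.GetUpdateApprovals($_) |
                Where-Object { $_.Action -eq 'Install' -and $_.CreationDate -le $cutoff }
        })
        if ($soaked.Count -ne $groups.Count) { continue }
        foreach ($g in $LiveGroups) {
            if ($PSCmdlet.ShouldProcess("$($u.Update.Title) -> $g", 'Approve for install')) {
                Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $g
            }
        }
    }
}
```

Run `Approve-TestStage -WhatIf` and `Approve-LiveStage -WhatIf` first to list what would be approved without changing anything.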

I use WSUS to update all the desktops. I update the servers manually.

Many thanks for all your help.

Sadly, Server 2008R2 does not support restore points, so in what seems to be the unlikely event of a problem with an update, I’ll have to go back and manually uninstall. Rather than allowing daily installs, I think I’ll go for weekly, based on the assumption that the lower the frequency of changes, the easier it will be to pin problems down.

As for WSUS updates, I like the idea of having 1 test PC in a separate group & rolling out the changes to the others after a week.

Thanks again!

Pat