How do you handle windows updates on your servers?

For workstations: automatic update and install
For servers: download & manual install
“Mission Critical” servers are on no download; we update them manually.

This is all handled by WSUS.

The servers have to be done outside of work time, and this can be from 06:00 to 00:00.

I don’t want to put the servers onto automatic download and install, because of rogue patches.

So what do you all do?
If you had the money what would you like to do?

P.S. Absolutely no cloud solutions, as some of my customers have stated that as soon as we use cloud they will say goodbye.


Servers are set to download automatically, but not install. We run 24x5 and many weeks are 24x7, so we have a limited install window.

We use System Center for patch management. Push out updates to test servers the weekend after patch Tuesday and if no issues, prod follows about a week behind.

The same for our desktops

We have them set to download but not install. I’ll usually schedule them to install when someone (if not myself) is around to check if it runs well afterwards. If it doesn’t we just roll it back and investigate. Luckily the servers generally don’t have this issue but we have Rollback Rx Server these just in case there is an issue as well as a few readily available Veeam disk images.

So we essentially install at a time when the server won’t affect anyone if it’s down. If there is an issue we roll it back or re-image.

Download only and manual install.

I’m interested to know, what is your customers’ objection to a cloud-based patch update system? Cloud-based storage or email I could understand if they are sensitive about where their data is, but a patch update system stores no data except the patch level of your PCs/servers.

I follow the following plan:

For workstations - Automatic update and install
For servers - download & manual install outside of business hours (usually on a weekend)
This is all handled by WSUS.

All other patches are done through PDQ Deploy which works well for our SMB.
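As an added example (not any poster's script), here is a PowerShell script that applies the per-role Windows Update behaviour described in the posts above by writing the same registry values a WSUS client GPO sets, so a machine can be configured or checked outside of Group Policy; the WSUS URL and target group names are placeholders.

```powershell
# Added example: configure the Windows Update client per machine role,
# matching the thread's scheme. Run elevated on the target machine.
# AUOptions values (Microsoft WSUS client policy):
#   2 = notify before download            -> "Mission Critical" (manual)
#   3 = auto download, notify to install  -> servers (download only)
#   4 = auto download and schedule install -> workstations
param(
    [Parameter(Mandatory)]
    [ValidateSet('Workstation', 'Server', 'MissionCritical')]
    [string]$Role,
    [string]$WsusUrl = 'http://wsus.example.internal:8530'   # placeholder
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Target group names are placeholders; they must exist in the WSUS console.
$roleConfig = @{
    Workstation     = @{ AUOptions = 4; TargetGroup = 'Workstations' }
    Server          = @{ AUOptions = 3; TargetGroup = 'Servers' }
    MissionCritical = @{ AUOptions = 2; TargetGroup = 'Mission Critical' }
}
$cfg = $roleConfig[$Role]

New-Item -Path $auKey -Force | Out-Null

# Point the client at the internal WSUS server (no external endpoint).
Set-ItemProperty -Path $wuKey -Name WUServer       -Value $WsusUrl
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $WsusUrl
Set-ItemProperty -Path $auKey -Name UseWUServer    -Value 1 -Type DWord

# Client-side targeting so approvals can be staged per group in WSUS.
Set-ItemProperty -Path $wuKey -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wuKey -Name TargetGroup        -Value $cfg.TargetGroup

# The behaviour each role gets: install, download only, or notify only.
Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name AUOptions    -Value $cfg.AUOptions -Type DWord
if ($Role -eq 'Workstation') {
    # 0 = every day; 3 = 03:00, outside the 06:00-00:00 working window
    Set-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value 0 -Type DWord
    Set-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value 3 -Type DWord
}

# Read back what the client will actually do before relying on it.
$au = Get-ItemProperty -Path $auKey
$wu = Get-ItemProperty -Path $wuKey
"{0}: AUOptions={1} UseWUServer={2} WUServer={3} TargetGroup={4}" -f `
    $env:COMPUTERNAME, $au.AUOptions, $au.UseWUServer, $wu.WUServer, $wu.TargetGroup
```

After changing these values, run `gpupdate /force` or restart the Windows Update service so the client picks them up, and confirm the machine appears in the expected group in the WSUS console.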

We got a little fed up with Windows Updates and patches screwing up systems.

All our servers run Windows Server 2016 and our workstations Windows 10. All machines pull their updates from our internal WSUS server.
So I implemented 2 test machines that download and apply the updates first. If the update does not destroy the machine then I roll it out to our live servers and workstations around a week later.
The only ones I allow straight through are critical security updates.

It’s a little time consuming, but less time consuming than rolling back updates that have screwed up our systems and the added headache of multiple support calls claiming the updates that “ICT” applied yesterday broke everything.

We use PDQ Inventory and PDQ Deploy.