Currently we haven’t had updates running (I know). A WSUS server was config’d and the GPO was put in place to redirect all updates, but the WSUS server was never put online to contact Windows Updates. All our PCs are checking the WSUS server for updates and of course there are no updates. We are going to change that, migrate the WSUS server to a 2008R2 box and get automatic updates happening. We are torn on which way to proceed setting up the GPO and wanted to know what is recommended or common:

  1. Set the PCs’ BIOS to turn on at night, configure WSUS and GPO to push updates at that time, then power off.

  2. Set GPO to auto-download and schedule the install during work hours and wait for the user to power down when they go home.

Method 1 requires (slightly) more work on our end to keep this going, but could interfere if users are running certain jobs overnight or have unsaved documents open and expect them to be there the next morning. Method 2 is easier for the IT dept. but requires some user education and trust in them to restart when they should.

Which do you prefer? Or is there an option 3 that I’m not seeing?

9 Spice ups
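An added example, not part of the original thread: a PowerShell check to run on a client that shows which WSUS server and update schedule the GPO actually delivered, plus the agent's last successful scan and install. It assumes PowerShell 3.0 or later and the standard Windows Update policy registry values; the helper name `Get-PolicyValue` is made up for this example.

```powershell
# Added example: report the Windows Update policy this client received via GPO.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {   # hypothetical helper for this example
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Meaning of the AUOptions and ScheduledInstallDay policy values.
$modeText = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify to install'
    4 = 'Auto download, scheduled install'
    5 = 'Local admin chooses'
}
$dayText = 'Every day', 'Sunday', 'Monday', 'Tuesday',
           'Wednesday', 'Thursday', 'Friday', 'Saturday'

$server  = Get-PolicyValue $wu 'WUServer'
$useWsus = Get-PolicyValue $au 'UseWUServer'
$mode    = Get-PolicyValue $au 'AUOptions'
$day     = Get-PolicyValue $au 'ScheduledInstallDay'
$hour    = Get-PolicyValue $au 'ScheduledInstallTime'
$noBoot  = Get-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers'

# Last successful scan and install as recorded by the Automatic Updates agent.
$results = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    WsusServer        = $server
    UsesWsus          = ($useWsus -eq 1)
    UpdateMode        = if ($null -ne $mode) { $modeText[[int]$mode] } else { 'Not set by policy' }
    InstallDay        = if ($null -ne $day)  { $dayText[[int]$day] }   else { 'Not set by policy' }
    InstallHour       = $hour
    NoRebootIfLoggedOn = ($noBoot -eq 1)
    LastScanSuccess    = $results.LastSearchSuccessDate
    LastInstallSuccess = $results.LastInstallationSuccessDate
}
```

A client that reports `UsesWsus` as true with an old or empty `LastInstallSuccess` is pointing at a WSUS server that is not handing out updates, which is the state described in the question.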

We use option 2 and it seems to work well. We check WSUS to verify users are actually doing what they are supposed to be doing, and if they aren’t we kindly ask them to shut down and install updates at their earliest convenience.

1 Spice up

Option 2 works well… After the first week or so. The first week will kill you and your team, as invariably, there will be countless machines that get stuck in update hell. (100+ updates all applying at the same time does not end well for any Windows machine.)

I suggest #2 but with a caveat. Apply it to a site at a time. This will prevent multiple headaches and keep users “happier”.

We use option 2 as well.

Option 2. This allows them to pick a time, and I’ve always been on the shut it all down on the weekend idea.

1 Spice up

We option 2 it on 2-week intervals and do it at midnight (because most users leave their computers on anyway).

1 Spice up

Option 2 here.

1 Spice up

Option 2, we run PCs 24 hours a day Mon-Fri, and that allows us to do updates (on Tuesdays) and updates to software, virus scans, etc.

Chris

1 Spice up

NMap scanning is new in SW6.0 and may help. It is disabled by default because there were some issues on a user network, so make sure you test it in your environment.

It won’t solve the problem, you will still need remote collectors, etc. as listed earlier, but since it is new you might not have tried it.

Option 2 mostly, though we do have some machines on a separate VLAN that we have to be careful of. So to keep them up to snuff, I generate a monthly ticket, and then use wuinstall.exe in conjunction with psexec, and update them that way. They know they used our WSUS server to get updates, but because of how they’re set up, I have to give them a swift kick, so to speak, to take them. A bit of an inconvenience, but it works. Oh, wuinstall and psexec are, of course, FREE.

1 Spice up

I disable shutdown through GPO and do updates and virus scan in the middle of the night.

1 Spice up