Windows Updates Policy
Something I've not really seen talked about on these forums, which is surprising... What policy do you use for applying MS updates to servers and desktops?
Do you auto download and install all critical and security updates to servers? Sounds like a reasonable compromise. But what about the other updates, how do you decide which to apply and when? And how do you deal with updates that have an unwanted effect?
What policy do you have for desktops?
My main concerns are to make sure security and critical updates don't get missed, but I am unsure of what is best practice on this and the other updates.
We use WSUS on Windows 2008 Standard to push out updates.
Critical updates are automatically approved by our WSUS server, and rolled out automatically, forced to install on a Thursday. To avoid them hogging all our network bandwidth, the bandwidth settings in the updates section of group policy are set very low, so the updates trickle feed to our machines as they are downloaded by WSUS.
Other updates are installed when we update our build images, unless there's a specific one we require to be installed in which case we'll manually approve it on WSUS.
WSUS box is set to download everything and bar updates for already approved ones and Forefront Client Security Upgrade (i.e. Anti-virus definitions and Anti-Virus software update) it waits for approval of them all. We tend to do this a week after patch Tuesday to give time for me to read Edugeek or pick up on issues off the web related to them.
Servers are not set via WSUS (never got around to it) and they are set to notify me what they want and are all manual, and I tend to do them once a month in an evening when I remember.
Bandwidth costs would kill us if we let it download automatically so we just go into the "needed updates" section of the WSUS server and download the required updates which are then pushed out and installed automatically.
Servers are done manually, nothing is installed automatically. I would rather watch them install and make sure nothing goes wrong.
WSUS is set up for all clients. We issue updates as they come after testing.
So does the WSUS work pretty well?
Does with all our computers.
Originally Posted by siadam