We patch over 300 servers every month, including domain controllers and exchange servers.
We do not have any GPOs managing any aspect of Windows Update. We let the SCCM client change the settings it wants to. We require every server to have a maintenance window, and all of our ADRs are set to 'Required'. This prevents any deployments from taking place at unpredictable times. All sysadmins approve the windows, and all of the services are expected to be resilient enough to have servers reboot on their own during their window.

For the handful of servers that cannot have MWs, all deployments to those servers are set to 'Available' rather than 'Required', and it is left up to the sysadmin for those servers to patch them manually (typically this is due to cluster failovers and stuff like that).

We used to have separate collections for suppressing reboots, but that often was more trouble than it was worth, because updates would get installed and then it was up to a sysadmin to reboot them. Most of the time it worked out OK, but there were a few times when a server got forgotten and was in that weird updates-installed-but-not-rebooted state for longer than it should have been, so we decided to take away that option for sysadmins. It's been working quite well for us.

Todd

From: [email protected] [mailto:[email protected]] On Behalf Of Kevin Johnston
Sent: Thursday, September 19, 2013 2:40 PM
To: '[email protected]'
Subject: [mssms] SCCM 2012 SUP/WSUS and GPO... grr!

I have read many blog posts about this configuration, and during our last patch cycle servers had rebooted themselves just after 3AM, which leads me to believe that something is not right. We just changed to having SCCM take care of it. Even though we suppress the reboots, I want to think that the WUAgent is the one actually rebooting, so we need the settings to hopefully stop this from happening.
Ideally we are trying to accomplish the following:
1) user cannot modify settings;
2) updates download and install, absolutely no forced reboot, regardless of whether a user is or isn't logged on;
3) NO REBOOT

We have created an ADR for Patch Tuesday which deploys the patches to test servers. We then take the previous month's ADR and manually deploy it to our Production servers collection; this allows us to have a month of testing the patches. We noticed that servers were rebooting, which led us to our GPOs and rethinking this process. Currently all our GPO settings that involve WSUS are set to "Not Configured". We don't have any maintenance windows configured either, although I read that some people put them far into the future.

Thanks,
Kevin Johnston
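The script below is an added example, not code from Todd's or Kevin's mail. It gathers, on one server, the three things the thread argues about: the effective Windows Update Agent policy (including whether a domain GPO overwrote what the ConfigMgr client set), the maintenance windows the ConfigMgr client actually holds, and which agent is requesting or has recorded a reboot. The registry paths, the CCM_ServiceWindow and CCM_ClientUtilities classes, the "higher authority" line in WUAHandler.log and User32 event 1074 are standard Windows Update / ConfigMgr client locations; the grouping and the verdict rules are my own and are only a starting point. One check worth making first: the WUA's default ScheduledInstallTime is 3 (03:00), so a reboot "just after 3AM" on a box where AUOptions is 4 is the classic signature of the WUA rebooting on its own schedule rather than ConfigMgr.

```powershell
# Added audit script (PowerShell 3.0+, run as local admin on the ConfigMgr client).
# Not from the thread; see lead-in for what is standard and what is assumed.
$ErrorActionPreference = 'SilentlyContinue'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, which is what "Not Configured" looks like locally.
    $item = Get-ItemProperty -Path $Path -Name $Name
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# 1. Effective WUA policy. The ConfigMgr client writes WUServer/UseWUServer into this key
#    as local policy; a domain GPO that sets the same key wins. AUOptions=4 lets the WUA
#    install and reboot on its own schedule (ScheduledInstallTime, default 3 = 03:00)
#    without any regard for ConfigMgr maintenance windows.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
$wuaPolicy = [ordered]@{
    WUServer                      = Get-RegValue $wu 'WUServer'
    UseWUServer                   = Get-RegValue $au 'UseWUServer'
    NoAutoUpdate                  = Get-RegValue $au 'NoAutoUpdate'
    AUOptions                     = Get-RegValue $au 'AUOptions'
    ScheduledInstallTime          = Get-RegValue $au 'ScheduledInstallTime'
    NoAutoRebootWithLoggedOnUsers = Get-RegValue $au 'NoAutoRebootWithLoggedOnUsers'
}

# 2. Did a GPO overwrite the client's settings? The client records it in WUAHandler.log.
$gpoConflict = Select-String -Path "$env:windir\CCM\Logs\WUAHandler.log" -Pattern 'higher authority' |
    Select-Object -Last 3 -ExpandProperty Line

# 3. Maintenance windows the client holds. Type 1 = all deployments, 3 = reboot-required,
#    4 = software updates. An empty list means a Required deployment runs (and reboots)
#    as soon as its deadline passes.
$windows = Get-CimInstance -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_ServiceWindow' |
    Select-Object ID, Type, StartTime, EndTime, Duration

# 4. Who is asking for a reboot right now: the ConfigMgr client versus the WUA/CBS flags.
$ccmReboot = Invoke-CimMethod -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_ClientUtilities' `
    -MethodName 'DetermineIfRebootPending'
$pending = [ordered]@{
    ConfigMgrPending = [bool]$ccmReboot.RebootPending
    ConfigMgrHard    = [bool]$ccmReboot.IsHardRebootPending
    WUAPending       = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    CBSPending       = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
}

# 5. Who actually restarted the box. User32 event 1074 names the initiating process:
#    wuauclt.exe points at the WUA's own schedule, CcmExec.exe at ConfigMgr.
$lastReboots = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074 } -MaxEvents 5 |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Detail = ($_.Message -split "`r?`n")[0] } }

# Verdict rules are my own heuristics, not ConfigMgr logic.
if ($wuaPolicy.AUOptions -eq 4 -and $wuaPolicy.NoAutoRebootWithLoggedOnUsers -ne 1) {
    $verdict = 'WUA scheduled install is enabled; it can reboot on its own outside ConfigMgr windows'
} elseif (-not $windows) {
    $verdict = 'No maintenance window on this client; Required deployments run at their deadline'
} else {
    $verdict = 'No obvious WUA-driven reboot path; check the deployment reboot settings next'
}

[pscustomobject]@{
    WUAPolicy          = [pscustomobject]$wuaPolicy
    GPOOverwroteClient = $gpoConflict
    MaintenanceWindows = $windows
    PendingReboot      = [pscustomobject]$pending
    LastReboots        = $lastReboots
    Verdict            = $verdict
} | Format-List
```

Run it on a server that rebooted outside its window and compare the event 1074 process name with the pending-reboot flags: if WUAPending is set, AUOptions is 4 and the 1074 entry names wuauclt.exe, the GPO or local WUA settings, not the ConfigMgr deployment's reboot suppression, are what need changing.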

