I use a WSUS v3 server for patching for my other servers (no workstations). I have a GPO that filters on AD group membership to download patches (not apply; we manually apply the patches at a scheduled date. There used to be good reasons for manual patching ...)
Used to be ... Now, what I want is automate it. I want my WSUS server to initiate the patch and reboot at a certain date and time frame, and I'd ideally like to do it via AD group membership, the way I do now. So that instead of 120 servers all patching and rebooting between 10AM - 5PM (for example), I can have a group of 40 do it from 10AM - 1PM, based on group membership; other groups for 1PM-3PM, and 3PM-5PM. Mostly for the control. Am I right that I would need 3 GPOs, each filtering to a different AD group, and each set to initiate patching and rebooting during a different time frame? Or should I just let them all patch and reboot, at anytime from 10AM-3PM on the scheduled date? Or is there a better way? Thanks
