Our policy has been that our DCs are not patched via WSUS, like other
member servers, but instead that we manually install the current patches
from Microsoft Update. But now, I would like to change this, and use WSUS
to patch all the DCs to our production levels (meaning: one month behind on
released patches).

I don't see any downsides to this. I would create a new GPO (rather than
modify the Default Domain Controllers Policy). I think I might still set
them to download only, not automatically install.

Thoughts?
Should I let them auto-install, like most of my other member servers?
Is that what you others do?
Do you let your DCs get their patches via WSUS?

(The more servers I don't have to manually install patches on, the happier
I am. We have some servers that we must do manually, for reasons I won't go
into.)
