On Wed, Jul 12, 2017 at 11:05 AM, Kennedy, Jim <[email protected]> wrote:

> Separate group in WSUS, download but don’t install. I manually install
> them during downtime I schedule shortly after patch Tuesday. That is how I
> handle member servers and DC’s.
>
> But, I only have 40 or so servers to do.

Yeah, we have close to 4x that. When it was only 40-50, manually installing patches is manageable. With our number, we have 3 staff come in and have to do 50+ servers once a month. That's like 12 hours or so overtime (total for all 3) every month. So auto-installing patches would also be a cost saving maneuver for us, as well.

I have groups in WSUS, and approve current month patches for just our testing servers, and everything up until this month for all other servers. So I would just add the DCs to that second group. And then use a GPO to either download or install, and tie it to a specific AD group.

I'm just a bit leery about having DCs auto-patch. I don't know if I am being over-cautious, is all ...

> *From:* [email protected] [mailto:listsadmin@lists.myitforum.com] *On Behalf Of *Michael Leone
> *Sent:* Wednesday, July 12, 2017 10:56 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] Advice on patching Domain Controllers via WSUS
>
> Our policy has been that our DCs are not patched via WSUS, like other
> member servers, but instead that we manually install the current patches
> from Microsoft Update. But now, I would like to change this, and use WSUS
> to patch all the DCs to our production levels (meaning: one month behind on
> released patches).
>
> I don't see any downsides to this. I would create a new GPO (rather than
> modify the Default Domain Controllers Policy). I think I might still set
> them to download only, not automatically install.
>
> Thoughts?
>
> Should I let them auto-install, like most of my other member servers?
>
> Is that what you others do?
>
> Do you let your DCs get their patches via WSUS?
>
> (the more servers I don't have to manually install patches on, the happier
> I am. We have some servers that we must do manually, for reasons I won't go
> into)

