Usually stagger patching of domain controllers, and test and validate patches in a non-production region prior to deployment in production.
On Jul 12, 2017 11:03 AM, "Michael Leone" <[email protected]> wrote:

> Our policy has been that our DCs are not patched via WSUS, like other
> member servers, but instead that we manually install the current patches
> from Microsoft Update. But now, I would like to change this, and use WSUS
> to patch all the DCs to our production levels (meaning: one month behind on
> released patches).
>
> I don't see any downsides to this. I would create a new GPO (rather than
> modify the Default Domain Controllers Policy). I think I might still set
> them to download only, not automatically install.
>
> Thoughts?
> Should I let them auto-install, like most of my other member servers?
> Is that what you others do?
> Do you let your DCs get their patches via WSUS?
>
> (the more servers I don't have to manually install patches on, the happier
> I am. We have some servers that we must do manually, for reasons I won't go
> into)

