We do all of our critical servers this way. Download the patches, install cycle
happens manually. It’s just a separate group in WSUS. We also do manual
approval only on that group.
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.

From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Wednesday, July 12, 2017 10:56 AM
To: [email protected]
Subject: [NTSysADM] Advice on patching Domain Controllers via WSUS

Our policy has been that our DCs are not patched via WSUS, like other member
servers, but instead that we manually install the current patches from
Microsoft Update. But now, I would like to change this, and use WSUS to patch
all the DCs to our production levels (meaning: one month behind on released
patches).

I don't see any downsides to this. I would create a new GPO (rather than modify
the Default Domain Controllers Policy). I think I might still set them to
download only, not automatically install.

Thoughts?
Should I let them auto-install, like most of my other member servers?
Is that what you others do?
Do you let your DCs get their patches via WSUS?

(The more servers I don't have to manually install patches on, the happier I
am. We have some servers that we must do manually, for reasons I won't go into.)