You can configure clusters and maintenance windows in SCCM so it will only reboot a certain percentage of a given population of machines at one point also.
Thanks,
Brian Desmond
(w) 312.625.1438 | (c) 312.731.3132

From: [email protected] [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, July 12, 2017 10:07 AM
To: [email protected]
Subject: RE: [NTSysADM] Advice on patching Domain Controllers via WSUS

I patch everything with SCCM. Currently, all of my servers get updates deployed to them, with reboots being done manually by me after hours. I have a little over 200 total, minus the 30 or so in my test group that gets done the previous week.

From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Wednesday, July 12, 2017 7:56 AM
To: [email protected]<mailto:[email protected]>
Subject: [NTSysADM] Advice on patching Domain Controllers via WSUS

Our policy has been that our DCs are not patched via WSUS, like other member servers, but instead that we manually install the current patches from Microsoft Update.

But now, I would like to change this, and use WSUS to patch all the DCs to our production levels (meaning: one month behind on released patches). I don't see any downsides to this. I would create a new GPO (rather than modify the Default Domain Controllers Policy). I think I might still set them to download only, not automatically install.

Thoughts? Should I let them auto-install, like most of my other member servers? Is that what you others do? Do you let your DCs get their patches via WSUS?

(The more servers I don't have to manually install patches on, the happier I am. We have some servers that we must do manually, for reasons I won't go into.)

