This approach doesn’t really scale beyond a handful of servers… Windows is well setup to have updates installed but pending a reboot – the servicing system is built to support that.
Thanks, Brian Desmond w – 312.625.1438 | c – 312.731.3132 From: [email protected] [mailto:[email protected]] On Behalf Of Hank Arnold Sent: Saturday, July 15, 2017 4:34 AM To: [email protected] Subject: RE: [NTSysADM] Advice on patching Domain Controllers via WSUS I never allow any server to auto install updates. I can’t allow them to reboot automatically. If they don’t reboot, then they are in what I consider an unstable environment. They all are set for Option 3 (download & inform). Regards, Hank Arnold “Understanding is a 3-edge sword. Your side, my side and the truth. J. Michael Straczynski [MVP_Emblem_FINAL_0818] My Blog: http://blogs.msmvps.com/hankshelp/ Twitter: @Hank_PCDoc Facebook: https://www.facebook.com/hank.arnold.96 From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Michael Leone Sent: Wednesday, July 12, 2017 10:56 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] Advice on patching Domain Controllers via WSUS Our policy has been that our DCs are not patched via WSUS, like other member servers, but instead that we manually install the current patches from Microsoft Update. But now, I would like to change this, and use WSUS to patch all the DCS to our production levels (meaning: one month behind on released patches). I don't see any downsides to this. I would create a new GPO (rather than modify the Default Domain Controllers Policy). I think I might still set them to download only, not automatically install. Thoughts? Should I let them auto-install, like most of my other member servers? Is that what you others do? Do you let your DCs get their patches via WSUS? (the more servers I don't have to manually install patches on, the happier I am. We have some servers that we must do manually, for reasons I won't go into)
