Do any of you wonderful people have Windows updates done automatically on your application servers/environment? Just wondering, thanks!!!
I still do most of my servers manually (especially the GE/Vierence/Athena servers). You never know when you are going to be burned by a bad update, which seems to happen way too frequently for my liking. I do them on the weekend and do some testing before Monday rolls around. While this method is far from foolproof, it is better than letting Microsoft decide. I only have about 30 Windows servers, so it is easy for me to do them manually. Some I can do during the work day because I can reboot them without anyone noticing, but about 20 of them are mission critical.
I use WSUS to deploy patches to my workstations and several servers. That way I have control over what I approve and when patches are deployed. If you have many Windows servers I would recommend WSUS, but Microsoft warns you to "deploy in test environment", and who has such a test setup with identical hardware as production? Most of my lab is made up of retired hardware, which is different from what I have in production. I test into production (after a VM snapshot), and if everything appears to work I leave it, but the real test starts on Mondays.
I also hold off on updates about a week to see if there are any pullbacks from Microsoft. In that time, I can let the many MS customers who are set to auto update on Patch Tuesday beta test for me.
Mike Zavolas
Tallahassee Neurological Clinic
That was an awesome reply. Your attention to detail is exactly what I was looking for.
I do know of an environment where one of our fellow users of CPS Admins does use Windows Auto Updates on their servers and got bitten by a .NET update. But he is also one of the most savvy technical people I have ever met, and he managed through the issue just fine.
If there are any other users with stories regarding Windows Auto Updates out there we would love to hear them.
Thank you very much Mike Zavolas for your detailed response!!
We use a patch management system that allows us to set up test users (the IS staff) apart from all other computers. Five days after application to the test users, patches will automatically be applied to all other computers (including servers) as long as we don't stop it.
Steve
Mike described our patch/upgrade management process very well. Servers are always patched/upgraded manually.
I can't imagine ever wanting a production server to automatically reboot without an administrator knowing about it.
-dp
We have a Test and Production environment. The Production environment gets patched on the 3rd Wednesday of every month. The Test environment gets patched the Monday before the 3rd Wednesday, so we go into Test, looking to see if the updates have caused any issues, and if we find a bad one, we have it removed from the Wednesday night patching.
Mike's response is right on and is almost exactly what we do. We use WSUS to approve workstations in groups automatically (a few less critical immediately, then more important after 4 days, most important last).
For servers, most (a couple dozen) approve automatically in WSUS in stages also, and I only manually patch a handful of critical servers. WSUS can apply patches automatically after set periods of time. If your reboot schedules are set appropriately, you will never be surprised by a patch reboot. This is not to be confused with just using the default Microsoft Update settings; this is using "Automatic Approvals" in WSUS.
It's time consuming and usually after hours work to manually patch, so finding the right balance with your servers and your organization is the key. In 6 years, we've only had 1 or 2 patch surprises and they were easy to fix, so I go pretty aggressive with the automatic approvals.
Thanks,
Wade
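The staged WSUS approach the thread converges on (Mike's one-week hold for Microsoft pullbacks, then a test group, then production a few days later, as Steve and Wade describe) can also be scripted instead of relying on console Automatic Approval rules. This is an added example, not code from any poster; it assumes the UpdateServices PowerShell module (Windows Server 2012 or later) and WSUS computer groups named "Test Servers" and "Production Servers", both of which are assumptions.

```powershell
# Added example: staged WSUS approvals. Run on the WSUS server from an elevated
# PowerShell session. Group names and day counts below are assumptions.
Import-Module UpdateServices

$TestGroup = 'Test Servers'        # assumed WSUS computer group
$ProdGroup = 'Production Servers'  # assumed WSUS computer group
$HoldDays  = 7   # wait for Microsoft pullbacks before anything gets approved
$SoakDays  = 5   # time an update must sit in Test before Production

$wsus = Get-WsusServer   # connects to the local WSUS instance
$now  = Get-Date

# Stage 1: unapproved security/critical updates that arrived at least
# $HoldDays ago go to the Test group only.
Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status Needed `
               -Classification Security, Critical |
    Where-Object { $_.Update.ArrivalDate -lt $now.AddDays(-$HoldDays) } |
    ForEach-Object {
        Write-Host "TEST  <- $($_.Update.Title)"
        $_ | Approve-WsusUpdate -Action Install -TargetGroupName $TestGroup
    }

# Stage 2: updates approved for Test at least $SoakDays ago, and not yet
# approved for Production, are promoted. Anything that caused trouble in Test
# should have been declined by an admin during the soak window, which is the
# manual check the thread's posters describe.
Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Any `
               -Classification Security, Critical |
    ForEach-Object {
        $approvals = $_.Update.GetUpdateApprovals()
        $testApproval = $approvals | Where-Object {
            $wsus.GetComputerTargetGroup($_.ComputerTargetGroupId).Name -eq $TestGroup -and
            $_.Action -eq 'Install'
        }
        $prodApproval = $approvals | Where-Object {
            $wsus.GetComputerTargetGroup($_.ComputerTargetGroupId).Name -eq $ProdGroup
        }
        if ($testApproval -and -not $prodApproval -and
            $testApproval.CreationDate -lt $now.AddDays(-$SoakDays)) {
            Write-Host "PROD  <- $($_.Update.Title)"
            $_ | Approve-WsusUpdate -Action Install -TargetGroupName $ProdGroup
        }
    }
```

Schedule this as a daily task and pair it with the reboot windows Wade mentions (configured via Group Policy on the clients), so the only thing that decides when a production server restarts is your maintenance schedule, not the update's arrival.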