Mark Minasi's Tech Forum
nikolas.e

Senior Member
Posts: 140
#1
Hi all.

Okay, I have some difficulties understanding how to apply updates using some policy. I do not mean how to approve or decline; I mean the policy I will follow to apply them. Let me give an example.


April updates for computers & servers O/S

Computer updates -> apply to test computers for a 30-day period.

if okay -> approve for production computers
if not okay -> decline approval for production (decline the update that causes the issue)


Server updates -> apply to test servers for a 30-day period.

if okay -> approve for production servers
if not okay -> decline approval for production (decline the update that causes the issue)


Now what I use is an Excel file to write down the KB number, the date I approved it, where I approved it, and the results of the approval.


Please correct me or add to this if you want. I would like to know the best way to handle WSUS, since sometimes I feel I am lost in it.


Also: should I approve preview updates or not?



Thanks

__________________
Just call me the 1000Questionsguy
0
downtime

Senior Member
Posts: 103
#2
Hi Nikolas,

Personally, I preferred the so-called "Patch Tuesday" because I knew when all the latest Windows Updates would be released.

Now Microsoft seem to be releasing updates all over the place, some with stupid names like "Preview".

This is an example from April 2017 updates on a Windows Server 2008 R2 Server:

April, 2017 Security Only Quality Update for Windows Server 2008 R2 for x64-based Systems (KB4015546) - Installed OK.
April, 2017 Preview of Monthly Quality Rollup for Windows Server 2008 R2 x64 Edition (KB4015552) - Installed OK.
April, 2017 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems (KB4015549) - Failed, and no longer required (why?!).

Anyway, this is what I have in my WSUS Server:

I have various Computer Groups like "Domain Controllers", "Member Servers", "Test Computers", etc.

When the new Windows Updates arrive, I have a look at the list and I may (rarely) decline some updates like "drivers".
I then approve all the updates for the "Test Computers" group.

Under "Updates" I have a custom Updates View called "Partial Approved Windows Updates". View properties: Approval (Approved), Status (Any)
Here I can see which updates are still pending to which groups.

When I am happy with the Windows Updates (after a week of testing on various PCs and test servers), I will then approve the updates to all the other groups (DCs, Member Servers, etc.).

I have a separate record for every server I have, which details what updates were installed and when.

I hope this helps, but any questions, please ask!

0
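The staged approval described in post #2 (approve for "Test Computers", test for about a week, then approve for the remaining groups) can be scripted with the WSUS PowerShell module. This is an added example, not code from either poster: the soak period, the hold on titles matching "Preview", the hold when any test machine reports a failed install, and the assumption that approval timestamps are UTC are all choices made for this example.

```powershell
# Added example: promote updates from the test ring to the production groups.
# Run on the WSUS server. Reports only unless -Apply is given.
param(
    [string]   $TestGroup   = 'Test Computers',                  # group names quoted in the post
    [string[]] $ProdGroups  = @('Domain Controllers', 'Member Servers'),
    [int]      $SoakDays    = 7,                                 # "a week of testing"
    [string]   $HoldPattern = 'Preview',                         # assumption: hold titles matching this
    [switch]   $Apply
)
Import-Module UpdateServices
$wsus    = Get-WsusServer
$groups  = $wsus.GetComputerTargetGroups()
$test    = $groups | Where-Object { $_.Name -eq $TestGroup }
$prod    = @($groups | Where-Object { $ProdGroups -contains $_.Name })
if (-not $test -or $prod.Count -ne $ProdGroups.Count) { throw 'Computer group not found on this WSUS server.' }
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$cutoff  = (Get-Date).ToUniversalTime().AddDays(-$SoakDays)      # assumption: approval timestamps are UTC

foreach ($item in Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Any) {
    $u = $item.Update
    if ($u.IsSuperseded -or $u.Title -match $HoldPattern) { continue }
    # The oldest Install approval for the test group marks the start of the soak period.
    $first = $u.GetUpdateApprovals($test) | Where-Object { $_.Action -eq $install } |
             Sort-Object CreationDate | Select-Object -First 1
    if (-not $first -or $first.CreationDate -gt $cutoff) { continue }
    $failed = $u.GetSummaryForComputerTargetGroup($test).FailedCount
    foreach ($g in $prod) {
        # Skip groups that already have an Install approval for this update.
        if ($u.GetUpdateApprovals($g) | Where-Object { $_.Action -eq $install }) { continue }
        $decision = if ($failed -gt 0) { 'Hold: failed on test group' }
                    elseif ($Apply)    { [void]$u.Approve($install, $g); 'Approved' }
                    else               { 'Would approve' }
        # One record per update and group: KB, where, when, result.
        [pscustomobject]@{
            KB = $u.KnowledgebaseArticles -join ','; Title = $u.Title; Group = $g.Name
            TestApproved = $first.CreationDate; FailedOnTest = $failed; Decision = $decision
        }
    }
}
```

Piping the output to `Export-Csv` gives a per-run record of KB number, target group, test approval date and result, the same fields as the spreadsheet described in post #1.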
nikolas.e

Senior Member
Posts: 140
#3
Thank you so much for the info.

In our network environment there is only 1 group for all production servers (15 servers). I will need to separate them into different groups: Member Server groups and Domain Controller groups.

About:

Under "Updates" I have a custom Updates View called "Partial Approved Windows Updates". View properties: Approval (Approved), Status (Any) 
Here I can see which updates are still pending to which groups. 


I will have to have a look at that, since I have never done it.


In the following days I am going to build WSUS in my home lab. I can take screenshots of my setup and attach them here to the forum, along with the steps I will follow for approving, and maybe you can point out my mistakes or add additional info.


Thank you again for your help.

__________________
Just call me the 1000Questionsguy
0
nikolas.e

Senior Member
Posts: 140
#4
I didn't have the time to set up my test lab with WSUS, but I will say this. Because of this ransomware virus attacking systems worldwide, I had the opportunity to spend more hours on the production WSUS server (making sure that the necessary patches were applied for protection) and learn things that I am sure will help me in the future. In combination with my Excel file, of course [smile]. One mistake I believe I was making was the delay in applying patches to the production servers. (By the time I had to apply the patches to the servers, most of them were already superseded.) So I am trying to correct that. Let me give an example. Patch Tuesday updates are released for May. I will delay applying them to Test Servers for 2-4 days just to check each KB for any known issues. If there are no issues, I will apply them to Test Servers for 1 week of testing. After the week passes and I see no problems, I will apply them to production servers.
__________________
Just call me the 1000Questionsguy
0