So, I've just read the following article:
http://blogs.technet.com/b/wsus/archive/2013/06/11/wsus-blog-managing-updates-with-deadlines-in-an-era-of-automatic-maintenance.aspx
After reading that it appears that the recommended method of managing updates for Windows Servers is to combine Automatic Maintenance and Deadlines.
That information is gleaned from this article:
http://technet.microsoft.com/library/hh994618.aspx#BKMK_WhatsNewEight
The relevant portion I believe is this:
Set machines to auto-install, prevent auto-reboot until desired time
Policy: Configure Automatic Updates (Enabled) Configure automatic updating: 4 – Auto download and schedule the install
Policy: No auto-restart with logged-on users… (Disabled)
WSUS deadlines: set to Fridays at 11PM
But after reading through some of the posts here it appears that historically this is not the proper way to handle this:
Specifically the moderator said this:
Ahh.. yes.. this is the natural artifact of using deadlines as a 'scheduling' tool, rather than an 'enforcement' tool -- which is what they were designed to be used for.
If the update is missing after the deadline expires, it will get installed immediately and cause an immediate system restart.
Since the method admins have historically used to schedule updates to occur on specific dates was via GPO, and those settings are no longer honored with the recent change to Windows 8/2012, it seems that deadlines are THE ONLY method to handle scheduling updates for servers.
The upside to this is that we are able to schedule updates and reboots to happen on a specific date.
The downside is that once an update has a deadline set, when a new server comes online and gets updates an out-of-band reboot will happen, as the deadline dictates that the client must reboot when the deadline has passed.
There appear to be a couple of ways around this situation, but they require an investment in some of the System Center products that not all admins may be able to avail themselves of.
Solution 1
Create a System Center Configuration Manager 2012 (CM12) deployment and allow CM12 to handle updates. You will need to create collections, manage maintenance windows and configure CM12 to manage your updates, but this solution appears to work as advertised.
Solution 2
Create a System Center Orchestrator 2012 (OR12) deployment and design runbooks within that environment to handle grabbing updates, installing updates, and then bouncing the server as needed. You may also need to run with Auto-Updates disabled, but since OR12 would be doing it for you that should be ok.
It seems to me that there should be a better method of allowing admins to handle Windows updates for servers with 2012+ rather than having to resort to some of these solutions. I think most of us would agree that the ability to permanently disable Automatic Maintenance would be a place to start. Barring that, perhaps a method to set deadlines for a computer group rather than for an update. The problem of servers coming online and getting updates after a deadline is still a problem, but perhaps that is more of a user education problem.
I would appreciate anyone's comments on this and perhaps a dialog on here with Microsoft showing us better methods of handling this than what we've been able to find online.
Thanks,
Jeffrey S. Patton
Systems Specialist, Enterprise Systems
University of Kansas
1001 Sunnyside Ave. Lawrence, KS. 66045
(785) 864-0242
http://patton-tech.com
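The three policy settings quoted from the TechNet article above (auto download and schedule the install, no-auto-restart policy disabled, deadline set on the WSUS side) end up as registry values under the Group Policy hive on each client, so a server's effective configuration can be audited before the Friday 11PM deadline arrives. The script below is an added example written for this thread, not code from the original post or from Microsoft; it assumes the settings are delivered by GPO (so they live under HKLM\SOFTWARE\Policies), that the expected values mirror the quoted article, and that the WSUS-side deadline itself cannot be read from the client, which is why the script only reports WSUS targeting and pending-reboot state rather than the deadline time.

```powershell
# Added example: audit a server's effective Windows Update policy against the
# Automatic Maintenance + deadline configuration quoted in the thread above.
# Assumption: settings are GPO-delivered, so they sit under the Policies hive.
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Expected values derived from the quoted article (assumed mapping of each
# policy to its registry value):
#   Configure Automatic Updates = Enabled, option 4  -> AUOptions = 4
#   No auto-restart with logged-on users = Disabled  -> NoAutoRebootWithLoggedOnUsers = 0
#   Updates and deadlines come from WSUS              -> UseWUServer = 1
$expected = @{
    AUOptions                     = 4
    NoAutoRebootWithLoggedOnUsers = 0
    UseWUServer                   = 1
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    }
    catch {
        # Value absent: GPO has not applied yet, or the setting is Not Configured.
        $null
    }
}

function Test-WsusDeadlinePolicy {
    $findings = foreach ($name in $expected.Keys) {
        $actual = Get-PolicyValue -Path $auPolicy -Name $name
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = if ($null -eq $actual) { '<not configured>' } else { $actual }
            Match    = ($actual -eq $expected[$name])
        }
    }

    # Which WSUS server the client reports to; the deadline is approved there,
    # per update, and is not visible in the client registry.
    $wsusServer = Get-PolicyValue -Path $wuPolicy -Name 'WUServer'

    # A server built or joined after the deadline has passed will install and
    # restart at once (the behaviour the moderator describes), so surface any
    # already-pending reboot before the box is put into service.
    $rebootPending = (New-Object -ComObject 'Microsoft.Update.SystemInfo').RebootRequired

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        WsusServer    = if ($wsusServer) { $wsusServer } else { '<not configured>' }
        RebootPending = $rebootPending
        Compliant     = -not ($findings | Where-Object { -not $_.Match })
        Findings      = $findings
    }
}

$result = Test-WsusDeadlinePolicy
$result | Select-Object ComputerName, WsusServer, RebootPending, Compliant | Format-List
$result.Findings | Format-Table -AutoSize
```

Run it as an administrator on each server (or through Invoke-Command across the WSUS computer group) after `gpupdate /force` and before the approval deadline; any row with `Match = False` means the client will not follow the scheduled-install path the article relies on, and a `RebootPending = True` on a freshly built server is the out-of-band restart the post warns about waiting to happen.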