How do you handle windows updates in your

company

by nicolas9341 on Sep 17, 2012 at 10:38 AM

Windows

• Subscribe
• Report
• Translate

18

Next:It is possible to remove or hide languages from Windows Server?

Spiceworks Help Desk

The help desk software for IT. Free.

Track users' IT needs, easily, and with only the features you need.

Learn More »

Get answers from your peers along with millions of IT pros who visit Spiceworks.

Join Now

• prev
• 1
• 2
• 3
• next

61 Replies
···

Chipotle

OP

Geist Sep 17, 2012 at 4:00 PM

Run them through Microsoft update with every computer set to download during the lunch
break, the hard part is getting laptop users not to ignore the big message saying don't turn me off
whilst updating. We've had a fair few laptops lose hard drives through this action, but not as
many as we have had screen being shattered by pens and slamming.

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···

Thai Pepper

OP

Brian Thorp Sep 17, 2012 at 4:16 PM

Chestnut Consulting is an IT service provider.

Fought to own the project to deploy WSUS, with one slightly successful deployment in the last
year. Now I own SCCM 2012, so basically SCCM controls WSUS to deploy updates. its slick!!
 Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···

Serrano

OP

Bozz Sep 17, 2012 at 5:05 PM

We used to use a WSUS server to patch all Microsoft applications but have since moved to the
cloud-based VMware Go solution (previously IT.Shavlik) that now handles scanning and patch
management for Microsoft + just about every 3rd party app out there. I'd been looking for
something like this for a long time, having tested tons of other solutions out there along the way
that always seemed to come up short in one way or another. But Vmware Go works amazingly
well and it's cheap.

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···
Thai Pepper

OP

Gregmfg Sep 17, 2012 at 5:11 PM

We use WSUS for everything here

Workstations download and install automatically while our servers download but require a
manual install.

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···

Serrano

OP

Don7478 Sep 17, 2012 at 5:36 PM

I just discovered a very lightweight very inexpensive program called BatchPatch. IMHO much
better than WSUS alone.

They're a vendor on here but I can't find their page for some reason. They're on the web at
www.batchpatch.com.
You can download a free trial(limited to 7 machines at a push) Give them a look.

Was this post helpful? Thanks for your feedback!

• Spice

(2)

• Reply
•
•

···

Pimiento

OP

Mike9115 Sep 17, 2012 at 6:39 PM

Years ago I used Update Expert to "push" patches to the computers. They can be a scheduled
push too. WSUS is a pull method of updating.

Mike D

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···
Serrano

OP

Don7478 Sep 17, 2012 at 6:39 PM

Here's their Vendor page:

http://community.spiceworks.com/pages/cocobolosoftwarellc

Was this post helpful? Thanks for your feedback!

• Spice

(1)

• Reply
•
•

···

Habanero

OP

Antal Daavid Sep 17, 2012 at 6:51 PM

I think these people like WSUS.

I was going to make a joke about the best way to handle updates is to never do them, but I
couldn't get the punch line to work right.

Was this post helpful? Thanks for your feedback!

• Spice

(0)
 • Reply
•
•

···

Serrano

OP

spngnetwork Sep 17, 2012 at 7:07 PM

Unfortunately our Windows updates are handled by a mysterious higher-level admin team, who
set our updates to run after hours. I use iTALC to fire up our computers remotely, then run a
scheduled shutdown a several hours later. If it were up to me I would use WSUS.

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···

Poblano

OP
nicolas9341 Sep 18, 2012 at 9:56 AM

Guys,

Thx a lot for al those replies! I'll have a look at this.

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···

Chipotle

OP

MattRat Sep 18, 2012 at 2:25 PM

We are also using WSUS. We usually review them once every few week or once a month. Then
when we approve them on the WSUS server, they are pushed to the clients and installed after
hours. We control the reboot behavior through GPs.

One thing that we do to save time on reviewing them, is watching the Shavlik webinars. They go
through each of the updates the week after they are released.
http://www.shavlik.com/webinars/shavlik-video/resources.aspx

This is a good mailing list and forum to discuss WSUS

http://www.patchmanagement.org/

Was this post helpful? Thanks for your feedback!

 • Spice

(0)

• Reply
•
•

···

Cayenne

OP

Alcyone92 Sep 18, 2012 at 3:07 PM

I used to use WSUS but it made it very hard to keep the 3rd party software updated.

Now we use LanGuard from GFI. Great product and very affordable. It pushed all the
Microsoft update as well as 3rd party one that are very important like Acrobat and Flash. It is
even configured to remove software that is not on the approved list like older AutoCAD
versions. Very nice product with a lot of features.

http://www.gfi.com/network-security-vulnerability-scanner/

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···
Thai Pepper

OP

JCAlexandres Sep 18, 2012 at 3:30 PM

Workstations with WSUS, servers is a mix, but most of the servers are done manually since their
operation is too critical to let them do it automatically.

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···

Serrano

OP

Anthony Tanjoco Sep 18, 2012 at 4:13 PM

Diddo on the WSUS...

Was this post helpful? Thanks for your feedback!

• Spice

(0)
 • Reply
•
•

···

Jalapeno

OP

the I.T. Dood Sep 18, 2012 at 5:06 PM

Lab19 is an IT service provider.

I love batchpatch.

WSUS for PC's via GPO is simple. but for servers you often need that manual
touch. batchpatch makes server patching via WSUS a lot easier.

Was this post helpful? Thanks for your feedback!

• Spice

(1)

• Reply
•
•

···

Poblano

OP
Douglas_ Sep 18, 2012 at 5:43 PM

Here we use a potent combination of WSUS for Microsoft updates and Secunia for Flash,
Reader, and Java et al. WSUS is free and does the job so would highly recommend it. Servers are
updated manually

Be sure to setup testing groups and keep clear logs on the updates you install approve for
installation - in case one breaks something and you need to uninstall it. The best advice I can
give is to subscribe to a good patch management mailing list as this will allow you to have a
heads up on updates which cause issues upon deployment.

Hope this helps

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···

Habanero

OP
BizDPS Sep 18, 2012 at 5:44 PM

We use Windows Intune. It works very much like WSUS, except is hosted and works wherever
the client computer has an Internet connection.

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···

Thai Pepper

OP

GUIn00b Sep 18, 2012 at 7:23 PM

GPO and WSUS

We basically leverage Scheduled Tasks for remotely handling updates on demand. I can force
all workstations to gpupdate and reboot with the click of a mouse. Another click and I force all
workstations to immediately check for updates, install them while automatically accepting
EULA, and then reboot. We have the same thing set up for our servers.

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•
···

Habanero

OP

DEngelhardt Sep 18, 2012 at 8:27 PM

Yasaf Burshan wrote:

WSUS

For clients - Automatic update and iinstall

For server - download & Manual install

"Mission Critical" server are on no download, we update them manually.

Ditto here, except that our policy is to install immediately to a test group and monitor the web
and newsletters for update issues over the next month. Then push to workstations and
servers. Workstations install at shutdown per GPO. Servers are manually updated and restarted
outside of work and backup schedules.

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···
Tabasco

OP

Guy5702 Sep 19, 2012 at 7:11 PM

For workstations, we have Windows Update enabled to automatically download and install the
updates. Although some employees just do the downloads and perform the updates at a
convenient time for them.

For servers, I will update one or two machines after Patch Tuesday and let them run for a
week. If I don't see any issues, then the rest of the servers get updated manually. I run a small
shop (12 servers and 3 dozen employees) so it's pretty easy to keep things up-to-date.

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···

Ghost Chili

OP

Briser_fae_the_broch Sep 20, 2012 at 5:20 PM

WSUS on W2008 for PC's but manually Windows Update for servers to give me control over
what and when.

Was this post helpful? Thanks for your feedback!

 • Spice

(0)

• Reply
•
•

···

Tabasco

OP

eskey Sep 20, 2012 at 6:29 PM

We use WSUS with registry settings to populate (not using GPO).

In WSUS we have two groups: TESTCOMPS (IT staff PCs and some really test machines) and
APPROVED (rest of users and operational servers). Updates for test group are approved
automatically during weekly synchronization on Wednesday and then installed. Then IT staff
have time to observe behaviour of test PCs. If everything goes OK, then on next Tuesday latest
we approve updates for the second group.

Approved updates are installed automatically on different hours (you may configure it). Users
have only a choice to postpone restart of PC (if required) to the hour of their choice (usually at
the end of work).

This model works great. We haven't had almost any issues with Windows Updates (only with
one: Microsoft Office File Validation Add-In).

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•
···

Cayenne

OP

Computer MD Sep 20, 2012 at 8:12 PM

WSUS - you can look over the updates before you deploy them. Also you can uninstall certain
updates if they prove to create a problem. For example I installed an Excel update (KB2596596)
that turned out to eliminate charts being printed out in excel. I merely went to the WSUS and
told it to uninstall (Approved for removal) that update and it removed it from all the systems. this
saved me from ahving to go to every system.

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···

Anaheim

OP

MarcoC Sep 20, 2012 at 8:59 PM

We use Lumension Endpoint Management because it allows us to customize groups of

computers (servers, desktops, x64 vs x32, etc.) with updates as well as pushing 3rd party updates
(Adobe, Sun, Apple) and not have to worry about Google Toolbar or Chrome being added to the
update automatically. I can also create custom updates of any 3rd party product I want, though
that has been more challenging than promised. Can also install/uninstall software programs as
well. Nice product.

Was this post helpful? Thanks for your feedback!

• Spice

(0)

• Reply
•
•

···

Serrano

OP

David Shepherd Sep 20, 2012 at 9:40 PM

We wait and update after testing for a week on a couple of machines.

Had way too many things break all at once from updates, like some of our outlook add-ins for
phone, etc. Our system is small, but complex enough that we just don't want to deal with it right
off. We have WSUS and GPO set up, but my hands are on the wheel.