Do you turn off auto-update on your servers?
20/05/2020 7:56 AM by
It is not a good idea to have Windows Update automatically updating your servers. There are a few reasons.
- The hotfix could bring down a production environment. (This issue previously happened)
- In fact, even in a development environment, this could be hours of lost work as the development team struggles to understand why only
some of the developers' servers magically and mysteriously broke overnight.
- Windows Update could restart your server, or put your server in a state where it requires restarting - preventing any urgent MSI installs without bringing down the server.
Windows Update remains the best thing for end-users to protect their systems. But in a server, especially a production server environment - Windows Update patches are just like any new versions of the software that's built internally. It should be tested and then deployed in a controlled manner.
So recommendations for managing updates are as follows:
- Use WSUS to approve/deny updates for your servers.
- Update Staging/Development servers first to see if any issues arise from the updates.
- Roll these updates out to Production once confident there are no issues.
- Windows Updates may be critical and should be kept relatively up to date.
- Do all of this on a schedule - have an email sent to your SysAdmins to remind them to review and reboot needed machines:
- Good Example: Scheduled email showing clear action points and WSUS stats
Do you feel this rule needs an update?