This rule is currently archived
Do you turn off auto update on your servers?
  v6.0 Posted at 13/02/2020 10:54 AM by Steven Andrews
It is not a good idea to have Windows Update automatically updating your servers.  There are a few reasons.

  1. The hotfix could bring down a production environment. (This has happened before.)
  2. In fact, even in a development environment this could be hours of lost work as the development team struggles to understand why only some of the developers' servers magically and mysteriously broke overnight.
  3. Windows Update could restart your server, or put your server in a state where it requires restarting - preventing any urgent MSI installs without bringing down the server.

Windows Update remains the best thing for end-users to protect their systems. But on a server, especially in a production environment, Windows Update patches are just like any new version of software that's built internally. They should be tested and then deployed in a controlled manner.

So recommendations:

  1. Windows Updates may be critical, so servers should be kept relatively up to date.
  2. Have a plan where your awesome Network Admins schedule time to keep the servers up to date - including testing that the servers still perform their functions.
  3. Turn off Automatic Windows Update on Windows Servers.
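
One way to check a server against these recommendations, as an added example that is not part of the original rule: a PowerShell audit that reads the Automatic Updates group-policy values, checks for a pending restart, and reports the age of the newest installed hotfix. The 30-day threshold and the output field names are assumptions.

```powershell
# Added example: audit one Windows Server against the recommendations above.
param(
    [int]$MaxPatchAgeDays = 30   # assumed threshold, set to your own patch cycle
)

$auPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$rebootKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

# Meaning of AUOptions under the "Configure Automatic Updates" policy.
$auOptionText = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule install'
    5 = 'Local admin chooses setting'
}

# 1. Is automatic updating switched off by policy?
$policy = Get-ItemProperty -Path $auPolicyKey -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    $autoUpdate = 'Not set by policy (review local setting)'
} elseif ($policy.NoAutoUpdate -eq 1) {
    $autoUpdate = 'Disabled by policy'
} else {
    $opt  = [int]$policy.AUOptions
    $text = $auOptionText[$opt]
    if (-not $text) { $text = "AUOptions=$opt" }
    $autoUpdate = "Enabled: $text"
}

# 2. Is a restart already pending from an earlier update?
$rebootPending = Test-Path -Path $rebootKey

# 3. How old is the newest installed hotfix?
$last = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object -Property InstalledOn -Descending | Select-Object -First 1
$patchAge = if ($last) { ((Get-Date) - $last.InstalledOn).Days } else { $null }

[pscustomobject]@{
    Server          = $env:COMPUTERNAME
    AutomaticUpdate = $autoUpdate
    RebootPending   = $rebootPending
    LastHotFix      = if ($last) { $last.HotFixID } else { 'none found' }
    PatchAgeDays    = $patchAge
    PatchOverdue    = ($null -eq $patchAge) -or ($patchAge -gt $MaxPatchAgeDays)
}
```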
