WSUS integration plan

capon Registered Users Posts: 4
Hello friends.
My bosses gave me an assignment to make a plan for how to integrate a WSUS server into our infrastructure.
So please help me with advice on how to do it.
By now I have installed Windows Server 2012 and added the WSUS role on it. I tested the server in a test environment and everything was good.
Now I have to accept WSUS updates on Exchange servers and domain controllers, SQL servers and DMZ servers.
My question is which one should be updated first, and if some update breaks the server, what should I do?
Our infrastructure is:
4 domain controllers - 2 with Windows 2008 and 2 with Windows 2012 R2
Exchange (Windows Server 2012 R2 Datacenter) has 2 DAGs with 3 mailbox servers and 2 client access servers.
We also have 20 child domains.
So please, what would be the procedure to update? I must use GPO, I suppose, but tell me what the right order is.


  • rwmidl Member Posts: 807
    It's been a while since I played with WSUS, but a few suggestions:

    - If you can, have test systems you can deploy/test the patches on and production systems.
    - Set your GPO to download but not install the patches (from memory I believe you can do that). This will help prevent patches from automatically installing.
    - You can also segregate out the systems. Have a WSUS group for your Exchange servers, DCs, etc.
    - Remember you can approve the patches to push from WSUS, so until you are ready (and tested) don't push them out.
    - Document, document, document! You are doing change/patch management. Document what patches are to be installed. Have a rollback plan.
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • capon Registered Users Posts: 4
    Yes, I will make different groups for Exchange, domain controllers, etc., but I think that I must update only one DC at a time, not all at the same time. Am I right?
    What will be the rollback plan? Restore from backup or what? This is what I don't understand.
    And how can I understand what patches to approve? In my case I want only security updates. Should I install all which WSUS finds on MS servers?
  • Dojiscalper Member Posts: 266
    Test them in a lab first before approving them for update. If you don't have the resources to do that, your only other option would be to back up the servers before the update so you can do a true and complete rollback in case of failure.
  • techfiend Member Posts: 1,481
    What I'd do is auto-accept only security updates from WSUS and start with a test server (if all physical; otherwise skip, and mention going virtual if you haven't already). If you have virtual servers, snapshot and update non-PDC DCs first. If there's an issue, roll back and troubleshoot, but it'll likely work next time.
    2018 AWS Solutions Architect - Associate (Apr) 2017 VCAP6-DCV Deploy (Oct) 2016 Storage+ (Jan)
    2015 Start WGU (Feb) Net+ (Feb) Sec+ (Mar) Project+ (Apr) Other WGU (Jun) CCENT (Jul) CCNA (Aug) CCNA Security (Aug) MCP 2012 (Sep) MCSA 2012 (Oct) Linux+ (Nov) Capstone/BS (Nov) VCP6-DCV (Dec) ITILF (Dec)
  • capon Registered Users Posts: 4
    All servers are virtual. We have no physical servers.

    If something breaks, revert to the last snapshot, right? No need for a full backup?

    So the PDC will be updated last, as I understand, right?
  • techfiend Member Posts: 1,481
    I just use snapshots and roll back if needed, but I've never had an issue with monthly security updates. I'd do 2 DCs as a test for a week, then do the rest. The PDC is the most important DC, but easily transferred. The other servers appear to be more important.
    2018 AWS Solutions Architect - Associate (Apr) 2017 VCAP6-DCV Deploy (Oct) 2016 Storage+ (Jan)
    2015 Start WGU (Feb) Net+ (Feb) Sec+ (Mar) Project+ (Apr) Other WGU (Jun) CCENT (Jul) CCNA (Aug) CCNA Security (Aug) MCP 2012 (Sep) MCSA 2012 (Oct) Linux+ (Nov) Capstone/BS (Nov) VCP6-DCV (Dec) ITILF (Dec)
  • Micronewb Member Posts: 41
    The way I do patches is as follows:

    1) Approve to test OU
    2) After a week approve to Employee OU
    3) Every quarter approve to infrastructure OU
    4) GPO controls when patches get downloaded BUT does not install them.
    5) Snapshot VM (we use VMware vSphere).
    6) Apply patches
    7) Rinse and repeat

    I can share where the GPO settings are controlled if needed.
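    The staged approval in steps 1 to 3 above (Security classification only, one target group at a time) can be scripted on the WSUS server. This is an added example, not the poster's own script; it assumes the UpdateServices PowerShell module from the WSUS console is installed and that the target group names ('test' here) already exist in WSUS.

```powershell
# Added example: approve only Security-classified, not-yet-approved updates
# to a single WSUS target group, one ring at a time (test -> employee -> infra).
# Assumes the UpdateServices module (installed with the WSUS console) is present
# and is run on the WSUS server itself. Group names are hypothetical.
Import-Module UpdateServices

function Approve-SecurityUpdatesToGroup {
    param(
        [Parameter(Mandatory)] [string] $TargetGroupName,
        [switch] $DryRun     # list what would be approved without changing anything
    )
    $wsus = Get-WsusServer   # connects to the local WSUS server

    # Restrict to the Security classification and to updates with no approval yet,
    # so feature/driver content never slips into the ring by accident.
    $pending = Get-WsusUpdate -UpdateServer $wsus -Classification Security `
        -Approval Unapproved -Status Any

    foreach ($u in $pending) {
        # WsusUpdate exposes the underlying IUpdate as .Update
        $title = $u.Update.Title
        if ($DryRun) {
            Write-Output ("WOULD APPROVE for {0}: {1}" -f $TargetGroupName, $title)
            continue
        }
        $u | Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroupName
        Write-Output ("approved for {0}: {1}" -f $TargetGroupName, $title)
    }
}

# Ring 1 (step 1 above): review the list first, then approve to the test group.
Approve-SecurityUpdatesToGroup -TargetGroupName 'test' -DryRun
Approve-SecurityUpdatesToGroup -TargetGroupName 'test'

# Ring 2 (step 2 above): re-run a week later against the next group; anything
# approved for 'test' in the meantime is no longer "Unapproved" and is re-queried
# by approval state, so keep a list of what passed ring 1 before approving here.
# Approve-SecurityUpdatesToGroup -TargetGroupName 'employee'
```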
  • capon Registered Users Posts: 4
    Yes please. Share that information.
    I decided to make 2 extra OUs. One for critical servers (DHCP, Exchange, DC) and one for others.
  • Micronewb Member Posts: 41
    This is what I have for the test OU in regards to the updates.

    Computer Configuration
    Windows Settings
    Security Settings
    Administrative Templates / Windows Components / Windows Update

    Allow signed updates from an intranet Microsoft update service location Enabled
    Configure Automatic Updates Enabled
    Configure automatic updating: 3 - Auto download and notify for install
    The following settings are only required and applicable if 4 is selected.
    Install during automatic maintenance
    Scheduled install day: 0 - Every day
    Scheduled install time: 03:00

    Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box Enabled
    Enable client-side targeting Enabled
    Target group name for this computer test

    No auto-restart with logged on users for scheduled automatic updates installations Enabled
    Specify intranet Microsoft update service location Enabled
    Set the intranet update service for detecting updates: [URL]https://SERVERNAME:PORTNUMBER[/URL]
    Set the intranet statistics server: [URL]https://SERVERNAME:PORTNUMBER[/URL]

    There is also a certificate section as well, but I imagine you have this set up.

    Let us know if this is what you are looking for or something else.
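    Once that GPO is linked, the settings land as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate on each client. The following check is an added example, not part of the post: it compares a client's applied policy against the values listed above (the expected values are taken from that post; the server URL is the post's placeholder and must be replaced with your own).

```powershell
# Added example: verify on a domain member that the applied Windows Update policy
# matches the test-OU GPO described above. Expected values come from that post;
# 'https://SERVERNAME:PORTNUMBER' is the post's placeholder, not a real server.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au   = "$base\AU"

$expected = @(
    # registry path, value name, expected value, GPO setting it corresponds to
    @($base, 'WUServer',       'https://SERVERNAME:PORTNUMBER', 'Specify intranet Microsoft update service location'),
    @($base, 'WUStatusServer', 'https://SERVERNAME:PORTNUMBER', 'Set the intranet statistics server'),
    @($base, 'TargetGroupEnabled', 1,      'Enable client-side targeting'),
    @($base, 'TargetGroup',        'test', 'Target group name for this computer'),
    @($base, 'AcceptTrustedPublisherCerts', 1, 'Allow signed updates from an intranet location'),
    @($au,   'UseWUServer', 1, 'Client uses the intranet WSUS server instead of Microsoft Update'),
    @($au,   'AUOptions',   3, 'Configure Automatic Updates: 3 - Auto download and notify for install'),
    @($au,   'NoAutoRebootWithLoggedOnUsers', 1, 'No auto-restart with logged on users')
)

function Test-WsusClientPolicy {
    $failures = @()
    foreach ($e in $expected) {
        $path, $name, $want, $desc = $e
        $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $actual) {
            $failures += "MISSING  $name  ($desc)"
        } elseif ("$actual" -ne "$want") {
            $failures += "MISMATCH $name = '$actual', expected '$want'  ($desc)"
        }
    }
    # The GPO above points clients at an HTTPS URL; a plain-HTTP WUServer would
    # weaken the trust in where update metadata comes from, so flag it separately.
    $srv = (Get-ItemProperty -Path $base -Name WUServer -ErrorAction SilentlyContinue).WUServer
    if ($srv -and $srv -notmatch '^https://') { $failures += "WUServer is not HTTPS: $srv" }
    return $failures
}

$result = Test-WsusClientPolicy
if ($result.Count -eq 0) { 'Client policy matches the test-OU GPO.' } else { $result }
```

    Run it after `gpupdate /force` on a machine in the test OU; a non-empty list means the GPO did not apply as intended (wrong OU link, security filtering, or a conflicting policy).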