How do you handle Windows Updates? PDQ? WSUS? Both? Neither?
I know there are lots of ways to handle patching a bunch of servers, with or without PDQ, and I'm just wondering what everyone does. The way we do things seems to work pretty well, but I'm always looking for ways to enhance things.
We have very specific outage windows for our production systems. We can't take anything down until 10PM on the last Saturday of the month. We use a combination of WSUS and PSWindowsUpdate (PowerShell) to get things updated. Here's a sample schedule:
- Friday afternoon we go into WSUS and approve all the applicable patches
- GPO sets all machines to check in every couple hours and to Download but Not Install.
- All machines should have downloaded their patches by Saturday.
- I have a schedule in PDQ that runs a PSWindowsUpdate command to Install patches but Not reboot when done. This fires off at 8PM for all machines.
- At 10PM, the first half of machines are simply told: Reboot Now.
- At 11PM, the second half of machines are simply told: Reboot Now.
- Then I spend the next hour or so fighting with any stragglers that didn't do what they were told, or have errors, or just need some hand-holding for whatever reason.
This setup seems to work pretty well, but I'm always open to ways of improving it.
Are there any pros or cons of using PDQ to install the patches that PDQ supplies instead of using WSUS? Does PDQ have a way of having the machines all download the PDQ Packaged install file ahead of time so I don't have 200+ machines all hitting the file share to download the patch file at the same time? Can PDQ do an install but No reboot by modifying the Deployment?
I don't want to reinvent the wheel and change up our entire method unless there's a compelling reason to do so.
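The 8PM "install but do not reboot" step from the schedule above, sketched as an added PowerShell example (not the poster's own script). It assumes the PSWindowsUpdate module is installed on each server; the log folder and the `Test-LastSaturday` helper are hypothetical names chosen for illustration.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules PSWindowsUpdate

# Hypothetical helper: true only on the last Saturday of the month,
# so a job scheduled for every Saturday cannot patch outside the outage window.
function Test-LastSaturday {
    param([datetime]$Date = (Get-Date))
    # A Saturday is the last one when the date a week later is in another month.
    ($Date.DayOfWeek -eq [DayOfWeek]::Saturday) -and
        ($Date.AddDays(7).Month -ne $Date.Month)
}

if (-not (Test-LastSaturday)) {
    Write-Output 'Not the last Saturday of the month; skipping install.'
    exit 0
}

# Constructed log location; change to suit your environment.
$logDir = 'C:\PatchLogs'
$log    = Join-Path $logDir ('install-{0:yyyyMMdd}.csv' -f (Get-Date))
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Install what the machine's configured update source (WSUS via GPO) offers.
# -IgnoreReboot leaves the restart to the separate 10PM / 11PM step.
$results = @(Install-WindowsUpdate -AcceptAll -IgnoreReboot)
$results |
    Select-Object ComputerName, KB, Title, Result |
    Export-Csv -Path $log -NoTypeInformation

# Assumption: PSWindowsUpdate reports a failed update with Result = 'Failed'.
$failed = @($results | Where-Object { $_.Result -eq 'Failed' })

# Record whether the later reboot step has work to do on this machine.
$pending = Get-WURebootStatus -Silent
Write-Output ("Result rows: {0}; failed: {1}; reboot pending: {2}" -f
    $results.Count, $failed.Count, $pending)

# A non-zero exit code lets the scheduling tool flag this machine as a
# straggler before the reboot window instead of after it.
if ($failed.Count -gt 0) { exit 1 }
exit 0
```

Reviewing the non-zero exits between the install and the first reboot moves the straggler hunt ahead of the reboot window.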
The deployment will be limited by the option set in Options > Preferences > Performance. Notably the concurrent target limits and the Copy Mode. 200 concurrent targets is quite large and I recommend considering lowering that number.
The Windows Update packages in the Package Library shouldn't reboot so you shouldn't have to modify the deployment.
If you are interested in trying some different methods, it may be worth spinning up a test machine and trying out some different deployment methods.
I hope that other people share their perspectives and what they are using, but there are some blogs from PDQ about Windows Updates and even one that uses WSUS that might give some insight:
How to deploy monthly Windows updates | PDQ
Don't Wait For WSUS, Deploy Updates Immediately With PDQ Inventory And Deploy | PDQ