# Server patch deployment environment(WSUS)/policies question



## Juice13610 (Oct 26, 2004)

Hello all,
I am the new crowned ruler of WSUS at my company. We have over 300 servers in our environment and have never had any kind of patching schedule at all. In fact, over most of our maintenance windows, we get a list of 30-40 servers we have to patch manually and patch them that way.

Obviously this is a problem. So, I've installed WSUS and started by making a single group that does nightly patching/reboots when patches are available, and it has thus far worked like a charm. It is only patching a set group of 30-40 servers that are test/development or just aren't that important to the day to day operations of the company (a large group of desktop imaging servers, for example). Yes, desktop imaging servers are important, but they could be rebuilt in a few hours and won't put a stop to our business if a patch were to break them.

Using group policies, you can unfortunately only set WSUS to work on certain days of the week, not certain days of the month (unless someone knows something I don't). Ideally I could say one group gets patches on the 3rd Tuesday of the month, and another would get the patches the next week after nothing bad happens to the group getting patches on the 3rd Tuesday. *Since you can only choose certain days of the week and not of the month, do most people just approve the patches for install for the first group, then come back the next week and approve the patches? How do you verify that the patches released by microsoft are ok? Do you follow the KB article link for each patch and see if it has any warnings? Or do you just push the patches and then depend on the application owners to let you know if their test application broke after patching?*

I'm sure I will have more follow up questions, but this is it for now. Please let me know how you handle these in your environment. I don't want to make any assumptions or look stupid when I start meeting with the application groups.


----------

