What is your policy for pushing out updates on your networks?

[MrGuvernment]

Just want to check in to see what type of policies some of you are using at work for pushing out windows updates and other drivers and systems updates to workstations / servers?

Do you do it bi-monthly, do you follow MS release cycle?

What is you're testing environment like if you have one?

How do you decided if an update gets pushed out or not?

Are there any good resources / sites out there that track problems with the last MS updates and other releases?

 

[/usr/home]

We push out updates once or twice a month using WSUS and we also push the latest Flash/Java/Adobe Reader via GPO then too.

Drivers are automatically installed during the imaging process and aren't updated unless they need to be. BIOS updates are done after imaging to whatever the latest BIOS is at that time. We use WDS to image workstations.

For testing, we have seperate OUs and GPOs to test updates.

 

[MrGuvernment]

i like the idea of flash/java and adobe via GPO, they all have MSI installers now i presume?

I do have a WSUS server, but since most all of our systems are web based i push out updates about every 2 weeks on systems assuming no major reports are around of issues.

 

[-Dragon-]

Generally you have to extract the MSI's from the normal installers, how you so varies on the installer, like with java you have to start the install and then go to your temp folder and find the files it extracted then copy them somewhere else before the install finishes and they're automatically deleted, adobe reader requires a command line switch to extract and for flash I get that here.

 

[cyr0n_k0r]

Adobe allows you to subscribe to an enterprise agreement which they give you the full offline installers of shockwave, flash, etc in MSI form.
You have to sign up and be verified through a corp email account and answer a few questions about your environment.
Takes about 3 days, but once verified you can get the newest versions pretty easily after that.


Does anyone update their BIOS using EXE's? I know Dell provide a windows EXE that will update the BIOS during the next reboot. Does anyone know if other manufacturers offer similar capabilities?

 

[Mackintire]

WSUS updated monthly every third Thursday assuming our Systems Engineer and Sustaining Implementations Engineer approve the update.

I control placing an update into the Query. The other two guys have to approve it for release.

The reason for the delay is to allow them to make sure the patches don't break anything and to give all of us a week to catch any oppsies Microsoft makes. I've pulled two patches myself within the past year.

The two dev engineers have virtual enviroments that they can test the patches in an automated fashion. When we deploy, we restart the machines, install the patches and again restart the end-user's machines.

 

[gimp]

Does anyone update their BIOS using EXE's? I know Dell provide a windows EXE that will update the BIOS during the next reboot. Does anyone know if other manufacturers offer similar capabilities?

we did this for quite a few machines a couple years back, due to an issue with the existing BIOS revision, and the machines had already been deployed. It was the Dell OptiPlex 745 machines that we had to do this for.

For servers, most of us manually install on patch Tuesday. We don't publish the updates in WSUS until the Friday following patch Tuesday.
I do my patching on the 3rd Tuesday of the month, due to some servers in a restricted VLAN that can only access WSUS.

For desktops, we push updates via LANDesk, which works a bit better since updates are on numerous cores in different locations all over the state. So some of the data transfers stay to the local LAN.
IT machines are the "test environment"

 

[MrGuvernment]

i like the idea of IT machines as the test bed, since we can usually revert back and get things back up fast enough ..

also the gap from Tuesday to Friday, i was considering a 1 a month release, i only have 53 workstations to deal with and 13 servers right now

The issue with a testbed is trying to cover everything that every other department may do from development with visual studio to web and design using dreamweaver, and various other adobe products, to customer service using things like kayako desktop and other apps.

 

[MrGuvernment]

i just noticed in windows server 2008 R2 GPO for my windows updates, you can only choose to do it daily or every day or something with in a week period.

Anyone know of a way to set it to every 2 weeks or once a month?

Also i noticed i had approved some updates a few days ago, but it wasn't until last night that some systems pulled and installed those updates....