4

We have an isolated environment of a few hundred servers that we use WSUS to push updates to. We have thousands of updates to manage and push to devices, testing along the way to ensure an update will not break anything. What are the best practices that you all follow in your enterprise networks to ensure an update that will break something does not go out to all the machines? We currently have ours broken into customized groups for each type of machine. There is one "Test Group", which has one PC of each type, that we apply updates to for error checking. Is this a similar procedure to what others follow, or is there an easier, safer way to manage the thousands of WSUS updates?

1 Answer

5

In environments where you have a discrete set of configurations to manage (i.e. not a bunch of end-user desktops) you're already following the accepted best-practice.

  1. Create a canary group to get updates early.
  2. Run each configuration through acceptance trials after updates are applied.
  3. Promote updates to the general population once they've passed acceptance trials.

For really large populations, there is an additional tier between the first group and the everyone group, which is there to discover update problems that only show up occasionally. Whether or not your setup is big enough for that is up to you to decide.

sysadmin1138
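The canary-then-promote procedure in the answer above can be scripted against WSUS. The following is an added example, not part of the original question or answer: it approves new updates only for the canary group, then promotes an update once it has soaked there and no canary machine reports it failed or unfinished. The group names in `$ProdGroups` and the `$SoakDays` window are hypothetical, and the application-level acceptance trials remain a manual step that this gate only supplements.

```powershell
# Added example: staged WSUS approvals (canary group first, then the rest).
# Assumptions: runs on the WSUS server with the UpdateServices module; the
# canary group is the "Test Group" from the question; $ProdGroups and
# $SoakDays are hypothetical values to adapt.
Import-Module UpdateServices

$CanaryName = 'Test Group'
$ProdGroups = @('Web Servers', 'Database Servers')   # hypothetical group names
$SoakDays   = 7                                      # hypothetical trial window

$wsus    = Get-WsusServer
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$groups  = $wsus.GetComputerTargetGroups()
$canary  = $groups | Where-Object Name -eq $CanaryName
if (-not $canary) { throw "Target group '$CanaryName' not found" }

# Step 1: needed updates with no approval yet go to the canary group only.
Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status FailedOrNeeded |
    Approve-WsusUpdate -Action Install -TargetGroupName $CanaryName

# Steps 2-3: promote an update only after it has soaked in the canary group
# and every canary machine that needs it reports it installed.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$SoakDays)
foreach ($wu in Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Any) {
    $update   = $wu.Update
    $approval = $update.GetUpdateApprovals($canary) |
        Where-Object Action -eq $install | Select-Object -First 1
    # Skip updates never sent to the canary group or still inside the window.
    if (-not $approval -or $approval.CreationDate -gt $cutoff) { continue }

    $s = $update.GetSummaryForComputerTargetGroup($canary)
    $unfinished = $s.FailedCount + $s.NotInstalledCount + $s.DownloadedCount +
                  $s.InstalledPendingRebootCount + $s.UnknownCount
    if ($s.InstalledCount -eq 0 -or $unfinished -gt 0) {
        Write-Warning "Holding '$($update.Title)': failed=$($s.FailedCount), unfinished=$unfinished"
        continue
    }
    foreach ($group in $groups | Where-Object Name -in $ProdGroups) {
        # Approve once per group; existing approvals are left untouched.
        if (-not $update.GetUpdateApprovals($group)) {
            $update.Approve($install, $group) | Out-Null
        }
    }
}
```

An update held back by the warning stays approved for the canary group only, so a failed install there never reaches the production groups until someone investigates.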