We have a couple of Windows 2012R2 and Windows 2016 servers hosted with Amazon. None of those servers are joined to a domain; they are all separate.
Before, we would just install Windows updates as they came out, and I would manually set a reboot time through a PowerShell script.
Now we have quite a few servers and customers, so I want to figure out a better policy. Our official policy now is to do periodic maintenance every Sunday from 1am to 2am following Patch Tuesday. It's OK if ALL servers are down at the same time.
Now I read about WSUS, but it seems this is just a role a server takes on to delegate Windows Update processes to other servers; is that correct? Would it handle scheduling and rebooting for me?
Would it be easier to use the Windows Update PowerShell Module and write my own PowerShell script, which gets scheduled through the Task Scheduler, which I deploy manually on all servers?
Are there other options / best practices?
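As an added example (not code from the question or its comments), this is one way to do what the question describes with a script and the Task Scheduler: a weekly Sunday 01:00 task that only installs and reboots on the Sunday following Patch Tuesday. It assumes the PSWindowsUpdate 2.x module is installed and uses the placeholder path C:\Maintenance\Invoke-PatchWindow.ps1.

```powershell
# Added example, not code from the question or comments. Assumes PSWindowsUpdate 2.x is
# installed and this file is saved as C:\Maintenance\Invoke-PatchWindow.ps1 (placeholder path).
param([switch]$Register)

$Script = 'C:\Maintenance\Invoke-PatchWindow.ps1'   # placeholder path
$LogDir = 'C:\Maintenance'

function Get-PatchTuesday([datetime]$Month) {
    # Patch Tuesday is the second Tuesday of the month.
    $first  = Get-Date -Year $Month.Year -Month $Month.Month -Day 1 -Hour 0 -Minute 0 -Second 0
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

function Test-MaintenanceSunday([datetime]$Now) {
    # The window is the first Sunday after Patch Tuesday, i.e. Patch Tuesday + 5 days.
    return $Now.Date -eq (Get-PatchTuesday $Now).AddDays(5).Date
}

if ($Register) {
    # One-time setup per server (run elevated): weekly Sunday 01:00 trigger, running as SYSTEM.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy RemoteSigned -File `"$Script`""
    $trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '01:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Post-PatchTuesday Maintenance' -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
    exit 0
}

# Runs every Sunday at 01:00, but only acts on the Sunday that follows Patch Tuesday.
if (-not (Test-MaintenanceSunday (Get-Date))) { exit 0 }

Import-Module PSWindowsUpdate
$stamp = Get-Date -Format yyyyMMdd
# Record what is pending before installing so each server's change is auditable.
Get-WindowsUpdate -MicrosoftUpdate | Out-File "$LogDir\pending-$stamp.log"
# Install all pending updates and reboot once at the end (the task runs as SYSTEM).
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot | Out-File "$LogDir\install-$stamp.log"
```

Run it once per server with `-Register`; registering it on a small test group of servers before the rest limits the blast radius if an update breaks something.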
I'm going to say this is going to be too opinionated, but for me, I like to control when the servers get their patches, manually or at regular scheduled intervals as you indicate you already do, to have better change control over the server systems. I've used WSUS for hundreds of various Windows computers and made sure I had a nice spread of test group machines, and applied to the smaller test group first in case WU breaks something, so you're not fixing for hundreds. If you have hundreds of servers of various Windows OSes, then the same strategy would apply to servers with WSUS too, I suppose. – Pimp Juice IT – 2017-07-21T01:06:14.190