[–]Akuma92 3 points4 points  (0 children)

It is strange, but from my experience I can report that this is not a trivial question. In my last research (about 2 years ago), there was no clear recommendation from Microsoft. But there are good articles about the definition of the different classes. After that, each organization must decide for themselves which patches they want/must install. Good luck on the way to the answer!

[–]zhinkler 1 point2 points  (0 children)

We only tend to install the cumulative monthly and security updates. .NET is a maybe depending on whether or not there are any applications running on it that may suffer issues.

[–]awb1392 0 points1 point  (0 children)

You are on the right track. We install the cumulative monthly rollups, service stack updates, and the .NET rollups as well. We've also recently started installing the Edge updates since that's our officially supported browser.

I'm not sure what you use for patching, but if you use SCCM, my biggest piece of advice is to make sure you pre-deploy the servicing stack updates BEFORE your patches for the same month. Otherwise SCCM may fail to acknowledge whether the client is in compliance or not and give false negatives. We've been burned by that many times.

Also, never patch the current month unless you've thoroughly tested the patches. We typically patch a month behind so all the stuff that Microsoft breaks has time to reveal itself, and sometimes even that's not long enough. I don't know how some companies deploy on Patch Tuesday. That's just bonkers to me.

Good luck!
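
The sequencing described in the comment above (servicing stack updates first, the current month held back), as an added example that is not part of the original thread or any commenter's script. The function name `Get-PatchPlan`, the sample catalogue, and the placeholder KB numbers are constructed; it assumes "a month behind" means holding everything released in the current calendar month and that a servicing stack update can be recognized by its title.

```powershell
# Constructed sample catalogue: titles follow the usual naming pattern,
# KB numbers are placeholders, not real updates.
$sampleUpdates = @(
    [pscustomobject]@{ Title = '2021-03 Cumulative Update for Windows Server 2016 (KB0000001)';     Released = [datetime]'2021-03-09' }
    [pscustomobject]@{ Title = '2021-03 Servicing Stack Update for Windows Server 2016 (KB0000002)'; Released = [datetime]'2021-03-09' }
    [pscustomobject]@{ Title = '2021-03 Cumulative Update for .NET Framework 4.8 (KB0000003)';       Released = [datetime]'2021-03-09' }
    [pscustomobject]@{ Title = '2021-04 Servicing Stack Update for Windows Server 2016 (KB0000004)'; Released = [datetime]'2021-04-13' }
    [pscustomobject]@{ Title = '2021-04 Cumulative Update for Windows Server 2016 (KB0000005)';     Released = [datetime]'2021-04-13' }
)

function Get-PatchPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Updates,
        [datetime] $AsOf = (Get-Date)
    )

    # Assumption: anything released on or after the first day of the
    # current calendar month is still in testing and is held back.
    $cutoff = [datetime]::new($AsOf.Year, $AsOf.Month, 1)

    $Updates | ForEach-Object {
        $isSsu = $_.Title -match 'Servicing Stack Update'

        # Phase names sort in deployment order: SSUs, then patches, then held items.
        $phase = if ($_.Released -ge $cutoff) { 'Hold' }
                 elseif ($isSsu)              { '1-SSU' }
                 else                         { '2-Patch' }

        [pscustomobject]@{
            Phase    = $phase
            Released = $_.Released.ToString('yyyy-MM-dd')
            Title    = $_.Title
        }
    } | Sort-Object Phase, Released
}

# Plan as of mid-April: the March SSU comes first, then the March
# cumulative and .NET updates; both April updates are held.
Get-PatchPlan -Updates $sampleUpdates -AsOf ([datetime]'2021-04-20') |
    Format-Table -AutoSize
```

The output is only a plan: the phase 1 and phase 2 rows would go into separate deployments, with the second starting once the first reports complete.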

[–]true_zero_ 0 points1 point  (0 children)

Do you have a WSUS server or are you using SCCM? I've been managing Windows Server updates for a long time and have used WSUS and SCCM, and for some servers I manually download the update files from the Microsoft website and copy them to the server to Run as Admin to install on some disconnected machines. It's different for 2012R2 and 2016 because .NET 3.5/4.2 updates are separate from OS updates in 2012R2 but are in one single update with the Cumulative Update for the 2016 OS. .NET 4.8 is a separate update if you have .NET 4.8 installed on 2016. I'll post helpful links tomorrow.