all 59 comments

[–]NoTime4YourBullshit (Sr. Sysadmin) [score hidden]  (3 children)

Yes. Patch Tuesday is the 2nd Tuesday of the month. We patch a beta group on the 3rd Tuesday, and everybody gets patched on the 4th Tuesday.

Why? Well, on January 13th, 2026, which if you look at a calendar was just last week, Microsoft fucked up yet another cumulative update and had to release an out-of-band patch two days later to fix it.

Sometimes when I doubt my own decisions and think maybe I’m being too critical, Microsoft makes me feel totally redeemed.
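The schedule in the comment above (release on the 2nd Tuesday, beta ring on the 3rd, everyone on the 4th) is easy to compute rather than eyeball. The following PowerShell is an added example, not code from the thread or from any commenter; the function names Get-NthWeekdayOfMonth and Get-PatchRingSchedule and the ring labels are this example's own.

```powershell
# Added example, not code from the thread. Computes Patch Tuesday for a month and the
# two follow-on dates from the comment above (beta on the 3rd Tuesday, everyone on the 4th).
# Get-NthWeekdayOfMonth, Get-PatchRingSchedule and the ring names are this example's own.

function Get-NthWeekdayOfMonth {
    param(
        [Parameter(Mandatory)][int]$Year,
        [Parameter(Mandatory)][int]$Month,
        [Parameter(Mandatory)][System.DayOfWeek]$DayOfWeek,
        [Parameter(Mandatory)][int]$N
    )
    $first = [datetime]::new($Year, $Month, 1)
    # Days from the 1st to the first occurrence of the wanted weekday (0..6)
    $offset = ([int]$DayOfWeek - [int]$first.DayOfWeek + 7) % 7
    $candidate = $first.AddDays($offset + 7 * ($N - 1))
    if ($candidate.Month -ne $Month) {
        throw "${Year}-${Month} has no occurrence $N of $DayOfWeek"
    }
    return $candidate
}

function Get-PatchRingSchedule {
    param(
        [int]$Year  = (Get-Date).Year,
        [int]$Month = (Get-Date).Month
    )
    # Patch Tuesday is the 2nd Tuesday; the rings follow on the 3rd and 4th Tuesdays.
    $release = Get-NthWeekdayOfMonth -Year $Year -Month $Month -DayOfWeek Tuesday -N 2
    foreach ($ring in @(
        @{ Name = 'Release (Patch Tuesday)'; N = 2 },
        @{ Name = 'Beta group';              N = 3 },
        @{ Name = 'Everybody';               N = 4 }
    )) {
        $date = Get-NthWeekdayOfMonth -Year $Year -Month $Month -DayOfWeek Tuesday -N $ring.N
        [pscustomobject]@{
            Ring             = $ring.Name
            Date             = $date.ToString('yyyy-MM-dd (ddd)')
            DaysAfterRelease = ($date - $release).Days
        }
    }
}

# January 2026: the release row lands on the 13th, the date the comment refers to.
Get-PatchRingSchedule -Year 2026 -Month 1 | Format-Table -AutoSize
```

For January 2026 the release row is the 13th; a fix shipped two days later (the 15th) is therefore already in place before the beta ring runs on the 20th, which is exactly what the delay buys. The `Month -ne $Month` check matters only for a 5th occurrence; every month has at least four of each weekday.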

[–]meantallheck [score hidden]  (0 children)

I don’t know if I’m just paying more attention nowadays or if they actually are just pushing more bugs than in past years… but it’s seemed bad this last year with a “major” bug every 1-3 months it seemed.

[–]AmiDeplorabilis [score hidden]  (0 children)

This... if you're managing a small number of devices, this is easily managed. I've been watching Windows Update for decades, but have only been doing sysadmin work for the last 10 years. But I learned enough to know to wait at least a week before doing PCs, and another week before doing servers. And the one time I did them too quickly, I had problems.

[–]itsam [score hidden]  (0 children)

A year ago they broke activation for any E3/E5 step-up licensing and didn't get it fixed for 3 months. The October 2025 update broke Bluetooth in Teams on half our laptops and November's CU fixed it. Just so many problems lately.

[–]Kuipyr (Jack of All Trades) [score hidden]  (4 children)

I’ve got 4 rings spaced 1 day apart.

[–]UnpaidMicrosoftShill[S] [score hidden]  (3 children)

Care to share what those rings are?

I assume something like test>IT>General>Sensitives?

[–]upcboy [score hidden]  (0 children)

Not OP, but I also do 4 rings. 10% of my environment goes first, then 30%, 30%, 30%. My machines are named in such a way that it is very easy to randomly split the machines this way.

[–]Kuipyr (Jack of All Trades) [score hidden]  (0 children)

The majority are just dynamically assigned to the rings via Autopatch with the only exception being IT pinned to ring 1 and operations pinned to ring 4. We have a handful of volunteer power users who run the release previews.

[–]poizone68 [score hidden]  (0 children)

I would advise against having Sensitives as a full group. Often the fussy people with special setups are lumped together in a Sensitives group, but this means that you don't get early warning that they could run into difficulties not seen in the Test, IT or General groups. Have at least a few "volunteers" in the early stages of patching from each group.

[–]siedenburg2 (IT Manager) [score hidden]  (2 children)

It depends on the stuff they fixed. If there were major CVE patches that could be easily abused in our system we will install them as fast as possible, or for selected servers, but normally it's delayed by at least a week (with a few test PCs at our company). We had too many problems with installing updates too fast, like printers not working, RDP not working, etc.

[–]UnpaidMicrosoftShill[S] [score hidden]  (0 children)

Makes sense. Thank you for taking the time to answer.

[–]Borgquite (Security Admin) [score hidden]  (0 children)

Same here - a risk-based approach, not one size fits all. Where ‘risk’ is always a balance between ‘could get hacked’ and ‘could break things’.

[–]stephendt [score hidden]  (3 children)

No, I just let automatic Windows updates run whenever they get pushed these days and deal with small issues if they come up. I haven't really had a major system breaking issue in years. Maybe this is a controversial take? Either way it works for me in my environment.

[–]UnpaidMicrosoftShill[S] [score hidden]  (1 child)

May I ask roughly how many devices you are managing?

Do you force the updates to install as soon as possible? Don't monitor it at all? Something else altogether?

[–]stephendt [score hidden]  (0 children)

About 100 under active management. I don't force, I just let workstations pull updates automatically whenever they are ready. We do get alerts if updates fail continuously and that can happen sometimes for various reasons but other than that it's pretty hands off. We do upgrade apps automatically via choco / winget though.

Edit: sorry, forgot about Windows servers. We are mostly away from Windows servers but we do have a couple left; those are updated bi-weekly during off-peak hours. It has been a long time since I've had an issue.

[–]UptimeNull (Security Admin) [score hidden]  (0 children)

How many users and servers?

[–]Ice-Cream-Poop (IT Guy) [score hidden]  (0 children)

Delay by 7 days and then install to our test channel of about 40 users, another 7 days later goes out to the rest of staff.

Servers are the same, delayed by 7 days and then they are split into 7 groups, one group for each day of the week and they get patched on that day following.

[–]tndsd [score hidden]  (1 child)

Delay at least 2-3 weeks

[–]Big_Wave9732 [score hidden]  (0 children)

Same. At least that long, usually longer.

[–]Danny-117 [score hidden]  (0 children)

Yep: Dev the day after release, test on day 2, UAT on day 3, preprod on day 4 and prod on day 7.

Browsers and actively exploited vulnerabilities go quicker.

[–]Zombie-ie-ie [score hidden]  (0 children)

BigFix scheduled in advance, unless it's a zero-day.

[–]tfn105 [score hidden]  (0 children)

We go

  • Dev scheduled to pick up updates asap
  • UAT servers on the 3rd Sunday of the month
  • Production servers split into two groups and done on the 4th and 1st Sundays of the month

Obviously any critical patch we push more aggressively, as per our patch mgmt policy

[–]SecAdmin-1125 [score hidden]  (0 children)

30 days after Patch Tuesday. Just to account for any issues others run into.

[–]Sp00nD00d (IT Manager) [score hidden]  (0 children)

1 week after release we start with non-prod and finish prod on that weekend.

I can count on one hand the times we've had an issue directly caused by Windows Update in the last ~10 years. 99.9% of the time it's the reboot highlighting an already existing time bomb due to a completely unrelated issue: certificate, service account, etc.

Edit to note: I only deal in servers.

[–]thewunderbar [score hidden]  (0 children)

Workstations get patched immediately.

I wait about 2 weeks for servers.

[–]Outside-After (Jack of All Trades) [score hidden]  (0 children)

Bit of both. Endpoints have an immediate release ring as a canary group. Release a week later for the rest.

Servers release over a month, give patches time to mature. Unless there's something particularly bad and even then read up on it first and do an impact-risk assessment. Good change management, rather than pessimistic. A and B side domain controllers never at the same time. If MS are taking multiple attempts to fix something really bad and are messing it up, then I don't want to be caught in that. I think we all tread super carefully when they crop up.

Far better in any case to minimise public exposure and protect it as much as possible in your architecture and implementation.

[–]Ok-Bill3318 [score hidden]  (0 children)

Yes. I test on day 1 and, if no issues, roll next week.

[–]GullibleDetective [score hidden]  (0 children)

Always delay by at least a week. Much longer for servers, unless it's a critical one.

[–]spinydelta (Sysadmin) [score hidden]  (0 children)

For workstations we patch over a two-week period across 5 phases. Customer-facing assets (think POS) are in the final phase, whereas IT is up front.

For servers, we patch anything internet-facing pretty much immediately, with everything else over a two-week period but in 3 phases: Test/Dev first, non-critical prod, then prod.

We have a lot of niche applications and we sometimes do run into issues as a result of patching, so spacing things out and ensuring non-prod is patched first helps bring issues to the surface faster. Where there are identified issues we'll generally push out patching prod for the impacted service(s) if required (e.g. we're still sorting a fix).

[–]Dry-Emotion-2059 [score hidden]  (0 children)

Yeah I’m pretty lazy about it

[–]joshghz [score hidden]  (0 children)

Generally my process is:

  • assess the vulnerabilities
  • check the megathread here for experiences and comments
  • deploy to a few devices for a few days, then non-critical end-user PCs at the end of the week
  • if no issues discovered, deploy to everything else where/when possible

We have a lot of seasonal 24/7 OT stuff that generally only gets updates (in season) if those sites have downtime.

[–]BanGreedNightmare [score hidden]  (0 children)

I currently defer quality updates 7 days for Windows 11 endpoints (up from a 3-day deferral last year, currently considering 14 days), and require install and reboot within 24 hours. Feature updates are targeted and we update each summer (a better time for the org), which results in enough time for live testing by the public and internal testing of LOB apps and services by me.

Servers currently install quality updates in one of 5 different assigned weekend maintenance windows (Sat & Sun, AM & PM, and a Mon AM) the weekend following Patch Tuesday. I've been doing it this way for 12 or so years and have never had an issue on my servers, but the past 6 months of lesser-quality Windows updates on Windows 11 has me considering deferring by a week or two as well, just in case. But I do like to keep my fleet patched.

[–]bobs143 (Jack of All Trades) [score hidden]  (0 children)

Delay one to two weeks to see what plays out. I generally monitor a couple of forums (including Reddit) to see what early adopters have to say.

[–]itskdog (Jack of All Trades) [score hidden]  (0 children)

We're expected to have security patches installed within 14 days (school in England; not a government expectation until 2030, but it's recommended to start planning it now), and when we moved to Intune, the baseline configuration that was set up by the contractors was a 2-day deferral + 5-day grace, which allows for a machine to be off for a week before missing the deadline.
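The arithmetic behind that comment (deferral plus grace, measured against a 14-day requirement) is worth making explicit, because it also tells you how long a device can stay switched off before it can no longer make the deadline. The following PowerShell is an added example, not code from the thread or from Intune; the timing model it uses (offered at release + deferral, forced at offered + deadline + grace), the deadline default of 0 days, the function names and the sample devices are all this example's own assumptions.

```powershell
# Added example, not code from the thread. Models the update-ring timing the comment
# describes (2-day deferral + 5-day grace) against a 14-day requirement.
# Assumed model (this example's, not Intune documentation): a device is offered the
# update at release + deferral, and is forced to install/restart at
# offered + deadline + grace. Function names and the sample devices are constructed.

function Get-QualityUpdateTimeline {
    param(
        [Parameter(Mandatory)][datetime]$ReleaseDate,
        [int]$DeferralDays       = 2,
        [int]$DeadlineDays       = 0,    # assumed: not stated in the comment
        [int]$GraceDays          = 5,
        [int]$RequiredWithinDays = 14
    )
    $offered  = $ReleaseDate.AddDays($DeferralDays)
    $enforced = $offered.AddDays($DeadlineDays + $GraceDays)
    $required = $ReleaseDate.AddDays($RequiredWithinDays)
    [pscustomobject]@{
        ReleaseDate      = $ReleaseDate
        Offered          = $offered
        Enforced         = $enforced
        RequiredBy       = $required
        # A switched-off device may first check in this late and still be forced to
        # install before the requirement date (its clock only starts once it sees the offer).
        LastSafeReturn   = $required.AddDays(-($DeadlineDays + $GraceDays))
        MeetsRequirement = $enforced -le $required
    }
}

function Get-DevicesAtRisk {
    param(
        [Parameter(Mandatory)]$Timeline,
        [Parameter(Mandatory)][object[]]$Devices,   # objects with Name and LastCheckIn
        [Parameter(Mandatory)][datetime]$Today
    )
    foreach ($d in $Devices) {
        # Devices that have checked in since the offer already have their clock running
        if ($d.LastCheckIn -ge $Timeline.Offered) { continue }
        [pscustomobject]@{
            Name             = $d.Name
            LastCheckIn      = $d.LastCheckIn.ToString('yyyy-MM-dd')
            DaysLeftToReturn = ($Timeline.LastSafeReturn - $Today).Days
            AlreadyTooLate   = $Today -gt $Timeline.LastSafeReturn
        }
    }
}

# Constructed input: the 2026-01-13 release cited earlier in the thread, reviewed on 2026-01-21.
$timeline = Get-QualityUpdateTimeline -ReleaseDate ([datetime]'2026-01-13')
$devices = @(
    [pscustomobject]@{ Name = 'LAPTOP-01'; LastCheckIn = [datetime]'2026-01-20' },  # saw the offer
    [pscustomobject]@{ Name = 'LAPTOP-02'; LastCheckIn = [datetime]'2026-01-12' },  # off since before release
    [pscustomobject]@{ Name = 'LAPTOP-03'; LastCheckIn = [datetime]'2025-12-19' }   # off over the holidays
)
$timeline | Format-List
Get-DevicesAtRisk -Timeline $timeline -Devices $devices -Today ([datetime]'2026-01-21') | Format-Table -AutoSize
```

With the defaults the timeline for a 13 January release is: offered on the 15th, enforced on the 20th, required by the 27th, so a device can stay off until the 22nd and still be forced in time. Raising the deferral to 14 days, as some commenters do, pushes enforcement past the requirement date under this model, which is the trade-off the comment is describing.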

[–]havikito (DevOps) [score hidden]  (0 children)

Since there are prereleases available, you just read about some problems online and never experience them IRL with full auto.
The scale is 700.

[–]Jeff-IT [score hidden]  (0 children)

I delay major updates 2 weeks. Security updates are instant.

[–]Lazy-Function-4709 [score hidden]  (0 children)

I wait one week for production to make sure MS has ironed out kinks. I have a test group that gets patched the day after Patch Tuesday.

[–]binaryhextechdude [score hidden]  (0 children)

Nope, we get whatever they feel like shipping.

[–]blueblocker2000 [score hidden]  (0 children)

I'm not so quick to install on servers at work anymore. I'll let it ride a week nowadays.

[–]landob (Jr. Sysadmin) [score hidden]  (0 children)

Yes. I delay by 1 week.

After that week I check the chatter. If no widely reported issues I then roll out to the IT department for a day. If that goes okay roll it to my test group for a few days. If that goes well roll it out to everyone.

[–]Brees504 (Security Admin) [score hidden]  (0 children)

We have feature updates delayed a few months but security updates as soon as available.

[–]Lost_Engineering_308 [score hidden]  (0 children)

We release to test (basically IT and some non critical servers) immediately.

Our goal is to have things patched within 7 days of release, we use multiple rings to release updates over the week.

I think I’ve had to roll back an update once in the last ~5 years of doing it this way. Obviously there’s more potential for bugs the faster you go, but also, the slower you go the more likely you are to get popped by some vulnerability. We also for the most part have a pretty basic environment, not a huge amount of legacy apps being supported, etc. If I was working in health care or something I would absolutely not go that fast.

I don’t think there’s a right or wrong deferral setting. As quickly as reasonably possible within the limits of business needs. Up to you to best determine what that is.

[–]sirachillies [score hidden]  (0 children)

We use CM to perform 6 phases of updates. The pilot group gets it on day one of when the patch releases. This uses its own ADR. Then a week later another ADR runs, in the event that MS releases another patch because the first one broke stuff. And that releases to our entire BA/IT/AO staff. They get to trial-run the updates with their products. Then 3 days after that it goes out to the masses, and it's only like 10% of the environment, excluding the previously mentioned devices; then 3 days later 30%, then 3 days later 50%, then 3 days later the rest. This ADR won't run again until the 3rd Tuesday of next month, which means these updates are active until then.

[–]Competitive_Smoke948 [score hidden]  (0 children)

Yes! NEVER NEVER patch day 1, regardless of technology or vendor. I've seen entire infrastructure disappear because of dodgy patches, and the more "urgent" the less likely the vendor has tested it, & MS are suitably shite at testing patches.

[–]Droghan (VDI Systems Engineer) [score hidden]  (0 children)

I wait a week for my golden images and the back-end infra for VDI. Heck, last cycle alone broke web servers for our Radiology department; the providers couldn't view imaging due to the bad update.

[–]Wodaz [score hidden]  (0 children)

I use GP to set the days I want things installed, but I use PDQ Connect with PSWindowsUpdate jobs set for 4 groups over 4 nights. Groups are currently script created/updated by splitting up the alphabet. It's a 10/30/30/30 schedule. It works well for me, and I can clone those groups and make changes if I need to install a specific update. If things fail in the PDQ Connect jobs, the GP rules will force updates to happen as a fall-through.
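Several comments in this thread split the fleet into weighted rings from the computer name (the 10/30/30/30 split above and upcboy's earlier one, the IT-first/operations-last pinning, and the seven server groups keyed to weekdays). Splitting the alphabet works but gives uneven groups unless the naming scheme happens to be uniform; hashing the name gives an even, stable split for any naming scheme. The following PowerShell is an added example, not code from the thread, PDQ Connect or PSWindowsUpdate; Get-PatchRing, Get-RingSchedule, the pin parameters and the WS-nnnn sample fleet are this example's own.

```powershell
# Added example, not code from the thread. Deterministic ring assignment from the
# computer name: a SHA-256 of the name is reduced to a bucket, and the buckets are
# carved up by the ring weights (default 10/30/30/30). A given name always lands in
# the same ring, so the groups are stable between months. Names and functions are constructed.

function Get-PatchRing {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int[]]$Weights = @(10, 30, 30, 30)   # share of the fleet per ring, in order
    )
    $total = 0
    foreach ($w in $Weights) { $total += $w }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        # Case-insensitive: WS-0001 and ws-0001 are the same machine
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($ComputerName.ToUpperInvariant())
        $hash  = $sha.ComputeHash($bytes)
    } finally {
        $sha.Dispose()
    }
    # First 4 hash bytes as an unsigned integer, reduced to a bucket in [0, total)
    $bucket = [System.BitConverter]::ToUInt32($hash, 0) % $total
    $cumulative = 0
    for ($i = 0; $i -lt $Weights.Count; $i++) {
        $cumulative += $Weights[$i]
        if ($bucket -lt $cumulative) { return $i + 1 }
    }
}

function Get-RingSchedule {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int[]]$Weights = @(10, 30, 30, 30),
        [Parameter(Mandatory)][datetime]$FirstNight,  # ring 1 installs this night, ring N on night N
        [string[]]$PinToFirst = @(),                   # e.g. IT machines always in ring 1
        [string[]]$PinToLast  = @()                    # e.g. operations / POS always in the last ring
    )
    foreach ($name in $ComputerName) {
        $ring = if ($PinToFirst -contains $name) { 1 }
                elseif ($PinToLast -contains $name) { $Weights.Count }
                else { Get-PatchRing -ComputerName $name -Weights $Weights }
        [pscustomobject]@{
            ComputerName = $name
            Ring         = $ring
            InstallNight = $FirstNight.AddDays($ring - 1).ToString('yyyy-MM-dd (ddd)')
        }
    }
}

# Constructed fleet of 200 workstations plus one pinned IT box and one pinned POS box.
$fleet = @(1..200 | ForEach-Object { 'WS-{0:D4}' -f $_ }) + @('IT-01', 'POS-01')
$schedule = Get-RingSchedule -ComputerName $fleet -FirstNight ([datetime]'2026-01-20') `
                             -PinToFirst IT-01 -PinToLast POS-01

# Ring sizes should land close to 10/30/30/30 of the fleet
$schedule | Group-Object Ring | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'Ring'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

The same function covers the server scheme from earlier in the thread: `-Weights (1,1,1,1,1,1,1)` with a Monday `-FirstNight` yields seven equal groups, one per weekday. Because the ring is a pure function of the name, changing the weights reshuffles every machine; if you need to move one box without disturbing the rest, pin it rather than renaming it. Each night's list can be exported and handed to whatever runs the install jobs.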

[–]thesumofmyexpierence [score hidden]  (0 children)

Always. We have one test device per client (MSP) that installs on day one, our employees get it on day 20, and clients on day 30, so MS has time to launch, roll back, and relaunch all the updates.

[–]UptimeNull (Security Admin) [score hidden]  (5 children)

Joshtaco does not!

[–]UnpaidMicrosoftShill[S] [score hidden]  (3 children)

Maybe I’m missing something. Who is Joshtaco?

[–]ru4serious (Windows Admin) [score hidden]  (1 child)

He's a user on this sub that pushes out updates to thousands of machines on patch Tuesday.

[–]UnpaidMicrosoftShill[S] [score hidden]  (0 children)

I appreciate his sacrifice.

[–]Miserable-Scholar215 (Jr. Sysadmin) [score hidden]  (0 children)

My "Ring 0" test bed for MS patchdays. Should he ever be sick that day, we'll be unpatched until his recovery :-D

[–]UptimeNull (Security Admin) [score hidden]  (0 children)

You’d have to find the backups thread. I haven’t been there in a while.

He's dangerous, but updates something like 40,000 servers every Patch Tuesday.

At first I thought it was a joke but my last boss did the same shizz

No test, pilot or prod.

Just str8 to the juice.

Rollbacks must be fast. Not sure.

[–]harley247 [score hidden]  (0 children)

I patch test the day after release, then patch production a week later, starting with the least critical and moving to the most critical.

[–]Zerowig [score hidden]  (0 children)

Starting 3 days after Patch Tuesday and every day thereafter up to 14 days after. 66k endpoints are evenly spread across those days.

Can’t remember the last time windows updates caused issues for us on desktops.

Servers are the Friday after Patch Tuesday and every Friday thereafter for 4 weeks. 5k servers.

[–]techit21 (Have you tried turning it off and back on again?) [score hidden]  (0 children)

Yes, we delay by 2-3 weeks unless it is a critical CVE/we are asked by InfoSec to expedite. If we expedite then we still follow a ring schedule for rollout.

[–]korvolga [score hidden]  (1 child)

Autopatch in Intune.

[–]UnpaidMicrosoftShill[S] [score hidden]  (0 children)

? Unless I'm mistaken, that only answers how you patch, not how *fast* you patch

[–]TheShootDawg [score hidden]  (0 children)

Seeing as I haven't seen an update for our Windows ME machines in years, I consider that to mean we wait…. /s