SW, I just don't get it

Carnival Boy

Handbags at dawn. Ignore it and move on before you both look even more silly.

Regarding WSUS. I don't find it the easiest system to install and manage. For SMBs with little in-house IT expertise it does seem like overkill. I'd like something simpler, but having nothing is perhaps too far the other way.

In terms of the listed advantages of WSUS:

Bandwidth: a decent proxy server will cache the downloads anyway, I believe, so this might not be an issue.

Reporting: a decent antivirus/security system will normally report on Windows updates and list any clients that haven't installed critical updates. And this is normally more user friendly that WSUS.

Testing: do people really test updates? How common is this. I'd never find the time. Updates are released weekly, so you'd be testing constantly. And there are loads and loads of updates. Plus, by having a testing strategy in place, you are delaying the roll-out of updates. For critical security updates, this is leaving your systems exposed to zero-day threats. Isn't the risk of having an unpatched system greater than the risk of an update breaking a system? There was an IE update recently that broke our ERP system and I was advised in advance by the ERP vendor not to install it so I configured WSUS accordingly. But this left me in a dilemma, the ERP vendor was effectively dictating that we run IE unpatched and this is not a good place to be. What should you do in this scenario? Or do you release all critical updates and just test non-critical ones?

So generally, I use WSUS and authorise all updates for client PCs without doing any testing. Nothing generally gets broken, and if it did there's normally a way of uninstalling the update or otherwise working around the problem. I'm more lax when it comes to servers. Too lax, and I need to step it up, it's a big weakness of mine.

JaredBusch

Yeah, Windows Updates in general are basically never "tested" anymore for less than production servers. It does not make financial sense. The time it would take would be huge and not worth the investment on desktops that can be reimaged in an hour. A controlled deployment would potentially be worth it as even reimaging 100 desktops would be a time waster. But generally anything that is broken by a Windows Update is fairly minor when looking at the history of updates over the last few years.

For servers, it really comes down to available resources. None of my clients have the resources to allow me to setup a non production server and test something like this. Instead I simply make a snapshot. Install updates and reboot. Check the main LoB apps and if all good, delete the snapshot. If not, revert.

Now for the servers, I do usually wait until the first week of the month to run those updates. This lets me hear about anything bad just in case.

CHaynes2013

I know exactly what you mean. David just deleted two of my posts because I asked if the OP was drunk for wanting to tell off everyone in his office.

What is up with mods lately?

Bill Kindle

@CHaynes2013 said:

I know exactly what you mean. David just deleted two of my posts because I asked if the OP was drunk for wanting to tell off everyone in his office.

What is up with mods lately?

Why don't you ask them directly?

scottalanmiller

What thread was that?

DenisKelley

@Carnival-Boy said:

Testing: do people really test updates? How common is this. I'd never find the time. Updates are released weekly, so you'd be testing constantly. And there are loads and loads of updates. Plus, by having a testing strategy in place, you are delaying the roll-out of updates. For critical security updates, this is leaving your systems exposed to zero-day threats. Isn't the risk of having an unpatched system greater than the risk of an update breaking a system? There was an IE update recently that broke our ERP system and I was advised in advance by the ERP vendor not to install it so I configured WSUS accordingly. But this left me in a dilemma, the ERP vendor was effectively dictating that we run IE unpatched and this is not a good place to be. What should you do in this scenario? Or do you release all critical updates and just test non-critical ones?

I think with 20+ PCs to manage, WSUS is a good solution for managing the updates. Testing is pretty easy too. As you probably are aware, you just setup a different Group Policy for those PCs you wish to test. Out of the 30 odd that I deal with, I've got about 4-5 that I let suck down and auto-install. I agree that most of the time there are no issues, but there have been, and as recently less than a year, that Microsoft released a hastily, untested patch that screwed people. While that happens infrequently, I don't wish to be the one having to deal with that. In addition, I also time my synchronizations a good 8 hours later than when MS does their patch Tuesday thing, so I can catch and deny one if need be even before it gets to the test PCs.

Honestly, I'd rather have a total solution to include app updates, but as we all know, not every company will pay for that software so we all make do.

CHaynes2013

@Bill-Kindle I did. He informed me that I was "attacking" the OP, and that I should only use humor if "it's a close friend or colleague, obviously it's a bit different than an internet stranger."

Basically, because I haven't met Frank in person, I should avoid making any jokes about his post. Even though the thread I asked if he was drunk got deleted because the OP was that ridiculous.

CHaynes2013

@scottalanmiller My post was deleted out of: http://community.spiceworks.com/topic/548723-closed-due-to-financial-reasons?page=1&source=navbar-community-notifications#entry-3598107

But the main "offending" comment was in a now deleted thread called "how to tell everyone there welcome"

Bill Kindle

@CHaynes2013 said:

@Bill-Kindle I did. He informed me that I was "attacking" the OP, and that I should only use humor if "it's a close friend or colleague, obviously it's a bit different than an internet stranger."

Basically, because I haven't met Frank in person, I should avoid making any jokes about his post. Even though the thread I asked if he was drunk got deleted because the OP was that ridiculous.

Frank is French-Canadian, and is often scatter brained. I've had a many of back and forth's with him as so have a few others. You have to know how to deal with his posts, which can take a while to get info out of, in order to help him with whatever it is that he's trying to do.
TL:DR?
Frank doesn't do English well.

CHaynes2013

@Bill-Kindle I understand if his English isn't near perfect, but I was commenting on his demeanor of "everyone can go screw themselves, I'm out of here!"

I think it's a gross overgeneralization by mods to just go around deleting posts. But then again, I probably shouldn't be bitching about mods, it's not exactly productive.

Addie

As a mod I will say it is hard to be a community mod, we are still small here but we still watch everything and try to stay out of the way. I hope you have noticed around here we don't really moderate much other than bad language. Even @PSX_Defector only gets words [moderated] out, his whole post stays, and for anyone that knows him or his reputation, you know what should have been there.

Moderation is not about being PC but it sounds like that is what it has turned into. I do want to point out we don't want to become the "over there" bashing society here though.

Bill Kindle

@CHaynes2013 said:

@Bill-Kindle I understand if his English isn't near perfect, but I was commenting on his demeanor of "everyone can go screw themselves, I'm out of here!"

I think it's a gross overgeneralization by mods to just go around deleting posts. But then again, I probably shouldn't be bitching about mods, it's not exactly productive.

If you have problems with moderation over there, reach out the the moderator or CM over there.

Carnival Boy

@DenisKelley said:

As you probably are aware, you just setup a different Group Policy for those PCs you wish to test.

No I'm not, can you explain? What I have done is setup different groups within WSUS - one for Accounts dept, one for Sales dept and one for everyone else. That way I can approve for Accounts dept first, and then assuming that goes well, I can approve for Sales dept and then everyone else. So I'm staggering the installations, so that if there is a problem, I only have to deal with a handful of PCs rather than every PC.

One thing I'm not sure about with this process is how I should approve updates for other departments once I've approved for Accounts dept. How do I view which updates have been approved only for Accounts, so that I can then select them and approve for other users?

You can probably tell I'm a newbie when it comes to WSUS.

scottalanmiller

The thread seems pretty benign now. Did Frank redact something?

scottalanmiller

On WSUS... We use InTune for WSUS functionality for our disparate systems that are never in the same locations.

david.wiese

@CHaynes2013 if you are straight up implying that someone might be drunk because you cannot understand them, yes that deserves to be removed. While understanding that this and SW are mainly English speaking sites you have to keep in mind if you don't know the person or they are from a different nationality their English will be moderate at best. The bigger question is why are you getting upset by having your "are you drunk" post removed? It adds nothing to the conversation or line of question. The user in question as @Bill-Kindle has said has a different way of communicating than we do. If you don't know the person don't make such public comments about his use of HIS second language. Play nice and you won't be moderated. Mod's delete posts for reasons, if you have an issue with it raise it with them, don't come to a different site just to complain about the other because they are doing something that you don't approve of.

DenisKelley

@Carnival-Boy said:

@DenisKelley said:

As you probably are aware, you just setup a different Group Policy for those PCs you wish to test.

No I'm not, can you explain? What I have done is setup different groups within WSUS - one for Accounts dept, one for Sales dept and one for everyone else. That way I can approve for Accounts dept first, and then assuming that goes well, I can approve for Sales dept and then everyone else. So I'm staggering the installations, so that if there is a problem, I only have to deal with a handful of PCs rather than every PC.

One thing I'm not sure about with this process is how I should approve updates for other departments once I've approved for Accounts dept. How do I view which updates have been approved only for Accounts, so that I can then select them and approve for other users?

You can probably tell I'm a newbie when it comes to WSUS.

It is somewhat similar to what you are doing, but in Active Directory, I have different computer OUs. I have one for Servers, one for PCs, and one for WSUS test. Since they are in different OUs, I can apply a unique WSUS group policy to them. The best guide I've used is the WSUS Step-by-Step guide. I realize the new O/S have a newer WSUS version, but the concepts should be similar. Browse the setup here: http://www.microsoft.com/en-us/download/details.aspx?id=913. Rob over on SW also has a how-to he wrote with a bunch of good advice. http://community.spiceworks.com/how_to/show/1390-wsus-gpo-settings-for-the-real-world

Bill Kindle

@DenisKelley Similar to what I've done too. Been working great so far. I also followed a lot of Rob's advice.

CHaynes2013

@david.wiese That's the thing. My 'are you drunk' comment wasn't removed (that entire thread got deleted). Again, even in that comment, I said his demeanor (meaning posting two topics about basically telling off his entire office) made him seem drunk, not his grammar.
I am well aware that SW isn't completely English speaking, and I don't get on people for grammar. The part that bugs me was that something I said in a completely different thread was removed, but the mod cited me posting that previously.

Also, can we stop with the "why don't you talk to them?" If you had read my post, you would clearly see that I did go to them. I didn't come here to complain, I just happened to notice someone else complain about a mod deleting their post, and I said "that happened to me too. What's up with the mods"
@scottalanmiller Frank didn't respond to either of my comments. He didn't redact or change anything as far as I can tell.

technobabble

@scottalanmiller said:

On WSUS... We use InTune for WSUS functionality for our disparate systems that are never in the same locations.

Scott, do you test first? And what if the client doesn't have the resources to do a test?