Tomorrow the "other" patch Tuesday.

On February 23, 2010, in Security, by

Description of Software Update Services and Windows Server Update Services changes in content for 2010:

Tomorrow is the “other” patch Tuesday. The one at the end of the month that I consider the Vista/Win7 second patch day as well as being the cleanup day for the month. It’s when I look at all of those updates I said “oh I’ll deal with later” and decide if I’m going to deal with them this week. If you do not have a third-party patching tool (Kaseya, Zenith, Shavlik in my case), or even if you do, you might want to review this WSUS patch on the SBS 2008 on a sample of your boxes to ensure you aren’t missing patches that should be on your machines. I also use Microsoft Update on the server as another “check and verify” that what I think should be installed is actually installed.

Remember, the first thing I want you to do is flip to MU. In the Windows Update window on the server, check that you are flipped to MU. If you are not, there’s a tiny little message that says “Get updates for other Microsoft products. Find out more”.

Click on “Find out more”. It launches you to where you agree to Microsoft’s terms and ensures that when you do a manual scan from the box you will get offered the Windows, Exchange, SBS, SQL, you-name-it patches.

But there’s also the native WSUS on the box.

On the SBS console click on the last tab, the Security tab. Now click on Updates. In this console will be the updates for ALL of the network, not just the server. Remember there are two levels of settings on the server. Patches for servers are automagically set to download but do not install if they are security, critical, definition updates and all Windows SBS update rollups. Service packs are not automagically approved, nor does it appear that Exchange rollup updates are either (hmmm another blog post tomorrow night to post about how to adjust that). Remember that in WSUS the server is set to sync all products, but it doesn’t download all patches for all products; it’s just looking to sync up all the products.

So look at this list on your server. When you find a patch that you want to install, go up on the right-hand side and click on “Deploy the update”.

Please note that on the server, for patches ON the server, this only approves the update for download; it will not autoinstall and reboot the box.

When you click okay, all this is doing is approving the download. For an update that goes on the server you then need to come back at a later time after it’s downloaded and then click on the Windows Update downloaded update icon on the desktop.

Again, don’t panic, on the server this won’t get automatically installed. It will only get downloaded.

(Ergo, this is one reason why on a server many times I’m lazy and just MU it up there.) But on workstations, while the process is exactly the same, the default setting is to approve all security, critical, definition updates and service packs, and the default is to automatically install the updates.
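
The “check and verify” of WSUS against Microsoft Update can also be scripted. The PowerShell below is an added example, not part of the original post: it uses the Windows Update Agent COM API to confirm the Microsoft Update opt-in and to list updates that Microsoft Update reports as missing but WSUS is not offering to this machine. It assumes the box is a WSUS client (as on SBS 2008) with internet access; the function name `Get-MissingUpdate` is hypothetical.

```powershell
# Added example: compare what WSUS and Microsoft Update each report as missing
# on this machine. Run locally from an elevated PowerShell prompt.
$muServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'   # Microsoft Update service ID

# 1. Is the box "flipped to MU"? The service must be registered with the agent.
$mgr = New-Object -ComObject Microsoft.Update.ServiceManager
$mu  = $mgr.Services | Where-Object { $_.ServiceID -eq $muServiceId }
if (-not $mu) {
    Write-Warning 'Microsoft Update is not registered; opt in via "Find out more" first.'
}

# 2. Scan one update source and return the titles of applicable, not-installed updates.
#    (Get-MissingUpdate is a hypothetical helper name for this example.)
function Get-MissingUpdate {
    param([int]$ServerSelection, [string]$ServiceId)
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $searcher.ServerSelection = $ServerSelection        # 1 = managed server (WSUS), 3 = other service
    if ($ServiceId) { $searcher.ServiceID = $ServiceId }
    try {
        $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
        foreach ($u in $result.Updates) { $u.Title }
    } catch {
        # A failed scan (no WSUS policy, no connectivity) must not look like "nothing missing".
        Write-Warning "Scan failed (ServerSelection=$ServerSelection): $($_.Exception.Message)"
    }
}

$fromWsus = @(Get-MissingUpdate -ServerSelection 1)
$fromMu   = @()
if ($mu) { $fromMu = @(Get-MissingUpdate -ServerSelection 3 -ServiceId $muServiceId) }

# 3. Anything MU lists that WSUS does not offer is a candidate to review in the SBS console.
$onlyOnMu = @($fromMu | Where-Object { $fromWsus -notcontains $_ })

'WSUS offers {0} update(s); Microsoft Update offers {1}.' -f $fromWsus.Count, $fromMu.Count
$onlyOnMu | ForEach-Object { "Not offered by WSUS: $_" }
```

Titles that appear only in the Microsoft Update scan are the ones to look up in the Updates list, since an update that is not approved there is not offered to the machine by WSUS.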

