Jump to content

Auto-Updates for production servers

Guest Brian Kitt

By Guest Brian Kitt
in Windows 2003 Server

 Share

Recommended Posts

Guest Brian Kitt

Guest Brian Kitt

Posted
Posted

Hello.

I am a developer, and have been having an ongoing battle with our Network

Admins, and would like advice here.

 

They have Microsoft Windows Auto-Updates turned on for all production

servers. This has caused numerous problems, because patches get applied,

then cause servers to reboot, or other miscellaneous problems.

 

I keep trying to tell them it is not a 'best practice' to have auto-updates

on for production servers, but rather they should push them out with admin

tools on a regular scheduled basis. They assure me they 'know what they are

doing', and auto updates 'are required to prevent viruses and hackers'. They

have assured me that Microsoft strongly recommends auto updates for all

production servers.

 

The amount of problems alone this has causes ought to be proof enough this

is a bad idea, but can anyone point me to 'official' statements from

Microsoft as to 'auto-updates' for production servers? I am having trouble

finding an official statement from Microsoft either way.

  • Replies 9
  • Created
  • Last Reply

Popular Days

Popular Days

Guest SBS Rocker

Guest SBS Rocker

Posted
Posted

Re: Auto-Updates for production servers

 

I'm with you for all the reasons you have stated. It is best practice to

update your servers on a frequent basis but it is not best practice to have

them automatically updated. there are a lot of updates that may not even

apply to your environment then there are others that will reboot your server

thus causing great inconvenience as you have experienced. Personally myself

I prefer to push my updates on a weekly basis. I usually do this on a Friday

evening in case a reboot is required so I don't disrupt "production". You do

not need an official document or staement from MS. the disruption and loss

of work you have suffered should be the proof in the pudding. I would take

this up with their supervisor or manager.

 

 

"Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message

news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...

> Hello.

> I am a developer, and have been having an ongoing battle with our Network

> Admins, and would like advice here.

>

> They have Microsoft Windows Auto-Updates turned on for all production

> servers. This has caused numerous problems, because patches get applied,

> then cause servers to reboot, or other miscellaneous problems.

>

> I keep trying to tell them it is not a 'best practice' to have

> auto-updates

> on for production servers, but rather they should push them out with admin

> tools on a regular scheduled basis. They assure me they 'know what they

> are

> doing', and auto updates 'are required to prevent viruses and hackers'.

> They

> have assured me that Microsoft strongly recommends auto updates for all

> production servers.

>

> The amount of problems alone this has causes ought to be proof enough this

> is a bad idea, but can anyone point me to 'official' statements from

> Microsoft as to 'auto-updates' for production servers? I am having

> trouble

> finding an official statement from Microsoft either way.

Guest Anthony

Guest Anthony

Posted
Posted

Re: Auto-Updates for production servers

 

Hi Brian,

I hope you won't mind advice that contradicts your presumed views.

When Microsoft or any software vendor discovers a flaw that can be

exploited, they need to fix it.

If you don't apply the fix, you are vulnerable from that time on because

everyone knows what the flaw is.

You can test the fix to see if it breaks anything, but you still need to

apply it even if it does.

So really it could be a responsibility of the developers to be aware of

fixes, maintain a testing environment and identify what to do if a fix

breaks their software. They would then need to deploy their own patch within

a week or two. If they object to having to test, it demonstrates that it is

really an argument about who should do the work rather than whether it

should be done.

The only way to avoid patching, or to postpone it till the developers are

ready, is to maintain a sealed environment. You can do this as follows:

- run the application on terminal services

- allow no other applications to run: no IE, no Word, no iTunes etc, just

the application.

- run a firewall between the LAN and the terminal servers and allow no other

connections to the terminal servers.

Apart from that, you just have to live with patching. What problems exactly

does it cause? Rebooting should be addressed either by patching

out-of-hours, or by a resilient service (e.g more than one application

server). What are the miscellaneous problems? You should probably identify

what they are and try to resolve them rather than prevent patching.

Hope that helps,

Anthony, http://www.airdesk.co.uk

 

 

 

"Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message

news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...

> Hello.

> I am a developer, and have been having an ongoing battle with our Network

> Admins, and would like advice here.

>

> They have Microsoft Windows Auto-Updates turned on for all production

> servers. This has caused numerous problems, because patches get applied,

> then cause servers to reboot, or other miscellaneous problems.

>

> I keep trying to tell them it is not a 'best practice' to have

> auto-updates

> on for production servers, but rather they should push them out with admin

> tools on a regular scheduled basis. They assure me they 'know what they

> are

> doing', and auto updates 'are required to prevent viruses and hackers'.

> They

> have assured me that Microsoft strongly recommends auto updates for all

> production servers.

>

> The amount of problems alone this has causes ought to be proof enough this

> is a bad idea, but can anyone point me to 'official' statements from

> Microsoft as to 'auto-updates' for production servers? I am having

> trouble

> finding an official statement from Microsoft either way.

Guest Anthony

Guest Anthony

Posted
Posted

Re: Auto-Updates for production servers

 

When you say auto-update, I am assuming that they are using Group policy to

schedule the update:

- either download the updates and manually run them out-of-hours

- or schedule the update for an out-of-hours time

Anthony, http://www.airdesk.co.uk

 

 

"Anthony" <anthony.spam@spammedout.com> wrote in message

news:uDMoW0nGIHA.4272@TK2MSFTNGP06.phx.gbl...

> Hi Brian,

> I hope you won't mind advice that contradicts your presumed views.

> When Microsoft or any software vendor discovers a flaw that can be

> exploited, they need to fix it.

> If you don't apply the fix, you are vulnerable from that time on because

> everyone knows what the flaw is.

> You can test the fix to see if it breaks anything, but you still need to

> apply it even if it does.

> So really it could be a responsibility of the developers to be aware of

> fixes, maintain a testing environment and identify what to do if a fix

> breaks their software. They would then need to deploy their own patch

> within a week or two. If they object to having to test, it demonstrates

> that it is really an argument about who should do the work rather than

> whether it should be done.

> The only way to avoid patching, or to postpone it till the developers are

> ready, is to maintain a sealed environment. You can do this as follows:

> - run the application on terminal services

> - allow no other applications to run: no IE, no Word, no iTunes etc, just

> the application.

> - run a firewall between the LAN and the terminal servers and allow no

> other connections to the terminal servers.

> Apart from that, you just have to live with patching. What problems

> exactly does it cause? Rebooting should be addressed either by patching

> out-of-hours, or by a resilient service (e.g more than one application

> server). What are the miscellaneous problems? You should probably identify

> what they are and try to resolve them rather than prevent patching.

> Hope that helps,

> Anthony, http://www.airdesk.co.uk

>

>

>

> "Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message

> news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...

>> Hello.

>> I am a developer, and have been having an ongoing battle with our Network

>> Admins, and would like advice here.

>>

>> They have Microsoft Windows Auto-Updates turned on for all production

>> servers. This has caused numerous problems, because patches get applied,

>> then cause servers to reboot, or other miscellaneous problems.

>>

>> I keep trying to tell them it is not a 'best practice' to have

>> auto-updates

>> on for production servers, but rather they should push them out with

>> admin

>> tools on a regular scheduled basis. They assure me they 'know what they

>> are

>> doing', and auto updates 'are required to prevent viruses and hackers'.

>> They

>> have assured me that Microsoft strongly recommends auto updates for all

>> production servers.

>>

>> The amount of problems alone this has causes ought to be proof enough

>> this

>> is a bad idea, but can anyone point me to 'official' statements from

>> Microsoft as to 'auto-updates' for production servers? I am having

>> trouble

>> finding an official statement from Microsoft either way.

>

>

Guest Brian Kitt

Guest Brian Kitt

Posted
Posted

Re: Auto-Updates for production servers

 

I've tried to take this up with management, but it's the old 'buddy system',

and I am new. We have entrenched management and network guys who are so

stale in their knowledge that they are out of touch with reality.

Unfortunately the 'new guy' carries no weight. That's why I'm hoping to find

a statement that I can forward to them.

 

"SBS Rocker" wrote:

> I'm with you for all the reasons you have stated. It is best practice to

> update your servers on a frequent basis but it is not best practice to have

> them automatically updated. there are a lot of updates that may not even

> apply to your environment then there are others that will reboot your server

> thus causing great inconvenience as you have experienced. Personally myself

> I prefer to push my updates on a weekly basis. I usually do this on a Friday

> evening in case a reboot is required so I don't disrupt "production". You do

> not need an official document or staement from MS. the disruption and loss

> of work you have suffered should be the proof in the pudding. I would take

> this up with their supervisor or manager.

>

>

> "Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message

> news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...

> > Hello.

> > I am a developer, and have been having an ongoing battle with our Network

> > Admins, and would like advice here.

> >

> > They have Microsoft Windows Auto-Updates turned on for all production

> > servers. This has caused numerous problems, because patches get applied,

> > then cause servers to reboot, or other miscellaneous problems.

> >

> > I keep trying to tell them it is not a 'best practice' to have

> > auto-updates

> > on for production servers, but rather they should push them out with admin

> > tools on a regular scheduled basis. They assure me they 'know what they

> > are

> > doing', and auto updates 'are required to prevent viruses and hackers'.

> > They

> > have assured me that Microsoft strongly recommends auto updates for all

> > production servers.

> >

> > The amount of problems alone this has causes ought to be proof enough this

> > is a bad idea, but can anyone point me to 'official' statements from

> > Microsoft as to 'auto-updates' for production servers? I am having

> > trouble

> > finding an official statement from Microsoft either way.

>

>

>

Guest Brian Kitt

Guest Brian Kitt

Posted
Posted

Re: Auto-Updates for production servers

 

Sorry Anthony, you misunderstand the problem. I totally agree with keeping

the servers up to date. Every Friday night, or whatever, is perfect.

 

HOWEVER, that is not what I am asking about.

 

They have the actual Windows Auto-Update on which applies all updates on an

'as released basis' from Microsoft. In other words, updates go on production

servers, and nobody, not even them, have any idea which updates went on or

when. Since auto-updates are on, the 'you need to reboot your server now'

function keeps trying to reboot servers. For example, every time we log on

to terminal services, we are prompted to reboot because of auto-updates.

However, we don't have authority to reboot, so the box is grayed out. We just

have to cancel the prompt. This prompt comes up every 10 or 15 minutes.

There are days when I will work for 10 hours through terminal services, for

every day of the week, so there are times, that for 40 or 50 hour work week,

I am canceling that dang prompt every 10 minutes. It is not unusual that I

may have to tunnel through 2 or 3 levels of terminal services, so take the

every 10 or 15 minutes times 2 or 3.

 

To me, this is down and out wreckless to just apply updates to production

without any knowledge whatsoever of what is being applied.

 

"Anthony" wrote:

> Hi Brian,

> I hope you won't mind advice that contradicts your presumed views.

> When Microsoft or any software vendor discovers a flaw that can be

> exploited, they need to fix it.

> If you don't apply the fix, you are vulnerable from that time on because

> everyone knows what the flaw is.

> You can test the fix to see if it breaks anything, but you still need to

> apply it even if it does.

> So really it could be a responsibility of the developers to be aware of

> fixes, maintain a testing environment and identify what to do if a fix

> breaks their software. They would then need to deploy their own patch within

> a week or two. If they object to having to test, it demonstrates that it is

> really an argument about who should do the work rather than whether it

> should be done.

> The only way to avoid patching, or to postpone it till the developers are

> ready, is to maintain a sealed environment. You can do this as follows:

> - run the application on terminal services

> - allow no other applications to run: no IE, no Word, no iTunes etc, just

> the application.

> - run a firewall between the LAN and the terminal servers and allow no other

> connections to the terminal servers.

> Apart from that, you just have to live with patching. What problems exactly

> does it cause? Rebooting should be addressed either by patching

> out-of-hours, or by a resilient service (e.g more than one application

> server). What are the miscellaneous problems? You should probably identify

> what they are and try to resolve them rather than prevent patching.

> Hope that helps,

> Anthony, http://www.airdesk.co.uk

>

>

>

> "Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message

> news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...

> > Hello.

> > I am a developer, and have been having an ongoing battle with our Network

> > Admins, and would like advice here.

> >

> > They have Microsoft Windows Auto-Updates turned on for all production

> > servers. This has caused numerous problems, because patches get applied,

> > then cause servers to reboot, or other miscellaneous problems.

> >

> > I keep trying to tell them it is not a 'best practice' to have

> > auto-updates

> > on for production servers, but rather they should push them out with admin

> > tools on a regular scheduled basis. They assure me they 'know what they

> > are

> > doing', and auto updates 'are required to prevent viruses and hackers'.

> > They

> > have assured me that Microsoft strongly recommends auto updates for all

> > production servers.

> >

> > The amount of problems alone this has causes ought to be proof enough this

> > is a bad idea, but can anyone point me to 'official' statements from

> > Microsoft as to 'auto-updates' for production servers? I am having

> > trouble

> > finding an official statement from Microsoft either way.

>

>

>

Guest Leythos

Guest Leythos

Posted
Posted

Re: Auto-Updates for production servers

 

In article <FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com>,

BrianKitt@discussions.microsoft.com says...

> They have Microsoft Windows Auto-Updates turned on for all production

> servers. This has caused numerous problems, because patches get applied,

> then cause servers to reboot, or other miscellaneous problems.

 

This is normally a bad move, and most patches are not necessary in all

shops. If you're server is protected then even many security updates are

not needed.

 

Patches should be set to download and then allow you to manually install

them once they have been tested on a QA server.

 

Only noob admins set production servers to update automatically, or ones

where the production server is not important enough to maintain a

running status 24/7.

 

--

 

Leythos

- Igitur qui desiderat pacem, praeparet bellum.

- Calling an illegal alien an "undocumented worker" is like calling a

drug dealer an "unlicensed pharmacist"

spam999free@rrohio.com (remove 999 for proper email address)

Guest Leythos

Guest Leythos

Posted
Posted

Re: Auto-Updates for production servers

 

In article <uDMoW0nGIHA.4272@TK2MSFTNGP06.phx.gbl>,

anthony.spam@spammedout.com says...

> I hope you won't mind advice that contradicts your presumed views.

> When Microsoft or any software vendor discovers a flaw that can be

> exploited, they need to fix it.

> If you don't apply the fix, you are vulnerable from that time on because

> everyone knows what the flaw is.

> You can test the fix to see if it breaks anything, but you still need to

> apply it even if it does.

 

No, Anthony, you don't.

 

You need to patch if the update provides a resolution to something that

you might be exposed to, but if your server is not exposed to xyz then

you don't need ot patch for it.

 

Not all production servers are fully exposed to the Internet, most are

behind a firewall and have little or no exposure to most of the threats

you read about.

 

Yes, it's "good practice" to update with all critical updates and

security patches, but the update should be based against the threat vs

stability.

 

--

 

Leythos

- Igitur qui desiderat pacem, praeparet bellum.

- Calling an illegal alien an "undocumented worker" is like calling a

drug dealer an "unlicensed pharmacist"

spam999free@rrohio.com (remove 999 for proper email address)

Guest Anthony

Guest Anthony

Posted
Posted

Re: Auto-Updates for production servers

 

OK, so you have a specific problem with the update options. I would take a

look at the Group Policies for Windows Updates and suggest to them which

ones would make your life easier.

http://technet2.microsoft.com/windowsserver/en/library/51c8a814-6665-4d50-a0d8-2ae27e69ca7c1033.mspx?mfr=true

 

It sounds as though the one that is affecting you is "No auto-restart for

scheduled Automatic Updates installation". That reboot prompt would only

happen if:

- the production server was switched off at the scheduled time, and so the

installation happens when it restarts, or

- a user is logged in either at the scheduled time (but it's supposed to be

out-of-hours).

So I would talk to them about the specific update options: when is the

scheduled time, and what options are they using?

Hope that helps,

Anthony, http://www.airdesk.co.uk

 

 

"Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message

news:1548528A-3E6A-460E-AF22-5FD215FBC738@microsoft.com...

> Sorry Anthony, you misunderstand the problem. I totally agree with

> keeping

> the servers up to date. Every Friday night, or whatever, is perfect.

>

> HOWEVER, that is not what I am asking about.

>

> They have the actual Windows Auto-Update on which applies all updates on

> an

> 'as released basis' from Microsoft. In other words, updates go on

> production

> servers, and nobody, not even them, have any idea which updates went on or

> when. Since auto-updates are on, the 'you need to reboot your server now'

> function keeps trying to reboot servers. For example, every time we log

> on

> to terminal services, we are prompted to reboot because of auto-updates.

> However, we don't have authority to reboot, so the box is grayed out. We

> just

> have to cancel the prompt. This prompt comes up every 10 or 15 minutes.

> There are days when I will work for 10 hours through terminal services,

> for

> every day of the week, so there are times, that for 40 or 50 hour work

> week,

> I am canceling that dang prompt every 10 minutes. It is not unusual that

> I

> may have to tunnel through 2 or 3 levels of terminal services, so take the

> every 10 or 15 minutes times 2 or 3.

>

> To me, this is down and out wreckless to just apply updates to production

> without any knowledge whatsoever of what is being applied.

>

> "Anthony" wrote:

>

>> Hi Brian,

>> I hope you won't mind advice that contradicts your presumed views.

>> When Microsoft or any software vendor discovers a flaw that can be

>> exploited, they need to fix it.

>> If you don't apply the fix, you are vulnerable from that time on because

>> everyone knows what the flaw is.

>> You can test the fix to see if it breaks anything, but you still need to

>> apply it even if it does.

>> So really it could be a responsibility of the developers to be aware of

>> fixes, maintain a testing environment and identify what to do if a fix

>> breaks their software. They would then need to deploy their own patch

>> within

>> a week or two. If they object to having to test, it demonstrates that it

>> is

>> really an argument about who should do the work rather than whether it

>> should be done.

>> The only way to avoid patching, or to postpone it till the developers are

>> ready, is to maintain a sealed environment. You can do this as follows:

>> - run the application on terminal services

>> - allow no other applications to run: no IE, no Word, no iTunes etc, just

>> the application.

>> - run a firewall between the LAN and the terminal servers and allow no

>> other

>> connections to the terminal servers.

>> Apart from that, you just have to live with patching. What problems

>> exactly

>> does it cause? Rebooting should be addressed either by patching

>> out-of-hours, or by a resilient service (e.g more than one application

>> server). What are the miscellaneous problems? You should probably

>> identify

>> what they are and try to resolve them rather than prevent patching.

>> Hope that helps,

>> Anthony, http://www.airdesk.co.uk

>>

>>

>>

>> "Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message

>> news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...

>> > Hello.

>> > I am a developer, and have been having an ongoing battle with our

>> > Network

>> > Admins, and would like advice here.

>> >

>> > They have Microsoft Windows Auto-Updates turned on for all production

>> > servers. This has caused numerous problems, because patches get

>> > applied,

>> > then cause servers to reboot, or other miscellaneous problems.

>> >

>> > I keep trying to tell them it is not a 'best practice' to have

>> > auto-updates

>> > on for production servers, but rather they should push them out with

>> > admin

>> > tools on a regular scheduled basis. They assure me they 'know what

>> > they

>> > are

>> > doing', and auto updates 'are required to prevent viruses and hackers'.

>> > They

>> > have assured me that Microsoft strongly recommends auto updates for all

>> > production servers.

>> >

>> > The amount of problems alone this has causes ought to be proof enough

>> > this

>> > is a bad idea, but can anyone point me to 'official' statements from

>> > Microsoft as to 'auto-updates' for production servers? I am having

>> > trouble

>> > finding an official statement from Microsoft either way.

>>

>>

>>

Guest SBS Rocker

Guest SBS Rocker

Posted
Posted

Re: Auto-Updates for production servers

 

I think your misunderstanding Brian's problem here. Apparently he has no

issues with servers being updated. His issues are with servers being updated

during business hours where it affects production time and work if I

understand correctly. Brian I find it hard to believe that management would

not work with you on this especially if it affects yours and ohters work.

Why not propose they schedule their auto updates say like every evening at

midnight?

 

"Anthony" <anthony.spam@spammedout.com> wrote in message

news:%23KQHyzsGIHA.3548@TK2MSFTNGP06.phx.gbl...

> OK, so you have a specific problem with the update options. I would take a

> look at the Group Policies for Windows Updates and suggest to them which

> ones would make your life easier.

> http://technet2.microsoft.com/windowsserver/en/library/51c8a814-6665-4d50-a0d8-2ae27e69ca7c1033.mspx?mfr=true

>

> It sounds as though the one that is affecting you is "No auto-restart for

> scheduled Automatic Updates installation". That reboot prompt would only

> happen if:

> - the production server was switched off at the scheduled time, and so the

> installation happens when it restarts, or

> - a user is logged in either at the scheduled time (but it's supposed to

> be out-of-hours).

> So I would talk to them about the specific update options: when is the

> scheduled time, and what options are they using?

> Hope that helps,

> Anthony, http://www.airdesk.co.uk

>

>

> "Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message

> news:1548528A-3E6A-460E-AF22-5FD215FBC738@microsoft.com...

>> Sorry Anthony, you misunderstand the problem. I totally agree with

>> keeping

>> the servers up to date. Every Friday night, or whatever, is perfect.

>>

>> HOWEVER, that is not what I am asking about.

>>

>> They have the actual Windows Auto-Update on which applies all updates on

>> an

>> 'as released basis' from Microsoft. In other words, updates go on

>> production

>> servers, and nobody, not even them, have any idea which updates went on

>> or

>> when. Since auto-updates are on, the 'you need to reboot your server

>> now'

>> function keeps trying to reboot servers. For example, every time we log

>> on

>> to terminal services, we are prompted to reboot because of auto-updates.

>> However, we don't have authority to reboot, so the box is grayed out. We

>> just

>> have to cancel the prompt. This prompt comes up every 10 or 15 minutes.

>> There are days when I will work for 10 hours through terminal services,

>> for

>> every day of the week, so there are times, that for 40 or 50 hour work

>> week,

>> I am canceling that dang prompt every 10 minutes. It is not unusual that

>> I

>> may have to tunnel through 2 or 3 levels of terminal services, so take

>> the

>> every 10 or 15 minutes times 2 or 3.

>>

>> To me, this is down and out wreckless to just apply updates to production

>> without any knowledge whatsoever of what is being applied.

>>

>> "Anthony" wrote:

>>

>>> Hi Brian,

>>> I hope you won't mind advice that contradicts your presumed views.

>>> When Microsoft or any software vendor discovers a flaw that can be

>>> exploited, they need to fix it.

>>> If you don't apply the fix, you are vulnerable from that time on because

>>> everyone knows what the flaw is.

>>> You can test the fix to see if it breaks anything, but you still need to

>>> apply it even if it does.

>>> So really it could be a responsibility of the developers to be aware of

>>> fixes, maintain a testing environment and identify what to do if a fix

>>> breaks their software. They would then need to deploy their own patch

>>> within

>>> a week or two. If they object to having to test, it demonstrates that it

>>> is

>>> really an argument about who should do the work rather than whether it

>>> should be done.

>>> The only way to avoid patching, or to postpone it till the developers

>>> are

>>> ready, is to maintain a sealed environment. You can do this as follows:

>>> - run the application on terminal services

>>> - allow no other applications to run: no IE, no Word, no iTunes etc,

>>> just

>>> the application.

>>> - run a firewall between the LAN and the terminal servers and allow no

>>> other

>>> connections to the terminal servers.

>>> Apart from that, you just have to live with patching. What problems

>>> exactly

>>> does it cause? Rebooting should be addressed either by patching

>>> out-of-hours, or by a resilient service (e.g more than one application

>>> server). What are the miscellaneous problems? You should probably

>>> identify

>>> what they are and try to resolve them rather than prevent patching.

>>> Hope that helps,

>>> Anthony, http://www.airdesk.co.uk

>>>

>>>

>>>

>>> "Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message

>>> news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...

>>> > Hello.

>>> > I am a developer, and have been having an ongoing battle with our

>>> > Network

>>> > Admins, and would like advice here.

>>> >

>>> > They have Microsoft Windows Auto-Updates turned on for all production

>>> > servers. This has caused numerous problems, because patches get

>>> > applied,

>>> > then cause servers to reboot, or other miscellaneous problems.

>>> >

>>> > I keep trying to tell them it is not a 'best practice' to have

>>> > auto-updates

>>> > on for production servers, but rather they should push them out with

>>> > admin

>>> > tools on a regular scheduled basis. They assure me they 'know what

>>> > they

>>> > are

>>> > doing', and auto updates 'are required to prevent viruses and

>>> > hackers'.

>>> > They

>>> > have assured me that Microsoft strongly recommends auto updates for

>>> > all

>>> > production servers.

>>> >

>>> > The amount of problems alone this has causes ought to be proof enough

>>> > this

>>> > is a bad idea, but can anyone point me to 'official' statements from

>>> > Microsoft as to 'auto-updates' for production servers? I am having

>>> > trouble

>>> > finding an official statement from Microsoft either way.

>>>

>>>

>>>

>

>

 Share
Go to topic listing
×
×
  • Create New...