SBSFAQ.COM

Patching your Small Business Network – Part 2 – Deciding on your patching strategy

July 22, 2015 by Wayne Small

The key decisions you need to make in terms of patching your small business network are around how much you want to do, how much reporting/verification you want and how reliable the technology is.  In the small business space you’ve got a few options available to you, and as such you need to decide which one you wish to follow before implementing it.

  1. Do nothing and let whatever the default settings for Windows Update are work as they are configured.
    • The upside to this option is simple – you do nothing.  Windows Update should, out of the box, be configured to download and install patches on the workstations, or at the very least notify the user that there are patches to be deployed and ask them to approve and deploy them.  This process occurs on each workstation in your network, and depending on whether the users have local administrator rights (and in many small businesses they do because it’s just easier to do it that way) they can in fact change the settings to do whatever they want to do.
    • Whilst the upside here is minimal administrative effort for the network administrator, the downsides are not so good.  You have no control over what the users do or when they install patches that might be critical to the security of your environment, and on top of that each machine will individually download whatever patches are needed for it and it alone.  Let’s do some math on that – say each machine in your 30 user network needs 1GB of patches, that’s 30GB of downloads that need to come down for them all.  Now if you are in the USA where bandwidth is cheap and fast, not a problem, but if you are here in Australia where it’s a little more costly, then sure – it’s a negative.
  2. Implement central control over the settings for Windows Update and force them to pull updates directly from Microsoft
    • Ok – so this is a little better than option 1 above – you would implement a Group Policy (assuming all machines are domain joined) to force all machines to have specific settings with respect to downloading and installing updates.  This would remove the users’ control over these settings and ensure, with the right application of GPO, that your machines would at least be looking to download and install the patches as you wanted them to.  You’d still be stuck with the download of patches for each individual machine, so the data usage could be quite high, but at least you’d have some assurance that things are being patched and controlled.
  3. Implement WSUS and manually approve what patches to deploy and to which machine.
    • WSUS is FREE with every single Windows Server out there, including Windows Server 2012 R2 Essentials.  WSUS is a centralised repository of patches that are downloaded ONCE from Microsoft to your server and then deployed to the machines that require them.  This requires some initial work to install and configure WSUS on your server.  It also requires Group Policy configuration to make the machines within your domain report in to the WSUS server.  From there, the Windows Update client on the machines will talk to WSUS, find out what patches are available vs what the workstation needs, install the patches, and report back to the WSUS server whether each patch installed fine or not.  That gives you a central point of control over what works and what doesn’t.  You will need to manually approve the patches needed before they are downloaded and deployed to the workstations, but this is a pretty simple task overall.
    • The downside to WSUS is that the patches needed for each machine will reside on the server’s hard drives, even after all the machines have been patched.  Therefore it takes up space.  How much space depends on whether you do regular maintenance on the server, which can reduce the overall requirement for disk space.
  4. Implement WSUS and automate it for patch deployment
    • This is a natural progression from option 3 above – you use WSUS to do the download and deployment of patches, Group Policy to control configuration, and then automate the approval process.  If you do this then you can pretty much set and forget it and your machines will be patched AND you can see where things are at if you want to do anything specific yourself.  SBS 2003 R2, SBS 2008 and SBS 2011 all had this level of cool automation built in, which meant it was very simple to deploy and monitor the environment.
    • The downside to this is that the inbuilt WSUS auto approval rules are really silly and should never be used, but stay tuned because I’ve got ways to help with that.
  5. Use some third party tools to do the patching for you.
    • The options above all involve things you do and manage using your on-premises resources, such as your server.  This option involves using various cloud patching offerings such as Microsoft Intune, Kaseya and the like to patch your machines for you.  Typically they will involve doing a one time installation of a management agent from your service provider, and then the process can be managed from a web console with various rules being applied to automate the patching.  These solutions are always subscription based, where you will pay a set amount per machine, per month, so there is this cost to consider as well.

Ok – so these are pretty much the options you have in terms of patching your network.  In the next article, I’ll show you how to implement option 2 so that you can start gaining control over your network.
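
Options 1 to 4 each leave a different footprint in the Windows Update policy registry keys that Group Policy writes, so you can check which strategy a given workstation is actually running under. The PowerShell below is an added example, not code from the original article; the function names and the sample values (including the `wsus.example.local` server) are hypothetical, and the script only reads settings.

```powershell
# Added example. Read-only: inspects policy values, changes nothing.
function Get-PatchStrategy {
    param([hashtable]$Policy)   # policy value name -> data

    # AUOptions values written by the "Configure Automatic Updates" policy.
    $modes = @{
        2 = 'notify before download'
        3 = 'download automatically, notify before install'
        4 = 'download automatically, install on schedule'
        5 = 'local administrators choose the setting'
    }
    if ($Policy.Count -eq 0) {
        return 'Option 1: no policy set, local Windows Update defaults apply'
    }
    if ($Policy['NoAutoUpdate'] -eq 1) {
        return 'WARNING: policy disables automatic updating'
    }
    $au = $Policy['AUOptions']
    $mode = if ($null -ne $au -and $modes.ContainsKey([int]$au)) { $modes[[int]$au] } else { 'mode not set' }
    # UseWUServer = 1 plus a WUServer URL means the client reports to WSUS.
    if ($Policy['UseWUServer'] -eq 1 -and $Policy['WUServer']) {
        return "Option 3/4: WSUS at $($Policy['WUServer']) ($mode)"
    }
    return "Option 2: policy-controlled, updates direct from Microsoft ($mode)"
}

function Read-WindowsUpdatePolicy {
    # Group Policy stores Windows Update settings under these two keys.
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $values = @{}
    foreach ($path in $root, "$root\AU") {
        if (Test-Path $path) {
            $key = Get-Item -Path $path
            foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
        }
    }
    return $values
}

# Constructed sample policies (the server name is a placeholder).
$samples = @(
    @{},
    @{ NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3 },
    @{ WUServer = 'http://wsus.example.local:8530'; UseWUServer = 1; AUOptions = 4 }
)
foreach ($s in $samples) { Get-PatchStrategy -Policy $s }

# On a real Windows machine, classify the live configuration.
if ($env:OS -eq 'Windows_NT') { Get-PatchStrategy -Policy (Read-WindowsUpdatePolicy) }
```

The result cannot distinguish option 3 from option 4, because manual versus automatic approval is configured on the WSUS server rather than on the client.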


Filed Under: Blog Tagged With: Patch Management, Windows Server 2012 Essentials, Windows Server 2012 R2, Windows Server 2012 R2 Essentials

About The Author

Wayne has been working with Microsoft Server products in the SMB market for over 20 years. He has a passion for technology and has been a Microsoft MVP for over 15 years.
