I'd say yes. Testing in production with a ring-based deployment is the best way because it not only tests the patches on a subset of your network, but it also verifies that the WAY they are being used is unaffected. If there are issues, you have a relatively small group that is affected, and troubleshooting for a workaround and, in worst cases, a removal and block of that update can be done for the rest of the staff until Microsoft can fix their patch.
WSUS - Are we updating our computers in the best way?
We currently have updates split into 2 groups (SCCM collections for test and prod for both servers and workstations). Every month when the new Software Update Group gets created following the update downloads, it automatically gets deployed to the test group, and once we are happy they are OK, we deploy them to the server and workstation collections.
We have had this process for quite some time so decided to review it and reach out for some guidance to see if this is still a good way of updating our server/workstation infrastructure or if there is indeed a newer/better method we should be investigating.
Any feedback/suggestions would be very welcome. Cheers
3 answers
Adam J. Marshall 9,041 Reputation points MVP
2020-11-03T01:41:17.31+00:00
Yes. There are other software like PDQ Deploy that can 'handle' installing updates and deploying patches, but they may not do it as 'seamless' as WSUS/MEMCM would, or wouldn't provide the appropriate other reports/features, etc.
-
Jason Sandys 31,186 Reputation points Microsoft Employee
2020-11-03T16:27:12.297+00:00
"Best" is always in the eye of the beholder. If anyone from the outside tries to tell you what is best for you without knowing your requirements, they are either dangerous or are trying to sell you something. Best is a measurement based on your requirements. So, the question here is have you defined your requirements in detail? If not, then "best" is meaningless. Once you define your requirements, then you can establish metrics and finally compare all of this to the results of whatever tools and methodologies you've chosen.
Do we, Microsoft, feel that using ConfigMgr to deploy updates to Windows systems is a valid and exceptional technical choice? Yes, of course. Do we feel it should meet all of your requirements? Yes, of course. Can it meet your requirements? Anyone answering that without knowing your requirements, is, as noted, dangerous or trying to sell you something. We can certainly assign a generic set of requirements to your organization and measure against those, but making assumptions like this is also dangerous IME.
Sorry, lots of soapboxing here. Bottom-line. Does it do what you need it to do? If yes, then why isn't that a good enough answer for you? Is someone questioning your results? Is there a challenge you are trying to overcome?