SUS patch installs & required reboots

[Keith Langmead]

We've got SUS installed on our Win2k AD domain, and that's working fine,
however one thing has been concerning me for a while now.

Since the servers are all part of a live web platform, we don't want the
servers rebooting themselves once the updates have installed, since we found
they tended to do so during working hours at times, which is obviously
unacceptable, however as with all MS updates, I'm assuming that until the
server is actually rebooted, the patches won't in many cases be active.

How do other people handle this, and ensure that the servers are rebooted
after the patches have been installed by SUS, while maintaining maximum
possible uptime, and preventing any downtime during working hours?

Thanks
Keith

 

[Laura E. Hunter \(MVP\)]

You can use a Group Policy Object to enforce a "Prevent automatic reboots"
setting for the servers in question (either by using security filtering or
by dumping them into their own OU), and then plan to do your reboots
manually at a time that's good for your business processes.

 

[Keith Langmead]

Ahhh, perhaps I should have phrased the question better. We already have the
system set so that it won't allow the servers to reboot automatically,
however the real problem is finding a way to determine which patches have
been installed on which servers, and therefore when it is appropriate to
reboot the server. As far as I understand it, SUS doesn't install the
patches on any strict schedule, but rather it installs them at some point
when it has time / the source server isn't busy.

So for instance if I approve a patch this morning, how do I know tonight if
the patch has been installed on all the servers so I can then reboot them. I
don't particularly fancy the idea of trawling through all the event log
information for every single server to look for an event to tell me's been
done, but at the same time, I'd rather not wait around for longer than
necessary to ensure that it must have been installed.

Keith