A little bit of background information for this one. In the company I work for we tend to patch everything, which is a fine practice, but when it comes to the close to 80 Windows Servers we have, all of them are currently being updated by hand.

Now, other than being tedious and annoying, it is a pretty large overhead and consumes quite some time, never mind the servers that need to be done outside of office hours.

So, my solution?

Well, the new year had come, I could see the horrific Patch Tuesday on the horizon (the second Tuesday of every month) and decided to stamp my foot down.

First things first, decide a time when this can happen. I opted for 3-5am, when there are no backup jobs running and it is outside of AV scans etc. This is now called the Update Window.

Secondly, split the domain's servers into groups based on different things: which ESX host they are on, which services run from them, etc. One thing I kept in mind was to reduce any potential strain on our VM setup (our hosts are a little crowded!) during machine start-up, so the machines were distributed evenly between the two security groups.

Next thing was to construct the group policies, and as a picture speaks a thousand words, here's mine:


Once this GPO is published and applied, the only other step is to exclude your two security groups (Romeo & Juliet in this case) from the default/predefined WSUS GPOs.

And that's about it! 85% of our internal servers are currently auto-updating every Friday (you never know with Microsoft and those damn extra hotfixes!).

TL;DR: Make two security groups, exclude these from the default WSUS GPOs, copy the GPO above, publish, apply and enjoy.
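The same build-out done in PowerShell rather than by hand in GPMC, as an added example that is not the author's GPO (their exact settings are in the screenshot). It assumes the servers live in an `OU=Servers` OU, a WSUS URL, and that Romeo installs at 03:00 and Juliet at 04:00 to stagger the reboots inside the 3-5am window; none of those three details are stated in the post.

```powershell
# Added example, not the author's GPO. Requires the ActiveDirectory and GroupPolicy
# modules (RSAT) and a domain account that can create groups and GPOs.
Import-Module ActiveDirectory, GroupPolicy

$ServersOU = 'OU=Servers,DC=example,DC=local'   # assumed OU holding the servers
$WsusUrl   = 'http://wsus.example.local:8530'   # assumed WSUS server URL
$WUKey     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AUKey     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Group name -> scheduled install hour (24h clock). Staggering 3 and 4 is an assumption;
# both hours stay inside the 3-5am Update Window and spread the VM host load at boot.
$Groups = @{ 'Romeo' = 3; 'Juliet' = 4 }

foreach ($Group in $Groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
        New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security -Path $ServersOU
    }

    $GpoName = "WSUS Update Window - $Group"
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName -Comment 'Auto-install updates in the 3-5am window' | Out-Null
    }

    # Point clients at WSUS and schedule the install. AUOptions 4 = auto download and
    # schedule the install; ScheduledInstallDay 6 = Friday; ScheduledInstallTime = hour.
    Set-GPRegistryValue -Name $GpoName -Key $WUKey -ValueName WUServer       -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $WUKey -ValueName WUStatusServer -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $AUKey -ValueName UseWUServer          -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $AUKey -ValueName NoAutoUpdate         -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $AUKey -ValueName AUOptions            -Type DWord -Value 4 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $AUKey -ValueName ScheduledInstallDay  -Type DWord -Value 6 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $AUKey -ValueName ScheduledInstallTime -Type DWord -Value $Groups[$Group] | Out-Null

    # Security filtering: only this group applies the GPO. Authenticated Users keeps Read
    # (not Apply) so computer accounts can still retrieve the GPO after MS16-072.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group -PermissionLevel GpoApply | Out-Null

    New-GPLink -Name $GpoName -Target $ServersOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# Excluding Romeo and Juliet from the default WSUS GPOs needs a Deny on "Apply Group Policy";
# Set-GPPermission cannot write deny entries, so add those in GPMC (Delegation > Advanced).
# Check the result on a member server after gpupdate /force:
#   Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
```

Add the server computer accounts to Romeo and Juliet afterwards (`Add-ADGroupMember`); the GPO only takes effect on machines whose account is a member, and a restart or `klist -li 0x3e7 purge` is needed before the new group membership shows up in the computer's token.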