For our environment, WSUS fits our needs. We've never had any problems. However, I do not have WSUS auto-approve patches--that's definitely asking for trouble. When new patches come out, I generally take no action for a while. Let other folks be the guinea pigs. If I don't hear any negative buzz about a patch after a week or so, I'll distribute it on a very limited basis, let it go a few days, then a larger basis, wait a few more days, then send it on to everyone.

John Hornbuckle
MIS Department
Taylor County School District
318 North Clark Street
Perry, FL 32347
www.taylor.k12.fl.us

-----Original Message-----
From: Ziots, Edward [mailto:[EMAIL PROTECTED]
Sent: Friday, September 12, 2008 9:09 AM
To: NT System Admin Issues
Subject: RE: OMG WSUS Just tanked *EVERY* Desktop in my org!
Importance: High

Same here, about 125 test systems I patch with all the new patches, evaluate, and then push to production, also development machines also get the patches first, so there is no issue with test/dev being behind the curve patch-wise.

Also the other reason I don't use WSUS, M$ has already shown that they can fark up a WSUS patch or WSUS itself and cause lots of pain to the patch-and-pray shops out there, which causes downtime, user dissatisfaction and mgmt asking wtf just happened?

Folks, read the NIST SP 800 series guidelines about patch management/vulnerability management and use that as your guidelines to do patching/vulnerability and change management. It's gotta be tiered and it has to be tested and controlled, or you will run into these situations.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505