I had an incident a couple of weeks ago that I thought I’d share with all of you. I had a beautiful four server SharePoint 2013 farm. It was humming along, serving up SharePoint pages with the best of them. Then Patch Tuesday hit last month. One of the four servers was set to automatically install Windows Updates, and it did. It installed the crap out of them. Normally that’s not a good thing, but it’s also not a horrible thing. In the past that’s bitten us SharePoint admins because things like .NET patches, or random reboots in the middle of the night. Inconvenient, for sure, but not the end of the world. The September 2014 Patch Tuesday rotation had another trick up its sleeve. It looked like this:
Picture courtesy of John White (blog | Twitter)
Those sneaky devils snuck a SharePoint patch in the Windows Updates. Installing a patch on just one server of course causes all kinds of havoc. Since I thought all the servers were set to only download it was doubly confusing as to why SharePoint was now all in a snit about needing an upgrade. I got it all taken care of, but that’s food for another blog post.
My recommendation is to NOT enable installing Windows Updates automatically. I recommend having Windows download the patches, then installing them manually. You can change that setting in Control Panel > System and Security > Turn automatic updating on or off. You can also Win + R and run wuapp. It looks like this:
You can also set it using PowerShell with this little beauty:
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -Name AUOptions -Value "3"
That might be showing off a little, but using PowerShell is just cool. You can look in this White Paper to see all the different Windows Updates settings and their values.
However, that does not mean you shouldn’t patch your servers. The OS still needs to be patched. You can install them manually, but that sounds like a lot of work. An even better idea would be to install a WSUS Server and push your patches out that way.