Tuesday, February 4, 2014

System Center 2012x: Turn On Microsoft Update Or Not?

With System Center 2012x a new functionality was introduced. It has already existed for a long time for other Windows/Microsoft-based technologies: the Microsoft Update functionality.

During installation you are asked whether or not to let Microsoft Update cover the related System Center 2012x component as well. I always set this option to OFF.

I’ll tell you why I choose this option. As a matter of fact, there are multiple reasons for it:

  1. Updating System Center 2012x requires manual actions as well
    Updating System Center 2012x components often requires one or more manual actions as well, like running queries, updating the web.config file, etc. When Microsoft Update runs the update for you, you still have to run these actions manually and, when you’re unlucky, in an unplanned manner as well.

  2. Updating System Center 2012x requires additional checks
    I ALWAYS check the updates after they have been applied, in order to see that the proper files got updated. In the past, updates sometimes didn’t land properly, for example by skipping the Agent deployment folders. So never presume but always check.

  3. Updates aren’t error free
    Another MAJOR reason for not using Microsoft Update (even through WSUS mechanisms!) for updating System Center 2012x is that in the past Update Rollups (URs) contained errors, causing issues in your System Center 2012x environment. So it’s better to wait before applying a UR rather than applying it too soon, also because a UR can’t be rolled back, except by running a restore of the affected systems and databases…

  4. WSUS doesn’t protect you
    Of course, Windows Update is managed in your environment by a whole chain of WSUS servers. And patches only get through when approved. But still WSUS shouldn’t be your last defense against updates. Yes, updates are required in order to keep your systems healthy and safe. But don’t automate Windows Update too far. Always let the last part of the update chain be a human being with knowledge and experience of the products/technologies involved. And when all lights are green run the updates in a time frame which is chosen by you and your organization and not by WSUS.
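
One way to script the file check from reason 2, as an added example that is not part of the original post. The parameter names `-Root` and `-MinimumVersion` are assumptions: supply the folder you want to verify (for example an Agent deployment folder) and the file version documented for the update you applied.

```powershell
# Added example (not from the original post): verify that an update landed.
# -Root and -MinimumVersion are placeholders; supply the folder to check and
# the file version documented for the update you applied.
param(
    [Parameter(Mandatory = $true)] [string]  $Root,
    [Parameter(Mandatory = $true)] [version] $MinimumVersion
)

$results = Get-ChildItem -Path $Root -Recurse -File -Include *.dll, *.exe, *.msi, *.msp |
    ForEach-Object {
        $vi = $_.VersionInfo
        if ($vi.FileVersion) {
            # Compare the numeric parts; the FileVersion string may carry extra text.
            $actual = New-Object System.Version -ArgumentList `
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            $status = if ($actual -ge $MinimumVersion) { 'OK' } else { 'STALE' }
        } else {
            # Installer packages typically have no version resource: review them by date.
            $actual = $null
            $status = 'NO-VERSION'
        }
        [pscustomobject]@{
            Status    = $status
            Version   = $actual
            LastWrite = $_.LastWriteTime
            Path      = $_.FullName
        }
    }

$results | Sort-Object Status, Path | Format-Table -AutoSize

# A non-zero exit code lets a scheduled or scripted run flag the problem.
$stale = @($results | Where-Object { $_.Status -eq 'STALE' })
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) file(s) under $Root are older than $MinimumVersion"
    exit 1
}
```

Files the update does not touch will also show as STALE, so read the output against the update's own file list. NO-VERSION rows need a manual look at the LastWrite column.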

Of course, these reasons are open to discussion. But whenever I discuss this topic with my customers, these are the reasons why I advise them NOT to use Windows Update for any System Center 2012x component. In the end, however, it’s up to the customer and the related policies to decide what approach to use.

Feel free to comment and share your thoughts on this topic.
