How to handle deploying Exclusive WSUS Updates

tresstylez

I'm using PM to handle a monthly deployment of Security/Critical Updates to clients in our target WSUS groups.

I am looking for advice on how the community handles the rollout of EXCLUSIVE updates.  If you are familiar with the interface, updates will either 1) Fail if and exclusive update is found, 2) only install the exclusive updates, or 3) only install non-exclusive updates.

Since I would like to schedule our WSUS deployments with PM on a monthly basis, I'm not exactly sure what the Best Practice is here.  Right now I choose the 3rd option (above) assuming that more updates will be installed.  I then login to those machines and still see updates available - and I'm assuming these are the "exclusive" updates.  I have to manually install those separately.

Questions:

1. Do you typically have MULTIPLE jobs for a deployment?  I suppose I could run #3, then create and run a 2nd job for #2, but then I will manually have to kick off the 2nd job after being notified that the 1st job completed.  OR -- I can maybe just rollout updates via both jobs over 2 days.
2. Is there any way to tell if an update is a exclusive update or not?  Right now, it seems like all updates say "You may need to restart your PC after installing this update" -- but I'm not sure if thats the same as an EXCLUSIVE update or not.

Any feedback on the 2 questions above would be appreciated.  Thanks!

frgpugs

There are actually very few exclusive updates... but there are definitely updates that have to reboot before all other updates are done and can take several "rounds" of reboots to complete all, especially if you are only patching once a month.  Currently patch manager is working on a "patch until its done" system but for now I just have my machines patching every day once approved (which I do on fridays) and then servers on saturdays.  If servers still need more installed I may do them manually monday morning.