
I have disabled Windows Update on all of my Windows servers. Will that cause problems?

shearn89

2 Answers


No, it is not safe.

Having Windows Update disabled means you are not receiving the latest security and other updates from Microsoft. Unless you keep downloading and installing the patches manually on a monthly basis, this leaves your servers (as well as your whole environment) vulnerable to security attacks. In the long run, this might result in stability issues or data loss/leaks.


It's good practice to disable automatic updates on servers: you don't want them to apply updates and reboot whenever they feel like doing it, and also it's better to not immediately install any update on all your servers as soon as it comes out, without doing at least some testing before.

However, you definitely should keep your servers up to date; exactly how, when and what updates will be applied is up to you (or your company/department) to define, but you really should have an update policy (even as simple as "wait for a week after updates are released, then run a manual Windows Update on each machine during off-peak hours") and follow it.

Massimo
  • How do I test that updates from Microsoft are safe for installation on a production server? Is there any best practice for that? – silverknightone May 12 '16 at 07:12
  • Use test servers. If you don't have any of them, that's a whole different problem (which I strongly suggest you address ASAP). – Massimo May 12 '16 at 13:43
  • This answer is simply not good practice from any enterprise perspective, regardless of OS platform. Some form of automated patch maintenance is simply required. – Jim B May 13 '16 at 12:28
  • @JimB Please re-read the answer; I said, too, that *some* form of update policy and management is required; I just said that it's better to not rely on the simple built-in Windows Update setting for that, unless you want your servers to automatically install everything that Microsoft pushes out and then perform a reboot whenever they want. – Massimo May 13 '16 at 17:27
  • @JimB Automated patch management is fine and good, but only if you combine it with proper testing, maintenance windows and several other things you should care about (such as which servers have to be restarted in which order). If "automated patch management" boils down to "let Windows install whatever it wants whenever it wants", then you only get a disaster waiting to happen. – Massimo May 13 '16 at 17:31
  • So, specific to Windows, leaving automatic update on is essential to allow you to control the update process with a WSUS or WUB server. Even if you don't have a WSUS or WUB server, you are far safer having it on than off. Testing is good but must be done the same day as release, since many compromise attempts occur on the day of release (or within a day of release). – Jim B May 13 '16 at 18:58
  • @JimB Looks like you never witnessed a broken patch wreaking havoc on your systems, or one or more servers suddenly rebooting just because they were configured to install updates automatically. Good for you. – Massimo May 13 '16 at 19:14
  • @JimB But I still stand by my point: ***without proper planning***, automated updating can be even worse than not updating at all. – Massimo May 13 '16 at 19:15
  • We will have to agree to disagree, although, so far, it's incredibly rare to be compromised by patching flaws. – Jim B May 14 '16 at 00:49
  • @JimB Tell that to all of the Exchange and System Center admins when WMF 3 and 4 came out :). Also, many patch management tools don't rely on the automatic update mechanism in Windows. I absolutely agree that patch automation and compliance reporting is critical in all but the smallest of environments, but that doesn't always require WAU to be enabled. – MDMarra May 14 '16 at 16:17
  • I still remember (somewhat fondly) that Exchange CU which was retired two days after its release... because it was discovered it had a nasty habit of irrecoverably corrupting databases. Some people there definitely got taught to *not* immediately apply any update that Microsoft pushes out ;) – Massimo May 14 '16 at 16:43
  • Neither patch set would be applied with default AU settings, I don't believe either was a critical patch. – Jim B May 15 '16 at 14:35
  • To be clear this question (and at least my comments) are about automatic updates in windows, not any arbitrary update that may be available. – Jim B May 15 '16 at 23:30
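Whichever side of the thread you take, the thing an administrator needs to know is the actual update posture of each server: whether Automatic Updates is disabled by policy, whether a WSUS server is configured, when the last update installed successfully, and what is still pending. The following PowerShell audit is an added example, not code from either answer; the registry paths and COM calls are the documented Windows Update Agent interfaces, while the 45-day staleness threshold is an assumption standing in for whatever your own update policy says.

```powershell
# Added example: audit one Windows Server's update posture. Run in an elevated
# PowerShell session on the server itself.
$AuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return the policy value, or $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$noAutoUpdate = Get-RegValue $AuPolicy 'NoAutoUpdate'   # 1 = Automatic Updates disabled by policy
$auOptions    = Get-RegValue $AuPolicy 'AUOptions'      # 2 notify, 3 download, 4 scheduled install
$useWsus      = Get-RegValue $AuPolicy 'UseWUServer'    # 1 = clients use the WUServer below
$wsusServer   = Get-RegValue $WuPolicy 'WUServer'

# Ask the Windows Update Agent (COM) for install history and applicable updates.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$lastOk   = $null
if ($count -gt 0) {
    # History is newest first; ResultCode 2 means the install succeeded.
    $lastOk = ($searcher.QueryHistory(0, $count) |
               Where-Object { $_.ResultCode -eq 2 } | Select-Object -First 1).Date
}
$pending  = @($searcher.Search('IsInstalled=0 and IsHidden=0').Updates)
$critical = @($pending | Where-Object { $_.MsrcSeverity -eq 'Critical' })

# Findings in the terms the thread argues about: no automation AND no WSUS, stale, or exposed.
$staleDays = 45   # assumed threshold; replace with your policy's value
$findings  = @()
if ($noAutoUpdate -eq 1 -and $useWsus -ne 1) {
    $findings += 'Automatic Updates disabled and no WSUS server configured: patching is fully manual.'
}
if ($lastOk -and ((Get-Date) - $lastOk).Days -gt $staleDays) {
    $findings += "Last successful update was $(((Get-Date) - $lastOk).Days) days ago."
}
if ($critical.Count -gt 0) {
    $findings += "$($critical.Count) Critical-severity update(s) pending."
}

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    AutoUpdate    = if ($noAutoUpdate -eq 1) { 'Disabled' } else { "Enabled (AUOptions=$auOptions)" }
    WsusServer    = if ($useWsus -eq 1) { $wsusServer } else { 'none' }
    LastInstalled = $lastOk
    Pending       = $pending.Count
    Findings      = if ($findings) { $findings -join ' ' } else { 'OK' }
} | Format-List
```

Run it across the fleet with `Invoke-Command` and you get the compliance report both sides of the thread agree is needed, independent of whether the installs themselves are automated or manual.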