hosts, or if SMB is used for the storage, then only the memory and state would need to
be migrated. This would avoid any downtime to the virtual machines for planned
outages; however, it would be an automated process that you would need to create
leveraging PowerShell or another automation solution. Additionally, if you have
virtual machines that need to be protected from unavailability (such as unscheduled
outages), the hosts should really be clustered anyway. Generally, if you have virtual
machines on a stand-alone host, you should expect to have some periods of
unavailability.
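The drain-before-patch automation the paragraph describes, as an added PowerShell example (this is not code from the book): every running VM is live-migrated off the host about to be patched and brought back afterwards. VMs whose disks live on an SMB share only need their memory and device state moved; VMs with local disks get a shared-nothing migration that copies the storage too. Host names, the destination storage path and the patch step itself are hypothetical, and both hosts are assumed to have live migration enabled with the required delegation in place.

```powershell
# Added example, not from the book. Drains a stand-alone Hyper-V host for
# planned maintenance by live-migrating its running VMs to a second host.
# Assumptions: live migration is enabled on both hosts (Enable-VMMigration),
# Kerberos constrained delegation or CredSSP is configured, and the names
# below are placeholders for your environment.
param(
    [string]$SourceHost             = 'HV01',
    [string]$DestinationHost        = 'HV02',
    # Where to put the disks of VMs that use local storage on the source host.
    [string]$DestinationStoragePath = 'D:\VMs'
)

# Pre-check: refuse to start if either host has live migration disabled.
foreach ($h in $SourceHost, $DestinationHost) {
    if (-not (Get-VMHost -ComputerName $h).VirtualMachineMigrationEnabled) {
        throw "Live migration is not enabled on $h (run Enable-VMMigration there)."
    }
}

$running = Get-VM -ComputerName $SourceHost | Where-Object State -eq 'Running'

foreach ($vm in $running) {
    # SMB-backed disks (\\server\share\...) are reachable from both hosts, so
    # only memory and state move. Anything else is local and must be copied.
    $localDisks = ($vm | Get-VMHardDiskDrive).Path | Where-Object { $_ -notmatch '^\\\\' }

    if ($localDisks) {
        Move-VM -VM $vm -DestinationHost $DestinationHost -IncludeStorage `
                -DestinationStoragePath (Join-Path $DestinationStoragePath $vm.Name)
    } else {
        Move-VM -VM $vm -DestinationHost $DestinationHost
    }

    # Verify the VM is running on the destination before touching the next one.
    $moved = Get-VM -ComputerName $DestinationHost -Name $vm.Name
    if ($moved.State -ne 'Running') {
        throw "$($vm.Name) is not running on $DestinationHost after migration; stopping."
    }
}

# Patch the now-empty source host here (approve its updates in WSUS, run
# Windows Update, etc.), then reboot it and wait for PowerShell remoting.
Restart-Computer -ComputerName $SourceHost -Wait -For PowerShell -Force

# Bring the VMs back the same way, reversing the direction.
foreach ($vm in $running) {
    $moved = Get-VM -ComputerName $DestinationHost -Name $vm.Name
    Move-VM -VM $moved -DestinationHost $SourceHost
}
```

Two checks worth doing before running this for real: confirm `Get-VMProcessor` shows `CompatibilityForMigrationEnabled` on VMs that may land on a host with a different CPU generation, and confirm the destination has enough free memory for the whole set, because a VM that fails to migrate mid-loop leaves the source only partially drained.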
Microsoft publishes all updates on its Microsoft Update servers, and by default
computers connect to those servers, retrieve the list of applicable updates, download
them, and apply them. This works fine for a few machines, but if you have
hundreds of servers, it is inefficient to have every machine download the same updates
over the Internet connection. This is slow and consumes Internet bandwidth that could
be used more productively for other workloads. Additionally, if machines update
directly from Microsoft Update using the built-in update component of Windows, the
administrator of the organization has no way to test and approve patches before they
are deployed.
Leveraging WSUS
Windows Server Update Services (WSUS) is a role of Windows Server that acts as a
local source for updates for machines within your organization. At a high level, the
process when leveraging WSUS is as follows:
1. Enable the WSUS role on a server, and specify when synchronization with the
Microsoft Update servers will occur.
2. Configure the WSUS server for the updates that should be downloaded, for
example only critical and security updates, and only for Windows Server 2016.
3. Create computer groups in WSUS that will be the targets for patch deployment.
4. Specify whether any types of updates should be automatically approved. Any
updates that are not automatically approved need to be approved manually by a
WSUS administrator before they are deployed to specified computer groups.
5. Optionally, use Group Policy to automatically configure machines to use the WSUS
server and to be part of a specific computer group. I document this at the following
location:
http://windowsitpro.com/windows-8/group-policy-settings-wsus
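The five steps above carried out from PowerShell, as an added example that is not code from the book. Steps 1 through 4 run on the WSUS server using the UpdateServices module and the WSUS administration API it exposes; step 5 writes, on a client, the same registry values the Group Policy settings in the linked article set, so you can see exactly what the GPO does. The server name, content directory, group names and client name are placeholders, and the URLs assume the default HTTP port 8530.

```powershell
# Added example, not from the book. Scripts the WSUS procedure end to end.
# Run steps 1-4 on the WSUS server; step 5 targets a managed client.
# Placeholders: D:\WSUS, the group names, wsus01.corp.example and SRV01.

# 1. Install the role (Windows Internal Database) and run post-install setup,
#    which creates the content store.
Install-WindowsFeature UpdateServices -IncludeManagementTools
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall CONTENT_DIR=D:\WSUS

$wsus = Get-WsusServer            # local server, default port 8530
$sub  = $wsus.GetSubscription()

# Products and classifications only appear after a first catalogue sync,
# so kick one off and wait for it before filtering in step 2.
$sub.StartSynchronization()
while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') { Start-Sleep -Seconds 30 }

# 1. (continued) Synchronize with Microsoft Update automatically at 02:00 daily.
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]::FromHours(2)
$sub.Save()

# 2. Download only Critical and Security updates, and only for Windows Server 2016.
Get-WsusClassification | Set-WsusClassification -Disable
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in 'Critical Updates', 'Security Updates' } |
    Set-WsusClassification
Get-WsusProduct | Set-WsusProduct -Disable
Get-WsusProduct | Where-Object { $_.Product.Title -eq 'Windows Server 2016' } | Set-WsusProduct

# 3. Computer groups that will be the deployment targets.
foreach ($g in 'Pilot', 'Production') {
    if (-not ($wsus.GetComputerTargetGroups() | Where-Object Name -eq $g)) {
        $null = $wsus.CreateComputerTargetGroup($g)
    }
}
# Let clients place themselves in a group via policy (client-side targeting).
$cfg = $wsus.GetConfiguration()
$cfg.TargetingMode = 'Client'
$cfg.Save()

# 4a. Auto-approval rule: Critical and Security updates go to Pilot without a human.
$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object { $_.Title -in 'Critical Updates', 'Security Updates' } |
    ForEach-Object { $null = $classes.Add($_) }
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
$null = $groups.Add(($wsus.GetComputerTargetGroups() | Where-Object Name -eq 'Pilot'))
$rule = $wsus.CreateInstallApprovalRule('Pilot: auto-approve Critical and Security')
$rule.SetUpdateClassifications($classes)
$rule.SetComputerTargetGroups($groups)
$rule.Enabled = $true
$rule.Save()

# 4b. Production is approved manually, after the Pilot group has proven the batch.
#     Review the list first, then approve what is still needed.
Get-WsusUpdate -Classification Critical, Security -Approval Unapproved -Status FailedOrNeeded |
    Approve-WsusUpdate -Action Install -TargetGroupName 'Production'

# 5. Client configuration: the same registry values the GPO settings
#    "Specify intranet Microsoft update service location" and
#    "Enable client-side targeting" write under Policies\Microsoft\Windows\WindowsUpdate.
Invoke-Command -ComputerName 'SRV01' -ScriptBlock {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    New-Item "$wu\AU" -Force | Out-Null
    Set-ItemProperty $wu      -Name WUServer           -Value 'http://wsus01.corp.example:8530'
    Set-ItemProperty $wu      -Name WUStatusServer     -Value 'http://wsus01.corp.example:8530'
    Set-ItemProperty $wu      -Name TargetGroupEnabled -Value 1 -Type DWord
    Set-ItemProperty $wu      -Name TargetGroup        -Value 'Pilot'
    Set-ItemProperty "$wu\AU" -Name UseWUServer        -Value 1 -Type DWord
    Set-ItemProperty "$wu\AU" -Name AUOptions          -Value 3 -Type DWord   # download, notify to install
    Restart-Service wuauserv
}
```

One caveat a practitioner should not skip: with plain HTTP on 8530, anyone on the network path between client and WSUS server can tamper with the update metadata the client trusts, so for production configure WSUS for SSL and point `WUServer` at the HTTPS endpoint on 8531 instead. The Group Policy route in step 5 is preferable to writing the registry by hand because policy reapplies the values if someone changes them locally.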
Machines will now utilize the WSUS server for available patches and also download
them from the WSUS server instead of the Internet (although it is also possible to
configure WSUS clients to pull updates from Microsoft Update if required). In very
large organizations, it’s possible to chain WSUS servers so that a downstream WSUS
server pulls approved updates from another WSUS server and then distributes them.
Configuring machines to pull down patches from Microsoft Update or a WSUS server