Hey everyone! I'm working on developing a patching strategy for our setup and I'm hoping to gather some feedback from anyone who has experience in this area.
**Environment Overview**
- We have a total of 30 virtual machines (VMs) which include a mix of Windows Server 2022 (running various roles like domain controllers, file, print, and application servers) and Windows 11 service VMs.
- Currently, our patching is mostly done manually and on an ad-hoc basis.
- We already use M365 E3/E5 licenses and utilize PDQ Deploy for updating third-party applications.
**Objectives**
- I'd like to move away from the monthly hassle of logging into each VM and clicking Windows Update.
- I want to minimize the risks associated with applying patches immediately on release day, as we've faced issues with problematic updates in the past.
- It's important for me to create a repeatable and auditable schedule that my director would be able to understand and approve.
- Additionally, I want to avoid adding more on-prem infrastructure just for the sake of patching.
**Proposed Plan**
1. Use Intune for managing OS patching while continuing to use PDQ Deploy for application updates.
2. Implement two dedicated Intune service accounts for better management of VM enrollments.
3. Establish a monthly patching schedule that aligns with Patch Tuesday but includes a delay for testing.
4. Ensure strong governance with locked-down service accounts and proper grouping of devices in Intune.
**Questions for the Community**
- Does the strategy of using two Intune service accounts along with PDQ Deploy and a delayed Patch Tuesday sound reasonable for my 30-VM setup?
- Are there any potential pitfalls to using dedicated accounts as the primary user on these servers?
- For those with similar setups, how do you manage exceptions for VMs that can't reboot during the patching window? Also, how do you report patch compliance in a way that's satisfactory to management?
- Do you think simplifying the accounts or policies would be better, or should I maintain the separation?
I'm open to any constructive criticism or alternative design suggestions to achieve a practical and low-touch monthly patching process that accommodates our small team.
2 Answers
I'm surprised you're not using a Remote Monitoring and Management (RMM) tool for this. It could really streamline your processes.
I don't think you can manage Server OS updates directly through Intune. Have you considered using Azure Update Manager instead? It might offer you the control you're looking for with server patches.
Yeah, I inherited a bit of a mess here. Just trying to piece things together!