Can Active Directory be used for updating PC with patches from Microsoft?

  • Question

  • The company I work for is taking on the task of updating all of our computers with security updates and patches from Microsoft on a monthly basis. 

    Right now, the process we use is an in-house developed procedure that is time-consuming, and we rarely gain compliance in a given month.  One member of my team indicated that Active Directory can be used to manage these security updates and patches and would be a more automated process.

    Can anyone verify this?  We use Active Directory to manage user access and it would be a tool already in place.


    Tuesday, January 19, 2010 3:02 PM


  • You can use Active Directory with WSUS (which is free from Microsoft) to deploy security updates and patches. All it costs you is the hardware to run the WSUS server on. If you are a smaller company then the hardware requirement isn't very much. I run our WSUS server in a virtual environment and it currently updates around 500 machines. It gives you reporting as well so you can see where you stand on machines and their updates.

    Or if you wanted to be really simple with it you can create a GPO in Active Directory that sets the workstations to automatically update themselves on a regular basis by assigning a Windows Update policy with your criteria. The drawback to this is that you don't have the ability to Approve or Decline any certain update... WSUS allows you to Approve updates before they actually are deployed to the clients so you can test them first if you would like.
    Tuesday, January 19, 2010 4:00 PM
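
An added example, not part of the thread or either poster's own code: a PowerShell check, run on a client, that reads the Windows Update policy values a GPO writes to the registry and reports whether the PC is pointed at a WSUS server (approval possible) or updates itself directly from Microsoft. The helper name `Get-PolicyValue` and the output property names are chosen for this example.

```powershell
# Added example: report the Windows Update policy a GPO has applied to this PC.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {   # hypothetical helper for this example
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$wuServer    = Get-PolicyValue $wuKey 'WUServer'      # WSUS URL set by GPO
$useWuServer = Get-PolicyValue $auKey 'UseWUServer'   # 1 = use WUServer
$noAuto      = Get-PolicyValue $auKey 'NoAutoUpdate'  # 1 = Automatic Updates off
$auOptions   = Get-PolicyValue $auKey 'AUOptions'     # download/install behaviour

# AUOptions values of the "Configure Automatic Updates" policy.
$auMeaning = @{
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically, install on schedule'
    5 = 'Local administrator chooses the setting'
}

$source = if ($useWuServer -eq 1 -and $wuServer) { "WSUS: $wuServer" } else {
    'Microsoft Update (no approve/decline step)' }

$behaviour = if ($noAuto -eq 1) { 'Automatic Updates disabled by policy' } elseif (
    $null -ne $auOptions -and $auMeaning.ContainsKey([int]$auOptions)) {
    $auMeaning[[int]$auOptions] } else { 'Not configured by policy' }

# Misconfigurations that leave a client unpatched or unmanaged.
$findings = @()
if ($useWuServer -eq 1 -and -not $wuServer) {
    $findings += 'UseWUServer is 1 but WUServer is empty' }
if ($wuServer -and $useWuServer -ne 1) {
    $findings += 'WUServer is set but UseWUServer is not 1, so it is ignored' }
if ($wuServer -like 'http://*') {
    $findings += 'WSUS URL uses plain HTTP rather than HTTPS' }

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    UpdateSource = $source
    Behaviour    = $behaviour
    Findings     = $findings -join '; '
}
```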