Do you leave Windows Automatic Updates enabled on your production IIS server?

Solution 1:

Short answer: no.

In a best-case scenario, you should at least have another box/VM/guinea pig to test the patch on to make sure it doesn't destroy your world.

In the worst case, I would let it download the patches but not install them, so I can review what's getting installed. But I'm just a control freak that way.
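The "download but don't install" setting from this answer, as an added example that is not the answerer's own code: it writes the two Automatic Updates policy values the "Configure Automatic Updates" policy uses on a standalone host (no WSUS or GPO assumed), then lists what the client has already downloaded and is waiting on an administrator to install. The policy key path and value meanings are Microsoft's; running it requires a local administrator session.

```powershell
# Added example: configure Automatic Updates to download only, then list the
# downloaded-but-not-installed updates so they can be reviewed before installing.
# Assumes a standalone host with no WSUS/GPO overriding the local policy key.

$AU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Set-AutoUpdateDownloadOnly {
    # NoAutoUpdate 0 keeps the Automatic Updates client enabled.
    # AUOptions:  2 = notify before download
    #             3 = auto download, notify before install  (what this answer wants)
    #             4 = auto download and install on a schedule (the "fully automatic" setting)
    New-Item -Path $AU -Force | Out-Null
    Set-ItemProperty -Path $AU -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $AU -Name AUOptions    -Value 3 -Type DWord
    # Read the values back so the change is visible in whatever log captures this run.
    Get-ItemProperty -Path $AU | Select-Object NoAutoUpdate, AUOptions
}

function Get-DownloadedPendingUpdates {
    # Windows Update Agent COM API: anything downloaded but not yet installed is
    # exactly the set an administrator reviews under the AUOptions=3 policy.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $found    = $searcher.Search("IsInstalled=0 and IsDownloaded=1 and Type='Software'")
    foreach ($u in $found.Updates) {
        $kbs = @()
        foreach ($k in $u.KBArticleIDs) { $kbs += "KB$k" }
        [pscustomobject]@{
            KB       = ($kbs -join ',')
            Severity = $u.MsrcSeverity      # empty for non-security updates
            Title    = $u.Title
        }
    }
}

Set-AutoUpdateDownloadOnly
Get-DownloadedPendingUpdates | Sort-Object Severity | Format-Table -AutoSize
```

The policy key is the one Group Policy writes, so if the host is domain-joined a conflicting GPO will overwrite these values on the next refresh; check `gpresult /r` before assuming the local setting stuck.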

Solution 2:

I'm afraid I have to disagree with the consensus.

Anybody who says that "human intervention is required" is not thinking progressively enough.

Automate everything.

Maybe this means turning on automatic updates (I do this in my low-consequence environments).

Maybe it means something more rigorous (where you automatically update a staging environment, have it automatically validated for correct operation, then trigger the automatic update in the production environment). Reports or e-mail notification should be used so that administrators have visibility into the status of the process.

There are a number of ways to accomplish this automation, from powershell scripts to Software Update Services (SUS)... and especially since you asked this question on stackoverflow and not serverfault, I would recommend that you develop routines to automate as much of the update process as possible.

Failing to do so puts you at risk of not applying updates or applying them improperly. Also, if you're anything like me, you would prefer to wake up at 3am once in a blue moon when updates fail (and you're paged by your update routines), and not wake up at 3am every month to install the updates during low-consequence hours.

Of course, YMMV. Design a process that works best for you, but try not to make too much unnecessary work for yourself.
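The staged pipeline this answer describes (patch staging, validate it, then patch production, with e-mail visibility), written out as an added example that is not the answerer's code. Host names, the health-check URLs, the SMTP server, the mail addresses and the C:\Patching work directory are hypothetical placeholders; it assumes PowerShell remoting is enabled on both hosts, the caller is a local administrator there, and the ScheduledTasks module (Windows Server 2012 or later) is available. One caveat a practitioner runs into immediately: the Windows Update Agent refuses download and install calls that arrive over a remote session, so the install step is not run through Invoke-Command directly but handed to a scheduled task that runs locally as SYSTEM and writes its result to a JSON file.

```powershell
# Added example: staging -> validation -> production patch cycle with mail notification.
# All host names, URLs, addresses and paths below are hypothetical.

$Staging    = 'iis-staging01'
$Production = 'iis-prod01'
$MailFrom   = 'patching@example.com'
$MailTo     = 'oncall@example.com'
$SmtpServer = 'smtp.example.com'
$WorkDir    = 'C:\Patching'   # must match the literal path used inside $LocalInstaller

# Runs LOCALLY on the target host as SYSTEM (the WUA API rejects remote download/install calls).
$LocalInstaller = @'
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$found    = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$coll     = New-Object -ComObject Microsoft.Update.UpdateColl
$titles   = @()
foreach ($u in $found.Updates) {
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$coll.Add($u)
    $titles += $u.Title
}
$code = 2; $reboot = $false                      # 2 = succeeded (nothing to do counts as success)
if ($coll.Count -gt 0) {
    $dl = $session.CreateUpdateDownloader(); $dl.Updates = $coll; [void]$dl.Download()
    $inst = $session.CreateUpdateInstaller(); $inst.Updates = $coll
    $r = $inst.Install()
    $code = $r.ResultCode; $reboot = $r.RebootRequired   # 2 succeeded, 3 succeeded with errors, 4 failed, 5 aborted
}
[pscustomobject]@{ Count = $coll.Count; ResultCode = $code; RebootRequired = $reboot; Titles = $titles } |
    ConvertTo-Json | Set-Content -Path 'C:\Patching\result.json'
'@

function Invoke-PatchCycle {
    param([string]$ComputerName, [string]$HealthUrl)

    $result = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop `
        -ArgumentList $LocalInstaller, $WorkDir -ScriptBlock {
        param($Script, $Dir)
        New-Item -ItemType Directory -Path $Dir -Force | Out-Null
        Remove-Item "$Dir\result.json" -ErrorAction SilentlyContinue
        Set-Content -Path "$Dir\Install-Updates.ps1" -Value $Script
        $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$Dir\Install-Updates.ps1`""
        Register-ScheduledTask -TaskName 'PatchCycle' -Action $action -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
        Start-ScheduledTask -TaskName 'PatchCycle'
        # Poll until the task leaves the Running state, then collect what the local installer wrote.
        do { Start-Sleep -Seconds 30 } while ((Get-ScheduledTask -TaskName 'PatchCycle').State -eq 'Running')
        Unregister-ScheduledTask -TaskName 'PatchCycle' -Confirm:$false
        if (-not (Test-Path "$Dir\result.json")) { throw "installer on $env:COMPUTERNAME wrote no result" }
        Get-Content "$Dir\result.json" -Raw | ConvertFrom-Json
    }

    if ($result.ResultCode -ne 2) {
        throw "${ComputerName}: install returned ResultCode $($result.ResultCode) for $($result.Count) update(s)"
    }
    if ($result.RebootRequired) {
        Restart-Computer -ComputerName $ComputerName -Wait -For WinRM -Timeout 900 -Force
    }
    # Validation gate: the site must answer 200 before the next stage is allowed to run.
    # (Invoke-WebRequest also throws on non-2xx responses, which the caller's catch handles.)
    $resp = Invoke-WebRequest -Uri $HealthUrl -UseBasicParsing -TimeoutSec 30
    if ($resp.StatusCode -ne 200) { throw "${ComputerName}: post-patch health check returned HTTP $($resp.StatusCode)" }
    $result | Add-Member -NotePropertyName Host -NotePropertyValue $ComputerName -PassThru
}

try {
    $stage = Invoke-PatchCycle -ComputerName $Staging    -HealthUrl "http://$Staging/"      # hypothetical URL
    $prod  = Invoke-PatchCycle -ComputerName $Production -HealthUrl "http://$Production/"   # hypothetical URL
    $body  = ($stage, $prod | Format-List Host, Count, RebootRequired, Titles | Out-String)
    Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpServer -Subject 'Patch cycle succeeded' -Body $body
}
catch {
    # Any failure (install error, reboot timeout, failed health check) stops the rollout before
    # the next stage and pages the administrator instead of leaving production half-patched.
    Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpServer -Subject 'Patch cycle FAILED' -Body $_.Exception.Message
    throw
}
```

The important design choice is that production is never touched unless staging both installed cleanly (ResultCode 2) and passed the health check after its reboot; a "succeeded with errors" result (3) deliberately counts as a failure. Replace the single GET with whatever exercises the application paths you actually care about, since a 200 from the default document says little about the site's real health.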