SOLVED

Best Practice for Windows Server 2012 R2 and 2016 for 24/7 Operating Manufacturing System.

%3CLINGO-SUB%20id%3D%22lingo-sub-2211730%22%20slang%3D%22en-US%22%3EBest%20Practice%20for%20Windows%20Server%202012%20R2%20and%202016%20for%2024%2F7%20Operating%20Manufacturing%20System.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2211730%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20about%2060%20Windows%202012%20R2%20and%202016%26nbsp%3B%20servers%20for%2024%2F7%20operating%20manufacturing%20lines.%20These%20servers%20seem%20to%20have%20not%20updated%20at%20all%20since%202018%2C%20I%20have%20to%20plan%20how%20to%20update%20these%20servers%20with%20as%20fast%20as%20I%20can%20but%20impact%26nbsp%3B%20the%20server%20operation%20at%20least.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQuestion%20and%20your%20recommendation%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20My%20plan%20was%20just%20to%20apply%20for%20the%20latest%20Security%20Only%20Patch%20for%20March%202021.%20As%20I%20found%2C%20the%20Security%20Only%20Patch%20is%20not%20cumulative%2C%20but%20some%20say%20I%20don't%20have%20to%20apply%20all%20the%20previous%20month%20security%20patch%2C%20just%20recent%20one%20as%20the%20security%20patch%20itself%20is%20already%20having%20the%20previous%20security%20patches.%20Is%20this%20true%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20For%20the%20new%202012%20R2%20installation%2C%20how%20do%20you%20apply%20patches%20if%20you%20have%20to%20manually%20patch%20them%3F%20Just%20most%20recent%20Security%20Update%20Only%20or%20Monthly%20Rollup%20Update%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20For%20Server%202016%2C%20I%20don't%20see%20any%20Security%20Only%20Update%2C%20but%20only%20Monthly%20Rollup%20Update.%20What%20if%20I%20want%20to%20update%20security%20updates%20only%3F%20The%20servers%20have%20custom%20applications%20running%20coded%20in%20old%20.NET%20and%20others.%20If%20the%20quality%20update%20breaks%20the%20application%2C%20it%20will%20result%20in%20a%20manufacturing%20delay%20and%20it%20can%20be%20disastrous.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20in%20advacne.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2211730%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EUpdate%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2211985%22%20slang%3D%22en-US%22%3ERe%3A%20Best%20Practice%20for%20Windows%20Server%202012%20R2%20and%202016%20for%2024%2F7%20Operating%20Manufacturing%20System.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2211985%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20software%20manufacturer%20should%20maintain%20a%20list%20of%20supported%20patch%20levels%20so%20I'd%20ask%20them%20or%20check%20their%20site%20(Rockwell%20does%20this)%20You%20could%20also%20test%20in%20an%20isolated%20environment.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2212022%22%20slang%3D%22en-US%22%3ERe%3A%20Best%20Practice%20for%20Windows%20Server%202012%20R2%20and%202016%20for%2024%2F7%20Operating%20Manufacturing%20System.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2212022%22%20slang%3D%22en-US%22%3EThat%20will%20not%20be%20possible.%20as%20the%20software%20manufacturer%20won't%20confirm.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20reason%20why%20is%20that%20%2C%20I%20got%20a%20notice%20from%20HQ%20to%20install%20patch%20KB4571723%20(August%2C%202020%20Security%20Only%20Update%20superceded%20by%20KB4578013)%20for%20Remote%20Access%20vulnerability.%3CBR%20%2F%3E%3CBR%20%2F%3EBut%20I%20like%20to%20bring%20up%20the%20patch%20level%20at%20least%20to%2012%2F2020.%20Can%20I%20install%208%2F2020%20~%2012%2F2020%205%20Security%20Only%20Update%20and%20reboot%20once%3F%20I%20am%20not%20sure%20what%20will%20happen%20if%20I%20don't%20install%20the%20Security%20Only%20Updates%20prior%208%2F2020%20or%20skip%20one%20or%20two%20between%20them.%3CBR%20%2F%3E%3CBR%20%2F%3EOften%2C%20IT%20security%20article%20online%20ask%20us%20to%20install%20a%20specific%20month%20Security%20Only%20Update%2C%20so%20I%20guess%20installing%20a%20couple%20month%20updates%20skipping%20others%20may%20not%20break%20the%20system.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hello, 

We have about 60 Windows 2012 R2 and 2016  servers for 24/7 operating manufacturing lines. These servers seem to have not updated at all since 2018, I have to plan how to update these servers as fast as I can but don't impact or break applications running on it. There are lots of old .Net developed applications and PLC software. 

 

Windows 2012 R2 server patch strategy:

So, I liked to apply Security Only Updates to the server, but since the patch has only the month's security patches, I have to apply all security patches from 7/2016 which is almost impossible. 

So, I have to update the server with Monthly Rollup 3/2021 which has cumulative updates from 7/2016. 

 

Question 1. Microsoft says Monthly rollup contains other updates with security updates. Does it contain other updates such as Flash, .Net, and others which may break my old .Net applications installed on the server? I like to update the server up to date, but very least impact on the server. 

 

Question 2. For critical 24/7 operation servers, do you guys install Security Only Update or Monthly Rollup regularly? 

 

Windows 2016 server patch strategy:

Microsoft seems they changed the update scheme and there's only Monthly Rollup.

 

Question 3:

If then, if you want to patch your server with the least risk, how do you patch your 2016 servers? Just apply Montly rollup and have you find any issue?

 

Thank you in advance. 

 

Updates:

 

I patched 30 Windows servers 2012R2/2016 with monthly rollups 1 week ago, no issue so far. 

 

-2012 R2: Feb 2021, 0.5GB, took 15 minutes

-2016: Feb 2021, 1.5GB (You need to install the latest SSU (Servicing Stack update before applying monthly rollup), took 40 mintues. 

 

As I researched, Monthly rollup contains reliability update besides security update, but not .net or other application related updates, so it's quite safe that it will not break existing application states. I had lots of issues the windows update breaking applications with Windows 7/2008, but Microsoft seems doing quite well on making monthly rollup is stable. For .net, it has its own update history and separate channel. 

 

 

 

4 Replies

The software manufacturer should maintain a list of supported patch levels so I'd ask them or check their site (Rockwell does this) You could also test in an isolated environment.

 

 

 

 

That will not be possible. as the software manufacturer won't confirm.

The reason why is that , I got a notice from HQ to install patch KB4571723 (August, 2020 Security Only Update superceded by KB4578013) for Remote Access vulnerability.

But I like to bring up the patch level at least to 12/2020. Can I install 8/2020 ~ 12/2020 5 Security Only Update and reboot once? I am not sure what will happen if I don't install the Security Only Updates prior 8/2020 or skip one or two between them.

Often, IT security article online ask us to install a specific month Security Only Update, so I guess installing a couple month updates skipping others may not break the system.
best response confirmed by sungpill_han (Occasional Contributor)
Solution
 I am not sure what will happen if I don't install the Security Only Updates prior 8/2020

It won't hurt to try, if there's a prerequisite or requirement then the update will throw "not applicable" and exit.

 

 

 

I just patched 30 windows servers 2012 R2 and 2016 with Monthly rollups, didn't have any issues.

For 2012 R2:
Since July 2020, Only security patches have been added to Monthly rollup. So the cumulative update is quite stable. 0.5GB

For 2016:
You need to install the latests SSU (Servicing Stack Update) which helps to install update well, then apply Monthly rollup. 1.5GB

Things to note:
- Windows Monthly rollup doesn't contain .net update, .net update has its own update scheme with quality update and security update. So, it's safe that the monthly rollup won't break the old .net application running on the server.
- Windows server monthly rollup is classfied as 'Security Critical' so, most of updates are security updates and some reliability fix which will not affect applications running. I used to have lots of issues after update for 2008 but it seems like Microsoft did a good job from 2012 for monthly rollup which is stable.

Over all, patching new windows server install or not updated windows server with monthly rollup is the way to go.