Stop pushing SharePoint updates via Windows Update
We all know the poor track record of SharePoint updates (security and non-security) when it comes to quality; still, the updates are pushed via Windows Update, causing all kinds of issues on on-premises farms.
The most common scenario is that IT doesn't really understand SharePoint, so they allow updates via WSUS (or just install them directly) to one or all servers of the farm, causing all kinds of "by-design" issues, as SharePoint Config Wizard needs to be executed to get the farm working properly again, OR the patch first needs to be installed on all SharePoint servers to make it work properly. I don't believe "train your IT" is a valid argument to this as it just keeps on occurring all the time, everywhere. It's like saying "don't crash into other vehicles" and wondering why there still are car crashes.
Another (all too common) scenario is that the update itself causes issues in SharePoint, and there is total radio silence from the MS side as to what happened, how to fix it, when a possible fix is done.
So, please do not push SharePoint updates (security or non-security) via Windows Update.
Bhashwar Bhattarai commented
Danie Claassen commented
If you talk about Windows Update and Microsoft Update... Are you referring to WSUS if you are talking about Microsoft Update?
Thijs Deschepper commented
Agreed. This is currently taking up 50% of my time. Fixing farms which were broken by Windows Updates, unable to add extra servers to a farm because retracted updates are installed on the farm, but cannot be installed on the new server....
Wonderful. So how then do you stop pushing them out through WSUS?
Kim Eldridge commented
We have an environment supporting 6TB of data and 70k users. We have had to give a list of patch names that might be SharePoint related to our patch team in hopes that they won't push them out to our SharePoint environments. Unfortunately there is a huge lack of consistency in the naming convention. The latest one to get pushed to half of our farm was "coreserverloc2010". Now we have to do emergency patching to complete the patch, taking down the entire farm and requesting a 10hr outage unexpectedly for business.
Don't push the patches, and keep the naming convention consistent. I can't tell you how many times I've come in to a problem because the network ops patch team pushed a SharePoint patch because they didn't know better.
Stefan Goßner commented
Microsoft does not ship SharePoint fixes through Windows Update - only through Microsoft Update. If you switched from Windows Update to Microsoft Update, you asked to get security fixes also for products other than Windows - including security fixes for SharePoint.
And you cannot expect Microsoft not to ship security fixes for SharePoint.
So to avoid getting security fixes through Windows Update just switch back to Windows Update from Microsoft Update.
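
The Windows Update versus Microsoft Update distinction in the last comment can be checked on each farm server. The following is an added example, not part of the thread and not Microsoft tooling: a read-only PowerShell check that uses the Windows Update Agent COM API to report whether the server is opted in to Microsoft Update and to list pending updates that look SharePoint-related. The `SharePoint` match pattern is an assumption; as the "coreserverloc2010" report above shows, titles alone are not reliable, so categories are checked as well.

```powershell
# Added example: read-only audit, changes nothing on the server.
# Well-known service ID of Microsoft Update (Windows Update Agent API).
$MicrosoftUpdateId = '7971f918-a847-4430-9279-4a52d1efe18d'
# Assumption: SharePoint-related updates mention this in title or category.
$Pattern = 'SharePoint'

# 1. Which update services is this server registered with?
$manager  = New-Object -ComObject Microsoft.Update.ServiceManager
$services = @($manager.Services)
$services |
    Select-Object Name, ServiceID, IsManaged, IsRegisteredWithAU, IsDefaultAUService |
    Format-Table -AutoSize | Out-Host

$mu = $services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateId }
if ($mu -and $mu.IsRegisteredWithAU) {
    Write-Output 'Microsoft Update is registered with Automatic Updates: non-Windows product updates can be offered.'
} else {
    Write-Output 'Microsoft Update is not registered with Automatic Updates on this server.'
}

# 2. Which pending updates look SharePoint-related? Uses the default
#    update source for this machine (WSUS if the server is managed).
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = @($searcher.Search('IsInstalled=0').Updates)
} catch {
    Write-Warning "Update search failed: $($_.Exception.Message)"
    $pending = @()
}

$hits = foreach ($u in $pending) {
    $categories = @($u.Categories | ForEach-Object { $_.Name })
    if ($u.Title -match $Pattern -or ($categories -match $Pattern)) {
        [pscustomobject]@{
            KB         = (@($u.KBArticleIDs) -join ',')
            Title      = $u.Title
            Categories = ($categories -join '; ')
        }
    }
}

if ($hits) {
    $hits | Format-List | Out-Host
} else {
    Write-Output "No pending updates matched '$Pattern' in title or category."
}
```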