Mass patching 300+ servers that have never been patched RRS feed

  • Question

  • Hi,

    I've taken onboard the massive task of updating our companies servers that have rarely (or never) been patched.  It is something that unfortunately has been severely neglected over the past few years (before my time).

    I have a full ongoing monthly schedule worked out and planned (using SCCM of course), so that is under control... The problem now is how to update 300 odd servers that almost all require 200+ patches for each. the servers are made up of 2008R2, 2012, and 2012 R2. 

    The past week I've built up a number of test servers & have rolled out the patches to the test servers using SCCM.  I've had mixed success.  The simple fact is that there are way too many updates involved for it to work seamlessly. The amount of reboots varies, and there's always a number of updates that fail that need redoing.  All in all it is taking a couple of days to update a server which will just take too much man power to cope with this many servers.

     FYI the number of patches needed on my 'test' servers that resemble production are like this:

    2008R2 = 199 updates required
    2012 = 186 updates required
    2012R2 = 182 updates required.

    Does any one have any suggestions on how to better tackle this situation ?  I've considered looking for 'rollups' or 'service packs' but I think these will only go so far, and the effort involved in getting them into SCCM to cater for an easily 'chained' type deployment approach may just be too much effort & complication.

    Any ideas outside the box are welcome. 


    Monday, June 6, 2016 7:58 AM


  • I would approach this by creating Software Update Groups based on release dates in either 6 or 12 month increments and then slowly schedule the deployments so you bring your servers up to compliance over a period of time. There really isn't going to be a nice easy way of doing it in one big hit.



    • Proposed as answer by Frank Dong Sunday, July 3, 2016 4:35 AM
    • Marked as answer by Frank Dong Wednesday, July 6, 2016 8:58 AM
    Monday, June 6, 2016 8:55 AM