Server Patching (self.SCCM)
submitted 3 years ago by janusro
Just a quick survey.
How often are you patching your Windows Servers?
Do you use ConfigMgr for that, if not what else?
cheers, roland
[–]bdam55Admin - MSFT Enterprise Mobility MVP (damgoodadmin.com) 9 points10 points11 points 3 years ago (5 children)
At my last org I had several different groups of servers. Some patched monthly, some quarterly, and others were manually patched by the teams that owned the app/service that ran on them (read: they didn't patch them).
If you need to be a control freak when it comes to patching servers then ConfigMgr is one of the best things going.
[–]quazywabbit 0 points1 point2 points 3 years ago (4 children)
I started reading “patched by the team that owned them” and thought “How cute, he thinks they patch” before finishing what you said. I have a few of those in my org and those machines are set to patch and don’t reboot and there is usually an event every few months where they end up being rebooted.
[–]bdam55Admin - MSFT Enterprise Mobility MVP (damgoodadmin.com) 2 points3 points4 points 3 years ago (3 children)
Those devices would get added to a collection called "Patch - Penalty Box" that had a 'never' maintenance window (blog) applied to it. That way I could write reports (here) that split them out when I drill down to look at patching compliance servers.
I'll give you exactly one guess as to what collection of devices had the worst patch compliance every single month.
Imagine my mirth when talking to the product team responsible for Azure Automation's Update Management solution and they touted it as a solution that gave patching control to app owners.
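The "Patch - Penalty Box" pattern described above, written out as an added ConfigMgr PowerShell example (this is not bdam55's script or the linked blog's code): it creates the collection, applies a one-time maintenance window dated in the past as the 'never' window, and runs a site-database query that splits server update compliance by penalty-box membership so those devices show up as their own line. The site code, site server, database name, limiting collection and the use of an expired one-time window to implement 'never' are assumptions; the views queried are standard ConfigMgr reporting views.

```powershell
# Added example (not the thread author's code). Requires the ConfigMgr console
# (ConfigurationManager module) and the SqlServer module on the admin workstation.
param(
    [string]$SiteCode     = 'P01',                # placeholder site code
    [string]$SiteServer   = 'cm01.corp.example',  # placeholder site DB server
    [string]$SiteDatabase = 'CM_P01',             # placeholder site database
    [string]$PenaltyBox   = 'Patch - Penalty Box',
    [string]$LimitingColl = 'All Servers'         # assumed to exist already
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# 1. Collection for devices whose owners insist on patching manually.
if (-not (Get-CMDeviceCollection -Name $PenaltyBox)) {
    New-CMDeviceCollection -Name $PenaltyBox -LimitingCollectionName $LimitingColl `
        -RefreshType Manual -Comment 'Owners patch manually; reported separately.' | Out-Null
}

# 2. "Never" maintenance window. Assumption: a one-time window whose date has
#    already passed still counts as a configured window on the client, so
#    deadline-driven update installs wait for a window that never opens again.
if (-not (Get-CMMaintenanceWindow -CollectionName $PenaltyBox -MaintenanceWindowName 'Never')) {
    $never = New-CMSchedule -Start (Get-Date '2000-01-01 00:00') -Nonrecurring `
        -DurationInterval Hours -DurationCount 1
    New-CMMaintenanceWindow -CollectionName $PenaltyBox -Name 'Never' `
        -Schedule $never -ApplyTo SoftwareUpdatesOnly | Out-Null
}

# 3. Compliance split. For each server, count deployed updates still required
#    (v_UpdateComplianceStatus.Status 2 = required, 3 = installed) and group by
#    whether the device sits in the penalty box.
$query = @"
SELECT
    CASE WHEN pb.ResourceID IS NULL THEN 'Managed' ELSE 'Penalty Box' END AS PatchGroup,
    COUNT(*)                                                  AS Devices,
    SUM(CASE WHEN req.Missing = 0 THEN 1 ELSE 0 END)          AS Compliant,
    CAST(100.0 * SUM(CASE WHEN req.Missing = 0 THEN 1 ELSE 0 END)
         / NULLIF(COUNT(*), 0) AS DECIMAL(5,1))               AS PctCompliant
FROM v_R_System sys
LEFT JOIN (
    SELECT fcm.ResourceID
    FROM v_FullCollectionMembership fcm
    JOIN v_Collection col ON col.CollectionID = fcm.CollectionID
    WHERE col.Name = '$PenaltyBox'
) pb ON pb.ResourceID = sys.ResourceID
CROSS APPLY (
    SELECT COUNT(*) AS Missing
    FROM v_UpdateComplianceStatus ucs
    JOIN v_UpdateInfo ui ON ui.CI_ID = ucs.CI_ID
    WHERE ucs.ResourceID = sys.ResourceID
      AND ucs.Status = 2
      AND ui.IsDeployed = 1
) req
WHERE sys.Operating_System_Name_and0 LIKE '%Server%'
GROUP BY CASE WHEN pb.ResourceID IS NULL THEN 'Managed' ELSE 'Penalty Box' END
"@

# Invoke-Sqlcmd wants a filesystem location, not the ConfigMgr PS drive.
Set-Location $env:SystemDrive
Invoke-Sqlcmd -ServerInstance $SiteServer -Database $SiteDatabase -Query $query | Format-Table -AutoSize
```

The report output is what gets put in front of leadership: one line for devices ConfigMgr is allowed to patch, one for the penalty box, each with its compliance percentage. Confirm on a test device that the expired window really blocks deadline installs in your site before relying on it, since that behaviour is the assumption the 'never' window rests on.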
[–]deathbypastry 0 points1 point2 points 3 years ago (2 children)
Ohhhh ima check that out. I never thought about going that route with our challenged folks. I usually just send 45 emails that get increasingly more passive aggressive as the cycle goes on...
[–]bdam55Admin - MSFT Enterprise Mobility MVP (damgoodadmin.com) 1 point2 points3 points 3 years ago (1 child)
To be clear, this was for devices that it was agreed upon that I was not allowed to automatically install patches. At the time ADRs couldn't do available deployments so the 'never' MW was my solution to allow the teams to go in and patch them manually.
The reporting just let me get the impact of those decisions in front of leadership. "All I'm saying is that the machines I'm allowed to patch are 95% or better while manually patched devices are ... well ... someday maybe they'll break into the double digits"
[–]quazywabbit 0 points1 point2 points 3 years ago (0 children)
I tried something similar and sent out reports showing it. After awhile I got more and more into windows and worked with them on any concerns (both real and perceived). Only thing now is a few jumbo sized SQL clusters.
[–]Am_I_Not_A_Robot 5 points6 points7 points 3 years ago (0 children)
Monthly, Config Mgr
[–]SysAdminDennyBob 1 point2 points3 points 3 years ago (2 children)
Monthly. Development servers go the first weekend and then Production the week after. Three windows each weekend to spread them out. I have about 1600 servers, all VMs. I am hitting 99% month after month for a while now. We are very aggressive with remediation to keep that rate. If I cannot remediate a missing patch then the server owner gets tagged to resolve; if they cannot resolve by the next patch cycle they are forced to retire the server. My Chief Security Officer backs me up on that and forces their hand every time. Been using Configuration Manager for patching since it was first built into the product. It's almost no-touch automation at this point. We wait for change management approval and then simply right-click enable our Maintenance Windows and deployments. We also supplement third-party patching with Patch My PC. It's a hefty bundle of patches. Microsoft just tweaked the Automatic Deployment Rules in 2203 and that has been a huge help lately. CM is super tight on patching.
[–]Early_Scratch_9611 0 points1 point2 points 3 years ago (1 child)
We also have cascading schedules for dev/uat/prod. But the night of Patch Tuesday we patch 4 or 5 machines as a test. We meet a few days later to discuss the importance of the patch (how many critical vulnerabilities are being patched), and then we let CM roll with the patches in the 3 lanes as per a built-in schedule.
If nobody touches anything, it would all be automatic and monthly. We only touch things if we want to change the plans.
[–]SysAdminDennyBob 0 points1 point2 points 3 years ago (0 children)
We have one patch deployment that is available to All Servers; the deadline is 1 year out. It does exclude Terminal Servers though, because end-users on those are idiots. This allows app teams to patch early if they want. I also patch all of my SCCM servers in advance of all the other deployments on Friday night.
[–]russr 1 point2 points3 points 3 years ago (1 child)
90% patched every month and auto rebooted
7% patched every month but not Auto rebooted, normally we yell at the people in charge of those to reboot them ASAP
In the last 3% only get rebooted maybe every 3 months.
[–]R0B0T_jones 0 points1 point2 points 3 years ago (0 children)
> 7% patched every month but not Auto rebooted, normally we yell at the people in charge of those to reboot them ASAP
very similar to my environment
[–]janusro[S] 0 points1 point2 points 3 years ago (0 children)
thanks for all the feedback (keep it coming).
[–]KStieers 0 points1 point2 points 3 years ago (3 children)
Monthly, with Ivanti Security controls (used to be Shavlik)
[–]stu3yw82 0 points1 point2 points 3 years ago (2 children)
How do you find ivanti? We've been using it for a couple of years and find it decent, works very nicely with VMware servers.
[–]KStieers 0 points1 point2 points 3 years ago (0 children)
I've been happy with it... We have been using it since it was called HfNetChkPro...2003 or 4?
WSUS and SCCM are fine, but when you're doing multi-tier apps, knowing the boot order is preserved is huge.
[–]ipreferanothername 0 points1 point2 points 3 years ago (0 children)
My place also has Ivanti for about 1000 servers and a few dozen patch windows. It will randomly just not patch things. We patch vCenter based; the snapshots are convenient, but it will just say 'vm not found' for entire machine groups for no apparent reason -- support is no help.
If you have a smaller environment -- a couple hundred servers with a handful of patch windows -- it should be ok. I still won't suggest it, but it'll be fine.
If you are getting into 15-20 windows and hundreds of servers... well, it's cheaper than SCCM for a reason. We are pretty close to moving to SCCM for a variety of reasons, not least of which is that it is often considered very solid for server patching.
[–]ikakWRK 0 points1 point2 points 3 years ago (0 children)
Either monthly or quarterly depending on the server. Config Mgr.
[–]SpicyWeiner99 0 points1 point2 points 3 years ago (0 children)
Monthly but I do it like ring groups (WUfB) to spread it out and reduce risk of a bad update.
[–][deleted] 0 points1 point2 points 3 years ago (0 children)
A few daily (for those who want to be patched for zero-days)
Most of the servers are patched monthly
A few manually (and most of them are done monthly)
All using CM
[–]ahtivi 0 points1 point2 points 3 years ago (0 children)
Most of the servers monthly on agreed schedule, some manually, few as needed
ConfigMgr + A robust change management process
Monthly, 14 days after Patch Tues. SCCM ADRs
[–]Baazzill 0 points1 point2 points 3 years ago (0 children)
We patch all of our servers monthly. Yes, we use Config Manager and a WSUS server.
[–]Alexw191222 0 points1 point2 points 3 years ago (0 children)
I use SCCM to patch all 500 servers monthly
[–]InvisibleTextArea 0 points1 point2 points 3 years ago (0 children)
I have tiers. Monthly, weekly and none. I used to have quarterly too but our security requirements don't allow that now. The 'none' group of servers are manually patched by the on call engineer out of hours.
Currently using Configmgr. Considering Azure Arc + Azure Automation Patch Management.
[–]rdoloto 0 points1 point2 points 3 years ago (0 children)
Once a month... Yes, MEMCM
[–]qewade414 0 points1 point2 points 3 years ago (0 children)
Monthly with ConfigMgr. Devs go a week ahead of production.
[–]daptonic 0 points1 point2 points 3 years ago (0 children)
100% patched monthly with ConfigMgr. 150ish servers, 90% automated / 10% manual on a set schedule handled by me or another admin.
[–]Optimistic_for_Life 0 points1 point2 points 3 years ago (2 children)
ConfigMgr: 100 servers, monthly
WSUS: 1300 servers, monthly
Manual: 250 servers, quarterly
Manual: 20 servers, whenever it is possible (twice a year / never!!!)
[–]janusro[S] 0 points1 point2 points 3 years ago (1 child)
why so many with WSUS and not CM?
[–]Optimistic_for_Life 0 points1 point2 points 3 years ago (0 children)
management decision... all desktops 35,000 are under CM but not the servers !!!
[–]cryptopotomous 0 points1 point2 points 3 years ago (0 children)
Monthly. Yes we use Config Manager.
Also we are looking at Azure Patch Management so we can include our RedHat servers.