I have about 800 machines, a mix of Windows 7, and server versions from 2003 to 2012 R2. The ratio of workstation to server is about 50/50. I have been "trying" my best to get this environment caught up on patches for the last several weeks. Patching has been neglected over the past few years and the environment is kind of all over the place patch-wise. Full disclosure, I'm familiar with WSUS in that I know how to release patches and pull reports, and my knowledge of SolarWinds Patch Manager is about the same. I have yet to become experienced enough with Microsoft patching to work around all the nuisances. For instance, yesterday, I spent an hour trying to figure out why a server was missing four patches. This didn't make sense since I had released all needed/failed patches that either did not have a superseding patch or were the patch that superseded another. What was even more unnerving is that when I looked up the patches that were missing, they were superseded by newer patches (that I had already released). It turns out that Microsoft PULLED the newest version, which is why it did not apply to the machine, causing it to report that the older superseded patches were needed. Very frustrating.
First question: to catch up an environment where patching has been spotty, should I just release ALL "needed/failed" patches, including all the superseded patches that are reported by my machines? What advice would you give on methodically working through this environment to get everything caught up? We are a very small shop and I have many other projects to tend to (I'm sure that sounds familiar to most of you), so I'm looking for the most automated workflow that I can implement. For workstations, I can push updates pretty much weekly without much worry; for servers I would like to get to a regular monthly schedule, which most of my servers can handle on an automated schedule. I'm interested in hearing all points of view from you SolarWinds Patch Manager/WSUS gurus on how you run your patch management solution/s.
Do you use GPOs to let WSUS handle any updating?
Do you exclusively use SPM and always schedule your installs?
Do you approve all needed updates including superseded updates?
What do you do about machines that aren't in your domain, but you still have to patch them?
What about machines that need extra care, such as Exchange, where you can't just let all CAS/HUB and Mailbox servers go off at once?
I'm not really looking for a hugely detailed explanation. I've been in IT for several years, but patching has always been an afterthought at most of my jobs and I was never directly responsible, and when it did come up it was a huge ordeal and a TON of work (after hours, usually) to get the environment patched. I am now, and I am interested in doing this the right way if such a way exists. So high-level advice is what I'm after.
Thanks for your time.
-Bo
Edit:
Environmental Information:
Most machines are in a domain and have SolarWinds WMI providers installed and working, but there are a couple of machines where local admin credentials will need to be used.
WSUS role and SolarWinds 2.0.2207.2 are running on the same 2012 R2 server.
No additional WSUS instances are in the mix.
Message was edited by: Bo S.
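A report-only way to catch the exact situation Bo hit (a needed patch whose only superseding update was pulled by Microsoft, so approving "the newest" can never satisfy the client). This is an added example, not from the original post or from SolarWinds; it uses the WSUS administration API on the WSUS server itself and assumes a local, non-SSL WSUS on the default port and a WSUS admin account.

```powershell
# Added example: for every update that computers still report as needed, show
# whether a superseding update is "live" (approved, not declined, not expired
# by Microsoft). If none is, the supersedence chain is broken and the older
# update has to be approved itself. Nothing is approved or changed by this script.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus     = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()   # assumption: local WSUS, default port
$expired  = [Microsoft.UpdateServices.Administration.PublicationState]::Expired
$relSuper = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate

function Test-LiveUpdate {
    param($u)
    # Live = approved somewhere, not declined, and still published by Microsoft.
    return ($u.IsApproved -and -not $u.IsDeclined -and $u.PublicationState -ne $expired)
}

$report = foreach ($u in $wsus.GetUpdates()) {
    if ($u.IsDeclined) { continue }
    $sum = $u.GetSummary()
    # "Needed" = not installed, downloaded but not installed, or failed on at least one computer.
    $needed = $sum.NotInstalledCount + $sum.DownloadedCount + $sum.FailedCount
    if ($needed -eq 0) { continue }

    $superseders = @()
    if ($u.IsSuperseded) { $superseders = @($u.GetRelatedUpdates($relSuper)) }
    $live = @($superseders | Where-Object { Test-LiveUpdate $_ })

    $status = if (-not $u.IsSuperseded)  { 'current' }
              elseif ($live.Count -gt 0) { 'superseded, live replacement exists' }
              else                       { 'BROKEN CHAIN: approve this one' }

    $superText = ($superseders | ForEach-Object {
        $kb    = $_.KnowledgebaseArticles -join ','
        $state = if (Test-LiveUpdate $_) { 'live' }
                 elseif ($_.PublicationState -eq $expired) { 'expired' }
                 else { 'not approved' }
        '{0} [{1}]' -f $kb, $state
    }) -join '; '

    [pscustomobject]@{
        KB          = ($u.KnowledgebaseArticles -join ',')
        Title       = $u.Title
        Needed      = $needed
        Approved    = $u.IsApproved
        Status      = $status
        Superseders = $superText
    }
}

# Broken chains first: these keep showing as "needed" no matter what you approve upstream.
$report | Sort-Object { $_.Status -notlike 'BROKEN*' }, KB |
    Format-Table KB, Needed, Approved, Status, Superseders -AutoSize
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\wsus-supersedence-report.csv"
```

GetUpdates() walks the whole catalog, so on a large WSUS database this can take a few minutes; the CSV in %TEMP% is the thing to keep between monthly runs.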