Patch Manager Deployment Questions and other Patch Manager Questions

Hello Everyone -

I am looking for information and some guidance from others who have deployed Patch Manager. We recently deployed this over the past year and are running into a few issues that I am hoping someone here can assist with.

WSUS Setup - We currently have dedicated WSUS servers in both of our data centers, using a SQL back end. One is the main WSUS server and one is the downstream server.

Patch - We have one server that is dedicated to Patch Manager right now. 

This past weekend we added 250-300 Pre-Production nodes for patching and the Patch Manager server slowed down quite a bit. The patching team will normally watch the patching tasks go by in one of the windows, and when they did this push the window did not update, or it did very slowly. We only patch Windows servers with Patch Manager right now; we utilize SCCM for patching workstations.

Questions, and I am looking for input:

1. If you patch a large number of nodes, what does your Patch Manager deployment look like? Do you use one main server and then configure downstream servers from there?

2. Do you patch anything hosted at Azure, RackSpace, or AWS? If so, did you set up downstream servers, or do they all connect to your main patch server?

3. How do you have all of your servers sized out for this?

If you have any other kind of information that we could utilize, that would be great. We have done a call or two with Solarwinds to go over Patch Manager, but we are looking for how this works out in the real world.

Thanks everyone!


  • Our setup sounds quite similar. We have a primary WSUS and a downstream (the downstream hosted in Asia, the primary in the UK). A single dedicated PM server, and we have just under 400 nodes, about 30 of which are on the downstream in Asia. We are entirely on-prem, so nothing in the cloud is being patched, but I do have 2 devices off-domain in the DMZ which I had to add local creds to the ring for.

    I haven't noticed any additional slowness compared to if I'd manually installed, although I have over 100 schedules that break everything up over the month and run 3 passes for each collection, each with a specific task (e.g. pass 1 installs only security patches and criticals with no reboot; the 2nd gives priority to exclusive updates but, if there are none, will install anything that's been approved; and the 3rd pass is to mop up anything not taken and to rerun failures, then force a reboot). This 3-pass system took some testing over the past few months to get right and has made an improvement in reducing reboots (which on 2016/19 for some reason can take up to 2 hours on our VMs, so doing this multiple times caused updates to extend into production hours) and in mopping up failures.

    I will say though that after the last PM update our Patch Manager is no longer pushing new data to its DB - the DB has gone blank, which I use to produce all our stats through SWQL queries, although it is still patching. It's obviously pushing data somewhere, but it's not the local SQL Express, and the remote DB is registering hits from the account; just all the tables remain blank.
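    The three-pass scheme described in the reply above, modelled as a small added Python script so the pass rules can be traced on sample data. This is not Patch Manager code or its API; the update records are constructed, and the rules (exclusive updates held back to pass 2 and installed alone, failures retried only in pass 3) are one reading of the post, not the poster's actual configuration.

```python
"""Model of a three-pass patch schedule (constructed example, not Patch Manager code).

Pass 1: security and critical updates only, no reboot.
Pass 2: an exclusive update if one is pending (installed on its own), otherwise
        everything approved that has not yet been tried.
Pass 3: mop up anything still pending, rerun failures, then force a reboot.
"""
from dataclasses import dataclass


@dataclass
class Update:
    kb: str                    # placeholder identifier, not a real KB number
    classification: str        # e.g. "Security", "Critical", "Update"
    approved: bool = True      # approved in WSUS for this collection
    exclusive: bool = False    # must be installed alone (no other updates in the run)
    installed: bool = False
    failed: bool = False       # last attempt in this cycle failed


@dataclass
class PassPlan:
    pass_no: int
    updates: list              # KB ids selected for this pass, in catalog order
    force_reboot: bool


SECURITY_CLASSES = {"Security", "Critical"}


def pending(catalog):
    """Approved updates that are not yet installed (failed ones stay pending)."""
    return [u for u in catalog if u.approved and not u.installed]


def plan_pass(catalog, pass_no):
    todo = pending(catalog)
    if pass_no == 1:
        # Assumption: exclusive updates are deferred to pass 2 so they install alone.
        chosen = [u for u in todo if u.classification in SECURITY_CLASSES
                  and not u.exclusive and not u.failed]
        return PassPlan(1, [u.kb for u in chosen], force_reboot=False)
    if pass_no == 2:
        exclusive = [u for u in todo if u.exclusive and not u.failed]
        if exclusive:
            # Exclusive updates cannot share a run; take only the first one.
            return PassPlan(2, [exclusive[0].kb], force_reboot=False)
        chosen = [u for u in todo if not u.failed]
        return PassPlan(2, [u.kb for u in chosen], force_reboot=False)
    if pass_no == 3:
        # Everything still pending, including earlier failures, then reboot.
        return PassPlan(3, [u.kb for u in todo], force_reboot=True)
    raise ValueError(f"unknown pass {pass_no}")


def apply_results(catalog, plan, results):
    """Record the outcome of a pass; results maps kb -> True (installed) / False (failed)."""
    by_kb = {u.kb: u for u in catalog}
    for kb in plan.updates:
        ok = results.get(kb, False)
        by_kb[kb].installed = ok
        by_kb[kb].failed = not ok


def run_cycle(catalog, results_by_pass):
    """Plan and apply passes 1-3 in order; returns the three plans."""
    plans = []
    for n in (1, 2, 3):
        plan = plan_pass(catalog, n)
        plans.append(plan)
        apply_results(catalog, plan, results_by_pass.get(n, {}))
    return plans


def build_sample_catalog():
    # Constructed update records; the KB ids are placeholders.
    return [
        Update("KB5001", "Security"),
        Update("KB5002", "Critical", exclusive=True),
        Update("KB5003", "Update"),
        Update("KB5004", "Update", approved=False),
        Update("KB5005", "Security"),
    ]


def demo():
    """One simulated month: KB5005 fails in pass 1 and is retried in pass 3."""
    catalog = build_sample_catalog()
    simulated_results = {
        1: {"KB5001": True, "KB5005": False},
        2: {"KB5002": True},
        3: {"KB5003": True, "KB5005": True},
    }
    plans = run_cycle(catalog, simulated_results)
    return plans, catalog


if __name__ == "__main__":
    for plan in demo()[0]:
        print(f"pass {plan.pass_no}: {plan.updates} reboot={plan.force_reboot}")
```

    Running the script shows the exclusive update landing alone in pass 2 and the pass-1 failure picked up again in pass 3, which is the behaviour the reply credits with fewer reboots spilling into production hours.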

  • Thank you. I shared this with our patching team and let them know to hop on into THWACK. 
