By Joseph Yedid
As of late I have had to create a bunch of fresh VMs and patch them up. It just so happens that one of those VMs was a new domain controller (DC). All of the patching was done by pushing out updates via Configuration Manager. As most people will know, patching a fresh operating system (OS) is a very long task as it requires a lot of updates since the initial release. The patching of the new DC stalled at 0% during the reboot process. Ultimately, the OS never progressed past this point and rolling back was also a failed attempt.
I wasn’t sure what was going on, but we did lose the DC and I had to spin up a new one.
A few weeks later I was tasked with creating a new VM for testing a web application. Again, I had to patch this VM from the ground up, but it was another failed patch job. What the hay was going on here?? Losing VMs left and right to patching?? I had to redo this VM and, you guessed it, lost it to patching. Something was very wrong.
One thing to note about these VMs was that they were all running Windows Server 2012 R2.
I spun up another VM and decided not to patch it with Configuration Manager this time. Instead, I used Windows Update to see exactly which KBs were being installed and their file sizes.
After seeing the list of required updates (1.2 GB initially for a fresh install of Windows Server 2012 R2), I noticed KB3000850 – 751 MB (available for Windows 8.1 and Server 2012 R2). Boy, that’s a big patch! I almost forgot it was released back in November 2014.
In doing some research, it turns out there are potentially 2 issues at hand:
1) Trying to install too many patches all at once causes the update process to get overwhelmed and stall out.
2) KB3000850 is the cause behind it.
Doing incremental patching with Windows Update, 25-30 patches at a time, and then installing KB3000850 alone seems to have done the trick. KB3000850 basically doesn’t play well with other patches. Being as large as it is, this doesn’t really surprise me.
The solution: I had to create a base VM that is patched up to and including KB3000850. All other patches after that can be installed through Windows Update or Configuration Manager with no issues or fear of crashing.
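The batching approach described above can be scripted against the Windows Update Agent COM API. This is an added example, not the author's script: the function name `Install-NextUpdateBatch` and its parameters are hypothetical, and the batch size of 25 and the KB number are taken from the post.

```powershell
# Added example: run in an elevated PowerShell session on the server itself.
# Install-NextUpdateBatch is a hypothetical name; 25 and 3000850 come from the post.
function Install-NextUpdateBatch {
    param([int]$BatchSize = 25, [string]$IsolatedKB = '3000850')

    $session  = New-Object -ComObject Microsoft.Update.Session
    $criteria = "IsInstalled=0 and Type='Software' and IsHidden=0"
    $pending  = @($session.CreateUpdateSearcher().Search($criteria).Updates)
    if ($pending.Count -eq 0) { Write-Host 'No pending updates.'; return }

    # Hold the large rollup back so it is never mixed into a batch with other patches.
    $isolated = @($pending | Where-Object { @($_.KBArticleIDs) -contains $IsolatedKB })
    $others   = @($pending | Where-Object { @($_.KBArticleIDs) -notcontains $IsolatedKB })

    # Work through the other patches first; once none are left, the rollup goes in alone.
    if ($others.Count -gt 0) { $batch = @($others | Select-Object -First $BatchSize) }
    else                     { $batch = $isolated }

    $coll = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $batch) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$coll.Add($u)
        Write-Host ("Queued: {0}" -f $u.Title)
    }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $coll
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $coll
    $result = $installer.Install()

    # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted
    [pscustomobject]@{
        InBatch        = $coll.Count
        ResultCode     = $result.ResultCode
        RebootRequired = $result.RebootRequired
        LeftForLater   = $pending.Count - $coll.Count
    }
}

Install-NextUpdateBatch -BatchSize 25
```

Reboot whenever `RebootRequired` is true and run the function again until it reports no pending updates.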
Overall, there has to be a better patching solution. If possible, having KB3000850 set so that it does not install with other patches would seem reasonable.