Thursday, January 3, 2008

Patch Management, the restart method

I have been asked many times on various forums how I do my patch management, and I have answered many times. Granted, every organization is different, so take this with a grain of salt. In an organization that works 8am to 5pm, with some people working late or early, and where IT has been given the power to control the machines on Patch Tuesday from 8pm to 6am, here is what I do.

1. My patches are set to pre-authorize and not require any user interaction
2. Patches are approved and set up to install by 4pm on Patch Tuesday
3. A system scan is done at 4:30pm, when I can be assured the computers are on
4. A WOL (Wake-on-LAN) packet is sent to all machines all over the state by 6pm; we have in-house software for this
5. A system scan is done at 7:30pm, when I can be assured the computers are on
6. At 8pm patching starts on all logged-out machines, which are restarted when it completes
7. At 11pm all logged-on machines are patched and restarted when complete
8. At 1am all machines are restarted, scanned, and patched again
9. This is repeated every 3 hours until 5am, when they are all set to stop. This ensures that if a computer failed to install a patch it will retry, and it gets a restart if something happened
10. At 9:30am a system scan is done for the morning report
11. At 10am the patch install is set to install whether logged in or logged out, but it pops up a message asking the user for a restart
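Step 4 relies on in-house Wake-on-LAN software. As an added illustration that is not the author's tool, the following Python builds and sends the standard WOL magic packet (6 bytes of 0xFF followed by the target MAC repeated 16 times) and validates an inventory before anything is sent, so a mistyped MAC in the list is reported rather than silently skipped. The inventory rows, hostnames and the subnet-directed broadcast addresses are constructed sample values; sending across routed subnets, as "all over the state" implies, assumes the routers forward directed broadcasts to those addresses.

```python
import re
import socket

WOL_PORT = 9  # conventional discard port used for magic packets


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455; return 6 raw bytes."""
    cleaned = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", cleaned):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(cleaned)


def build_magic_packet(mac: str) -> bytes:
    """Magic packet: synchronization stream of six 0xFF bytes, then the MAC 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def validate_inventory(rows):
    """Split inventory rows into (valid, invalid) so bad entries are reported, not dropped.

    Each row is (hostname, mac, directed_broadcast_address).
    """
    valid, invalid = [], []
    for hostname, mac, broadcast in rows:
        try:
            parse_mac(mac)
            valid.append((hostname, mac, broadcast))
        except ValueError as exc:
            invalid.append((hostname, str(exc)))
    return valid, invalid


def send_magic_packet(mac: str, broadcast: str, port: int = WOL_PORT) -> int:
    """Send one magic packet to a subnet-directed broadcast address; returns bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


def wake_inventory(rows):
    """Wake every valid machine in the inventory; return (sent hostnames, rejected rows)."""
    valid, invalid = validate_inventory(rows)
    for hostname, mac, broadcast in valid:
        send_magic_packet(mac, broadcast)
    return [hostname for hostname, _, _ in valid], invalid


# Constructed sample inventory (hypothetical hosts, MACs and subnet broadcasts).
SAMPLE_INVENTORY = [
    ("WS-CAPITOL-01", "00:11:22:33:44:55", "10.10.1.255"),
    ("WS-NORTH-07", "00-11-22-33-44-56", "10.20.1.255"),
    ("WS-SOUTH-12", "0011.2233.4G57", "10.30.1.255"),  # bad hex digit on purpose
]

if __name__ == "__main__":
    ok, bad = validate_inventory(SAMPLE_INVENTORY)
    print(f"{len(ok)} machines ready to wake, {len(bad)} rejected: {bad}")
```

Run it with `wake_inventory(SAMPLE_INVENTORY)` from a host on the management network; the module only validates when executed directly, so no packets leave the box until you call the send function deliberately.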


Outside of this we have a collection for each MS07-0XX patch and a collection of machines whose scan package version is the previous one. This is so we can target HTA popup messages. On unscanned machines (scan package version is current minus 1) we push a message box as soon as the machine comes online, so the user understands that a scan is about to start and then a patch install will begin. On Thursday we send a popup to the MS07-0XX patch sub-collections telling the user they are missing a patch and to be aware that it will attempt to install. If they receive it more than 3 times they are to notify us; this means a patch is having an issue and IT needs to check it out.
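The two targeting rules above (machines one scan package version behind, and machines that have been nagged about the same bulletin more than 3 times) are simple to express as code. The following Python is an added example, not the author's SMS collections or HTA scripts; it runs the same logic over a constructed inventory and a constructed popup log so the "more than 3 times" failure signal is produced automatically instead of relying on the user to call in. Hostnames, bulletin IDs and log lines are sample values.

```python
from collections import Counter

# Constructed inventory: hostname -> scan package version last reported.
SAMPLE_INVENTORY = {
    "WS-CAPITOL-01": 14,
    "WS-NORTH-07": 13,
    "WS-SOUTH-12": 13,
    "LT-FIELD-03": 11,   # laptop that has been off the network a long time
}
CURRENT_SCAN_VERSION = 14

# Constructed popup delivery log: "date,hostname,bulletin,event".
SAMPLE_POPUP_LOG = """\
2008-01-10,WS-NORTH-07,MS07-0XX,popup
2008-01-10,WS-SOUTH-12,MS07-0XX,popup
2008-01-11,WS-NORTH-07,MS07-0XX,popup
2008-01-11,WS-SOUTH-12,MS07-0XX,installed
2008-01-14,WS-NORTH-07,MS07-0XX,popup
2008-01-15,WS-NORTH-07,MS07-0XX,popup
2008-01-15,WS-CAPITOL-01,MS07-0YY,popup
""".splitlines()


def unscanned_targets(inventory, current_version):
    """Machines at exactly current-1, mirroring the 'previous scan version' collection.

    Anything further behind is returned separately: it has missed more than one
    cycle and deserves a look rather than just the 'scan is starting' message.
    """
    previous = sorted(h for h, v in inventory.items() if v == current_version - 1)
    stale = sorted(h for h, v in inventory.items() if v < current_version - 1)
    return previous, stale


def count_popups(log_lines):
    """Count popup deliveries per (hostname, bulletin) from the delivery log."""
    counts = Counter()
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        _date, host, bulletin, event = line.split(",")
        if event == "popup":
            counts[(host, bulletin)] += 1
    return counts


def repeated_failures(log_lines, threshold=3):
    """Pairs that received the missing-patch popup more than `threshold` times."""
    return sorted(
        (host, bulletin, n)
        for (host, bulletin), n in count_popups(log_lines).items()
        if n > threshold
    )


if __name__ == "__main__":
    prev, stale = unscanned_targets(SAMPLE_INVENTORY, CURRENT_SCAN_VERSION)
    print("send 'scan starting' popup to:", prev)
    print("investigate (more than one version behind):", stale)
    for host, bulletin, n in repeated_failures(SAMPLE_POPUP_LOG):
        print(f"{host}: {bulletin} popup sent {n} times, patch likely failing")
```

The threshold defaults to the post's 3, and the "stale" bucket is the only addition beyond the post's rules: a machine more than one scan version behind is usually the laptop or closet PC mentioned below, and it is worth listing separately rather than waiting for it to fall into the previous-version collection.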

This requires many complex collections and advertisements, but we can have more than 80% of machines patched the night of Patch Tuesday and then catch the rest later. Those stragglers could be laptops, computers in closets, or messed-up machines.