I'm looking for suggestions on patching:
1. Schedule - How often do you patch?
2. Do you notify your users before patching?
3. Timeout Action - How many times do you prompt your users before restarting?
4. How do you stop Windows from managing updates? Since we have moved to KACE, many of our users are receiving feature updates automatically, because we have removed the agent that used to manage these updates.
5. Any other suggestions?
Answer Chosen by the Author
I work at Dickinson College and we put together a page that informs users of our update policies. The answers to questions 1, 2, and 3 for all of our scenarios can be found on that page:
We stop Windows from managing updates via Group Policy. We are, however, moving towards using Group Policy to control updates in a more granular manner to supplement patches coming from KACE, in particular controlling Feature Updates and when they are applied. We also use Group Policy to set the Office update channels to establish early adopters/testers and production computers.
We took a lot of time to develop the schedules and their settings and collected feedback from users. Working in a higher education environment makes it more difficult for us to just put policies in place than it would be in a corporate one, but raising the importance of security helped.
Dickinson is also highly focused on sustainability, with a goal of being carbon neutral by 2020, which meant balancing when computers are powered on with our patching requirements. We push BIOS power-on settings using Dell CCTK to match when machines should be on for patching and also use energy policies to hibernate machines. The smart labels which push those settings are configured to allow exceptions and only apply where necessary, e.g. we don't set laptops to power on for patching.
I recommend setting up a default patching schedule in this manner:
Create a smart label that includes any machine that doesn't have a label applied whose name ends in "Patching" (we call this label "Patch Production").
Create other labels for your patching schedules that end with the word "Patching", e.g. "Lab Patching", "Admissions Patching" (they're special), "Test Patching", etc. And yes, we even have a "No Patching" label for very special people.
This setup automatically places machines into a default patching schedule, and our technicians then add the necessary labels to those machines which require exceptions. Those patching labels can also be smart labels, e.g. computers in the Admissions department are in the Admissions OU, an LDAP label is applied to those machines, and a smart label applies the "Admissions Patching" label to the machines with the Admissions Department LDAP label.
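The answer above keeps Windows from installing Feature Updates on its own schedule by using Group Policy, but does not show which settings do that. The following PowerShell is an added example, not code from the post or from Dickinson College: it writes the registry values that the "Windows Update for Business", "Configure Automatic Updates" and Office "Update Channel" policies set (the keys under HKLM\SOFTWARE\Policies that Group Policy populates), and then reads them back so you can confirm what is actually in effect on a machine. On domain-joined machines the values should come from a GPO, which will overwrite anything set locally at the next refresh; run this on a lab box or use only the report function on production systems. The function names, the 90-day/7-day deferral periods and the "22H2" target release are my assumptions, not values from the post.

```powershell
# Added example (not from the original post): mirror the Windows Update / Office policy
# registry values that the Group Policy settings described above write, then audit them.
#Requires -RunAsAdministrator

$WuPolicy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy     = "$WuPolicy\AU"
$OfficePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'

function Set-PolicyValue {
    # Create the policy key if needed and write one value (DWord unless told otherwise).
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Set-FeatureUpdateControl {
    # Mirrors "Select when Preview Builds and Feature Updates are received" (defer N days)
    # and "Select the target Feature Update version" (pin a release so the machine stays
    # there until an admin changes the value). Defaults below are assumptions for the example.
    param(
        [int]$DeferFeatureDays   = 90,            # policy accepts 0-365
        [int]$DeferQualityDays   = 7,             # policy accepts 0-30
        [string]$TargetRelease   = '22H2',        # assumed release string
        [string]$ProductVersion  = 'Windows 10'   # needed alongside the release on newer builds
    )
    Set-PolicyValue $WuPolicy 'DeferFeatureUpdates' 1
    Set-PolicyValue $WuPolicy 'DeferFeatureUpdatesPeriodInDays' $DeferFeatureDays
    Set-PolicyValue $WuPolicy 'DeferQualityUpdates' 1
    Set-PolicyValue $WuPolicy 'DeferQualityUpdatesPeriodInDays' $DeferQualityDays
    Set-PolicyValue $WuPolicy 'TargetReleaseVersion' 1
    Set-PolicyValue $WuPolicy 'TargetReleaseVersionInfo' $TargetRelease 'String'
    Set-PolicyValue $WuPolicy 'ProductVersion' $ProductVersion 'String'
}

function Set-AutomaticUpdateSchedule {
    # Mirrors "Configure Automatic Updates": AUOptions 4 = auto download and schedule the
    # install; NoAutoRebootWithLoggedOnUsers stops Windows rebooting under a logged-on user,
    # so the reboot prompts driven by the KACE patch schedule stay in control.
    param([int]$Day = 0, [int]$Hour = 3)   # 0 = every day, 3 = 03:00 local time (assumed)
    Set-PolicyValue $AuPolicy 'NoAutoUpdate' 0
    Set-PolicyValue $AuPolicy 'AUOptions' 4
    Set-PolicyValue $AuPolicy 'ScheduledInstallDay' $Day
    Set-PolicyValue $AuPolicy 'ScheduledInstallTime' $Hour
    Set-PolicyValue $AuPolicy 'NoAutoRebootWithLoggedOnUsers' 1
}

function Set-OfficeUpdateChannel {
    # Mirrors the Office "Update Channel" policy; use a faster channel for the early
    # adopter/tester machines and a slower one for production, as the answer describes.
    param(
        [ValidateSet('Current', 'CurrentPreview', 'MonthlyEnterprise', 'SemiAnnual', 'SemiAnnualPreview')]
        [string]$Channel = 'SemiAnnual'
    )
    Set-PolicyValue $OfficePolicy 'updatebranch' $Channel 'String'
}

function Get-UpdatePolicyReport {
    # Read back what is in effect and flag the gap a patch admin cares about most:
    # feature updates neither deferred nor pinned means Windows will upgrade on its own.
    $wu     = Get-ItemProperty -Path $WuPolicy     -ErrorAction SilentlyContinue
    $au     = Get-ItemProperty -Path $AuPolicy     -ErrorAction SilentlyContinue
    $office = Get-ItemProperty -Path $OfficePolicy -ErrorAction SilentlyContinue
    $report = [ordered]@{
        FeatureUpdatesDeferred  = ($wu.DeferFeatureUpdates -eq 1)
        FeatureDeferDays        = $wu.DeferFeatureUpdatesPeriodInDays
        PinnedRelease           = $(if ($wu.TargetReleaseVersion -eq 1) { $wu.TargetReleaseVersionInfo } else { $null })
        AutoUpdateMode          = $au.AUOptions
        RebootsWithUserLoggedOn = ($au.NoAutoRebootWithLoggedOnUsers -ne 1)
        OfficeChannel           = $office.updatebranch
    }
    if (-not $report.FeatureUpdatesDeferred -and -not $report.PinnedRelease) {
        $report.Warning = 'Feature updates are neither deferred nor pinned: Windows will install them on its own schedule.'
    }
    [pscustomobject]$report
}

# Usage on a lab machine: apply the three policy groups, then show the resulting state.
Set-FeatureUpdateControl
Set-AutomaticUpdateSchedule
Set-OfficeUpdateChannel -Channel 'SemiAnnual'
Get-UpdatePolicyReport | Format-List
```

Two caveats when you turn this into a GPO. First, the deferral policies only take effect on editions that support Windows Update for Business (Pro, Enterprise, Education); on a machine that is also pointed at a WSUS server (UseWUServer = 1) they cause the client to scan Windows Update as well as WSUS unless "Do not allow update deferral policies to cause scans against Windows Update" (DisableDualScan = 1) is also set. Second, these settings only govern what Windows Update offers; the KACE patch schedule, the user prompts and the reboot timeout discussed in the question are configured in KACE, so check the report function's output on a few machines from each patching label after the GPO links to confirm the two are not fighting each other.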