I don’t send the post-action reboot as part of each baseline. I’ll start with a simplification of how I’d do it, which I think is pretty common here:
I’ll send all of the baselines out, targetting all machines, every month, with no post-action. Some machines install more patches than others, depending on the relevances, how long it’s been since the machine last patched, whether it’s a laptop coming back from an extended offline state, etc.
In addition to the patching actions, I send a separate set of reboot actions to occur at the end of the patching window. The relevance on that reboot action is just “pending restart”, with one or two retries waiting an hour between. So whether a machine installed one patch or two hundred, there’s only one reboot (ideally). If some patches failed and need to be retried after a restart, the “reapply” behavior of the reboot action gives enough time for a patch retry to happen and then triggers a second restart.
So that’s the simple version. The more complex version (and what I actually use), is that I send all of the Patch actions out with a Custom Constraint - “Run only when … setting PatchWindowState … is not ‘closed’”. I send out all the patch actions, and they start out Constrained. I have a separate action (an Offer) to allow clients to “Opt-In” for patching, it changes the value of a client custom setting “PatchWindowState”. So I can send out one action for each Patch Baseline, targetting “All Windows Computers” (not breaking it up by target platform). I let the local system owners decide when they kick off the Opt-In for patching. I send another action (not Offer) to force their patch window setting at a certain deadline time each month. So I have a deadline set, but the local system owners/operators can “Opt In” to have their patching start early.
I work in a 24x7 Critical system, so in many cases the local system owners have multiple sets of redundant equipment. The Opt-In allows them to schedule their patch times around complex ops or service failovers, so I don’t have to be as involved in their scheduling. The Patchwindow Deadline action only forces them to patch if they have not already Opted-In (based on
effective date of setting "PatchWindowState" of client)
The action that handles rebooting the client also increments a client setting tracking how many times we triggered the client reboot during this cycle; when the client no longer needs to reboot (all the patches finished) or the client reaches a certain reboot count (patches have retried too many times), an action resets the client PatchWindowState setting back to “closed”, ending the patch cycle for that period.