This is mostly a strategy question/discussion. I was curious to hear from others and how they choose to deploy their patches, vs how they are choosing to deploy software updates, etc. My end goal is to make it as invisible as I can to the end user, but it’s not always possible for some things.
Security patches are pretty easy since they can be applied in the background and do not require an immediate reboot. I typically apply things after business hours, and I can eventually hit the unreachable/offline targets during business hours at a later time as necessary. The main ‘gotcha’ with them, at least for Windows 10, is how long the reboot can take to fully apply and finish installing updates. I try to keep everyone informed of when this might occur, so they can be ready for the potential downtime.
Software updates are a little trickier. Usually the software needs to be closed while being upgraded, so it can introduce a small outage window. I typically try to push these after business hours to hit the bulk of my targets. My largest concern/opportunity for improvement is for the eventual push to computers that are typically offsite/offline/can’t wake-on-LAN during the upgrades. I’ve tried communicating the expected upgrade time/outage through email, BigFix messaging on the action, etc., but nobody reads it :). Offers are interesting, but relying on users to execute them is not reliable. Curious to hear what others are doing for that scenario!