Windows/Office patching - we handle this using a WSUS server that we manage centrally for our clients. We do two things to reduce impact:
1. We auto approve patches after 1 week of release. That gives a short amount of time for the rest of the world to discover issues before we deploy it. We do NOT forcibly reboot at that time.
1. We auto approve patches after 1 week of release. That gives a short amount of time for the rest of the world to discover issues before we deploy it. We do NOT forcibly reboot at that time.
2. For a lot of reasons (including patch and update installation), we need to reboot all machines weekly. We pick a day of the week that works for the client, and then set the machines to reboot at 5am if logged out, or pop up a message that they will reboot in 18 hours the next time they come online (which means that laptops generally come online at 8 am, get a pop-up notifying the user that they can reboot then or it will be done forcibly 18 hours later, and then it either reboots overnight when possible, or when the machine is off overnight, it will forcibly reboot itself first thing in the morning when it gets turned on.)