Patch policy to update everything

A small group of our users have admin privileges and can install everything they want.

Would it be a good idea to create a patch policy with just one rule for their devices:

  • Age >= 7 Days

This to make sure their devices are up-to-date.

I assume that initially the policy would contain a lot of patches, but after some time this should normalize.

Has anyone done the same? Is there a better way to achieve this?

  • I haven't gotten to this level yet, but it sure is a temptation, and I have thoughts to contribute.

    Do you have a good culture/habit of users, especially this group, restarting/shutting down their systems very regularly (daily/weekly)? Without those, many patches still show as unapplied even if pushed out.

    Are your systems generally up to date already, and this is just to keep them up to date?

    If I was to do this, I would start with Age >= 180 days and crank it down by 30 every week, while monitoring that they are getting applied. Starting point based on how well you are patched currently. Going all the way is likely to cause more than a few issues as it settles out. After all, the latest isn't always the greatest (we just wish it was) as some do break things. I wouldn't want to hit them all at once.
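A small model of the ramp-down the reply describes, as an added example that is not part of the original thread: the age threshold starts at 180 days, drops by 30 each week and stops at the 7-day target from the question, and the inventory is run through each week's rule. The patch names, dates and the reboot-pending flag are constructed assumptions standing in for whatever your patch tool actually reports.

```python
from dataclasses import dataclass
from datetime import date

# Ramp parameters from the thread: start wide, tighten by 30 days a week,
# and stop at the "Age >= 7 days" rule the question proposes.
START_AGE_DAYS = 180
STEP_DAYS = 30
TARGET_AGE_DAYS = 7


def age_threshold(weeks_since_start: int) -> int:
    """Minimum patch age (in days) the policy targets in a given week of the ramp."""
    return max(TARGET_AGE_DAYS, START_AGE_DAYS - STEP_DAYS * weeks_since_start)


@dataclass(frozen=True)
class Patch:
    name: str
    released: date
    installed: bool        # reported installed by the patch tool
    reboot_pending: bool   # installed but not effective until a restart


def select_patches(patches, today: date, weeks_since_start: int):
    """Names of not-yet-installed patches that this week's Age >= N rule would deploy."""
    threshold = age_threshold(weeks_since_start)
    return [p.name for p in patches
            if not p.installed and (today - p.released).days >= threshold]


def not_yet_effective(patches):
    """Installed patches still waiting on a restart; these look 'unapplied' in reports."""
    return [p.name for p in patches if p.installed and p.reboot_pending]


# Constructed sample inventory (hypothetical names and dates, not real patches).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_PATCHES = [
    Patch("KB-A", date(2023, 11, 1), installed=False, reboot_pending=False),  # 213 days old
    Patch("KB-B", date(2024, 3, 1), installed=False, reboot_pending=False),   # 92 days old
    Patch("KB-C", date(2024, 5, 20), installed=False, reboot_pending=False),  # 12 days old
    Patch("KB-D", date(2024, 1, 15), installed=True, reboot_pending=True),    # needs restart
    Patch("KB-E", date(2024, 5, 28), installed=False, reboot_pending=False),  # 4 days old
]

if __name__ == "__main__":
    for week in range(0, 7):
        print(f"week {week}: Age >= {age_threshold(week)} ->",
              select_patches(SAMPLE_PATCHES, SAMPLE_TODAY, week))
    print("installed but waiting on a restart:", not_yet_effective(SAMPLE_PATCHES))
```

Watching the second list alongside the first is the monitoring the reply asks for: a patch that sits in it for weeks is a reboot-habit problem, not a policy problem.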


