Chicago Endpoint Management User Group

I need to setup a group of clients so that they download their patches outside of production and only during maintenance.  I understand the maintenance window being configured means the patches will install when the maintenance window opens.  But I'd also like to suppress the download as well.  The best idea I can come up with is to...

Windows Patch Remediation Settings - Patch Filter Update Interval - Change from every 30 minutes to daily at the same time our maintenance window opens. (Or every 30 minutes within our maintenance window).  

That way when the patch filters are updated, the clients will then need to check in (currently hourly) and they'll get there policies applied and follow up with the package downloads.     The thing is, I have agents around the globe and I can't have patch filter updates specific to a group of machines.

Is there a way to setup the package downloads for the patches to only run during the general agent maintenance window?  Or any other way to assure the patch packages are only downloaded within a certain time period?  I'd prefer not to do an agent blackout as there are times we need to run tasks and choose "override maintenance window".  I could do throttling but the goal is for NO download traffic.  If it where I software management policy I would have the ability to control this with the compliance check schedule.  

There is no way, currently, to schedule package download for patches.  It's going to take some tricky scheduling to make sure they only get downloaded after production hours.  Once the patch policy is created, as soon as a machine checks in, it gets the policy and then forces a quick assessment scan to see which updates need to be installed.  Then, it proceeds to download them.  To actually install them, it waits until the maintenance window is open, as you have already pointed out.  Do you have package servers?  Maybe you can block them somehow so they don't get the Patch packages until after hours, which in return would delay the download to the clients?

As a followup, I confirmed at Symantec Vision in a couple of sessions that this is unfortunantly the case.  Options included setting up a blackout window but I don't want to lose visability of the clients.  Package server was mentioned but to further detail the issue, it isn't WAN Bandwidth that is our concern.  We are a trading company so any latency introduced to the workstation during production has to be limited.

I will say at Vision in one of the patch sessions, it was brought up that another orginization uses the ASDK to trigger the enabling of the policies in batches.  I might look in the direction of the ASDK to schedule the enabling of the policy at a specific time.