The hairline shows how long I've been in IT
Someone asked an interesting question in the mssms mailing list recently. I answered it there, and thought it was worth recording in a blog as well. He wanted to know how to deploy patches so that some users could postpone the update, while the others could not. It's actually fairly simple. What follows is even easier than my original email response.
First, create an interactive patch package with the Date Authorized in the past, and allowing the maximum postponement you want for the group that's allowed to postpone the patches. See Settings for Distribute Software Updates Wizard for details.
Second, create a second program in that SMS package that's identical to the first. Use a name includes something like "No Delay" and change the g: parameter in the command line to G:1. That allows one hour postponement from the date authorized. Since that time is long since past, this program will cause patches to be run as soon as the countdown time expires, then reboot after a second countdown.
The third step could be the hardest. You need to get the collections set up properly. First create a collection of computers where you want to allow postponement, based on whatever user-to-machine data is available to you. Second create a collection using a query that specifies all machines not in the "allow postponement" collection, and limited to your existing production deployment collection. That will end up being all machines you want to patch except those that can postpone.
Finally create the advertisements. The "Allow postponement" collection is advertised to the SMS program that was created by the wizard, and the "All other machines" collection is advertised to the "No Delay" program you created manually.
In another email in that thread, Marcus Oh suggested another solution that would be better in some environments. His idea was to create a program that checks which groups the logged-on user is in. If the user is a member of Group A, the program would then execute patchinstall.exe with the command line options to postpone, otherwise run it with the command line options no not postpone. You'd update the SMS program command line to run this program instead of patchinstall.
As always, test carefully before proceeding!