One of the interesting things to consider here though... if you have your endpoints locked down to this extent, do you need to patch?
If the machine is physically prevented from running unknown applications and processes, then how can a machine be compromised?
We have customers who run System Lockdown without AV; they haven't had any infections for many years now.
Admittedly, the installation thing is a bit harder to manage, but you can checksum the installer and all associated files with the install before providing it to the machine and load multiple fingerprint lists onto the same group, so it is possible.
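The fingerprint-list workflow described in this post (hash the installer and its associated files, load several lists onto one group, and let only matching files run) can be illustrated in a few lines of Python. This is an added example, not code from the poster or from the System Lockdown product; it assumes SHA-256 as the checksum, a fingerprint list as a mapping of relative path to digest, and two constructed installer trees written to a temporary directory so it runs offline. It also shows the tamper case: a file on the allowlist whose bytes change no longer matches and is denied.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint_file(path, chunk_size=1 << 16):
    """Return the SHA-256 hex digest of a file, read in chunks so large installers fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_fingerprint_list(root):
    """Hash every regular file under root: the installer plus all associated files."""
    root = Path(root)
    return {
        str(p.relative_to(root)): fingerprint_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def merge_fingerprint_lists(*lists):
    """Union of the digests from several lists loaded onto the same machine group."""
    allowed = set()
    for fingerprint_list in lists:
        allowed.update(fingerprint_list.values())
    return allowed


def is_allowed(path, allowed_hashes):
    """Lockdown decision: a file may run only if its current hash is on an allowed list."""
    return fingerprint_file(path) in allowed_hashes


def demo():
    """Build two constructed fingerprint lists, merge them, and exercise the decision."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)

        # Constructed sample installer trees (not real software).
        app_a = tmp / "app_a"
        (app_a / "bin").mkdir(parents=True)
        (app_a / "bin" / "app_a.exe").write_bytes(b"constructed app A binary")
        (app_a / "app_a.dll").write_bytes(b"constructed app A library")

        app_b = tmp / "app_b"
        app_b.mkdir()
        (app_b / "app_b.exe").write_bytes(b"constructed app B binary")

        list_a = build_fingerprint_list(app_a)
        list_b = build_fingerprint_list(app_b)
        allowed = merge_fingerprint_lists(list_a, list_b)

        # A file that was never fingerprinted must be denied.
        unknown = tmp / "unknown.exe"
        unknown.write_bytes(b"constructed binary on no list")

        results = {
            "entries_in_list_a": len(list_a),
            "app_a_allowed": is_allowed(app_a / "bin" / "app_a.exe", allowed),
            "app_b_allowed": is_allowed(app_b / "app_b.exe", allowed),
            "unknown_allowed": is_allowed(unknown, allowed),
        }

        # Tamper case: modifying an allowed file changes its hash, so it is denied.
        (app_a / "bin" / "app_a.exe").write_bytes(b"constructed app A binary, modified")
        results["tampered_allowed"] = is_allowed(app_a / "bin" / "app_a.exe", allowed)

        # Known-answer check for the hashing routine itself.
        kat = tmp / "kat.bin"
        kat.write_bytes(b"abc")
        results["kat_digest"] = fingerprint_file(kat)

        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist keys on content, not on file name or path, which is what makes a renamed or replaced binary fail the check; the trade-off the post alludes to is that every legitimate update needs a fresh list before it will run.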