Patch Management Solution

  • 1.  What are preferred patch management settings for Windows Servers?

    Posted Oct 09, 2014 10:04 PM

    Traditionally, we use WSUS to patch all of our Windows systems, including our servers.  For our client endpoints we have the systems configured to do the installs without prompting the users.  On the Windows servers, we have it configured to automatically download the software updates but to not perform the installs.  This allows the server administrators to patch the systems on their schedule as long as it gets done by a certain time.

    In the Symantec Management Console > Settings > All Settings > Agents/Plug-ins > Software > Patch Mgmt > Windows, I created two separate policies, one for clients, and one for servers.  I am trying to configure our server policy to match our current group policy as closely as possible.  Is there a way to configure the agents on our servers to download the update policies but to not install them until they are run by a server admin?  In our experience, if you let a server sit with an update installed but a reboot pending, the CPU tends to run away and we don't want that to happen.  Thank you.



  • 2.  RE: What are preferred patch management settings for Windows Servers?

    Posted Oct 09, 2014 10:05 PM

    I tried configuring the policy without an install schedule configured but it wouldn't let me save it without one.



  • 3.  RE: What are preferred patch management settings for Windows Servers?
    Best Answer

    Posted Oct 10, 2014 05:25 AM

    Configure a Policy to install once on 1/1/2030.

    Then the targeted patches get downloaded and can be installed by server admins by clicking on "Start Software Update Cycle" when it suits them.

    Make sure the Target of all your other policies always starts with Exclude Computers Not In "Windows Workstations".