In the fairly small organisation (1000+ screens in two sites) I work in, the PCs switch themselves on overnight and do the updates then. I gather the updates are pushed from a server after being tested by the IT support chaps.
That is certainly ideal. Unfortunately, many (maybe even most) of the machines here are laptops which are taken home each night. I could probably overlook the Windows updates if it weren't for the noon full-disk virus scan every day, but that's a topic for another day :)
A noon full-disk virus scan, even once a week, is a great way to alienate your user base. If your enterprise AV doesn't support "start at a scheduled time or if sleeping/off start upon next wake/power on" then you need a new enterprise AV suite. If not that, at least temporary deferment.
Yeah, laptops are a pain. We have laptop trolleys with 30 machines in each trolley (education). The techies pull in each trolley in rotation to do updates.