Just got a little time before crashing out, so going to pick one of those to answer briefly.
Re: "Flash doesn't get installed because of open browsers"
Yep - welcome to the #1 reason why Flash doesn't update.
The good news? You can fix it ... with either a Pre-script (i.e. "Before installing Flash, I shall go forth and murder every instance of FIREFOX, CHROME, IEXPLORE, NETSCAPE and so on..."). To do this "easily", you can copy the existing definition for the latest Adobe patch (because you have to make changes to it), and then add that script (in your preferred language of choice - VB, Powershell, BATCH...) and fix it as a "Custom Vulnerability".
You do that HERE (in the properties of a rule for a custom definition):
We (LANDesk) aren't that aggressive with our content for reasons that should be fairly obvious.
So you have the choice of either running the "STOP PROCESSES" section (and having a choice whether to prompt the user to shut down processes, but many end-users wouldn't know what a process is / how to kill it), and/or you can play around with the list of "Patch Install Commands" and have a PSKILL type approach to killing off processes.
Obviously, the gotcha here is communication with your end-users.
If you're just going to murder their browser sessions willy-nilly without warning, that's a great way to find out who spends 2 hours writing something on the WWW without ever saving it, as they'll be howling for your blood ... (yes, this sort of thing has happened).
Part of the tricky side of things with setting up your patching policy is "knowing your user" and what sort of corporate culture you have. Do you send them out an info-sheet with a "This is how it'll be from here on out" (without ACTUALLY being quite so draconian to begin with, to "see how it goes"), or do you seek a gentler approach with perhaps some discussion (this has its own dangers, since a lot of end-users are under the impression that "I should NEVER have to reboot" is perfectly reasonable)?
I'm highlighting polar extremes, and the idea isn't to have you choose one of those two, and only those two - it's to get you thinking how this sort of stuff would work in your environment / corporate culture. How technically capable / reliable (or UN-reliable?) are your users? How much CAN you trust them to do the right thing ... or how much do you need to hand-hold them?
Certain patches (Flash first and foremost) are a major PITA because you don't just have to kill off processes, but browsers of all things ... something that can often cause some form of griefing from end-users. We give you various tools to deal with that situation - but in the end, only you can know your users.
Also - about CONTINUATION ("handling multiple reboots"). Remember you have this option in the scan & repair behaviour:
Here you have:
* A "Before I repair - run XXX" option (i.e. - another way to kill off annoying processes)
* A "Now that I'm finished, run X..." option
* A Continuation option ("How many reboots should I be able to handle?") ... by default this is 5.
Depending on your reboot behaviour (so - assuming we're allowed to reboot) we can happily reboot the same box multiple times to install various patches. That tech exists in 9.5 SP2 (assuming you're on this version?) and has for most of 9.5 I think.
======================
Re: Configuring AUTOFIX # of attempts.
That's done here:
First of all, go to CORE SETTINGS
Then you see the value/setting right away:
This is a user-configurable setting for historical reasons (it USED to be indefinite by default IIRC to begin with ... then it was hard-coded to "5" I believe, when certain situations caused indefinite autofixes to have problems ... and in the end, it just became a configurable value, as every customer has something that is "right" for them, and only them).
Hope this helps.
- Paul Hoffmann
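As an added illustration of the "pre-script that closes browsers before the Flash repair" idea from the post above (this is example code, not LANDesk's own content or anything shipped with the product): a PowerShell script you could attach as a patch-install command or "before repair" script. The browser process names, the 60-second grace period, the use of msg.exe for the warning, and the assumption that the patch job treats a non-zero exit code as "do not install" are all my choices, not documented LANDesk behaviour.

```powershell
# Example pre-repair script (not LANDesk's code): warn users, then close
# browsers that hold Flash Player files open so the installer can replace them.
# Process names, grace period and exit-code convention are assumptions.
param(
    [string[]]$ProcessNames = @('firefox', 'chrome', 'iexplore', 'netscape', 'opera'),
    [int]$GraceSeconds = 60,
    [switch]$NoWarning      # set this for a maintenance window where nobody is logged on
)

function Get-RunningBrowsers {
    # Get-Process accepts an array of names; missing ones are not errors here.
    Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue
}

$running = Get-RunningBrowsers
if (-not $running) {
    Write-Output 'No browser processes running; nothing to do.'
    exit 0
}

if (-not $NoWarning) {
    $names = ($running | Select-Object -ExpandProperty ProcessName -Unique) -join ', '
    $text  = "IT will close $names in $GraceSeconds seconds to update Adobe Flash. Save your work now."
    # msg.exe * broadcasts to every interactive session on this machine, which is
    # what you want when the script runs as SYSTEM from the agent. A failure to
    # notify (e.g. no sessions) is not fatal, so errors are discarded.
    & msg.exe * /TIME:$GraceSeconds $text 2>$null
    Start-Sleep -Seconds $GraceSeconds
}

# Ask nicely first: CloseMainWindow() posts WM_CLOSE, so a browser gets a chance
# to save its session. Run from a non-interactive service session this may simply
# return $false (no window handle visible), which is why a forced stop follows.
foreach ($p in (Get-RunningBrowsers)) {
    try { $null = $p.CloseMainWindow() } catch { }
}
Start-Sleep -Seconds 10

# Anything still alive gets killed; -Force is needed for processes in other sessions.
Get-RunningBrowsers | Stop-Process -Force -ErrorAction SilentlyContinue
Start-Sleep -Seconds 2

$left = Get-RunningBrowsers
if ($left) {
    $leftNames = ($left | Select-Object -ExpandProperty ProcessName -Unique) -join ', '
    Write-Output "Could not terminate: $leftNames"
    # Assumption: a non-zero exit code makes the patch job report a failure instead
    # of installing over locked files and leaving the old Flash in place.
    exit 1
}

Write-Output 'Browsers closed; safe to install.'
exit 0
```

If you want the gentler approach from the post, drop the forced Stop-Process step and let the script exit 1 when a browser is still open after the grace period; the repair then simply retries on the next autofix attempt (up to the attempt count set in Core Settings) instead of killing anyone's unsaved work.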