Patching endpoints is simple in principle, but difficult in practice. From users who refuse to reboot, to patches that break major functionality, to software that can't be patched while other software is running (looking at you, Java!), patching is fraught. When you add in the differences between research and business IT environments, the complexity of patching can spiral out of control. Aggie Desktop at UC Davis has taken an incremental approach toward implementing a patching strategy that works for both business and research units, and that now secures more than 6,500 endpoints used by staff, faculty and students. At this session, we will describe our approach, report our progress along the journey, and share our roadmap for next steps.