Best way to handle "catchup" patches for newly deployed OS

I’ve always struggled with how to install all missing patches on a newly deployed Windows server.

Depending on which OS is installed, whether it’s installed from Bare Metal or VMware Template, it needs X patches.

We’d like to streamline the provisioning process, but I’ve never been able to figure out how to tell the new machine to install all missing MS Security Bulletins without having to maintain a Baseline that changes every month.

I was curious how other people handle their fresh OS deployments.

Do you have WebUI available? Especially with the recent updates, I think “Patch Policies” are probably the way to go. That’s an out-of-box automation for a lot of what I’ve built up internally for catching up new systems.

We have deployed the WebUI but I have not really used it over the console. We envisioned providing administrative users access to their tasks through the WebUI.

I’ll definitely explore patch policies, thanks for the breadcrumb!

After exploring it a little bit, do you know of a way for it to take effect more often than once a day? I was thinking of having a Dynamic Computer Group based on a Deployment OU and would want it to immediately apply the policy after checking in.