I'm putting together a patch management process from scratch. Up to now patching has been managed by simply running Windows Update every so often and deploying what's available.
There is a lot of information available about how to download, deploy, and report on patches and patch compliance but I don't see anyone discussing the discretionary parts of the process. When do you force patch deployments and reboots on your end users? How long do you wait before applying patches to production servers? Do you really test each patch or simply run them for a while on less important systems and install to Prod if nothing crashes?
I'm interested in hearing from other administrators how they handle patch compliance, what has worked or not worked, and why.
Thanks.