You will want to create and use a baseline to prevent newer patches from being scanned for and deployed. There is no automated method of getting this done, so you will need to manually add the patches to the Patch Group each month once they are released. You use a lot of automation when being this specific in regards to which patches are scanned for and deployed.
I would suggest scheduling a scan-only WUScan just so you know what is missing on your servers. Too much filtering in scans may hide potentially needed patches from being applied, so it's prudent to spot check from time to time.
Thanks for the reply.
Just to confirm:
- I will schedule a domain scan once a month.
- Create a new Patch group called MS Month Year
- Then create a new template and add this patch Group in as a baseline.
You can create a new Scan Template and Patch Group each month, or you can keep adding to the previous one. Either method would work; use whatever meets your needs better. I would suggest you keep adding the newer patches to the same Patch Group each month.