We're struggling to find out how we should best handle this and how others are handling things.
Right now we only apply Security Patches and Security Tools. We haven't jumped into the Non-Security Patches due to the sheer quantity.
How is everyone else doing this?
So right now, if I scan my workstations for missing "Security Patches and Security Tools" I come up with 114 unique missing patches and a total of 3132 for all 120 systems.
Then, if I scan that same group of computers, but only look for missing "Non-Security Patches" my numbers go through the roof. 513 additional, unique patches and a whopping total of 12,816 for these same 120 systems, and this is ON TOP of the security patches.
So, do you apply all patches in your environment? Security, Security Tools, Non-Security?
How do you possibly review all of these without having a massive staff? (Who has the time to review 513 patches and understand what each one does?)
Do you have a change control board/process in place? Do they review patches?
Just trying to learn what everyone else is doing. Security auditors are beating us up because we have some patches missing but most of those missing patches are Non-Security Patches (so they should not matter for a security audit) but they are are dinging us for not applying them anyways.
Just looking for feedback.