In an environment with multiple windows servers what is the best way to ensure patch compliance accross all systems?
Is there a simple tool (some sort of client/server app?) that allows reports to be generated showing the status of all the systems so any that aren't automatically patching themselves can be fixed without having to manually check each systemevery time an audit is needed?
WSUS is good for Windows, it's for large distributed enterprises.
Microsoft Windows Server Update Services
Microsoft Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates to computers running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network.
A WSUS server will download all of the patches you specify, for the products you choose. You then configure your clients to get their updates from the local WSUS server instead of directly from Microsoft. You can group your client machines and approve/disapprove the patches that you want each group to install. The WSUS server will give you lots of reports as to which clients need what patches, etc.
It's pretty easy to setup, if you follow the Microsoft white paper.