For Windows server we usally patch every month as per microsoft releases security patches. First we do patch testing on Non Prod like (staging/UAT ) environment. After will monitor for 2 weeks and then implement on Prod environment. After patch is install we use to scan systems for missing patches or known vulnerabilities. For Patching we use SCCM and HPSA tools, Some time download and install manually.