You create your compliance groups. It can be a group if you want for critical updates. In your agent configuration under the scan and repair options there are several tabs. If you click on the "scan" tab There is an option to select the group you created, and if you choose you can select the radio button to "Immediately repair all detected items".
In our situation, all of our machines are using a single image. We have two different agent settings, for machines that are part of an exceptions group, and then everything else. We are just putting our patches straight into compliance group after an initial push done after hours. Is there particular situations where it would be better to have multiple group in the compliance group?