Great question. The EMSS suite has been designed from the ground up as one of the most advanced and accurate patch detection and delivery mechanisms available. The approach that our customers have always looked for was more control over the update process; automating the selection of vulnerabilities and automatically deploying everything is generally not the best approach. Most environments test, or at least ensure a basic level of sanity for deployments, before scheduling them, and this would be the intention of the product design.
The reasons for this are numerous: you may break the endpoints, break services running on servers, change versions of Java or .NET that applications rely on, or upgrade browser versions not supported by web apps, just as a few examples. I can understand your environment and the lack of full testing on virtual disposable endpoints, but we still find this process is the best way to ensure reliable endpoints, applications and user experiences. We have observed this in customer environments in the past where automation resulted in some or all of the above-mentioned issues.
You have a couple of methods to simplify the patching process and reduce the workload.
The design of the product flows around patching through groups, bringing all machines up to date and, in regards to Microsoft releases, patching only on the Patch Tuesday cycles, sending out the small number of Critical patches that are released on a monthly basis after the initial update.
This will require you at one stage to bring all machines as up to date as possible. From what you have described of your environment, this sounds like it should be fairly straightforward, in that you can look at all the outstanding vulnerabilities from the Vulnerabilities view in the interface and deploy these to all your endpoints.
Once all endpoints have been patched you will only need to log in to the interface and schedule the Patch Tuesday patches once a month. You can even create a custom patch list with these and simply deploy this custom patch list to all your endpoint groups. You will be able to track the deployment as it progresses, and in addition you can report on compliance after the patching, trending using enhanced reporting to show your progress in the environment.
Another option, as you mentioned, is the mandatory baseline, which allows you to add patches into a baseline for installation. This is helpful for applications or patches that must exist on all endpoints. We would normally advise using the custom patch list, as displayed below, in place of the baseline for all patches, as the baseline can become very large over time and won't provide the same level of performance as the custom patch list deployments, which leverage our vulnerability intelligence.
In a simple environment without any testing framework or change controls, the patching process is very straightforward. Log in as you do, patch via a high-level group like Windows or My Groups at the most basic level, and send out all the outstanding Critical (New) content. Job done. In a simple environment this process should easily take less than 5 minutes.
A second option, aside from the more controlled approach, that some customers use is to enable Windows Automatic Updates and allow clients to update themselves through other means, in addition to or in place of scheduled patching. This ensures updates are applied, and you have reporting and vulnerability detection through the EMSS suite to give you a view into this and ensure compliance. We have a package built into the interface that can be leveraged to enable and disable the Windows Update service. Many times this approach is used for clients that are not on the network or VPN and still need to update from coffee shop Wi-Fi or hotel connections, although you can use it for network-connected machines.
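As an added illustration of the last option (this is example code, not the EMSS built-in package or any Lumension-provided script), the following PowerShell audits the state of the Windows Update service (wuauserv) on an endpoint and reports the most recently installed hotfix, which is the kind of evidence a compliance report needs when clients are allowed to self-update. The optional -Enable and -Disable switches toggle the service; the service name, the use of Get-HotFix as a staleness indicator, and the output field names are assumptions for this example.

```powershell
# Example audit/toggle script for the Windows Update service (assumed name: wuauserv).
# Not part of EMSS; run in an elevated PowerShell session on the endpoint.
param(
    [switch]$Enable,   # re-enable and start wuauserv
    [switch]$Disable   # stop and disable wuauserv (e.g. while scheduled patching drives updates)
)

$serviceName = 'wuauserv'

if ($Enable) {
    # Manual start type is what Windows uses by default; Windows Update starts it on demand.
    Set-Service -Name $serviceName -StartupType Manual
    Start-Service -Name $serviceName
} elseif ($Disable) {
    Stop-Service -Name $serviceName -Force
    Set-Service -Name $serviceName -StartupType Disabled
}

# Most recent hotfix the OS knows about, used here only as a crude staleness indicator.
$lastFix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

# Startup type comes from the Win32_Service class (StartMode), status from Get-Service.
$svc    = Get-Service -Name $serviceName
$svcCim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    ServiceStatus  = $svc.Status
    StartupType    = $svcCim.StartMode
    LastHotFix     = if ($lastFix) { $lastFix.HotFixID } else { $null }
    LastHotFixDate = if ($lastFix) { $lastFix.InstalledOn } else { $null }
    DaysSinceFix   = if ($lastFix) { [int]((Get-Date) - $lastFix.InstalledOn).TotalDays } else { $null }
}
```

Running the script with no switches only reports; piping the resulting object into Export-Csv across a set of endpoints gives a simple view of which self-updating machines have gone stale and should be picked up by a scheduled deployment instead.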