if you are using WSUS for workstations it is more or less easy, you set GPO to automatically download and install. Then you approve/reject updates in WSUS console. However for server it's better to setup automatically download. The installation itself should be manual. To automate the manual patch installation use this script:
Put this script on the file share, together with follwing cmd
c:\windows\system32\cscript.exe \\server\UpdateHF\updatehf.vbs action:install mode:silent email:firstname.lastname@example.org restart:1
Then you can use GUI for psexec or LANGuard Network Security Scanner or other tools to run this command remotely.