It's always been challenging to choose either to check "Hide all deployments from end users" in "Software Updates Client Agent Properties".
If you decide to suppress it - you won't be able to patch the computers manually. It may be challenging for servers, where administrators want to do it manually, with notifications of service interruption involved, and so on.
If you don't suppress them, you'll face two challenges:
1. If you rely on Maintenance Windows, even if there is no maintenance window available, but deployment is active (after start time), your users will receive task bar notification
2. If your update fails, users will see it.
You may want to prevent it by setting "Hide updates" on all computers except servers. So, you set the site wide setting to "Hide" (check the box) and distribute the setting that will unhide it where needed (Servers and, for example, your "Patch testing group")
Here is a VB script for that:
' Initialize the updatesDeployment variable.
' Create the COM object.
set updatesDeployment = CreateObject ("UDA.CCMUpdatesDeployment")
' Set interactive mode on the client by using the SetUserExperienceFlag method
' and the newUserExperienceFlag (set with a value of 1) passed in.