Patch approval by patch
Manually approving patches ensures that only the system and security-critical patches that are needed and fully tested are downloaded and installed. Approving individual patches provides a way to approve or decline patches through Rules associated with devices.
Setting a patch approval at a specific level also applies to all levels below if they are configured to inherit from the level above.
For example, if you configure a patch to "Approve for install" at the SO level, the approval would also apply at the Customer and Site level as long as they are allowed to inherit from the parent level.
Outstanding patches are those that have an Existing Approval status of No Approval because no approval decision has been made.
Click Configuration > Patch Management.
- In the Patch Approval section, click By Patch.
- Select the Show Device Counts check box at the top of the window to identify which patches are currently outstanding.
- On the right-hand side of the screen, click Show Filter to identify patches by a classification that may not have automatic approval.
Patches with an Existing Approval value of Approved for Install, Mixed, or Declined may have some devices still needing the patches listed underneath them that have not been approved. Using Show Device Counts clarifies this situation.
Searches using the filter ignore leading and trailing periods and asterisks. For example, searching on ".NET" can include anything that includes "net" in the name or description, not just ".NET" results.
The search field employs a number of operators to enhance the search capability of the filter such as the operators "%", "*" and "?". The filter feature uses case-insensitive POSIX regex to search in the KB Number, Patch Name, and Patch Description fields.
- 4041?8? returns patch numbers 4041687 and 4041085.
- ^40 to search for a patch starting with 40.
- 41$ to search for patches ending with 41.
For more options, see the section Regular Expression Escapes in the PostgreSQL documentation at https://www.postgresql.org/docs/9.3/static/functions-matching.html.
You can also filter on patch products as well as status. On the bottom of the filter window, click the Products tab.
Some Microsoft patches do not accurately report their product. To cover this situation, click the Product filter option and click Product Unknown. Combined with a keyword, you can automatically approve patches where the product has not been defined by Microsoft.
Select Perform Action Immediately only if you want to install the patch right away instead of following the patching schedule. Use this option only if you are approving one or two critical patches.
In the New Approval column, click the pencil icon to select the new approval property.
Configuring a third party patch as Approved for Removal will remove the entire application from the device and not just the software patch itself. Third party software patches are not incremental, and you cannot remove only the patch.
During the patch maintenance window, SolarWinds N-central will download and install the selected approved patches.
Patch status and approval values
The patch status is a combination of the individual patch status values across all applicable devices. The combined Status value can be one of:
- Not Needed
The highest-ranked of these statuses found on any device will be reported as the combined status for the patch. For example, if one device has a status of Failed, while two other devices have a status of Needed, the patch would have an overall combined status of Failed.
The Existing Approval value of each patch is a combination of the individual Approval values of that patch across all computer groups. The Approval values are combined as:
- Approved for Install + Approved for Removal = Mixed
- Approved for Install + Declined = Mixed
- Approved for Removal + Declined = Mixed
- Approved for Install + Not Approved = Approved for Install
- Approved for Removal + Not Approved = Approved for Removal
- Declined + Not Approved = Declined
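
The combination rules above, and the earlier note that a patch shown as Approved for Install, Mixed, or Declined can still have devices without an approval, can be modeled as follows. This is an added example, not SolarWinds N-central code; the function names, patch names, and computer groups are constructed for illustration, and treating Mixed as a value that persists once it appears is an assumption.

```python
from functools import reduce

NOT_APPROVED = "Not Approved"
INSTALL = "Approved for Install"
REMOVAL = "Approved for Removal"
DECLINED = "Declined"
MIXED = "Mixed"


def combine(a, b):
    """Combine two approval values using the pairings listed above."""
    if a == b:
        return a
    if a == NOT_APPROVED:
        return b
    if b == NOT_APPROVED:
        return a
    # Two different decisions give Mixed. Keeping Mixed once it appears
    # is an assumption; the page lists only pairwise combinations.
    return MIXED


def existing_approval(group_approvals):
    """Fold the per-group values into the single Existing Approval value."""
    return reduce(combine, group_approvals.values(), NOT_APPROVED)


def undecided_groups(group_approvals):
    """Groups with no decision that the combined value does not reveal."""
    if existing_approval(group_approvals) == NOT_APPROVED:
        return []  # the patch already shows as outstanding
    return sorted(g for g, v in group_approvals.items() if v == NOT_APPROVED)


# Constructed sample data: patch names and computer groups are made up.
SAMPLE = {
    "patch-A": {"Servers": INSTALL, "Laptops": NOT_APPROVED},
    "patch-B": {"Servers": INSTALL, "Laptops": DECLINED, "Kiosks": NOT_APPROVED},
    "patch-C": {"Servers": NOT_APPROVED, "Laptops": NOT_APPROVED},
}

if __name__ == "__main__":
    for patch, groups in SAMPLE.items():
        print(patch, existing_approval(groups), undecided_groups(groups))
```

Because Not Approved is absorbed by any other value, patch-A reads as Approved for Install even though one group has no decision, which is the case Show Device Counts is meant to expose.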