Patch Approval Actions

After running a scan, Patch Management reports back the patch status on the device.

To allow full control over whether these patches are deployed, you can set up the auto-approval action based on patch severity in the Patch Management Feature Policy. Configure actions for specific patches down to the site level in the Management Workflow dialog, or choose what to do with individual patches on a device in the device's Patches tab (see Manage Patches on Individual Devices through the Patches tab).

By default, devices inherit their settings from the site, which, in turn, inherits the policy of the client, which inherits the policy for all servers or workstations.

When configuring a child (Device, Site or Client), this setting takes precedence over the parent's configuration.

| Approval Setting | Description |
|---|---|
| Inherit | Takes the approval setting from the level above. Devices automatically inherit their settings from their parent unless set at the device level. |
| Approve | Sets the patch as 'approved' for install for the next scheduled remediation run. |
| Ignore | Sets the patch as 'ignored', which prevents it from being installed in future remediation runs, as long as the patch remains in an 'ignored' state. |
| Do Nothing | Sets the patch to NOT have any Patch Approval Action apply to it. The patch status will instead reflect what is set in the applied Feature Policy. |

Examples

In the first example, the Feature Policy applied to the device is set to automatically approve all Microsoft Critical Patches. The Client, Site and Device are set to inherit these settings and the Critical patch installs.

| Dialog | Level | Configuration | Setting | Action |
|---|---|---|---|---|
| Feature Policy | Policy | Microsoft: Critical Severity Patches | Approve | |
| Management Workflow | Client | | Inherit | Approve |
| | Site | | Inherit | Approve |
| Patches Tab | Device | 2018-10 Update for Windows 7 for x86-based Systems (KB3177467) | Inherits from Site | Approve |

In the next example, the Feature Policy again automatically approves all Microsoft Critical Patches, but the Management Workflow at the Site level is set to Do Nothing. As the Device is set to Inherit, it honors the Site's setting and does not install the Critical Patch.

| Dialog | Level | Configuration | Setting | Action |
|---|---|---|---|---|
| Feature Policy | Policy | Microsoft: Critical Severity Patches | Approve | |
| Management Workflow | Client | | Inherit | Approve |
| | Site | | Do Nothing | Do Nothing |
| Patches Tab | Device | 2018-10 Update for Windows 7 for x86-based Systems (KB3177467) | Inherits from Site | Do Nothing |

In the final example, the Feature Policy automatically approves all Microsoft Critical Patches. The Approval Policy for the Client and Site is set to Inherit (Approve), but the Device is set to Ignore. As the Device is set to Ignore, it does not install the Critical Patch, and the patch is not reported as missing in its Patches tab or Reports.

| Dialog | Level | Configuration | Setting | Action |
|---|---|---|---|---|
| Feature Policy | Policy | Microsoft: Critical Severity Patches | Approve | |
| Approval Policy | Client | | Inherit | Approve |
| | Site | | Inherit | Approve |
| Patches Tab | Device | 2018-10 Update for Windows 7 for x86-based Systems (KB3177467) | Ignore | Ignore |
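
The three examples above, as an added Python sketch (not part of the product or its documentation): it resolves the effective action by checking Device, Site and Client before falling back to the Feature Policy, and lists devices where an override stops a policy-approved patch. The names `resolve`, `suppressed` and `ESTATE`, and the sample device names, are assumptions made for illustration.

```python
from enum import Enum


class Action(Enum):
    INHERIT = "Inherit"
    APPROVE = "Approve"
    IGNORE = "Ignore"
    DO_NOTHING = "Do Nothing"


# Most specific level first: a child's setting takes precedence over its parent's.
LEVELS = ("Device", "Site", "Client")


def resolve(feature_policy, overrides):
    """Return (effective action, level that decided it) for one patch on one device."""
    if feature_policy is Action.INHERIT:
        raise ValueError("the Feature Policy is the top level and cannot inherit")
    for level in LEVELS:
        setting = overrides.get(level, Action.INHERIT)  # unset levels inherit
        if setting is not Action.INHERIT:
            return setting, level
    return feature_policy, "Feature Policy"


def suppressed(feature_policy, estate):
    """List devices where an override stops a patch the Feature Policy approves."""
    findings = []
    for device, overrides in estate.items():
        action, level = resolve(feature_policy, overrides)
        if feature_policy is Action.APPROVE and action is not Action.APPROVE:
            findings.append((device, action.value, level))
    return findings


# Constructed sample data mirroring the three examples (hypothetical device names).
ESTATE = {
    "PC-EXAMPLE-1": {"Client": Action.INHERIT, "Site": Action.INHERIT,
                     "Device": Action.INHERIT},
    "PC-EXAMPLE-2": {"Client": Action.INHERIT, "Site": Action.DO_NOTHING,
                     "Device": Action.INHERIT},
    "PC-EXAMPLE-3": {"Client": Action.INHERIT, "Site": Action.INHERIT,
                     "Device": Action.IGNORE},
}

if __name__ == "__main__":
    for device, action, level in suppressed(Action.APPROVE, ESTATE):
        print(f"{device}: Critical patch not installed ({action} set at {level} level)")
```

The Ignore finding deserves the closest review, because an ignored patch is also not reported as missing in the Patches tab or Reports.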

From Dashboard 2020.02.12, the Inherit option is only selectable in the Approval Policy dialog for multiple devices.