Patch Approval Actions

After running a scan, Patch Management reports back the patch status on the device.

To allow full control over whether these patches are deployed, you can set up the auto-approval action based on patch severity in the Patch Management Feature Policy. You can also configure actions for specific patches down to the site level in the Management Workflow and Approval Policy dialogs, or choose what to do with individual patches on a device in the device's Patches tab (see Manage Patches on individual Devices tab).

By default, devices inherit their settings from the site, which, in turn, inherits the policy of the client, which inherits the policy for all servers or workstations.

A setting configured on a child (Device, Site or Client) takes precedence over the parent's configuration.

Examples

In the first example, the Feature Policy applied to the device is set to automatically approve all Microsoft Critical Patches. The Client, Site and Device are set to inherit these settings and the Critical patch installs.

| Dialog | Level | Configuration | Setting | Action |
| --- | --- | --- | --- | --- |
| Feature Policy | Policy | Microsoft: Critical Severity Patches | Approve | |
| Management Workflow | Client | | Inherit | Approve |
| | Site | | Inherit | Approve |
| Patches Tab | Device | 2018-10 Update for Windows 7 for x86-based Systems (KB3177467) | Inherit | Approve |

In the next example, the Feature Policy again automatically approves all Microsoft Critical Patches. But the Management Workflow at the Site level is set to Do Nothing. As the Device is set to Inherit, it honors the Site's setting and does not install the Critical Patch.

| Dialog | Level | Configuration | Setting | Action |
| --- | --- | --- | --- | --- |
| Feature Policy | Policy | Microsoft: Critical Severity Patches | Approve | |
| Management Workflow | Client | | Inherit | Approve |
| | Site | | Do Nothing | Do Nothing |
| Patches Tab | Device | 2018-10 Update for Windows 7 for x86-based Systems (KB3177467) | Inherit | Do Nothing |

In the final example, the Feature Policy automatically approves all Microsoft Critical Patches. The Approval Policy for the Client and Site is set to Inherit (Approve), but the Device is set to Ignore. Because the Device is set to Ignore, it does not install the Critical Patch, and the patch is not reported as missing in its Patches tab or Reports.

| Dialog | Level | Configuration | Setting | Action |
| --- | --- | --- | --- | --- |
| Feature Policy | Policy | Microsoft: Critical Severity Patches | Approve | |
| Approval Policy | Client | | Inherit | Approve |
| | Site | | Inherit | Approve |
| Patches Tab | Device | 2018-10 Update for Windows 7 for x86-based Systems (KB3177467) | Ignore | Ignore |
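
The inheritance rule shown in the three examples can be modelled to audit where an auto-approved patch is being suppressed by a lower-level override. This is an added example, not product code: the function names, the dictionary layout and the device names are assumptions, and the sample data is constructed.

```python
# Added illustration. The data model is hypothetical; it is not a product
# API or export format. Setting names are the ones used on this page.
INHERIT = "Inherit"


def effective_action(policy_action, client=INHERIT, site=INHERIT, device=INHERIT):
    """Resolve Policy -> Client -> Site -> Device.

    A child setting other than Inherit takes precedence over its parent,
    so the lowest level with an explicit setting decides the action.
    Returns (action, level that decided it).
    """
    action, source = policy_action, "Feature Policy"
    for level, setting in (("Client", client), ("Site", site), ("Device", device)):
        if setting != INHERIT:
            action, source = setting, level
    return action, source


def audit(policy_action, devices):
    """List devices whose effective action differs from the Feature Policy."""
    findings = []
    for d in devices:
        action, source = effective_action(
            policy_action,
            d.get("client", INHERIT),
            d.get("site", INHERIT),
            d.get("device", INHERIT),
        )
        if action != policy_action:
            findings.append({
                "name": d["name"],
                "action": action,
                "overridden_at": source,
                # The page shows this for a device-level Ignore; treating any
                # effective Ignore the same way is an assumption.
                "not_reported_missing": action == "Ignore",
            })
    return findings


# Constructed sample mirroring the three examples above.
SAMPLE_DEVICES = [
    {"name": "example-1"},                        # everything inherits
    {"name": "example-2", "site": "Do Nothing"},  # Site override
    {"name": "example-3", "device": "Ignore"},    # Device override
]

if __name__ == "__main__":
    for finding in audit("Approve", SAMPLE_DEVICES):
        print(finding)
```

Devices flagged with not_reported_missing deserve the closest review, because the suppressed patch will not appear as missing in the Patches tab or Reports.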