Approval Policy

The Approval Policy is a set of one or more rules for each patch that determines the action to take on a server or workstation when identifying and remediating patches. This dialog lists all patches discovered across all servers and workstations running Patch Management. As the number of entries may easily stretch to tens of thousands, we have included both dialog and column filters to assist in the identification and management of these patches and to provide a more targeted view.

Choose a patch or selection of patches in the main Approval Policy dialog window then view the current status in the Patch Summary section. Hover over the count for a list of device names.

By default, servers and workstations Inherit the policy for each patch from the site, which will in turn inherit the policy of the client, which will in turn inherit the policy for all servers or workstations.

Once configured, this patch policy setting is applied to any instance of the patch (both now and in the future) that matches the selected Entity criteria.

The Approval Policy is accessible from two locations.

Settings menu

  1. Log into the Dashboard.
  2. Go to Settings > Patch Management > Approval Policy.

Dashboard 2020.01.20 introduced the ability to access the Management Workflow dialog directly from the Patches Tab. Previously this button opened the Approval Policy dialog.

Filter results and select Patches

  1. Use the filters to provide a targeted view for easy patch identification.
  2. Dialog filters:

    Filter by Status

    Return patches that meet the selected Status criteria; the filter is applied immediately:

    Missing - A patch is available for the device and is awaiting approval for installation.
    Pending - The patch was approved and is awaiting manual or scheduled installation.
    Installing - The patch is currently being installed.
    Installed - The patch was successfully installed. The Date Installed is populated where the patch was deployed via Patch Management.
    Failed - Installation of the patch was not completed successfully. On a small number of occasions a reboot may be required to complete the installation.
    Ignored - A patch is available for the device but was marked as Ignored, so it is not listed as missing in future vulnerability checks on this server or workstation.
    Reboot Required - The patch was installed but requires a reboot to complete the installation process.

    Filter by Client or Site

    Displays the Set Patch Policy entity options, from the overall device type (all Servers or Workstations) down to specific Clients and Sites.

    Clear filters

    Removes all filters and returns to the defaults.

    Column Filters

    Select the columns to display in the main window.

    From Dashboard v2020.02.19 we introduced the ability to see a list of devices for each patch status. Click on a patch's column value to view information on the devices that meet that criteria, for example all of the devices where the patch was listed as missing.

    In addition to Sort Ascending and Sort Descending, each column drop-down (apart from Release Date) has its own filter option:

    Severity

    Filter using the following severity options (descriptions from Microsoft's Security Bulletin Severity Rating System):

    Critical - A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email. Microsoft recommends that customers apply Critical updates immediately.
    Important - A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where the client is compromised with warnings or prompts, regardless of the prompt's provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered. Microsoft recommends that customers apply Important updates at the earliest opportunity.
    Moderate - Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. Microsoft recommends that customers consider applying the security update.
    Low - Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. Microsoft recommends that customers consider applying the security update.
    - (blank) - No severity level specified by the vendor.

    Patch Name

    The Patch Name search supports partial string searches and returns those patches whose name contains the entered string.

    Please note that the returned results are based on the Filter by Status and Filter by Client or Site selection.

    Product

    As patches may be available for a large number of products, this filter allows the user to search alphabetically. Simply select the product initial (or # for numbers), then choose the product from the returned list.

  3. Click on the vendor link icon (where available) to visit the vendor's site for more information on a patch.
  4. Multi-select the patches (Shift and left-click for a range, Control and left-click for specific entries).
  5. Choose the target entities in the Set Patch Policy dialog: all Servers or Workstations down to specific Clients and Sites.
  6. In the corresponding Policy drop-down choose the action to apply to the patches.
  7. Policy actions:

    Inherit

    Inherit the patch settings from the parent entity.

    For example, a Site will inherit the settings from a Client, and a Client will inherit the settings for all Servers or Workstations.

    Approve

    Approve the patch for deployment at the next installation time.

    Ignore

    Do not list the patch as missing in future Patch Status Checks.

    Do Nothing

    Indicates that you are aware of the patch but do not intend to immediately Approve it for installation.

    One example of using Do Nothing is where a Critical Operating System update is available, but due to its potential system impact you wish to delay the roll-out until the update is fully tested internally. Once satisfied, change the action to Approve, or to Inherit (where Approve is set for a parent setting), to install the patch.

    Reprocess failed

    If the patch installation was recorded as Failed, this option attempts to redeploy the patch.

    Uninstall

    This option removes the installed patch from the selected devices. It is only available where Patch Management supports uninstallation of the patch, as indicated in the Patch Management Workflow dialog's Uninstallable column.

    Visit Patch Approval Actions for information on the patch approval hierarchy.

  8. Once the policy action is selected for these patches, click Apply to execute it. Where Approve is selected, the existing Installation Schedule is applied.
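The Inherit hierarchy described above (device inherits from Site, Site from Client, Client from the all-Servers or all-Workstations level) can be modelled as a walk up the chain until a level sets something other than Inherit. The following is an added illustration, not code from the original page or from the Patch Management product; the class, function and level names, and the assumption that a patch left as Inherit at every level has no action (shown here as "Do Nothing"), are this example's own.

```python
"""Resolve the effective patch policy for a device by walking the Inherit
hierarchy: device -> site -> client -> global (all Servers / all Workstations).
Illustrative model only; names and defaults are assumptions, not the product's API."""
from __future__ import annotations

from dataclasses import dataclass, field

# Most specific level first; "global" stands for the all-Servers / all-Workstations level.
HIERARCHY = ("device", "site", "client", "global")
ACTIONS = {"Inherit", "Approve", "Ignore", "Do Nothing", "Reprocess failed", "Uninstall"}

# Assumption: Inherit at every level means no action is set, so the patch simply
# stays Missing / awaiting approval. Represented here as "Do Nothing".
DEFAULT_ACTION = "Do Nothing"


@dataclass
class PatchPolicy:
    """Action set for one patch at each level; levels not set are treated as Inherit."""
    settings: dict[str, str] = field(default_factory=dict)

    def set_action(self, level: str, action: str) -> None:
        if level not in HIERARCHY or action not in ACTIONS:
            raise ValueError(f"unknown level or action: {level}/{action}")
        self.settings[level] = action

    def effective(self, level: str = "device") -> tuple[str, str]:
        """Return (action, level the action came from) as seen from `level`."""
        start = HIERARCHY.index(level)
        for lvl in HIERARCHY[start:]:          # walk upwards while each level says Inherit
            action = self.settings.get(lvl, "Inherit")
            if action != "Inherit":
                return action, lvl
        return DEFAULT_ACTION, "default"


def demo() -> list[tuple[str, str]]:
    """Constructed scenario from the Do Nothing example in the text: Approve is set
    for all Servers, but one Client holds a Critical OS update back until tested."""
    policy = PatchPolicy()
    policy.set_action("global", "Approve")
    policy.set_action("client", "Do Nothing")
    held = policy.effective("device")          # ('Do Nothing', 'client')
    policy.set_action("client", "Inherit")     # testing done: fall back to the parent's Approve
    released = policy.effective("device")      # ('Approve', 'global')
    return [held, released]
```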

Where the patch requires a reboot to complete its installation, this is indicated in the Device's Summary tab and in the Reboot required column in the north pane. If a reboot is not configured as part of the Installation Schedule, it may be initiated directly from the Dashboard using Reboot Now or Later.
