Patch Approval Actions
After running a scan, Patch Management reports back the patch status on the device.
To allow full control over whether these patches are deployed, set the auto-approval action based on patch severity in the Patch Management Feature Policy. You can then configure actions for specific patches down to the site level in the Management Workflow and Approval Policy dialogs, or choose what to do with individual patches on a device in the device's Patches tab (see Manage Patches on individual Devices tab).
By default, devices inherit their settings from the site, which, in turn, inherits the policy of the client, which inherits the policy for all servers or workstations.
When you configure a setting on a child (Device, Site or Client), that setting takes precedence over the parent's configuration.
Approval Setting | Description |
---|---|
Inherit | Takes the approval setting from the level above |
Approve | Sets the patch as 'approved' for install for the next scheduled remediation run. |
Ignore | Sets the patch as 'ignored', which prevents it from being installed in future remediation runs, as long as the patch remains in an 'ignored' state |
Do Nothing | Sets the patch to NOT have any Patch Approval Action apply to it. The patch status will instead reflect what is set in the applied Feature Policy. |
Examples
In the first example, the Feature Policy applied to the device is set to automatically approve all Microsoft Critical Patches. The Client, Site and Device are set to inherit these settings and the Critical patch installs.
Dialog | Level | Configuration | Setting | Action |
---|---|---|---|---|
Feature Policy | Policy | Microsoft: Critical Severity Patches | Approve | |
Management Workflow | Client | Inherit | Approve | |
Management Workflow | Site | Inherit | Approve | |
Patches Tab | Device | 2018-10 Update for Windows 7 for x86-based Systems (KB3177467) | Inherit | Approve |
In the next example, the Feature Policy again automatically approves all Microsoft Critical Patches. But the Management Workflow at the Site level is set to Do Nothing. As the Device is set to Inherit, it honors the Site's setting and does not install the Critical Patch.
Dialog | Level | Configuration | Setting | Action |
---|---|---|---|---|
Feature Policy | Policy | Microsoft: Critical Severity Patches | Approve | |
Management Workflow | Client | Inherit | Approve | |
Management Workflow | Site | Do Nothing | Do Nothing | |
Patches Tab | Device | 2018-10 Update for Windows 7 for x86-based Systems (KB3177467) | Inherit | Do Nothing |
In the final example, the Feature Policy automatically approves all Microsoft Critical Patches. The Approval Policy for the Client and Site is set to Inherit (Approve), but the Device is set to Ignore. As the Device is set to Ignore, it does not install the Critical Patch, and the patch is not reported as missing in its Patches tab or Reports.
Dialog | Level | Configuration | Setting | Action |
---|---|---|---|---|
Feature Policy | Policy | Microsoft: Critical Severity Patches | Approve | |
Approval Policy | Client | Inherit | Approve | |
Approval Policy | Site | Inherit | Approve | |
Patches Tab | Device | 2018-10 Update for Windows 7 for x86-based Systems (KB3177467) | Ignore | Ignore |
From Dashboard 2020.02.12 the Inherit option is only selectable in the Approval Policy dialog for multiple devices.
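The three examples above can be reproduced with a small resolver that also reports which level decided the outcome. This is an added illustration, not the product's code: it models only what the example tables show (the nearest non-Inherit setting wins), and all function and field names are hypothetical.

```python
# Added illustration, not the product's code: models the inheritance shown in
# the page's example tables. All function and field names are hypothetical.
INHERIT, APPROVE, IGNORE, DO_NOTHING = "Inherit", "Approve", "Ignore", "Do Nothing"
LEVELS = ("Policy", "Client", "Site", "Device")  # parent -> child


def resolve(settings):
    """Return [(level, setting, effective_action)], walking parent -> child.

    A level set to Inherit (the default) takes the effective action of the
    level above; any other setting takes precedence over the parent.
    """
    if settings.get("Policy", INHERIT) == INHERIT:
        raise ValueError("the top level has nothing to inherit from")
    chain, effective = [], None
    for level in LEVELS:
        setting = settings.get(level, INHERIT)
        if setting not in (INHERIT, APPROVE, IGNORE, DO_NOTHING):
            raise ValueError(f"unknown setting {setting!r} at {level}")
        if setting != INHERIT:
            effective = setting
        chain.append((level, setting, effective))
    return chain


def audit(settings):
    """Summarise the device's effective action and which level decided it."""
    chain = resolve(settings)
    policy_action, device_action = chain[0][2], chain[-1][2]
    decided_by = [lvl for lvl, setting, _ in chain if setting != INHERIT][-1]
    return {
        "action": device_action,
        "decided_by": decided_by,
        # Policy approves the patch, but a lower-level override stops the install.
        "suppressed": policy_action == APPROVE and device_action != APPROVE,
        # Per the final example, an ignored patch is not reported as missing.
        "hidden_from_reports": device_action == IGNORE,
    }


# The page's three examples, written out as constructed dictionaries.
EXAMPLES = [
    {"Policy": APPROVE, "Client": INHERIT, "Site": INHERIT, "Device": INHERIT},
    {"Policy": APPROVE, "Client": INHERIT, "Site": DO_NOTHING, "Device": INHERIT},
    {"Policy": APPROVE, "Client": INHERIT, "Site": INHERIT, "Device": IGNORE},
]

if __name__ == "__main__":
    for example in EXAMPLES:
        print(audit(example))
```

The `suppressed` and `hidden_from_reports` fields mark the overrides worth reviewing when checking why an approved Critical patch is absent from a device.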