Approval Policy

The Approval Policy is a set of one or more rules for each patch that determines the action to take on a server or workstation when identifying and remediating patches. This dialog lists all patches discovered across all of servers and workstations running Patch Management. As the number of entries may easily stretch to tens of thousands, we have included both dialog and column filters to assist in the identification and management of these patches to provide a more targeted view.

Choose a patch or selection of patches in the main Approval Policy dialog window then view the current status in the Patch Summary section. Hover over the count for a list of device names.

By default, servers and workstations Inherit the policy for each patch from the site, which will in turn inherit the policy of the client, which will in turn inherit the policy for all servers or workstations.

Once configured, this patch policy setting is applied to any instance of the patch (both now and in the future) that matches the selected Entity criteria.

The Approval Policy is accessible from two locations.

Settings menu

1. Log into the Dashboard
2. Go to Settings > Patch Management > Approval Policy

Dashboard 2020.01.20 introduced the ability to access the Management Workflow dialog directly from the Patches Tab. Previously this button opened the Approval Policy dialog.

Filter results and select Patches

1. Use the filters to provide a targeted view for easy patch identification

Dialog Filters	Notes
Filter by Status	Return patches that meet the selected Status criteria with this setting immediately applied: Missing A patch is available for the device and awaiting approval for installation Pending Patch was approved and is awaiting manual or scheduled installation Installing Patch is currently being installed Installed Patch was successfully installed. The Date Installed is populated where the patch was deployed via Patch Management Failed Installation of the patch was not completed successfully. On a small number of occasions a reboot may be required to complete this installation. Ignored A patch is available for the device, but was marked as Ignored, not listed as missing in future vulnerability checks on this server or workstation. Reboot Required A patch was installed but requires a reboot to complete the installation process
Filter by Client or Site	Displays the Set Patch Policy entities options to select the overall device type down to specific Clients and Sites
Clear filters	Remove all filters and return to the defaults
Column Filters	Notes
In addition to Sort Ascending and Sort Descending each column drop-down (apart from Release Date) has its own unique filter option
Severity	Filter using the following severity options: Severity Notes (from Microsoft's Security Bulletin Severity Rating System) Critical A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email. Microsoft recommends that customers apply Critical updates immediately. Important A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where client is compromised with warnings or prompts regardless of the prompt's provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered. Microsoft recommends that customers apply Important updates at the earliest opportunity. Moderate Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. Microsoft recommends that customers consider applying the security update. Low Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. Microsoft recommends that customers consider applying the security update. - No severity level specified by the vendor
Patch Name	The Patch name search supports partial string searches and returns those patches that contain an element of the entered string in their name. Please note that the returned results are based on the Filter by Status and Filter by Client or Site selection.
Product	As patches may be available for a large number of products, this filter allows the user to search alphabetically. Simply select the product initial (or # for numbers) then choose the product from the returned list.

 
2. Click on the link (where available) to visit the vendor's site for more information on a patch
3. Multi-select the patches (Shift and left-click for a range, Control and left-click for specific entries)
4. Choose the target entities in the Set Patch Policy dialog: all Servers or Workstations down to specific Clients and Sites
5. In the corresponding Policy drop-down choose the action to apply to the patches

Inherit	Inherit the patch settings from the parent entity. For example a Site will inherit the settings from a Client, and a Client will inherit the settings for all Servers or Workstations.
Approve	Approve the patch for deployment at the next installation time
Ignore	Do not list the patch as missing in future Patch Status Checks
Do Nothing	Indicates that you are aware of the patch but do not intend to immediately Approve it for installation. One example of using Do Nothing is where a Critical Operating System update is available, but due to it's potential system impact you wish to delay the roll-out until the update is fully tested internally. Once satisfied, change the action to Approve or Inherit (where Approve is set for a parent setting) to install out the patch.

Visit Patch Approval Actions for information on the patch approval hierarchy.

6. Where patches are in the Failed state the option to Reprocess failed becomes available at the bottom of the dialog
7. Once the policy action is selected for these patches click Apply to execute and where Approve is selected the existing Installation Schedule is applied

Where the patch requires a reboot to complete its installation, this is indicated in the Device's Summary tab and Reboot required column in the north pane. If a reboot is not configured as part of the Installation Schedule, it may be initiated directly from the Dashboard using Reboot Now or Later.