Approval by Policy

Patch Management > Patch Policy > Approval by Policy

The Approval by Policy page approves or denies the installation of Microsoft patches on managed machines by patch policy. Patches pending approval are considered denied until they are approved. This gives you the chance to test and verify a patch in your environment before the patch automatically pushes out. See Methods of Updating Patches, Configuring Patch Management, Patch Processing, Superseded Patches, Update Classification and Patch Failure for a general description of patch management.

Setting Patch Approval Policies

Patch policies contain all active patches for the purpose of approving or denying patches. An active patch is defined as a patch that has been reported by a patch scan by at least one machine in the VSA. Any machine can be made a member of one or more patch policies.

For example, you can create a patch policy named servers and assign all your servers to be members of this patch policy and another patch policy named workstations and assign all your workstations to be members of this policy. This way, you can configure patch approvals differently for servers and workstations.

• The patches of machines that are not a member of any patch policy are treated as if they were automatically approved.
• When a new patch policy is created the default approval status is pending approval for all patch categories.
• The default approval status for each category of patches and for each product can be individually set.
• If a machine is a member of multiple patch policies and those policies have conflicting approval statuses, the most restrictive approval status is used.
• Initial Update and Automatic Update require patches be approved before these patches are installed.
• Approval by Policy approves or denies patch by policy.
• Approval by Patch approves or denies patches by patch and sets the approval status for that patch in all patch policies.
• KB Override overrides the default approval status by KB Article for all patch policies and sets the approval status for patches associated with the KB Article in all patch policies.
• Patch Update and Machine Update can install denied patches.
• Non-Master role users can only see patch policies they have created or patch policies that have machine IDs the user is authorized to see based on their scope.

Superseded Patches

A patch may be superseded and not need to be installed. See Superseded Patches for more information.

Policy

Select a patch policy by name from the drop-down list.

Note: See Standard Solution Package > Patch / Update Management > Patch Approval/Denial Policies for more information about standard "ZZ" patch policies.

Save As...

Click Save As... to save the currently selected patch policy to a new policy with identical settings. All patch approval/denial statuses are copied as are the default approval statuses for the policy. Machine membership is not copied to the new policy.

Copy Approval Statuses to Policy <Policy> / Copy Now

Select a policy to copy approval statuses to, from the currently selected policy. Then click Copy Now. This enables you to perform patch testing against a group of test machines using a test policy. Once testing has been completed and the patches have been approved or denied, use the copy feature to copy only the approved or denied statuses from the test policy to a production policy.

Policy View / Group By

Display patch groups by classification or product.

Patch Approval Policy Status

This table displays the approval status of patches by update classification or product group. Approved, Denied, Pending Approval, and Totals statistics are provided for each update classification or product group.

Select a Default Approval Status for any category for this patch policy. Newly identified patches for this patch policy are automatically set to this default value. Choices include:

- Approved

- Denied

- Pending Approval

Note: If the same patch is assigned two different Default Approval Status settings—one by update classification and the other by product group—then the more restrictive of the two defaults has precedence: Denied over Pending Approval over Approved.

Click any link in this table to display a Patch Approval Policy Details page listing individual patches and their approval status. The list is filtered by the type of link clicked:

• Classification or Product
• Approved
• Denied
• Pending Approval
• Totals

In the Patch Approval Policy Details page you can:

• Approve or deny approval of patches individually.
• Click the KB Article link to display a Details page about the patch. The Details page contains a link to display the knowledge base article.

  Note: Microsoft may use a common knowledge base article for one or more patches, causing patches to appear to be listed more than once. Check the Product name or click the KB Article link to distinguish patches associated with a common knowledge base article.

• Click the Security Bulletin link to review the security bulletin, if available. Patches classified as security updates have a security bulletin ID (MSyy-xxx).
• The Product column helps identify the product category associated with a specific patch. If a patch is used across multiple operating system families (i.e., Windows XP, Windows Server 2003, Vista, etc.), the product category is Common Windows Component. Examples include Internet Explorer, Windows Media Player, MDAC, MSXML, etc.
• See Update Classification for an explanation of Classification and Type.
• Click the Show Details checkbox to display the expanded title, patch status notes and installation warnings, if any, of each patch.
• Click Filter... to restrict the amount of data displayed. You can specify a different advanced filter for each column of data displayed. See Advanced Filtering.
• Optionally add a note, up to 500 characters, using Patch Status Notes. The note is added when the Approve or Deny buttons are selected. If the text box is empty when the Approval or Deny buttons are selected, the note is removed for selected patches.

Override Default Approval Status with Denied for "Manual Install Only" updates in this policy

If checked, all existing and future Manual Install Only updates are set to denied for this policy.

Override Default Approval Status with Denied for "Windows Update Web Site" updates in this policy

If checked, all existing and future Windows Update Web Site updates are set to denied for this policy.

Override Default Approval Status with Denied for superseded updates in this policy

If checked, all existing and future superseded patches are set to denied for this policy.

Note: Checking an override checkbox has a one-time effect on existing patches for that category of patches. If you approve an existing patch belonging to an override category after checking its override checkbox, the patch will remain approved regardless of any override setting. Future patches will continue to default to denied.

Set New Patch Product Default Approval Status in this policy

Selects the initial default approval status for new Microsoft products identified during patch scans. These new products display when the Policy View / Group By drop-down list is set to Product.