Membership: Patch Policy

Patch Management > Patch Policy > Membership

The Membership page assigns machine IDs to one or more patch policies. Patch policies contain all active patches for the purpose of approving or denying patches. An active patch is defined as a patch that has been reported by a patch scan by at least one machine in the VSA. Any machine can be made a member of one or more patch policies.

For example, you can create a patch policy named servers and assign all your servers to be members of this patch policy and another patch policy named workstations and assign all your workstations to be members of this policy. This way, you can configure patch approvals differently for servers and workstations.

• The patches of machines that are not a member of any patch policy are treated as if they were automatically approved.
• When a new patch policy is created the default approval status is pending approval for all patch categories.
• The default approval status for each category of patches and for each product can be individually set.
• If a machine is a member of multiple patch policies and those policies have conflicting approval statuses, the most restrictive approval status is used.
• Initial Update and Automatic Update require patches be approved before these patches are installed.
• Approval by Policy approves or denies patch by policy.
• Approval by Patch approves or denies patches by patch and sets the approval status for that patch in all patch policies.
• KB Override overrides the default approval status by KB Article for all patch policies and sets the approval status for patches associated with the KB Article in all patch policies.
• Patch Update and Machine Update can install denied patches.
• Non-Master role users can only see patch policies they have created or patch policies that have machine IDs the user is authorized to see based on their scope.

View Definitions

You can filter the display of machine IDs on any agent page using the following options in View Definitions.

• Show/Hide members of patch policy
• Use Patch Policy

Assign machines to a patch policy

Click one or more patch policy names to mark them for adding or removing from selected machine IDs.

Add

Click Add to add selected machine IDs to selected patch policies.

Remove

Click Remove to remove selected machine IDs from selected patch policies.

Always show all Patch Policies to All Users

If checked, always show all patch policies to all users. This allows all non-master role users to deploy patch policies, even if they did not create the patch policies and don't have machines yet that use them. If blank, only master role users can see all patch policies. If blank, non-master role users can only see patch policies assigned to machines within their scope or to unassigned patch policies they created. This option only displays for master role users.

Machine.Group ID

The list of Machine.Group IDs displayed is based on the Machine ID / Group ID filter and the machine groups the user is authorized to see using System > User Security > Scopes.

Policy Membership

Displays a comma separated list of patch policies that each machine ID is a member of.