Patch Approval

The Patch Approval page approves or denies the installation of Microsoft patches on managed machines. Patches pending approval are considered denied until they are approved. This gives you the chance to test and verify a patch in your environment before it is pushed out automatically. Initial Update and Automatic Update require that patches be approved before they are installed. Patch Update and Machine Update can override a Patch Approval policy and install denied patches. See Methods of Updating Patches, Configuring Patch Management, Patch Processing and Patch Failure for a general description of patch management.

Setting Patch Approval Policies

Patch approval policies are defined by machine collection using Agent > Create/Delete Collection. For example, by setting up a separate approval policy for each collection, you can automatically deploy a patch to all your workstations while blocking deployment to servers.

  • Patches for machines that are not members of any collection are automatically approved.
  • If no approval policy is defined for a collection (for example, when a new collection is created), all patches for machines in that collection are approved by default.
  • If you click the Set Policy button to approve patches individually in a collection, then existing patches are approved by default.
  • Clicking the Remove Policy button clears the approval policy for that collection.
  • If a machine is a member of two collections, each with its own policy, a patch denied by either collection is denied for that machine. Note that if one collection does not have any policy set, then only the policy that is set is used.
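
The rules above, modelled as an added example (not code from the product): it resolves one patch for one machine and lists the machines that no approval policy covers. The collection names, machine names and patch IDs are constructed, and the data layout is an assumption made for illustration.

```python
from enum import Enum

class Status(Enum):
    APPROVED = "approved"
    DENIED = "denied"
    PENDING = "pending approval"

# Constructed sample data: "lab" has no entry, so it has no policy set.
POLICIES = {
    "servers": {"default": Status.PENDING,
                "patches": {"KB-EXAMPLE-1": Status.APPROVED}},
    "workstations": {"default": Status.APPROVED, "patches": {}},
}
MACHINES = {
    "srv01": ["servers"],
    "dual01": ["servers", "workstations"],
    "lab01": ["lab"],
    "orphan01": [],
}

def effective_status(patch, collections, policies):
    """Resolve one patch for a machine that belongs to `collections`."""
    # Only collections with a defined policy take part in the decision.
    active = [policies[c] for c in collections if c in policies]
    if not active:
        # No collection, or no policy on any of them: automatically approved.
        return Status.APPROVED
    for policy in active:
        # A patch without an explicit entry takes the collection default.
        status = policy["patches"].get(patch, policy["default"])
        # Pending counts as denied, and a denial in any collection wins.
        if status is not Status.APPROVED:
            return Status.DENIED
    return Status.APPROVED

def unguarded_machines(machines, policies):
    """Machines whose patches are all auto-approved (no policy applies)."""
    return sorted(name for name, cols in machines.items()
                  if not any(c in policies for c in cols))

if __name__ == "__main__":
    for name, cols in MACHINES.items():
        print(name, effective_status("KB-EXAMPLE-2", cols, POLICIES).value)
    print("no policy applies:", unguarded_machines(MACHINES, POLICIES))
```

The model covers only Initial Update and Automatic Update; Patch Update and Machine Update can install denied patches regardless of the result.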

Collection

Select a collection by name from the drop-down list.

Set Policy

Available only when the selected collection does not have a defined policy. Click Set Policy to create a new patch approval policy for this collection.

Note: The following options are only available when the selected collection has a set approval policy.

Default Approval Status

Select a default approval status for this collection. Newly identified patches for this collection are automatically set to this default value.

Remove Policy

Click Remove Policy to delete the current policy and automatically approve all current and future patches for this collection.

Note: Clicking this button permanently deletes the approval policy. To enable an approval policy, you must recreate the policy by clicking the Set Policy button.

Patch Approval Policy Status

This table displays the approval status of patches by update classification group. Approved, Denied and Pending Approval summary statistics are provided for each update classification group.

Click any link in this table to display a Patch Approval Details page listing individual patches and their approval status. The list is filtered by the type of link clicked:

  • Update classification
  • Approval status
  • Summary statistic

In the Patch Approval Details page you can:

  • Approve or deny approval of patches individually.
  • Click the knowledge base article link to display a Details page about the patch. The Details page contains a link to display the knowledge base article.

    Note: Microsoft may use a common knowledge base article for one or more patches, causing patches to appear to be listed more than once. Check the patch file name on the Details page to distinguish patches associated with a common knowledge base article.

  • Click the Security Bulletin link to review the security bulletin, if available. Patches classified as security updates have a security bulletin ID (MSyy-xxx).
  • Display the title of each patch.
