Next Topic

Previous Topic

Book Contents

Approval by Patch

The Approval by Patch page approves or denies the installation of Microsoft patches on managed machines by patch for all patch policies. Changes affect patches installed by all users. This saves you the trouble of approving pending patches separately for each patch policy. See Methods of Updating Patches, Configuring Patch Management, Patch Processing, Superseded Patches, Update Classification and Patch Failure for a general description of patch management.

Setting Patch Approval Policies

Patch policies contain all active patches for the purpose of approving or denying patches. An active patch is defined as a patch that has been reported by a patch scan by at least one machine in the VSA. Any machine can be made a member of one or more patch policies.

For example, you can create a patch policy named servers and assign all your servers to be members of this patch policy and another patch policy named workstations and assign all your workstations to be members of this policy. This way, you can configure patch approvals differently for servers and workstations.

  • The patches of machines that are not a member of any patch policy are treated as if they were automatically approved.
  • When a new patch policy is created the default approval status is pending approval for all patch categories.
  • The default approval status for each category of patches and for each product can be individually set.
  • If a machine is a member of multiple patch policies and those policies have conflicting approval statuses, the most restrictive approval status is used.
  • Initial Update and Automatic Update require patches be approved before these patches are installed.
  • Approval by Policy approves or denies patch by policy.
  • Approval by Patch approves or denies patches by patch and sets the approval status for that patch in all patch policies.
  • KB Override overrides the default approval status by KB Article for all patch policies and sets the approval status for patches associated with the KB Article in all patch policies.
  • Patch Update and Machine Update can install denied patches.
  • Non-Master role users can only see patch policies they have created or patch policies that have machine IDs the user is authorized to see based on their scope.

Superseded Patches

A patch may be superseded and not need to be installed. See Superseded Patches for more information.

Patch Data Filter Bar

You can filter the data displayed by specifying values in each field of the Patch Data Filter Bar at the top of the page.

Word 60% / HTML 100%

Enter or select values in the KB Article, Classification or Products fields. You can also click the Edit... button to filter by additional fields and save the filtering selections you make as a view. Supports advanced filtering logic. Saved views can be shared using the Make Public (others can view) checkbox when editing the view.

Patch Status Notes

Optionally add a note, up to 500 characters, using Patch Status Notes. The note is added when the Approve or Deny buttons are selected. If the text box is empty when the Approval or Deny buttons are selected, the note is removed for selected patches.


Click Approve to approve selected patches for all patch policies.


Click Deny to deny selected patches for all patch policies.

Show Details

Check Show Details to display multiple rows of information for all patches. This includes the title of a patch, the number of patch policies that have been approved, denied, or are pending approval for a patch, patch status notes, and installation warnings, if any.

Select All/Unselect All

Click the Select All link to check all rows on the page. Click the Unselect All link to uncheck all rows on the page.

KB Article

Click the KB Article link to display a Details page about the patch. The Details page contains a link to display the knowledge base article.

Note: Microsoft may use a common knowledge base article for one or more patches, causing patches to appear to be listed more than once. Check the Product name or click the KB Article link to distinguish patches associated with a common knowledge base article.

Security Bulletin

Click the Security Bulletin link to review the security bulletin, if available. Patches classified as security updates have a security bulletin ID (MSyy-xxx).


The Product column helps identify the product category associated with a specific patch. If a patch is used across multiple operating system families (i.e., Windows XP, Windows Server 2003, Vista, etc.), the product category is Common Windows Component. Examples include Internet Explorer, Windows Media Player, MDAC, MSXML, etc.

Classification / Type

See Update Classification for an explanation of Classification and Type.

Approval Status

The approval status for this patch in all policies. Displays Mixed if even 1 policy differs from all other policies. Clicking the Approval Status link displays a page displaying the approval status assigned to this patch by each policy.


The date the patch was released.


The language the patch applies to.