Approval Policy

Missing patches represent a significant security threat to servers and workstations. Especially as after an update to fix a vulnerability becomes public knowledge, attackers will specifically target the exploit on unpatched devices. In line with security best practices to mitigate the impact of these types of attack it is always advisable to ensure computers are running the latest patches.

Patch Management requires approval before deploying patches and you can choose the default behavior for how patches are handled based on their severity. If the patch severity is set to automatically Approve, they are automatically deployed based on the Installation Schedule and do not require any manual intervention.

In the Auto Approval section choose whether to automatically Approve, Ignore or Manual (i.e. approve at a later date) missing security patches depending on their severity (Critical, Important, Moderate, Low or Other) from both Microsoft and Other Vendors.

Severity Levels of patches are defined by the software developer / vendor.

You can decide how patches are handled in line with your processes. For example, company policy may dictate that critical patches are rolled-out as soon as possible, whereas all other severities are trialled in a sandbox environment before deployment.

When patches are set for automatically approval they do not show as missing in the Patch Status Check (as an action is automatically applied for the patch). These patches automatically go to Pending in the Patches tab and deployed at the next remediation cycle.

Patch Management takes administrative control of Windows Update, ensuring Windows Updates will not attempt to install updates on its own.

Visit Patch Approval Actions for information on the patch approval hierarchy.