Approval Policy

Missing patches represent a significant security threat to servers and workstations. Especially as after an update to fix a vulnerability becomes public knowledge, attackers will specifically target the exploit on unpatched devices. In line with security best practices to mitigate the impact of these types of attack it is always advisable to ensure computers are running the latest patches.

Patch Management for Windows requires approval before deploying patches and you can choose the default behavior for how patches are handled.

For Microsoft updates this is based on their classification.

Other software vendors (such as Adobe) the behavior is by product.

Where patches are set to automatically Approve, they are automatically deployed based on the Installation Schedule and do not require any manual intervention.

You can decide how patches are handled in line with your processes. For example, company policy may dictate that critical patches are rolled-out as soon as possible, whereas all others are trialled in a sandbox environment before deployment.

When patches are set for automatically approval they do not show as missing in the Patch Status Check (as an action is automatically applied for the patch). These patches automatically go to Pending in the Patches tab and are deployed at the next remediation cycle.

Patch Management for Windows takes administrative control of Windows Update, ensuring Windows Updates will not attempt to install updates on its own.

Visit Patch Approval Actions for information on the patch approval hierarchy.