Automatic patch approval

Automatic patch approval makes installing updates on machines easier. The following example shows how it works.

How it works

You should have two environments: test and production. The test environment is used to test patch installation and to ensure that the patches do not break anything. After you have tested patch installation in the test environment, you can automatically install these safe patches in the production environment.

Configuring automatic patch approval

To configure automatic patch approval

  1. For each vendor whose products you are planning to update, you must read and accept the license agreements. Otherwise, automatic patch installation will not be possible.
  2. Configure the settings for automatic approval.
  3. Prepare the protection plan (for example, "Test patching") with the enabled Patch management module and apply it to the machines in the test environment. Specify the following condition of patch installation: the patch approval status must be Not defined. This step is needed to validate the patches and check if the machines work properly after patch installation.
  4. Prepare the protection plan (for example, "Production patching") with the enabled Patch management module and apply it to the machines in the production environment. Specify the following condition of patch installation: the patch status must be Approved.
  5. Run the Test patching plan and check the results. The approval status of patches that caused no issues on the machines can be left as Not defined, while the status of patches after which machines work incorrectly must be set to Declined.
  6. After the number of days set in the Automatic approval option, the patches that are still Not defined become Approved.
  7. When the Production patching plan is launched, only those patches that are Approved will be installed on the production machines.

The manual steps are listed below.

Step 1. Read and accept the license agreements for the products that you want to update

  1. In the service console, go to Software management > Patches.
  2. Select the patch, then read and accept the license agreement.

Step 2. Configure the settings for automatic approval

  1. In the service console, go to Software management > Patches.
  2. Click Settings.
  3. Enable the Automatic approval option and specify the number of days. This means that after the specified number of days starting from the first attempt of patch installation, the patches with the status Not defined will become Approved automatically.

    For example, you specified 10 days. You ran the Test patching plan on the test machines and installed patches. You marked the patches that broke the machines as Declined, while the rest of the patches stayed as Not defined. After 10 days have passed, the patches in the Not defined status are automatically switched to Approved.

  4. Enable the Automatically accept the license agreements option. This is needed so that license agreements are accepted automatically during patch installation; no confirmation is required from a user.

Step 3. Prepare the Test patching protection plan

  1. In the service console, go to Plans > Protection.
  2. Click Create plan.
  3. Enable the Patch management module.
  4. Define which updates to install for Microsoft and third-party products, schedule, and pre-update backup. For more details about these settings, refer to "Patch management settings".

    Important: For all the products to be updated, define Approval status as Not defined. When the time to update comes, the agent will install only Not defined patches on the selected machines in the test environment.

Step 4. Prepare the Production patching protection plan

  1. In the service console, go to Plans > Protection.
  2. Click Create plan.
  3. Enable the Patch management module.
  4. Define which updates to install for Microsoft and third-party products, schedule, and pre-update backup. For more details about these settings, refer to "Patch management settings".

    Important: For all the products to be updated, define Approval status as Approved. When the time to update comes, the agent will install only Approved patches on the selected machines in the production environment.

Step 5. Run the Test patching protection plan and check the results

  1. Run the Test patching protection plan (by schedule or on-demand).
  2. After that, check which of the installed patches are safe and which are not.
  3. Go to Software management > Patches and set the Approval status as Declined for those patches that are not safe.
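
The approval timing described in the steps above, modelled as an added example (not vendor code and not an API of the product): it shows which patches the Test patching and Production patching plans would pick up on a given date. All class, function and patch names and the dates are constructed; treating the day the window ends as the switch day, and starting no countdown for a patch that was never attempted, are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOT_DEFINED, APPROVED, DECLINED = "Not defined", "Approved", "Declined"

@dataclass
class Patch:
    name: str                      # constructed sample name
    first_attempt: Optional[date]  # first installation attempt on a test machine
    status: str = NOT_DEFINED      # approval status as set in the console

def approval_date(patch, auto_days):
    """Date on which a still Not defined patch switches to Approved, else None."""
    if patch.status != NOT_DEFINED or patch.first_attempt is None:
        return None
    return patch.first_attempt + timedelta(days=auto_days)

def effective_status(patch, today, auto_days):
    """Approval status once the Automatic approval rule has been applied."""
    switch = approval_date(patch, auto_days)
    if switch is not None and today >= switch:  # boundary day is an assumption
        return APPROVED
    return patch.status  # Declined (or manually Approved) is never overridden

def plan_install_set(patches, required_status, today, auto_days):
    """Patches a plan filtering on required_status would install today."""
    return [p.name for p in patches
            if effective_status(p, today, auto_days) == required_status]

# Constructed sample data: 10-day window, as in the example in Step 2.
AUTO_DAYS = 10
SAMPLE = [
    Patch("patch-A", date(2024, 3, 1)),            # tested, no issues found
    Patch("patch-B", date(2024, 3, 1), DECLINED),  # broke a test machine
    Patch("patch-C", date(2024, 3, 8)),            # tested a week later
    Patch("patch-D", None),                        # never attempted on test
]

if __name__ == "__main__":
    for day in (date(2024, 3, 10), date(2024, 3, 11), date(2024, 3, 18)):
        print(day, "production installs:",
              plan_install_set(SAMPLE, APPROVED, day, AUTO_DAYS))
    for p in SAMPLE:
        print(p.name, "auto-approves on", approval_date(p, AUTO_DAYS))
```

The date returned by approval_date marks the end of the review window: a patch that misbehaves on the test machines has to be set to Declined before then to stay out of the Production patching plan.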