Approving patches automatically with rules
Automatic patch approvals ensure that typical system patches or system-critical patches are downloaded and installed without waiting for review. Timely system and security-critical patches are approved as soon as they become available, keeping the customer's devices safe and up to date.
There may be patches that you and your customers always want to schedule for download and installation once they have been detected. For example, one customer may be confident that all Microsoft patches except device drivers and tools can be installed automatically on their laptops and workstations, rather than waiting for you to verify and approve them manually. Another customer may be more cautious and may want only Microsoft Critical patches and Security Update patches installed automatically, preferring to wait for other patches to be manually approved.
For information on the different types of Microsoft patches, see Microsoft patch classifications.
Typically, when you are first starting with Patch Management, you need to set up three rules: one for Laptops, one for Workstations and one for Servers.
After you add automatic approval for patches to rules, patching can take place without further input from you and without waiting for your review. For information on the approval type definitions, see Approval Definitions.
Add an automatic approval rule
- Click Configuration > Patch Management.
- In the Patch Approval area, click Automatic Approval, and click Add.
- Enter a name and description for the Patch Approval Rule.
- In the Products and Classifications section, select the classification of updates for the rule.
- Select products by clicking the pencil icon for a product and clicking Selected.
- Click the Targets tab for a list of SO and Customer-level sites and rules.
- Select the pencil icon for the desired rule and select Approved for Install.
- For each Rule, select the appropriate approval from the list.
It is recommended that you do not select Perform Action Immediately unless it is a critical update that you are concerned about, as this will install auto-approved patches immediately, ignoring the installation schedule.
- Click Save.
To ensure that you select both the top level and the children under the top level, click the pencil icon and click Apply to Children.
You can select the top level to apply approvals across all Rules; however, SolarWinds MSP recommends that you perform your approvals against the patch rules you have created. You can review the list of patch-enabled rules by going to Configuration > Patch Management.
With the new approval rule, when a patch for the selected product becomes available, MSP N-central will automatically download and install the patch on the customer's devices during the next patch install maintenance window.
Some software patches require the target device to be restarted to complete the installation. Until the target device is restarted, patches will be reported as Approved but not installed, even after a successful installation.
After you set up automatic approvals, there will still be patches that are not covered by these Rules. You will need to perform some maintenance by manually approving and declining patches that are not covered by the automatic rules. For more information, see Approving patches manually.
Run Rule Now
Run Rule Now executes a selected automatic approval against all existing patches that are waiting to be installed, and patches that will be approved according to the Rule. This includes previously configured Declined states and Device level approvals.
When you create Automatic Approval Rules, new patches are applied immediately according to your specifications, and the rules are also applied to existing patches that have been waiting for approval.
If you use Run Rule Now, it applies to all patches. If you declined a patch, it will be switched to whatever the automatic approval rule specifies, unless you left that section as No Approval. As a result, some patches set as "Declined" may switch to "Approved for Install" if your automatic approval rule was set this way. Device-level declines will not change.
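The effect of Run Rule Now on earlier declines can be checked before the rule is run. The following Python sketch is an added example, not N-central code: it models a rule as a map from classification to approval and lists the declined patches that a run would switch to Approved for Install. The Patch fields, the rule shape (classification only, without products) and the sample names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

APPROVED = "Approved for Install"
DECLINED = "Declined"
NO_APPROVAL = "No Approval"

@dataclass(frozen=True)
class Patch:
    name: str                      # constructed sample identifier
    classification: str
    state: Optional[str]           # None = still waiting for approval
    device_declined: bool = False  # decline set at the device level

def run_rule_now(rule, patches):
    """Map each patch name to its approval state after the rule is run."""
    after = {}
    for p in patches:
        # Assumption: a classification the rule does not list is No Approval.
        wanted = rule.get(p.classification, NO_APPROVAL)
        if p.device_declined or wanted == NO_APPROVAL:
            after[p.name] = p.state   # left exactly as it was
        else:
            after[p.name] = wanted    # overwrites an earlier Declined too
    return after

def declines_that_flip(rule, patches):
    """Names of declined patches the run would move to Approved for Install."""
    after = run_rule_now(rule, patches)
    return sorted(p.name for p in patches
                  if p.state == DECLINED and after[p.name] == APPROVED)

# Constructed sample rule and patch inventory.
RULE = {"Critical": APPROVED, "Security Update": APPROVED, "Driver": NO_APPROVAL}
PATCHES = [
    Patch("SAMPLE-001", "Critical", None),
    Patch("SAMPLE-002", "Security Update", DECLINED),
    Patch("SAMPLE-003", "Driver", DECLINED),
    Patch("SAMPLE-004", "Critical", DECLINED, device_declined=True),
]

if __name__ == "__main__":
    for name in declines_that_flip(RULE, PATCHES):
        print(f"review before Run Rule Now: {name} would become {APPROVED}")
```

Any patch this reports was declined on purpose at some point, so confirm that the reason no longer applies or set its classification to No Approval in the rule before running it.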