Patch Approval lets you configure the OS patch installation and exclusion settings for critical, non-critical, and recommended updates across your end-user devices, providing enhanced control, flexibility, and protection.
What it means to approve, postpone, and exclude patches
Approved patches: If a category is marked as 'Always approve', the patches found when scanning for available patches will be installed when the profile is executed.
Postponed patches: If a category is marked as 'Postpone', the patches found when scanning for available patches won't be immediately installed on the devices to which the profile is applied. Instead, they will be installed in the first profile execution after the specified number of days before auto-approval has passed. This allows you to test any new patches before deploying them to your monitored networks, and to exclude them if they are found to be risky.
Excluded patches: If a patch has been manually excluded, it won't be installed unless approved later on.
Set patch approval
Configuring OS patch approval settings ensures timely and secure updates, protecting your system from vulnerabilities while maintaining optimal performance.
Note:
- You'll need to enable Windows updates settings within Configuration Policies and select 'Control via Atera’s IT automation profiles (Recommended)' before configuring OS Patch approval settings. For more info, see Configuration policies: overview.
- The 'Windows Critical Updates' section within the Patch Approval module will include only the Critical Updates category. The 'Windows Non-Critical Updates' section will include Security Updates, Service Packs, and Drivers and Tools categories, along with all their sub-categories.
To access OS patch approval settings:
1. Go to Admin > Monitoring and management > Patch management and IT automation.
The Patch management and IT automation page appears.
2. Select the profile or click Add profile to create a new one.
The Profile page appears.
3. Under OS patch approval settings, click Manage.
The OS patch approval settings page appears.
Here you can set postponement and approval by OS patch type, exclude specific OS patches, and manage all excluded or postponed patches.
Approve, postpone, and exclude patches
Configure your installation preferences for Windows updates (critical and non-critical), as well as recommended Mac updates. Updates can be set to 'Always approve' or 'Postpone'. Postponed patches will appear within Excluded and postponed patches.
Note:
- Updates can be postponed for up to 30 days before they're auto-approved.
- Linux package upgrades cannot be postponed.
You can exclude OS patches from automatic installation. These patches will not be installed unless manually approved in the Excluded and postponed OS patches section. You can search for patches by KB, description, product, or class.
Manage excluded and postponed patches
Patches that you've postponed or excluded appear here. Patches that were postponed via the OS patch installation settings will include an auto-approval date.
You can update the status of postponed or excluded patches by clicking on the Status dropdown menu. You can approve or exclude postponed patches in bulk.
Note:
- Postponed patches can be excluded or approved. Once approved, they will be installed on the next scheduled IT automation run. Postponed patches, once excluded, cannot be postponed again.
- Approved patches can be excluded again, as long as it's before the next scheduled IT automation run.
- Excluded patches can be approved but don’t have an auto-approval date — they’ll only escape patching purgatory through manual intervention.
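The rules above (the 30-day postponement limit, the Linux restriction, and the status changes allowed for postponed, excluded, and approved patches) can be modelled to estimate how long a device stays unpatched under each setting. The following Python model is an added example, not Atera code or an Atera API; the function names, status strings, run schedule, and the assumption that the postponement is counted from the scan date are hypothetical.

```python
from datetime import date, timedelta

MAX_POSTPONE_DAYS = 30  # stated on the page; a positive minimum is assumed

# Manual status changes the page describes for excluded and postponed patches.
# Nothing leads back to "postponed": an excluded patch cannot be postponed again.
ALLOWED = {
    "postponed": {"approved", "excluded"},
    "excluded": {"approved"},
    "approved": {"excluded"},  # only before the next scheduled run
}

def change_status(current, new, before_next_run=True):
    """Return the new status, or raise if the page's rules forbid the change."""
    if new not in ALLOWED.get(current, set()):
        raise ValueError(f"{current} -> {new} is not allowed")
    if current == "approved" and not before_next_run:
        raise ValueError("approved patch was already picked up by a run")
    return new

def auto_approval_date(found_on, postpone_days, os_family="windows"):
    """Assumption: the postponement is counted from the scan that found the patch."""
    if os_family == "linux":
        raise ValueError("Linux package upgrades cannot be postponed")
    if not 0 < postpone_days <= MAX_POSTPONE_DAYS:
        raise ValueError(f"postponement must be 1..{MAX_POSTPONE_DAYS} days")
    return found_on + timedelta(days=postpone_days)

def install_run(status, found_on, runs, postpone_days=0):
    """First scheduled run that installs the patch; None while it is excluded.
    Assumption: a run on the auto-approval date itself already installs it."""
    if status == "excluded":
        return None
    earliest = found_on
    if status == "postponed":
        earliest = auto_approval_date(found_on, postpone_days)
    return next((r for r in sorted(runs) if r >= earliest), None)

def exposure_days(status, found_on, runs, postpone_days=0):
    """Days the device stays unpatched after the scan; None means indefinitely."""
    run = install_run(status, found_on, runs, postpone_days)
    return None if run is None else (run - found_on).days

# Constructed sample: weekly profile runs and a patch found on 2024-01-02.
RUNS = [date(2024, 1, 7) + timedelta(weeks=w) for w in range(8)]
FOUND = date(2024, 1, 2)

if __name__ == "__main__":
    print("always approve:", exposure_days("approved", FOUND, RUNS))
    print("postponed 14 days:", exposure_days("postponed", FOUND, RUNS, 14))
    print("excluded:", exposure_days("excluded", FOUND, RUNS))
```

With a weekly schedule, the actual delay is the postponement plus the wait for the next run, so a 14-day postponement in this sample leaves the patch uninstalled for 19 days.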