Patch Approval lets you configure the OS patch installation and exclusion settings for critical, non-critical, and recommended updates across your end-user devices, providing enhanced control, flexibility, and protection.
Notes
- You'll need to enable Windows updates settings within Configuration Policies and select 'Control via Atera’s IT automation profiles (Recommended)' before configuring OS Patch approval settings. Learn more
- The "Windows Critical Updates" section within the Patch Approval module will include only the Critical Updates category. The "Windows Non-Critical Updates" section will include Security Updates, Service Packs, and Drivers and Tools categories, along with all their sub-categories.
- Linux package upgrades cannot be postponed.
Access OS Patch Approval Settings
Configuring OS patch approval settings ensures timely and secure updates, protecting your system from vulnerabilities while maintaining optimal performance.
To access OS patch approval settings:
1. From Admin (on the sidebar), click Patch management and IT automation.
The Patch management and IT automation page appears.
2. Select the profile or click Add profile to create a new one. The Profile page appears.
3. Under OS Patch Approval Settings, click Manage.
The OS patch approval settings: {name} page appears.
The page is divided into 3 sections:
- OS patch installation settings
- Exclude OS patches
- Excluded and postponed patches
What it means to approve, postpone, and exclude patches
Approve patches: If a category is marked as 'Always approve' when scanning for available patches, the patches will be installed when the profile is executed.
Postponed patches: If a category is marked as 'Postpone' when scanning for available patches, the patches won't be immediately installed on the devices to which the profile is applied. Instead, they will be installed in the next profile execution after the specified number of days before auto-approval. This allows you to test any new patches before deploying them to your monitored networks — and to exclude them if they are found to be risky.
Excluded patches: If a patch has been manually excluded, it won't be installed unless approved later on.
Approve and postpone patches
Configure your installation preferences for Windows updates (critical and non-critical), as well as recommended Mac updates. Updates can be set to 'Always approve' or 'Postpone'. Postponed patches will appear within Excluded and postponed patches.
Note: Updates can be postponed for up to 30 days before they're auto-approved.
Exclude patches
You can exclude OS patches from automatic installation by the host IT automation profile. These patches will not be installed unless manually approved in the Excluded and postponed OS patches.
To exclude OS patches:
1. Search for the patch (by KB, description, product, or class) in the search field.
2. Select the patch from the generated list. Then click Exclude.
The excluded patch appears in the Excluded and postponed patches section. From here, you can approve it, should you decide it's worthy of installation.
Manage excluded and postponed patches
Patches that you've postponed or excluded appear here. Patches that were postponed via the OS patch installation settings will include an auto-approval date.
Note:
- Postponed patches can be excluded or approved. Once approved, they will be installed on the next scheduled IT automation run. Postponed patches, once excluded, cannot be postponed again.
- Approved patches can be excluded again, as long as it's before the next scheduled IT automation run.
- Excluded patches can be approved.
To change the status of excluded or postponed patches:
1. From Excluded and postponed patches, click the dropdown menu on the relevant patch.
2. Select Approve or Exclude.
The profile is updated.
To change the status of multiple excluded or postponed patches:
1. From Excluded and postponed patches, check the devices you want to approve or exclude.
2. Select Approve or Exclude.
The profile is updated.