Automating patch review
NAVIGATION Modules > Patch Management
VSA 10's Patch Review feature makes it easy to configure automation that intelligently approves or rejects the delivery of OS updates to your managed endpoints. By doing so, you increase the efficiency of your review process by eliminating manual work while maintaining security.
This article provides an overview and use cases for the feature. It also describes how to navigate and customize each tier of the review process.
Overview
During operating system patching, VSA 10 scans potentially eligible endpoints in real time and assesses each patch against the rules you have configured. Patch Review consists of three levels of rules:
- Global rules: Tenant-level rules assessed for all patches
- Patch policy rules: Policy-level rules assessed for all patches within a patch policy
- Individual patch rules: Patch-level rules assessed for a single patch within a patch policy
Each type of rule is configured in its own section of VSA 10, as described below.
Configuring rules
Global rules are configurable via Patch Management > Global Rules.
VSA 10 consults these rules first when analyzing a newly discovered patch. They supersede all other rules and are applied in top-down order. You can set various criteria, such as patch name, description, category, or severity metrics, to approve or reject the patch.
Common use cases for global rules include excluding drivers or patches with known deployment issues. If a patch does not match any global rule, VSA 10 next evaluates it against the patch policy rules.
To view and manage patch policy rules, navigate to Patch Management > Policies. Then, click Windows settings and select OS Rules.
Patch policy rules are useful when creating patching strategies for individual organizations or devices with specific needs. For example, you can automatically approve patches if they have CVSS scores that adhere to an organization's security policies. Or, you can defer patch installation for devices that host vital infrastructure.
The workflows for configuring patch policy rules are similar to those for global rules. They have the same set of criteria to choose from.
NOTE Approve and Install policies and Global rules may override the Hide action for a given patch.
If a patch does not match any of the global or patch policy rules, then you'll need to manually review it on the Patch Status page. To learn more, refer to the Individual patch rules section of this article.
Individual patch rules apply when a patch does not match any global or patch policy rules. They are manual actions taken by technicians who have reviewed the patch and have made a decision about how VSA 10 should proceed with its deployment. The manual review process is frequently leveraged by managed service providers (MSPs) and organizations where patches require multi-step approval and testing before full deployment.
By navigating to Patch Management > Patch Status, you can view a list of all patches available in your environment, grouped by their corresponding policies. The detail view for each policy includes review status tabs, enabling you to filter the list to pending, approved, or rejected patches.
Clicking any patch surfaces its extended details, severity metrics, pending installations, and links to relevant Microsoft resources.
The patch status is automatically determined by the rules within the patch policy and the Global Rules page, but you can either approve or reject the patch's use from the policy's Actions menu in the upper right.
The following Actions can be used to refine the Patch Status for each patch:
- Approve: Sets the patch status to Approved for the selected patch(es)
  - This action supersedes the patch policy and Global Rules
  - This action does not modify the patch policy and Global Rules
- Reject: Sets the Patch Status to Rejected for the selected patch(es)
  - This action supersedes the patch policy and Global Rules
  - This action does not modify the patch policy and Global Rules
  - A patch with a patch status of Rejected will be hidden on the local device
- Apply Global and Policy Rules: Resets the patch status for the selected patch(es) based on the patch policy and Global Rules
- Return to Pending: Sets the Patch Status to Pending for the selected patch(es)
  - This action supersedes the patch policy and Global Rules
  - This action does not modify the patch policy and Global Rules
NOTE Global Rules take precedence over patch policy rules.
IMPORTANT Endpoints with outdated VSA agents (versions below 10.6) will not take into account any manual rules configured on the Patch Status page. They will only follow Global and Patch Policy rules.
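The evaluation order described above (global rules first and top-down, then patch policy rules, then any manual Patch Status action, which supersedes both but is ignored by agents below 10.6) as a constructed model. This is an added example, not Kaseya code or the VSA 10 API; the rule criteria, patch fields, and sample rules are assumptions modelled on the use cases in this article.

```python
"""Constructed model of the VSA 10 Patch Review evaluation order (added
example, not Kaseya code). Rule criteria and sample data are assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Patch:
    name: str
    category: str
    cvss: float            # severity metric a rule may test
    description: str = ""

@dataclass
class Rule:
    name: str
    matches: Callable[[Patch], bool]
    action: str            # "approve" or "reject"

STATUS = {"approve": "approved", "reject": "rejected", "pending": "pending"}

def first_match(rules: List[Rule], patch: Patch) -> Optional[str]:
    """Rules apply top-down; the first matching rule decides."""
    for rule in rules:
        if rule.matches(patch):
            return rule.action
    return None

def review(patch, global_rules, policy_rules, manual=None, agent_version=(10, 6)):
    """Return the effective status: 'approved', 'rejected' or 'pending'.
    manual is an Approve/Reject/Return-to-Pending action from the Patch Status
    page (None means 'Apply Global and Policy Rules')."""
    # Manual actions supersede both rule tiers, but agents below 10.6 only
    # follow Global and Patch Policy rules, so the override is skipped there.
    if manual in STATUS and agent_version >= (10, 6):
        return STATUS[manual]
    action = first_match(global_rules, patch)      # Global Rules take precedence
    if action is None:
        action = first_match(policy_rules, patch)  # then patch policy rules
    return STATUS[action] if action else "pending"  # no match: manual review

# Constructed sample rules mirroring the article's use cases.
GLOBAL_RULES = [
    Rule("exclude drivers", lambda p: p.category == "Drivers", "reject"),
    Rule("known deployment issue", lambda p: "known issue" in p.description, "reject"),
]
POLICY_RULES = [
    Rule("auto-approve CVSS >= 7.0", lambda p: p.cvss >= 7.0, "approve"),
]
```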
Learn more
For a comprehensive guide to creating and deploying patch policies, refer to Creating/editing Patch Management policies.