Automating patch review

NAVIGATION   Modules > Patch Management

VSA 10's Patch Review feature makes it easy to configure automation that intelligently approves or rejects the delivery of OS updates to your managed endpoints. By doing so, you increase the efficiency of your review process by eliminating manual work while maintaining security.

This article provides an overview and use cases for the feature. It also describes how to navigate and customize each tier of the review process.

Overview

During operating system patching, VSA 10 scans potentially-eligible endpoints in real time and assesses the patches against configured rules that you define. VSA 10 has three levels of rules that comprise Patch Review:

  1. Global rules: Tenant-level rules assessed for all patches

  2. Patch policy rules: Policy-level rules assessed for all patches within a patch policy

  3. Individual patch rules: Patch-level rules assessed for a single patch within a patch policy

Each type of rule must be configured in its own section of VSA 10. To learn how to do so, select a topic to continue.

Configuring rules

Global rules are configurable via Patch Management > Global Rules.

VSA 10 consults these rules first when analyzing a newly-discovered patch. They supersede all other rules and apply in a top-down order. You can set various criteria, such as patch name, description, category, or severity metrics, to approve or reject the patch.

Common use cases for global rules include excluding drivers or patches with known deployment issues. If a patch doesn't meet any global rules criteria, VSA 10 will next evaluate it by patch policy rules.

To view and manage patch policy rules, navigate to Patch Management > Policies. Then, click Windows settings and select OS Rules.

Patch policy rules are useful when creating patching strategies for individual organizations or devices with specific needs. For example, you can automatically approve patches if they have CVSS scores that adhere to an organization's security policies. Or, you can defer patch installation for devices that host vital infrastructure.

The workflows for configuring patch policy rules are similar to those for global rules. They have the same set of criteria to choose from.

NOTE  Approve and Install policies and Global rules may override the Hide action for a given patch.

If a patch does not match any of the global or patch policy rules, then you'll need to manually review it on the Patch Status page. To learn more, refer to the Individual patch rules section of this article.

Individual patch rules apply when a patch does not match any global or patch policy rules. They are manual actions taken by technicians who have reviewed the patch and have made a decision about how VSA 10 should proceed with its deployment. The manual review process is frequently leveraged by managed service providers (MSPs) and organizations where patches require multi-step approval and testing before full deployment.

By navigating to Patch Management > Patch Status, you can view a list of all available patches in use in your environment, grouped by their corresponding policies. The detail view for each policy includes review status tabs, enabling you to filter the list by the following patch statuses: 

  • Deployed: The patch has been successfully deployed.
  • Reboot Pending: The patch has been deployed but requires a reboot to complete the installation.
  • Failed: The patch has failed to deploy.
  • Deployment Pending: The patch is available but has not yet been deployed.

Clicking any patch surfaces its extended details, severity metrics, pending installations, and links to relevant Microsoft resources in a slide-out Patch Card. This card contains details presented is an aggregate of useful data, including information about the patch and its deployment progress.

The patch status is automatically determined by the rules within the patch policy and the Global Rules page, but you can either approve or reject the patch's use from the policy's Actions menu in the upper right.

The following Actions can be used to refine the Patch Status for each patch:

  • Approve: Sets the patch status to Approved for the selected patch(es)
    • This action supersedes the patch policy and Global Rules
    • This action does not modify the patch policy and Global Rules
  • Reject: Sets the Patch Status to Rejected for the selected patch(es)
    • This action supersedes the patch policy and Global Rules
    • This action does not modify the patch policy and Global Rules
    • A patch with a patch status of Rejected will be hidden on the local device
  • Apply Global and Policy Rules: Resets the patch status for the selected patch(es) based on the patch policy and Global Rules
  • Return to Pending: Sets the Patch Status to Pending for the selected patch(es)
    • This action supersedes the patch policy and Global Rules
    • This action does not modify the patch policy and Global Rules

NOTE  Global Rules take precedence over patch policy rules.

IMPORTANT   Endpoints with outdated VSA agents (versions below 10.6) will not take into account any manual rules configured on the Patch Status page. They will only follow Global and Patch Policy rules.

Learn more

For a comprehensive guide to creating and deploying patch policies, refer to Creating/editing Patch Management policies.