Declining Patch, is an important part of patch deployment. When we automate patch management, all the missing patches are downloaded and deployed to the target computers. This results in deploying patches even though they might not be business critical. So, you will have to choose to ignore patches which are not critical. Ignoring to install some of missing patches will reflect on the system's health status. Computers in your network might be rated as Highly Vulnerable, or Vulnerable.
To avoid this, you can decline patches. Declining a patch results in the following:
You can choose to decline specific patches or all patches pertaining to a specific application. Patches can be declined to all computers or specific group of computers. A default group named, "All Computers Group" is created by Endpoint Central. If you wanted to decline a specific patch to all computers, then you can choose this group and decline the required patches. If you want some of the patches to be declined to a specific group of computers, then you can create separate custom groups like, groups based on OS, or Remote Office, etc. and decline the patches.
Here are a few examples of how decline patch works:
Follow the steps mentioned below to decline know the steps involved in declining patches and applications:
Click the Patch Mgmt tab on the product console.
Click Decline Patch link available under Settings.
Click on "Select Group and Decline Patches".
Select All Computers Group, if you wanted the patch to be declined for all the managed computers, else choose/create a specific group which contains the required target.
Add Description if required
Choose patches based on KB Number, Bulletin, Patch ID, Application or Platform.
Select the patches/application that needs to be declined
Click Save to save the changes.
|If you wanted to revoke the declined patches, then you can edit it by selecting Actions against the custom group name.|
You have successfully declined patches for group. You can now see that Patches that are declined will not be reflecting the system health status or not been calculated as missing patches.
Related Articles: Patch Management Architecture, Patch Management Life Cycle, Scan Systems for Vulnerability, Patch Reports