
Decline Patches

Overview

Declining patches is an important part of patch deployment. When patch management is automated, all the missing patches are downloaded and deployed to the target computers. As a result, patches are deployed even though they might not be business critical, so you will have to choose to ignore patches that are not critical. Ignoring some of the missing patches is reflected in the system's health status: computers in your network might be rated as Highly Vulnerable or Vulnerable.

In order to avoid this, you can decline patches. Declining a patch results in the following:

  • When a patch is declined, it is not considered a missing patch.
  • It is not counted when the system health status is calculated.
  • Patches that are declined are not deployed via automated patch deployment.

Declining Patches for All Computers or a Specific Group

You can choose to decline specific patches or all patches pertaining to a specific application. Patches can be declined for all computers or for a specific group of computers. A default group named "All Computers Group" is created by Endpoint Central MSP. If you want to decline a specific patch for all computers, choose this group and decline the required patches. If you want some of the patches to be declined for a specific group of computers, create separate custom groups (for example, groups based on OS or Remote Office) and decline the patches for those groups.

Here are a few examples of how declining a patch works:

  1. Assume a specific patch "Adobe 1.1" has been declined for the All Computers Group. The patch "Adobe 1.1" will then not be considered a missing patch and will not be downloaded in the network. Computers will not be considered vulnerable, even if this patch is not installed.
  2. If a critical patch "Chrome 23.1" is declined for specific custom groups, such as the custom groups "Remote_Office1 & Remote_Office2", then the patch will be downloaded and deployed to all computers on which it is missing, except for the computers in the custom groups "Remote_Office1 & Remote_Office2". If the patch "Chrome 23.1" is missing on any computer outside the specified custom groups, that computer might be rated as vulnerable, since a critical patch is missing.
  3. When a computer is added to the custom group "Remote_Office1", all the patches that are declined for the custom group are considered declined for the newly added computer.
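
The three examples above can be modelled in a few lines to see which absent patches a decline hides from the missing-patch count. This is an added illustration, not Endpoint Central MSP code or its API; the host names, scan results and the function names effective_declines and patch_view are constructed for the example.

```python
# Added illustration with constructed data; not an Endpoint Central MSP API.
ALL_COMPUTERS = "All Computers Group"

# Group -> patches declined for that group (examples 1 and 2 above).
declined_by_group = {
    ALL_COMPUTERS: {"Adobe 1.1"},
    "Remote_Office1": {"Chrome 23.1"},
    "Remote_Office2": {"Chrome 23.1"},
}
# Computer -> custom groups it belongs to (hypothetical host names).
memberships = {
    "hq-pc-01": set(),
    "ro1-pc-01": {"Remote_Office1"},
}
# Computer -> patches a scan found not installed (constructed).
not_installed = {
    "hq-pc-01": {"Adobe 1.1", "Chrome 23.1"},
    "ro1-pc-01": {"Adobe 1.1", "Chrome 23.1"},
}
# Patches the page describes as critical.
CRITICAL = {"Chrome 23.1"}


def effective_declines(computer):
    """Union of declines from the default group and the computer's custom groups."""
    groups = {ALL_COMPUTERS} | memberships.get(computer, set())
    declined = set()
    for group in groups:
        declined |= declined_by_group.get(group, set())
    return declined


def patch_view(computer):
    """Split absent patches into those counted as missing and those masked by a decline."""
    absent = not_installed.get(computer, set())
    declined = effective_declines(computer)
    return {
        "counted_missing": sorted(absent - declined),
        "masked": sorted(absent & declined),
        "masked_critical": sorted(absent & declined & CRITICAL),
    }


if __name__ == "__main__":
    for name in sorted(memberships):
        print(name, patch_view(name))
```

The masked_critical list is the part to review periodically, because those patches are absent on the computer yet no longer count toward its health status.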

Follow the steps below to decline patches and applications:

  1. Click the Patch Mgmt tab on the Endpoint Central MSP console.

  2. Click the Decline Patch link available under Settings.

  3. Click Select Group and Decline Patches.

  4. Select All Computers Group if you want the patch to be declined for all the managed computers; otherwise, choose or create a specific group that contains the required targets.

  5. Add a Description if required.

  6. Choose patches based on KB Number, Bulletin, Patch ID, Application or Platform.

  7. Select the patches/applications that need to be declined.

  8. Click Save to save the changes.

If you want to revoke the declined patches, you can edit them by selecting Actions against the custom group name.

You have successfully declined patches for the group. Patches that are declined are no longer reflected in the system health status or calculated as missing patches.