Barracuda RMM
formerly Managed Workplace

Setting Up Microsoft Patch Approval Groups

A Microsoft patch approval group is a container for devices against which you either manually or automatically approve updates. There are two default approval groups for Microsoft patches:

  • All Computers: Contains every managed device reporting into Microsoft patch management.
  • Unassigned Computers: Contains every managed device belonging to the All Computers Microsoft patch approval group and no others. Devices are automatically put in this group when a Windows Update Agent Policy is first applied. They will remain there until they are moved to another approval group.

A device can only belong to one Microsoft patch approval group in addition to the All Computers approval group.

Why Use a Microsoft Patch Approval Group?

Use Microsoft patch approval groups for testing patches, restricting installation of patches, and controlling the installation of patches.

Approval groups can also be used to set up automatic approval. See Automatically Approving Microsoft Patches for an Approval Group.

Although creating your own approval groups is optional, they ease management because you work with larger numbers of similar devices at one time. They also simplify keeping a standard update level across your client base, so technicians are always working on similarly updated operating systems and applications.

What You Can Do

You can:

  • Create a Microsoft patch approval group to apply patches to a subset of All Computers.
  • Move devices between approval groups.
  • Set up automatic approval for specific approval groups.
  • Apply different Microsoft patch approval settings for each approval group.
  • Delete an approval group you no longer use.

Don't use automatic approval for higher risk devices. The time it takes to manage patches is minimal when using approval groups, so it isn't worth the risk.

Example 1

For example, you can create a Microsoft patch approval group called Critical Servers and another one called Workstations.

New Microsoft OS and application patches for the Critical Servers approval group can be set to Not Approved until you have tested them on non-production devices and confirmed their quality.

New Microsoft OS and application patches for the Workstations approval group can be set to Install.

Example 2

If you have an approval group that contains a server running Windows Server 2012, a server running Windows 2016 with Exchange 2016, and a Windows 10 desktop, and you approve an Exchange 2016 patch, only the system that needs the patch will install it.

Example 3

If you have a site where Internet Explorer 11 is installed and you don't want to patch it, you can create an approval group called "Do not approve IE11", move the affected patch-managed devices into this approval group, and never approve IE11 for that approval group.

Example 4

You can use approval groups to control the installation of .NET patches. Devices sometimes have problems after installing .NET updates. When you want to install .NET patches, you can move selected devices into a .NET Microsoft Patch approval group. When the installation is complete, you can verify that the devices have no problems and then move the devices out of the .NET approval group.

Creating a Microsoft Patch Approval Group

  1. In Service Center, click Patch Management > Settings > Approval Groups.
  2. Click Add.
  3. Type a name for the new approval group.
    Note: Approval group names cannot contain special characters ("~!@#$^&*()=+[]{}|:;',''<>/).
  4. Click Add.
    This approval group is empty. Next, you must move devices into this approval group.

Moving Devices into a Microsoft Patch Approval Group

Devices can only belong to the All Computers Microsoft patch approval group and one other Microsoft patch approval group.

| What If... | Then... |
| --- | --- |
| A device is moved into an approval group | The computer will end up with all the approved updates for that group. If they are installed, they won't be re-installed. If they are needed, they will be installed. |
| A device is moved into an approval group that does not allow installs for a patch it already has | It will not remove any updates that are already installed. |

  1. In Service Center, click Patch Management > Settings > Approval Groups.
  2. From the Approval Group list, select the approval group that contains the devices you want to move.
  3. Do one of the following:
    • To select one device at a time, select the check box that corresponds with each device you want to add to the approval group.
    • To select all the check boxes at once, select the check box at the top of the column.
  4. Click Move selected devices.
  5. From the drop-down list, select the approval group to which you want to move the devices.
  6. Click OK.
    The devices now belong to the All Computers Microsoft patch approval group and this approval group.

Deleting a Microsoft Patch Approval Group

When you delete a Microsoft patch approval group, all devices that were members of the group are automatically moved into the Unassigned Computers approval group.

You cannot delete the All Computers or the Unassigned Computers approval groups.

  1. In Service Center, click Patch Management > Settings > Approval Groups.
  2. From the Approval Group list, select the approval group that you want to delete.
  3. Click Delete.
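
The move and delete rules described above, as a small Python model that reports which patches a move installs and which already-installed patches stay on a device even though the new group does not approve them. This is an added illustration, not Barracuda RMM code or a product API; the class, the "Pilot" and "Hold" groups, the device names and the patch IDs are constructed, and the model assumes nothing is approved for Unassigned Computers.

```python
from dataclasses import dataclass, field
UNASSIGNED = "Unassigned Computers"  # default group named on this page

@dataclass
class Device:
    name: str
    applicable: set                                # patch IDs relevant to this device
    installed: set = field(default_factory=set)    # patch IDs already on the device

class ApprovalModel:
    """Hypothetical model; 'All Computers' membership is implicit for every device."""
    def __init__(self):
        self.approved = {UNASSIGNED: set()}  # group -> patch IDs approved for install
        self.group_of = {}                   # device name -> its one other group
        self.devices = {}

    def add_group(self, name, approved=()):
        self.approved[name] = set(approved)

    def add_device(self, dev):
        self.devices[dev.name] = dev
        self.group_of[dev.name] = UNASSIGNED  # where new devices start

    def move(self, dev_name, group):
        """Move a device; return (newly installed, installed but not approved here)."""
        dev = self.devices[dev_name]
        allowed = self.approved[group]
        self.group_of[dev_name] = group            # replaces the previous group
        to_install = (allowed & dev.applicable) - dev.installed
        dev.installed |= to_install                # needed and approved: installed
        kept = dev.installed - allowed             # a move never removes updates
        return sorted(to_install), sorted(kept)

    def delete_group(self, group):
        if group == UNASSIGNED:
            raise ValueError("default groups cannot be deleted")
        del self.approved[group]
        for name, current in self.group_of.items():
            if current == group:
                self.group_of[name] = UNASSIGNED   # members fall back to Unassigned

def demo():
    m = ApprovalModel()
    m.add_group("Pilot", {"KB-EXAMPLE-NET", "KB-EXAMPLE-EXCH"})  # constructed IDs
    m.add_group("Hold")                                          # nothing approved
    m.add_device(Device("exch01", {"KB-EXAMPLE-NET", "KB-EXAMPLE-EXCH"}))
    m.add_device(Device("ws01", {"KB-EXAMPLE-NET"}))
    results = [m.move("exch01", "Pilot"), m.move("ws01", "Pilot"), m.move("ws01", "Hold")]
    m.delete_group("Hold")
    return results, m.group_of
```

The second list returned by `move` is the one to review after moving a device into a restrictive group: those patches remain installed on the device.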