Patch Approval
Ankit Kumar
Last Update 18 days ago
The Patch Approval Workflow in SecOps Solution gives you control over which patches are allowed to deploy across your environment. Instead of letting every detected missing patch deploy automatically, you can require explicit approval, set auto-approval delays, or block declined patches entirely, all configurable at a global level and fine-tuned per policy.
This article explains how the workflow operates, how to configure it, and what happens to patches under different approval states.
Configuring Approval Settings
To manage the global approval settings:
1. Go to Settings → Configurations.

Patch Approval
Enable or disable patch approval globally. When disabled, all patches deploy normally regardless of their approval status.
Allow Deployment of Non-Declined Patches
When enabled, all patches are deployed except those you have explicitly declined.
Use this setting when you want a review process: you review incoming patches and decline the ones you don't want, while everything else flows through normally.
Allow Deployment of Only Approved Patches
When enabled, only approved patches are deployed. All other patches are blocked.
Use this when you want strict control — no patch is deployed unless it has been explicitly approved.
> Note: Both modes can be enabled simultaneously. A patch will be deployed if it is not Declined.
> Important: If both modes are turned off, patch approval is effectively disabled.
How It Works
When Patch Approval is enabled, every missing patch on your devices is assigned an approval status:
- Not Approved — Default state. The patch has been detected but no approval decision has been made yet.
- Approved — The patch has been explicitly approved, either manually or automatically by a policy.
- Declined — The patch has been explicitly declined. It will be blocked from deployment based on your settings.
Important: Approving a patch does not automatically deploy it. You still need a patch policy configured to deploy approved patches. The approval status simply determines which patches are eligible when a policy or manual deployment runs.
Viewing Patches and Their Approval Status
To see the current approval state of all missing patches in your environment:
1. Go to Products → Patch Management.
2. Click the Approvals tab.

Approving, Declining, and Resetting Patches
To take action on one or more patches:
- Decline — Mark the selected patches as Declined. They will be blocked from deployment.
- Reset — Clear the approval decision and return the patch to Not Approved state.
Approval Mode in Patch Policies
Each patch policy includes a Patch Approval section that controls how the policy handles patch approval during deployment.
To configure this:
1. Go to Products → Patch Management → Policies.
2. Open an existing policy or create a new one.
3. Scroll to the Patch Approval section (located below Patch Configuration).
4. Set the Approval Mode using the dropdown.

The available approval modes are:
Deploy Non-Declined Patches
The policy will deploy all patches except those you have explicitly declined.
Use this for a balanced approach — block only known problematic patches, while allowing everything else to deploy.
Deploy Approved Patches Only
The policy will only deploy patches that have an Approved status. Patches in the Not Approved or Declined state are excluded from the deployment.
Use this when you want the strictest control and patches must be explicitly approved before this policy will touch them.
Auto-Approval via Policy
Policies can be configured to automatically approve the patches they deploy, based on a delay you define. This is useful when you want different stability windows for different device groups.
To configure policy-level auto-approval:
1. Go to the policy's Patch Approval section.
2. Enable Auto-Approve Patches.
3. Set the Auto-Approve Delay (Days).
Deployment Scenarios
Scenario 1: Block only specific patches (lightweight control)
Goal: Let most patches deploy freely, but block known-problematic ones.
Global Settings:
- Patch Approval Workflow: Enabled
- Allow Deploy Non-Declined Patches: On
- Allow Deploy Only Approved Patches: Off
Policy Approval Mode: Deploy Non-Declined Patches
How it works: All patches deploy unless you explicitly decline them. Go to the Approvals tab and decline any patch that is known to cause issues. Everything else flows through without requiring individual approval.
Scenario 2: Strict approval required before any deployment
Goal: No patch deploys unless an admin has explicitly approved it.
Global Settings:
- Patch Approval Workflow: Enabled
- Allow Deploy Non-Declined Patches: Off
- Allow Deploy Only Approved Patches: On
Policy Approval Mode: Deploy Approved Patches Only
How it works: All patches start in the Not Approved state and are blocked. Admins must approve patches from the Approvals tab before they are eligible for deployment. Declined patches are also blocked.
Scenario 3: Immediate auto-approval for a trusted QA group
Goal: Patches deployed to a QA environment should be auto-approved as soon as they are confirmed installed, so they can flow immediately to production policies.
Patch Approval (QA Policy):
- Approval Mode: Deploy all non-declined patches
- Auto-Approve: Automatically approve these patches
- Approval timing: Immediately
How it works: As soon as all QA devices confirm the patch as installed, it is immediately marked Approved. Your production policies, which may be set to deploy approved patches only, will then pick up those patches on their next run without any manual intervention.
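The staged flow in Scenario 3, modelled as an added example (not SecOps Solution code or its API): it applies the two policy approval modes and the auto-approve delay to one patch and shows that a Declined patch never reaches production through auto-approval. The class and function names are hypothetical, and counting the delay from the date all policy devices confirm the install is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

class Status(Enum):
    NOT_APPROVED = "Not Approved"
    APPROVED = "Approved"
    DECLINED = "Declined"

class Mode(Enum):
    NON_DECLINED = "Deploy Non-Declined Patches"
    APPROVED_ONLY = "Deploy Approved Patches Only"

@dataclass
class Policy:                      # hypothetical model of a patch policy
    name: str
    mode: Mode
    auto_approve: bool = False
    delay_days: int = 0            # 0 models "Approval timing: Immediately"

def eligible(status, policy, workflow_enabled=True):
    """True if a run of this policy may deploy a patch in this status."""
    if not workflow_enabled:       # workflow disabled: status is ignored
        return True
    if policy.mode is Mode.APPROVED_ONLY:
        return status is Status.APPROVED
    return status is not Status.DECLINED

def auto_approve(status, policy, installed_on, today):
    """Status after the policy's auto-approval check.

    installed_on is the date every device in the policy confirmed the
    install (None if not yet). Delay start date is an assumption.
    """
    if not policy.auto_approve or installed_on is None:
        return status
    if status is Status.DECLINED:  # this policy never deployed it
        return status
    if today >= installed_on + timedelta(days=policy.delay_days):
        return Status.APPROVED
    return status

def staged_rollout(status, qa, prod, qa_installed_on, today):
    """QA run, auto-approval check, then production eligibility."""
    qa_ok = eligible(status, qa)
    # A patch QA did not deploy cannot be confirmed installed by QA.
    confirmed = qa_installed_on if qa_ok else None
    status = auto_approve(status, qa, confirmed, today)
    return qa_ok, status, eligible(status, prod)

QA = Policy("QA", Mode.NON_DECLINED, auto_approve=True, delay_days=0)
PROD = Policy("Production", Mode.APPROVED_ONLY)
```

Setting delay_days to a non-zero value on the QA policy models a stability window before production picks the patch up.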
