
Decline Patches

This feature is currently available for Windows and macOS. If you would like to decline patches on Linux systems as well, kindly let us know.

Overview

Declining patches is an important part of patch deployment. When patch management is automated, all the missing patches are downloaded and deployed to the target computers, so patches get deployed even though they might not be business critical. You will therefore have to choose to ignore patches that are not critical. Leaving some of the missing patches uninstalled will reflect on the system's health status: computers in your network might be rated as Highly Vulnerable or Vulnerable.

Not all patches necessitate deployment. There are cases where certain patches have to be excluded from your deployment list. Declining a patch results in the following:

  • When a patch is declined, it will not be considered as a missing patch.
  • It will not be counted when calculating the system's health status.
  • Patches that are declined will not be deployed via automated patch deployment.

Declining Patches to All Computers or Specific Group

You can choose to decline specific patches or all patches pertaining to a specific application. Patches can be declined for all computers or for a specific group of computers. A default group named "All Computers Group" is created by Endpoint Central. If you want to decline a specific patch for all computers, choose this group and decline the required patches. If you want some patches to be declined only for a specific group of computers, create separate custom groups (for example, groups based on OS or Remote Office) and decline the patches for those groups.

Here are a few examples of how decline patch works:

  1. Assume a specific patch, "Adobe Acrobat Reader DC 2022.003", has been declined for the "All Computers Group". That patch will not be considered a missing patch and will not be downloaded in the network. Computers will not be considered vulnerable, even if this patch is not installed.
  2. If a critical patch, "Chrome 23.1", is declined for specific custom groups, such as "Remote_Office1" and "Remote_Office2", then the patch will be downloaded and deployed to all computers where it is missing, except for the computers in those custom groups. If Chrome 23.1 is missing on any computer outside the specified custom groups, that computer might be rated as vulnerable, since a critical patch is missing.
  3. When a computer is added to the custom group "Remote_Office1", all the patches that are declined for that custom group will be considered declined for the newly added computer.
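
The three examples above can be expressed as set operations over group membership. The following Python example is an added illustration, not Endpoint Central code or its API; the computer names, data layout and function names are assumptions. Its "masked" set lists the uninstalled patches that a decline hides from the health status, which is the list to check when reviewing decline exceptions.

```python
ALL_COMPUTERS = "All Computers Group"  # default group named on this page

def declined_for(computer, groups, declines):
    """Union of the patches declined for every group the computer belongs to."""
    declined = set(declines.get(ALL_COMPUTERS, set()))
    for group, members in groups.items():
        if computer in members:
            declined |= declines.get(group, set())
    return declined

def evaluate(not_installed, groups, declines):
    """Split each computer's uninstalled patches into 'missing' (still counted
    and deployed by automation) and 'masked' (hidden by a decline)."""
    report = {}
    for computer, patches in not_installed.items():
        declined = declined_for(computer, groups, declines)
        report[computer] = {
            "missing": patches - declined,
            "masked": patches & declined,
        }
    return report

def add_to_group(groups, group, computer):
    """Example 3: a computer added to a group inherits that group's declines."""
    updated = {g: set(m) for g, m in groups.items()}
    updated.setdefault(group, set()).add(computer)
    return updated

# Constructed sample data; patch and group names are taken from the examples
# above, computer names are hypothetical.
GROUPS = {"Remote_Office1": {"pc-ro1-01"}, "Remote_Office2": {"pc-ro2-01"}}
DECLINES = {
    ALL_COMPUTERS: {"Adobe Acrobat Reader DC 2022.003"},
    "Remote_Office1": {"Chrome 23.1"},
    "Remote_Office2": {"Chrome 23.1"},
}
NOT_INSTALLED = {
    "pc-hq-01": {"Adobe Acrobat Reader DC 2022.003", "Chrome 23.1"},
    "pc-ro1-01": {"Chrome 23.1"},
    "pc-ro2-01": {"Adobe Acrobat Reader DC 2022.003"},
}

if __name__ == "__main__":
    for name, state in sorted(evaluate(NOT_INSTALLED, GROUPS, DECLINES).items()):
        print(name, "missing:", sorted(state["missing"]),
              "masked:", sorted(state["masked"]))
```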

Follow the steps below to decline patches and applications:

  1. Click the Patch Mgmt tab on the product console.

  2. Click the Decline Patch link available under Settings.

  3. Click "Select Group and Decline Patches".

  4. Select All Computers Group if you want the patch to be declined for all the managed computers; otherwise choose or create a specific group that contains the required targets.

  5. Add a description if required.

  6. Choose patches based on KB Number, Bulletin, Patch ID, Application or Platform.

  7. Select the patches or applications that need to be declined.

  8. Click Save to save the changes.

If you want to revoke the declined patches, you can edit them by selecting Actions against the custom group name.

You have successfully declined patches for the group. Patches that are declined will no longer be reflected in the system health status or counted as missing patches.

 

