Patch policy

A patch policy is a group of patches that you want to install on SA managed servers. All patches in a patch policy must apply to the same Windows operating system.

A patch policy provides broad flexibility for distributing patches. For example, you can create a patch policy that contains security patches that you want to distribute only to servers used by your sales force. You can also create a patch policy that contains security patches that are applicable to specific software that is already installed on a server, such as Exchange Server, Internet Information Services (IIS), SQL Server, and so on. Or, you can create a patch policy that includes all patches ranked as critical by Microsoft and then install them on all servers that are used by everyone in your organization.

Note
If you do not want to create a patch policy, you can use the vendor-recommended set of patches (by operating system) as a default patch policy. If you are working in WSUS patching mode, enable the Recommended binaries import option. In Offline Catalog mode, SA retrieves the recommended set of patches from the wsusscn2.cab file.

You can attach as many patch policies as you want to servers or groups of servers. If several policies are attached to one server, the installation logic is cumulative—all patches listed in all attached policies will be installed on the server. The Remediate window allows you to select an individual patch policy to remediate. You do not have to remediate all policies attached to a server. You cannot nest patch policies.

If a description of the patch policy is defined, it is recorded in the server’s patched state in the Model Repository. This information enables Patch Management to report on patch policies for patch compliance purposes. The patch compliance process compares patch policies with corresponding patch policy exceptions.

Windows Patch Management supports the following types of patch policies:

  • User-defined patch policy: This type of patch policy allows you to specify the patches you want in the policy. A user-defined patch policy can be edited or deleted by a user who has the required permissions.

    This type of patch policy allows a policy setter to opt out of patches. The policy setter can create a user-defined patch policy that is a subset of all available patches that are in a vendor-recommended patch policy. This enables the policy setter to apply only those patches that their environment needs.

  • Vendor-recommended patch policy: Depending on your selected patching mode, the list of recommended patches is retrieved on a server-by-server basis either by WSUS or from the wsusscn2.cab file. Vendor-recommended patch policies are system defined and cannot be edited or deleted by a user.

Note
You can only export user-defined patch policies. You cannot export vendor-recommended patch policies.

Patch policies have the following characteristics:

  • All patches in a patch policy must apply to the same operating system.
  • A patch policy is associated with an operating system version.
  • A patch policy has a name and can (optionally) include a description that explains its purpose.
  • A patch policy can be either user-defined or vendor-defined.
  • A patch policy does not have sub-policies. There is no inheritance.
  • A patch policy is Customer Independent, which means that patches in the policy can be installed on any managed server, no matter what customer is associated with it. See the SA 10.51 Use section.
  • A patch policy is always public.
  • A patch policy can be attached to zero or more servers or public device groups.
  • More than one patch policy can be attached to a server or public device group.
  • Only user-defined patch policies can be created, edited, and deleted by a user who has permissions.
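The following Python model is an added example and is not SA code; it illustrates the rules listed above (one operating system per policy, cumulative installation across attached policies, no nesting, read-only vendor-defined policies) and the compliance comparison against patch policy exceptions. The Patch, PatchPolicy and Server classes, the KB-EXAMPLE identifiers and the assumption that an exception simply removes a patch from a server's required set are all constructed for this illustration.

```python
"""Toy model of the patch-policy rules above (added example, not SA's own code).

Assumptions not taken from the documentation: a patch is identified by a
constructed KB-style string plus the Windows version it applies to, and a
"patch policy exception" excludes one patch from a server's compliance check.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Patch:
    kb: str   # constructed identifier, e.g. "KB-EXAMPLE-1"
    os: str   # Windows version the patch applies to


@dataclass
class PatchPolicy:
    name: str
    os: str                       # the single OS version the policy is associated with
    patches: frozenset            # set of Patch
    vendor_defined: bool = False  # vendor-recommended policies are read-only
    description: str = ""         # optional; recorded for compliance reporting

    def __post_init__(self):
        # Rule: all patches in a policy must apply to the same operating system.
        wrong_os = sorted(p.kb for p in self.patches if p.os != self.os)
        if wrong_os:
            raise ValueError(f"patches not for {self.os}: {wrong_os}")

    def replace_patches(self, patches):
        # Rule: only user-defined policies can be edited.
        if self.vendor_defined:
            raise PermissionError(f"{self.name} is vendor-defined and cannot be edited")
        self.patches = frozenset(patches)
        self.__post_init__()


@dataclass
class Server:
    name: str
    os: str
    policies: list = field(default_factory=list)  # zero or more attached policies, no nesting
    installed: set = field(default_factory=set)   # Patch objects present on the server
    exceptions: set = field(default_factory=set)  # patch policy exceptions for this server

    def attach(self, policy):
        # A policy for another Windows version cannot apply to this server.
        if policy.os != self.os:
            raise ValueError(f"{policy.name} targets {policy.os}, server runs {self.os}")
        self.policies.append(policy)


def required_patches(server, policy_names=None):
    """Cumulative installation logic: the union of every attached policy.

    policy_names lets the caller remediate a single policy, as the Remediate
    window allows, instead of all attached policies.
    """
    selected = [p for p in server.policies
                if policy_names is None or p.name in policy_names]
    required = set()
    for policy in selected:
        required |= policy.patches
    return required


def missing_patches(server):
    """Compliance check: required patches, minus exceptions, minus what is installed."""
    return required_patches(server) - server.exceptions - server.installed


def build_example():
    """Constructed sample data: one user-defined and one vendor-defined policy."""
    os_name = "Windows Server 2019"
    kb1, kb2, kb3, kb4 = (Patch(f"KB-EXAMPLE-{i}", os_name) for i in (1, 2, 3, 4))
    sales = PatchPolicy("sales-security", os_name, frozenset({kb1, kb2}),
                        description="security patches for sales-force servers")
    critical = PatchPolicy("vendor-critical", os_name, frozenset({kb2, kb3, kb4}),
                           vendor_defined=True)
    srv = Server("sales-web-01", os_name)
    srv.attach(sales)
    srv.attach(critical)
    srv.installed.add(kb1)    # already patched
    srv.exceptions.add(kb4)   # excluded by a patch policy exception
    return srv, sales, critical


if __name__ == "__main__":
    srv, _, _ = build_example()
    print(sorted(p.kb for p in missing_patches(srv)))
```

Because the two attached policies overlap on one patch, the union has four entries rather than five; the compliance result then drops the excepted patch and the one already installed, leaving two patches to remediate.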