Patch policy exception

A patch policy exception identifies a single patch that you want to explicitly include on or exclude from a specific managed server, along with an optional reason for the exception. The patch in a patch policy exception must apply to the same Windows operating system that the established patch policy is attached to.

A patch policy exception allows you to deviate from an established patch policy, that is, one that is already attached to a server or a group of servers. You do this by adding individual patches to a server or deselecting them from it. Because patch policy exceptions override all patch policies attached to a server, you can use them to intentionally deviate from a patch policy on a server-by-server basis.

If a reason for a patch policy exception is defined, the description is recorded in the server’s patched state in the Model Repository. This information enables SA to report on patch policy exceptions for patch compliance purposes. The patch compliance results explain how patch policy exceptions compare with corresponding established patch policies. All users who have access to the managed server can view its attached patch policy exceptions.

Windows Patch Management supports the following types of patch policy exceptions:

  • Always Installed: The patch should be installed on the server, even if the patch is not in the policy.
  • Never Installed: The patch should not be installed on the server, even if the patch is in the policy.

Note
If you ever need to override a patch policy exception, you can manually install a patch.

The following information summarizes characteristics of a patch policy exception:

  • A patch policy exception can (optionally) include a description that explains its purpose.
  • A patch policy exception can have a rule value of Never Installed or Always Installed.
  • A patch policy exception can be set for one patch and one server of the same operating system version. If a patch policy exception is set for a public device group and a server in that group does not match the operating system version specified in the patch policy exception, the patch policy exception is not applied.
  • A patch policy exception can be set, copied, and removed by users who have the required permissions.
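
The override rules above, modeled as an added example (this is not SA code and does not use its API). The names `effective_patches` and `PatchException`, and the sample patch and OS identifiers, are hypothetical; treating the attached policies as one combined set of patch names is an assumption.

```python
from dataclasses import dataclass

ALWAYS, NEVER = "Always Installed", "Never Installed"

@dataclass(frozen=True)
class PatchException:
    patch: str        # constructed sample patch name
    os_version: str   # OS version the exception's patch applies to
    rule: str         # ALWAYS or NEVER
    reason: str = ""  # optional description, kept for compliance reporting

def effective_patches(server_os, policy_patches, exceptions):
    """Return (patch names expected on the server, per-exception audit notes).

    Assumption: policy_patches is the combined set of patch names from every
    policy attached to the server.
    """
    expected = set(policy_patches)  # copy so the caller's set is untouched
    notes = []
    for exc in exceptions:
        if exc.rule not in (ALWAYS, NEVER):
            raise ValueError(f"unknown rule for {exc.patch}: {exc.rule!r}")
        # An exception inherited from a device group is not applied when the
        # server's OS version differs from the one the exception specifies.
        if exc.os_version != server_os:
            notes.append((exc.patch, "not applied: OS version mismatch"))
            continue
        if exc.rule == ALWAYS:
            expected.add(exc.patch)      # wanted even if no policy lists it
        else:
            expected.discard(exc.patch)  # excluded even if a policy lists it
        notes.append((exc.patch, f"{exc.rule}: {exc.reason or 'no reason given'}"))
    return expected, notes

if __name__ == "__main__":
    # Constructed sample data.
    policy = {"PATCH-A", "PATCH-B"}
    exceptions = [
        PatchException("PATCH-B", "Windows Server 2019", NEVER, "breaks legacy app"),
        PatchException("PATCH-C", "Windows Server 2019", ALWAYS),
        PatchException("PATCH-D", "Windows Server 2016", ALWAYS, "group-level exception"),
    ]
    expected, notes = effective_patches("Windows Server 2019", policy, exceptions)
    print(sorted(expected))
    for patch, note in notes:
        print(patch, "->", note)
```

An exception without a reason still takes effect; the audit note records that none was given, which is the gap a compliance review would want to chase.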