Patch Management
Patch Management provides centralized control over Windows Updates across all hosts. Instead of blindly installing all updates, you can use Patch Policies to precisely control which updates are automatically approved, manually reviewed, or blocked.
Concept
Update Categories
Windows Updates are classified by Microsoft into different categories. Each category serves a different purpose:
| Category | Description | Recommendation |
|---|---|---|
| Security Updates | Security patches that fix known vulnerabilities (CVEs). Critical for protection against attacks. | Approve |
| Critical Updates | Non-security fixes for critical bugs that affect stability or could cause data loss. | Approve |
| Definition Updates | Signature updates for Windows Defender and other security software. Published daily. | Approve |
| Update Rollups | Collections of multiple updates in one package. Often monthly cumulative updates. | Manual |
| Service Packs | Large update packages that bundle all previous patches (rare in modern Windows versions). | Manual |
| Feature Packs | New Windows features (e.g., .NET Framework versions, Windows features). May cause compatibility issues. | Deny |
| Drivers | Device driver updates via Windows Update (graphics, network, storage, etc.). Can overwrite existing driver configurations. | Deny |
| Tools | Diagnostic and maintenance tools from Microsoft (e.g., Malicious Software Removal Tool). | Manual |
| Updates | General non-security improvements and bug fixes. | Manual |
Severity Levels
Microsoft rates security updates by severity:
| Severity | Description |
|---|---|
| Critical | Vulnerability can be exploited without user interaction (e.g., worm propagation, remote code execution). Patch immediately! |
| Important | Vulnerability can compromise confidentiality, integrity, or availability (e.g., privilege escalation, data theft). |
| Moderate | Impact is mitigated by factors such as authentication requirements or unusual configurations. |
| Low | Minimal risk, difficult to exploit or with limited impact. |
| Unspecified | No severity level assigned by Microsoft (common for non-security updates). |
Approval Status
Each pending update receives an approval status based on the applicable Patch Policy:
| Status | Meaning |
|---|---|
| Approved | Update may be installed. Will be automatically installed with "Install Approved". |
| Denied | Update is blocked and will not be installed. |
| Manual | Update must be manually approved or denied. Will be skipped during "Install Approved". |
Patch Policies
Policy Hierarchy
Policies are resolved hierarchically. The most specific policy wins:
- Group - Policy assigned to a host group (highest priority)
- Customer - Policy assigned to a customer
- Global Default - The default policy (lowest priority, always present)
Example
A Windows host belongs to the group "Production Servers" and the customer "ACME Inc.". If the group has its own Patch Policy, it applies. Otherwise, the customer policy is checked. If no customer policy exists either, the global Default Policy applies.
OS Filter (Workstation/Server)
Each policy can be restricted to a specific operating system type:
| Filter | Description |
|---|---|
| All | Policy applies to all Windows hosts (default) |
| Workstations | Policy applies only to Windows Workstations (Windows 10/11) |
| Server | Policy applies only to Windows Server (including Domain Controllers) |
This enables different patch strategies for servers and workstations. Example: approve driver updates on workstations but block them on servers.
Approval Resolution
For each individual update, the approval status is determined in the following priority:
- Blocked KBs - Is the KB number on the blocklist? → Denied (highest priority)
- Approved KBs - Is the KB number on the approval list? → Approved
- Category Rule - Is there a rule for the update category? → Approve/Deny
- Severity Rule - Is there a rule for the severity level? → Approve/Deny
- Fallback → Manual
Default Policy
A Default Policy is automatically created during initial setup:
Severity Rules:
- Critical: Approve
- Important: Approve
- Moderate: Manual
- Low: Manual
- Unspecified: Manual
Category Rules:
- Security Updates: Approve
- Critical Updates: Approve
- Definition Updates: Approve
- Update Rollups: Manual
- Drivers: Deny
- Feature Packs: Deny
- Service Packs: Manual
- Tools: Manual
- Updates: Manual
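To make the three mechanisms above concrete (the Group > Customer > Global Default hierarchy, the OS filter, and the Blocked KBs > Approved KBs > Category > Severity > Manual resolution order), here is a small model written for this page. It is an added example, not the product's own code, and it is seeded with the Default Policy rules exactly as listed. All hosts, group/customer policies and KB numbers other than KB5034441 are constructed sample data. Two points are assumptions, because the page does not spell them out: a policy whose OS filter does not match the host is skipped and the next level of the hierarchy is consulted, and a category or severity rule set to Manual does not decide by itself but falls through to the next stage (so Manual is always the result of the final fallback).

```python
# Added example, not the product's own code: a model of the policy hierarchy,
# the OS filter and the per-update approval resolution described above, seeded
# with the rules of the Default Policy. Hosts, groups and updates are
# constructed sample data.
from dataclasses import dataclass, field
from typing import Optional

APPROVE, DENY, MANUAL = "Approve", "Deny", "Manual"
DECISION = {APPROVE: "Approved", DENY: "Denied"}  # rule value -> approval status


@dataclass
class PatchPolicy:
    name: str
    os_filter: str = "All"  # All | Workstations | Server
    severity_rules: dict = field(default_factory=dict)  # severity -> rule
    category_rules: dict = field(default_factory=dict)  # category -> rule
    blocked_kbs: set = field(default_factory=set)
    approved_kbs: set = field(default_factory=set)

    def applies_to(self, os_type: str) -> bool:
        return self.os_filter in ("All", os_type)


@dataclass
class WindowsHost:
    hostname: str
    customer: str
    os_type: str  # Workstations | Server
    group: Optional[str] = None


@dataclass
class WindowsUpdate:
    kb: str
    severity: str  # Critical | Important | Moderate | Low | Unspecified
    categories: tuple  # an update may carry more than one category


# The Default Policy as listed on the page.
DEFAULT_POLICY = PatchPolicy(
    name="Default",
    severity_rules={"Critical": APPROVE, "Important": APPROVE,
                    "Moderate": MANUAL, "Low": MANUAL, "Unspecified": MANUAL},
    category_rules={"Security Updates": APPROVE, "Critical Updates": APPROVE,
                    "Definition Updates": APPROVE, "Update Rollups": MANUAL,
                    "Drivers": DENY, "Feature Packs": DENY,
                    "Service Packs": MANUAL, "Tools": MANUAL, "Updates": MANUAL},
)


def resolve_policy(host, group_policies, customer_policies):
    """Group > Customer > Global Default. Assumption: a policy whose OS filter
    does not match the host is skipped and the next level is consulted."""
    for key, table in ((host.group, group_policies), (host.customer, customer_policies)):
        policy = table.get(key) if key else None
        if policy is not None and policy.applies_to(host.os_type):
            return policy
    return DEFAULT_POLICY


def resolve_approval(policy, update):
    """Blocked KBs > Approved KBs > category rule > severity rule > Manual.
    Assumption: only an Approve/Deny rule decides; a Manual rule falls through
    to the next stage, so the final fallback is what yields Manual."""
    if update.kb in policy.blocked_kbs:
        return "Denied"
    if update.kb in policy.approved_kbs:
        return "Approved"
    for category in update.categories:
        rule = policy.category_rules.get(category)
        if rule in DECISION:
            return DECISION[rule]
    rule = policy.severity_rules.get(update.severity)
    if rule in DECISION:
        return DECISION[rule]
    return "Manual"


def approval_for(host, update, group_policies, customer_policies):
    """Return (policy name, approval status) for one update on one host."""
    policy = resolve_policy(host, group_policies, customer_policies)
    return policy.name, resolve_approval(policy, update)


# Constructed sample policies: a server-only group policy that blocks one KB
# and denies rollups, and a workstation-only customer policy that allows drivers.
GROUP_POLICIES = {
    "Production Servers": PatchPolicy(
        name="Production Servers - Conservative", os_filter="Server",
        severity_rules=dict(DEFAULT_POLICY.severity_rules),
        category_rules={**DEFAULT_POLICY.category_rules, "Update Rollups": DENY},
        blocked_kbs={"KB5034441"},
    ),
}
CUSTOMER_POLICIES = {
    "ACME Inc.": PatchPolicy(
        name="ACME Workstations", os_filter="Workstations",
        severity_rules=dict(DEFAULT_POLICY.severity_rules),
        category_rules={**DEFAULT_POLICY.category_rules, "Drivers": APPROVE},
        approved_kbs={"KB9999999"},  # constructed placeholder KB number
    ),
}

if __name__ == "__main__":
    srv = WindowsHost("srv01", "ACME Inc.", "Server", group="Production Servers")
    ws = WindowsHost("ws01", "ACME Inc.", "Workstations", group="Production Servers")
    driver = WindowsUpdate("KB1111111", "Important", ("Drivers",))  # constructed
    for host in (srv, ws):  # the server hits the group policy, the workstation falls to the customer policy
        print(host.hostname, driver.kb, approval_for(host, driver, GROUP_POLICIES, CUSTOMER_POLICIES))
```

The workstation in the sample belongs to the same group as the server but is resolved to the customer policy, because the group policy carries the Server OS filter; that is exactly the "different patch strategies for servers and workstations" case from the OS Filter section. The blocklist check sits first, so KB5034441 is Denied on the server even though its categories and severity would otherwise approve it.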
Recommendation
The Default Policy is intentionally configured conservatively. Security updates are automatically approved, while drivers and feature packs are blocked to prevent unwanted changes.
Creating a Policy
- Navigate to Windows → Patch Management → Policies
- Click New Policy
- Configure:
  - Name - Descriptive name (e.g., "Production Servers - Conservative")
  - Target - Customer or group (or empty for an additional global policy)
  - OS Filter - All, Workstations, or Server
  - Severity Rules - Approve/Deny/Manual per severity level
  - Category Rules - Approve/Deny/Manual per category
  - Blocked KBs - Block individual KB numbers
  - Approved KBs - Manually approve individual KB numbers
  - Reboot Policy - Restart behavior after installation
  - Auto-Install - Automatically install approved updates at next schedule
- Click Save
Blocking a KB
Individual updates can be blocked regardless of severity and category:
- Open the policy in the editor
- Enter the KB number (e.g., KB5034441)
- Click the block button
- The update is immediately marked as "Denied"
This is useful when a specific update causes problems (e.g., Blue Screen, compatibility issues).
Manually Approving a KB
Updates with "Manual" status can be approved directly from the Updates overview:
Via the Updates Table:
- Navigate to Windows → Patch Management → Updates
- Find the update with "Manual" status
- Click the green checkmark icon in the Action column
- The update is immediately marked as "Approved"
Via the Policy:
- Open the policy in the editor
- Add the KB number under Manually Approved KBs
- Save the policy
Per-Host Approval
In the detail modal of a Windows host (tab Windows Updates), updates with "Manual" status can also be directly approved or blocked.
Global Updates Overview
The view Windows → Patch Management → Updates shows all pending Windows Updates across all hosts, aggregated by KB number.
Summary
Key metrics are displayed at the top:
- Total Hosts - Number of all Windows hosts
- With Updates - Hosts with pending updates
- Approved - Approved updates
- Manual - Updates requiring manual review
- Denied - Blocked updates
Updates Table
| Column | Description |
|---|---|
| Status | Approval status (Approved/Denied/Manual) with colored badge |
| KB | Microsoft KB number |
| Title | Full update name |
| Severity | Severity level with colored badge |
| Category | Update category/categories |
| Hosts | Number of affected hosts (clickable for details) |
| Action | Approve/Deny buttons for updates with "Manual" status |
Filters
- Approved / Manual / Denied / All - Filter by approval status
- Search field - Search by KB number or title
Install Approved
The Install Approved button creates update tasks on all hosts that have approved updates pending. Only KBs marked as "Approved" will be installed - not all updates.
Compliance
The view Windows → Patch Management → Compliance shows the patch status per host:
| Status | Meaning |
|---|---|
| 🟢 Green | No pending approved updates |
| 🟡 Yellow | 1-4 pending approved updates |
| 🔴 Red | 5 or more pending approved updates |
Per host, the following is displayed:
- Hostname and customer
- Number of pending approved updates
- Install button for immediate installation
Reboot Policy
The reboot policy in the Patch Policy controls the restart behavior after update installation:
| Policy | Behavior |
|---|---|
| Never | No automatic restart. Updates requiring a reboot will only take effect after a manual restart. |
| When Required | The agent checks after installation whether Windows requests a restart. Only then is a reboot scheduled, 60 seconds after the check. |
| Always | After every update installation, the system is automatically restarted regardless of whether a reboot is required. |
Caution with "Always"
The "Always" reboot policy restarts the server immediately after every update installation. Only use this setting for hosts where an unplanned restart is acceptable.
Per-Host Updates
In the detail modal of a Windows host, the Windows Updates sub-tab additionally shows:
- Approval Status per update (Approved/Denied/Manual badge)
- Policy Name - Which Patch Policy applies to this host
- Install Approved - Button to install all approved updates on this individual host
MCP Integration
Patch Management is also available via the MCP Server:
| Tool | Description |
|---|---|
| get_windows_updates | Global update overview with approval status |
| install_approved_updates | Install approved updates on a host |
See MCP (AI Integration) for details.