Policies automate patch management by selecting or deselecting Windows Update Categories; each category can be approved, denied, or deferred in the Policies tab on the Control Grid View.
Navigate to the Policies tab on the Control Grid view and select Create New Policy > WindowsPolicy. Go to the Windows Updates tab once the policy comes up.
Depending on the Update Mode selected under the policy General Settings, Windows Update categories will be set to Automatically Install or Install Only if Approved (for more information on Update Modes, see Policy Update Mode).
The screenshot below shows all Windows Updates automatically installed (the Update Mode for this Policy is Semi-Automatic).
Semi-Automatic Update Mode - All Windows Updates are automatically installed
Alternatively, if the Manual Update Mode is selected (shown in the screenshot below), the following will appear in the Policy screen for Windows Updates.
Note that you can deselect the top three Windows Update Types (Critical Update, Security Update, and Definition Update); they are selected by default.
Manual Update Mode - Only 3 Windows Updates are automated
To approve a Windows Update Category and automatically install it on all computers using this Policy, select the box under the Automatically Install column beside the category name you want to approve (Security Update in this example).
Approve the Security Update Category for automatic install
To deny a Windows Update Category, select the box under the Denied column beside the category name(s) you want to Deny (Critical, Security, Rollup, and Tools in this example).
Critical, Security, Rollup, and Tools Categories denied in this Policy
The "Automatically Install" Deferral column is used to specify the number of days for the deferral. If set to 20 days, patches under that category will only install 20 days after release.
Note that for a deferral, the Automatically Install column needs to be checked and the "Automatically Install" Deferral Days need to be set.
Security Update Automatic Deferral for 20 days
Install Only if Approved / Manual Approval
To manually approve or deny patches under a certain category, the boxes beside the category name under the columns Automatically Install and Denied should be unchecked.
Install unchecked Windows Updates Categories only if approved manually
Patches under these categories can then be manually approved or denied using the Windows Updates Control Grid.