Automated Windows Updates Using Policies

Automate Patch Management Using Policies

Policies are used to automate patch management by selecting/deselecting Windows Update Categories; they can be approved/denied/deferred in the Policies tab on the Control Grid View.

Navigate to the Policies tab on the Control Grid view, select Create New Policy > Windows Policy. Go to the Windows Updates tab once the policy comes up.

Depending on the Update Mode selected (for more information on Update Modes, see Policy Update Mode) under the policy General Settings, Windows Update categories will be set to Automatically Install or Install Only if Approved.

The screenshot below shows all Windows Updates automatically installed (the Update Mode for this Policy is Semi-Automatic).

Alternatively, if the Manual Update Mode is selected (shown in the screenshot below), the following will appear in the Policy screen for Windows Updates.

Note that you can deselect the top three Windows Update Types (Critical Update, Security Update, and Definition Update); they are there by default.

Approve Categories

To approve a Windows Update Category and automatically install it on all computers using this Policy, select the box under the Automatically Install column beside the category name you want to approve (Security Update in this example).

Deny Categories

To deny a Windows Update Category, select the box under the Denied column beside the category name(s) you want to Deny (Critical, Security, Rollup, and Tools in this example).


The “Automatically Install” Deferral column is used to specify the number of days for the deferral. If set to 20 days, patches under that category will only install 20 days after release.

Note that the Automatic Install column needs to be checked and the "Automatically Install" Deferral Days need to be set for a deferral.

Install Only if Approved / Manual Approval

To manually approve or deny patches under a certain category, the boxes beside the category name under the columns Automatically Install and Denied should be unchecked.

Patches under these categories can then be manually approved or denied using the Windows Updates Control Grid.

Last updated