The approve/deny function under Patch Management has no effect on the workstation. This is because it does not know about the ITarian patch management server. Basically, the patch management feature is useless and cannot be used in an enterprise environment. I have given a lot of feedback in the past and I am fed up.
So this is what I have done in our environment.
- Disable the ability of the user to click on “Check for Updates” on the workstation by enabling the Group Policy setting under Computer Configuration\Administrative Templates\Windows Components\Windows Update\Remove access to use all Windows Update features.
- Created a Monitor that will disable the Windows Update service if it's running. Note that it's required because if you disable the service, then the “WaaS Medic” service feature will automatically enable it and do the Windows Update without your knowledge. So creating a monitor to keep disabling the Windows Update service is a must.
Now, when you really want to install the patch, do it with the help of a PROCEDURE. In that procedure, the very first step you need to do is ENABLE the Windows Update service and then perform the patching procedure. Make sure that you do this within a Maintenance Window and ensure the setting for “Disable Monitors” is enabled.
You can use the PowerShell module PSWindowsUpdate 2.2.0.3 from the PowerShell Gallery.
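The two pieces the post describes, written out as an added PowerShell example (this is not the poster's script and not ITarian's own monitor/procedure code): a monitor function that keeps the Windows Update service (`wuauserv`) disabled and stopped, and a procedure function that re-enables it, runs PSWindowsUpdate, and puts it back to Disabled afterwards. The function names, the `-AllowReboot` switch and the console logging are assumptions; the cmdlets (`Get-Service`, `Set-Service`, `Install-Module`, `Get-WindowsUpdate`) and the module version 2.2.0.3 are real.

```powershell
# Added example (not from the original post). Assumed names: Invoke-WindowsUpdateMonitor,
# Invoke-PatchProcedure. Requires an elevated PowerShell 5.1+ session.

$WuService = 'wuauserv'

# --- Monitor: run on a schedule. Returns $true when it had to put the service back. ---
function Invoke-WindowsUpdateMonitor {
    $svc     = Get-Service -Name $WuService -ErrorAction Stop
    $changed = $false

    # WaaS Medic will flip wuauserv back to enabled; force the baseline every run.
    if ($svc.StartType -ne 'Disabled') {
        Set-Service -Name $WuService -StartupType Disabled
        $changed = $true
    }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $WuService -Force -ErrorAction SilentlyContinue
        $changed = $true
    }
    if ($changed) {
        # Surfacing this in the monitor output lets you see how often WaaS Medic re-enabled it.
        Write-Output ("{0:u} {1} re-disabled on {2}" -f (Get-Date), $WuService, $env:COMPUTERNAME)
    }
    return $changed
}

# --- Procedure: run inside a Maintenance Window with "Disable Monitors" enabled. ---
function Invoke-PatchProcedure {
    param([switch]$AllowReboot)   # assumed switch: let PSWindowsUpdate reboot when required

    # Step 1: enable and start Windows Update so the module can talk to the WU agent.
    Set-Service -Name $WuService -StartupType Manual
    Start-Service -Name $WuService

    try {
        # Step 2: make sure PSWindowsUpdate 2.2.0.3 is present (from the PowerShell Gallery).
        if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
            Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
            Install-Module -Name PSWindowsUpdate -RequiredVersion 2.2.0.3 -Force -Scope AllUsers
        }
        Import-Module PSWindowsUpdate

        # Step 3: install all available updates; reboot behaviour chosen by the caller.
        if ($AllowReboot) {
            Get-WindowsUpdate -AcceptAll -Install -AutoReboot
        } else {
            Get-WindowsUpdate -AcceptAll -Install -IgnoreReboot
        }
    }
    finally {
        # Step 4: always restore the baseline, even if patching failed, so the monitor
        # does not find a running service the moment it is re-enabled.
        Stop-Service -Name $WuService -Force -ErrorAction SilentlyContinue
        Set-Service -Name $WuService -StartupType Disabled
    }
}

# Usage (run whichever piece the job is for):
#   Invoke-WindowsUpdateMonitor
#   Invoke-PatchProcedure -AllowReboot
```

One thing to keep in view with this approach: while the monitor holds `wuauserv` disabled, the workstation receives no updates at all, so the exposure window for unpatched vulnerabilities is exactly as long as the gap between runs of the procedure. Track the last successful `Invoke-PatchProcedure` run per machine and alert on endpoints that have missed a cycle, otherwise the monitor silently turns into a permanent "never patch" setting.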