I have a number of machines that are in a patch policy set to auto approve for most security updates. All new patches are getting auto approved and applied to the machine based on the schedule I set. The problem I have is that there are a ton of old patches sitting in the pending approval column all dating back to before a full update was run on the machines. I'm certain that the machines in the patch policy don't need these patches. I want to clear them down so that this column reads 0 unless there is a new patch that is waiting to be approved. Does anyone know the best way of doing this?
I'll stand corrected but as far as I am aware unfortunately the only way to do this is to work your way through the list. You'll need to do it on each individual classification too, as if you try to load all 3k your browser/kserver will spit out its dummy and throw up errors. I find it's quicker if you don't have any machines with the policy applied to it. If you do, create a duplicate, then make the changes to the empty policy and then apply, then either copy the settings back to the original policy or apply the new policy to the machines.
You're probably right in saying the machines don't need these patches but it'll do odd things to your patch scores if they're all denied.
Hope this makes some sense.
Alistair is correct in saying that you will need to process them if you don't want them to show in the Pending Approval column. The patches show because at least one machine in your environment is reporting the patch as needed. That's determined during patch scan. The scan invokes the Windows Update Agent (WUA) on the endpoint to communicate with Microsoft's patching servers to determine the missing applicable patches for the endpoint. The results are parsed by the KServer and presented to you for management in the VSA. When all machines 'needing' the patch are removed from your environment, those patches that are no longer needed become hidden. The patches are listed in your VSA either because at least one machine is reporting the patch as needed and/or at least one machine actually has the patch installed. You should also consider whether there is a chance that at some point a machine will be introduced into your environment that is older and might report the need for the patches. Keep that in mind as you approve/deny the patches to ensure that any older machines that you attach to the VSA for the first time get only those patches you actually want to deploy in your environment.
Thanks for the reply, both of you. I've now run through all pending patches and set their status accordingly.