First we are still running 5.1, can not update to 6 /K2 at this time due to other constraints.
When looking at our patch status for a specific customer earlier today I noticed that there were a *LOT* of patches missing denied, and typically the only patches that we've denied at our various clients in any patch approval policy are things like Windows Search service, and/or things of that nature, so there shouldn't be nearly that many denied patches. So investigating this issue, I found that for this particular machine group we are utilizing the "Default" patch approval policy which is specifically set to have a default approval status of "Approved". If I go look at the "Approval by Policy" for the default approval policy I see that I actually have 205 total patches in the "Pending Approval" state for this policy. This makes absolutely no sense since the default for this policy should be to automatically approve any new patches.
I see no rhyme or reason to it, as some of the latest patches to come out are properly automatically approved and others are set in this pending approval state. The other thing with this is that if I click on the "Pending Approval" heading to determine what patches are actually in this state, they all show "Pending Approval (Default Override)" for the status.... Does anyone have any clue what that actually means?
I went through the same headache a short while back.
When you're in the 'approval by policy' portion, Change the 'Policy View / Group By' drop down on the right hand side of the screen from "product" to "classification" or vice versa. Kaseya considers these groupings different even though they contain the same patches but are just sorted differently. Didn't make much sense to me at the time and still doesn't but I'm willing to bet you'll see that there are some groups there that show as 'pending approval' here. Change these to your auto-approve and you should be back on track.
You are exactly correct... Thanks for the tip. I agree that it doesn't make much sense, but at least I don't have to scratch my head wondering any more.
Thanks a lot.
Essentially, if there's a conflict between Classification Policy and Product Policy, the more restrictive will be applied i.e. denied over pending over approved. Same if you have multiple policies applied to a machine (which would be an admin nightmare!)
It would make a lot more sense if instead of adding (Default Override), they added (Classification Override) or (Product Override) and leave (Default Override) for the actual default overrides that can be set at the bottom of the main Approval By Policy page e.g. internet install only.
I guess if you want to control everything by Classification, set the default Product approval status to approved, or vice versa.