Automatic Approval Rules
Automatic patch approvals let you download and install common or critical patches as soon as they are detected, without manual review.
You can tailor automatic approvals to meet different customer needs. For example:
- One customer may choose to automatically install all Microsoft patches except device drivers and tools on laptops and workstations.
- Another customer may prefer a more cautious approach and automatically install only Microsoft Critical and Security updates, while reviewing other patches manually.
When adding or editing approval rules, you can specify the following filters:
- KB (Knowledge Base): Identifies a Microsoft patch. Each KB number links to a Microsoft support article and can be used to filter and approve specific patches. Enter exact KB numbers only (no partial values). Leave the field blank to ignore this filter. To enter multiple KB numbers, separate them with a semicolon.
- Keywords: Filters patches based on words in the patch title. Leave the field blank to ignore this filter. To enter multiple keywords, separate them with a semicolon.
- CVSS score: Filters patches by vulnerability severity. You can specify a score range to show or approve patches that meet a defined risk threshold (for example, higher-severity vulnerabilities). Enter decimal values only.
After you add automatic approvals to rules, patching can take place without further input from you and without waiting for your review. For definitions of the approval types, see Approval Definitions.
By default, automatic approvals do not override existing approvals. They apply only to patches that have no current approval, that is, patches with a status of No Approval. You can choose to override existing approvals if required.
To override an existing approval rule:
- Select Configuration > Patch Management.
- Select Automatic Approvals.
- Select the check box for the rule, then select Run Rule Now and Clear and Re-evaluate.
This will clear any existing approvals and replace them with the rule you are running.
When you approve a patch, the approval is processed in the background and may take time to complete. As a result, the N-able N-central screen may not immediately reflect your selection.
If Microsoft re‑issues a patch, Patch Management retains the existing approval status. This ensures that your defined approvals remain in effect without requiring you to re‑select or reset them.
To create automatic approvals, ensure that at least the following role permissions are assigned:
- Patch Management: Patch Approval, Patch Configuration
- Monitoring: Filters and Rules
Rules only execute in order if the targets are identical.
For example, if five rules target servers - windows and one rule targets servers - windows + exchange servers, running all six will result in the five rules executing in order, while the single rule will run independently.
Select target devices
When you create an automatic approval rule, you can choose which devices it applies to. On the Targets tab, select one or more device collections defined by filtering rules. To add a new device collection, add a new rule.
You cannot choose client/site-level actions.
When automatic approval rules have the exact same targets, these rules form a hierarchy and only one approval is generated, based on hierarchy & rule order.
Install Patches Immediately
You can also use Install patches immediately. This option installs or removes a patch right away, outside the scheduled maintenance window, without notifying the user.
- If a patch is Approved for Install, it installs immediately.
- If a patch is Approved for Removal, it is removed immediately.
When you select this option, the Patch Installation Schedule for the selected devices is ignored.
Set rule priority
Changing the order of automatic approval rules determines which rules take precedence. Reorder the rules by dragging and dropping them on the Automatic Approval Rules page. After you reorder the rules, you can re‑run them to update patch approvals for your customer devices and device groups. This updates which patches are rolled out and when. You can achieve a phased patch rollout by adjusting automatic approval rules over time and configuring approval delays.
Reordering automatic approval rules lets you:
- See how your rules affect devices across multiple levels at the same time.
- Review and streamline your configuration by reducing the number of rules you manage.
- Ensure rules run in the correct order and take effect as intended.
For example, you can place a specific Decline rule (such as decline Java 8 updates) before a general Approve rule (such as approve all patches). This ensures the decline rule runs first and prevents the Java update from being approved.
To reorder automatic approval rules:
- Go to Configuration > Patch Management.
- Select Automatic Approvals.
- Drag rules to arrange them in the order you want.
To move multiple rules at the same time, hold Shift or Ctrl and select the rules. You can move multiple rules only if they belong to the same customer or site.
You can’t move rules created at a higher level when you’re working at a lower level. For example, you can’t move a Service Organization (SO)–level rule at the Customer level. However, you can move Customer‑level rules when viewing them at the SO level.
- Select Save.
N-able N-central executes auto approvals in the configured order. The Run Rule Now feature also follows this rule order. For more information, see Automatic patch approvals.
Limitations on rule order
You can reorder automatic approval rules by dragging and dropping them. The order is saved when you select Save at the bottom of the page.
The following limitations apply:
- You can reorder rules only at your current level or any level below it. For example, you can’t move Service Organization (SO)–level rules when you are at the Customer level.
- You can move rules only within the same customer level. You cannot place an SO-level rule between customer-level rules, or a rule from one customer between rules from another customer.
- You can move multiple rules at the same time, as long as all the ordering constraints are met.
- Rules from lower customer levels are always displayed first. The general order is:
  - Site‑level rules
  - Customer‑level rules
  - SO‑level rules
  - System‑level rules
- Any resulting approvals also follow precedence rules. For more information, see how rule order and hierarchy work.
Execute automatic approval rules
You can execute automatic approval rules in three ways:
- Run Rule Now (Clear and re-evaluate): Runs rules from bottom to top. Each rule can overwrite the results of the previously executed rule.
- Run Rule Now (Preserve settings): Runs rules from top to bottom. Results from one rule aren’t overwritten by subsequent rules.
- Automatic execution: Runs automatically when some new patches are reported to N-central. This method follows the same behavior as Run Rule Now (Preserve settings).
How rule order and hierarchy work
Patch approvals ensure that only valid patches are installed on a device and help prevent issues or conflicts. Conflicts can occur when a device is included in multiple patching rules.
When conflicting patch approval statuses are applied to a device from either a rule or a device level approval, the system resolves them by using a strict approval hierarchy, as shown in the table below. To reduce conflicts and simplify management, it’s best to assign devices to a single patching rule.
| Level Order | |
|---|---|
| 1 | Device |
| 2 | Site |
| 3 | Customer |
| 4 | Service Organization |

| Status Order | |
|---|---|
| 1 | Declined |
| 2 | Approved for Install |
| 3 | Approved for Removal |
| 4 | Not Approved |
| 5 | No Approval |
Example: Automatic Approval workflow
This example shows how new patches move through the automatic approval rules workflow.
Step 1
New Patches enter the system.
Patch KB 5017500
Patch KB 5017501
Patch KB 5017502
Patch KB 5017503
Step 2
The system searches through the list of rules, identifies which rules (highlighted in green below) have targets that are affected by these patches and generates approvals accordingly.
| Site-level Rules | Customer-level Rules | SO-level Rules | System-level Rules |
|---|---|---|---|
| rule m | rule y | rule a | rule k |
| rule b | rule d | rule f | rule i |
| rule t | rule j | ||
| rule x | rule n | ||
| rule s |
The rules in the columns above are ordered based on priority. Priority can be changed by clicking-and-dragging the rule order. See set rule priority.
Step 3
The system then orders the rules based on priority and level.
| Level | Rules (in order) |
|---|---|
| Site-level rules | rule m, rule t |
| Customer-level rules | rule y |
| SO-level rules | rule f |
| System-level rules | rule j |
Step 4
When determining which approval status to apply to a patch, the system evaluates the automatic approval rules in order. Approved and declined statuses are preserved as the system processes rules from the site level (in order of priority) to the system level. If multiple rules exist at the same level (rule m and rule t in the example below), the system evaluates them by status order priority. See How rule order and hierarchy work.
| Patch # | Site-level Rules | Customer-level Rules | SO-level Rules | System-level Rules | Final Setting | |
|---|---|---|---|---|---|---|
| rule m | rule t | rule y | rule f | rule j | ||
| KB 5017500 | declined | approved for install | declined | approved for removal | not approved | rule m: declined |
| KB 5017501 | not approved | approved for install | declined | rule t: not approved | ||
| KB 5017502 | declined | approved for install | rule y: declined | |||
| KB 5017503 | approved for install | approved for install | approved for removal | approved for install | rule m: approved for install | |
Example Scenarios
These examples show how automatic approval rules behave when they target the same devices compared to when they target different devices.
Scenario 1
In this scenario, the two automatic approval rules have the exact same targets.
| Rule | Approval | Target |
|---|---|---|
| # 1 | Approve all upgrades: Approves everything in the upgrades class and product unknown category. | Workstations-Windows rule |
| # 2 | Decline Windows 11: Declines the upgrade class and product unknown category and specifies Windows 11 in keywords so as to target only Windows 11 upgrades. | Workstations-Windows rule |

Generated approval: Whichever rule is above the other in the Patch Management > Automatic Approvals view in the UI wins. See set rule priority to change this order. If rule #2 (Decline Windows 11) is at the top, all upgrades are approved except for Windows 11, which is declined. If rule #1 (Approve all upgrades) is at the top, all upgrades are approved.
Scenario 2
In this scenario, the two automatic approval rules have different targets.
| Rule | Approval | Target |
|---|---|---|
| # 1 | Approve all upgrades: Approves everything in the upgrades class and product unknown category. | Workstations-Windows & Laptop-Windows rule |
| # 2 | Decline Windows 11: Declines the upgrade class and product unknown category and specifies Windows 11 in keywords so as to target only Windows 11 upgrades. | Workstations-Windows rule |

Generated approval: This scenario will generate two approvals:
Since rule #1 also targets Windows 11 upgrades for workstations like rule #2, the approval that wins depends on the hierarchy. In this case, a declined status wins over an approval status. Thus, the approval that wins is: Approve all upgrades except Windows 11 for workstations and approve all upgrades on laptops.
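The resolution behaviour described under How rule order and hierarchy work and in Scenarios 1 and 2 can be checked against a small model before you change rule order in production. This is an added illustration, not N-able code: the `Rule` class, the `resolve` function, the Customer level given to the scenario rules, the patch title, and the placement of System after Service Organization are assumptions.

```python
from dataclasses import dataclass

# Precedence lists from "How rule order and hierarchy work" (lower index wins).
# Assumption: "System" follows Service Organization, as in the Step 3 ordering;
# the Level Order table itself stops at Service Organization.
LEVELS = ["Device", "Site", "Customer", "Service Organization", "System"]
STATUSES = ["Declined", "Approved for Install", "Approved for Removal",
            "Not Approved", "No Approval"]

@dataclass(frozen=True)
class Rule:                      # hypothetical model of one automatic approval rule
    name: str
    level: str
    status: str
    targets: frozenset           # device collections the rule targets
    keyword: str = ""            # blank means the keyword filter is ignored

    def matches(self, title, collection):
        return collection in self.targets and self.keyword.lower() in title.lower()

def resolve(rules, title, collection):
    """Return (rule name, status) for one patch on a device in `collection`.

    `rules` is in UI order, top first, as in Run Rule Now (Preserve settings).
    """
    generated = {}               # one approval per (level, identical target set)
    for rule in rules:
        if rule.matches(title, collection):
            # Identical targets: the rule higher in the list keeps its result.
            generated.setdefault((rule.level, rule.targets), rule)
    if not generated:
        return (None, "No Approval")
    # Different targets or levels: lowest level first, then status order.
    winner = min(generated.values(),
                 key=lambda r: (LEVELS.index(r.level), STATUSES.index(r.status)))
    return (winner.name, winner.status)

WS, LT = "Workstations-Windows", "Laptop-Windows"
approve_all = Rule("Approve all upgrades", "Customer", "Approved for Install", frozenset({WS}))
decline_w11 = Rule("Decline Windows 11", "Customer", "Declined", frozenset({WS}), "Windows 11")
approve_both = Rule("Approve all upgrades", "Customer", "Approved for Install", frozenset({WS, LT}))

if __name__ == "__main__":
    title = "Upgrade to Windows 11"                          # constructed patch title
    print(resolve([approve_all, decline_w11], title, WS))    # Scenario 1, rule #1 on top
    print(resolve([decline_w11, approve_all], title, WS))    # Scenario 1, rule #2 on top
    print(resolve([approve_both, decline_w11], title, WS))   # Scenario 2, workstation
    print(resolve([approve_both, decline_w11], title, LT))   # Scenario 2, laptop
```
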
