Patch approval by patch

Manually approving patches ensures that only the system and security critical patches needed and fully tested are downloaded and installed. Approving individual patches provides a way to approve or decline patches through Rules associated to devices.

Setting a patch approval at a specific level also applies to all levels below if they are configured to inherit from the level above.

For example, if you configure a patch to "Approve for install" at the SO level, the approval would also apply at the Customer and Site level as long as they are allowed to inherit from the parent level.

Outstanding patches are those that have an Existing Approval status of No Approval because no approval decision has been made.

  1. Click Configuration > Patch Management.

  2. In the Patch Approval section, click By Patch.
  3. Select the Show Device Counts check box at the top of the window to identify which patches are currently outstanding.

    4. Patches with an Existing Approval value of Approved for Install, Mixed, or Declined may have some devices still needing the patches listed underneath them that have not been approved. Using Show Device Counts clarifies this situation.

  4. On the right-hand side of the screen, click Show Filter to identify patches by a classification that may not have automatic approval.

    5. Searches using the filter ignore leading and trailing periods and asterisks. For example, searching on ".NET" can include anything that includes "net" in the name or description, not just ".NET" results.

    The search field employs a number of operators to enhance the search capability of the filter such as the operators "%", "*" and "?". The filter feature uses case-insensitive POSIX regex to search in the KB Number, Patch Name, and Patch Description fields.

    For details on using the search filter for finding patches, including superseded patches, see Filtering Patches.

    For example

    • Entering 4041.8. or 4041?8? returns patch numbers 4041687 and 4041085.
    • Include ^40 to search for a patch starting with 40.
    • Include 41$ to search for patches ending with 41.

    For more options, see section 9.7.3.3, Regular Expression Escapes in the PostgreSQL documentation at https://www.postgresql.org/docs/9.3/static/functions-matching.html.

    You can also filter on patch products as well as status. On the bottom of the filter window, click the Products tab.

    Some Microsoft patches do not accurately report their product. To cover this situation, click the Product filter option and click Product Unknown. Combined with a keyword, you can automatically approve patches where the product has not been defined by Microsoft.

  5. Select the checkbox(es) next to the desired patch(es) and click Next.
  6. Select Perform Action Immediately to install the patch right away and NOT follow the patching schedule. Use this option only if you are approving one or two critical patches.

  7. In the New Approval column, click the pencil icon to select the new approval property.

    Configuring a third party patch as Approved for Removal will remove the entire application from the device and not just the software patch itself. Third party software patches are not incremental, and you cannot only remove the patch.

  8. Click Next, and if applicable, the EULA for the selected patches will open to accept the agreement.
  9. Click Next and review the list of approvals to confirm that the configuration is correct.
  10. Click Finish.

During the patch maintenance window, N-able N-central will download and install the selected approved patches. During the installation, the user may see a notification in their system tray that updates are occurring.

Note that once you approve a patch, the approval is processed as a background task that may take some time to complete, depending on a number of factors. Because of this, the N-able N-central screen may not immediately reflect your selection.

Patch status and approval values

The patch status is a combination of the individual patch status values across all applicable devices. The combined Status value can be one of:

  • Failed
  • Needed
  • Installed
  • Not Needed

The highest-ranked of these statuses found on any device will be reported as the combined status for the patch. For example, if one device had a status of Failed, while two other devices have a status of Needed, the patch would have an overall combined status of Failed.

The Existing Approval value of each patch is a combination of the individual Approval values of that patch across all computer groups. The Approval values are combined as:

  • Approved for Install + Approved for Removal = Mixed
  • Approved for Install + Declined = Mixed
  • Approved for Removal + Declined = Mixed
  • Approved for Install + Not Approved = Approved for Install
  • Approved for Removal + Not Approved = Approved for Removal
  • Declined + Not Approved = Declined

Advanced filtering configurations

Using the filtering options, you can filter on updates that have some devices in one or more approval states as well as outstanding devices in a No Approval non-state. The Mixed with any option will help to achieve more advanced filtering configurations to find those devices in unique patching situations.

  • To display all patches that contain No Approvals, select Mixed with any from the Approval options and the No Approval check box.
  • To display all patches that contain No Approvals and also looks for only one specific approval, select All from the Approval options and No Approval as well as any other specific approval the list of options.