Patch approval by patch

Manually approving patches ensures that only required and fully tested system and critical security updates are downloaded and installed. You can approve or decline individual patches by using rules associated with devices.

Setting a patch approval at a specific level also applies that approval to all lower levels that are configured to inherit from the parent. For example, if you set a patch to Approve for install at the Service Organization (SO) level, the same approval applies at the Customer and Site levels if inheritance is enabled.

A patch is considered outstanding when its Existing Approval status is No approval, meaning no approval decision has been made.

To manually approve patches:

  1. Select Configuration > Patch Management.

  2. In the Patch Approval section, select By Patch.
  3. Select the Show Device Counts checkbox to identify patches that are currently outstanding.

    4. Patches with an Existing Approval value of Approved for Install, Mixed, or Declined may still show devices that need one or more of the patches in that category. Use Show Device Counts to view the devices that still require approval.

  4. In the right pane, select Show filter to filter patches that do not have automatic approval.

    5. When you use the filter, leading and trailing periods and asterisks are ignored. As a result, searching for .NET returns items that include net anywhere in the name or description.

    The search field supports several operators to improve filtering, including %, *, and ?. The filter uses case‑insensitive POSIX regular expressions to search the KB Number, Patch name, and Patch description fields.

    For guidance on using the search filter to locate patches, including superseded patches, see Filtering Patches.

    For example:

    • Entering 4041.8. or 4041?8? returns patch numbers 4041687 and 4041085.
    • Include ^40 to search for a patch starting with 40.
    • Include 41$ to search for patches ending with 41.

    For more options, see section 9.7.3.3, Regular Expression Escapes in the PostgreSQL documentation at https://www.postgresql.org/docs/9.3/static/functions-matching.html.

    You can also filter patch products and status. At the bottom of the filter window, select the Products tab.

    Because some Microsoft patches do not correctly report their product, select the Product filter and then choose Product unknown. You can combine this with a keyword to automatically approve patches whose product information is missing.

    If you do not include Product Unknown in your Automatic Approval Rules you may unintentionally miss patches that you would wish to have approved. This can occur because, on rare occasions, Microsoft releases patches without specifying all required metadata, including the Product a given Patch will relate to. For more details, see Patch is not approved by Automatic Approval Rule.

  5. Select the check box next to each patch you want to include, and then select Next.
  6. Select Perform action immediately to install the patch right away instead of following the patching schedule. Use this option only when approving one or two critical patches.

  7. In the New approval column, select the Edit (pencil) icon to choose the new approval option.

    If you set a third‑party patch to Approved for removal, the entire application is removed from the device. Third‑party patches are not incremental, so you cannot remove only the patch.

  8. Select Next. If applicable, the EULA for the selected patches opens so you can accept the agreement.
  9. Select Next and review the approval list to confirm your settings.
  10. Select Finish.

During the patch maintenance window, N-able N-central downloads and installs the approved patches you selected. During installation, users may see a notification in the system tray indicating that updates are in progress.

When you approve a patch, the approval is processed in the background and may take time to complete. As a result, the N-able N-central screen may not immediately reflect your selection.

Patch status and approval values

The patch status represents a combined status based on the individual status values from all applicable devices. The combined status can be one of the following:

  • Failed: The patch installation didn’t complete successfully.
  • Needed: At least one device still requires the patch and the patch has not yet reached an installed state. This includes states such as approved, installing, scheduled, awaiting approval, or No approval (temporary hold).
  • Installed: Patch Monitor detected that the patch exists on the device. If it's the first detection after discovery, it is treated as an installation event.
  • Not Needed: The patch doesn’t apply to the device (for example, it was deleted, superseded, or removed) or it has been explicitly declined by the MSP.

The highest‑ranked status found on any device becomes the overall combined status for the patch. For example, if one device reports Failed and two devices report Needed, the patch’s combined status is Failed.

The Existing approval value for a patch reflects the combined approval states of that patch across all computer groups. The Approval values are combined as:

  • Approved for Install + Approved for Removal = Mixed
  • Approved for Install + Declined = Mixed
  • Approved for Removal + Declined = Mixed
  • Approved for Install + Not Approved = Approved for Install
  • Approved for Removal + Not Approved = Approved for Removal
  • Declined + Not Approved = Declined

Advanced filtering configurations

Using the filtering options, you can filter updates that have devices in one or more approval states, including devices that remain in the No Approval non‑state. The Mixed with any option helps you build more advanced filtering combinations to identify devices in unique patching scenarios.

  • To display all patches that contain No Approvals, select Mixed with any from the Approval options and the No Approval checkbox.
  • To display all patches that contain No Approvals and also looks for only one specific approval, select All from the Approval options and No Approval as well as any other specific approval from the list of options.

  • To display all patches that contain No Approvals:

    Select Mixed with any from the Approval options, and then select the No Approval checkbox.

  • To display all patches that contain No Approvals and a specific approval state:

    Select All from the Approval options, then select No Approval, plus any additional specific approval state you want to include from the list.