An approved status for a patch means that, according to the IT admin, it is a valid and trusted update. The approved status also indicates that when a patch is deployed, it will be an optimal fit for the systems within that network and will also behave in the predictable manner as intended by the vendor. This approval can be done manually by the IT admin or using the Test and Approve feature.
You can opt for manual means if you want granular control over the patch approval process. To change the approval status of patches manually, click on Threats & Patches and then click any of the following views:
Under these sections, select the respective patches you wish and click the Mark as, and from the drop down menu, choose either Approved, Declined or Not Approved.
Testing the patches in pilot computers before deploying them in wider networks and approving them is always considered a best practice. Installing critical patches in all network computers without testing can sometimes lead to unexpected issues, such as software incompatibility, system crashes, or data loss. Pilot testing on a limited set of machines helps identify these risks early, ensuring that any negative effects are contained and addressed before widespread deployment. Also, by testing patches on pilot systems first, you can determine the best deployment strategy for the broader organization. If issues arise, it’s easier to fix them when only a limited number of systems are affected.
To configure the Test and Approve feature click on Threats & Patches → Deployment → Test and Approve.
Under Patch Approval Settings, by default, the Approve Patches feature will be configured as Automatically without testing. This means whenever a new patch get released, it will get approved automatically if it passes the evaluation performed by the ManageEngine. Those patches approval status will automatically be listed as Approved . This is useful if your enterprise has less critical machines and you want to automatically deploy all the released patches immediately.
If you wish to re-evaluate the compatibility or integrity of the patches, click on Modify and change it to Test and Approve.
Under For the Existing Patches section, select Retain Approval Status if you prefer to keep the current approval status of the existing patches. The new patches will be marked as Not Approved; which can tested and later approved.
If you wish to test all patches and then give them the approval status as Approved, select Mark Patch as Not Approved. Every patch, other than Declined Patches, will be marked as Not Approved.
After configuring these settings, click on Save.
NOTE- If you change the Patch Approval Settings in Approve Patches from Test and Approve to Automatically without testing, all the created test groups will be deleted automatically.
To create a test group, click on Add Group. You will be redirected to a new window where you can configure the Test Group Settings.
Under Define Task section, choose the Platform in which you want to test patches. Currently supported Operating Systems are Windows, Mac and Linux . Then under Group Name, select the Target Group of pilot computers where you want to test the patches. If you want to know how to create custom groups, refer to this page.
Choose the Microsoft Updates for testing based on Updates and Severities as shown in the image.
After selecting them, choose:
Patch All Applications to test the patching of all applications whenever patches with that severity and update type are released.
Patch Specific Applications to test the patching of specific applications whenever patches with that severity and update type are released. Select those particular applications under Selected Applications section.
Patch All Applications Except to exclude specified applications and test the patching of all other applications whenever patches with that severity and update type are released. Select the applications to exclude under the Selected Applications section.
You can choose to test Third Party Updates based on Updates and Severities as shown in the below image.
Similar to Microsoft Updates, you can also choose to Patch All Applications,Patch Specific Applications and Patch All Applications Except in this section.
To test the patches of the device drivers, enable Driver Updates checkbox. To know the supported drivers for patching, refer to this page.
Under Deployment Criteria, choose the number of days from vendor release after which you need to deploy the patches in pilot computers in Deploy patches after. Set it 0 Days, as it is preferable to test the patches immediately after their release.
NOTE- Only patches that have been marked Not Approved will be deployed to the Test Group. Patches that are marked as Approved or Declined won't be deployed.
Under Deployment Policy→ Apply Deployment Policy, select your preferred deployment policy that needs to be followed while deploying the patches in pilot computers. It is recommended to choose the policy Deploy any time at the earliest as you can test the patches at the earliest possible time. To learn more about deployment policies, refer to this page.
Under Notification Settings, if you wish to receive notifications whenever a patch is approved or a patch deployment has failed during the testing stage, select the checkbox in the Enable Notifications option. Notification Settings are optional. To learn more about configuring notifications, refer to this page.
Under the section Approval mode for tested patches, you can select the number of days after which the tested patches need to be auto-approved by enabling the option Automatically approve tested patches after. Only those patches that are successfully installed on at least one machine and have no failures across any machines will be approved after those specified number of days. Set these specified number of days to evaluate the results of testing and then if the patch evaluation is successful it will be approved automatically. If it failed in any pilot computers, it won't get approved.
After configuring all the settings, click on Create and the test group will be created. Now, the mentioned patches will be tested in that specified test group of computers according to the mentioned deployment policy and then later can be approved. You can later deploy these patches either using an automated task or manually.
If you have any further questions, please refer to our Frequently Asked Questions section for more information.
