# N-1 patching: Stay in control of your patching strategy

Patch management requirements vary across environments. The operating systems, software versions, and business-critical applications you run all influence the type of patching strategy you need. Some applications require frequent updates, while others only support specific software versions. To support these scenarios, we’ve introduced N-1 patching, which lets you deploy older, superseded patches when needed.

This document explains what the feature does, how to enable it, and what to expect once it’s configured.

## Table of contents

- [What is N-1 patching?](https://www.manageengine.com/products/desktop-central/help/patch_management/n-1-patches.html#what-is-n1)
- [What are superseded patches?](https://www.manageengine.com/products/desktop-central/help/patch_management/n-1-patches.html#superseded-patches)
- [How to identify superseded patches](https://www.manageengine.com/products/desktop-central/help/patch_management/n-1-patches.html#identify-superseded)
- [When is N-1 patching required?](https://www.manageengine.com/products/desktop-central/help/patch_management/n-1-patches.html#when-required)
- [ManageEngine N-1 patch settings](https://www.manageengine.com/products/desktop-central/help/patch_management/n-1-patches.html#n1-settings)
- [Enable N-1 patching (Windows)](https://www.manageengine.com/products/desktop-central/help/patch_management/n-1-patches.html#enable-windows)
- [Best practices for N-1 patching (Windows)](https://www.manageengine.com/products/desktop-central/help/patch_management/n-1-patches.html#best-practices)
- [Enable N-1 patching (Linux)](https://www.manageengine.com/products/desktop-central/help/patch_management/n-1-patches.html#enable-linux)
- [FAQ](https://www.manageengine.com/products/desktop-central/help/patch_management/n-1-patches.html#faq)

## What is N-1 patching?

In IT, N-1 patching refers to installing a version of software that is one release behind the latest update. Depending on your requirements, this may extend to N-2, N-3, and so on.

## What are superseded patches?

When a vendor releases an update that includes or replaces an earlier patch, the new patch is called the superseding patch, and the older one becomes a superseded patch.

## How to identify superseded patches

In ManageEngine’s patch management products, go to **Threats & Patches → Patches → Supported patches**. Create a filter where **Status = Superseded** to view all supported superseded patches.

## When is N-1 patching required?

### Server patching

Admins who patch servers sequentially may not complete deployment before a new update is released. As a result, servers may run different patch versions. N-1 patching allows you to install superseded patches to maintain consistency.

### Organizational policies

Some organizations intentionally deploy older patches, waiting a few weeks to ensure new releases are stable. The N-1 patching option supports this workflow.

### Compatibility requirements

Certain applications may only support older software versions. If a newer patch introduces issues, you can deploy a stable, superseded version instead.

## ManageEngine N-1 patch settings

The reasons stated above are only a few of the actual requirements that enterprises have. It is to tackle such situations that ManageEngine has introduced its latest settings — **N-1 patch settings**. N-1 patching is available for Windows and Linux platforms (Red Hat and Debian).

![n-1](https://www.manageengine.com/products/desktop-central/images/n-1-patches.png)

### Viewing and managing schedules

## Enable N-1 patching (Windows)

- Navigate to **Threats & Patches → Settings → N-1 patch settings**.
- Select **Enable N-1 patching for Windows** to retain superseded patches for 3 months.
- After enabling the feature, superseded patches appear across patch views once the Central Patch Repository synchronizes with the Central Server. You can deploy superseded patches from the **Missing patches** view.

## Best practices for N-1 patching (Windows)

- Enable **Download the patches missing in the network** under **Patches → Settings → Cleanup settings → Patch download settings**.
- Disable **Remove superseded patches** under **Patches → Settings → Cleanup settings → Patch cleanup**.
- Adjust the cleanup schedule under **Patches → Settings → Cleanup settings → Patch cleanup → Remove the patches that are older than** to suit your N-1 patching needs.

## Enable N-1 patching (Linux)

For detailed steps and management instructions, see:

- [N-1 patching on Debian](https://www.manageengine.com/products/desktop-central/help/patch_management/n-1-patching-in-debian-linux.html)
- [N-1 patching on Red Hat](https://www.manageengine.com/products/desktop-central/help/patch_management/n-1-patching-in-redhat-linux.html)

## FAQ

### What happens when this option is enabled?

For Windows, superseded OS and third-party patches from the past 3 months appear under **Missing patches**, **Installed patches**, **Applicable patches**, and **Supported patches**.

For Linux, superseded patches from the past 6 months are shown.

### What happens if I deploy all patches from previous months at once?

The agent installs the oldest patches first.

### How are third-party patches with dynamic URLs handled?

Some vendors host the latest patch version at the same download URL. If you enable N-1 patching, download older patches before they are replaced by the latest version.

### How does this option affect the Decline patches feature?

When enabled, both superseded and latest patches appear under **Missing patches**. You can decline superseded patches individually based on your requirements.

[Back to top](https://www.manageengine.com/products/desktop-central/help/patch_management/n-1-patches.html#top)