# Patch Approval

## Table of contents

- [Overview](#overview)
- [Manual Approval](#manual-approval)
- [Test and Approve](#test-and-approve)
- [Patch Approval Settings](#patch-approval-settings)
- [Test Group Settings](#test-group-settings)
- [Deployment Option](#deployment-option)
- [Deployment Settings](#deployment-settings)
- [Notification Settings](#notification-settings)
- [Approval Mode](#approval-mode)

## Overview

An approved status for a patch means that, according to the IT admin, it is a valid and trusted update. The approved status also indicates that when the patch is deployed, it will be an optimal fit for the systems within that network and will behave in the predictable manner intended by the vendor. This approval can be done manually by the IT admin or by using the **Test and Approve** feature.

## Manual Approval

You can opt for manual approval if you want granular control over the patch approval process. To change the approval status of patches manually, click on **Threats & Patches** and then click any of the following views:

- **Missing Patches**
- **Installed Patches**
- **Applicable Patches**
- **Top-Priority Patches**
- **Supported Patches**
- **Latest Patches**

Under these sections, select the patches you wish to change and click **Mark as**. From the drop-down menu, choose **Approved**, **Declined** or **Not Approved**.

![Manual Approval](https://www.manageengine.com/products/desktop-central/help/images/am1.png)

## Test and Approve

Testing patches on pilot computers before approving them and deploying them to wider networks is always considered a [best practice](https://www.manageengine.com/products/desktop-central/help/patch_management/best-practices-for-automatic-patch-deployment.html). Installing critical patches on all network computers without testing can sometimes lead to unexpected issues, such as software incompatibility, system crashes, or data loss.
Pilot testing on a limited set of machines helps identify these risks early, ensuring that any negative effects are contained and addressed before widespread deployment. Also, by testing patches on pilot systems first, you can determine the best deployment strategy for the broader organization. If issues arise, it's easier to fix them when only a limited number of systems are affected.

To configure the Test and Approve feature, click on **Threats & Patches → Deployment → Test and Approve**.

### Patch Approval Settings

![Patch Approval Settings](https://www.manageengine.com/products/desktop-central/help/images/am2.png)

Under **Patch Approval Settings**, by default, the **Approve Patches** feature is configured as **Automatically without testing**. This means that whenever a new patch is released, it is approved automatically if it passes the evaluation performed by ManageEngine. The approval status of those patches will automatically be listed as **Approved**. This is useful if your enterprise has less critical machines and you want to automatically deploy all the released patches immediately.

If you wish to re-evaluate the compatibility or integrity of the patches, click on **Modify** and change it to **Test and Approve**.

![Test and Approve page](https://www.manageengine.com/products/desktop-central/help/images/am3.png)

Under the **For the Existing Patches** section, select **Retain Approval Status** if you prefer to keep the current approval status of the existing patches. New patches will be marked as **Not Approved**; they can be tested and approved later.

If you wish to test all patches and then give them the approval status **Approved**, select **Mark Patch as Not Approved**. Every patch, other than **Declined** patches, will be marked as **Not Approved**.

After configuring these settings, click on **Save**.

**NOTE:** If you change **Approve Patches** in the **Patch Approval Settings** from **Test and Approve** to **Automatically without testing**, all the created test groups will be deleted automatically.

To create a test group, click on **Add Group**. You will be redirected to a new window where you can configure the **Test Group Settings**.

![Click on Add Group](https://www.manageengine.com/products/desktop-central/help/images/am4.png)

### Test Group Settings

![Test Group Settings](https://www.manageengine.com/products/desktop-central/help/images/am5.png)

Under the **Define Task** section, choose the **Platform** on which you want to test patches. Currently supported operating systems are **Windows, Mac and Linux**. Then, under **Group Name**, select the target group of pilot computers where you want to test the patches. To learn how to create custom groups, refer to [this page](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/creating_custom_groups.html).

#### Deployment Option

Choose the **Microsoft Updates** for testing based on **Updates and Severities** as shown in the image.

![Microsoft Updates](https://www.manageengine.com/products/desktop-central/help/images/am6.png)

After selecting them, choose:

- **Patch All Applications** to test the patching of all applications whenever patches with that severity and update type are released.
- **Patch Specific Applications** to test the patching of specific applications whenever patches with that severity and update type are released. Select those particular applications under the **Selected Applications** section.
- **Patch All Applications Except** to exclude specified applications and test the patching of all other applications whenever patches with that severity and update type are released. Select the applications to exclude under the **Selected Applications** section.

You can choose to test **Third Party Updates** based on **Updates and Severities** as shown in the image below.

![Third Party Updates](https://www.manageengine.com/products/desktop-central/help/images/am7.png)

Similar to Microsoft Updates, you can also choose **Patch All Applications**, **Patch Specific Applications** or **Patch All Applications Except** in this section.

To test the patches of device drivers, enable the **Driver Updates** checkbox. For the list of drivers supported for patching, refer to [this page](https://www.manageengine.com/patch-management/supported-drivers.html).

#### Deployment Settings

![Deployment Settings](https://www.manageengine.com/products/desktop-central/help/images/am8.png)

Under **Deployment Criteria**, use **Deploy patches after** to choose the number of days from vendor release after which the patches should be deployed to the pilot computers. Set it to **0 Days**, as it is preferable to test the patches immediately after their release.

**NOTE:** Only patches that have been marked **Not Approved** will be deployed to the Test Group. Patches that are marked as **Approved** or **Declined** won't be deployed.

Under **Deployment Policy → Apply Deployment Policy**, select the deployment policy to be followed while deploying the patches to pilot computers. It is recommended to choose the policy **Deploy any time at the earliest**, so that you can test the patches at the earliest possible time. To learn more about deployment policies, refer to [this page](https://www.manageengine.com/products/desktop-central/help/patch_management/patch-deployment-policy.html).

#### Notification Settings

![Notification Settings](https://www.manageengine.com/products/desktop-central/help/images/am9.png)

Under **Notification Settings**, if you wish to receive notifications whenever a patch is approved or a patch deployment has failed during the testing stage, select the checkbox in the **Enable Notifications** option. Notification Settings are optional.
To learn more about configuring notifications, refer to [this page](https://www.manageengine.com/products/desktop-central/help/configuring_execution_settings.html#notifications).

#### Approval Mode

Under the section **Approval mode for tested patches**, you can select the number of days after which the tested patches are auto-approved by enabling the option **Automatically approve tested patches after**. Only those patches that are successfully installed on at least one machine and have no failures across any machines will be approved after the specified number of days. Set this number of days to allow time to evaluate the results of testing; if the patch evaluation is successful, the patch will be approved automatically. If it failed on any pilot computer, it won't be approved.

![Approval Mode](https://www.manageengine.com/products/desktop-central/help/images/am10.png)

After configuring all the settings, click on **Create** and the test group will be created. The selected patches will now be tested on that test group of computers according to the chosen deployment policy and can later be approved. You can then deploy these patches either using an [automated task](https://www.manageengine.com/products/desktop-central/help/patch_management/apd.html) or [manually](https://www.manageengine.com/products/desktop-central/help/patch_management/manual-deployment.html).

If you have any further questions, please refer to our [Frequently Asked Questions](https://www.manageengine.com/products/desktop-central/help/patch_management/patch-faq.html#apdfaq) section for more information.
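
The rules stated under Deployment Settings and Approval Mode can be modelled as a small decision function, which is useful for checking which pilot outcomes you expect to be auto-approved. This is an added example, not ManageEngine code or its API; the `Patch` class, the outcome strings, the sample data and the assumption that the waiting period starts on the day the patch reached the test group are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

@dataclass
class Patch:
    patch_id: str                      # constructed identifier
    released: date                     # vendor release date
    status: str = "Not Approved"       # Approved / Declined / Not Approved
    results: Dict[str, str] = field(default_factory=dict)  # pilot -> outcome
    tested_on: Optional[date] = None   # day it reached the test group

def eligible_for_test(p, today, deploy_after_days=0):
    # Deployment Settings: only Not Approved patches reach the test group,
    # and only once "Deploy patches after" days have passed since release.
    return (p.status == "Not Approved"
            and today >= p.released + timedelta(days=deploy_after_days))

def auto_approve(p, today, approve_after_days):
    # Approval Mode: at least one successful install, no failure on any
    # machine, and the waiting period (assumed to start at tested_on) is over.
    if p.status != "Not Approved" or p.tested_on is None:
        return False
    outcomes = list(p.results.values())
    clean = "succeeded" in outcomes and "failed" not in outcomes
    return clean and today >= p.tested_on + timedelta(days=approve_after_days)

def review(patches, today, approve_after_days):
    # Resulting approval status per patch after the evaluation run.
    return {p.patch_id: "Approved" if auto_approve(p, today, approve_after_days)
            else p.status for p in patches}

# Constructed sample data: five patches, two pilot machines.
TODAY = date(2024, 6, 10)
R, T = date(2024, 6, 1), date(2024, 6, 2)
SAMPLE = [
    Patch("P-clean", R, results={"pc1": "succeeded", "pc2": "succeeded"}, tested_on=T),
    Patch("P-one-failure", R, results={"pc1": "succeeded", "pc2": "failed"}, tested_on=T),
    Patch("P-never-installed", R, results={"pc1": "pending", "pc2": "pending"}, tested_on=T),
    Patch("P-too-recent", R, results={"pc1": "succeeded"}, tested_on=date(2024, 6, 8)),
    Patch("P-declined", R, status="Declined"),
]

if __name__ == "__main__":
    for pid, status in review(SAMPLE, TODAY, approve_after_days=5).items():
        print(f"{pid:18} {status}")
```

Only the first sample patch ends up **Approved**: a single failed pilot, a patch that never installed anywhere, and a patch still inside the waiting period all stay **Not Approved**.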