Policies

An Agent policy deploys settings to affect the operation and configuration of the Datto RMM Agent. An Agent policy may affect Privacy Mode, Agent installation and service, security, and the Agent Browser mode. For information about the Agent, refer to Datto RMM Agent.

Privacy mode options

Select any of the following options:

Service options

Select any of the following options:

User actions

Select any of the following options:

Agent Browser mode

Select one of the following options from the drop-down list:

To learn about the Endpoint Security features in Datto RMM, refer to Endpoint Security.

An Endpoint Security policy allows you to keep your devices secure and respond to active threats by configuring and deploying various endpoint security technologies through one centralized policy. The endpoint security tools listed below are enabled by default; however, you can disable them. Click to expand any of the tiles to view or modify the settings.

NOTE  To be able to save the policy, at least one of the endpoint security tools must be enabled.

NOTE  A device should only be targeted by one Endpoint Security policy. If multiple Endpoint Security policies target the device, the Datto RMM Agent will continue to use the policy that was deployed first. If that policy is then disabled, the Datto RMM Agent will use the next active (enabled) policy targeting the device.

NOTE  A widget displaying the number of devices in each of your sites that do not have certain security features configured is available in the Widget Library. Refer to Security Threats.

Datto EDR and Datto AV

Supported operating systems: Windows, macOS, Linux

NOTE  This option is only available if Datto Endpoint Detection and Response (EDR)/Antivirus (AV) is enabled for your Datto RMM account. Refer to Datto EDR and Datto AV Integration.

NOTE  On Datto EDR/AV-enabled Datto RMM accounts, disabling an Endpoint Security policy or turning off the Datto EDR and Datto AV toggle in an Endpoint Security policy will automatically uninstall Datto EDR and Datto AV from the devices targeted by the policy. You will be prompted to confirm that you wish to execute this action.

NOTE  The Threat Detection monitor requires a Datto EDR/Datto AV license.

This tool will deploy the Endpoint Detection engine, which will start analyzing activity on the targeted endpoints. By default, when indicators of compromise are detected, an alert of critical priority will be generated. Datto EDR and Datto AV policies can be managed from within Datto EDR. Refer to the policies overview in the Datto EDR Help system.

Refer to Threat Detection monitor in Creating a monitor. The default configuration of the monitor can be modified by clicking Edit next to the alert details.The monitor type cannot be modified. To review the monitor settings, click View Details.

When a device is no longer targeted by a Threat Detection monitor, the Datto EDR process will be uninstalled from the device. For more information, refer to Datto EDR module in Agent modules.

NOTE  A widget displaying the Datto EDR status of your devices is available in the Widget Library. Refer to Datto EDR.

NOTE  The Endpoint Security card on the device summary page provides an overview of a device's security state. Refer to Endpoint Security.

NOTE  To learn more about Datto EDR and Datto AV, review this comparison resource and peruse the FAQs in the Datto EDR Help system.

Ransomware Detection

Supported operating system: Windows

NOTE  This option is only available if Ransomware Detection or Datto EDR is enabled for your Datto RMM account. Refer to Licenses.

NOTE  The Ransomware monitor requires a license. Refer to Add Ransomware Detection licenses.

NOTE  While it is best practice to use Ransomware Detection as part of an Endpoint Security policy, it is possible to have other Ransomware monitors targeting your endpoints both at the device level and as part of a Monitoring policy.

This tool will deploy the Datto RMM Ransomware Detection engine, which will start analyzing file activity on the targeted endpoints. Refer to Ransomware Detection. By default, when ransomware activity is detected in the system drive, the activity will be stopped, and an alert of moderate priority will be generated. If the issue stops occurring, the alert will be auto-resolved within one minute.

The default configuration of the monitor can be modified by clicking Edit next to the alert details. Refer to Ransomware monitor in Creating a monitor. The monitor type cannot be modified. To review the monitor settings, click View Details.

NOTE  A widget displaying the Ransomware Detection status of your devices is available in the Widget Library. Refer to Ransomware Status.

NOTE  The Endpoint Security card on the device summary page provides an overview of a device's security state. Refer to Endpoint Security.

Managed Windows Defender Antivirus

Supported operating system: Windows

NOTE  Windows Defender must be enabled on the targeted devices for the Managed Windows Defender Antivirus configuration to take effect. The Windows Defender Antivirus monitor will enforce the configured settings, but it will not enable Windows Defender if it is not already enabled on a device.

Managed Windows Defender Antivirus will enforce a more secure configuration for the built-in anti-malware engine in Windows. When threats are detected or when the engine is not compliant, an alert of moderate priority will be generated. If the issue stops occurring, the alert will be auto-resolved within one minute.

The default configuration of the monitor can be modified by clicking Edit next to the alert details. Refer to Windows Defender Antivirus monitor in Creating a monitor. The monitor type cannot be modified. To review the monitor settings, click View Details. You can disable the monitor by clicking the toggle button next to Alert.

NOTE  The Windows Defender Antivirus monitor is only supported on Windows 8.1 and above. On lower Windows versions, the Datto RMM Agent will not enforce any settings defined in the Endpoint Security policy and it will report back blank data.

You can also configure further settings most of which are not customizable in the front end in Windows. The screenshots below display the default configuration for Managed Windows Defender Antivirus. These settings are recommended as best practice by Datto RMM.

NOTE  Some of the options listed below are enabled but not editable.

NOTE  Real-time protection in Virus & threat protection settings in Windows cannot be turned off or on using an Endpoint Security policy.

User Experience

• Disable user interface, scan pausing, and notifications
• Use a Proxy Server

Protection

• Detection based on heuristics
• Cloud-delivered Protection
• Monitor file and program activity
• Network Inspection protocol recognition
• Behavior-based monitoring
• Microsoft Outlook protection
• Keep Defender Service alive in all circumstances
• Scan scripts that are used in Microsoft browsers

Scanning

• Schedule scans: Select the scan type (Quick or Full), the execution time, and the day of the scan or a Daily scan.
• Catch-up scans: Select the scan type (Quick or Full) and when to force a catch-up scan (after 2-20 days).
• Scan network drives
• Scan network files
• Scan through NTFS symbolic links
• Scan archives
• File size scan limit (MB): Enter a number or use the slider to set a limit. When zero is set, the file size is unlimited.

Scanning Exclusions

• Exclusions and Exceptions

Defender Attack Surface Reduction

• Use advanced ransomware protection
• Block abuse of exploited or vulnerable signed drivers
• Block untrusted and unsigned processes running from USB
• Block advanced malware attack techniques
• Use advanced Office and Adobe Reader protection

Attack Surface Reduction Exclusions

• Process exclusions: Enter a path to be excluded. To add another path, click the plus sign. To remove a path, click the minus sign.

When exclusions are defined here, the Datto RMM Agent will enforce them on the targeted device and remove any exclusions already set on the device. If a device already has exclusions defined, leaving the Process exclusions field blank will not remove those exclusions. To remove those exclusions using an Endpoint Security policy, you must enter a path in the Process exclusions field (even if that path does not exist). If a device is no longer targeted by a Windows Defender Antivirus monitor, the exclusions set on the device will remain unchanged.

NOTE  A widget displaying the Managed Windows Defender status of your devices is available in the Widget Library. Refer to Managed Windows Defender Status.

NOTE  The Endpoint Security card on the device summary page provides an overview of a device's security state. Refer to Endpoint Security.

NOTE  To learn about Microsoft Defender Antivirus with Datto EDR, refer to Using Microsoft Defender Antivirus with Datto EDR in the Datto EDR Help system.

An ESXi policy allows you to apply one or more monitors to multiple ESXi devices to monitor their performance, datastore, temperature, and hardware status.

1. In the Monitors section, click Add Monitor.

2. In the Monitor Type section, click Select.
3. In the Select a Monitor pane, use the search bar to search for a monitor type or scroll down in the list. Click Select to specify the monitor type.
   
4. Once the monitor type has been selected, you can configure the monitor criteria. To choose a different monitor type, click Change Monitor Type and modify your selection.

5. Configure the monitor criteria. For information on all available monitor types, refer to Alert details per monitor type and Response details.
6. Once you have configured the monitor details, click Add Monitor.
7. To add further monitors to the policy, repeat the steps above. To review the details of a monitor, click its description. Refer to Viewing monitor details. To delete a monitor, click the delete icon .
   

A Maintenance policy allows you to pause monitoring while doing scheduled maintenance work on your devices. Pausing monitoring lets you prevent false alerts, for example, during a backup.

During a maintenance window, the following actions will be taken if an alert condition is met:

• Monitors will be able to raise alerts; however, these alerts will not be listed as open alerts. You can only view them when selecting All from the Status column in a list of alerts. Refer to Alerts. Alerts raised by webhooks will also be suppressed.
• Monitors will not create tickets or send email notifications; however, response components will be executed as normal.
• If the alert condition is still in effect when the maintenance window ends, the alert created during the maintenance window will become active and be listed under Open Alerts. Tickets and email notifications will be created and sent from this alert.

When configuring the policy, the calendar view in the Schedule > Recurrence section provides a visual indicator of when the maintenance window will occur according to the selected schedule.

Once a device has been placed into maintenance mode, an icon is displayed next to the device name at the top of the device summary page. For more information, refer to Maintenance mode status indicator.

NOTE  You can create a maintenance mode widget to see all devices currently in maintenance. Refer to Devices Under Maintenance.

A few things to note

• Changes made to a Maintenance policy while it is running or within 15 minutes of the start of a maintenance window will only take effect at the next run. For example, if you are creating a new Maintenance policy with a daily schedule, and the start date and execution time is set to 10 minutes from now, the first run time will only occur on the following day.
• You can end a scheduled maintenance mode window by updating the associated Maintenance policy so that it no longer targets the device. Refer to Editing a policy.
• You can also end a maintenance mode window on the device summary page or on a device list page. Refer to Ending a maintenance mode window.

A Monitoring policy allows you to apply one or more monitors to multiple devices.

1. In the Monitors section, click Add Monitor.

2. In the Monitor Type section, click Select.
3. In the Select a Monitor pane, use the search bar to search for a monitor type or scroll down in the list. Click Select to specify the monitor type.
   
4. Once the monitor type has been selected, you can configure the monitor criteria. To choose a different monitor type, click Change Monitor Type and modify your selection.

5. Configure the monitor criteria. For information on all available monitor types, refer to Alert details per monitor type and Response details.
6. Once you have configured the monitor details, click Add Monitor.
7. To add further monitors to the policy, repeat the steps above. To review the details of a monitor, click its description. Refer to Viewing monitor details. To delete a monitor, click the delete icon .
   

NOTE  Datto also offers best practice Monitoring policies. For more information, refer to Download a ComStore policy.

Exporting a Monitoring policy

Exporting a Monitoring policy allows you to share the file with other users who can then import the policy into their own Datto RMM account. Refer to Importing a Monitoring policy.

An exported Monitoring policy includes the targets (limited to the Default Device Filters provided by Datto RMM) and the configured monitors' alert details (everything configured in the Alert section). However, it does not include any custom configuration in the monitors' Response section. When an exported Monitoring policy is imported, the policy's scope will be set to Global by default.

The following monitor types cannot be exported:

• Antivirus Status monitor
• Component monitor
• Datto Continuity monitor

To export a Monitoring policy, follow these steps:

1. Open a Monitoring policy by following one of the navigation paths described in Security and navigation.
2. Click Export.
3. The policy will be saved as a .pcy file.

Importing a Monitoring policy

If an exported Monitoring policy (.pcy file) has been shared with you, you can import it into your own Datto RMM account. For export instructions and details, refer to Exporting a Monitoring policy.

To import a Monitoring policy, follow these steps:

1. Navigate to any Policies page by following one of the navigation paths described in Security and navigation.
2. Click Import.
3. Select the .pcy file saved on your device.
4. The imported policy will open in the edit page with the Global scope by default. You can edit all policy details except for the policy type. Refer to Creating a policy.

About Patch Management

For general information about Patch Management for Windows devices in Datto RMM, including determining a device's patch status, patch reporting, and more, refer to Patch Management.

NOTE  Patch Management support for macOS devices is available via the ComStore component Install Updates with SUPER [MAC]. For more information, refer to macOS Patch Management.

Default Patch Management policy

All new accounts are provisioned with a default Patch Management policy that can be found in Policies > Patch Management > Default Windows Patching policy. It is configured the following way:

Field	Description
Name	Default Windows Patching policy
Scope	Global
Type	Patch Management
Schedule	Audit only
Power	Do not restart
Approval	Approve patches that match the following criteria: • Category > contains > Security updates or Update rollups or Critical updates or Definition updates
Targets	• Default Device Filter: All Windows Desktops • Default Device Filter: All Windows Servers
Enabled	Enabled
Disable Sites	All sites are enabled.
Disable Devices	All devices are enabled.

You can create another Patch Management policy or modify the default one by following the steps below.

With a Patch Management policy, you are pre-approving patches to be installed on your Windows devices on an ongoing basis as per the conditions you define. A Patch Management policy can not only manage the patches made available in Windows Update, but it also gives you more control, lowers your workload, and increases the security of your devices.

You can set up a global or site-level policy that can target multiple devices. You can define conditions such as the patch window and patch approval rules. You can also create a Patch Management policy for audit purposes only, and apply site-level overriding of global policy options.

IMPORTANT  Only Windows Managed Agents support Patch Management. Refer to Managed and OnDemand Agents.

NOTE  We recommend that you create at least two Patch Management policies: one for workstations and one for servers.

NOTE  Patch Management support for macOS devices is available via the ComStore component Install Updates with SUPER [MAC]. For more information, refer to macOS Patch Management.

To ensure that a device only receives updates that you have approved, we recommend that you do the following:

1. Target the device with a Windows Update policy and select Turn off automatic updates in the Update options section.
2. Target the device with a Patch Management policy as well and specify the patches you want to approve.

To create a Patch Management policy, refer to Schedule, Power, and Approval.

To learn how to override global policies for a specific site, refer to Overriding a global Patch Management policy at the site level.

NOTE  While multiple Patch Management policies can target the same device or group of devices to support different scheduling needs, it is important that the patch approval criteria remain consistent across all policies, otherwise it can lead to undesirable behavior regarding approved patch statuses and installation on individual devices.

Schedule

Select one of the following options:

• Schedule: Selected by default. When configuring the policy, the calendar view in the Schedule > Recurrence section provides a visual indicator of when the Patch Management policy will run according to the selected schedule. The policy will run at the local time zone of the targeted devices.

NOTE  Only Patch Management policies will always use the local time zone of the targeted device. All other scheduled tasks use the time zone defined in Account Settings by default.

NOTE  Time zones will be taken into account at run times. For example, if the policy is set to run at midnight and it is applied to two devices in different time zones, one UTC and one PST, then the policy will run at midnight UTC on the UTC device and at midnight PST on the PST device. The policy cannot be scheduled to run at a time that has already passed in all time zones.

• Audit only: Select this option to use the policy for audit purposes only. This will allow you to see missing patches on your devices without the ability to (unintentionally) run the policy on them.

Power

Select any of the following options:

Option	Description
Wake devices for scheduled updates	Select this option to wake the targeted devices before the policy is due to start. You must have a Network Node device in the same site as your targeted devices to use this feature. (Local Caches can also be nominated as Network Nodes.) If multiple Network Nodes are nominated, all will send requests. Be aware that Wake-on-LAN must be enabled in BIOS/EFI and it typically only works for laptops when they have an active mains connection. For more information, refer to the Network Node field in the Summary card. NOTE  Network Nodes will receive Patch Management policy definitions which have the option enabled to wake devices before patching if the devices targeted by the policy are in the same site as the Network Node. This will not be shown in the web interface but will be evident in log files. IMPORTANT  With the 10.0.0 release, the local cache functionality has been deprecated as part of Datto's continued commitment to security. References to the local cache remain in the UI at present, but will be removed in the future.
Shut down	Shuts down the targeted devices after installing the updates.
Restart	Restarts the targeted devices, if required, after installing the updates. When this option is selected, the following additional option will become available: • Allow devices to start if a USB mass storage device is connected NOTE  Leave the Allow devices to start if a USB mass storage device is connected option unchecked if you want to prevent servers from rebooting into a LiveUSB.
Do not restart	Selected by default. Does not restart the targeted devices after installing the updates. When this option is selected, the following additional option will become available: • Display a restart reminder to users: From the drop-down list, specify how often a reminder should be displayed (every hour, every 2-6 hours, every 12 hours, every day, or every 2 days). The reminder will be displayed on the screen until the user dismisses it. The user has the option to dismiss the reminder indefinitely. The following screenshot displays what the user will see on their device by default, but you can customize the dialog box in the Agent section on the Branding page. When the Display a restart reminder to users option is selected, the following additional option will become available: • Allow users to postpone restarting, after which time reminders will persist: Specify the number of times users are allowed to postpone restarting the targeted devices (maximum value: 99). Once a user has reached the maximum number of permitted dismissals, the reminder will persist on the screen and the Postpone button will become inactive.

Approval

You can configure the following options:

• Approve patches that match the following criteria: Allows you to configure filters to automatically approve patches. Refer to Patch filter criteria.
  These filters can be overridden by the Do not approve patches that match the following criteria and the Manual approval options below.
• Do not approve patches that match the following criteria: Allows you to configure filters to automatically deny patches. Refer to Patch filter criteria.
  These filters take precedence over your approval filters above. For example, configurations such as “Approve critical security patches but do not approve critical security patches with ‘Defender’ in the title” are entirely possible.
  
  These filters can be overridden by the Manual approval option below.
• Manual approval: Allows you to configure individual patches regardless of any previous filters. Refer to Manual approval.

Patch filter criteria

The Approve patches that match the following criteria and Do not approve patches that match the following criteria sections can be configured based on the following filter criteria:

Criterion	Restriction	Value
All	Not applicable.Selecting the All criterion will include all patches.
Category	Select one of the following options: • contains • does not contain • is empty • is not empty • begins with • does not begin with • ends with • does not end with	If applicable, select one of the following options: • Applications: Releases relating to specific applications that receive updates via Windows Update. • Connectors: Software that helps establish links between endpoints and a server running Windows Server software. • Critical updates: Non-security-related updates that help maintain the operation of a system. • Definition updates: Updates for Windows Defender malware definitions. These are disabled when the endpoint is using alternative antivirus software. • Drivers: Driver updates to ensure Windows can communicate properly with the hardware connected to it. • Feature packs: Packs designed to unify the functionalities of Windows versions outside of full service pack releases. • Security updates: Updates that help maintain the security and safety of a system. These should be installed as soon as possible. • Service packs: A collection of individual updates for issues reported both internally and from Microsoft customers. • Tools: Utilities or features that help to complete a task or a set of tasks. • Update rollups: A collection of individual updates designed to target a specific element of Windows (for example, security). • Updates: Updates that are neither critical nor security related, but which deliver a fix for a reported issue. • Upgrades: Windows feature updates. NOTE  When using the does not contain criterion in the Restriction column, the is empty criterion is implicitly included. Refer to A note on the "does not contain" criterion.
Description	Select one of the following options: • contains • does not contain • is empty • is not empty • begins with • does not begin with • ends with • does not end with	If applicable, enter a value. You can use the % symbol as a wildcard character. All searches are case-insensitive. NOTE  When using the does not contain criterion in the Restriction column, the is empty criterion is implicitly included. Refer to A note on the "does not contain" criterion.
Max Size	Select one of the following options: • less than • less or equal to • equal to • greater or equal to • greater than • between	Enter a value. Use G (gigabytes), M (megabytes), K (kilobytes), or exact number for bytes. For example: 4G, 21M, 4K, or 435. For the between option, enter a minimum and a maximum value. NOTE  You can enter whole and decimal numbers and the byte unit can be lower or upper case (for example, 4G or 3.5g). Decimal numbers without any byte unit will be rounded down to the nearest whole number and treated as bytes (for example, 1.5 will be treated as 1 byte).
KB Article	Select one of the following options: • contains • does not contain • is empty • is not empty • begins with • does not begin with • ends with • does not end with	If applicable, enter a value. You can use the % symbol as a wildcard character. All searches are case-insensitive. NOTE  A KB number is a Microsoft Knowledge Base article number that is associated with the patch. NOTE  When using the does not contain criterion in the Restriction column, the is empty criterion is implicitly included. Refer to A note on the "does not contain" criterion.
Severity	Select one of the following options: • less than • less or equal to • equal to • greater or equal to • greater than • between	Select one of the following options: • Critical • Important • Moderate • Low • Unspecified NOTE  Severity refers to Microsoft Security Response Center (MSRC) severity as specified in Microsoft Security Bulletins. Datto RMM Patch Management policies reference Security Bulletin classifications, not the severity specified by Windows Update. Refer to About Microsoft Update classifications.
Require Reboot	Select one of the following options: • less than • less or equal to • equal to • greater or equal to • greater than • between	Select one of the following options: • Never reboot • Always requires reboot • Can request reboot For the between option in the Restriction column, select two values. NOTE  This filter allows you to avoid installing updates that require a reboot during business hours.
Release date	Select one of the following options: • before • after • older than 7 days • older than 14 days • older than 30 days • older than 60 days • older than 90 days	If applicable, select a date from the calendar.
Request user input	Not applicable.	Select one of the following options: • Yes • No NOTE  If you filter for patches that require user input, schedule them to install during business hours.
Title	Select one of the following options: • contains • does not contain • is empty • is not empty • begins with • does not begin with • ends with • does not end with	If applicable, enter a value. You can use the % symbol as a wildcard character. All searches are case-insensitive. NOTE  When using the does not contain criterion in the Restriction column, the is empty criterion is implicitly included. Refer to A note on the "does not contain" criterion.
Type	Not applicable.	Select one of the following options: • Software • Driver

Adding multiple criteria

1. Configure a patch filter criterion.
2. Click the plus icon below the configured criterion.
   
3. Select the AND or OR operator and configure another criterion.
   

NOTE  If both conditions must be true for the patch to be included in the search results, select AND. If either one must be true, select OR.

4. When you add additional criteria, you cannot combine AND and OR. The selection you made first is repeated for any subsequent criterion.
   

Adding sub-criteria

1. Configure a patch filter criterion.
2. Click the plus icon next to the configured criterion.
   
3. Select the AND or OR operator and configure another criterion.
   
4. When you add additional criteria, you cannot combine AND and OR. The selection you made first is repeated for any subsequent criterion.
   

NOTE  Standard SQL dictates that positive sub-criterion queries (for example, "Title contains 1", "Title contains 2", "Title contains 3") need to be grouped with OR. For example, "Title contains 1 OR 2 OR 3" will return patches whose title contains either 1 or 2 or 3.
Negative sub-criterion queries (for example, "Title does not contain 1", "Title does not contain 2", "Title does not contain 3") need to be grouped with AND. For example, "Title does not contain 1 AND 2 AND 3" will only return patches whose title contains neither 1 nor 2 or 3.

Removing one or more criteria

To remove any of the criteria, click the minus icon below or next to the criterion. To remove all criteria in either the Approve patches that match the following criteria or the Do not approve patches that match the following criteria section, click the Reset button.

Manual approval

This section allows you to configure individual patches regardless of any previous filters configured in the Approval section (Approve patches that match the following criteria and Do not approve patches that match the following criteria). Refer to Approval. The patches listed in this table for manual approval will not change based on filters configured in the Approval section. This section is designed to allow you to manually approve any patches that may not meet the criteria for any of the filters configured in the Approval section.

When editing a Patch Management policy, this section displays the following lists:

• Available: Lists all patches available for install, collected from the audit data of all of the devices in the account. You can approve or deny patches.
• Approved: Lists all patches that have been approved through the Available list. You can move patches back to the Available list or deny them.
• Not approved: Lists all patches that have been denied through the Available or the Approved list. You can move patches back to the Available list or approve them.

The table displays the following information when creating or editing a Patch Management policy:

Field	Sortable?	Description
Title		The title of the patch. To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
Release Date		Displays when the patch was released.
Severity		Displays the priority of the patch as specified in Microsoft Security Bulletins. Refer to About Microsoft Update classifications. Click the filter icon and click Critical, Important, Moderate, Low, or Unspecified to filter by the priority of the patch.
Max Size		Displays the size of the patch.
Require Reboot		Displays if a reboot is required after the patch installation. Click the filter icon and click Yes or No. To see the full list of patches, click All.
Require User Input		Displays if user input is required during the patch installation. Click the filter icon and click Yes or No. To see the full list of patches, click All.
KB Article		Displays a Microsoft Knowledge Base article number that is associated with the patch. Click the number to open the associated article in a new tab. To narrow the list, click the filter icon , enter all or part of an article number, and click Apply. To see the full list, click Reset.
Manual Override		Displays the individual override status of the patch. If the patch approval has been overridden at the device level, this field shows Yes. Otherwise, this field shows No.

The table density is set to condensed theme by default. To change it to relaxed theme, click the density toggle icon. The selection will persist across all pages.

The number of results displayed can be specified by selecting the desired number from the pagination control. This selection will persist the next time the page is accessed.

Action buttons

The action buttons are unavailable if no row is selected or if the action is not applicable to the selected rows. The check boxes allow you to select one or more rows. Select all rows shown on the page by selecting the check box in the table header. To access all action buttons, click the Row Actions icon. The table below lists all available action buttons.

Action Button	Description
Approve	Approves the patch and moves it to the Approved list from either the Available or the Not approved list.
Do Not Approve	Denies the patch and moves it to the Not approved list from either the Available or the Approved list.
Make Available	Moves the patch back to the Available list from either the Approved or the Not approved list.
Export All (Max. 500) Rows to CSV	This action button is available only if all rows have been selected across all pages in the table. In the confirmation dialog box that appears, click Confirm to download the file or Cancel to close out of the dialog box. Pop-up notifications will inform you of the start and completion of the CSV export action. Click the X to close the notification; otherwise, the notification will automatically be cleared after five minutes. Any column selections, filters, and sorting that have been applied to the table will also be applied in the CSV file.
Uncheck All	Clears all selected rows. The number of selected rows is indicated next to the Row Actions icon.

Overriding a global Patch Management policy at the site level

Global Patch Management policies can be overridden at the site level to change only the most necessary settings of the policy for a smaller subset of devices without modifying the global policy.

1. Navigate to the list of policies. Refer to List of policies.
2. Select the check box next to the global Patch Management policy and click Override. Refer to Override. The edit page will open.
   Alternatively, click the name of the global Patch Management policy to open the edit page, and click Override on the edit page.
   Refer to Editing a policy.
3. In the Scope section, specify the site for which you want to override the policy. Refer to Scope.
4. Click the Override toggle in the Schedule and Power sections and the Add rules toggle in the Approval section to modify the policy details as necessary. Refer to Schedule, Power, and Approval.
   

Patching at the device level

Using the Patch Now action button, you can patch one or multiple devices outside of the schedule configured in a Patch Management policy. Refer to Patch Now on the device summary page and Patch Now in device lists.

About Software Management

For general information about Software Management in Datto RMM, including the supported applications and operating systems, security level permissions, Software Management status, software compliance reporting, and more, refer to Software Management.

If Advanced Software Management is active for the Datto RMM account, an Advanced Software section is available for configuration in a Software Management policy. While Datto RMM's standard Software Management functionality updates key applications, the Advanced Software Management module integrates an expanded library of software applications and enables both installation and uninstallation via a Software Management policy. Refer to Advanced Software.

For an overview of Advanced Software Management, refer to Advanced Software Management.

Default Software Management policy

All new accounts are provisioned with a default Software Management policy that can be found in Policies > Software Management > Default Software Management Policy. It is configured the following way:

Field	Description
Name	Default Software Management Policy
Scope	Global
Type	Software Management
Timing	Immediately On Detection
Managed Applications	All Actions are set to Unmanaged.
Targets	• Default Device Filter: All Desktop O/S • Default Device Filter: All Server O/S
Enabled	Enabled
Disable Sites	All sites are enabled.
Disable Devices	All devices are enabled.

You can create another Software Management policy or modify the default one by following the steps below.

A Software Management policy allows you to configure third-party software application updates and define when those updates should be installed.

Once a policy is configured, you can create a Software Management Status widget to have an overview of the software compliance status of your devices. Refer to Software Management Status.

You can also use the Software Management pages at the global and site levels and the Software card at the device level. Refer to Software Management.

IMPORTANT  Multiple global (account-level) and site-level Software Management policies can be enabled at a time, but only one Software Management policy can be enabled per device at a time. If an additional Software Management policy is configured to target a device that already has a Software Management policy enabled, the additional policy will be automatically disabled at the device level. You can change the Software Management policy enabled on a device in the Software card on the Device summary page.

NOTE  The third-party software applications you want to manage through a Software Management policy do not have to be downloaded from the ComStore. A Software Management policy can be configured independently of what's already present in your Component Library.

To create a Software Management policy, configure the following settings:

Timing

Select one of the following options:

• Immediately On Detection: An application update will be installed as soon as the Agent detects that an update is ready.
• Schedule: The Agent only checks for and installs software updates on a scheduled basis. The calendar view in the Schedule > Recurrence section provides a visual indicator of when software updates will occur according to the selected schedule. The policy will run at the local time zone of the targeted devices.

NOTE  Time zones will be taken into account at run times. For example, if the policy is set to run at midnight and it is applied to two devices in different time zones, one UTC and one PST, then the policy will run at midnight UTC on the UTC device and at midnight PST on the PST device. The policy cannot be scheduled to run at a time that has already passed in all time zones.

Software

NOTE  For a list of applications supported through standard Software Management, refer to Supported software applications and operating systems. If using Advanced Software Management, refer to Advanced Software Management application catalog for the expanded list of available applications.

In the Action column, select the installation/update behavior to apply to each application. To apply the same action to all added applications, select the action from the Apply to all rows drop-down menu.

Advanced Software

BEFORE YOU BEGIN  To unlock this section, Advanced Software Management must be activated for the Datto RMM account. Refer to Advanced Software Management and Add Advanced Software Management licenses.

If Advanced Software Management is active for the Datto RMM account and the Advanced Software section appears in the policy, the configuration is affected as follows:
• All available standard software applications are visible and can continue to be managed through standard Software Management via the Software section. Refer to the preceding section in this topic (Software).
• If an application in the Software section is set to any action other than Unmanaged, and you subsequently add that application to the Advanced Software section, the matching application in the Software section will be automatically reset to Unmanaged. As a result, that application will be managed through Advanced Software Management.
• If matching applications are added to both the Software section and Advanced Software section, and you subsequently change the action for that application to anything other than Unmanaged in the Software section, the matching application in the Advanced Software section will be automatically removed. As a result, that application will be managed through standard Software Management.
• By design, it is not possible to manage an application through both standard Software Management and Advanced Software Management in a single policy.
• Whether Advanced Software Management is active or inactive, existing policies will continue to work as originally configured.

Click Add Software to open the list of available software on the right side of the page.

NOTE  For information about these applications and the tier-based software update system, refer to Advanced Software Management application catalog.

Click Add next to each application you wish to manage through this policy.

If you add an application to the Advanced Software section that already exists in the standard Software section, the application will be automatically removed from the Software section, as it will be managed through Advanced Software Management.

NOTE  Advanced Software Management supports only Windows devices. If any macOS devices are targeted in the policy, applications in the standard Software section that can be managed on macOS will be used for the macOS devices, even if those applications are also added to the Advanced Software section. The advanced software will be used for any targeted Windows devices. The advanced software will be displayed on the Software Management page and in the Software card on the device summary page. The action selected in the Advanced Software section is applied, but the Uninstall action is not supported for macOS devices, as the standard software applications are used for macOS.

NOTE  If a software application that supports only 32-bit architecture systems is added, Advanced Software Management will skip scanning targeted 64-bit systems.

To remove an advanced application you do not wish to manage through this policy, click the delete icon . To add more applications, click Add Software.

In the Action column, select the installation/uninstallation/update behavior to apply to each application. To apply the same action to all added applications, select the action from the Apply to all rows drop-down menu.

When Windows Update is enabled on a device, you allow Microsoft to take control of update installations. A Windows Update policy in Datto RMM allows you not only to manage the settings of Windows Update but also to control the installation of updates.

NOTE  The Windows Update service gets restarted when a Windows Update policy is running. However, if patches are being installed via a Patch Management policy at the same time, the Windows Update service will not be restarted, and this will be noted in the Agent logs. If an audit is in progress while a Windows Update policy is running, the Windows Update service will wait for the audit to finish before restarting. This occurs in incremental periods (30, 60, 90, 120, 150, and 180 seconds; that is, a total of 10.5 minutes). If the audit does not complete within this period, the Windows Update service will not be restarted, and this will be noted in the Agent logs. The Windows Update service will be restarted at the next Windows Update policy run time, and all recent changes will then be applied to the targeted devices.

NOTE  Patch Management support for macOS devices is available via the ComStore component Install Updates with SUPER [MAC]. For more information, refer to macOS Patch Management.

For step-by-step recommendations, refer to Step 1: Configuring a Windows Update policy in Best practices for Patch Management.

Update options

Select one of the following options:

Disabling Windows updates

To ensure that a device only receives updates that you have approved, we recommend that you do the following:

1. Target the device with a Windows Update policy and select Turn off automatic updates in the Update options section.
2. Target the device with a Patch Management policy as well and specify the patches you want to approve. Refer to Patch Management policy.

IMPORTANT  Windows updates cannot be disabled on devices running Windows 10 build 1909 and below; however, you can configure various aspects of the updates. Refer to Windows as a service (Windows 10 / Server 2016 or above).
For more information about Windows as a service and Datto RMM Patch Management, refer to Patch Management and Windows as a service.

Universal (all Windows versions)

These settings apply to all Windows versions. The screenshot below shows the default settings.

Select any of the following options:

Windows as a service (Windows 10 / Server 2016 or above)

These settings apply to devices adopting the Windows as a service model (for example, Windows 10). The screenshot below shows the default settings.

Select any of the following options:

Option	Description
Configure active hours	When this option is selected, you can specify when active hours should start (00:00-23:00 hours) and for how long they should last (1-18 hours).
Configure update channel	When this option is selected, device telemetry will be enabled and the following additional options will become available: • Semi-Annual Channel (Targeted): Updates are received immediately following general release. • Semi-Annual Channel: Selected by default. Updates are received later, after receiving community feedback. When the Semi-Annual Channel option is selected, the following additional options will become available: • Defer feature updates • Defer quality updates When any of the deferral options is selected, the following additional options will become available: • Defer for the maximum possible time • Defer for a time as close as possible to (0-365) days. This option is selected by default. NOTE  If you choose the Defer for a time as close as possible to (0-365) days option, Datto RMM will defer to what the device's Windows version permits. Different versions of Windows have different maximum values. For example, if you enter 35 days but the device's Windows version only supports 28, the update will be deferred to 28 days. NOTE  Security Updates fall under quality updates.
Allow devices to share updates within the local network	Selected by default. Peer sharing can significantly reduce the amount of bandwith consumed for downloading updates. When this option is selected, the following additional option will become available: • Allow devices to share updates outside of the local network
Disable Windows Fast Startup to allow update installation on shutdown as well as reboot	Selected by default. When this option is selected, updates will be installed on both shutdown and reboot (instead of only on reboot).

Legacy (Windows 7 / Server 2008 R2 or below)

This section is only available if one of the following options has been selected in the Update options section above:

• Automatically detect recommended updates for my computer and install them
• Download updates for me, but let me choose when to install them
• Notify me of updates, but do not automatically install them

The screenshot below shows the default settings.

Option	Description
Install new updates	Select on which day and at what time you want to install the updates.
Include recommended with important updates	When this option is selected, recommended updates will be included together with important updates.
Allow non-administrators to receive update notifications	Selected by default. When this option is selected, non-administrator users will receive update notifications.
Do not auto-restart while users are logged on	Selected by default. When this option is selected, automatic updates will wait for the device to be restarted by any user who is logged on, instead of causing the device to restart automatically. When this option is disabled, the logged-on user will be notified that the device will automatically restart in 5 minutes to complete the scheduled installations.
Re-prompt for restart	When this option is selected, you can configure when a new prompt notifying of a restart for scheduled installations should appear after the previous prompt for restart was postponed. Specify the interval by selecting the number of hours (0-24 hours) and minutes (1-59 minutes) from the drop-down lists. The maximum interval can be 24 hours. When this option is disabled, the default interval is 10 minutes.
Delay restart	When this option is selected, you can configure for how long a restart for scheduled installations should be delayed. Specify the interval by selecting the number of minutes from the drop-down list (1-30 minutes). When this option is disabled, the default interval is 15 minutes.