Policies

An Agent policy deploys settings to affect the operation and configuration of the Datto RMM Agent. An Agent policy may affect Privacy Mode, Agent installation and service, security, and the Agent Browser mode. For information about the Agent, refer to Datto RMM Agent.

Privacy mode options

Select any of the following options:

Option	Description
Activate Privacy Mode on devices	Automatically turns on Privacy Mode for all devices targeted by the policy and will require end-user permission when connecting to a targeted device. Once Privacy Mode is enabled on a device, the Datto RMM Administrator cannot disable this setting. Privacy Mode can only be disabled by the end user on the device itself. For further information, refer to Privacy Mode.
Allow connections to the device when no user is logged in	Allows you to connect to a device when no user is logged in but Privacy Mode is enabled on the device. NOTE  This setting will apply to all remote connections.
Only require permission from the device when connecting with Restricted Tools	Allows you to configure Privacy Mode in a way that end user permission is only required when the following restricted tools are used: VNC, RDP, Splashtop, Screenshot, or Web Remote. NOTE  The Web Remote restriction applies only to remote takeover sessions and does not apply to PowerShell sessions.

Service options

Select any of the following options:

Option	Description
Install the Agent as Service-only, preventing the application displaying in the System Tray or Start menu for Windows devices	No system tray icon or Start menu shortcuts will be installed. It is only available for Windows devices. Hiding the Datto RMM Agent icon in the system tray may be useful if you do not want your end users to access all of the options it offers (for example, the option to create a ticket), or because you want to prevent end users from stopping the Agent or turning on Privacy Mode. When this option is selected, the gui.exe process (Agent Browser) will not start on the targeted devices, and the following features will not be available: Remote takeover toaster notifications. If the targeted device is using Privacy Mode, the end user will be unable to authorize remote takeover requests. Patch reboot toaster notifications Prompts to authorize the execution of jobs Chat Screenshot IMPORTANT  Selecting this option will not close the gui.exe process if it is already running. The targeted device needs to be restarted in order for the gui.exe process to not start on boot. NOTE  If this option is selected, then jobs set to Run as a logged-in user will not work, as they rely on the agent browser interface (gui.exe) being active.
Prevent the Agent from running Jobs	Prevents the Agent from running jobs. NOTE  Even if this option is selected, components enabled as User Tasks can still be installed. Refer to User Tasks.
Prevent remote access from another device	Prevents remote access to the targeted device when initiated from Datto RMM. NOTE  Remote options for the targeted device will be visible on the device summary page and on device list pages but no remote request will be processed.
Prevent the Agent from submitting audits to the platform	Prevents the Agent from submitting audits to the platform.

User actions

Select any of the following options:

Option	Description
Remove user access to the Privacy Mode options	Removes access to Privacy Mode Options from the system tray icon. NOTE  You cannot disable Privacy Mode in the Agent using this setting if Privacy Mode has already been activated. Once Privacy Mode is enabled on a device, it can only be disabled by the end user. For further information, refer to Privacy Mode.
Remove user access to the Settings menu	Disables the following features: Access to the Settings menu from the system tray. Refer to Settings. The ability to edit the device description from the system tray. Refer to Device description.
Remove user access to the Quit option	Removes the option for the user to exit the Agent.
Prevent users from creating tickets from the Agent Browser tickets tab	Removes the option for the user to log a ticket through the Agent.
Allow users to select ‘Take screenshot and request support’ from the menu	This option is only available if an integration with a PSA is enabled. When this option is selected, the Take screenshot and request support menu entry is added to the Agent. For more information about Autotask, refer to Autotask Integration. For more information about ConnectWise PSA, refer to ConnectWise PSA Integration.
Allow users to select ‘Request support’ from the menu	This option is only available if an integration with a PSA is enabled. When this option is selected, the Request support menu entry is added to the Agent. For more information about Autotask, refer to Autotask Integration. For more information about ConnectWise PSA, refer to ConnectWise PSA Integration.

Agent Browser mode

Select one of the following options from the drop-down list:

Option	Description
Disabled	Prevents any access to the Agent Browser window.
User - no access to support tab	Allows the user to open the Agent Browser window but prevents them from logging in. For more information, refer to Log in to the Agent Browser.
Admin - can log in to support tab	Allows full access to the Agent Browser window. This option is selected by default. Refer to Agent Browser.

To learn about the Endpoint Security features in Datto RMM, refer to Endpoint Security overview.

An Endpoint Security policy allows you to keep your devices secure and respond to active threats by configuring and deploying various endpoint security technologies through one centralized policy. The three available configurations are turned off by default. Turn on the toggles to enable the configurations, and click to expand any of the tiles to view or modify the settings.

IMPORTANT  A warning will be displayed if both the Datto Endpoint Security and Ransomware Detection toggles are turned on, if both the Datto Endpoint Security and Managed Windows Defender Antivirus toggles are turned on, or if all three toggles are turned on. This warning advises against enabling Datto Endpoint Security in conjunction with the other available security policy configurations. Adhering to this warning will prevent configuration conflicts that may lead to security gaps, unexpected statuses and alerts, and unanticipated billing requirements for standalone Ransomware Detection. We recommend exclusively enabling Datto Endpoint Security for optimal performance.

NOTE  To be able to save the policy, at least one of the endpoint security configurations must be enabled.

NOTE  A device should be targeted by only one Endpoint Security policy. If multiple Endpoint Security policies target the device, the Datto RMM Agent will continue to use the policy that was deployed first. If that policy is then disabled, the Datto RMM Agent will use the next active (enabled) policy targeting the device.

NOTE  A widget displaying the number of devices in each of your sites that do not have certain security features configured is available in the Widget Library. Refer to Security Threats.

An ESXi policy allows you to apply one or more monitors to multiple ESXi devices to monitor their performance, datastore, temperature, and hardware status.

1. In the Monitors section, click Add Monitor.

2. In the Monitor Type section, click Select.
3. In the Select a Monitor pane, use the search bar to search for a monitor type or scroll down in the list. Click Select to specify the monitor type.
   
4. Once the monitor type has been selected, you can configure the monitor criteria. To choose a different monitor type, click Change Monitor Type and modify your selection.

5. Configure the monitor criteria. For information on all available monitor types, refer to Alert details per monitor type and Response details.
6. Once you have configured the monitor details, click Add Monitor.
7. To add further monitors to the policy, repeat the steps above. To review the details of a monitor, click its description. Refer to Viewing monitor details. To delete a monitor, click the delete icon .
   

A Maintenance policy allows you to pause monitoring while doing scheduled maintenance work on your devices. Pausing monitoring lets you prevent false alerts, for example, during a backup.

During a maintenance window, the following actions will be taken if an alert condition is met:

• Monitors will be able to raise alerts; however, these alerts will not be listed as open alerts. You can only view them when selecting All from the Status column in a list of alerts. Refer to Alerts. Alerts raised by webhooks will also be suppressed.
• Monitors will not create tickets or send email notifications; however, response components will be executed as normal.
• If the alert condition is still in effect when the maintenance window ends, the alert created during the maintenance window will become active and be listed under Open Alerts. Tickets and email notifications will be created and sent from this alert.

When configuring the policy, the calendar view in the Schedule > Recurrence section provides a visual indicator of when the maintenance window will occur according to the selected schedule.

Field	Option	Description
Recurrence	At selected date and time	The policy will run once on the date and at the time specified in the Start date and execution time section.
	Daily	The policy will run every day starting from the date and time specified in the Start date and execution time section.
	Weekly	The policy will run every week starting from the date and time specified in the Start date and execution time section. In the This Policy will run on these days section, select the days on which the policy should run. Clicking a second time will clear the selected day.
	Monthly	The policy will run in the selected months starting from the date and time specified in the Start date and execution time section. In the This Policy will run in these months section, select the months in which the policy should run. Clicking a second time will clear the selected month. In the On these days section, enter the days of the month (1-31) on which the policy should run, separating each day by a comma (for example: 1, 2, 3-7), and click Add. Once added, the days will be listed below this field and can be removed by clicking the X next to the day you wish to remove.
	Monthly day of week	The policy will run in the selected months on the specified occurrence of the selected days of the week starting from the date and time specified in the Start date and execution time section. Clicking a second time will clear the selected option.
Duration	Hour/minutes	Specify the duration of the maintenance window (0-24 hours, 0-59 minutes).

Once a device has been placed into maintenance mode, an icon is displayed next to the device name at the top of the device summary page. For more information, refer to Maintenance mode status indicator.

NOTE  You can create a maintenance mode widget to see all devices currently in maintenance. Refer to Devices Under Maintenance.

A few things to note

• Changes made to a Maintenance policy while it is running or within 15 minutes of the start of a maintenance window will only take effect at the next run. For example, if you are creating a new Maintenance policy with a daily schedule, and the start date and execution time is set to 10 minutes from now, the first run time will only occur on the following day.
• You can end a scheduled maintenance mode window by updating the associated Maintenance policy so that it no longer targets the device. Refer to Editing a policy.
• You can also end a maintenance mode window on the device summary page or on a device list page. Refer to Ending a maintenance mode window.

A Monitoring policy allows you to apply one or more monitors to multiple devices.

1. In the Monitors section, click Add Monitor.

2. In the Monitor Type section, click Select.
3. In the Select a Monitor pane, use the search bar to search for a monitor type or scroll down in the list. Click Select to specify the monitor type.
   
4. Once the monitor type has been selected, you can configure the monitor criteria. To choose a different monitor type, click Change Monitor Type and modify your selection.

5. Configure the monitor criteria. For information on all available monitor types, refer to Alert details per monitor type and Response details.
6. Once you have configured the monitor details, click Add Monitor.
7. To add further monitors to the policy, repeat the steps above. To review the details of a monitor, click its description. Refer to Viewing monitor details. To delete a monitor, click the delete icon .
   

NOTE  Datto also offers best practice Monitoring policies. For more information, refer to Download a ComStore policy.

With a Patch Management policy, you are pre-approving patches to be installed on your Windows devices on an ongoing basis as per the conditions you define. A Patch Management policy can not only manage the patches made available in Windows Update, but it also gives you more control, lowers your workload, and increases the security of your devices.

You can set up a global or site-level policy that can target multiple devices. You can define conditions such as the patch window and patch approval rules. You can also create a Patch Management policy for audit purposes only, and apply site-level overriding of global policy options.

IMPORTANT  Only Windows Managed Agents support Patch Management. Refer to Managed and OnDemand Agents.

TIP  We recommend that you create at least two Patch Management policies: one for workstations and one for servers.

NOTE  Patch Management support for macOS devices is available via the ComStore component Install Updates with SUPER [MAC]. For more information, refer to macOS Patch Management.

To ensure that a device only receives updates that you have approved, we recommend that you do the following:

1. Target the device with a Windows Update policy and select Turn off automatic updates in the Update options section.
2. Target the device with a Patch Management policy as well and specify the patches you want to approve.

To create a Patch Management policy, refer to Schedule, Power, and Approval.

To learn how to override global policies for a specific site, refer to Overriding a global Patch Management policy at the site level.

NOTE  While multiple Patch Management policies can target the same device or group of devices to support different scheduling needs, it is important that the patch approval criteria remain consistent across all policies, otherwise it can lead to undesirable behavior regarding approved patch statuses and installation on individual devices.

Schedule

Select one of the following options:

• Schedule: Selected by default. When configuring the policy, the calendar view in the Schedule > Recurrence section provides a visual indicator of when the Patch Management policy will run according to the selected schedule. The policy will run at the local time zone of the targeted devices.

NOTE  Only Patch Management policies will always use the local time zone of the targeted device. All other scheduled tasks use the time zone defined in Account Settings by default.

Field	Option	Description
Recurrence	At selected date and time	The policy will run once on the date and at the time specified in the Start date and execution time section.
	Daily	The policy will run every day starting from the date and time specified in the Start date and execution time section.
	Weekly	The policy will run every week starting from the date and time specified in the Start date and execution time section. In the This Policy will run on these days section, select the days on which the policy should run. Clicking a second time will clear the selected day.
	Monthly	The policy will run in the selected months starting from the date and time specified in the Start date and execution time section. In the This Policy will run in these months section, select the months in which the policy should run. Clicking a second time will clear the selected month. In the On these days section, enter the days of the month (1-31) on which the policy should run, separating each day by a comma (for example: 1, 2, 3-7), and click Add. Once added, the days will be listed below this field and can be removed by clicking the X next to the day you wish to remove.
	Monthly day of week	The policy will run in the selected months on the specified occurrence of the selected days of the week starting from the date and time specified in the Start date and execution time section. Clicking a second time will clear the selected option.
Install updates for	1-24 hours	Specify the duration of the policy (1-24 hours). If this time window is overrun, the targeted device will stop installing patches once the ongoing operation has completed. EXAMPLE  If patches 1-10 should be installed on a device but the set time limit is reached while the installation of patch 6 is still in progress, patch 6 will be installed on the device but patch 7 will not. Patch 7 will resume during the next scheduled policy run.
Monitoring Maintenance Window	Turn on the toggle to enable maintenance mode on targeted devices for the duration of the patch window, or when the device finishes patching, whichever comes first. Enabling this will suppress unnecessary alert generation and creation of tickets during this time. For an explanation of monitoring maintenance mode windows, refer to Create a Maintenance Mode Window in Device summary.

NOTE  Time zones will be taken into account at run times. For example, if the policy is set to run at midnight and it is applied to two devices in different time zones, one UTC and one PST, then the policy will run at midnight UTC on the UTC device and at midnight PST on the PST device. The policy cannot be scheduled to run at a time that has already passed in all time zones.

• Audit only: Select this option to use the policy for audit purposes only. This will allow you to see missing patches on your devices without the ability to (unintentionally) run the policy on them.

Power

Select any of the following options:

Option	Description
Wake devices for scheduled updates	Select this option to wake the targeted devices before the policy is due to start. You must have a Network Node device in the same site as your targeted devices to use this feature. (Local Caches can also be nominated as Network Nodes.) If multiple Network Nodes are nominated, all will send requests. Be aware that Wake-on-LAN must be enabled in BIOS/EFI and it typically only works for laptops when they have an active mains connection. For more information, refer to the Network Node field in the Summary card. NOTE  Network Nodes will receive Patch Management policy definitions which have the option enabled to wake devices before patching if the devices targeted by the policy are in the same site as the Network Node. This will not be shown in the web interface but will be evident in log files. IMPORTANT  With the 10.0.0 release, the local cache functionality has been deprecated as part of Datto's continued commitment to security. References to the local cache remain in the UI at present, but will be removed in the future.
Shut down	Shuts down the targeted devices after installing the updates.
Restart	Restarts the targeted devices, if required, after installing the updates. When this option is selected, the following additional option will become available: Allow devices to start if a USB mass storage device is connected NOTE  Leave the Allow devices to start if a USB mass storage device is connected option unchecked if you want to prevent servers from rebooting into a LiveUSB. NOTE  Selecting Restart may reboot targeted devices multiple times in a patch window, as some patches will require a reboot before continuing further updates.
Do not restart	Selected by default. Does not restart the targeted devices after installing the updates. When this option is selected, the following additional option will become available: Display a restart reminder to users: From the drop-down list, specify how often a reminder should be displayed (every hour, every 2-6 hours, every 12 hours, every day, or every 2 days). The reminder will be displayed on the screen until the user dismisses it. The user has the option to dismiss the reminder indefinitely. The following screenshot displays what the user will see on their device by default, but you can customize the dialog box in the Agent section on the Branding page. When the Display a restart reminder to users option is selected, the following additional option will become available: Allow users to postpone restarting, after which time reminders will persist: Specify the number of times users are allowed to postpone restarting the targeted devices (maximum value: 99). Once a user has reached the maximum number of permitted dismissals, the reminder will persist on the screen and the Postpone button will become inactive.

Approval

You can configure the following options:

• Approve patches that match the following criteria: Allows you to configure filters to automatically approve patches. Refer to Patch filter criteria.
  These filters can be overridden by the Do not approve patches that match the following criteria and the Manual approval options below.
• Do not approve patches that match the following criteria: Allows you to configure filters to automatically deny patches. Refer to Patch filter criteria.
  These filters take precedence over your approval filters above. For example, configurations such as “Approve critical security patches but do not approve critical security patches with ‘Defender’ in the title” are entirely possible.
  
  These filters can be overridden by the Manual approval option below.
• Manual approval: Allows you to configure individual patches regardless of any previous filters. Refer to Manual approval.

Overriding a global Patch Management policy at the site level

Global Patch Management policies can be overridden at the site level to change only the most necessary settings of the policy for a smaller subset of devices without modifying the global policy.

1. Navigate to the list of policies. Refer to List of policies.
2. Select the check box next to the global Patch Management policy and click Override. Refer to Override. The edit page will open.
   Alternatively, click the name of the global Patch Management policy to open the edit page, and click Override on the edit page.
   Refer to Editing a policy.
3. In the Scope section, specify the site for which you want to override the policy. Refer to Scope.
4. To override a section of the policy, the Override toggle can be enabled in the Schedule and/or Power sections, and the Add rules toggle can be enabled in the Approval section, as needed. Refer to Schedule, Power, and Approval.
   

Patching at the device level

Using the Patch Now action button, you can patch one or multiple devices outside of the schedule configured in a Patch Management policy. Refer to Patch Now on the device summary page and Patch Now in device lists.

A Software Management policy allows you to configure third-party software application updates and define when those updates should be installed.

Once a policy is configured, you can create a Software Management Status widget to have an overview of the software compliance status of your devices. Refer to Software Management Status.

You can also use the Software Management pages at the global and site levels and the Software card at the device level. Refer to Software Management.

IMPORTANT  Multiple global (account-level) and site-level Software Management policies can be enabled at a time, but only one Software Management policy can be enabled per device at a time. If an additional Software Management policy is configured to target a device that already has a Software Management policy enabled, the additional policy will be automatically disabled at the device level. You can change the Software Management policy enabled on a device in the Software card on the Device summary page.

NOTE  The third-party software applications you want to manage through a Software Management policy do not have to be downloaded from the ComStore. A Software Management policy can be configured independently of what's already present in your Component Library.

To create a Software Management policy, configure the following settings:

Timing

Select one of the following options:

• Immediately On Detection: An application update will be installed as soon as the Agent detects that an update is ready after the device completes an audit.
• Schedule: The Agent only checks for and installs software updates on a scheduled basis. The calendar view in the Schedule > Recurrence section provides a visual indicator of when software updates will occur according to the selected schedule. The policy will run at the local time zone of the targeted devices.

Field	Option	Description
Recurrence	Daily	The policy will run every day starting from the date and time specified in the Start date and execution time section.
	Weekly	The policy will run every week starting from the date and time specified in the Start date and execution time section. In the This Policy will run on these days section, select the days on which the policy should run. Clicking a second time will clear the selected day.
Duration	Hour	Specify the duration of the policy (1-24 hours).

NOTE  Time zones will be taken into account at run times. For example, if the policy is set to run at midnight and it is applied to two devices in different time zones, one UTC and one PST, then the policy will run at midnight UTC on the UTC device and at midnight PST on the PST device. The policy cannot be scheduled to run at a time that has already passed in all time zones.

Software

NOTE  For a list of applications supported through standard Software Management, refer to Supported software applications and operating systems. If using Advanced Software Management, refer to Advanced Software Management application catalog for the expanded list of available applications.

In the Action column, select the installation/update behavior to apply to each application. To apply the same action to all added applications, select the action from the Apply to all rows drop-down menu.

Action	Description	Compliance Reporting
Unmanaged	Selected by default. The Agent will neither install nor update the application.	The application will always be considered compliant.
Manually approve	You must manually approve individual updates for this application as they become available. If the application is not already installed, it will not be installed.	The application is considered compliant either when it is absent or when it is installed and up to date.
Manually approve and install if not present	You must manually approve individual updates for this application as they become available. If the application is not installed, you must approve its installation.	The application is considered compliant only when it is both present and up to date.
Auto approve	The Agent will automatically update the application without requiring approval. If the application is not already installed, it will not be installed.	The application is considered compliant either when it is absent or when it is installed and up to date.
Auto approve and install if not present	The Agent will automatically update the application without requiring approval. If the application is not installed, it will be installed automatically.	The application is considered compliant only when it is both present and up to date.

Advanced Software

BEFORE YOU BEGIN  To unlock this section, Advanced Software Management must be activated for the Datto RMM account. Refer to Advanced Software Management and Add Advanced Software Management licenses.

If Advanced Software Management is active for the Datto RMM account and the Advanced Software section appears in the policy, the configuration is affected as follows:
• All available standard software applications are visible and can continue to be managed through standard Software Management via the Software section. Refer to the preceding section in this topic (Software).
• If an application in the Software section is set to any action other than Unmanaged, and you subsequently add that application to the Advanced Software section, the matching application in the Software section will be automatically reset to Unmanaged. As a result, that application will be managed through Advanced Software Management.
• If matching applications are added to both the Software section and Advanced Software section, and you subsequently change the action for that application to anything other than Unmanaged in the Software section, the matching application in the Advanced Software section will be automatically removed. As a result, that application will be managed through standard Software Management.
• By design, it is not possible to manage an application through both standard Software Management and Advanced Software Management in a single policy.
• Whether Advanced Software Management is active or inactive, existing policies will continue to work as originally configured.

Click Add Software to open the list of available software on the right side of the page.

NOTE  For information about these applications and the tier-based software update system, refer to Advanced Software Management application catalog.

Click Add next to each application you wish to manage through this policy.

If you add an application to the Advanced Software section that already exists in the standard Software section, the application will be automatically removed from the Software section, as it will be managed through Advanced Software Management.

NOTE  Advanced Software Management supports only Windows devices. If any macOS devices are targeted in the policy, applications in the standard Software section that can be managed on macOS will be used for the macOS devices, even if those applications are also added to the Advanced Software section. The advanced software will be used for any targeted Windows devices. The advanced software will be displayed on the Software Management page and in the Software card on the device summary page. The action selected in the Advanced Software section is applied, but the Uninstall action is not supported for macOS devices, as the standard software applications are used for macOS.

NOTE  If a software application that supports only 32-bit architecture systems is added, Advanced Software Management will skip scanning targeted 64-bit systems.

To remove an advanced application you do not wish to manage through this policy, click the delete icon . To add more applications, click Add Software.

In the Action column, select the installation/uninstallation/update behavior to apply to each application. To apply the same action to all added applications, select the action from the Apply to all rows drop-down menu.

Action	Description	Compliance Reporting
Manually approve	Selected by default. You must manually approve individual updates for this application as they become available. If the application is not already installed, it will not be installed.	The application is considered compliant either when it is absent or when it is installed and up to date.
Manually approve and install if not present	You must manually approve individual updates for this application as they become available. If the application is not installed, you must approve its installation.	The application is considered compliant only when it is both present and up to date.
Auto approve	The Agent will automatically update the application without requiring approval. If the application is not already installed, it will not be installed.	The application is considered compliant either when it is absent or when it is installed and up to date.
Auto approve and install if not present	The Agent will automatically update the application without requiring approval. If the application is not installed, it will be installed automatically.	The application is considered compliant only when it is both present and up to date.
Uninstall	The Agent will automatically uninstall the application if it is installed.	If successfully uninstalled, the application is considered compliant and will not appear on the Software Management page or in the Software card on the device summary page.

When Windows Update is enabled on a device, you allow Microsoft to take control of update installations. A Windows Update policy in Datto RMM allows you not only to manage the settings of Windows Update but also to control the installation of updates.

NOTE  The Windows Update service gets restarted when a Windows Update policy is running. However, if patches are being installed via a Patch Management policy at the same time, the Windows Update service will not be restarted, and this will be noted in the Agent logs. If an audit is in progress while a Windows Update policy is running, the Windows Update service will wait for the audit to finish before restarting. This occurs in incremental periods (30, 60, 90, 120, 150, and 180 seconds; that is, a total of 10.5 minutes). If the audit does not complete within this period, the Windows Update service will not be restarted, and this will be noted in the Agent logs. The Windows Update service will be restarted at the next Windows Update policy run time, and all recent changes will then be applied to the targeted devices.

IMPORTANT  Removal or disabling of a Windows Update policy does not revert targeted devices back to their original configuration. If different settings need to be applied to targeted devices before off-boarding from a Windows Update policy, update the policy to reflect how you want the devices to be configured after being removed from the policy, and ensure the policy has applied before off-boarding.

NOTE  Patch Management support for macOS devices is available via the ComStore component Install Updates with SUPER [MAC]. For more information, refer to macOS Patch Management.

For step-by-step recommendations, refer to Step 1: Configuring a Windows Update policy in Best practices for Patch Management.

Update options

Select one of the following options:

Option	Description
Automatically detect recommended updates for my computer and install them	When any of these options is selected, the Legacy (Windows 7 / Server 2008 R2 or below) section with additional options will become available further below.
Download updates for me, but let me choose when to install them
Notify me of updates, but do not automatically install them
Turn off automatic updates	Selected by default. Disables automatic updates via Windows Update.

Disabling Windows updates

To ensure that a device only receives updates that you have approved, we recommend that you do the following:

1. Target the device with a Windows Update policy and select Turn off automatic updates in the Update options section.
2. Target the device with a Patch Management policy as well and specify the patches you want to approve. Refer to Patch Management policy.

IMPORTANT  Windows updates cannot be disabled on devices running Windows 10 build 1909 and below; however, you can configure various aspects of the updates. Refer to Windows as a service (Windows 10 / Server 2016 or above).
For more information about Windows as a service and Datto RMM Patch Management, refer to Patch Management and Windows as a service.

Universal (all Windows versions)

These settings apply to all Windows versions. The screenshot below shows the default settings.

Select any of the following options:

Option	Description
Receive updates for other Microsoft products when Windows is updated	Selected by default. NOTE  When this option is selected and applied in the policy, the change will not be visible in the Windows UI; however, the status can be queried by running get-wuservicemanager from a PowerShell prompt and verifying Microsoft Update is set to True.
Configure Windows Server Update Services (WSUS) settings	If you have set up a Windows Server Update Services (WSUS) server, it will act as a central location for other Windows devices to pull updates from rather than each device downloading Windows updates separately. Essentially, the server acts like a local cache, but only for Windows patches. When this option is selected, the following additional options will become available: Server address: Enter the server address (for example: http://192.168.1.1). Do not allow connections to Windows Update Internet locations Enable client-side targeting: When this option is selected, you can enter a target group name or names separated by semicolons (if the intranet Microsoft update service supports multiple target groups). The specified target group information is then sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to the device. If this option is not configured, no target group information will be sent to the intranet Microsoft Update service. NOTE  The WSUS server specified will be defined as registry key values for both WUServer and WUStatusServer in HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\

Windows as a service (Windows 10 / Server 2016 or above)

These settings apply to devices adopting the Windows as a service model (for example, Windows 10). The screenshot below shows the default settings.

Select any of the following options:

Option	Description
Configure active hours	When this option is selected, you can specify when active hours should start (00:00-23:00 hours) and for how long they should last (1-18 hours). NOTE  This setting only applies if using any update option other than Turn off automatic updates. NOTE  If a Patch Management policy is set to restart devices in the power settings, then devices will reboot if required after patching, regardless of active hours settings.
Configure update channel	When this option is selected, device telemetry will be enabled and the following additional options will become available: Semi-Annual Channel (Targeted): Updates are received immediately following general release. Semi-Annual Channel: Selected by default. Updates are received later, after receiving community feedback. When the Semi-Annual Channel option is selected, the following additional options will become available: Defer feature updates Defer quality updates When any of the deferral options is selected, the following additional options will become available: Defer for the maximum possible time Defer for a time as close as possible to (0-365) days. This option is selected by default. NOTE  If you choose the Defer for a time as close as possible to (0-365) days option, Datto RMM will defer to what the device's Windows version permits. Different versions of Windows have different maximum values. For example, if you enter 35 days but the device's Windows version only supports 28, the update will be deferred to 28 days. NOTE  Security Updates fall under quality updates.
Allow devices to share updates within the local network	Selected by default. Peer sharing can significantly reduce the amount of bandwith consumed for downloading updates. When this option is selected, the following additional option will become available: Allow devices to share updates outside of the local network
Disable Windows Fast Startup to allow update installation on shutdown as well as reboot	Selected by default. When this option is selected, updates will be installed on both shutdown and reboot (instead of only on reboot).

Legacy (Windows 7 / Server 2008 R2 or below)

This section is only available if one of the following options has been selected in the Update options section above:

• Automatically detect recommended updates for my computer and install them
• Download updates for me, but let me choose when to install them
• Notify me of updates, but do not automatically install them

The screenshot below shows the default settings.

Option	Description
Install new updates	Select on which day and at what time you want to install the updates.
Include recommended with important updates	When this option is selected, recommended updates will be included together with important updates.
Allow non-administrators to receive update notifications	Selected by default. When this option is selected, non-administrator users will receive update notifications.
Do not auto-restart while users are logged on	Selected by default. When this option is selected, automatic updates will wait for the device to be restarted by any user who is logged on, instead of causing the device to restart automatically. When this option is disabled, the logged-on user will be notified that the device will automatically restart in 5 minutes to complete the scheduled installations.
Re-prompt for restart	When this option is selected, you can configure when a new prompt notifying of a restart for scheduled installations should appear after the previous prompt for restart was postponed. Specify the interval by selecting the number of hours (0-24 hours) and minutes (1-59 minutes) from the drop-down lists. The maximum interval can be 24 hours. When this option is disabled, the default interval is 10 minutes.
Delay restart	When this option is selected, you can configure for how long a restart for scheduled installations should be delayed. Specify the interval by selecting the number of minutes from the drop-down list (1-30 minutes). When this option is disabled, the default interval is 15 minutes.

You can disable a policy from applying to all of it's targets from the Policies page, and see which policies are disabled, right from the list of policies. This is done via the Enabled column.

In order to disable a policy from the policies list, find the policy in the list and click the Enabled slider to the off position.

Once the policy is disabled, it will immediately no longer apply to any of it's targets.

NOTE  You can also disable a policy while editing it. Refer toEditing a policy.