Patch Management - Legacy UI
SECURITY Refer to Permissions.
NAVIGATION Legacy UI > Account > Manage > Patch Management
NAVIGATION Legacy UI > Sites > select a site > Manage > Patch Management
NAVIGATION Legacy UI > Sites > select a site > Devices > select a device > Manage > Patch Management
Refer to Patch Management.
What are Patch Management and Patch Management policies?
Datto RMM Patch Management allows you to both control and automate the deployment of patches to your Windows devices. The main objective of Patch Management is to create a consistently configured environment that is secure against known vulnerabilities in the operating system.
Patch Management is controlled in accordance with a device's patch status through policies at the account and site levels. Individual patch installations can be configured at the device level to permit exclusions or tolerances for individual patches without needing to alter entire policies.
IMPORTANT Only Windows Managed Agents support Patch Management. Refer to Managed and OnDemand Agents.
NOTE Patch Management support for macOS devices is available via the ComStore component Install Updates with SUPER [MAC]. For more information, refer to macOS Patch Management.
1. Disable Automatic Windows Update
If you would like to use a Patch Management policy to install only the patches you have approved, and to make sure that the Patch Management process is not interfered with, you need to disable Automatic Windows Update on your devices. We recommend that you create a Windows Update policy in Datto RMM to achieve this. For more information, refer to the Disable automatic Windows Updates section of Create a Windows Update policy - Legacy UI.
2. Set up a Patch Management policy
You can then set up a Patch Management policy to ensure that you install the necessary patches on your devices. Refer to Create a Patch Management policy - Legacy UI.
3. Device audit and patch installations
With an active Patch Management policy, the Datto RMM Patch Management process works in the following manner:
- Devices submit their audit data to the platform. The information includes patches that Windows Update requires.
- The platform runs the devices' required patches as defined by Windows Update through the Patch Management policies that target the devices. These policies can be account-level or site-level policies (including the ability to override account-level policies at the site level). The policy filters will define which patches get approved or disapproved. Refer to Create a Patch Management policy - Legacy UI.
- Individual patch installations (approvals or disapprovals) at the device level are also taken into consideration. Refer to Patch Management at the device level.
- The final approval list is sent back to the devices, which then download the patches during the defined Patch Management policy window. For information on the order in which patches are installed, refer to Order of patch installations.
Permissions
To learn how to configure the permissions, refer to Security levels - Legacy UI.
Depending on the patching operation you would like to initiate at either the account, site, or device level, various permissions are required. For further information, refer to the tables below.
Account level

Policies tab

Activity | Permissions | Notes |
---|---|---|
Create or edit an account-level patch policy | Account > Policies: Manage | Users without Manage permission who are viewing account-level patch policies will see everything, but all configurable options will be disabled. It is for reference only. The Save button at the bottom of the policy is not displayed. |
View an account-level patch policy | Account > Policies: View | |
Push the changes of an account-level patch policy from the Policies tab | Account > Policies: Manage | Without permission to manage Policies: the Push changes... button is not displayed. |

Manage tab

Activity | Permissions | Notes |
---|---|---|
Push the changes of an account-level patch policy from the Manage tab | • Account > Policies: Manage • Account > Manage: Manage | • Without permission to manage Policies: the Push changes... button is not displayed. • Without permission to manage Manage: the Push changes... button is not displayed. • Without permission to view Manage: the Manage tab is not displayed. |
View account-level policies, regardless of whether site-level overrides are active | • Account > Policies: View • Account > Manage: View | • Without permission to view Manage: the Manage tab is not displayed. • Without permission to view Policies: the Patch Management section is not displayed on the Manage tab. |
View historical patching data (Hourglass icon) | • Account > Policies: View • Account > Manage: View | • Without permission to view Policies: the Patch Management section is not displayed on the Manage tab. • Without permission to view Manage: the Manage tab is not displayed. |
View approved pending patches (Calendar icon) | • Account > Policies: View • Account > Manage: View | • Without permission to view Policies: the Patch Management section is not displayed on the Manage tab. • Without permission to view Manage: the Manage tab is not displayed. |
Enable or disable a policy | • Account > Policies: Manage • Account > Manage: Manage | • This also applies to the per-site options shown when clicking the Target icon. • Without permission to view Policies: the Patch Management section is not displayed on the Manage tab. • Without permission to manage Policies: the Enabled toggle is grayed out. • Without permission to view Manage: the Manage tab is not displayed. |
Run a policy now (Run now icon) | • Account > Policies: Manage • Account > Manage: Manage | • Without permission to view Policies: the Patch Management section is not displayed on the Manage tab. • Without permission to manage Policies: the Run now icon is grayed out. • Without permission to view Manage: the Manage tab is not displayed. • If a Patch Management policy is used for audit only, the Run now icon is grayed out. Refer to TIMING OPTIONS. |

From either the Policies or the Manage tab

Activity | Permissions | Notes |
---|---|---|
View applicable sites or devices (Target icon) | • Account > Policies: View • Account > Manage: View | Permissions to view and manage Manage are only required when performing actions from the Manage tab. The user can conduct the same actions via the Policies tab without those permissions. |
Configure applicable sites or devices (Target icon) | • Account > Policies: Manage • Account > Manage: Manage | Permissions to view and manage Manage are only required when performing actions from the Manage tab. The user can conduct the same actions via the Policies tab without those permissions. |
NOTE Account-level policies shown at the site level will require Manage permissions on the account level to edit and View permissions to view, regardless of where they are being seen from. This applies to both the Manage and Policies tab.
Site level

Policies tab

Activity | Permissions | Notes |
---|---|---|
View an account-level policy that is being overridden at the site level | Sites > Policies: View | The Override/Edit Override button here reverts to View Override if the user only has View permission. Policy options in this case will be visible but disabled. Users here are not editing the account-level policy, so they do not require permission to manage Account > Policies. |
Edit an account-level policy that is being overridden at the site level | Sites > Policies: Manage | |
View an independent patch policy (one that is not overriding an account-level policy) | Sites > Policies: View | All configuration options are set but disabled, and the Save button is not displayed. |
Edit an independent patch policy (one that is not overriding an account-level policy) | Sites > Policies: Manage | |
Push the changes of an account-level or site-level patch policy | • Sites > Policies: Manage • Sites > Manage: Manage | • Without permission to manage Manage: the Push changes... button is not displayed. (Pushing the changes from the Policies tab may be possible.) • Without permission to manage Policies: the Push changes... button is not displayed. (Pushing the changes from the Manage tab may be possible.) |

Manage tab

NOTE All restrictions specified at the account level apply here as well.

Activity | Permissions | Notes |
---|---|---|
View the status of Patch Management | • Sites > Policies: View • Sites > Manage: View | • If the user has no permission to view Policies or Manage, the Patch Management section is not displayed. When clicking on the Manage tab, the user will be redirected to the next management option. • If the user has permission to view Account > Policies but does not have permission to view Sites > Policies, the Site Policies section is not displayed at the bottom of the page. The section called 10 Most vulnerable devices in terms of Approved Pending Changes is always displayed on the top right of the page and will show policy names. • If the user has permission to view Sites > Policies but does not have permission to view Account > Policies, only independent Site Policies are shown at the bottom of the page. The section called 10 Most vulnerable devices in terms of Approved Pending Changes is always displayed on the top right of the page and will show policy names. |
Push the changes of an account-level or site-level patch policy | Sites > Policies: Manage | Without permission to manage Policies: the Push changes... button is not displayed. |

From either the Policies or the Manage tab

Activity | Permissions | Notes |
---|---|---|
View policy status for individual devices (Target icon) | • Sites > Policies: View • Sites > Manage: View | Permissions to view and manage Manage are only required when performing actions from the Manage tab. The user can conduct the same actions via the Policies tab without those permissions. |
Amend policy status for individual devices (Target icon) | • Sites > Policies: Manage • Sites > Manage: Manage | Permissions to view and manage Manage are only required when performing actions from the Manage tab. The user can conduct the same actions via the Policies tab without those permissions. |

Patch Management policy

Activity | Permissions | Notes |
---|---|---|
Configure individual patches in the PATCH APPROVAL section when creating or editing a site-level patch policy | Account > Manage: View | Without permission to view Account > Manage, access to individual patch configuration is denied in a site-level Patch Management policy. |
Device level

Manage tab

Activity | Permissions | Notes |
---|---|---|
View a device's approved or unapproved patches | Sites > Manage: View | |
Approve or unapprove a patch at the device level | Sites > Manage: Manage | Without permission to manage Manage: the user cannot perform actions on the page. |
View device activity | Refer to The Audit tab - Legacy UI. | |
View policies pertaining to this device | • Sites > Policies: View • Sites > Manage: View | |
Run a policy pertaining to this device | • Sites > Policies: Manage • Sites > Manage: Manage | |
The Patch Management page at the account and site level allows you to see:
- A summary (pie chart) of your Windows devices' patch status
- A list of these devices and further details with various filter options
- A list of Patch Management policies with various actions to be performed
By default, the pie chart shows the patch status of all Windows devices at the account or site level. The number of devices of each patch status is shown in brackets. When a filter is applied on the page, the pie chart is automatically refreshed. To learn about the patch status process flow, refer to Determining a device's patch status.
Field | Description |
---|---|
Column Chooser | The Column Chooser allows you to select which columns should be visible in the list. |
Show me 25 / 50 / 100 per page | Select to show 25 / 50 / 100 entries per page. 50 is selected by default. |
Actions | Select any of the items and click one of the following actions: • Request device audit(s) • Schedule a job • Run a quick job • Export to CSV (NOTE Microsoft Excel is unable to properly display UTF-8 compliant CSV files when they contain non-English characters.) • Refresh. For further information, refer to Action bar icons. |
Account Policy / Policy | Select a Patch Management policy. Account-level policies are listed at both the account and site level, while site-level policies are only listed at the site level. By default, no policy is selected. |
Type | Select one of the following options: • All Windows - Selected by default. • Windows Workstation • Windows Servers |
Patch Status | Select one of the following options: • All - Selected by default. • No Policy • No Data • Reboot Required • Install Error • Approved Pending • Fully Patched |
Search | Enter any text and click Search to narrow the results. For further information, hover over the Search Help icon next to the Search button. |
NOTE The values for the Patch Status, Patches Approved Pending, Patches Installed, and Patches Not Approved fields are updated at device audit time.
NOTE With the exception of the Policy, Last Run, and Schedule columns, click any of the column names to sort the data. By default, the devices are sorted by the Patches Approved Pending column.
The following columns are displayed by default:
Field | Description |
---|---|
Selection check box | Check to select any of the devices. |
Context menu | Refer to Context menu. |
Device status icon | Shows the online / offline status, privacy status, and Network Node status of the device. |
Site Name | The name of the site that the device is associated with. Click the hyperlink to open the site summary page. Refer to Site summary - Legacy UI. |
Device Hostname | The name of the device. Click the hyperlink to open the device summary page. Refer to Device summary - Legacy UI. |
Device Description | The description of the device. This can be edited on the device summary page. Refer to Device summary - Legacy UI. |
Policy | The name(s) of one or more patch policies that target the device. Click the hyperlink to open the policy. Refer to Create a Patch Management policy - Legacy UI. NOTE While multiple Patch Management policies can target the same device or group of devices to support different scheduling needs, it is important that the patch approval criteria remain consistent across all policies, otherwise it can lead to undesirable behavior regarding approved patch statuses and installation on individual devices. |
Last Run | Date, time, and time zone when the Patch Management policy or policies last ran. |
Schedule | The schedule(s) of the Patch Management policy or policies. Policies with an overridden schedule show the overridden data, not the original data. |
Patch Status | The patch status of the device. |
Patches Approved Pending | The number of approved pending patches. The device with the highest number is listed first. |
This section displays the list of Patch Management policies created at the account or site level. Account-level policies are listed at both the account and site level, while site-level policies are only listed at the site level. You can collapse or expand each list.
The following details are displayed:
Field | Description |
---|---|
Override active | Only appears if the account-level policy in question is overridden at the site level. To edit the override, locate the policy at the site level. Refer to Override account-level patch policy options at the site level. |
Policy | The name of the Patch Management policy. Click the hyperlink to edit the policy. Refer to Create a Patch Management policy - Legacy UI. |
Targets | The targets of the Patch Management policy. |
Last Run | Date, time, and time zone when the Patch Management policy last ran. |
Schedule | The schedule of the Patch Management policy. Policies with an overridden schedule show the overridden data, not the original data. |
Push Changes... | Click Push changes... to immediately push any policy changes to all devices targeted by the policy. The target icon changes color when changes are being pushed. |
Actions | • Hourglass - Allows you to view the results from the last time the policy ran. If the policy has not been run, the icon will be disabled and not clickable. Click the icon to open a window showing the Last Run Time and the following Patch Information: Patch Description, Download Size, Targeted Devices, Successes, Failures. Click the hyperlinked number under Successes and Failures to see more details. If you are viewing an account-level policy, the hyperlink will direct you to the list of affected sites; you can expand each site to see the results for the targeted devices. If you are viewing a site-level policy, the hyperlink will direct you to the list of targeted devices. On the Successes and Failures page, you can control the items per page view and you can search for your devices. You can also filter by Desktops, Laptops, Servers, or All devices. • Calendar - Allows you to see what patches would be installed if the policy were run now. Click the icon to open a window listing all Approved Pending Patches. At the account level, the patches listed are from all sites in the account. At the site level, the patches listed are from that particular site only. The patches listed reflect the last audit data. Devices show data from all policies targeting them. You can expand or collapse each patch to see further information. You can control the items per page view and you can search for your devices. • Target - Click this icon to open a window listing included and excluded sites and/or devices targeted by the policy. The Override active icon is displayed in front of sites that override the account-level policy options. You can filter by All Sites, Included Sites, and Excluded Sites in the case of account-level policies, and you can also filter by All Devices, Included Devices, and Excluded Devices in the case of both account- and site-level policies. You can turn the policy on or off for your sites and devices by toggling the Enabled button to ON or OFF. You can push the changes by clicking the Push changes... button. The target icon changes color when changes are being pushed. • Run now - Click this icon to open a dialog box where you can confirm whether you want to run the policy now, outside of its schedule. If the policy has been deactivated, or is used for audit only, the icon will be disabled and not clickable. Account-level policies will run on all targeted devices in the account, while site-level policies will only run on targeted devices in the site in question. If a device is offline at this time, the policy will run on it when it next comes online. For information on the Audit only option in a Patch Management policy, refer to TIMING OPTIONS. NOTE If you have just made changes to your policy, we recommend that you wait five minutes before you click the Run now icon to ensure that the changes have been applied. |
Enabled / Enabled for this site | A toggle to turn the policy ON or OFF. |
Patch Management at the device level
You can configure individual patch installations at the device level, permitting exclusions or tolerances for individual patches without needing to alter entire policies.
Compared to the Patch Management page at the account and site level, the layout of the Patch Management page at the device level is different:
Field | Description |
---|---|
Operating System | The operating system of the device. |
Service Pack | The Service Pack installed on the device. |
Policies | The patch policies that target the device. • Name - The name of the Patch Management policy. Click the hyperlink to edit the policy. Refer to Create a Patch Management policy - Legacy UI. • Last Run - Date, time, and time zone when the Patch Management policy last ran. • Schedule - The next run time of the Patch Management policy. Policies with an overridden schedule show the overridden data, not the original data. • Run Now - Click the icon to run the policy on this device now, outside of its schedule. If the policy has been deactivated, or used for audit only, the icon will be disabled and not clickable. If the device is offline, the policy will run on it when it next comes online. For information on the Audit only option in a Patch Management policy, refer to TIMING OPTIONS. NOTE If you have just made changes to your policy, we recommend that you wait five minutes before you click the Run now icon to ensure that the changes have been applied. NOTE While multiple Patch Management policies can target the same device or group of devices to support different scheduling needs, it is important that the patch approval criteria remain consistent across all policies, otherwise it can lead to undesirable behavior regarding approved patch statuses and installation on individual devices. |
Operating System Patches | This section has three drop-down lists: • Approved • Installed • Not Approved The following options are available in each list: • Filter - You can filter by Microsoft Security Response Center Priorities (Critical, Important, Moderate, Low, Unspecified), May Require Reboot, and May Require User Input. For more information on Priority, refer to Filter patches. • Search - As you type into the dynamic search field, the search results are narrowed to match your search string. • Sort - You can sort the patches by clicking on any of the following columns: Title, Microsoft Security Response Center Priority, Download Size, Reboot behavior. • Patch title - Click the hyperlink to open a page showing all devices for which this patch has been approved / that have this patch installed / for which this patch has been denied (when clicking from the Approved / Installed / Not Approved list, respectively). • Click for more information - Click the icon to display further information about the patch. Further details of each drop-down list are discussed below. |
Approved | This drop-down denotes patches that have been marked for approval on this device by the site- and/or account-level policies targeting it. The number of patches is displayed in brackets next to the list name. The list is only updated following a device audit. Patches that are approved are pushed to the device during the policy schedule window and, following their installation, are moved to the next list, called Installed. The policy schedule and other settings can be changed in the Patch Management policy. Refer to Create a Patch Management policy - Legacy UI. You can perform the following action in this list: • Remove from list - Hover over the patch and click this icon at the end of the row to move the patch to the Not Approved list. |
Installed | This drop-down denotes patches historically approved for this device, either by policy or as a result of user intervention. The number of patches is displayed in brackets next to the list name. The list is only updated following a device audit. |
Not Approved | This drop-down denotes patches that have not been approved by the policy targeting the device. The number of patches is displayed in brackets next to the list name. You can add patches to this table by clicking the Remove from list icon next to a patch in the Approved list. To remove the patch from a device and stop it from re-installing, it must be excluded here and then removed manually using the Uninstall Windows Update by KB Number component from the ComStore. Refer to ComStore - Legacy UI. You can perform the following action in this list: • Remove from list - Hover over the patch and click this icon at the end of the row to move the patch to the Approved list. NOTE If you have a device with no patch policies targeting it, all patches that Windows Update required in the last patch scan will be listed in the Not Approved drop-down. This is the expected behavior, as no policy was able to approve these patches. If you then target this device in a Patch Management policy, the device will need to be re-audited before the patches can move to the Approved list. To learn about the frequency of audits and how you can perform a manual audit, refer to Audits - Legacy UI. |
Determining a device's patch status
A Datto RMM device's patch status is determined and represented by the platform through a sliding criteria evaluation of the device's last audit data submission. The platform tests that submission against each possible status, as outlined below, in descending order, on a true or false basis. The first status that evaluates to true becomes the device's patch status and remains so until the next audit is submitted, when the same evaluation is repeated to ascertain the device's patch status at that time.
A device can have one of the following patch statuses:
- No Policy: The device is not targeted by any Patch Management policy.
- No Data: No patch audit data is available. For more information, see the process flow and explanation of steps below.
- Reboot Required: The device requires reboot.
- Install Error: One or more errors were encountered during the most recent patch installation run.
- Approved Pending: The device has approved pending patches that will be applied during the next patch window.
- Fully Patched: The device is fully patched.
EXAMPLE If a device is targeted by a Patch Management policy and has patch audit data available, but it requires reboot, has install errors, and has approved pending patches, its overall patch status will be Reboot Required, as that is the first item to return a true value in the check results.
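The two mechanisms described on this page, the audit-to-approval flow (policy filters first, then device-level approvals or disapprovals, producing the final approval list) and the descending true/false status evaluation above, can be modelled end to end. The following is an added example, not Datto RMM's own code: the data shapes, the filter semantics (a policy approves by MSRC priority and may refuse patches that need user input), the rule that a device-level decision overrides the policy decision, and the treatment of an empty or failed scan as No Data are all assumptions made for illustration, constructed from the behaviour the page describes.

```python
# Added example, not Datto RMM's own code: models how audit data, policy
# filters and device-level overrides combine into an approval list and then
# into a patch status, in the order the page gives. Names, data shapes and
# the filter semantics are assumptions made for illustration.
from dataclasses import dataclass, field

MSRC_PRIORITIES = ("Critical", "Important", "Moderate", "Low", "Unspecified")


@dataclass(frozen=True)
class Patch:
    """One patch Windows Update reports as required (constructed shape)."""
    kb: str
    priority: str                      # MSRC priority, one of MSRC_PRIORITIES
    may_require_reboot: bool = False
    may_require_user_input: bool = False


@dataclass(frozen=True)
class Policy:
    """Assumed filter model: approve by MSRC priority, optionally refusing
    patches that may need user input."""
    name: str
    approved_priorities: frozenset
    allow_user_input: bool = True

    def approves(self, patch: Patch) -> bool:
        if patch.priority not in self.approved_priorities:
            return False
        return self.allow_user_input or not patch.may_require_user_input


@dataclass
class AuditData:
    """Constructed stand-in for a device's last audit submission."""
    policies: list                        # policies targeting the device
    required: list                        # Patch objects the scan reported missing
    scan_returned_data: bool = True       # False after a failed or empty scan
    reboot_required: bool = False
    install_errors: int = 0
    # device-level overrides: the "Remove from list" actions on the device page
    device_disapproved: frozenset = field(default_factory=frozenset)
    device_approved: frozenset = field(default_factory=frozenset)


def approval_lists(audit: AuditData):
    """Return (approved, not_approved) KB lists for one device.
    Policy filters decide first; a device-level approval or disapproval of a
    KB overrides that decision. With no policy targeting the device, every
    required patch lands in Not Approved, as the page describes."""
    approved, not_approved = [], []
    for patch in audit.required:
        by_policy = any(pol.approves(patch) for pol in audit.policies)
        if patch.kb in audit.device_disapproved:
            final = False
        elif patch.kb in audit.device_approved:
            final = True
        else:
            final = by_policy
        (approved if final else not_approved).append(patch.kb)
    return approved, not_approved


def patch_status(audit: AuditData) -> str:
    """Evaluate each status in the page's descending order; the first true one wins."""
    approved, _ = approval_lists(audit)
    checks = (
        ("No Policy", not audit.policies),
        ("No Data", not audit.scan_returned_data),
        ("Reboot Required", audit.reboot_required),
        ("Install Error", audit.install_errors > 0),
        ("Approved Pending", len(approved) > 0),
        ("Fully Patched", True),           # nothing above matched
    )
    return next(name for name, hit in checks if hit)


if __name__ == "__main__":
    # Constructed scenario mirroring the EXAMPLE above: targeted by a policy,
    # scan data available, reboot required, an install error and an approved
    # pending patch. The first true check, Reboot Required, wins.
    security_only = Policy("Servers - security", frozenset({"Critical", "Important"}))
    audit = AuditData(
        policies=[security_only],
        required=[Patch("KB5000001", "Critical", may_require_reboot=True),
                  Patch("KB5000002", "Low"),
                  Patch("KB5000003", "Important")],
        reboot_required=True, install_errors=1,
        device_disapproved=frozenset({"KB5000003"}),   # removed at device level
    )
    print(approval_lists(audit))   # (['KB5000001'], ['KB5000002', 'KB5000003'])
    print(patch_status(audit))     # Reboot Required
```

The ordering of the checks is the whole point: a device with approved pending patches and an install error reports Install Error, not Approved Pending, and a device whose scan returned nothing reports No Data even when a policy targets it. That is why a status of No Data should send you to the process flow below rather than to the policy itself.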
Process flow
To understand the above more clearly, it helps to know the process that takes place during a device audit: how patch information is gathered and how that information is analyzed to determine the overall patch status for an individual device. The following process flow and explanation of steps are designed to help you assess why a particular status (for example, No Data) has been determined for a particular device.
1. A device must be targeted by a Patch Management policy. Without a policy assigned, the platform will always determine the status of the device to be No Policy.
2. An audit is carried out on the device. By default, it is initiated by the Datto RMM Agent, but it can also be requested manually. For more information about audits, refer to Frequency of audits.
3. For patch status calculation, every audit is a three-step process, regardless of how the audit was initiated. The audit data is submitted to the platform to determine the device's patch status upon completion of the following three steps:
   - Gather device hardware information.
   - Gather device software information.
   - Ask the Windows Update Service via the Windows Update API to carry out a patch scan. (See step 4.)
   To learn which events trigger a patch scan at audit time, refer to Frequency of patch scans at audit time.
4. After the Windows Update API has been called, control of the patch scan and of the resulting compiled data set passes to the operating system and its Windows Update Service. The Datto RMM Agent audit process waits as long as it takes for this scan to be completed.
   4.1. Windows Update performs a scan for all software and drivers relevant to the OS and to any installed applications supported by Windows Update. It asks its configured source server for any pertinent software or driver information to be returned.
   4.2. Source server for Windows Updates: Microsoft Update Servers (standard) or WSUS (custom).
   By default (standard), a Windows operating system contacts Microsoft's Update Servers for information about available updates and hotfixes for the enquiring device.
   However, a device can be configured (custom) to use a WSUS server or Microsoft's own Intune service to retrieve updates and hotfixes. This alters the source that the device connects to for update information, and the information returned may often differ from what Microsoft's standard update servers would return.
   It is therefore very important to understand which source server devices are querying when running their patching enquiries. A device can only be configured to contact one source for its updates.
   If the Windows Update Service itself is disabled on a device, the query fails and no patch data is returned from the enquiry (that is, the device's patch status will be No Data).
   4.3. Based on the outcome and health of the information returned from the Windows Update enquiry, the result is categorized as Successful or Failed.
   A successful enquiry is the result of a good connection with the device's configured source server and a successful completion of the software and driver enquiry it asks of that source. Successful completion means that the Windows Update Service was enabled, the enquiry was completed, and no errors were returned.
   The returned data will most commonly consist of patches to be installed and patches currently missing. However, it is possible for no patch data to be returned following a successful scan enquiry (see 4.3 > SUCCESSFUL > ZERO in the diagram above). The two primary reasons for this are as follows:
   - It is a Windows 10 device that has recently been installed with the latest available Feature Update. Because of the nature of Windows 10 Feature Updates, all former patch history is removed and there may be no updates applicable for installation from Microsoft until the following month. As a result, no patch data is returned from the enquiry and the device will have a patch status of No Data.
   - The source WSUS server is not presenting any applicable patch data to the enquiring device. This is most likely due to a misconfiguration or a fault with the WSUS server. The device will therefore have a patch status of No Data. The WSUS source server and its configuration should be assessed and corrected so that it provides information to the device when it requests patch data.
   A failed enquiry may be the result of a number of issues, including:
   - Windows Update Service is disabled
   - WSUS server is unreachable
   - WSUS server is reachable but unable to service the request
   - The local Windows Update cache is corrupt
   - WinHTTP proxy settings prevent the service from contacting Windows Update when run under the system profile
   In the majority of these circumstances, an HRESULT error is thrown by the Windows Update Service and recorded by the Datto RMM Agent in the device's activity log.
   NOTE Windows Update error codes are, unfortunately, numerous and not always easy to decipher. We recommend researching the particular error with a view to employing a suitable resolution to address the issue and resume standard Windows Update behavior. Because these errors are environmental and not under the control of the Datto RMM Agent, troubleshooting or fixing HRESULT errors is not supported by Datto RMM.
   NOTE All information and activity of the Windows Update Service is captured in the operating system's WindowsUpdate.log file. For more information on how to read and analyze the log, refer to this Microsoft article.
5. The patch scan is completed and the result, along with its associated data, is passed back to the Datto RMM Agent.
6. The audit process is completed, and all data is compiled for submission to the platform by the Datto RMM Agent.
7. The device audit data is sent to the platform.
8. The platform evaluates the device's audit data against the Patch Management policy applied to the device to determine the device's patch status.
Set up a Patch monitor to get an alert when a device fails to install any patches as part of a Datto RMM Patch Management policy. Refer to Patch Monitor.
To see detailed information about patch installations, check Patch Management reports. Refer to Report scheduler - Legacy UI.
NOTE On Windows 10 devices, Windows Update settings > View update history may not reflect patches that were installed by Patch Management. This list is only updated when manually checking for updates; it does not reflect activities performed via the API. From the View update history page, click Uninstall updates to view a list of patches that have been installed on the device. To view the device’s full update history, you can also run the Windows Update Toolkit component from the ComStore. Refer to ComStore and components - Legacy UI.
Notes
Datto RMM uses the Microsoft Security Response Center (MSRC) severity for all Windows updates. You can search for a KB number in the Microsoft Update Catalog where you can see an overview of the update including the MSRC severity.
Order of patch installations
Patches are prioritized in the following way:
Criterion | Order |
---|---|
Category | 1. Security Updates • 2. Service Packs • 3. Update Rollups • 4. Critical Updates • 5. Updates • 6. Any remaining patches |
Microsoft Security Response Center Priority | 1. Critical • 2. Important • 3. Moderate • 4. Low • 5. Unspecified |
Release date of the patch | Most recent first, descending |
Based on the above prioritization, patches are installed in the following order:
Order | Category | Microsoft Security Response Center Priority | Release date of the patch |
---|---|---|---|
1 | Security Updates | Critical | Most recent first, descending |
2 | Security Updates | Important | Most recent first, descending |
3 | Security Updates | Moderate | Most recent first, descending |
4 | Security Updates | Low | Most recent first, descending |
5 | Security Updates | Unspecified | Most recent first, descending |
6 | Service Packs | N/A | Most recent first, descending |
7 | Update Rollups | N/A | Most recent first, descending |
8 | Critical Updates | N/A | Most recent first, descending |
9 | Updates | N/A | Most recent first, descending |
10 | Any remaining patches | N/A | N/A (all remaining patches are treated as equal) |
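The installation order in the table above is a three-key sort: category first, MSRC priority only within Security Updates, and release date (newest first) within every category except the final "remaining patches" bucket, which is left unordered. The following is an added example, not Datto RMM's own code, that applies that sort to a constructed list of patch records; the record fields (kb, category, msrc, released) are an assumed shape for illustration.

```python
# Added example, not Datto RMM's own code: sorts an approved list into the
# installation order the tables above describe. The patch record shape is
# an assumption; the sample records are constructed.
from datetime import date

CATEGORY_ORDER = ("Security Updates", "Service Packs", "Update Rollups",
                  "Critical Updates", "Updates")          # anything else is "remaining"
MSRC_ORDER = ("Critical", "Important", "Moderate", "Low", "Unspecified")


def _rank(order, value):
    """Position of value in order; values not listed rank after every listed one."""
    return order.index(value) if value in order else len(order)


def install_sort_key(patch):
    category_rank = _rank(CATEGORY_ORDER, patch["category"])
    if category_rank == len(CATEGORY_ORDER):
        # "Any remaining patches": no MSRC or date ordering, all treated as equal
        return (category_rank, 0, 0)
    # MSRC priority only orders Security Updates; every other category is N/A
    if patch["category"] == "Security Updates":
        msrc_rank = _rank(MSRC_ORDER, patch.get("msrc"))
    else:
        msrc_rank = 0
    # newest first: negate the day ordinal so an ascending sort puts recent dates first
    return (category_rank, msrc_rank, -patch["released"].toordinal())


def install_order(patches):
    """Return KB numbers in installation order. sorted() is stable, so records
    that compare equal (the remaining-patches bucket) keep their input order."""
    return [p["kb"] for p in sorted(patches, key=install_sort_key)]


# Constructed sample: deliberately shuffled so every rule in the table is exercised.
SAMPLE_PATCHES = [
    {"kb": "KB1", "category": "Updates", "released": date(2024, 3, 12)},
    {"kb": "KB2", "category": "Security Updates", "msrc": "Important", "released": date(2024, 3, 12)},
    {"kb": "KB3", "category": "Security Updates", "msrc": "Critical", "released": date(2024, 2, 13)},
    {"kb": "KB4", "category": "Security Updates", "msrc": "Critical", "released": date(2024, 3, 12)},
    {"kb": "KB5", "category": "Drivers", "released": date(2024, 3, 12)},
    {"kb": "KB6", "category": "Update Rollups", "released": date(2024, 1, 9)},
    {"kb": "KB7", "category": "Update Rollups", "released": date(2024, 3, 12)},
    {"kb": "KB8", "category": "Service Packs", "released": date(2023, 1, 1)},
    {"kb": "KB9", "category": "Drivers", "released": date(2023, 5, 2)},
]

if __name__ == "__main__":
    print(install_order(SAMPLE_PATCHES))
    # ['KB4', 'KB3', 'KB2', 'KB8', 'KB7', 'KB6', 'KB1', 'KB5', 'KB9']
```

Note that a newer Important security update (KB2) still installs after an older Critical one (KB3): priority outranks release date within Security Updates, and the two driver records at the end keep their original relative order because the table treats remaining patches as equal.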
Updates for Windows as a service devices must be handled differently from the operating systems that came before them. For more information, refer to Patch Management and Windows as a service.
macOS Patch Management
The ComStore component Install Updates with SUPER [MAC] can be used as the macOS alternative to the Patch Management policy available for Windows devices.
This component uses a third-party app made available on GitHub to download and install all pending updates on a macOS device. The device will attempt to reboot, and the end user will be notified and given options to defer the updates.
To learn how to download the component, refer to the following topics:
- Download a component in ComStore - Legacy UI (legacy UI) and Download a component in ComStore (New UI)
- Managing components - Legacy UI (legacy UI) and Component Library (New UI)
To learn how to use the downloaded component in jobs and policies, refer to the following topics:
- Job scheduler - Legacy UI (legacy UI) and Scheduled jobs (New UI)
- Quick jobs - Legacy UI (legacy UI) and Quick jobs (New UI)
- Create a Monitoring policy - Legacy UI (legacy UI) and Monitoring policy in Policies (New UI)
- Manage monitors - Legacy UI (legacy UI) and Component monitor in Monitors (New UI)