This set of Frequently Asked Questions (FAQs) about RMM Central's Patch Management module answers queries that you may have about RMM Central.

Patch Management

1. Can RMM limit the storage space used for downloading patches?
You can configure Patch Cleanup Settings, which will automatically remove superseded/unused patches from the patch repository.
2. If Microsoft "pulls" a bad patch, in the new distributed model, how can RMM remove it?
We recommend using the "Test and Approve" feature, which tests the patches on lab machines and then approves them automatically before deployment. A patch removal/rollback option is also available to handle these situations.
3. Can I schedule a reboot for a specific time after patches are installed? For servers as well as desktops?
We do not have an option to schedule the reboot. However, you can customize the deployment to a specific time interval and configure a reboot to meet your requirement.
4. Is there a way to be alerted about when zero day patches become available to download so we can ensure to get those pushed instead of having to wait for the scheduled policy?
You can create a separate "Deployment Policy" for such requirements and get them deployed automatically.
5. How often should the patch scan be run? Is there a manual setting?
It depends on the number of computers. Usually in an enterprise, it is done at least once a week using an Automated Patch Deployment (APD) task.
6. Does the computer need to be connected to an admin account, for getting the patches deployed? Or can it be a regular user account?
Managed computers can use regular user accounts. Because the agent runs under the system account, it has the privileges needed to install the patches.
7. How to specify languages for patches?
RMM will automatically detect the language based on the operating system.
8. What will happen when the patches are installing and the user accidentally turns off the computer?
RMM will retry the installation during the subsequent deployment window, and the installation status will be updated.
9. I didn't catch the part about patch approval. Is there a way to approve patches automatically or do you have to approve the patch manually?
It is about testing the patches before deployment. You can choose to approve the patches automatically or manually. You can also test the patches before approving them automatically: the tested patches can be approved automatically after a specified number of days if no failures are found. Alternatively, you can approve them manually based on the result.
10. The patch management solution that we are using currently tells us what we need to download and then we manually download the patches. After the patches are deployed we can remove the downloaded patches which we no longer need. However, this is manually done. How does RMM handle this requirement?
RMM will allow you to automate the complete process. You can create an APD task, which will automatically scan computers, detect missing patches, download the required patches and deploy them to the target computers. You can configure "Patch Clean up settings" to delete the unwanted patches automatically.
11. Can you limit patches to just laptops or desktops?
Yes, you can. You can target machines based on system type such as laptops and desktops. You can also create a custom group with system type as criteria.
12. Is it possible to split the scan & download from the patch deployment?
You can create separate APD tasks for scanning and downloading the patches. You will find different options such as scan, download, draft and deploy. You can choose any of them based on your requirements.
13. When there are patches in "yet to apply" status, is there a way to get notified about the patches, after deployment/failure?
You can configure notification settings for the APD task, which can send you the status report multiple times based on the different statuses, including scanning, downloading and deployment of patches.
14. Can we make single store for all MAC patches?
RMM maintains a single patch store for all the patches, including Windows, Mac, Linux and 3rd party patches. You can customize it from Patch Mgmt -> Downloaded Patches -> Settings -> Download Settings.
15. Is it possible to schedule the patches to be installed and then the computer rebooted and then shut down after the reboot?
Deployment Policy can be used to schedule the patch and reboot/shutdown. However, if you want to shut down after reboot, you can use the remote shutdown/reboot tool to perform this operation.
16. Before I start creating a configuration for patching, should I be running a Vulnerability Database update? Once I update it, should I click "Sync Now" or should I run a "Scan Systems" and then sync?
The patch database is synchronized automatically by the built-in scheduler (Patch Mgmt -> Patch Database Settings -> Enable Schedule). You can verify the latest sync time from Patch Mgmt -> Update Vulnerability DB -> last updated time. You can also sync it manually using the “sync now” option.
17. Right now we use WSUS for MS patches. What is the best way to switch over to RMM?
You can disable auto-updates from WSUS, install the RMM agent on the computers to be managed, scan the computers and start deploying the patches.
18. Will there be a feature to pull local logs of failed deployments from the RMM site?
Yes, you can pull local agent logs from remote computers and upload them to support for analysis from Support -> Create Support File.
19. Is there the ability to create a test group of several computers and give them patches before they are made available to all the computers in the company?
You can create a custom group and test the patches before deploying them to all computers in the company using the "Test and deploy" feature.
20. How to setup automatic deployment of JRE to the latest release? It seems that computers that have JRE 1.7 are not flagged to receive JRE 1.8 automatically.
A JRE update from 1.7 to 1.8 is considered an upgrade and not an update, which means both versions can co-exist. You can use software deployment to install JRE 1.8 and uninstall JRE 1.7.
21. Is there a way to configure the lists of computers, etc., to permanently display more than 25 at a time?
You can customize the count of computers displayed. The changes you make will persist only for the technician and the view.
22. If I want to schedule patches to run in the next 20 minutes, is there a way to force the RMM agent on client machines to talk to the server, thus getting that task quicker than the 90 minute policy refresh? (Example - McAfee anti-virus has a feature called "wake up agent" that tells the agent to pull down fresh .)
You can achieve this by using the “deploy immediately” option whenever you deploy a patch configuration. This will wake up the target computer on demand to perform the task initiated by RMM.
23. When viewing the results of an "Automate Patch Deployment", is there a way to see the history of what patches were installed by previous runs of this task?
You can view the status of the “Automate Patch Deployment Task” from Patch Mgmt -> Automated Patch Deployment Tasks. You can also generate reports of these tasks and schedule them.
24. I do not see where I can push Anti-virus definitions using RMM.
You can deploy definition updates using RMM from Patch Mgmt -> Automate Patch Deployment -> Schedule Anti-Virus Task.
25. Java updates -- is it possible to allow update for compatibility with app X and preserve legacy version for compatibility with app Y or app Z?
You can create a dynamic custom group and choose to decline the patches for a specific application like JRE. By doing this, you can maintain multiple versions of the JRE in your network.
26. What changes should I make in my firewall and proxy to patch computers?
Refer to this article to find the list of domains, which need to be excluded.
27. I have the patches set to automatically deploy. How can I check the deployment, since it is not making a configuration deployment?
Automated patch tasks are not regular configurations. You can view the status from Automate Patch Deployment Task -> System View. You can also configure the notification settings (Patch Mgmt -> Automate Patch Deployment -> Notification Settings) to receive email updates whenever there is any change in the status of the task.
28. How do you make a separate policy that is specifically for server OSs and does not automatically restart the server?
This can be achieved by configuring the deployment policy and excluding servers from reboot: Patch Mgmt -> Deployment Policies -> Create Deployment Policy -> Deployment Window -> Reboot Policy -> Exclude Servers from Reboot.
29. We currently use McAfee encryption on some of our devices. We are trying to figure out how to continue auto deployment after hours once everything is encrypted. Does RMM have a method of handling this?
This can be achieved by configuring the deployment to happen after the encryption time window. You can configure it from Patch Mgmt -> Deployment Policies -> Create Deployment Policy -> Deployment Window.
30. I want to patch computers which are not live. How does "wake-up & deploy" work?
You can wake up the computers and deploy the patches by configuring Patch Mgmt -> Deployment Policies -> Create Deployment Policy -> Turn on computers before deployment.
31. Under all patches, I don't have a "filter" option; the decline patch option is shown. Install patch, download patches, decline patch are the only options. There is no "mark as" option nor "filter". How do I approve patches?
The “Mark As” option is available only when you choose to approve patches manually: Patch Mgmt -> Settings -> Approval settings -> Approve Patches -> Manually. If you have chosen to approve all patches automatically, all the patches will be marked as approved by default.
32. How come I have not seen updates for Windows 10 or MS 2016?
Both Windows 10 and Microsoft Office 2016 are supported by RMM. Ensure that your Patch Database has been synchronized successfully in the recent past. Verify it from Patch Mgmt -> Update Vulnerability DB -> Last update time.
33. Can I use RMM to manage 3rd Party applications?
Answer
34. Can I create a report for systems that need patches older than 30 days?
You can create a report from Patch Mgmt -> All Patches -> Missing Patches Tab -> Computer View and create a filter based on the “Release Date”.
35. What is the timeline for adding McAfee antivirus to virus management section?
You can use File Folder operations, configuration, software deployment, or custom script configuration to deploy the definition updates and engine upgrades. We are also looking into the possibility of including this in the Patch Management section.
36. Can you install the RMM server in the cloud and have remote clients grab updates from that server to conserve bandwidth at the home office?
It is currently not available in the cloud. However, we are looking at a cloud-based solution.
37. Is it possible to set patch deployment Policy schedule to run every 3rd Sunday of the month?
Yes, when you create an APD task, under scheduler select the monthly option and choose 3rd Sunday.
38. Why are dynamic custom groups not always available?
Dynamic custom groups are evaluated on the client side during deployment based on the criteria you have defined.
39. In previous versions of RMM, when selecting targeting computers under "Define Target" to install software/ patches you were able to see a list of all computers and check mark each device. Now it seems as if you select "computers" you have to type each device's computer name. Is there a way to have the previous layout?
The new UI is developed based on usage. When you have a large number of computers, you can move them to a group or an OU and add that as the target.
40. Can you disable windows automatic updates?
Yes, under Patch Mgmt->Disable Automatic Updates, choose templates and disable.
41. If I want to scan computers for missing patches during the day to approve the patches for deployment overnight, how would I schedule that?
You might need to create 2 separate APD tasks as below to achieve this:
  • Create the first task to just scan the computers and schedule this at 10 AM. This will complete by 12 noon and you will get the list of missing patches, which you can choose and approve.
  • Create a second task scheduled to run at 3 PM (assuming that you would approve the patches by then). For this task, define a Deployment policy with:
      o Deployment Window with start and end times as required, say start at 8 PM
      o Select this option: “Download Patches/Software during subsequent Refresh Cycle”.
The second task will start at 3 PM, scan the computers again and download the necessary patches to the agents. Assuming that all the target computers are up, this will complete and keep things ready for deployment by 6 PM. The deployment will begin at the scheduled deployment window, 8 PM.
42. We currently have a large number of Laptops which need to be updated. These laptops are rarely connected to the domain, and when they are it is via a VPN. How do we push patches to these laptops without impacting the user experience or poking holes in our firewall?
When these computers connect to the network via VPN, the deployment will be initiated during the next refresh cycle (90 minutes).
43. Does RMM support Linux patches?
Yes, Ubuntu flavors are supported. The update will be made available next month for existing users.
44. Are all patches released by Microsoft available for patching via RMM?
Yes, most patches that have a download URL will be supported.
45. What is the average turn around time for patches to be updated in the Central Patch Repository?
We usually support within 24 hours.
46. How do you select which categories of windows updates are included? Specifically, we can not find KB3102467 in our RMM database.
This is a feature pack, which is not supported in patch management. You can use Software Templates -> search for Microsoft .NET Framework 4.6.1, then create a package and deploy it.
47. How much disk space does a Distribution Server need to have to cache patches?
It depends on the number of systems and patches that are maintained, maybe up to 1 GB. It is recommended to configure patch cleanup settings to remove older patches automatically. This will also clean up the distribution server.
48. If you do the clean up and then put a newer machine and it needs an older patch what will happen?
It will automatically be downloaded and installed.
49. How do I know which updates to run and the order to run them?
Patch inter-dependencies and sequencing will automatically be taken care of by RMM.
50. After the initial agent deployment, will patch management scan subnets for new machines that do not have the agent going forward?
No, the agent should be deployed before scanning. You can define an SoM Sync Policy to automatically identify new computers added to Active Directory and install agents on them.
51. Can you send a process on how to disable the Windows 10 creep update for Windows 7 computers?
Under Configuration Templates, we have a template to disable the Windows 10 creep update (Disable Windows 10 Notification).
52. Can one distribution Server support multiple remote offices?
Yes, it is technically possible if all the remote offices use the same agent and if all the remote office computers can reach the Distribution Server.
53. Is it possible to deploy patches to specific computers?
Yes, the ideal way to do this is to go to the All Systems View, select the computer and install all missing patches on this computer.
54. Can RMM support updating of iTunes app on a Mac OS?
No, this is not feasible as the download URL for this update is not publicly available.
55. If the distribution server is stopped, will the client be able to communicate with the main server?
Yes, the agents will contact the server to post the failure messages. However, no deployment can happen.
56. How can I host my Patch Repository in another computer?
Go to Patch Mgmt->Settings->Cleanup Settings->Settings. Against Patch Repository Location, enter the new Patch Repository's location. For example, \\machine_name\example_patch_repository