Patch Management
The One RMM centralizes patch management for Windows, macOS, and Linux across your entire managed fleet. Scan for missing patches, approve updates, schedule deployments to maintenance windows, and report compliance — all from one console.
Supported Patch Sources
| Platform | Patch Source |
|---|---|
| Windows | Windows Update (via the local WU agent) |
| macOS | macOS Software Update |
| Ubuntu / Debian | apt package manager |
| RHEL / CentOS / Rocky | yum / dnf package manager |
| Windows (third-party) | Chocolatey (if installed) |
| macOS (third-party) | Homebrew (if installed) |
Scanning for Missing Patches
To scan devices for available patches:
- Navigate to Patches in the left sidebar.
- Click Scan Devices.
- Select the devices or device groups to scan (up to 500 devices per scan operation).
- Click Start Scan. The agent on each device queries its local patch source and reports available updates.
Scans complete within 5–15 minutes depending on device count and network conditions. Results appear in the Patches list grouped by patch name, severity, and affected device count.
You can also trigger a scan from the Device Detail view under the Patches tab.
Patch Approval Workflow
Manual Approval
All patches start in Pending status. An administrator must review and approve before deployment.
- Navigate to Patches → Pending Approval.
- Review the patch list. Click a patch name to see its KB article / CVE details.
- Select one or more patches and click Approve or Deny.
- Denied patches are marked and excluded from future deployments until you un-deny them.
Auto-Approve
To automatically approve patches by category without manual review:
- Navigate to Settings → Patch Policies.
- Create or edit a policy and enable Auto-Approve.
- Select which categories to auto-approve (e.g., Security Updates, Definition Updates).
- Assign the policy to device groups.
Auto-approve applies to future patches discovered after the policy is saved. Previously pending patches require manual approval.
Patch Deployment
Once patches are approved, schedule a deployment:
- Navigate to Patches → Approved.
- Select the patches to deploy.
- Click Deploy.
- Configure the deployment:
  - Name — e.g., "June 2026 Security Patches"
  - Target Devices — select devices or device groups (up to 500)
  - Scheduled For — datetime for deployment start
  - Reboot Policy — controls device reboots after patching
Reboot Policies
| Policy | Behavior |
|---|---|
| never | No automatic reboot; technician reboots manually |
| if_required | Reboot only if the patch requires it |
| always | Always reboot after patching |
| maintenance_window | Reboot at the start of the next maintenance window |
Maintenance Windows
Maintenance windows restrict patch deployments and reboots to approved time slots:
- Navigate to Settings → Maintenance Windows.
- Click New Window.
- Configure:
  - Name — e.g., "Weekday Nights 2–4 AM"
  - Days — weekdays, weekends, or specific days
  - Start Time / Duration — 2:00 AM for 2 hours
  - Timezone — per client timezone
- Assign the maintenance window to a device group or individual devices.
- Patch deployments scheduled during non-window hours are held until the window opens.
Emergency Patch Deployment
For critical security patches that cannot wait for the next maintenance window:
- Create a deployment as normal.
- Enable the Bypass Maintenance Window toggle.
- The patch deploys immediately regardless of any scheduled window.
Bypassing maintenance windows may cause unexpected reboots during business hours. Reserve this for actively exploited vulnerabilities.
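The hold-until-window and bypass behaviour described in the two sections above, as an added Python example (not The One RMM's own code). `MaintenanceWindow`, `effective_start` and `hold_time` are hypothetical names, and the fixed UTC-4 offset is a constructed stand-in for a client timezone.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo


@dataclass(frozen=True)
class MaintenanceWindow:          # hypothetical model of the settings above
    days: frozenset               # weekday numbers, Monday=0 ... Sunday=6
    start: time                   # local start time
    duration: timedelta
    tz: tzinfo                    # client timezone


def effective_start(scheduled, win, bypass=False):
    """Return (in UTC) when a deployment scheduled for `scheduled` really starts."""
    scheduled = scheduled.astimezone(timezone.utc)
    if bypass:                    # Bypass Maintenance Window: start as scheduled
        return scheduled
    local_day = scheduled.astimezone(win.tz).date()
    # Begin at yesterday so a window that crosses midnight is still found.
    for offset in range(-1, 8):
        day = local_day + timedelta(days=offset)
        if day.weekday() not in win.days:
            continue
        opens = datetime.combine(day, win.start, tzinfo=win.tz).astimezone(timezone.utc)
        if scheduled < opens + win.duration:
            return max(scheduled, opens)   # inside the window, or held until it opens
    raise ValueError("maintenance window has no days selected")


def hold_time(scheduled, win, bypass=False):
    """How long the approved patch waits before deployment begins."""
    return effective_start(scheduled, win, bypass) - scheduled


# Constructed sample: "Weekday Nights 2-4 AM" for a client at UTC-4.
CLIENT_TZ = timezone(timedelta(hours=-4))
WEEKNIGHTS = MaintenanceWindow(frozenset(range(5)), time(2, 0), timedelta(hours=2), CLIENT_TZ)
FRIDAY_3PM = datetime(2026, 6, 5, 15, 0, tzinfo=CLIENT_TZ)

if __name__ == "__main__":
    print("held for:", hold_time(FRIDAY_3PM, WEEKNIGHTS))
    print("with bypass:", hold_time(FRIDAY_3PM, WEEKNIGHTS, bypass=True))
```

Under this window a deployment scheduled for Friday afternoon does not start until Monday at 2:00 AM client time, which is the delay to weigh against the reboot risk when deciding whether to bypass.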
Patch Compliance Reports
Track patch status across your entire fleet:
- Navigate to Reports → Patch Compliance.
- The report shows for each client:
  - Total devices
  - Fully patched devices (%)
  - Devices with critical patches missing
  - Devices with non-critical patches pending
- Filter by client, device group, or patch severity.
- Export to CSV for client-facing reports.
The Patches widget on the main dashboard shows a fleet-wide compliance percentage updated daily.
Patch Rollback (Windows)
To roll back a patch deployment on Windows:
- Navigate to Patches → Deployments.
- Click the deployment name.
- Click Rollback.
- Confirm the rollback and optionally provide a reason.
- The agent runs Windows Update rollback (`wusa.exe /uninstall`) on each affected device.
Rollback is only available for Windows deployments. macOS and Linux patch rollback must be performed manually via Remote Commands.
Third-Party Application Patching
Windows — Chocolatey
If Chocolatey is installed on Windows devices, RMM can scan for and update Chocolatey-managed packages:
```powershell
# RMM runs this automatically during patch scans if Chocolatey is detected
choco outdated --no-color --limit-output
```
Chocolatey packages appear in the patch list alongside Windows Update patches and follow the same approval/deployment workflow.
macOS — Homebrew
If Homebrew is installed, RMM scans for outdated formulae and casks. Homebrew updates are listed separately from macOS Software Update and require the same approval before deployment.