NetLock RMMNetLock RMM Docs
III — How-To Guides

Set up patch management for a group

Approve patches globally, then configure per-policy rollout rules for a Windows group.

Set up patch management for a group

Patch management in NetLock RMM is split across two places that do different jobs, and getting both configured is what makes patching work. The /patch-management page is the global approval queue — "which patches are allowed on any device at all?" The Policy Settings editor's Patch Management tab is the per-policy rollout — "when and how do these particular devices install the approved patches?" This guide covers both, using a Windows group as the worked example.

Patch Management page, Update Approval tab, with a pending list

Before you start

  • A policy already exists and is routed to the target Windows group via an automation (see Guide H.4).
  • At least one Windows device is online in that group.
  • Patches have been detected and sit in the Pending state on the Patch Management page. If the list is empty, agents have not yet reported their update inventory — wait a sync cycle.
  • Required permissions: patch_management_enabled for the approval page, plus policies_enabled and the policy edit flag for the rollout configuration.

Steps

Stage 1 — Approve patches globally

  1. Open Patch Management from the navigation. The Update Approval tab is the default.
  2. Filter by Windows and browse the Pending patches.
  3. Select a manageable first set — critical security updates from the previous month are a safe start. Avoid bulk-approving every pending patch on day one.
  4. Click Approve. The selected patches move into the Approved state. The server flags every device for a resync so agents pick up the updated approval list on their next poll.

Use the other actions as needed:

  • Reject — explicitly block a patch; devices never install it.
  • Defer — postpone a patch for a number of days (default 7).
  • Reset to Pending — revert any state decision back to pending for later review.

Approvals are global. There is no per-device or per-group target selector on this page — scoping happens in stage 2.

Stage 2 — Configure the per-policy rollout

  1. Open Policies from the navigation and click Manage on the policy that routes to your Windows group.
  2. Open the Patch Management tab in the Policy Settings editor. The tab is split into Global and per-platform sub-tabs; pick Windows.
  3. Under the Windows sub-tab, fill in at least these three sub-tabs for a minimal rollout:
    • General — enable patching for Windows and select which sources participate (at minimum OS-Mandatory, optionally Winget and Chocolatey).
    • Schedule — pick a maintenance window. Outside the window the agent will not start an install.
    • Reboot — decide whether the agent may reboot, whether it prompts the user, and how long the prompt is visible. This is the only place in the product where reboot behaviour is configured.
  4. Optionally fill in Approval & Filtering (narrow approved patches by severity or source), Deployment Rings (stage the rollout across Pilot → Early → Broad), Notifications, and Retry.
  5. Save the policy.

Verify it worked

  • On the Patch Management page's Update Approval tab, the patches you approved show the Approved state and the Installed and Pending columns begin moving as devices pick up the change.
  • On a target device's detail view in Devices, the Events entries reflect patch install activity within the configured maintenance window.
  • The Update History tab on the Patch Management page shows the install outcomes per patch per device.

Troubleshooting

  • Patches stay at 0 installed. Check that a policy with Patch Management → Windows → General enabled is actually assigned to the device. If the device's detail view shows no_assigned_policy_found, the automation is missing.
  • Patches approved but devices ignore them. Check the policy's Approval & Filtering sub-tab — a filter there can veto a globally approved patch.
  • Reboots happen at unexpected times. Review Patch Management → Windows → Reboot and Schedule in the policy. Reboot prompts follow the schedule's maintenance window.
  • SLA chips show Overdue. Adjust the SLA thresholds on the Patch Management Settings tab if the defaults (7 / 15 / 30 / 60 days by severity) do not fit your environment.

Configure Windows Defender via policy

Turn on Microsoft Defender, add an exclusion, and schedule a scan — all from a policy.

Write, test, and schedule a PowerShell script

Create a script in Collections, run it on one device, and schedule it to recur as a job.

On this page

Set up patch management for a groupBefore you startStepsStage 1 — Approve patches globallyStage 2 — Configure the per-policy rolloutVerify it workedTroubleshootingRelated