Patch Management
Automate Windows updates with policies, maintenance windows, and compliance tracking.
Compliance Overview
The Patches dashboard shows a fleet-wide compliance summary:
- Total agents — Number of enrolled endpoints
- Compliant — Agents with all approved patches installed
- Non-compliant — Agents with pending patches
- Pending reboot — Agents that need a restart to finalize updates
- Total pending patches — Sum of unapplied patches across all agents
Each agent row shows its individual compliance status, pending patch count, and last patch scan time.
Patch Policy
The patch policy controls which updates are auto-approved and when they are installed. Navigate to Patches → Policy to configure:
Auto-Approve Settings
| Setting | Default | Description |
|---|---|---|
| autoApproveCritical | true | Automatically approve critical security updates |
| autoApproveImportant | true | Automatically approve important updates |
| autoApproveModerate | false | Automatically approve moderate updates |
| autoApproveLow | false | Automatically approve low-priority updates |
| deferFeatureUpdateDays | 30 | Number of days to defer Windows feature updates (e.g., 23H2 to 24H2) |
Maintenance Window
Restrict patch installations to specific times to avoid disrupting users:
| Setting | Example | Description |
|---|---|---|
| maintenanceWindowStart | 22:00 | Start time in 24-hour format (agent local time) |
| maintenanceWindowEnd | 06:00 | End time in 24-hour format (agent local time); an end earlier than the start means the window runs overnight |
| maintenanceWindowDays | ["Tuesday", "Saturday"] | Days of the week on which patching is allowed |
Tip: A common configuration is an overnight window from Tuesday 22:00 to Wednesday 06:00 so that updates released on Microsoft's Patch Tuesday are installed the same night. Bear in mind that with the auto-approve defaults above, critical and important updates released that day will install without any review period; keep a second window (the Saturday in the example) for updates you approve later.
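As an added illustration of how the auto-approve and maintenance-window settings combine (this is example code, not MaxRMM's own implementation), the following Python evaluates a list of pending patches against the policy above. Two details the page leaves open are assumptions in the code: an overnight window is attributed to the weekday on which it starts, and deferFeatureUpdateDays is counted from the feature update's release date. The patch records are constructed sample data.

```python
"""Added example (not MaxRMM code): apply the documented patch policy to a
constructed set of pending patches and decide what installs at a given time."""
from datetime import date, datetime, time, timedelta

# Same field names as the policy documented above; values are the page's
# defaults plus the maintenance-window example.
POLICY = {
    "autoApproveCritical": True,
    "autoApproveImportant": True,
    "autoApproveModerate": False,
    "autoApproveLow": False,
    "deferFeatureUpdateDays": 30,
    "maintenanceWindowStart": "22:00",
    "maintenanceWindowEnd": "06:00",
    "maintenanceWindowDays": ["Tuesday", "Saturday"],
}

SEVERITY_FLAG = {
    "Critical": "autoApproveCritical",
    "Important": "autoApproveImportant",
    "Moderate": "autoApproveModerate",
    "Low": "autoApproveLow",
}

# Fixed English names, independent of the process locale.
WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday")


def is_auto_approved(patch, policy, today):
    """True if `patch` is auto-approved by `policy` on `today`.

    patch: dict with "severity" (Critical/Important/Moderate/Low),
           "feature_update" (bool) and "released" (date).
    Assumption: a feature update is held back until deferFeatureUpdateDays
    have elapsed since its release date, then judged by severity like any
    other update.
    """
    if patch["feature_update"]:
        age_days = (today - patch["released"]).days
        if age_days < policy["deferFeatureUpdateDays"]:
            return False
    flag = SEVERITY_FLAG.get(patch["severity"])
    return bool(flag and policy.get(flag, False))


def in_maintenance_window(now, policy):
    """True if agent-local time `now` is inside the maintenance window.

    Assumption: a window that crosses midnight belongs to the weekday on
    which it starts, so Tuesday 22:00 through Wednesday 05:59 is allowed
    when "Tuesday" is listed even though "Wednesday" is not.
    """
    start = time.fromisoformat(policy["maintenanceWindowStart"])
    end = time.fromisoformat(policy["maintenanceWindowEnd"])
    days = set(policy["maintenanceWindowDays"])
    t = now.time()
    if start <= end:  # same-day window, e.g. 01:00-05:00
        return start <= t < end and WEEKDAYS[now.weekday()] in days
    # Overnight window: after the start today, or before the end of a
    # window that started yesterday.
    if t >= start:
        return WEEKDAYS[now.weekday()] in days
    if t < end:
        return WEEKDAYS[(now - timedelta(days=1)).weekday()] in days
    return False


def plan_install(patches, policy, now):
    """Ids of the patches that would be installed at `now` under `policy`."""
    if not in_maintenance_window(now, policy):
        return []
    return [p["id"] for p in patches if is_auto_approved(p, policy, now.date())]


# Constructed sample data; the ids are illustrative, not real KB numbers.
SAMPLE_PATCHES = [
    {"id": "critical-cumulative", "severity": "Critical",
     "feature_update": False, "released": date(2024, 5, 14)},
    {"id": "moderate-driver", "severity": "Moderate",
     "feature_update": False, "released": date(2024, 5, 14)},
    {"id": "feature-24h2", "severity": "Important",
     "feature_update": True, "released": date(2024, 5, 1)},
]

if __name__ == "__main__":
    # Patch Tuesday night, 14 May 2024 at 23:00: only the critical update goes.
    print(plan_install(SAMPLE_PATCHES, POLICY, datetime(2024, 5, 14, 23, 0)))
```

Running it on the Tuesday-night timestamp returns only the critical update: the moderate one is not auto-approved, and the feature update is still inside its 30-day deferral. The same call at Wednesday 23:00 returns nothing because Wednesday is not a listed day, while Wednesday 03:00 still counts as Tuesday's window.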
Triggering a Patch Scan
Agents scan for patches automatically. To trigger an immediate scan:
Single agent

Go to the agent detail → Commands → Patch Scan

All online agents

```http
POST /api/patches/scan
Authorization: Bearer <access-token>
```

Specific agents

```http
POST /api/patches/scan
Authorization: Bearer <access-token>

{
  "agentIds": ["agent-id-1", "agent-id-2"]
}
```

Installing Patches
To trigger patch installation on all online agents:

```http
POST /api/patches/install
Authorization: Bearer <access-token>
```

Or target specific agents:

```http
POST /api/patches/install
Authorization: Bearer <access-token>

{
  "agentIds": ["agent-id-1", "agent-id-2"]
}
```

The agent installs every approved pending patch. If a reboot is required, the agent flags it as pending reboot; the reboot itself must be triggered separately, either by the user or via a scheduled reboot command, and the agent remains in the Pending reboot state on the dashboard until that happens.
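The following Python script is an added example of driving the scan and install endpoints above from automation; it is not MaxRMM's own client. The endpoint paths, the agentIds body and the bearer header come from the page. The base URL, the Content-Type header and the batch size are assumptions, and the access token is read from the MAXRMM_TOKEN environment variable (a name chosen here) so it never lands in the script or shell history.

```python
"""Added example (not MaxRMM code): build and send POST /api/patches/scan and
POST /api/patches/install requests, batching large agent lists."""
import json
import os
import urllib.request

ACTIONS = ("scan", "install")
BASE_URL = "https://rmm.example.internal"  # assumed; replace with your server


def build_request(action, token, agent_ids=None, base_url=BASE_URL):
    """Build the request for POST /api/patches/<action>.

    agent_ids=None sends no body, which targets all online agents; a list of
    ids is sent as {"agentIds": [...]}, exactly as documented above.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}, expected one of {ACTIONS}")
    if not token:
        raise ValueError("empty access token; refusing to send an unauthenticated request")
    headers = {"Authorization": f"Bearer {token}"}
    data = None
    if agent_ids is not None:
        data = json.dumps({"agentIds": list(agent_ids)}).encode("utf-8")
        headers["Content-Type"] = "application/json"  # assumed; the page shows only the body
    return urllib.request.Request(f"{base_url}/api/patches/{action}",
                                  data=data, headers=headers, method="POST")


class DryRunTransport:
    """Records requests instead of sending them; used for --dry-run and tests."""

    def __init__(self):
        self.requests = []

    def __call__(self, req):
        self.requests.append(req)
        return self  # stands in for the response object

    def close(self):
        pass


def run_action(action, agent_ids, token, send=urllib.request.urlopen, batch_size=100):
    """Send `action` to `agent_ids` in batches; None targets all online agents.

    Returns the list of id batches sent (a single None for all-online).
    `send` is the transport, urlopen by default, so the batching can be
    exercised offline with DryRunTransport. urlopen raises on HTTP errors.
    """
    if agent_ids is None:
        batches = [None]
    else:
        ids = list(agent_ids)
        batches = [ids[i:i + batch_size] for i in range(0, len(ids), batch_size)]
    for batch in batches:
        resp = send(build_request(action, token, batch))
        resp.close()  # the page documents no response schema, so the body is not parsed
    return batches


if __name__ == "__main__":
    import sys
    token = os.environ["MAXRMM_TOKEN"]
    send = DryRunTransport() if "--dry-run" in sys.argv else urllib.request.urlopen
    # Scan two constructed agent ids; install is the same call with action="install".
    print(run_action("scan", ["agent-id-1", "agent-id-2"], token, send=send))
```

Run a scan first and trigger the install in a later window once the scan results are in; the install endpoint only acts on patches that are already approved and pending from the last scan.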
Winget Application Policy
In addition to Windows Updates, MaxRMM supports application updates via winget (Windows Package Manager). Configure a winget policy to auto-update specific applications:
```http
PUT /api/patches/winget-policy
Authorization: Bearer <access-token>

{
  "policy": {
    "autoUpdate": true,
    "allowedPackages": ["Google.Chrome", "Mozilla.Firefox", "7zip.7zip"],
    "blockedPackages": []
  }
}
```

Patch History
View a timeline of all patch events (scans, installs, failures) under Patches → History. Filter by agent to see a specific machine's patch timeline.