ITSM Patch Management Feature Needed

Hi,

A much-needed addition to Comodo One ITSM Patch Management would be the ability to stop the OS/user being able to control settings for automatic updates/patches. This should not be possible if ITSM Patch Management is being used to manage Windows and other Microsoft software patching.

I agree, as I would assume that if the automatic updates are running before the PM, the PM reports would be empty, when we send them to our customers.

Hi @BOSS ,

Yes, and it would allow more management to us MSPs regarding how and when the patches get deployed, or even if a certain patch should be installed on a specific site. Bottom line: an MSP-geared Patch Management/update solution should be a “Managed service” and out of the endpoint/user's control.

@Marveltec and @BOSS
Thank you for your suggestions to improve our platform. We have forwarded your feature request related to this forum post and we will update you through email.

Yes Sir, I was just looking at a report I pulled for a new managed client, just signed them up this month, and the update report is empty, even though I know that some updates have been installed. The main updates I don’t always want installed are the optional ones. I install all security and critical updates, especially after WannaCry!!

Hi @BOSS , @Marveltec

We are going to provide you a script to enable the update checks on endpoints for immediate concern. We are also going to make this part of the patch profile on later releases (in Q3).

Ilker

Hi @BOSS , @Marveltec

Please refer to the procedures below:

Enable Windows auto update services

https://forum.mspconsortium.com/forum/script-library/11523-enable-windows-auto-update

Disable Windows auto update services

https://forum.mspconsortium.com/forum/script-library/11528-disable-the-windows-auto-update

Let us know your feedback.

-kannan

I tried it on one system, and it said it finished successfully, but as far as I could tell auto updates were still active. It still showed as set in the Control Panel, and the Windows Update service still showed as auto start in the services.

Hello @BOSS, thank you for the feedback. May we know on what OS you ran the script? We will investigate this and we will get back to you as soon as possible.

@Marveltec Please let us know if the above scripts work on your end.

Hi @Cristina ,

I did manage to use the script for disabling/enabling the Windows Update service. My question is: will ITSM patch management still be able to check and install missing patches/updates on a system that is not running the Windows Update service?

Hello @Marveltec ,

Patch Management via ITSM is dependent on the local Windows Update service.
ITSM checks the Microsoft update servers for available Windows patches and updates, and lists them in the interface.

So let me get this right, if the PM is dependent on the service, why would we want to shut it off??? This would not allow us to control the updates??? This seems like I misunderstood what was happening here. I don’t want to not be able to control the updates, I want to be able to control them. I guess what I am looking to do is only turn off automatic updates. @Cristina It was Windows 7 Pro, but it does not matter, since the script does not do what I was wanting anyway.

Hi @Jay @BOSS ,

That is exactly what I thought when the scripts were put forward as a solution. Normally when you use an RMM including a Patch Management solution such as Nable or the others, it will show you under Windows Update that it is being managed by your organization and won't let the user allow or force updates unless they are pushed through the Patch Management “managed solution”.

I don’t want to stop the device from being able to update, I just want the ability to manage it as the MSP.

@BOSS , @Marveltec

We should provide you a script to set the Windows Update settings as “Check automatically but don’t download” option for the short term approach, so that you can see what is available on endpoints and control which and when to deploy.

Sorry for the previous inconvenience. We will share the script soon.

Ilker

Hi @Ilker , I don’t think that option will work on Windows 10 endpoints

@Marveltec

Correct, W10 can be managed with more granular rules over GPO, I believe. We will look for alternatives and better approaches on this issue in the mid term. The script is going to be provided as a quick solution for the short term.

Ilker

Hi @BOSS @Marveltec

We recommend the below-mentioned script procedure to temporarily fix the problem of seeing applicable patches.

https://forum.mspconsortium.com/forum/script-library/11523-enable-windows-auto-update

  • This script will set Windows 7 automatic update settings as "Check for an update and notify before download and install" at the local group policy level.
  • In the case of Windows 8 and above, it will make sure that the necessary Windows Update services are running, as complete background control is restricted.
  • You can also control automatic update settings of all your network endpoints by changing the "Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates" options available in the group policy management of your Domain controller.
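
The policy setting described in the post above, as an added example (it is not the script linked in the thread and not Comodo's code): on an endpoint with no domain controller, the same "Configure Automatic Updates" policy can be audited and set through the local policy registry key while leaving the Windows Update service available. It assumes Windows PowerShell 3.0 or later run elevated; the function names and the `ManagedNotifyOnly` field are hypothetical.

```powershell
# Added example: audit, and with -Apply set, the "Configure Automatic Updates"
# policy on a stand-alone (non-domain) endpoint. Run elevated.
param([switch]$Apply)

# Registry location written by the "Configure Automatic Updates" policy.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$AuOptionNames = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Get-WuPolicyState {   # hypothetical helper name
    $policy = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    $svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    $au     = if ($policy -and $null -ne $policy.AUOptions) { [int]$policy.AUOptions }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        NoAutoUpdate = if ($policy) { $policy.NoAutoUpdate }
        AUOptions    = $au
        AUOptionText = if ($null -ne $au) { $AuOptionNames[$au] } else { 'Not configured' }
        ServiceState = $svc.State
        ServiceStart = $svc.StartMode
        # Patch management needs the service available; option 2 stops the OS
        # from downloading or installing on its own schedule.
        ManagedNotifyOnly = ($au -eq 2) -and ($svc.StartMode -ne 'Disabled')
    }
}

function Set-WuNotifyOnly {    # hypothetical helper name
    if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name AUOptions -Value 2 -Type DWord
    # Do not leave the service disabled: the agent relies on it to scan.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    if ($svc.StartMode -eq 'Disabled') { Set-Service -Name wuauserv -StartupType Manual }
}

if ($Apply) { Set-WuNotifyOnly }
Get-WuPolicyState
```

Run without `-Apply` to collect the current state for a report. The thread offers this notify-only setting for Windows 7 and does not confirm its behaviour on Windows 10.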

Hi @mkannan

Your last point refers to the use of group policy management; however, most of our clients and their endpoints are not connected to domain controllers, and we are finding more and more organizations opting for cloud systems and using decentralized offices, which makes domain controllers/servers more likely to fade away somewhat (depending on setups). Going forward, with all the capabilities of RMM and Remote Security management systems/SECaaS, it's becoming easier to manage organizational policies and security without the need for domains/domain controllers.

So not sure that option will work for us.

@Marveltec

Interesting insight. Thank you for sharing!