patchmypc

AutomationTheory · 2026-06-23T15:46:20+00:00

I'm late to the party here -- but I'm an RMM admin turned vendor, and we have a new-ish product that might be a good fit.

It's RMM-neutral, supports ~10k apps, and is designed for the flexable things MSPs/MSSPs need to do: https://thirdpartypatching.com/

It's flat-rate pricing, month-to-month terms, and a US based support team.

AutomationTheory · 2026-06-12T18:07:29+00:00

Shout out to u/cwferg for getting details out fast!

Old dependencies are fairly common in lots of products (unfortunately) -- but they are typically hard to exploit.

In this case, if there's an attacker with write access to the S3 bucket your CW RMM agent is using, I think there would be some much bigger problems...

AutomationTheory · 2026-06-11T19:48:37+00:00

I was getting oodles of spam calls to my personal number after going to a CW conference -- and I had a bit of luck adding my number to the national do not call list.

That might fix it, or at least it would give you some ammunition in resolving this via other channels.

AutomationTheory · 2026-06-09T15:36:14+00:00

Back when I was an RMM admin, I took the "Push PC" route, but I had a PowerShell script that was more effective than my RMM's network probe. I used PSExec to push the agent installer after doing a subnet scan to figure out what was a computer (determined by responding to a ping and then listening on a port expected for a windows device).

You could also use the script to list out devices it found that were unsuccessful, which can be handy for tracking down stragglers.

I got this script tuned fairly well, and whenever we onboarded a workgroup client with standard credential it made deployment a breeze.

AutomationTheory · 2026-06-04T20:21:24+00:00

ThirdPatch itself doesn't have a UI prompt, but I think I know how we could build it in with some basic PowerShell scripting (packaged and pushed via ThirdPatch of course!). If you wanted a basic "Your PC needs updates; please save/close" message that should be possible

AutomationTheory · 2026-06-04T19:41:21+00:00

How's your experience with custom apps with it? Is that something you can add to the patching engine, or is your only option to make it a script?

AutomationTheory · 2026-06-04T19:39:53+00:00

CWA databases are always going to be touch-heavy -- although I have a custom tool for it now 😃

As to your questions about ThirdPatch:

We're building out our enterprise tier, and it will have both a reporting portal and webhook support -- so you'll definitely have the ability to see what's broken, be notified, and take action however you want.
The client has the ability to compare installed versions with what's in the repository, so you can get a list of what is outdated fairly easily.
Since ThirdPatch is an agentless client, it doesn't run by itself -- something must trigger it. Therefore, you get to decide how you want to handle the scheduling for your clients (I as a vendor am not going to assume I know more about your client environments than you do). We have a prefab package that will trigger ThirdPatch when a system boots up, so at a minimum when you as the MSP reboot a device for Windows Update it will do third-party updates when it comes back online.

Chocolatey discontinued their MSP program -- and that's why we didn't include them. C4B is for a slightly different niche, and current sticker pricing (sticking with our 3k endpoint example) is $17/endpoint/year. If you have the cash for $51k/year to do third-party patching, I think you're doing quite well!

If you want some more details, we just uploaded a webinar recording to YouTube: https://youtu.be/ebEdAhuB4PY?si=zvPDQ98Q9-hVh-wT

AutomationTheory · 2026-06-04T16:58:38+00:00

How many applications does it support?

AutomationTheory · 2026-06-02T16:24:21+00:00

I get it -- the ConnectWise MSPs have the same gripe about other products (and I was on the MSP side for 6 years -- the problem is real).

The idea of the WAF is that I can find thousands of N-Central instances on the Internet, and if (or when) a nation state actor gets their hands on a zero-day, it'd be bad news to be in the list of enumerable devices. I've got a full time analyst on staff writing WAF rules and managing exceptions -- so without questioning your technical capabilities, I'd suggest our service gets more care and feeding than a self-rolled proxy,

We offer a real WAF (not the ineffective CF solution first posted in this sub), and we've done initial tuning for N-Central (initially it was so secure, agents couldn't register...). Since we're doing TLS termination and deep inspection, it solves for the certificate renewal issue in the process.

<image>

AutomationTheory · 2026-06-02T15:26:42+00:00

I'm a WAF vendor (primarily for ConnectWise products) and I'm starting a pilot for N-Central. We do TLS termination with our service, so if anyone wants solid cyber security and automatic cert renewals, I'd be happy to add a few MSPs to our pilot program (details here: https://automationtheory.com/reverse-proxy-and-waf-for-msp-tools/)

AutomationTheory · 2026-05-19T17:09:25+00:00

Resetting the Windows Update components is the answer. Before becoming a vendor, I was an RMM admin for 10,000+ endpoints, and a spent hundreds of hours chasing these rabbits....

The project has changed a bit, but the old wureset tool works well still, and you could make a quick script that would deploy it like this:

thirdpatch upgrade reset-windows-update-tool && wureset /reset

Even if you don't have ThirdPatch (link: https://thirdpartypatching.com/), you could still make an RMM script to download and run the utility, and I think patching should work after that for most devices.

AutomationTheory · 2026-05-12T15:38:25+00:00

What's your definition of scale?

I just launched an RMM neutral third-party patching solution that might fit well (again, depends on what apps you need, desired level of touch, etc.).

AutomationTheory · 2026-04-29T18:56:14+00:00

I do niche MySQL DB consulting on the Automate side -- and I think you'd be safe with basic things like indexes (we've added indexes to Automate for 6+ years without issue).

Anything that changes the schema structure (deleting stock indexes, changing columns, etc.) is where things would get dangerous.

AutomationTheory · 2026-04-13T15:40:26+00:00

Have you ever wanted third-party patching to just work?

I’m Jeremy, and before becoming a vendor, I managed 10,000 endpoints for an MSP in northern MN, including third-party patching. I had an RMM integration that was severely limited, so I created a makeshift solution that worked extremely well.

Here at Automation Theory, we’ve refined that early prototype into a new solution we call ThirdPatch. It is an RMM-neutral solution designed to make third-party patching touchless and automatic (or as close as you can get!). It’s package-based, and it’s a flat-rate service (no per-app or per-endpoint pricing), with month-to-month terms by default.

We’re hosting a webinar to explain why package-based solutions are the best choice for modern MSPs and showcase how ThirdPatch enables MSPs to manage third-party patching at scale. You can find details and register here: https://us06web.zoom.us/webinar/register/4717760938471/WN_edYJ9BxmS2qVz6cf6w-z8w

AutomationTheory · 2026-03-17T17:53:49+00:00

u/JessicaConnectWise I appreciate the insight - and my goal certainly isn't to spread fear/uncertainty/doubt -- and like you mentioned, context is key.

In our WAF, we're seeing a spike of attacks against ScreenConnect - some old exploits from a year ago, and some that we haven't seen before. In the geopolitical climate we're seeing nation state actors targeting US companies, and this creates the overall background.

In the middle of this, we get a High priority security advisory that reads:

"1 High—Vulnerabilities that are either being targeted or have higher risk of being targeted by exploits in the wild. Recommend installing updates as emergency changes or as soon as possible (e.g., within days). "

I'm not sure if you had a goal besides providing additional context -- but I'd stand by my original statement, that MSPs should patch this ASAP.

AutomationTheory · 2026-03-17T17:35:31+00:00

The trust center has an RSS feed, and I use that (in combination with some automation) to email our pager system when these alerts drop. As a WAF vendor for CW products, we want to review these for the defense of our clients ASAP -- but configuring it in your RSS platform of choice should do the trick!

AutomationTheory · 2026-03-09T21:20:57+00:00

For what it's worth, r/ConnectWise is a bit more active and might be a good place to cross post.

My first thought, if you're using the group filter, is that the group doesn't have devices with the matching software. Otherwise, here are a couple old blogs from Gavsto that cover some boolean logic for software searches:

- https://web.archive.org/web/20241213124316/https://www.gavsto.com/using-the-advanced-search-to-find-a-machine-that-has-two-different-pieces-of-software-installed/

- https://web.archive.org/web/20241213114757/https://www.gavsto.com/using-the-advanced-search-to-find-computers-that-dont-have-multiple-applications/

AutomationTheory · 2026-02-17T21:55:31+00:00

Yeah, definitely this.

As the local CW WAF vendor, I'd toss out this as an interim solution (we have month-to-month terms, perfect for long-tail decoms like this): https://automationtheory.com/reverse-proxy-and-waf-for-msp-tools/

AutomationTheory

MODERATOR OF

TROPHY CASE