Skip to main content

Patch plans

Create, track, pause, and retry signature-verified patch deployments with patch plans.

A patch plan is a controlled, signature-verified deployment of one vendor fix to the devices affected by a finding. Patch plans replace ad-hoc remote scripts with audited rollouts you can pause, schedule, and retry. Open the page from Security > Patch & vulnerability > Patch plans.

The patch plans table

Each row is one plan. Columns show the Plan name and the finding it is linked to, its Severity, Status, Progress, the Devices count (succeeded out of total, with failures flagged), and when it was Created and by whom. A plan's status is one of:

  • Draft – Created but not yet started.

  • Running – Actively deploying.

  • Paused – Temporarily stopped; resume to continue.

  • Done – Completed.

  • Failed – Finished with failures that need a retry.

  • Cancelled – Stopped for good and cannot be resumed.

Creating a patch plan

Select Create patch plan to open the wizard. It walks you through four steps:

  • 1. Select finding – Choose the finding to remediate. Only findings with a vendor patch available can be selected.

  • 2. Patch source – Choose where the fix comes from: the verified Trio patch library (recommended), Upload a custom package (.pkg, .msi, .deb, or .dmg), or Run a custom script. Trio MDM will not deploy unsigned packages.

  • 3. Deployment – Set target devices (all affected, sandbox only, or specific device groups), when to start (immediately or scheduled), and the reboot policy.

  • 4. Review – Confirm the plan, then create it or save it as a draft.

For reboots you can choose Reboot immediately, Prompt user, force after 24 hours (recommended), or Reboot only in maintenance window. When the source is the patch library, the plan starts with a pre-check that verifies the patch signature and device reachability before any device is touched.

Tracking and managing a plan

Open a plan to see its detail view: overall rollout progress, a device breakdown (patched, in progress, pending, failed), the deployment settings, and a per-device Devices tab and Activity log.

Depending on status, you can Start, Pause, Resume, Cancel, Retry failed devices, or Duplicate a plan. While a plan is running its configuration is locked — pause it first to change the schedule or scope. Each device shows a status of patched, in progress, scheduled, queued, pending, failed, or excluded.

If you have any questions, please contact Trio support.

Related Articles
Vulnerability and patch management
Create Custom Command
Patch & vulnerability overview
Auto-patch
Implementing SAMA Compliance for Endpoints with Trio — Technical Overview
Did this answer your question?