Patch management does not always function as expected; deviations such as patch deployment failures can occur. These deviations, along with other situations such as EOL systems or systems without agent contact, may require your immediate attention and are displayed under the Attention Required section. Analyze them to decide what to do next.
Click on Threats & Patches → Systems.
You can see a separate section called Attention Required, which comprises the following sections:
By clicking on this section, you can see the BIOS protection status of all the managed computers. If a computer's BIOS is password protected and its BIOS authentication credentials have been added to the Credential Manager, the BIOS Protection Status column for that computer displays Protected and Mapped. Once deployed, BIOS patching happens seamlessly without any manual intervention for Protected and Mapped computers. If the BIOS is password protected but the authentication credentials have not been added to the Credential Manager, the status is displayed as Protected and Unmapped. Unless you add the BIOS credentials to the database, manual authentication is required to proceed with the deployment whenever BIOS patching takes place. For seamless deployment without manual intervention, add the BIOS credentials to the Credential Manager: click on Admin → Global Settings → Credential Manager → Add Credentials and add the required BIOS credentials. If a computer's BIOS is not password protected, the status is displayed as Unprotected.
If any managed computer has an EOL Windows operating system installed, you can see it by clicking on EOL Systems.
Windows Legacy EOL systems: Under this section you can see the managed systems that have a Windows legacy OS installed, such as Windows Server 2012 or Windows 7. As these operating systems have reached legacy status, patching is not supported on them.
Windows 10 EOL systems: Under this section you can see the Windows 10 computers that are running EOL versions of the OS. By selecting the required computers and clicking on Install/Publish Patches, you can deploy the feature pack and upgrade to Windows 11 24H2.
Windows 11 EOL systems: Under this section you can see the Windows 11 computers that are running EOL versions of the OS. By selecting the required computers and clicking on Install/Publish Patches, you can update them to the latest version: Windows 11 24H2.
Any managed computer that fails to communicate with the agent for more than 3 days is a critical concern. You cannot know the current patching status of that computer, and it may have vulnerabilities that you are not aware of because contact has been lost. By clicking on Systems without Agent Contact, you can see details such as the last contact time, last patching time, and last successful scan time for the computers that have lost agent contact for more than 3 days. Addressing this issue requires manual intervention from your side.
Some patches require a reboot for successful deployment. However, a user working on a business-critical task might have skipped the reboot. By clicking on this section, you can see the computers for which a reboot is pending. By selecting a particular computer and clicking on Reboot, you can initiate the reboot.
On macOS systems with silicon processors, OS patching requires manual authentication, so user intervention is needed each time you deploy a patch. To overcome this, enroll the macOS system in Endpoint Central's MDM; otherwise, the system will be displayed under this section. The Remarks will be displayed as:
Not enrolled with MDM, if you have not enrolled that system in Endpoint Central's MDM.
Incomplete enrollment configuration, if the MDM enrollment in Endpoint Central has failed for that particular computer.
Enrollment with a different vendor, if you have enrolled that system with a different vendor but not with Endpoint Central.
In all three of these cases, manual user intervention is required whenever you patch macOS.
If patch deployment has failed on any computer, that computer is listed under this section. You can select the required computer and click on Deploy Failed Patch to re-initiate the deployment of the failed patch.