Frequently Asked Questions (FAQ)

It is recommended to use the "Test and Approve" feature, which can test the patches on lab machines and then approve them automatically before deployment. We also have the patch removal/roll back option, which can be used to handle these situations.

Yes, the target machines can be defined based on system type, such as laptops and desktops. A custom group can also be created with system type as criteria.

We do support reboot scheduling in deployment policy with "Reboot Window/ Specify Reboot Time" for Force Reboot.

You can create a separate "Deployment Policy" for such requirements and get them deployed automatically.

It depends on the number of computers, the internal security requirement, and related compliance. All systems are scanned automatically after the patch database synchronization, which happens everyday at the user specified time. In addition to this, patch scan can also be initiated manually when required.

Scanning will be initiated incrementally in order to avoid bandwidth bottlenecks.

No, as the agent installed in the managed computers would have the privilege to install the patches, the regular user account can be used for patch deployment.

Endpoint Central will automatically detect the language based on the operating system.

Endpoint Central will retry to install the patch during the subsequent deployment window, and the installation status will be updated.

You can configure the Deployment Policy to schedule the patch installation and reboot/shutdown. However, if you want to shutdown after reboot, you can use the remote shutdown/reboot tool to perform this operation.

You can disable auto-updates from WSUS and install Endpoint Central agent on the computers to be managed, scan the computers and start deploying the patches.

You can create a custom group with the computers that you wanted to exclude. Decline the application by navigating to Threats & Patches -> Settings -> Decline Patch -> Decline Patch for Group and specifying the application.

You can see the “Installed Time”, against the patch, if it is installed using Endpoint Central. If you do not find the “Installed Time”, then it could be patched using automatic updates. In such cases, you will have to disable auto-updates from, Configurations -> Script Repository -> Templates tab -> Search for AutomaticUpdates.exe -> add to repository. Create a configuration, select the target computers, and deploy it.

You can customize the count of computers displayed. The changes you make will persist only for the technician and the view.

You can achieve this by using the “Deploy Immediately" option when you deploy a patch configuration. This will wake up the target computer on-demand to perform the task initiated by Endpoint Central.

You can create a dynamic custom group and choose to decline the patches for the specific application like JRE. By doing this, you can maintain multiple versions of the JRE in your network.

Refer to this article to find the list of domains, which need to be excluded.

This can be achieved by configuring the deployment policy and excluding servers from reboot. Navigate to Threats & Patches -> Deployment -> Deployment Policies -> Create Policy ->Deployment Window -> Reboot Policy -> Exclude Servers from Reboot.

This can be achieved by configuring the deployment to happen after the encryption time window. You can configure it from Threats & Patches -> Deployment -> Deployment Policies -> Create Policy -> Deployment Schedule.

You can wake up the computers and deploy the patches by configuring Threats & Patches -> Deployment -> Deployment Policies -> Create Policy -> Pre-deployment Activities -> Wake-on LAN.

Both Windows 10 and Microsoft Office 2016 are supported by Endpoint Central. You should ensure that your Patch Database is successfully synchronized in the recent past. Verify it from Threats & Patches -> Update Now -> Last Successful Vulnerability DB Update.

Yes, Endpoint Central supports managing 3rd party applications. Find the list of supported 3rd party applications.

Dynamic custom groups are evaluated on the client side during deployment based on the criteria you have defined.

Navigate to Threats & Patches -> Deployment -> Disable Automatic Updates, choose templates and disable.

When these computers connect to the network via VPN, the deployment will be initiated during the next refresh cycle (90 minutes).

Yes, most patches that have a download URL will be supported. You can get the list of patches that we support from here.

We usually support within 24 hours.

It will automatically be downloaded and installed.

Patch interdependencies and sequencing will be automatically taken care of by Endpoint Central.

No, the agent should be deployed before scanning. You can define SoM Sync Policy to automatically identify new computers added to Active Directory and install agents on them.

Under Configuration Templates, we have a template to disable windows10 creep update (Disable Windows 10 Notification).

It depends on the number of systems and patches that are maintained, maybe up-to 1 GB. It is recommended to configure patch Cleanup Settings to remove older patches automatically. This will also clean up the distribution server.

Yes, it is technically possible if all the remote offices use the same agent and if all the remote office computers can reach the Distribution Server. However, this is not applicable for Endpoint Central Cloud since every remote office needs a unique Distribution Server.

Yes, the agents will contact the server to post the failure messages. But no deployment will happen.

Yes, the ideal way to do this is to go to the All Systems View, select the computer, and install all missing patches to this computer.

Navigate to Agent --> Computers in the console interface. Create a filter for Operating System with tags "server" and "Oracle". The Red Hat Enterprise Linux OS server machines cannot be identified using the web console as its subscription has to be checked.

To deploy Older version (6,7) Java patches, refer to this page.

You can configure Patch Cleanup Settings, which will automatically remove superseded/unused patches from the patch repository.

Endpoint Central maintains a single patch store for all the patches, including Windows, Mac, Linux, and 3rd party patches. You can customize it from Threats & Patches -> Settings -> Cleanup Settings -> Patch Download Settings.

The vulnerability database will be synchronized automatically as per the built-in-scheduler. Navigate to Threats & Patches -> Settings -> Patch Database Settings -> Enable Schedule. You can verify the latest sync time from Threats & Patches -> Update Now -> Last Successful Vulnerability DB Update. However, you can sync it manually using the “Update Now” option.

Go to Threats & Patches -> Settings -> Cleanup Settings -> Patch Download Location. Against Patch Repository Location, enter the new Patch Repository's location. For example, \\machine_name\example_patch_repository.

Endpoint Central will allow you to automate the complete process. You can create an APD task, which will automatically scan computers, detect missing patches, automatically download the required patches and deploy it to the target computers. You can configure the 'Cleanup Settings' to delete the unwanted patches automatically.

You can create separate APD tasks for scanning and downloading the patches. You will find four different options, such as scan, download, draft, and deploy. You can choose any of them based on your requirement.

You can configure notification settings of the APD task which will send you the status report multiple times based on the different status including scanning, downloading and deployment of patches.

You should configure an “Automated Patch Deployment Task” and ensure that the schedule is run every day to keep your computers up-to-date.

Yes, you can use the Test & Approve feature to create a test group of computers and pilot patch deployments before rolling them out to the entire organization. This allows you to test the patches for compatibility and performance issues. You can configure automatic approval after a specified period if no issues are detected, or manually approve the patches based on test results.

It is about testing the patches before deployment. You can choose to approve the patches automatically or manually. We also have the feasibility to test the patches before approving them automatically. The tested patches can be approved automatically after a specified number of days if no failures are found. Alternatively, you can manually approve it based on the result.

You can view the status of the Automated Patch Deployment task from Threats & Patches -> Deployment -> Automate Patch Deployment. You can also generate reports of these tasks and schedule them.

The Antivirus definition updates can be scheduled by navigating to Threats & Patches -> Deployment -> Automate Patch Deployment and creating an Automated Patch Deployment task with Anti-virus Updates.

Automated patch tasks are not regular configurations. You can view the status of the You can view the status of the Automated Patch Deployment task by navigating to Threats & Patches -> Deployment -> Automate Patch Deployment. The status of the tasks can be viewed under 'Current Status'. You can also configure notification settings, by navigating to Threats & Patches -> Deployment -> Automate Patch Deployment and modifying the 'Configure Notifications' setting of the task, to receive email updates whenever there is any change in the status of the task.

“Mark As” - option will be available only when you choose to approve patches manually by navigating to Threats & Patches -> Settings -> Test & Approve and going to the specific test group. Click Patch View and approve the patches manually. If you have chosen to approve all patches automatically, all the patches will be marked as approved by default.

Yes, when you create an APD task, under scheduler select Monthly option and choose 3rd Sunday.

You might need to create 2 separate APD tasks as below to achieve this:

• Create the first task to scan the computers and schedule this at 10 AM. This will complete by 12 noon, and you will get the list of missing patches, which you can choose and approve.
• Create a second task scheduled to run at 3PM (assuming that you would approve the patches by then). For this task, define a Deployment policy with Deployment Window with start and end times as required, say start at 8 PM. Select the option “Any time agent contacts the server" for download patches from server to agent.

The second task will start at 3 PM and scan the computers again and download the necessary patches to the agents. Assuming that all the target computers are up, this will complete and keep things ready for deployment by 6 PM. The deployment will begin at the scheduled deployment window, 8 PM.

If patches are missing and not already installed, the Automatic Patch Deployment (APD) task will attempt to deploy them again. In cases where there is an installation error at the machine level, the APD task will halt after two unsuccessful attempts to deploy the patches. However, if the issue is network-related, the APD will continue retrying until the patches are successfully deployed.

Once the Click-to-Run Settings have been enabled, the Office patches will be downloaded in the server's patch store i.e. the Patch Repository Location, as specified in the server.
In the case of a Distribution Server, the Office patches will be downloaded in the specified patch repository location of both the Central Server and the Distribution Server.

To enhance bandwidth usage, users can navigate to the Office Click-to-Run Settings and can set the Download source for Distribution Servers as Microsoft CDN. Once this is done, the Office patches will directly be downloaded to the Distribution Servers from the Microsoft CDN and will result in less bandwidth usage between the Central Server and the Distribution Servers.

NOTE: If the download source is set as Microsoft CDN, the patches will be downloaded to the Distribution Servers while a copy of the patches (as ZIP) will also be downloaded to the Central Server as a backup. This ensures that the systems get continued updates without any interruption, in case there are technical glitches in the Office Click-to-Run Settings.

As of now, all the patches will be deleted from the patch repository, based on the Cleanup Settings configured. Hence, it isn't currently possible to delete these patches before 3 months.

The Office patch and size displayed on the console are that of the Office deployment tool and not the installation files. Once this executable is downloaded in the Patch Repository, this will automatically be extracted to obtain the required setup and configuration files.
The language packs and proofing tools selected in the Click-to-Run Settings will automatically be applied to the configuration files, which in turn modifies their size.

Currently, if the operating systems meet any of the following criteria, we consider them as server machines:

• If the operating systems' name contains the keyword "server"
• If the machine with Red Hat Enterprise Linux OS has a Server subscription
• If the machine has Oracle Linux OS

We recommend purchasing server licenses for any Linux machine when deploying them as servers within the organization.

Yes, Ubuntu flavors are supported.

Yes, you can pull local agent logs from remote computers and upload them to support for analysis from Support -> Create Support File.

Yes, you can create a report from Threats & Patches -> Patches -> Missing Patches and create a filter based on the “Release Date”.

The Tenable API details are required to be configured in the Endpoint Central console (one-time setup). Once the integration is set, the vulnerabilities scanned by Tenable would automatically be imported to the Endpoint Central console and the required patches will be mapped.

Once a Manual Deployment task is created in Endpoint Central and the patches are successfully deployed, a scan is required to be performed in Tenable (this can also be scheduled). This will update the latest scan results.

Yes, both the Tenable and Endpoint Central agents need to be installed on the systems. This ensures that the patches are automatically mapped to the vulnerabilities scanned by Tenable.

Since Nessus does not support APIs for integration, it is not possible to integrate it with Endpoint Central.

Upon successful integration, the details of the vulnerabilities scanned by Tenable can be imported to the Endpoint Central console. Patches can then be deployed for the required vulnerabilities by creating a Manual Deployment task. Patches would not be automatically deployed (via Automate Patch Deployment tasks) for the imported vulnerabilities.

To import data for a specific group of systems, you can create an Access Group in Tenable containing only the assets data that you intend to import. Then, you can grant Can View permissions to the created Access Group. Subsequently, use the dedicated user API key for integrating with Endpoint Central.

Patches for vulnerabilities detected by Tenable are mapped by comparing with the imported CVE information. Specifically, only patches supported by Endpoint Central will be associated with Tenable-detected vulnerabilities. Check the list of supported applications for reference. Note: Endpoint Central currently does not support patching user installed applications.

Only vulnerabilities associated with certain Tenable plugin families is imported. Additionally, vulnerability details are imported solely for systems accessible to or within the scope of the specific integrated user.

• Threats detected by Tenable, with the patch availability, will be listed under Threats & Patches > Tenable.io Threats. Users can also deploy patches for vulnerabilities from this view.

Kindly contact support for any queries.

Data is imported using the provided credentials and configurations. Additionally, the Reports API is utilized to fetch data from InsightVM.

The patches are automatically corelated by utlizing the CVE IDs associated with the vulnerabilities.

After initiating a Manual Deployment task in Endpoint Central and successfully deploying the patches, it is necessary to perform a scan in InsightVM to ensure the latest scan results are updated.

Only assets with the Endpoint Central agent installed will be listed and their corresponding vulnerabilities will be added accordingly.

This is because certain vulnerabilities have multiple patches available. You can find further instructions in the Remediation section on Rapid7.

To integrate only a specific set of computers, you can add them to the Sites -> Asset Groups section on Rapid7 for seamless integration.

Patches for vulnerabilities detected by InsightVM are mapped by comparing with the imported CVE information. Specifically, only patches supported by Endpoint Central will be associated with InsightVM detected vulnerabilities. Check the list of supported applications for reference. You can find further instructions in the Remediation section on Rapid7. Note: Endpoint Central currently does not support patching user installed applications.

The Spotlight API details must be configured in the Endpoint Central console (one-time setup). After integration, vulnerabilities scanned by Spotlight will be automatically imported into the Endpoint Central console and the required patches will be mapped.

After creating a Manual Deployment task in Endpoint Central and successfully deploying the patches, a scan must be performed in Spotlight to update the latest scan results. This scan can also be scheduled for convenience.

Yes, you need to install both the Spotlight and Endpoint Central agents on the systems. This setup ensures that the patches are automatically mapped to the vulnerabilities identified by Spotlight.

Following integration, vulnerabilities identified by Spotlight can be imported into the Endpoint Central console. Patches can then be deployed manually by creating a Manual Deployment task.

Patches for vulnerabilities detected by Spotlight are mapped by comparing with the imported CVE information. Specifically, only patches supported by Endpoint Central will be associated with Spotlight-detected vulnerabilities. Check the list of supported applications for reference. Note: Endpoint Central currently does not support patching user installed applications. Threats detected by Spotlight with available patches will be listed under Threats & Patches > Spotlight Threats. Users can also deploy patches for these vulnerabilities directly from this view.
Kindly contact support for any queries.