Endpoint Central periodically scans the systems in your network to identify missing patches. These include both operating system patches and third party application patches applicable to each system. Patches are released with severities ranging from Low to Critical. Based on the severity of the missing patches, Endpoint Central classifies each system into one of three categories so that the health status of the systems in the network can be identified quickly. The health status of a system is calculated from its missing security updates and third party updates, so it is recommended to deploy all security and third party updates to keep systems healthy. If you do not want a specific missing patch to affect a system's health status, you can decline that patch; declined patches are not considered in the System Health Status calculation.
Based on the severity of the missing patches, the systems are categorized as Healthy, Vulnerable and Highly Vulnerable. The default health policy will be as follows:
Healthy Systems are those that have up-to-date patches installed.
Vulnerable Systems are those that have missing patches in "Moderate" or "Low" severity levels.
Highly Vulnerable Systems are those that have missing patches in "Critical" or "Important" severity levels.
NOTE - The patches that are declined will not be considered for arriving at the system health status. You can also choose to exclude all third party patches from system health calculation.
You can customize the criteria used to determine the health of a system by specifying, for each severity level, the number of missing patches at which a system is rated as highly vulnerable or as vulnerable. A value of 0 means that severity is not considered for that rating. Refer to the example below:
Criteria specified to mark a computer as highly vulnerable:
3 or more Critical patches are missing
3 or more Important patches are missing
0 Moderate patches are missing (not considered)
0 Low severity patches are missing (not considered)
Criteria specified to mark a computer as vulnerable:
2 or more Critical patches are missing
1 or more Important patches are missing
1 or more Moderate patches are missing
0 Low severity patches are missing (not considered)
Based on the above criteria, the highly vulnerable rule is checked first: if 3 or more critical patches (or 3 or more important patches) are missing, the system is marked as highly vulnerable. If only 2 critical patches are missing, it is marked as vulnerable. If 1 critical patch is missing, the system is considered healthy, because neither rule sets a threshold that low. If 5 moderate severity patches are missing, the system is marked as vulnerable. If 10 low severity patches are missing, the system is still considered healthy, since you have not specified a number for low severity patches in either rule.
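The rating logic described above, as an added Python example (not Endpoint Central's own code): a threshold of 0 means the severity is ignored, the highly vulnerable rule is evaluated before the vulnerable rule, and a small check flags vulnerable thresholds that can never fire because the highly vulnerable threshold for the same severity is equal or lower. The class and function names, the dictionary-of-counts input and the evaluation order are assumptions made for illustration; the two example rule sets are the ones listed on this page, and the default rule set reproduces the default policy described earlier.

```python
from dataclasses import dataclass

# Severity levels as reported by Endpoint Central, highest first.
SEVERITIES = ("critical", "important", "moderate", "low")


@dataclass(frozen=True)
class Thresholds:
    """Missing-patch counts per severity at which a rule fires.
    A value of 0 means that severity is not considered by this rule."""
    critical: int = 0
    important: int = 0
    moderate: int = 0
    low: int = 0

    def met_by(self, missing):
        """True if any severity with a non-zero threshold is at or above it.
        `missing` maps a severity name to the number of missing patches."""
        for sev in SEVERITIES:
            limit = getattr(self, sev)
            if limit > 0 and missing.get(sev, 0) >= limit:
                return True
        return False


# The customized criteria from the example on this page.
EXAMPLE_HIGHLY_VULNERABLE = Thresholds(critical=3, important=3)
EXAMPLE_VULNERABLE = Thresholds(critical=2, important=1, moderate=1)

# The default policy: any Critical/Important patch missing -> Highly Vulnerable,
# any Moderate/Low patch missing -> Vulnerable.
DEFAULT_HIGHLY_VULNERABLE = Thresholds(critical=1, important=1)
DEFAULT_VULNERABLE = Thresholds(moderate=1, low=1)


def health_status(missing, highly=EXAMPLE_HIGHLY_VULNERABLE,
                  vulnerable=EXAMPLE_VULNERABLE):
    """Rate a system from its counts of missing, non-declined patches.
    The highly vulnerable rule is evaluated first (assumed order), so counts
    that satisfy both rules are rated Highly Vulnerable."""
    if highly.met_by(missing):
        return "Highly Vulnerable"
    if vulnerable.met_by(missing):
        return "Vulnerable"
    return "Healthy"


def unreachable_vulnerable_thresholds(highly, vulnerable):
    """Configuration check: return the severities whose Vulnerable threshold
    can never fire, because any count reaching it already satisfies the
    Highly Vulnerable threshold for the same severity."""
    return [
        sev for sev in SEVERITIES
        if getattr(vulnerable, sev) > 0
        and 0 < getattr(highly, sev) <= getattr(vulnerable, sev)
    ]


if __name__ == "__main__":
    # The cases walked through in the text above.
    for counts in ({"critical": 3}, {"critical": 2}, {"critical": 1},
                   {"moderate": 5}, {"low": 10}):
        print(counts, "->", health_status(counts))
    # A mis-configured pair: Vulnerable at 3 critical can never be reached.
    print("unreachable:", unreachable_vulnerable_thresholds(
        Thresholds(critical=3), Thresholds(critical=3)))
```

Running the block prints Highly Vulnerable, Vulnerable, Healthy, Vulnerable and Healthy for the five cases in the text. The unreachable-threshold check is worth running whenever you edit the policy: setting the vulnerable count for a severity at or above the highly vulnerable count silently makes that part of the vulnerable rule dead, which the console does not warn about on this page.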
You can configure the settings explained above under Threats & Patches → Settings → System Health Policy.
Under Patch Severity Settings, specify the number of missing patches, per severity level, at which a system is rated as highly vulnerable or vulnerable.
Under Advanced Settings, if you wish to calculate a system's health only from approved missing patches, enable the option Consider only 'Approved Patches' to determine the System's Health. You can also choose to exclude third party patches, BIOS updates and recently released patches from the System Health calculation.
In most cases, missing third party patches carry less weight than missing operating system patches, because of the large number of third party applications and their varying relevance to the business. If you do not want system health to be determined by missing third party patches, you can configure the policy so that a system is still rated healthy when all OS patches are installed, even if one or more third party patches are missing. You can exclude all third party patches and then include only the few that matter. To exclude them, enable the option Exclude all 3rd party patches to determine the System's Health. If you wish to add exceptions so that particular third party patches are still considered in the System Health calculation, click Add Exceptions. Browsers, PDF readers and similar internet-facing third party applications are frequent targets, so consider adding them as exceptions rather than excluding third party patches wholesale.
BIOS updates are typically designed to address system hardware, firmware compatibility, stability and performance issues, and they do not necessarily relate to security vulnerabilities or software bugs in the operating system or applications. Patch system health, on the other hand, usually refers to the application of operating system, application and security patches. The significance of BIOS patches is generally lower than that of operating system patches. Hence, if you wish to exclude BIOS updates from the System Health calculation, enable the option Exclude BIOS updates to determine the System's Health. Note that some BIOS updates do fix firmware security vulnerabilities; excluding them from the health calculation only changes how systems are rated, it does not mean those updates should go undeployed.
Newly released patches often go through an internal testing and validation process within organizations, to ensure that the patch does not negatively impact the performance or stability of systems. Until a patch has been validated, it will not have been deployed to production, so counting it in the system health calculation would mark systems as vulnerable before the patch could reasonably have been applied. Hence you may exclude recently released patches from the health calculation until they have been tested and validated. By entering a number of days under the option Exclude the patches released in the last days while calculating the system's health, patches released within that window are ignored and are considered for the calculation only once they are older than the specified number of days. Keep this window short: a patch for a vulnerability that is already being exploited is hidden from health reports for the whole period, so track such patches separately rather than relying on the health status alone.
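The Advanced Settings above, as an added Python example (not Endpoint Central's own code): it applies the exclusions a practitioner would expect from the options described, declined patches first, then the approved-only, third party (with exceptions), BIOS and release-age filters, and returns the per-severity counts that feed the health rating. The patch record fields, the settings names, the sample patches and the reference date are all constructed for illustration; in particular, a patch exactly N days old is assumed to fall outside an N-day exclusion window.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class MissingPatch:
    """One missing patch as the scan reports it (constructed record layout)."""
    patch_id: str
    severity: str          # "critical", "important", "moderate" or "low"
    released: date
    product: str
    approved: bool = True
    declined: bool = False
    third_party: bool = False
    bios: bool = False


@dataclass(frozen=True)
class HealthSettings:
    """The Advanced Settings of the System Health Policy (names assumed)."""
    approved_only: bool = False                 # Consider only 'Approved Patches'
    exclude_third_party: bool = False           # Exclude all 3rd party patches
    third_party_exceptions: frozenset = frozenset()  # Add Exceptions (by product)
    exclude_bios: bool = False                  # Exclude BIOS updates
    exclude_recent_days: int = 0                # Exclude patches released in the last N days


def counts_for_health(patches, settings, today):
    """Return a Counter of missing patches per severity after applying the
    health policy exclusions. Declined patches are never counted."""
    counted = Counter()
    for p in patches:
        if p.declined:
            continue
        if settings.approved_only and not p.approved:
            continue
        if settings.exclude_bios and p.bios:
            continue
        if (settings.exclude_third_party and p.third_party
                and p.product not in settings.third_party_exceptions):
            continue
        if (settings.exclude_recent_days > 0
                and (today - p.released).days < settings.exclude_recent_days):
            continue
        counted[p.severity] += 1
    return counted


# Constructed sample data: a reference date and one system's missing patches.
TODAY = date(2024, 6, 30)
SAMPLE_PATCHES = [
    MissingPatch("p1", "critical", date(2024, 5, 1), "Windows 11"),
    MissingPatch("p2", "critical", date(2024, 6, 28), "Windows 11"),       # 2 days old
    MissingPatch("p3", "important", date(2024, 4, 1), "Adobe Acrobat Reader", third_party=True),
    MissingPatch("p4", "important", date(2024, 4, 1), "Google Chrome", third_party=True),
    MissingPatch("p5", "moderate", date(2024, 3, 1), "Windows 11", declined=True),
    MissingPatch("p6", "low", date(2024, 3, 1), "Dell BIOS", bios=True),
    MissingPatch("p7", "moderate", date(2024, 3, 1), "Windows 11", approved=False),
]

# Everything excluded except approved OS patches older than a week,
# plus Google Chrome kept in via an exception.
STRICT_SETTINGS = HealthSettings(
    approved_only=True,
    exclude_third_party=True,
    third_party_exceptions=frozenset({"Google Chrome"}),
    exclude_bios=True,
    exclude_recent_days=7,
)


if __name__ == "__main__":
    print("default :", dict(counts_for_health(SAMPLE_PATCHES, HealthSettings(), TODAY)))
    print("strict  :", dict(counts_for_health(SAMPLE_PATCHES, STRICT_SETTINGS, TODAY)))
```

With the default settings only the declined patch p5 drops out, leaving 2 critical, 2 important, 1 moderate and 1 low. With the strict settings the unapproved p7, the non-excepted third party p3, the BIOS update p6 and the two-day-old p2 are all ignored, leaving 1 critical and 1 important; under the example criteria on this page that is still enough to rate the system vulnerable, because 1 important patch is missing. The counts returned here are what the severity thresholds are applied to, so it is worth comparing both views for a few systems before tightening the exclusions.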
After configuring all the settings, click Save. The System Health of each system will be determined accordingly.