
Understanding Auto-Remediation

Overview

This article explains what you need to know when considering and setting up patch auto-deployment, automatic software installation, or uninstallation using GFI LanGuard. For the steps needed to configure Auto-Remediation, please refer to the following article

Introduction

Automatic patch deployment works for both Microsoft and non-Microsoft patches. Like all other auto-remediation operations, it follows the process described in the Patch Deployment Process in GFI LanGuard article.

Note: This also means that all actual remediation operations are always performed by the LanGuard server (main installation), never by the Agent. Auto-remediation is performed right after the scan is completed.

That is, when a machine is scanned using the LanGuard Agent with automatic patch deployment enabled, the process is as follows:

  1. The Agent performs a scan using the configured Scanning profile.
  2. Once the scan is completed the Agent passes the scan result to the LanGuard server.
  3. The LanGuard server evaluates the result and checks if:
    • The scan result contains information about missing patches, and
    • Automatic patch deployment is enabled for this machine, and
    • The patches are approved
  4. If all conditions are true the LanGuard server initiates the deployment.

Review the following notes before enabling and configuring Auto-Remediation options and Patch Auto-Deployment. They will help you make informed decisions about deployment automation settings.

Description

Installing Software

  • Always test patches in a test environment before applying them to production systems. Windows patches may work well in isolation, but there is always a possibility for incompatibilities between a patch and other software.
  • By default, Microsoft updates are not enabled for automatic deployment. Manually approve each patch (as it is tested), or set all Microsoft updates as approved if you have weighed that decision carefully.
  • When going the manual approval route, check the issues that Microsoft knows about for each patch. 
  • Keep up with news from third-party patch monitoring sites.

Note: It is not recommended to use Auto-remediation for feature updates.

Uninstalling Software

To uninstall software, a three-stage process is required in order to identify whether the selected application supports silent uninstall:

| Stage | Description |
|---|---|
| Stage 1 | Select the application to auto-uninstall. |
| Stage 2 | Ensure that the application supports silent uninstall. Test this by trying to remotely uninstall the application. This is the validation process. |
| Stage 3 | Set up a scheduled audit that will remove the unauthorized application. This is done automatically (using agents) or manually (agentless approach). |

Auto-remediation and uninstallation of unauthorized applications only work with scanning profiles that detect missing patches and/or installed applications.

 

 

  1. Priyanka Bhotika
