This article describes the available options for Automatic Remediation and the instructions to follow in order to configure these auto-remediation options.
Automatic Remediation allows you to automatically perform the following actions during scheduled operations:
- download and deploy missing patches
- download and deploy missing service packs and update rollups
- uninstall unauthorized applications.
It is possible to configure certain actions before and after the remediation, like whether or not to display a warning message, wait for user approval, or stop services. You also have the option to reboot or shutdown the system after remediation.
Auto-remediation can be configured both for the Agent scheduled scans and Interactive Scheduled Scans. These Scans have the same auto-remediation options available, the only difference is the steps to reach the Auto remediation settings.
NOTE: Please review the Auto-Remediation Considerations article first. There are important notes that you may need to consider before enabling and configuring auto-remediation.
- Launch GFI LanGuard.
- Go to the Dashboard or Remediate tab. From the Computer Tree, right-click a computer/computer group and select Properties, Agent Status tab, and from the Auto remediation settings, click on Change settings.
When Creating, Editing, or Configuring an Interactive Schedule Scan you will eventually reach the same Auto remediation settings window.
- Select the actions to take after receiving the scan results and click on Configure auto-remediation options.
- Configure the Before Deployment options.
Option Description Wake up offline computers Start computers if they are turned off. For more information refer to Configuring Wake-on-LAN on scan targets. Warn user before deployment (show message) Display a message on the target machine to warn the user before deploying software. Wait for user’s approval Wait for the user’s approval before deploying software. Messages Click Messages to select the end-user computer language and define the warning message. For more information refer to Configuring auto-remediation messages. Stop services before deployment You can choose to stop certain services before the deployment. Services Click Services to specify the list of services to stop before the deployment and in what order to stop them. Administrative shares Make a copy of the software on the default network shares. Custom shares Make a copy of the software in a custom share. Key–in the folder name in the text box.
- Configure the After Deployment options.
The following table describes the options available from the After Deployment tab:
Option Description Do not reboot/shut down the computers Leave scan targets turned on after remediating vulnerabilities, even if patches require a reboot to be installed completely. Reboot the target computers (only if required) GFI LanGuard reboots a target machine only if at least one patch requires a reboot. If no patches require a reboot, a reboot is not executed. Reboot the target computers Always reboots computers after remediating vulnerabilities. Shut down the target computers Target machines shut down after deploying software. Immediately after deployment Reboots/shuts down computers immediately after remediating vulnerabilities. At the next occurrence of Specify the time when the computers reboot/shut down. When between Enables you to specify time and day values. If the remediation job is completed between the specified times (start time and end time), the computers reboot/shut down immediately. Otherwise, the reboot/shut down operation is postponed until the next entry into the specified time interval. Let the user decide Click Preview to view a screenshot of the dialog in the user manual. This dialog opens on the end user's computer after remediating vulnerabilities. Show notification before shut down for Enter a custom message to show on the end user’s computer for a specified number of minutes before reboot/shut down. Delete copied files from remote computers after deployment
Deletes the downloaded patches/service packs after they are deployed.
Run a patch verification scan after deployment
Verifies deployed patches, scanning target(s) when the deployment process is complete.NOTE:
- If the user chooses to reboot the computer after the deployment, the Patch Verification Scan occurs after the machine was restarted.
- If the user chooses to shut down the computer after deployment, the computer will be restarted and the Patch Verification Scan will shut down the computer.
- (optional) Configure the Advanced options.
The following table describes the options available from the Advanced tab:
Option Description Number of deployment threads
Specify the maximum number of processing threads allowed to start when deploying software updates. The number of threads determines the number of concurrent deployment operations an agent can handle.
Deployment timeout (seconds)
Specify the time (in seconds) an agent attempts to deploy an update. If the specified time is exceeded, the agent stops the unresponsive deployment and starts a new deployment thread.
This feature enables you to stop the process thread so that if an update is taking longer than normal deployment time, the remediation operation continues without jeopardizing the rest.
Deploy patches under the following administrative account Use a custom administrative account to log and deploy patches on target machines. The account selected must have Log–on as service privilege on the target computers.
- Click on OK to apply the changes.