This article explains things that are important to know when considering and setting up patch auto-deployment, automatic software installation, or de-installation using GFI LanGuard. For the steps needed to configure Auto-Remediation, please refer to the following article
Automatic patch deployment works for both Microsoft and non-Microsoft patches. It, as well as all the rest of the auto-remediation operations, follows the same process as described in Patch Deployment Process in GFI LanGuard article.
Note: However, that also means that all the actual remediation operations are always performed by the LanGuard server (main installation), never by the Agent. Auto-remediation is performed right after the scan is completed.
Ie. when scanning a machine using the LanGuard Agent and enabling automatic patch deployment, the process will be as follows:
- The Agent performs a scan using the configured Scanning profile.
- Once the scan is completed the Agent passes the scan result to the LanGuard server.
- The LanGuard server evaluates the result and checks if:
- The scan result contains information about missing patches, and
- Automatic patch deployment is enabled for this machine, and
- The patches are approved
- If all conditions are true the LanGuard server initiates the deployment.
There are important notes that you may need to consider before enabling and configuring Auto-Remediation options and Patch Auto-Deployment. Studying them will help you to make informed decisions regarding deployment automation settings.
- Always test patches in a test environment before applying them to production systems. Windows patches may work well in isolation, but there is always a possibility for incompatibilities between a patch and other software.
- By default, Microsoft updates are not enabled for automatic deployment. Manually approve each patch (as it is tested) or set all Microsoft updates as approved, if you are making a weighted decision about it.
- When going the manual approval route, check the issues that Microsoft knows about for each patch.
- Keep up with news from third-party patch monitoring sites.
Note: It is not recommended to use Auto-remediation for feature updates.
To uninstall software, a three-stage process is required in order to identify whether the selected application supports silent uninstall:
|Stage 1||Select the application to auto–uninstall.|
|Stage 2||Ensure that the application supports silent uninstall. Test this by trying to remotely uninstall the application. This is the validation process.|
|Stage 3||Set up a scheduled audit that will remove the unauthorized application. This is done automatically (using agents) or manually (agentless approach).|
Auto-remediation and uninstallation of unauthorized applications only work with scanning profiles that detect missing patches and/or installed applications.