About Autofix and Scan by Scope changes in LDMS 9.6

Version 4

    Verified Product Versions

    Endpoint Manager 9.6Endpoint Manager 2016.x

    Overview

    Autofix and Scan by scope have been implemented to allow different computers to be scanned or autofixed by the scope(s) they are in and still use the same Distribution and Patch settings.

     

    Patch and Compliance Tree Changes

    2014-12-07 12_32_18-blah-96 - VMware Workstation.png

    The Scan tree in Patch Manager has been changed to show both global and scoped Autofix and Scan groups.

    Notice that the "All Items" has been incorporated into the root of the tree "Vulnerabilities (all items)"

     

    If you don't see a "Current Scope" option, make sure at least one scope is created and that you have selected to view the Patch and Compliance under one of those scopes.

    For example, in the screenshot above my scope is currently set to "Blah".

    If I changed the scope to "Global (all devices)" I would no longer see the Autofix (current scope) and Scan (current scope) options.

     

    Setting to Global or Current Scope

    To set a definition to Global or Current scope they can be copied and pasted into the desired category: Autofix (current scope), Autofix (global), Scan (current scope), or Scan (global).

     

    If multiple scopes are needed to be set you can open individual definitions and select multiple scopes as seen in the next section.

     

    Definition View of Scope

    2014-12-07 12_37_47-blah-96 - VMware Workstation.png

    When opening a single definition you can view the Scan or Autofix tab.

    This screen shows the current status of a definition, in this example "Scan (global)"

    The available scopes are also show with checkboxes.

     

    To enable this definition to be scanned by scope you can check the checkboxes next to the available scopes.

    Autofix tab has a similar view.

     

    Scan by Scope process

    When a computer gets vulnerability definitions from the core it will also ask the core for its list of scopes.

    The client uses this list of scopes to compare against the list of definitions it should scan.

     

    The vulnerability definitions are stored on the core server in the LDLogon\VulnerabilityData directory.

    2014-09-24 02_18_21-blah-96 - VMware Workstation.png

    The .xmlz are the compressed versions of the .xml files.

    The .xmlz is copied down by the client and put into a "mergedGetVulnerabilitiesOfType_?.<Coreserver>.xml

    The scopes will be listed in the .xml files as "Scanscopes"

     

    For example, this custom definition is set to be scanned by scope 3:

    <vulnerability Lang="INTL" Vul_ID="CD-order1" Date="1415725397" T="4">

      <Status>Available</Status>

      <ScanScopes>.3.</ScanScopes>