Using Autofix

Autofix enables you to remediate a vulnerability during the same detection scan that detects it, so there is no need to create a separate remediation task. If a patch requires a reboot, the target device always reboots automatically. By default, if the agent attempts to autofix a patch and the attempt fails, the agent does not retry.

Autofix is generally used after a patch has been thoroughly tested and the administrator is confident that it won't negatively affect users. The feature is available for vulnerabilities, spyware, Ivanti software updates, and custom definitions.

Autofix has to be enabled in agent settings, and then configured for each definition. When you create a task for downloading definitions, you can use a filter to enable Autofix when a definition is downloaded.

IMPORTANT: Requirements for using Autofix
Only Administrators or users with the Patch Manager right and the default All Devices scope can enable the Autofix feature.

The Windows agent, Windows Server agent, and Windows Embedded Standard agent all have an option in agent configuration that overrides what is in the agent settings. By default, Windows Server agents are set to Never autofix. If autofix isn't working when you expect it to, investigate whether the Never autofix option is enabled in Agent Configuration > Standard Ivanti agent.

Endpoint Manager 2022 SU4 added options to enable or disable autofix when a vulnerability's revision changes after a content update. You can set this globally in Tools > Configure > Security and Compliance by clicking Configure > Core settings on the toolbar. When this option is disabled and a vulnerability's revision changes, the autofix setting for that vulnerability is disabled and an alert is sent. Once you have evaluated the new revision, re-enable autofix for that vulnerability on the vulnerability's Properties page (Autofix tab).
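The rules on this page interact in a fixed order: the agent configuration's Never autofix option overrides the agent settings, the agent settings must have Autofix enabled before any per-definition setting matters, and a content update can switch a definition's autofix off again. The following is an added example, written for this page rather than taken from Ivanti's product or documentation, that models those rules so an administrator can reason about why a definition was or was not remediated. All class, field and function names (AgentConfig, AgentSettings, CoreSettings, Definition, autofix_decision, apply_content_update, run_detection_scan) are assumptions made for illustration; the sample definitions and device types are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed model of the Autofix rules described above. Not Ivanti's code;
# every name below is an assumption made for illustration only.


@dataclass
class AgentConfig:
    """Per-agent option from Agent Configuration > Standard Ivanti agent."""
    agent_type: str
    never_autofix: bool  # when True, overrides whatever the agent settings say


@dataclass
class AgentSettings:
    """Agent settings, where Autofix has to be enabled first."""
    autofix_enabled: bool


@dataclass
class CoreSettings:
    """Core setting (Endpoint Manager 2022 SU4) for revision changes after a content update."""
    keep_autofix_on_revision_change: bool


@dataclass
class Definition:
    """A downloaded definition with its own per-definition Autofix setting."""
    definition_id: str
    revision: int
    autofix: bool
    requires_reboot: bool = False


def default_agent_config(agent_type: str) -> AgentConfig:
    """Windows Server agents default to 'Never autofix'; other Windows agents do not."""
    return AgentConfig(agent_type=agent_type, never_autofix=(agent_type == "Windows Server"))


def autofix_decision(config: AgentConfig, settings: AgentSettings,
                     definition: Definition) -> Tuple[bool, str]:
    """Return (applies, reason). Checks run in precedence order, so the reason
    names the first setting an admin should look at when autofix does not happen."""
    if config.never_autofix:
        return False, (f"{config.agent_type} agent: 'Never autofix' is set in Agent Configuration "
                       "and overrides the agent settings")
    if not settings.autofix_enabled:
        return False, "Autofix is not enabled in agent settings"
    if not definition.autofix:
        return False, (f"Autofix is not enabled on definition {definition.definition_id} "
                       "(Properties > Autofix tab)")
    return True, f"definition {definition.definition_id} is remediated during the detection scan"


def apply_content_update(core: CoreSettings, definition: Definition,
                         new_revision: int, alerts: List[str]) -> Definition:
    """Model the SU4 behaviour: if the revision changes and the core setting is disabled,
    the definition's autofix is switched off and an alert is recorded. Returns a new
    Definition; the original is returned unchanged when the revision did not change."""
    if new_revision == definition.revision:
        return definition
    updated = Definition(definition.definition_id, new_revision,
                         definition.autofix, definition.requires_reboot)
    if definition.autofix and not core.keep_autofix_on_revision_change:
        updated.autofix = False
        alerts.append(f"autofix disabled for {definition.definition_id}: revision "
                      f"{definition.revision} -> {new_revision}; evaluate and re-enable")
    return updated


def run_detection_scan(config: AgentConfig, settings: AgentSettings,
                       definitions: List[Definition], detected_ids: Set[str]) -> Dict[str, dict]:
    """Simulate one scan: for each detected definition, record whether it was remediated
    in that same scan, whether the device rebooted (only when the patch requires it), and
    the reason. A failed attempt is not retried by default, so one attempt is recorded."""
    results: Dict[str, dict] = {}
    for d in definitions:
        if d.definition_id not in detected_ids:
            continue
        applies, reason = autofix_decision(config, settings, d)
        results[d.definition_id] = {
            "remediated": applies,
            "rebooted": applies and d.requires_reboot,
            "retry_on_failure": False,
            "reason": reason,
        }
    return results


if __name__ == "__main__":
    # Constructed sample: two definitions detected on a workstation and a server.
    defs = [Definition("VULN-A", 1, True, requires_reboot=True), Definition("VULN-B", 1, False)]
    for agent_type in ("Windows", "Windows Server"):
        cfg = default_agent_config(agent_type)
        for def_id, r in run_detection_scan(cfg, AgentSettings(True), defs, {"VULN-A", "VULN-B"}).items():
            print(agent_type, def_id, r["remediated"], r["rebooted"], "-", r["reason"])
    alerts: List[str] = []
    updated = apply_content_update(CoreSettings(False), defs[0], 2, alerts)
    print(updated, alerts)
```

The precedence order in autofix_decision is the same order the page suggests for troubleshooting: check the agent configuration's Never autofix option first (the Windows Server default), then the agent settings, then the definition's own Autofix tab. Feeding a content update through apply_content_update shows why a definition that autofixed last week may silently stop after a revision bump when the core setting is disabled, with the alert as the signal to re-evaluate and re-enable it.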