Open and understand the Patch and Compliance tool

(Are you looking for information on the new Patch Automation tool? Click here.)

The Patch and Compliance tool, like all other Ivanti tools, is opened from either the Tools menu or the Toolbox and can be docked, floated, and tabbed with other open tool windows.

To open the Patch and Compliance tool, click Tools > Security and Compliance > Patch and Compliance.

The pane on the left shows a tree view of security type definition and detection rule groups.

The pane on the right displays information associated with what is selected in the tree view. When you have Patch and Compliance selected, you can view a dashboard of reports. When other items are selected, it displays a list of the selected group's definition details and a Find feature for searching in long item lists.

In the Find box, the following extended characters are not supported: < > ' " !

IMPORTANT: Patch and Compliance right
In order to access the Patch and Compliance tool, users must either be a Ivanti Administrator, or have the Patch and Compliance right. For more information about user roles and rights, see Role-based administration overview.

ClosedToolbar buttons

The Patch and Compliance tool window contains a toolbar with the following buttons:

All types: Displays the type of content you want to view. When you select Antivirus, it lists downloaded scanner detection definitions only. It does not list specific Ivanti Antivirus virus definition files.

Global (all devices): Limits the items displayed to a specific scope.

All items: Filters the displayed items based on a custom filter. For information on creating and using a custom filter, see Customize item lists with filters.

Download updates: Opens a dialog box where you can specify the security content you want to download. This includes selecting the platforms and languages, as well as which security content server to access. You can also configure whether to place definitions in the Unassigned group, whether to download associated patches concurrently, the location where patches are downloaded, and proxy server settings.

ClosedCreate a task: Includes a drop-down list where you can select which type of task you want to create:

Security scan: Lets you create a security scan task, specify whether the scan is a scheduled task or a policy, and select security scanner display options, reboot and interaction behavior, and the content types scanned for.

Compliance scan: Lets you create a security scan task that specifically checks target devices for compliance with your current security policy as defined by the contents of the Compliance group.

Change settings: Lets you create a task that changes the default settings on a managed device by writing the specified settings ID to the local registry. You can use this task as a quick and convenient way to change only the settings you want to without having to redeploy a full device agent configuration.

Reboot: Lets you create a device reboot task and select scan and repair settings that determine display and interaction behavior. Note that only the options on the reboot page of the dialog box apply to this task.

Repair: Lets you create a security repair task that remediates detected security exposures on scanned devices. You can configure the repair as a scheduled task or as a policy or both, divide the repair task into separate staging and repairing phases, select scan and repair settings, and download patches. Note that one or more repairable security definitions must first be selected in order to create a repair task.

Gather historical information: Lets you create a task that gathers the current scanned and detected counts (for a specified number of days) that can be used for reporting. You can also create and configure a scheduled task that performs the same action.

ClosedConfigure settings: Includes a drop-down list where you can select which type of settings you want to configure, change, or update:

Agent settings: Lets you create, edit, copy, and delete agent settings. Agent settings determine whether the security scanner displays on devices while running, reboot options, user interaction, and the content types scanned.

Definition group settings: Lets you create, edit, copy, and delete Definition group settings to automate security content downloads.

Alert settings: Lets you configure global security alerts.

Core settings: Lets you manage scan results, autofix retry preferences, and rollup core configuration.

Permissions: Lets you view the current user's Patch and Compliance console permissions. You can also adjust how the console interprets "edit" and "edit public" permissions.

Manage tags: Lets you create, edit, and delete tags to organize patch content.

Display dashboard in a separate window: Opens the Patch and compliance dashboard, allowing you to view and organize charts that display patch information.

Import definitions: Allows you to import an XML file containing custom definitions.

Export definitions: Allows you to export a custom definition as an XML file.

Scan information: Lets you view detailed patch and compliance activity and status information, by categories such as recently scanned and definition severity, for all of your managed devices.

Computers out of compliance: Lists devices that have been scanned to check for compliance with the predefined compliance security policy (based on the content of the Compliance group), and are determined to be unhealthy or out of compliance.

Refresh: Updates the contents of the selected group.

Add: Depending on what is selected in the tree, creates a new chart, custom definition, or tag. If the selected item in the tree is allowed to create a custom definition, it adds a custom definition. If Patch and Compliance is selected, it adds a new chart. If Tags is selected, a new tag is created.

Properties: Displays the properties of the selected chart, group, or definition.

Delete selected items: Removes the selected items from the core database.

Purge patch and compliance definitions: Lets you specify the platforms and languages whose definitions you want to remove from the core database. Only a Ivanti Administrator can perform this operation.

Disable replaced rules: Lets you select how you want replaced rules to be handled. Replaced rules are rules that are superceded by other definitions in your environment.

Help: Opens the help to the Patch and Compliance section.

ClosedAll items (definitions in the tree view)

The root object of the tree view contains all of the security types, such as vulnerabilities, spyware, security threats, blocked applications, and custom definitions.

The All types object contains the following subgroups:

Scan: (For the Blocked Applications type, this group is called Block.) Lists all of the security definitions that are searched for when the security scanner runs on managed devices. In other words, if a definition is included in this group, it will be part of the next scan operation; otherwise, it won't be part of the scan.

By default, collected definitions are added to the Scan group during a content update. (IMPORTANT: Blocked applications are added to the Unassigned group by default.)

Scan is one of the three possible states for a security definition, along with Do not scan and Unassigned. As such, a definition can reside in only one of these three groups at a time. A definition is either a Scan, Do not scan, or Unassigned and is identified by a unique icon for each state (question mark [?] icon for Unassigned, red X icon for Do not scan, and the regular vulnerability icon for Scan). Moving a definition from one group to another automatically changes its state.

By moving definitions into the Scan group (drag one or more definitions from another group, except the Detected group), you can control the specific nature and size of the next security scan on target devices.

CAUTION: Moving definitions from the Scan group
When you move definitions from the Scan to the Don't Scan group, the information about which devices detected those definitions is removed from the core database and is no longer available in either the definition Properties dialog boxes or in the device Security and Patch Information dialog boxes.

Detected: Lists all of the definitions detected by security scans, for all of the devices included in the scans. The contents of this group are cumulative based on all the security scans run on your network. Definitions are removed from this group only by being successfully remediated, being removed from the Scan group and running the scan again, or by actually removing the affected device from the database.

The Detected list is a composite of all detected security definitions found by the most recent scan. The Scanned and Detected columns are useful in showing how many devices were scanned, and on how many of those devices the definition was detected. To see specifically which devices have a detected definition, right-click the item and click Affected computers.

Note that you can also view device-specific information by right-clicking a device in the network view, and then clicking Security and Patch > Security and Patch Information.

You can only move definitions from the Detected group into either the Unassigned or Do not scan groups.

Note that in addition to having a definition's detection rules enabled, its corresponding patch executable file must also be downloaded to a local patch repository on your network (typically the core server) before remediation can take place. The Downloaded attribute indicates whether the patch associated with that rule has been downloaded.

Do not scan: (For Blocked Applications, this group is called Do not Block.) Lists all of the definitions that aren't searched for the next time the security scanner runs on devices. As mentioned above, if a definition is in this group, it can't be in the Scan or Unassigned group. You can move definitions into this group in order to temporarily remove them from a security scan.

Unassigned: Lists all of the definitions that do not belong to either the Scan or Do not scan groups. The Unassigned group is essentially a holding area for collected definitions until you decide whether you want to scan for them or not.

To move definitions, drag one or more from the Unassigned group into either the Scan or Do not scan groups.

New definitions can also be automatically added to the Unassigned group during a content update by selecting the Put new definitions in the Unassigned group option on the Download updates dialog box.

View by product: Lists all of the definitions organized into specific product subgroups. These subgroups help you identify definitions by their relevant product category.

View by vendor: Lists all of the definitions organized into specific product subgroups. These subgroups help you identify definitions by their relevant vendor.

You can use these product subgroups to copy definitions into the Scan group for product-specific scanning, or copy them into a custom group (see below in order to perform remediation for groups of products at once).

Definitions can be copied from a product group into the Scan, Do not scan, or Unassigned group, or any of the user-defined custom groups. They can reside in platform, product, and multiple custom groups simultaneously.


A group allows you to perform actions (such as a targeted scan, repair task, or a query) for a specific set of definitions. For example, you may choose to set up a Ready for Repair group that contains patches that are have been tested and are ready to be applied.

A definition can belong to more than one group at a time. Adding a definition to a group does not change its status in a Scan or Do not scan folder. However, you can perform tasks for that group that will move the definition.

The Groups object contains the following default subgroups:

Custom Groups: Lists the groups you've created and the definitions they contain. My custom groups provide a way for you to organize security definitions however you want.

To create a custom group, right-click My custom groups (or a subgroup) and then click New Group.

To add definitions to a custom group, drag one or more of them from any of the other definition groups. Or, you can right-click a custom group, and then click Add Definition.

Predefined groups: Lists any predefined vulnerability definition groups as determined by the Ivanti® Endpoint Security for Endpoint Manager content subscription. For example, this group might contain industry published definitions such as the SANS Top 20, which are the top 20 vulnerability definitions identified and published by Microsoft.

Alert: Lists all of the definitions that will generate an alert message the next time the security scanner runs on devices.

Compliance: Lists all of the definitions that are used to determine whether a device is Healthy or Unhealthy. The definitions and associated patch files contained in the Compliance group are copied to a special remediation server that scans devices, determines compliance or non-compliance, and can remediate non-compliant devices so that they can be granted full access to the corporate network. When you run a Compliance scan using the Create a task button, it uses the definitions in this group.


Tags are a way to organize definitions. A definition can have multiple tags associated with it. Create a filter or query to view the details of definitions that have been tagged.

No actions are taken based on tags. If you want to organize definitions and then take actions based on the groupings, use a group instead of a tag. A rollout project may edit the tags associated with a definition, but it does not take action based on the tag state.

Manage tags by clicking Configure settings > Manage tags.

ClosedDetection rules

The Detection rules object only appears in the tree when you have selected Vulnerability or Custom definition as the type. This object displays the detection rules associated with definitions.

IMPORTANT: Security definition types that use detection rules
These rules define the specific conditions (of the operating system, application, file, or registry) that a definition checks for in order to detect the associated security risk. Definitions (i.e., content types) that use detection rules include vulnerabilities and custom definitions. Spyware and blocked applications do not use detection rules.

The Detection rules group contains the following subgroups:

Scan: Lists all of the detection rules that are enabled for security scanning on devices. Detection rules are automatically added to this list when you update patch content.

Do not Scan: Lists all of the detection rules that are disabled for security scanning on devices. Some definitions have more than one detection rule. By disabling a detection rule, you can ensure that it won't be used to scan. This can simplify a security scan without redefining the definition.

View by Product: Lists all of the detection rules for collected definitions, organized into specific product subgroups. These subgroups help you identify detection rules by their relevant product category.

You can use these product subgroups to perform group operations.

NOTE: For more information on the Dashboard, see Dashboard editor.