Using Autofix
Autofix remediates a vulnerability during the detection scan, at the moment the vulnerability is detected, so there is no need to create a separate remediation task. If a patch requires a reboot, the target device always reboots automatically. By default, if the agent attempts to autofix a patch and the attempt fails, the agent does not retry.
Autofix is generally used after a patch has been thoroughly tested and the administrator is confident that it won't negatively affect users. The feature is available for vulnerabilities, spyware, Ivanti software updates, and custom definitions.
Autofix must first be enabled in agent settings and then configured for each definition. When you create a task for downloading definitions, you can use a definition filter to enable Autofix automatically when a definition is downloaded.
IMPORTANT: Requirements for using Autofix
Only Administrators or users with the Patch Manager right and the default All Devices scope can enable the Autofix feature.
The Windows agent, Windows Server agent, and Windows Embedded Standard agent all have an option in agent configuration that overrides what is in the agent settings. By default, Windows Server agents are set to Never autofix. If autofix isn't working when you expect it to, investigate whether the Never autofix option is enabled in Agent Configuration > Standard Ivanti agent.
Endpoint Manager 2022 SU4 added options to enable or disable autofix when a vulnerability revision changes after a content update. You can set this globally in Tools > Configure > Security and Compliance by clicking Configure > Core settings on the toolbar. When the option is disabled and a vulnerability's revision changes, autofix is disabled for that vulnerability and an alert is sent. Once you have evaluated the revision, re-enable autofix for that vulnerability on the Autofix tab of the vulnerability's Properties page.
To enable Autofix in agent settings:
1. Click Tools > Configuration > Agent settings.
2. Select an existing Distribution and Patch agent setting, or right-click Distribution and Patch in the tree and select New.
3. Select Patch-only settings > Scan options.
4. Enable the Enable autofix option at the bottom of the page.
5. Save your changes.
To configure Autofix for a downloaded definition:
1. Click Tools > Security and Compliance > Patch and Compliance.
2. Drag a downloaded definition to one of the Scan > Autofix folders in the tree view, or right-click the definition and select Autofix.
To enable Autofix automatically when definitions are downloaded:
1. Click Tools > Security and Compliance > Patch and Compliance.
2. In the toolbar, click Download updates.
3. Select the definitions that you want to use autofix for.
4. Click the Definition download settings button (on the Updates tab).
5. In the Definition download settings dialog, click New.
6. In the Definition filter properties dialog, click the Autofix tab.
7. Enable the Assign Autofix option.
8. Configure the other download settings and save your changes.
To set how many times the agent retries a failed Autofix:
1. Click Tools > Security and Compliance > Patch and Compliance.
2. In the toolbar, click the Configure settings button and then click Core settings.
3. In the Autofix retry count section, specify the number of times to attempt an Autofix, or allow the agent to retry indefinitely.
4. Click OK.
To set how Autofix is handled when a vulnerability's revision changes:
1. Click Tools > Security and Compliance > Patch and Compliance.
2. In the toolbar, click the Configure settings button and then click Core settings.
3. In the Autofix settings for revision changed vulnerabilities section, select the vulnerability revision handling option you want.