
Create or edit update policies to manage agent program and component versions in your environment.

Important
  • Version control policies only support endpoints with the Trend Vision One Endpoint Security agent version 202412 or later installed. For detailed information, see Version control policies agent requirements.
  • Endpoint groups not assigned to a user-created policy automatically adopt the Default policy.
  • Endpoint groups can only be assigned to one policy at a time.
  • You must enroll your Protection Manager instances to manage updates for the Server & Workload Protection or Standard Endpoint Protection endpoint protection components. For more information, see Version control policies feature enrollment.
  • Bandwidth throttling for update downloads can be configured in Endpoint Security > Endpoint Inventory > Global Settings > Sensor Settings. For more information, see Sensor Settings.
Configure version control policies to manage the agent and component updates for endpoints that have the Trend Vision One Endpoint Security agent installed and report to Trend Vision One Endpoint Inventory.

Procedure

  1. In the Trend Vision One console, go to Endpoint Security > Endpoint Security Configuration > Version Control Policies.
  2. Create or edit a policy.
    • To create a new policy, click Create Version Policy.
    • To edit a policy, find the policy you want to edit and click the name.
    The policy configuration screen appears.
  3. Specify a unique Policy Name.
    Note
    You cannot edit the policy name for the Default policy.
  4. Select one or more endpoint groups to assign to the policy.
    1. In the Endpoint group field, click the edit icon.
      The Select Endpoint Group window appears.
    2. Locate and select the endpoint group you want to add.
      Important
      • Endpoint groups can only be assigned to one policy at a time. Selecting a group that is already assigned to a policy moves that endpoint group to the new policy.
      • Selecting an endpoint group automatically selects any child groups including those already assigned to a policy. You can clear the selection for any child group you do not want to include in the new policy.
        Child groups can be assigned to a different policy than the parent group.
    3. After selecting one or more endpoint groups, click Select.
  5. Configure your priority rules.
    1. To add a new priority rule, click Add Priority and provide a name for the rule.
      New rules are automatically added to the top of the priority list as Priority 1.
    2. To change the order of your priority rules, click and drag the priority rule you want to change.
      The priority rule number changes automatically.
      For example, moving Priority 1 under Priority 3 automatically changes the original Priority 1 to Priority 3, and the old Priority 2 and Priority 3 become Priority 1 and Priority 2, respectively.
    3. To change the name of a priority rule, click the options icon next to the name and select Rename.
    4. To delete a priority rule, click the options icon next to the name and select Delete.
      Important
      You cannot delete the Default priority rule.
  6. Click the priority rule you want to configure.
  7. Configure the General settings for the selected priority rule.
    Important
    If an endpoint matches multiple priority rule criteria, the endpoint uses the highest priority rule matched.
    If an endpoint does not match any priority rule criteria, the endpoint uses the Default priority rule.
    The Default priority rule criteria is All endpoints and cannot be changed.
    1. Select the Criteria type.
    2. Specify the criteria values.
      The criteria is used to determine which endpoints within the assigned endpoint groups the priority rule applies to. The criteria value input method changes depending on which criteria type you select.

      • Criteria type: Endpoint name
        Description: The priority rule is applied to any endpoint containing at least one specified value in the endpoint name. For example, if you specify Test, the priority rule is applied to the endpoint Test01.
        Input method: Specify a value and either type a comma (,) or press ENTER to separate values.
      • Criteria type: Endpoint policy
        Description: The priority rule is applied to any endpoint assigned to the selected Server & Workload Protection or Standard Endpoint Protection policy.
        Input method: Click the edit icon to find and select endpoint policies.
      • Criteria type: IP range
        Description: The priority rule is applied to any endpoint with an IP address within one of the specified ranges.
        Input method: Specify an IP range in either IPv4 or IPv6 format. Click the add icon to add up to 200 IP ranges.
      • Criteria type: Operating system
        Description: The priority rule is applied to any endpoint with the specified operating system.
        Input method: Click the edit icon to select the OS family or a specific OS version.
      • Criteria type: Specify target(s)
        Description: The priority rule is applied to specific endpoints from the Endpoint Inventory.
        Input method: Click the edit icon to select up to 200 endpoints from Endpoint Inventory. Click the filter icon to help find the endpoints you want to target.
  8. Configure the Agent update settings for the selected priority rule.
    1. Select the Update check setting for the agent update.
      • Scheduled: The endpoint agent checks for updates.
      • Disabled: The endpoint agent does not check for updates.
    2. Select the Update policy.
      Specify the agent program version the endpoint agents update to when the agents run the scheduled update check.
      • Setting: n (latest version)
        Description: The agent always updates to the latest version available. The version listed next to this option is the current latest version. Use this setting if you want the agent to always update to the latest version when a new version is released.
      • Setting: n - 1 (previous)
        Description: The agent always updates to the previous released version. The version listed next to this option is the current previous version. Select this option if you want the agent to only update to the previous version when a new agent program version is released.
      • Setting: n - 2
        Description: The agent always updates to the next older version prior to n - 1. The version listed next to this option is the current n - 2 version. Select this option if you want the agent to always update to two versions behind the latest version when a new version is released.
      • Setting: Fixed
        Description: The agent only updates to the specified version. The agent updates to the selected version and does not continue to update past the selected version even if a newer version is released. You can select a version within the last 12 releases.
        Important
        This setting requires you to manually change the selected version when you wish to update the agent version. Older agent versions might require redeployment if they are too outdated.
      Note
      In the case that a hotfix is required to patch the latest version, the hotfix replaces the latest version and the unpatched version is made unavailable. The hotfix version keeps the same version number as the unpatched version. For example, if a hotfix for version 202412 is released, the hotfix version still shows 202412. The hotfix version is used in subsequent updates for policies set to n - 1 and n - 2.
      Occasionally, Trend Micro makes custom hotfixes available for limited regions or customers. Custom hotfixes usually have an amended version number, such as 202412A. A custom hotfix can only be selected as a fixed version. Policies set to n, n - 1, and n - 2 ignore custom hotfixes when updating.
  9. Under Component update, select the Update policy for the agent detection components.
    The endpoint agent has many different detection components which update at different times and frequencies. The update policy utilizes a series of daily snapshots to allow you to control which component versions your agents update to.
    • Setting: n (latest version)
      Description: The agents always update to the latest component versions available. This policy does not use a snapshot and instead updates to the latest component versions. Use this setting if you want your agents to always update to the latest security component releases.
    • Setting: n - 1 (one snapshot prior)
      Description: The agents always update to the snapshot from the day before the current date.
    • Setting: n - 2 (two snapshots prior)
      Description: The agents always update to the snapshot from two days before the current date.
    • Setting: n - 3, n - 4, …, n - 8
      Description: The agents always update to the snapshot from the corresponding number of days before the current date. For example, n - 5 updates to the snapshot from five days before the current date.
    Important
    Scheduling of component updates is configured in Server & Workload Protection and Standard Endpoint Protection.
    • For Standard Endpoint Protection, access the managing product server and go to Updates > Agents > Automatic Update.
      To configure update settings within the Protection Manager, see Component Updates.
    • For Server & Workload Protection, go to Endpoint Security > Server & Workload Protection > Administration > Scheduled Tasks and create a component update task.
      To configure update settings, see Apply security updates.
  10. After you have configured all of your priority rules, click Save.
    Tip
    If you are creating a new policy, make sure you configure the Default priority rule.
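
The rule evaluation and agent version selection described in steps 5 to 8 can be modelled offline to check which endpoints a planned policy would leave on which agent version before you save it. The Python below is an added example, not Trend Micro code or a Trend Vision One API: the rule and endpoint dictionaries, field names, release list and addresses are constructed, name matching is assumed to be case-sensitive, and only the Endpoint name, IP range and Operating system criteria types are modelled.

```python
import ipaddress

# Constructed release list, oldest first. "202412A" stands in for a custom hotfix.
RELEASES = ["202410", "202411", "202412", "202412A", "202501"]
OFFSETS = {"n": 0, "n-1": 1, "n-2": 2}

def resolve_version(policy, releases, fixed=None):
    """Agent version that an Update policy setting resolves to."""
    if policy == "fixed":
        if fixed not in releases:
            raise ValueError(f"unknown fixed version: {fixed!r}")
        return fixed  # custom hotfixes can only be chosen this way
    standard = [r for r in releases if r.isdigit()]  # n, n-1, n-2 ignore custom hotfixes
    return standard[-1 - OFFSETS[policy]]

def _in_range(ip, first, last):
    ip, lo, hi = (ipaddress.ip_address(x) for x in (ip, first, last))
    return ip.version == lo.version == hi.version and lo <= ip <= hi

# One matcher per modelled criteria type; "all" is the Default rule's criteria.
MATCHERS = {
    "all": lambda values, ep: True,
    "endpoint_name": lambda values, ep: any(v in ep["name"] for v in values),
    "ip_range": lambda values, ep: any(_in_range(ep["ip"], lo, hi) for lo, hi in values),
    "operating_system": lambda values, ep: ep["os"] in values,
}

def plan(rules, endpoints, releases):
    """Map endpoint name -> (rule used, target version); rules are ordered Priority 1 first."""
    out = {}
    for ep in endpoints:
        rule = next(r for r in rules if MATCHERS[r["criteria"]](r["values"], ep))
        off = rule["check"] == "disabled"  # Update check: Disabled means no agent update
        out[ep["name"]] = (rule["name"], None if off else resolve_version(rule["policy"], releases, rule.get("fixed")))
    return out

# Constructed policy: two priority rules followed by the Default rule.
RULES = [
    {"name": "Canary", "criteria": "endpoint_name", "values": ["Test"], "check": "scheduled", "policy": "n"},
    {"name": "DB subnet", "criteria": "ip_range", "values": [("10.20.0.1", "10.20.0.254")], "check": "scheduled", "policy": "fixed", "fixed": "202412A"},
    {"name": "Default", "criteria": "all", "values": [], "check": "scheduled", "policy": "n-1"},
]
ENDPOINTS = [  # constructed inventory records
    {"name": "Test01", "ip": "10.20.0.15", "os": "Windows Server 2022"},
    {"name": "db-prod-3", "ip": "10.20.0.40", "os": "Red Hat Enterprise Linux 9"},
    {"name": "hr-laptop-7", "ip": "2001:db8::17", "os": "Windows 11"},
]
if __name__ == "__main__":
    print(plan(RULES, ENDPOINTS, RELEASES))
```

Test01 also falls inside the DB subnet range but resolves to Canary because that rule is Priority 1. The Default rule's n - 1 setting resolves to 202412 and skips the custom hotfix 202412A.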