Queue & targeting
Queue actions in a tenant-scoped way and apply them to the right systems without “spray and pray”.
This is ideal for repeatable workflows such as reboot waves, patch rings or software cleanup.
Targeting can be as precise as you need — by host, tags/groups, OS type, online/offline status and
health signals — so you can start small (pilot) and roll out confidently.
Before executing, you can use lightweight pre-flight checks (recommended) such as pending reboot,
disk space, agent version and uptime, so high-impact tasks don’t surprise you during production hours.
Execution & safety (guardrails)
Controlled remediation is about making actions safe, predictable and auditable — not just “run a command”.
Tasks run via the agent using its local permissions, which means changes happen close to the system, but
are still governed by tenant boundaries and platform guardrails.
Safety first
Keep actions tenant-scoped, logged and limited by role permissions and policy rules. This gives you the
confidence to automate routine work while preserving oversight and change traceability.
What you can add next
If you want to take controlled remediation from “useful” to “enterprise-grade”, these additions usually
deliver the most value:
- Approvals: require a second person for high-impact actions (reboot, uninstall).
- Maintenance windows: enforce allowed execution windows per tenant/group.
- Rate limiting: cap concurrency to avoid storms during broad rollouts.
- Dry-run: validate targets and pre-checks before executing.
- Rollback hooks: “undo” tasks or compensating actions where feasible.
- Notifications: Teams/Email/Slack/Telegram on start/fail/complete.
Auditable, tenant-scoped, and executed with local agent permissions.
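A dry-run planner combining the targeting, pre-flight checks, maintenance window and rate limiting described above. This is an added example, not the product's own code; the inventory fields, thresholds and function names are assumptions.

```python
from datetime import datetime, time

def host(name, tenant, tags, online=True, pending_reboot=False, disk_gb=40, agent=(2, 4, 0)):
    return dict(name=name, tenant=tenant, tags=set(tags), online=online,
                pending_reboot=pending_reboot, disk_gb=disk_gb, agent=agent)

# Constructed sample inventory; field names are assumptions, not a product schema.
INVENTORY = [
    host("web-01", "acme", ["pilot"]),
    host("web-02", "acme", ["pilot"], pending_reboot=True),
    host("db-01", "acme", ["pilot"], disk_gb=2, agent=(2, 1, 0)),
    host("web-03", "acme", ["pilot"], online=False),
    host("web-04", "acme", ["ring2"]),
    host("app-01", "globex", ["pilot"]),  # other tenant: must never be selected
    host("web-05", "acme", ["pilot"]),
    host("web-06", "acme", ["pilot"]),
]

def preflight(h, min_agent=(2, 3, 0), min_disk_gb=10):
    """Return the reasons this host must be skipped (empty list means ready)."""
    reasons = []
    if not h["online"]:
        reasons.append("offline")
    if h["pending_reboot"]:
        reasons.append("pending reboot")
    if h["disk_gb"] < min_disk_gb:
        reasons.append("low disk")
    if h["agent"] < min_agent:
        reasons.append("agent too old")
    return reasons

def in_window(now, start=time(22, 0), end=time(4, 0)):
    """Maintenance window check that also handles windows crossing midnight."""
    t = now.time()
    return start <= t < end if start <= end else (t >= start or t < end)

def dry_run(inventory, tenant, tag, now, max_concurrent=2):
    """Build a plan without executing anything: waves, skipped hosts, window status."""
    scoped = [h for h in inventory if h["tenant"] == tenant and tag in h["tags"]]
    skipped = {h["name"]: r for h in scoped if (r := preflight(h))}
    ready = sorted(h["name"] for h in scoped if h["name"] not in skipped)
    waves = [ready[i:i + max_concurrent] for i in range(0, len(ready), max_concurrent)]
    return {"allowed_now": in_window(now), "waves": waves, "skipped": skipped}

if __name__ == "__main__":
    print(dry_run(INVENTORY, "acme", "pilot", datetime(2024, 1, 10, 23, 30)))
```

The plan lists every skipped host with its reasons, so the dry-run output can be reviewed or attached to an approval before anything executes.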
OS updates
Trigger patch actions from a single place and track outcomes end-to-end. In practice, this works best when
you combine update signals with inventory and health: you can prioritize systems that are missing critical
updates, have older patch age, or are drifting from your baseline.
After patching, it’s common to follow up with a verification step (for example: reboot required state,
service health or telemetry freshness) so you know the rollout actually improved posture — not just “ran”.
Application actions
Software remediation becomes much safer when actions are standardized and traceable. You can remove
unwanted applications (for example via blacklist logic), keep estates consistent with controlled updates
(such as Chocolatey where applicable), and link outcomes back to vulnerability findings to close the loop.
A natural next step is policy-driven workflows: detect an unapproved version, generate a finding, and
propose or schedule the right remediation task automatically.
Agent lifecycle
Keeping agent versions consistent directly improves visibility and reliability of remote actions. With
staged rollouts, you can update agents gradually, validate telemetry and heartbeats, and only then expand
the rollout. This reduces the risk of “fleet-wide” surprises and keeps remediation predictable.
You can also enforce minimum agent versions for specific task types, which is especially helpful when you
introduce new task capabilities or safety checks.
Audit & reporting
The biggest benefit of controlled remediation is traceability: who executed what, where, when, with which
parameters — and what the outcome was. That makes it easier to prove change control, speed up incident
review and continuously improve your operational playbooks.
As a next step, many teams export task history into scheduled reports (CSV/XLSX/PDF) and correlate tasks
with alerts and findings so remediation status becomes measurable over time.