Is there a way in LANDesk to scan against all vulnerabilities in the Scan group but repair only against a certain group?
Actually, this is kind of the default, as only things in the SCAN folder will be scanned on the devices, but how and what you repair is based on creating repair jobs for individual vulnerabilities or the contents of custom groups. Only when you put vulnerabilities on Autofix do you lose control, as they will be repaired on all devices that have Autofix enabled in their scan settings and on the agent.
This document will walk you through the process.
Thanks for the response. I know we can do this using the repair jobs; maybe I need to be more clear. What I need to know is whether there is any way to do it using the Scan and Repair settings which are assigned to agents.
When creating a Scan and Repair setting I can either select a group to scan against or the types of patches, but nowhere can I specify "scan for all and repair only for these". The reason I want this is so that I can scan my systems against all the patches and patch them only against the baseline. This way I am not required to create patching jobs every month and push them to clients who are already running a scan once a day; I'll just have to update my baseline group every month.
Using the basics of the document I pointed to, you can achieve this, but you cannot do it as you are asking... that I know of.
You can do it a couple ways...
Now, create a new Scheduled Task in the patch tool (let me know if you need guidance on this).
Let me know if you need more info or are confused.
What about using Autofix? You can set the Scan and Repair settings to either scan everything in the Scan folder, or just a particular group. You can then group your baseline patches into another group just for ease of management.
Once a patch is added to the baseline, you can move it into the group, but then you set it to Autofix. That means that anytime vulscan runs and finds the machine vulnerable to that definition, it will immediately (at the end of the scan) repair the vulnerability and install the patch.
If you have machines where you can't allow Autofix, the Scan and Repair settings can be set to not allow Autofix, as can the Agent Configuration.
This way, you don't have to create repair jobs or anything like that. Once a patch is approved, you add it to the group and set it to Autofix. Then it rolls out to your environment.