MSx Endpoints Product Description

Solution Summary

The MSx Managed Endpoints service line provides unified performance and security management across a customer’s server and workstation environments. It is designed to keep your supported systems healthy, secure, and performing optimally.  Support includes remote monitoring and alerting, automated patch management, reporting, and managed next-generation endpoint protection technology to guard against viruses and malware.  MSx Managed Endpoints OPTIMUM service also includes comprehensive troubleshooting, support, and system administration.  All services are provided 24x7x365 and delivered by 100% North America-Based support personnel with relevant certifications and experience.

Solution Benefits

MSx Managed Endpoints delivers significant benefits to organizations of all sizes and in all industries. By combining leading support, management, and security technologies with expert resources available 24x7x365, our customers can:

Increase Security – MSx Managed Endpoints includes next-generation security software that protects systems from viruses and malware.  In addition, our maintenance processes will ensure that security vulnerabilities on systems are patched, which will lessen the chances that an exploit is successful.

Improve System Visibility – MSx Managed Endpoints uses sophisticated Remote Monitoring and Management (RMM) software that constantly collects comprehensive data about the health, performance, and security of servers and workstations. This provides technicians and management with valuable information that helps them detect and resolve problems more quickly, identify trends that could indicate a larger issue, or facilitate better equipment lifecycle planning.

Shorten Time to Repair – Using the enhanced visibility provided by MSx Managed Endpoints, technicians can be more efficient in their troubleshooting and support efforts.  Instead of wasting time trying to identify systems and pertinent information, they can quickly begin troubleshooting.  With OPTIMUM support, customers also benefit from having a virtual team of TPx technicians that are available 24/7 to address system failures. Shortening the time to repair reduces downtime and lost productivity for our customers.

Enhanced Service Levels – Our team of certified and expert remote resources is consistently trained to keep up with the changing technology landscape. Because we work with hundreds of customers across the country, we have broad experience resolving issues across a wide range of technologies and use cases. In addition, TPx manages to a specific service level and we staff to handle peak workloads. All of this allows our team to work very efficiently and effectively to resolve issues, and to deliver a level of service that cannot be matched by most in-house IT staffs or MSPs.

Reduced Support Costs – Many customers struggle with limited budgets, a lack of support technology, and staffing challenges.  This often results in poor service delivery and inflated costs because they lack the support tools to help them manage and support systems and users efficiently, or don’t have enough staff to handle the workload, or they over-staff to get the variety of expertise they need.  As a leading National MSP, we do not have the same budget constraints that our customers have.  We invest in technology and support personnel to meet the needs of our customers and as those needs change and grow we can change and grow with them.  This allows us to deliver a better and more consistent service level at a reduced cost for you.

Maximize Resource Availability – Our certified and experienced MSx Support Personnel become an extension of your staff. By delivering the ongoing proactive and reactive maintenance and administration of supported servers and workstations, your team is freed up to perform other tasks that are more strategic and unique to your business.

Enhanced Investment Protection – Keeping your systems secure, healthy, and performing optimally will contribute to a longer useful life for that equipment. This protects the customer’s capital investment and it also keeps employees happy and productive, which protects their human investment as well.

Available Service Levels

MSx Managed Endpoints is available in two different service levels to meet a variety of customer use cases.

CORE – The CORE service level delivers the basic security service that all organizations need. TPx provides Next Generation Antivirus Software, as well as patching for Windows and select 3rd party applications, so the customer’s team can focus on other issues and the customer will know that patching is being done consistently and effectively. We also provide our leading RMM platform and make it available for customer use. Customers can access system status information, take secure remote control, launch available maintenance scripts, and run reports.

OPTIMUM – The OPTIMUM service level includes everything that CORE does and adds remote monitoring, management, troubleshooting and repair by TPx’s experienced support team. All service is delivered by TPx’s U.S.-based support personnel and, should a problem arise, our MSx support team is immediately aware and will begin working to address the issue.  With MSx Endpoints OPTIMUM service, end-users can contact MSx support personnel directly 24×7 to request service.

Important Service Considerations

The following information summarizes some key service exclusions and considerations.

Virus remediation: Virus remediation is not included in the standard contract deliverable. Generally, TPx staff will perform initial troubleshooting and routine remediation of viruses using the capabilities included within the TPx-provided Next Generation Antivirus software, or select other tools, as a courtesy for OPTIMUM customers. Service for SECURE and SECURE ENDPOINT BUNDLE customers will include automated and advanced mitigation of identified security threats, but we reserve the right to invoice (with prior customer approval) for all virus remediation work.

Hardware Support: Hardware support requires that the customer maintain a separate 3rd party hardware support contract (typically from the manufacturer, such as a warranty or post-warranty agreement). TPx will manage the ticket from start to finish, assist with troubleshooting, and coordinate with the 3rd party provider who dispatches onsite labor and provides parts.

3rd Party application support:  TPx provides limited 3rd party application support.  Support is limited to installing/uninstalling and updating software to facilitate troubleshooting supported applications and typically includes common 3rd party applications installed on workstations (See patching section for detail on applications). “Line of Business” (LOB) applications are not typically supported.  If a contract requires TPx to provide support for any LOB applications, prior approval from the Product Manager is required before any quote/order will be accepted.

Helpdesk: While the MSx Support team operates like a helpdesk, it is important to qualify the term “helpdesk” and to ensure that you set customers’ expectations properly. For example, TPx does not provide “how to” assistance for any applications, or support for Line of Business applications. TPx also does not receive and manage helpdesk tickets for equipment or services outside of the scope of our MSx Endpoints service description.

Supported Operating Systems

Microsoft Windows

MSx Endpoints is a Microsoft Windows-based service, and while the RMM platform will support a variety of older versions of the operating systems listed below, TPx business policy is to support only Operating System versions that are fully supported by the manufacturer. This is specifically to ensure that security and operational patches are available from the manufacturer. Without these patches, you put your business at significant additional risk of data loss and downtime due to a cyberattack. Furthermore, TPx would not be able to deliver a consistent and acceptable level of service for you without the support of the manufacturer. This policy also applies to Microsoft Office products. The following software versions are currently supported.

Microsoft Windows

Microsoft Office

Other Operating Systems

A limited service scope is possible for VMware ESXi, Apple macOS, and Linux systems as identified below. The RMM agent can be installed on these devices and monitoring & alerting is available. Managed patching is not provided.

Service Levels

  • For VMware ESXi: MSx Support Level is Limited Best Effort. ESXi device monitoring is available.
  • For macOS: MSx Support Level is Limited Best Effort. macOS device monitoring is available.
  • For Linux: MSx Support Level is None. Linux device monitoring is available.

Operating Systems

  • VMware ESXi
  • Remote monitoring agents installable on OS X 10.7+, but tested on latest two versions of the operating system
  • Fedora, Debian, CentOS (requires yum-utils), and Ubuntu: latest two versions
  • RedHat Enterprise Linux 7 and later using EPEL
  • Mono, .NET compatibility software, will be installed on Linux-based systems

Service Details

Remote Monitoring and Management

MSx Endpoints leverages Datto RMM Remote Monitoring and Management (RMM) Software. Using Datto RMM, MSx support technicians can collect information about the health and performance of supported endpoint hardware and software, monitor and alert on endpoint issues, deploy patches, and schedule maintenance jobs. This cloud-hosted technology platform, combined with our best-practice configuration, allows TPx to deliver powerful automation and support capabilities that create a robust set of IT services that drives operational efficiencies, increases system security, and ensures we can provide extremely reliable service levels. The MSx Endpoints platform allows us to manage customers, sites, and individual devices while achieving the most efficient use of IT resources possible and offers the broadest and deepest set of IT management capabilities in a single solution.

The Datto RMM platform consists of two separate applications: the RMM Portal and the RMM Agent. The RMM Portal is a cloud-based browser application that is used by TPx technicians to securely and remotely manage devices across all our clients. The RMM Agent is a lightweight software program that is installed on all supported devices. It collects data on the devices and communicates it to the Portal.

Note: RMM features and services are available based on MSx Endpoints service levels.  Refer to Available Service Levels for details. 

RMM Portal Overview

The RMM Portal is the endpoint management control console. It is cloud-based and delivers exceptional availability and scalability. The platform is built using a secure multi-tenant architecture that allows different levels of access and roles so that TPx can efficiently manage all of our customers, while allowing our customers’ own IT staff to securely access and manage their own systems. To further enhance security, Multi-factor Authentication is required to log in to the RMM platform as an Administrator. When logged in as an Administrator, all the functionality that TPx Technicians and authorized Customer IT Staff need to manage their endpoints is available from a single pane of glass. The user interface is very intuitive and easy to navigate, allowing easy drill-down from site to groups to individual machines.

Many of the RMM Portal functions and settings are configured at the Global level and are used and accessed only by TPx technicians. This includes, for example, setting up patching and monitoring policies and standard reporting. Customers can, however, leverage the RMM Portal to self-manage their own supported endpoints using Components, which include application installers, third-party integrations, scripts, or even device monitors. Customers can also contact TPx support to request that a new component be made available for them. Billing for such requests will be considered on an Individual Case Basis (ICB). The list of components that TPx makes available to its clients is currently over 70 and more are added frequently. Components are grouped into the following categories.

  • Applications – The Applications category contains programs such as web browsers and browser plug-ins, Adobe products, Flash players etc., ready to be pushed out to as many endpoints as required.
  • Integrations – Integrations enable Datto RMM to connect to PSA platforms, such as Autotask PSA.
  • Device Monitors – Device monitors allow you to monitor the state of your devices, e.g. backup, services, processes, antivirus, and more.
  • Extensions – Extensions provide additional functionality, such as Mobile Device Management or Splashtop Remote Screen Sharing.
  • Scripts – This area contains scripts for activities, such as installing uVNC mirror drivers, clearing the print spooler, rebooting the system, and various other

RMM Agent Overview

The MSx Endpoints platform manages machines by installing a software client called an “Agent” on a managed machine. The Agent is a system service that does not require the end user to be logged on for the agent to function and does not require a reboot for the agent to be installed. The agent software also has a very small footprint and communication uses extremely low bandwidth so these items should not impact system or network performance.

The agent communicates securely with the cloud RMM Portal to provide specific information about device health, properties, and performance.  It can execute a variety of actions on the remote device such as:

  • Audit the installed hardware and software
  • Proactively monitor the device
  • Deploy software, patches, and updates
  • Enable the remote takeover of devices that have the Agent installed

The Agent allows IT staff to manage remote devices through the Agent Browser, which is an application launched from the Agent.  Through the Agent Browser, TPx technicians, or authorized Customer IT staff can perform many remote support tasks.  It allows you to diagnose and fix many issues remotely, and often in the background, without the user being aware of it.  Some of the tasks you can execute through the Agent Browser include:

  • Take a screenshot of the remote device or open a remote takeover tool like RDP, VNC, or Splashtop
  • Open a Command Shell and add and edit registry items on the remote device
  • Control Windows Services on the remote device
  • Wake up, shut down, or restart the remote device
  • Monitor resources such as CPU or memory in real time
  • Manage files
  • View event logs
  • View drive information
  • Deploy the Datto RMM Agent to devices on the remote network

When the agent is installed on an end user’s endpoint, the end user will see a small MSx icon in their system tray. By right-clicking this icon they can launch the Self-help Portal, which provides the following capabilities:

  • Summary:  Summarizes device information such as hostname, IP Address, Manufacturer, Model, Serial Number and key specifications
  • Tasks: This page provides some self-help resources where users can run certain fixes on their own (such as a disk cleanup).
  • Tickets: End-users can submit support requests directly from the agent portal.

Device Auditing

An audit is an inventory of the hardware and software installed on a device as logged by the Datto RMM Agent. Auditing provides valuable information that is used in both troubleshooting and planning. If a technician is troubleshooting an issue on a PC, they can, for example, immediately determine the current patch level, check CPU performance, and verify Windows Process status to gain an immediate understanding of the PC’s status. If management is planning to upgrade to a new software application which requires that PCs and servers meet certain minimum requirements (CPU speed, memory, disk space, operating system version, etc.), and needs to determine if existing systems will support the application, they can quickly access this information for individual devices or en masse.

As consecutive audits are performed, changes to the hardware and software are tracked in a change log. The data is stored on the device and added to the device record in the RMM Portal. Network discovery information is also displayed on the Audit tab. The following audit levels are available:

  • Account:  View all sites’ discovered devices in a table form. You can also see all hardware and software installed on the devices associated with all sites in the account, including quantity and version information.
  • Site:  View the discovered devices in the site. You can also see all hardware and software installed on the devices associated with that particular site, including quantity and version information.
  • Device:  View all hardware and software currently installed on that particular device. You can also see the status of the installed Windows services and the changes that have been made to the device over time.
  • Account and site:  Monitor the number of devices a software package is installed on. This allows you to manage site or team licenses.

There are two types of audits performed in Datto RMM.  A full audit is a complete inventory audit of a device taken at the time the Agent is installed. A full audit of a device can also be initiated manually at any time.  A delta audit is a list of the changes to the audit information on the device since the last audit. Delta audits are performed automatically every 24 hours.  Delta audits are also performed after successful completion of a job, after patches have been applied, or can be performed manually at any time.

Monitoring and Alerting

Using the RMM Platform, TPx delivers 24x7x365 device monitoring and alerting. Since CORE customers are responsible for self-administering their devices, these customers will directly receive the alerts, allowing them to quickly identify and address problems. OPTIMUM customers receive comprehensive maintenance and administration by TPx’s certified and experienced technicians. Alerts for OPTIMUM customers are received and addressed directly by TPx 24x7x365.

Monitors keep track of a variety of attributes, processes, settings, statuses, events, and much more, on devices they are deployed to, and raise an alert when the device is not operating within specified parameters. Datto RMM provides a comprehensive list of monitor types and categories.

TPx configures our monitoring policies based on the device type, operating system, and role. A Windows File Server will have different monitoring and alerting requirements than a Windows SQL Server, for example. Multiple policies can be applied to individual machines, which allows TPx to provide comprehensive alerting profiles for a wide range of hardware and operating system errors, events, and statuses. When a specific trigger is set, such as a stopped Windows process or a spike in CPU or memory usage, the system automatically alerts. This allows TPx Technicians to quickly identify an issue and proactively begin troubleshooting & repair.

The list below shows various devices for which we have configured Standard Monitoring Policies.

  • Windows: Hardware Events
  • Windows: Server
  • Windows: Workstation
  • Windows: Role – DHCP Server
  • Windows: Role – DNS Server
  • Windows: Role – Domain Controller
  • Windows: Role – Exchange Server
  • Windows: Role – Hyper-V Server
  • Windows: Role – IIS Webserver
  • Windows: Role – SQL Server
  • Physical Servers
  • Servers – Dell
  • Hardware: DELL Server Event Logs
  • Servers – HP
  • Hardware: HP Server Windows Event Logs
  • Hardware: HP Server ILO (Array)
  • ESXi Monitor Policy
  • APC Windows Event Log Monitor
  • Operating System: macOS
  • Datto RMM Agent

Remote System Support

Remote system support is included with the OPTIMUM service level. With the CORE service level the customer has access to perform remote system support using the RMM Agent, or they can request billable assistance from TPx technicians. Service is delivered 24x7x365 and includes proactive maintenance, system administration, and troubleshooting & support of issues arising from an alert or customer request. Examples of support tasks include, but are not limited to:

  • Accessing system audit information to determine device HW & SW inventory
  • Reviewing system logs, disk space, CPU and memory utilization, and other KPIs to quickly identify system health and status.
  • Performing specific updates to fix software or hardware issues
  • Running system maintenance scripts to resolve identified issues
  • Performing antivirus scans
  • Accessing the end user system via remote control to actively troubleshoot and resolve systems problems.
  • Opening and managing support tickets with 3rd party hardware manufacturers or pre-approved SW vendors.
  • Proactive notification of pending warranty expiration for supported servers

The RMM Agent delivers real-time remote control across distributed networks so a technician can perform maintenance tasks from any location without ever disturbing the end user. If a user is requesting support, the technician can also take remote control of the user’s session and directly assist the user. To enhance security, Remote Control is configured to be accepted by the end-user. To take remote control of a device, the technician clicks a button to request it and the user then sees a prompt to accept or deny the request. End-users can contact TPx for assistance on their individual machines, but only the designated Customer Point(s) of Contact can authorize service on supported servers or service that is outside the scope of standard monthly charges.

Patch Management

System Patching

A patch is an update to a computer program or system to improve performance or fix existing flaws such as security vulnerabilities, bugs, or other issues. System patching is necessary for all businesses, period. Windows systems are especially vulnerable to cyberattack, and system performance and reliability can be significantly impacted if systems are not properly patched. It is, therefore, important to ensure that patching is completed regularly and consistently. But it can be difficult to know which patches should be applied. System patches can negatively impact performance for any number of reasons: maybe the hardware is too old and doesn’t have enough resources to handle the new patch, or there are hidden issues within the patch itself that affect system operation. It can be a time-consuming and frustrating task for a business to manage the process of patching their systems internally. System patching is included in both the MSx Endpoints CORE and OPTIMUM service levels. Our service ensures that the right patches are applied on a timely and consistent schedule, freeing customer IT staff from the burden of managing this important process.

TPx provides managed patching of select Microsoft Server and Workstation Operating Systems and Software, as well as approved 3rd party applications. Once approved, the individual agent configuration will govern the automated deployment of all missing approved patches based on a mutually agreed upon schedule and reboot selection.  Generally, workstations are patched daily from 10am to 12pm EST. Servers are patched the 3rd or 4th Wednesday of each month and scheduled off-hours.  Urgent security patches may be applied immediately based on individual circumstances.

Patching Policy for Microsoft Windows

Critical Updates, Security Updates, Applications updates, Definition Updates and general Updates are auto-approved within 14 days of release unless TPx pushes a zero-day patch or holds back a patch that has been identified by the news and personal experience to adversely affect the end user experience.

Service Packs, Feature Updates (akin to Windows 10 service packs), Cumulative Updates (which often include blacklisted patches and nagware) are not automatically pushed, but should be scheduled and rolled out gradually due to size and likelihood of impacting user performance.

Drivers and BIOS/EFI are not updated except to resolve an issue known to be corrected by an update.

Patching Policy for 3rd Party Software

Approved third party applications are updated if installed, as the respective vendors release updates, and when Datto adds the installation packages to their repository. Individual applications, such as Java, may have updates disabled, if updating the utility may have adverse effects to a Line-of-Business application.

Currently the automatically patched list is: 7-Zip, Adobe Air, Adobe Acrobat Reader DC, Adobe Flash Player, Adobe Shockwave Player, Foxit Reader, Google Chrome, Java Runtime Environment, Mozilla Firefox, VLC Media Player. Also available but not activated: FileZilla FTP Client, Notepad++, Paint.NET, PuTTY, Skype. Datto is continually adding to their list.

Any application available from Ninite Pro can be managed separately from the native Datto RMM Software Management module, upon request.

Other 3rd-party applications may be deployed by the RMM platform if the package can be run silently at the system console level. Development and testing of a custom script can be requested by a customer as a separate service ticket.  This work may be billable.

Consistency and Compliance Audits

The audit and assessment elements of this patch management program are in place to help identify systems that are out of compliance within an organization. Where systems and security are in a constantly evolving state, patch management is an ongoing set of processes designed to ensure the most secure and stable environment possible, without preventing users from performing their primary duties with undue interruptions. To supplement post-implementation auditing, patch audit scans have been scheduled to track and maintain the patch level database for all systems covered under patch management.

A full audit scan occurs on agent installation. Delta audits occur every 24 hours, as well as upon completion of any scheduled job, or completion of a patch cycle. This ensures that the latest audit data is available for review in the event a critical mid-stream patch is detected as being needed for any server or workstation. Full and delta audits may be scheduled on an “as needed” basis in the event it is required for regulatory or third-party compliance audits.

Newly rebuilt or deployed systems that are introduced into this patch management program will be added to the existing patch schedule and reboot configuration for the respective site to which they are being installed, unless an override is otherwise specified by the build or agent deployment request. Outstanding patches will begin deploying automatically during the next scheduled patch cycle, which may adversely affect the end user experience.

Monthly consistency and compliance reviews are performed prior to the approval of all newly released updates to identify errors or failures that are preventing systems from attaining compliance with the patch policy that is assigned to the agent. Remediation is performed on an as needed basis across all client systems.

TPx can make no guarantee of patch compliance for systems that are not online and available on a regular basis.

Approval Process

TPx provides a 3-phase approach for the review and approval of regularly scheduled update releases.  Each phase is intended to ensure the timely and safe deployment of newly released updates.

Research Phase

TPx will research and assess the effect of newly released updates to the Client prior to its deployment by analyzing the criticality, scope, and potential impact on security, regulatory and industry compliance requirements.

If TPx categorizes a patch as an Emergency, the Patch Management Team considers it to address an imminent threat to the security of our client’s networks and assumes that not implementing the patch is a greater risk than implementing it without waiting to test it first.

The Research Phase is typically completed within 2 business days after a regularly scheduled patch release date, but may be extended for any update found to have significant negative or undesirable side effects.

Review & Testing Phase

Updates deemed Normal or Non-Critical will undergo standard internal testing for each affected platform before general approval is made. TPx  will expedite testing for critical patches in a manner dictated by the criticality of the update. The Patch Management Team will complete validation against all available operating systems prior to approval.

The Review & Testing Phase is typically completed within 3 business days after a regularly scheduled patch release date, but may be extended for any update that is found to have significant stability issues or a high incidence of installation failure. Updates that fail the testing phase will be returned to the Research Phase until a suitable workaround can be found, a new version of the update is released by the vendor, or the security concerns addressed by the update outweigh the risk of introducing a potentially unstable update into a client’s environment.

Approval Phase

Updates that have reached the Approval Phase have been certified through research and testing to be warranted, stable, and ready for deployment within the standard TPx Patch Management offering. Production deployment is typically authorized no more than 3 business days after regularly scheduled update release dates.

A note on Windows 10

TPx is unable to withhold patches indefinitely on Windows 10 operating systems. With Windows 10 Pro, Enterprise, Education and S systems, Microsoft permits us to defer feature (service pack type) updates a maximum of 365 days and quality (security) updates a maximum of 30 days, by which time broken patches should be rectified. Windows Home edition will not permit any delay of operating system updates.

Ongoing Analysis

Updates that are approved and are found to have compatibility or stability issues, or induce adverse effects on the performance of third-party and line of business applications not included in the Review & Testing Phase, will be returned to the Research Phase for escalation to a product specialist or vendor support for remediation. Updates already deployed that meet these criteria and that permit removal will be uninstalled by script from any system found to contain the update. Updates that do not permit removal after installation may require special scripting to manually remove the update.

Ongoing analysis has no set expectation of action unless an issue is detected and reproducible. Standard Escalation SLAs apply.

Default Reboot Policy

New clients will be assigned our default patch and reboot policy, to ensure that operating systems and applications are kept up-to-date and secured as much as possible against new exploits, with as little user impact as possible.

Workstation Policy

  • Frequency: Every weekday
  • Patch window: 10am to 2pm at local time zone of the agent software
  • Local Cache: Use a Local Cache to download and distribute updates to targeted devices if available; used for larger enterprises; not available in Windows 10
  • Reboot action: Do not reboot devices after patch window has concluded but show Endpoint a branded reboot reminder every 24 hours until rebooted
  • Expectation: Customer is expected to reboot/shutdown their machine every night for the updates installed during the day to be applied
  • 3rd Party Software Patching: Deploy 3rd Party utility software application updates listed in the Products Managed section above, immediately upon availability to the RMM platform

Server Policy

  • Frequency: Monthly on 3rd Thursday
  • Patch window: 9 pm to 10 pm at local time zone of the agent software (patches starting late in the hour may extend into and complete in a second hour)
  • Local Cache: Use a Local Cache to download and distribute updates to targeted devices if available; used for larger enterprises; not available in Windows Server 2016+
  • Reboot action: Reboot automatically once patching concludes, unless the server is a Hyper-V host or the policy is overridden at the site or device level
  • 3rd Party Software Patching: Manually upon request, dependent on role; if terminal server, we’ll deploy standard 3rd Party utility software application updates listed in the Products Managed section above during an arranged maintenance window

The client may choose options from both of the Scheduling Options and Reboot Action sections below, if the default policy proves undesirable or user impacting. Adjustments after onboarding must be submitted via ticket or request, from a contact authorized to make changes to the customer account, and in the format “[Device Name or Type], [Day Choice] at [Time Choice], and [Reboot or not]”.

Warning: Patch Management for mobile systems frequently connected to cellular networks should be restricted to predefined times when the user will be connected to standard Wi-Fi or wired networks, by having the machine placed in a separate site with its own Patch Policy or no Patch Policy. 

Scheduling Options

Run Once / Manual Scheduling

Primarily used in the On-Boarding phase of an agreement to bring endpoints into compliance with current approval policies and patch levels. This scheduling option is not intended for regular use and may incur labor charges with excessive use.


Primarily used for workstation, laptop and mobile devices. This scheduling option is frequently coupled with the “Do not reboot” option to permit timely deployment of updates while minimizing the interruption of an end user’s productive hours. (Example: Patch every day at 6am)


Primarily used for static workstations and load balancing purposes in larger organizations. This option allows for the selection of one or more days of the week to apply updates, and can be coupled with any of the reboot options listed below. (Example: Patch every Tuesday and Thursday at 8pm)

Monthly or Quarterly

Primarily used for servers requiring a less frequent deployment cycle. This option permits the deployment of updates with the [First | Second | Third | Fourth | Last] and [Day | Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Weekday | Weekend Day]. (Example: Patch every month on the 3rd Tuesday)


Not recommended for use except in very specific circumstances. Select the day number of the year [1-365] to be run on that day annually.

Reboot Action

Reboot immediately after update.

If necessary, it will reboot the targeted devices after the policy has run.

Do not reboot after update.

It will stop the targeted devices from rebooting after the patch schedule window.

  • Show Endpoint a reboot reminder every X hour/day; every 1-12 hours/1 day/2 days
  • The reminder will be displayed on the screen until the end user dismisses it
  • The reminder can be dismissed indefinitely
  • Permit a maximum of X dismissals, after which time reminders will persist on screen


Comprehensive reporting is available for MSx Managed Endpoints customers.  Reports provide a variety of information that can help TPx Technicians and customers understand the health and performance of their systems. They are also useful for planning – such as for system lifecycle management (Which machines should we budget for replacement this year?).  A standard set of reports is delivered monthly via email to the customer’s designated contact(s).  Additional standard reports and data exports are available on demand – Self Service for CORE customers and Self Service or via service request for OPTIMUM customers.


Next Generation Antivirus (NGAV)

MSx Endpoints includes an integrated Next Generation Anti-Virus and anti-malware software (NGAV) for enterprise class endpoint protection designed to help further secure customer endpoints from viruses, malware and other threats.

NGAV Software Overview

MSx will always look to leverage the best and most reliable Next-Gen AV available, currently leveraging Webroot’s SecureAnywhere Endpoint Protection.  Webroot SecureAnywhere is integrated with and managed through the MSx Endpoints RMM platform. The software is automatically deployed to an endpoint through the RMM agent.  Once deployed, it provides continuous security for that Endpoint.  It also reports back its status and alerts to the RMM platform to enhance live support and reporting capabilities.  Some important characteristics of Webroot SecureAnywhere are:

  1. Its ultra small agent is less than 1MB, takes under 5 seconds to install, and requires only 2MB of hard disk space, while the typical antivirus averages over 1GB
  2. As a fully cloud-based solution, malware definitions are in the cloud, not downloaded onto the endpoint, so it’s always up to date
  3. Lightning-fast scans use only 10% of CPU and take around 90 seconds, so they never interfere or slow users’ devices down
  4. The agent doesn’t conflict with existing antivirus
  5. The day to day operational costs of our Next Gen AV are less than those of a traditional antivirus – even if it’s free

Some of the unique benefits of Webroot’s smart Endpoint Protection are:


  • Behavior-based, not signature-based, allowing it to address a wider array of attacks, including Zero-Hour attacks.
  • One-of-a-kind, cloud-based, adaptive protection


  • Customer satisfaction rating of over 94%
  • Tiny <1 MB agent designed for minimal footprint
  • No signature updates
  • Minimal user performance impact
  • All endpoints protected collectively & managed centrally

Collective Protection

  • Any time a Webroot-protected device encounters a threat, all other endpoints are secured in real time
  • Data from tens of millions of sensors is correlated and analyzed continuously
  • Machine-learning backs highly accurate real-time analysis of URLs, IPs, files, mobile apps, and phishing sites


  • Software’s rollback remediation automatically undoes changes made by malware
  • No need to re-image or wipe devices

NGAV Management Services

TPx technicians monitor and support Webroot directly through the Datto RMM Platform.  During MSx Endpoints onboarding, TPx creates a Security Management Policy which allows us to push out the Webroot software to all supported endpoints and generate alerts and tickets as per the criteria set in our standard monitor policy.  Using the Datto RMM Platform, TPx technicians can install or uninstall Webroot and can include or exclude selected devices from a site’s Security Management Policy.  Technicians can also execute the following Webroot Console Commands right from the Datto RMM Platform.


Webroot reporting is integrated into the standard RMM reports.  The following reports include Webroot information.

  • Executive Summary Report: Summarizes the QTY of devices with Webroot installed and overall status (Up to date, running…)
  • Device Health Summary: Indicates, per device, which devices have Webroot reporting as updated and running and which are reporting an issue
  • Detailed Computer Audit: Indicates, per device, all SW installed on the device
  • Software: Indicates how many devices have a particular SW version loaded on them
  • Installed Software Export:  .csv export showing what devices have particular software installed on them
