EPA scan classification types on Windows client


Endpoint Analysis is intended to analyze the user device against pre-determined compliance criteria and does not enforce or validate the security of end-user devices. It is recommended to use endpoint security systems to protect devices from local admin attacks.

The following new classification types are added to the EPA scan for missing patches. The EPA scan fails if the client has any of the following missing patches.

  • Application
  • Connectors
  • CriticalUpdates
  • DefinitionUpdates
  • DeveloperKits
  • FeaturePacks
  • Guidance
  • SecurityUpdates
  • ServicePacks
  • Tools
  • UpdateRollups
  • Updates


  • Earlier, the EPA scans for missing patches were done on the severity levels; Critical, Important, Moderate, and Low on the Windows client.

  • If you are using Citrix Secure Access for Windows and above, the scan CLIENT.SYSTEM('WIN-UPDATE_SCAN-TIME') is limited to client machines that have the automatic updates enabled. If the automatic updates are disabled, this scan returns a different outcome.

Configure the EPA scan classification types by using the GUI

  1. Navigate to NetScaler Gateway > Policies > Preauthentication.
  2. Create a new preauthentication policy or edit an existing policy.
  3. Click the OPSWAT EPA Editor link.
  4. In Expression Editor, select Windows > Windows Update.
  5. In Shouldn’t have missing patch of following windows update classification type, select the classification type for the missing patches.
  6. Click OK.

    EPA scan classification types

Customers can upgrade to the OPSWAT version 4.3.2744.0s to use these options.


EPA scan classification types on Windows client