Contents x
    How to use Templates
    • 02 Jun 2025
    • 4 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    How to use Templates

    • Updated on 02 Jun 2025
    • 4 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Article summary

    What is a Template?

    You can think of a Template as a security compliance checklist. By regularly comparing your devices to the requirements in a Template, you can detect and remediate issues to reduce compliance drift.

    You can create and customize as many Templates as you need. Some sets of devices have different compliance requirements, checked at different intervals.

    When a Template detects an issue, the issue is assigned a score to indicate the potential risk caused by the issue. Depending on how you configure the Template, it can also automatically remediate issues.

    What kinds of issues can ControlUp for Compliance detect and remediate?

    ControlUp for Compliance Templates detect issues from the following categories:

    • Misconfiguration - Checks device operating system settings to make sure they meet industry recommendations and best practices. ControlUp can remediate these issues by adjusting device settings (such as changing registry values).
    • Compliance - Checks if antivirus and other security control software is installed and working correctly. The compliance category includes these subcategories:
      • Security Checks - Performs tests to ensure that your security control software is configured correctly. For example, a security check can simulate real threats such as a malware download which should be blocked by your security controls if they are working correctly. It is important that you inform your security team before performing these security checks so they are aware that the simulated threats are coming from ControlUp. Learn more about security checks.
      • Security Controls - Checks if components from security control vendors are installed and running on your devices. For example, ControlUp can report an issue if the CrowdStrike agent isn't installed and active on your devices.
    • Common Vulnerabilities and Exposures (CVEs) - Checks if your devices are affected by CVEs. The CVE system is a public list of known security flaws.
    • Patches - Checks for missing patches for common applications. ControlUp reports an issue if a device has the application installed, but isn't running the latest version. ControlUp remediates the issue by installing the latest version. When viewing the application in ControlUp, you can see the latest version and a link to the vendor's website for more information. Note that when ControlUp patches an application, the application closes on the end user's device to complete the patch. Patches are downloaded from our CDN (optionally, you can download directly from the application vendor) to C:\ProgramData\ControlUp\CU4C\data\patches and then deleted after they have been successfully installed.
      Secure DX Apps view showing the latest version for Mircosoft Edge.
    • OS Patches - Checks if specific OS patches (Microsoft KBs) are installed. ControlUp remediates the issue by installing the selected patch.

    The catalog of available issues is sourced from multiple public and private databases such as Mitre and NVD. ControlUp syncs with these databases multiple times per day so your organization can stay protected against the latest security risks.

    Remediating issues

    After a Template detects an issue, you'll see it reported in the ControlUp dashboards. It's important that you take action to fix these issues. There are a few ways to do this:

    • Automatically: When configuring a Template, you can enable automatic remediation. In this case, ControlUp automatically remediates detected issues by adjusting device settings, installing application patches, or installing OS patches. Note that not every detectable issue can be remediated by ControlUp.
    • Manually using ControlUp: If you don't configure a Template to automatically remediate detected issues, you can manually initiate the remediation action from ControlUp. A manually initiated remedation action is called a Job.
    • Using another method or tool: Some issues must be fixed using another method or tool. Even if you don't use ControlUp to perform the remediation, you can still use ControlUp to track the remediation and ensure it was successful. The next time the Template runs and scans your devices, it checks if the issue is still present. The issue remains reported until all affected devices have been successfully remediated.

    When a Template detects a security issue, it remains reported until the Template has confirmed that the issue is no longer present:

    • If ControlUp performs the remediation (using either a Template or a Job), then it immediately runs a secondary check to confirm that the remediation was successful.
    • If you use another method or tool to fix the issue, the Template checks again for the issue the next time it runs. If the issue is no longer detected, it confirms that the remediation was successful.

    Scan and remediate your own custom issues

    Your organization might have unique compliance requirements that aren't covered by ControlUp's built-in catalog of issues. You can customize issue detection and remediation capabilities using your own scripts.

    For example, if your devices run a custom program, you can create a Custom Issue to ensure that the program is installed and configured correctly. Or, let's say that ControlUp doesn't have a remediation available for a certain issue, but you are aware of a workaround to fix the problem. In this case, you can add a custom remediation to the issue to apply the workaround when the issue is detected.

    For more details, visit Custom Issues.

    Was this article helpful?
    What's Next