- “Keep Agent UI running on screen lock”
- MSP Onboarding Wizard
- Wingman AI Scripting
- Patching in rings
- Lock specific OS version
- Reporting Mode Indicator ("R") for process executions
- Full Process Path Added to PEDM Email Alerts
- Product Modules Overview - Improved Navigation
- Lock GP Assignment claim for improved governance control
Heimdal Dashboard & Agent
“Keep Agent UI running on screen lock” option (Windows GPs)
We’ve introduced a new option (check box) “Keep Agent UI running on screen lock” - available under Endpoint Settings -> Windows GPs -> General -> General Management -> Agent Settings section of the Heimdal Dashboard.
By default, the option is disabled and the current behavior remains unchanged: the Heimdal Agent restarts on session lock, logout or reconnect, ensuring a fresh instance is always launched.
When enabled, the Agent process is preserved across session lock and disconnect scenarios, meaning the same instance continues running in the background. As a result, the UI will not automatically relaunch on screen unlock, and in multi-user environments, secondary users will not see or automatically start the Agent UI (manual launch required).
Note: this behavior does not apply to Sign out actions. Because the Windows session is fully terminated, the Agent will be restarted on next login regardless of this setting.
MSP Onboarding Wizard
The MSP Onboarding Wizard capability streamlines the initial setup process for Resellers by enabling seamless integration between Microsoft Entra (Azure AD) and Heimdal. By automating the discovery and creation of Corp customers directly from CSP sub-tenants, the feature significantly reduces onboarding effort, speeds up time to value and minimizes manual configuration. Combined with a guided onboarding flow and a dedicated management interface, it provides a more structured, scalable, and efficient way to onboard and manage customers from a centralized experience.
The feature is available if:
- Dashboard account type is Reseller or Distributor Manager;
- the customer (Reseller/Distributor Reseller) has the Monthly Billing licensing option enabled;
- the user account has the "Manage Customer Settings" permission claim enabled.
The feature consists of two core components: a guided Onboarding Wizard and a dedicated MSP Onboarding Tab.
The Onboarding Wizard provides a structured, step-by-step flow that walks Resellers through enabling the Reseller Master Group Policy, configuring the Azure connection and completing the initial customer synchronization.
Complementing this, the MSP Onboarding Tab serves as a persistent management interface within the Heimdal Dashboard, allowing Resellers to manage their Azure connection, browse available CSP sub-tenants and create new Corp customers directly from a centralized location.
Below are a few illustrative screenshots showcasing the Onboarding Wizard flow.
The MSP Onboarding Tab (Guide -> MSP Onboarding) is available only after a Tenant ID is saved.
Note: Client ID and Secret Value do not persist and must be re-entered each time the tab is accessed.
Through the MSP Onboarding Tab, Heimdal Dashboard users can access and manage their customer landscape via a centralized Customer List, composed of two main views:
- the Heimdal Customers Grid: a consolidated overview of all Corp customers currently associated with the Reseller within Heimdal, and
- the Azure Customers Grid: a list of CSP sub-tenants/contracts retrieved via Microsoft Graph API from the Reseller’s Entra tenant, enabling direct mapping and onboarding of new customers into Heimdal.
MSP Onboarding Wizard – Functional Details
Onboarding Wizard
- Starts automatically on first login after account creation or after feature release for existing Resellers.
- Considered complete only when “Done” is pressed at Step 12.
- The “X” (close) action triggers a confirmation modal and, once confirmed, permanently dismisses the wizard.
- A dismissed wizard does not restart on next login and can only be relaunched via “Launch Onboarding Wizard” from the MSP Onboarding Tab.
- Skip is available on Steps 2 and 3 and redirects directly to Step 9.
- Back returns to the previous step.
Session behavior
- Mid-flow, same session -> resumes from the current step.
- Browser restart -> resumes from Step 1.
- Wizard dismissed (X + confirmation) -> does not restart on login.
- Wizard completed (“Done” pressed) -> does not restart on login.
Note:
- If the View Endpoint Settings claim is disabled -> Steps 2–8 are skipped; flow jumps from Step 1 to Step 9.
- If the Edit Endpoint Settings claim is disabled -> clicking Next on Step 2 redirects directly to Step 9.
MSP Onboarding Tab
- Visible only after a Tenant ID is configured in Guide -> Customer Settings -> Login Setup -> Azure Login.
- “Launch Onboarding Wizard” redirects to Home and restarts the wizard.
- Client ID and Secret Value are not persisted — they must be re-entered each session.
- “See customer list” remains disabled until both credentials are entered.
Heimdal Customers Grid
- Displays all Corp customers associated with the Reseller.
- Columns include: Name, Customer Type, Created Date, SPLA, Active Licenses, Total Licenses, Churn Score.
- Supports search (by Name) and sorting (Name, Customer Type, Created Date, Active Licenses, Total Licenses, Churn Score).
- Includes full pagination support.
Azure Customers Grid
- Displays CSP sub-tenants retrieved from the Reseller’s Entra tenant via Microsoft Graph API.
- Columns include: Name, Tenant ID, Action (Create Customer).
- Supports search (by Name) only; results are pre-sorted alphabetically (no manual sorting).
- Uses infinite scroll (no pagination controls).
- “Create customer” is disabled if:
  - the customer already exists in Heimdal, or
  - the Tenant ID is already associated.
Note: if the “View customers” claim is disabled, neither the Heimdal nor the Azure Customers grid is visible.
Customer Creation
- Name — pre-filled from Azure data and editable; cannot contain /, , or +.
- Total Licenses — required field (minimum 1); highlighted in red if not populated.
- Email — required field; highlighted in red if empty.
- Details — optional field.
- Monthly Billing — enabled by default; can be disabled.
- Licensing options not available to the “parent” Reseller are displayed as greyed out.
- Email Security 365 and ATP are mutually exclusive; selecting one will automatically deselect the other.
- TAC and TAC UI & M365 User Security require MXDR licensing option to be enabled first; enabling MXDR automatically enables TAC, which becomes locked.
- opt in Reseller Master GP — allows distribution of the Reseller Master GP to the new customer; requires “Reseller Master GP Distribution” to be enabled for the Reseller under Endpoint Settings -> Windows GP.
- On creation — a Heimdal licensing key is automatically generated with a 1-year validity.
Overall, MSP Flash Onboarding significantly simplifies the onboarding process for Resellers, enabling customer creation in just a few minutes while reducing manual effort across multi-customer environments.
By combining automated Azure tenant integration with a guided setup experience and centralized customer management, the feature ensures a faster, more consistent onboarding flow, helping MSPs scale operations more efficiently and bringing customers into Heimdal with minimal friction.
Unified Management -> Client Management -> Scripting - Wingman AI Scripting
Wingman AI Scripting simplifies script creation by allowing administrators to generate PowerShell or Batch scripts using natural language prompts, removing the need for manual scripting from scratch.
By describing the intended outcome in plain language, users can quickly generate scripts that can then be reviewed, customized, and deployed across their environment, significantly accelerating operational workflows while lowering the barrier for less experienced users.
Scripts generated through the platform integrate seamlessly with the existing scripting framework, meaning they can be executed directly on managed endpoints via the Heimdal Agent, assigned to Group Policies, scheduled for recurring execution, and enhanced through reusable variables.
This enables consistent and scalable automation of administrative tasks, from simple operational actions to more advanced configuration changes.
The feature currently supports both PowerShell (.ps1) and Batch (.bat) scripting, with the selected script type guiding the generated syntax and structure.
Scripts are created directly within the Scripts module by entering a plain-language request (e.g., restarting services, mapping drives), after which the AI generates the corresponding script in the editor for further refinement before deployment.
As part of the workflow, administrators retain full control and visibility over the generated output. While the AI accelerates script creation, all scripts should be carefully reviewed and validated prior to production use, especially when performing actions that impact services, system configurations, or security settings.
Note: Generated scripts should always be reviewed before deployment. Particular care is recommended for scripts affecting services, registry settings, installed software, or security configurations. Sensitive data (e.g., credentials) should not be embedded directly in scripts.
Overall, Wingman AI Scripting enables faster, more consistent automation across environments by combining AI-assisted generation with existing deployment and management capabilities, helping IT teams reduce manual effort, standardize execution, and respond more quickly to operational needs.
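One way to support the review step described in the note above, as an added example that is not Heimdal code: a static check that parses a generated PowerShell script and flags commands touching services, registry settings, installed software or security configuration, plus credentials embedded as literals. The function name, the rule table and the sample script are illustrative assumptions.

```powershell
# Added example (not Heimdal code): static review of a generated script before deployment.
# Function name, rule table and sample script are illustrative assumptions.
function Get-ScriptReviewFinding {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)
    $finding = { param($node, $rule)
        [pscustomobject]@{ Line = $node.Extent.StartLineNumber; Rule = $rule
                           Code = $node.Extent.Text.Trim() } }

    # A script that does not parse must not be deployed.
    foreach ($e in $errors) {
        [pscustomobject]@{ Line = $e.Extent.StartLineNumber; Rule = 'ParseError'; Code = $e.Message }
    }

    # Cmdlets touching the areas the note singles out for review.
    $sensitive = @{
        'Stop-Service' = 'Service'; 'Set-Service' = 'Service'; 'Restart-Service' = 'Service'
        'Set-ItemProperty' = 'Registry'; 'New-ItemProperty' = 'Registry'
        'Remove-ItemProperty' = 'Registry'; 'Uninstall-Package' = 'Software'
        'Set-MpPreference' = 'SecurityConfig'; 'Set-ExecutionPolicy' = 'SecurityConfig'
        'Set-NetFirewallProfile' = 'SecurityConfig'; 'Invoke-Expression' = 'DynamicCode'
    }
    $isCommand = { param($n) $n -is [System.Management.Automation.Language.CommandAst] }
    foreach ($cmd in $ast.FindAll($isCommand, $true)) {
        $name = $cmd.GetCommandName()
        if ($name -and $sensitive.ContainsKey($name)) { & $finding $cmd $sensitive[$name] }
        # Plain-text secret converted inline.
        if ($name -eq 'ConvertTo-SecureString' -and $cmd.Extent.Text -match '(?i)-AsPlainText') {
            & $finding $cmd 'EmbeddedCredential'
        }
    }

    # Secret-looking variable assigned a quoted string literal.
    $isAssign = { param($n) $n -is [System.Management.Automation.Language.AssignmentStatementAst] }
    $isString = { param($n) $n -is [System.Management.Automation.Language.StringConstantExpressionAst] }
    foreach ($a in $ast.FindAll($isAssign, $true)) {
        if ($a.Left.Extent.Text -notmatch '(?i)pass(word|wd)|secret|token|api_?key') { continue }
        $lit = $a.Right.Find($isString, $false)
        if ($lit -and $lit.StringConstantType -ne 'BareWord' -and
            $lit.Extent.Text -eq $a.Right.Extent.Text) { & $finding $a 'EmbeddedCredential' }
    }
}

# Constructed sample standing in for a generated script.
$sample = @'
$svcPassword = 'Winter2024!'
Restart-Service -Name Spooler -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Contoso' -Name Mode -Value 1
Get-Service Spooler
'@
Get-ScriptReviewFinding -ScriptText $sample | Sort-Object Line | Format-Table -AutoSize
```

A clean result only means none of these rules matched; the script still needs a human read-through before it is assigned to a Group Policy.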
Heimdal Patch & Asset Management
3rd Party patch management & OS Updates (Windows) – Patching in rings
We’re introducing Patching in Rings, a new capability designed to give you significantly more control over how updates are rolled out across your environment — now available for both 3rd Party Patch Management and Windows OS Updates.
With this approach, updates can be staged and delivered progressively across defined groups of endpoints, allowing for controlled validation, earlier issue detection, and reduced operational risk before wider deployment.
In addition, Rings enable more granular visibility into patch status and behavior across each rollout phase, helping you fine-tune deployment strategies and improve reporting accuracy.
Update Rings provides visibility into how Windows OS updates and supported third-party applications/ software are distributed across Group Policies (GPs) and endpoints.
This feature introduces dedicated views that allow dashboard users to quickly identify:
- which Group Policies are responsible for deploying a specific update or application.
- the configured deployment delay for each Group Policy.
- installation coverage statistics across endpoints.
- whether an application or update is eligible.
Operating System Updates (Windows OS)
A new Update Rings tab is available in the detailed view of each Windows Update (Update Details, opened by clicking on a Windows Update).
The tab displays all Group Policies that are configured to deploy the selected update, together with deployment delay information, installation statistics and eligible endpoints.
The following columns are available in the Update Rings view:
- Group Policy – name of the policy defining the deployment behavior for the selected Windows Update.
- Delay - value reflecting either the “Delay update installation (days)” setting or a “per category” delay configured in Group Policy (the per category delay overrides the general delay). Windows Updates are installed after the specified number of days from their official release date.
- Delay Source – indicates whether the delay is defined at category level or inherited from the general (Group Policy) delay.
- Installed Endpoints - number of endpoints where the Windows Update has been successfully installed within the selected Group Policy.
- Eligible Endpoints - number of endpoints within the selected Group Policy scope that are eligible for the Windows Update (in Available, Pending, or Installed status).
- Total Endpoints - total number of endpoints associated with the selected Group Policy.
- Install Percentage (%) - percentage of eligible endpoints where the Windows Update has been successfully installed.
3rd Party Patch Management (Windows OS)
The Update Rings functionality is available across the vast majority of the 3rd Party Patch Management views, including:
- Standard Patch Management views ("Current Status", "Latest Patch", "Currently Outdated", "Historically Outdated", "Up to date") including Stats view
- Assets View (Stacked and Non-Stacked) including Stats view
- Active Clients -> "Assets" tab views
- Active Clients -> "3rd Party Patch Management" tab
- Infinity Management -> Software Asset Management -> Click on Application name -> Discovered Assets view.
For Heimdal supported/ managed applications, the application name becomes clickable and redirects the user to a dedicated Application Details (specifics) modal, where 2 new views are available: Details and Update Rings.
The Details view offers a concise, centralized overview of key application metadata, including software name, latest available version, publisher and release date.
The Update Rings view contains a grid having the following columns:
- Group Policy – name of the GP defining the deployment behavior for the selected 3rd party supported app.
- Install Version – version of the application configured for deployment via the selected Group Policy.
- Delay – delay defined for the application in the Manage Applications table of the selected Group Policy.
- Updated Endpoints – number of endpoints with the application up to date (within the selected Group Policy).
- Eligible Endpoints – number of endpoints within the selected Group Policy scope that match the deployment criteria and are eligible to receive the application update.
- Total Endpoints - total number of endpoints associated with the selected Group Policy.
- Update Percentage (%) – percentage of eligible endpoints where the third party application has been successfully updated.
- Push Install Enabled – indicates whether the “Push Install” setting is enabled for the application in the Manage Applications section of the selected Group Policy.
The brand-new 3rd Party Patch Management Application Details modal introduces a set of streamlined in-context actions that allow you to manage application deployment directly from the rollout view.
From here, you can add or remove applications to/ from one or multiple Group Policies, with full control over whether Install and/ or Keep up to Date behaviors are enabled or disabled — the configuration being applied exactly as selected, without overriding existing version selections unless required.
In addition, you can directly enqueue applications for uninstall, with support for global or custom policy settings, version targeting, and precise matching logic (e.g., exact, lower, higher or all versions).
These actions are now consistently available across other areas (e.g., Assets and Active Clients), ensuring a unified management experience and allowing you to quickly adjust deployment scope, rollout behavior, and remediation actions without leaving the broader Update Rings context.
Both Update Rings views (Windows Updates and 3rd Party Patch Management) support relevant column sorting and searching, enabling quick filtering, comparison and deeper analysis of rollout status across deployments.
By combining granular rollout control with enhanced visibility and actionable insights, Update Rings enable you to better assess deployment impact at each stage, reduce uncertainty, and react early to potential issues.
Overall, this results in a more predictable, controlled, and transparent patching process — minimizing unexpected impact while giving you the flexibility to align update rollouts with your operational and business priorities.
OS Updates (Windows) - Lock specific OS version
Lock Specific OS Version provides precise control over Windows feature update rollouts by allowing endpoints to be kept on a defined OS version. This ensures version consistency across the environment while preventing unintended upgrades, helping organizations better plan, validate, and manage major OS transitions.
By aligning upgrade timing with internal readiness and testing cycles, the feature reduces operational risk and brings greater predictability to how and when OS changes are introduced.
When enabled, devices assigned to the Windows Updates GP remain on the selected Windows release and do not upgrade to newer versions until the policy is updated or removed.
This behavior mirrors Microsoft’s Select the target Feature Update version policy setting, enabling organizations to maintain version consistency, tightly control upgrade rollouts, and reduce the operational risk associated with major OS transitions.
A new checkbox (default disabled), “Lock specific OS version,” is available within the Endpoint Settings -> Patch & Assets -> Operating System Updates, Install Settings area of the Heimdal Dashboard.
When enabled:
- an Operating System selector (drop-down) becomes available.
- an OS Version drop-down is unlocked.
- Dashboard users can define the target Windows product and feature update version that managed devices should remain on.
Note: only supported Windows OS families and versions (e.g., Windows 10, Windows 11, Windows Server 2016/2019/2022) are eligible for configuration via this setting. Additionally, if “Windows Update reporting only” is enabled or the Windows Updates module is disabled, the Heimdal Agent restores the original Windows Update configuration on the endpoint and removes any OS Version Lock settings.
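One way to confirm from an endpoint whether a version lock is in effect, as an added example that is not Heimdal code: it reads the registry-backed values of Microsoft's "Select the target Feature Update version" policy and compares them with the running OS version. That the Heimdal Agent applies the lock through these same values is an assumption the page does not confirm; the function name and status labels are hypothetical.

```powershell
# Added example (not Heimdal code): report the feature-update target policy on an endpoint.
# Assumption: the lock surfaces as the values written by Microsoft's
# "Select the target Feature Update version" policy setting.
function Get-FeatureUpdateLockState {
    param([string]$ExpectedVersion)   # version chosen in the dashboard, e.g. '22H2' (optional)

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $osKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # The policy key is absent on endpoints that were never locked or were restored.
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $os     = Get-ItemProperty -Path $osKey

    $locked = ($policy.TargetReleaseVersion -eq 1)
    $target = $policy.TargetReleaseVersionInfo
    # Older builds expose ReleaseId instead of DisplayVersion.
    $current = if ($os.DisplayVersion) { $os.DisplayVersion } else { $os.ReleaseId }

    $status = if (-not $locked) { 'NotLocked'
    } elseif (-not $target) { 'LockedWithoutVersion'
    } elseif ($ExpectedVersion -and $target -ne $ExpectedVersion) { 'TargetDiffersFromExpected'
    } elseif ($current -ne $target) { 'NotYetOnTarget'
    } else { 'LockedOnTarget' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Status         = $status
        TargetProduct  = $policy.ProductVersion
        TargetVersion  = $target
        CurrentVersion = $current
        CurrentBuild   = $os.CurrentBuild
    }
}

# Example call; '22H2' is a constructed expected value.
Get-FeatureUpdateLockState -ExpectedVersion '22H2' | Format-List
```

On endpoints where “Windows Update reporting only” is enabled or the Windows Updates module is disabled, a `NotLocked` result is the expected outcome described in the note above.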
Other improvements & fixes
App Control - Display Reporting Mode Indicator ("R") for process executions
To improve visibility and consistency with Zero Trust and REP Endpoint, Application Control product (dashboard) grids now display an “R” indicator next to process names for executions analyzed when the Ruleset Mode is in “Reporting only”, regardless of their resulting status. This allows administrators to quickly identify processes that were evaluated in a non-enforcement context.
Hovering over the icon provides additional context via a tooltip: “This process has been analyzed by Application Control in Reporting mode”, ensuring clearer interpretation of execution behavior during monitoring and validation scenarios.
PEDM - Full Process Path Added to PEDM Email Alerts
PEDM email alerts for file elevation requests (both auto-mode and approval via dashboard) now include the full process path, displayed directly below the process name, providing administrators with additional context for faster analysis and more informed decision-making.
Product Modules Overview - Improved Navigation
To improve usability when working with large datasets, the Group Policies Product Modules Overview modal now supports a freeze panes behavior on the first column. This ensures that the Group Policy column remains visible during horizontal scrolling, allowing for easier navigation, better context retention and more efficient analysis across extended views.
Accounts -> Access Control - Lock GP Assignment claim for improved governance control
To strengthen compliance and prevent unintended GP configuration changes, a new “Lock GP assignment” claim has been introduced within the Manage Windows / macOS / Linux Endpoint Settings claim categories.
When enabled, these ACLs restrict users from modifying any elements that could impact the assignment or behavior of existing Group Policies - including creation, deletion, or changes to assignment-related settings such as AD/ Entra ID groups, priority, machine type, IP ranges and manual assignment.
Note: this claim requires the Specific access device settings (Windows/ macOS/ Linux) permission to be enabled in order to take effect.