Application Updates
Application update configurations manage third-party software on your endpoints using integrated package manager support. Define which applications should be installed or updated, and TridentStack Control handles discovery, installation, and version management across your fleet.
How it works
TridentStack Control integrates with package managers on your endpoints to install and update third-party applications. The platform maintains a catalog of available packages synced from public repositories. When you add an application to a configuration, TridentStack Control ensures the correct version is installed on every targeted endpoint and keeps it updated according to your settings.
The application update workflow is separate from system update policies. System updates handle OS-level patches (KB articles, security updates), while application updates handle third-party software (browsers, runtimes, utilities, developer tools).
Application updates are supported on all Windows versions, including Windows Server 2016 and older. On systems without a native package manager, TridentStack Control uses direct installer downloads from the synced catalog to install and update applications.
Creating a configuration
- Navigate to Update Management > Application Updates in the left sidebar.
- Click Create Configuration.
- Enter a name and description for the configuration. Choose a name that reflects the group of applications it manages (for example, "Developer Tools", "Security Software", or "Standard Desktop Apps").
- Save the configuration.
The configuration is now created but empty. The next step is to add applications to it.
Adding applications
From the configuration detail page, click Add Application. This opens the package catalog browser.
Search the catalog
Type an application name or package ID in the search bar. The catalog returns matching packages with their publisher, description, and available versions. Results are pulled from the synced package repository and stay current as new versions are published upstream.
Select a package
Click a package from the search results to select it. The detail panel shows:
- Package name and publisher
- Available versions (latest and historical)
- Package ID (the canonical identifier used by the package manager)
- Description and homepage link
Configure version
Choose how the application version is managed:
| Option | Behavior |
|---|---|
| Latest | Always install the newest available version. When a new version appears in the catalog, the agent upgrades automatically on its next check-in. |
| Pinned version | Install a specific version and do not upgrade beyond it. Useful for applications that require version compatibility with other software. |
All installations run silently in the background with no user interaction. Applications are installed machine-wide by the system service, not per-user. All users on the endpoint have access to the installed application.
Adding from agent software inventory
You can also add applications to an application update policy directly from an agent's detail page. Navigate to Agents > Endpoints, select an agent, and open the Software Inventory tab. Right-click any installed application (or use the context menu) to add it to an existing application update policy. This is a convenient way to build policies based on software that is already deployed in your environment.
Managing applications in a configuration
The configuration detail page lists all applications that have been added. For each application you can:
- Edit version settings - Switch between latest and pinned, or change the pinned version number
- Remove - Remove the application from the configuration (this does not uninstall it from endpoints)
- Check deployment status - See which agents have the correct version, which need updates, and which have failed
Deployment status
Each application in a configuration shows its per-agent status:
| Status | Meaning |
|---|---|
| Installed | The correct version is installed on the endpoint |
| Update Available | A newer version exists and will be installed on the next check-in |
| Not Installed | The application has not been installed yet (pending first check-in or download) |
| Failed | Installation was attempted but failed. Click the status to see error details. |
Targeting
Like system update policies, application configurations are targeted to agents by tag or individual assignment. When you assign a configuration to a tag, any agent with that tag receives the configuration's applications.
If an agent is targeted by multiple configurations that include the same application, the most recent configuration takes precedence for version settings.
Group related applications into the same configuration. For example, create a "Developer Tools" configuration with your IDE, version control client, and runtime environments. Create a separate "Security Software" configuration for antivirus and VPN clients. This keeps your configurations organized and makes it easy to assign the right software bundles to the right teams.
Dismissing updates
You can dismiss a pending application update on a specific agent to remove it from that agent's update list. Dismissals are per-agent and do not affect other endpoints.
To dismiss an update, navigate to an agent's detail page (Agents > Endpoints, then select an agent). In the available applications section, hover over an application row to reveal the dismiss icon. Click it to open a dialog with the following fields:
| Field | Required | Description |
|---|---|---|
| Reason | Yes | Select from: OS Incompatible, Not Applicable, or Other |
| Note | No | Optional explanation, up to 500 characters |
After dismissing, the update disappears from the agent's pending list. A collapsible "N dismissed updates" section appears at the bottom of the applications list, showing each dismissed app with its name, target version, and reason.
To restore a dismissed update, expand the dismissed updates section and click Restore next to the application. It immediately returns to the pending list.
Use the notes field to document why an update was dismissed. This helps other administrators understand the decision when reviewing the agent later.
Dismissal is done per-agent from the agent detail page, not from the Application Update Configurations page. Configurations define which applications are targeted across your fleet. Dismissal manages exceptions for individual endpoints.
OS compatibility
TridentStack Control automatically checks each application version's minimum OS requirements against the agent's reported operating system version. Only versions compatible with the agent's OS appear as available updates.
If an application's latest version requires a newer OS than the agent has, it does not appear in the agent's pending update list. No configuration is required. The platform handles compatibility filtering automatically based on the metadata in the application catalog.
Install time estimates
TridentStack Control displays estimated installation times next to applications in the catalog browser and on each agent's available updates list. Estimates appear as approximate durations (for example, "~5 min" or "~2h 15m").
How estimates work
Estimates are calculated from historical installation durations recorded across your fleet. Each successful installation contributes a data point. New tenants start with catalog-based estimates, and accuracy improves as more installations are recorded in your environment.
When enough data exists from endpoints with similar hardware profiles (CPU, memory, and disk characteristics), estimates are tailored to that hardware class. Otherwise, the estimate uses tenant-wide averages.
Viewing estimate details
Click the info icon next to any estimate to see a detailed breakdown:
| Field | Description |
|---|---|
| Confidence | High (hardware-matched with 5+ recorded installs), Moderate (3+ installs), or Low (fewer than 3 installs) |
| Source | Whether the estimate comes from similar hardware or tenant-wide data |
| Installs recorded | Number of successful installations used to calculate the estimate |
| Median | The middle value across all recorded durations |
| Average | The mean duration |
| 95th percentile | The duration at which 95% of installs completed, useful for conservative planning |
When selecting multiple applications to install, the confirmation dialog shows an aggregated estimated total install time across all selected applications.
Estimates use the median duration rather than the average to avoid skew from occasional outliers. For conservative planning (for example, sizing a maintenance window), check the 95th percentile in the detail popover.
Install Stats
The Install Stats column appears in the application catalog browser and on each agent's pending application updates list. It shows fleet-wide installation success metrics for each application, helping you identify problematic packages before deploying them.
What Install Stats show
Hover over or click the Install Stats badge on any application to see:
| Field | Description |
|---|---|
| Total deployments | Number of times this application has been installed or updated across all endpoints |
| Success rate | Percentage of installations that completed successfully, color-coded: green (95%+), amber (80-94%), red (below 80%) |
| Confidence | Data quality indicator based on deployment count: High (50+), Moderate (10-49), or Limited (fewer than 10) |
| Common errors | Top 3 most frequent error codes from failed installations, with occurrence counts |
How Install Stats are populated
Install Stats are computed from actual installation outcomes recorded by the TridentStack Control agent. Every successful or failed application install reports its result back to the platform. These results are aggregated periodically (approximately every 15 minutes) into the stats displayed in the UI.
New tenants will see empty Install Stats ("--") initially. Stats appear only after applications have been installed on at least one endpoint in your environment. As your fleet installs more applications, the data becomes richer and more informative.