Channel: Ivanti User Community : All Content - Patch Manager

How to stop one update (Java) going to just one PC


Does anyone know of an easy way to stop one approved update, which happens to be a Java update, rolling out to just one of our PCs?

 

We go through a pilot testing phase with our patching and one of our testers has an issue where he needs an older version of Java.

 

The update is fine for everyone else but I need to work out how to stop this one PC from getting the new update.

 

Anyone any thoughts?

 

Rob


Can I 'unmanage' a device (ie, no patch management)?


There is no way (that I can see) to not have patching turned on in an agent config.

 

We have devices that need to be unmanaged and not get updates like the rest of the enterprise. I'd rather not have to 'just remember' what 20 PCs shouldn't get the patch pushes we do.

The previous system shutdown was unexpected


Hello All,

 

I am having a problem with a big percentage of our servers being patched with Landesk. When the Landesk client issues a reboot (if required for patching), when the server comes back up, we get "The previous system shutdown was unexpected" messages.

 

Anybody else noticing this problem? Core is 9.5 SP1.

 

Thanks

When is LANDesk expected to release the flash update to address CVE-2015-0313 - zero day vulnerability


Anyone seen anything on this update?  Searched LD site - no indication about this yet anywhere.  Adobe has released the update already and the exploit is in the wild and being exploited.

 

Cheers

Java 8 patches are defaulting to Static Installations vs Patch-in-Place


Has anyone else noticed this?  This isn't really specific to LANDesk patching - rather, it appears that the package from Oracle no longer defaults to Patch-in-Place, and it ignores the STATIC=0 parameter as well.

 

I end up with multiple jre1.8.0_xx directories under the Program Files directory.  So far the only way I've found to get it to install properly is by modifying the INSTALLDIR property under the Directory table of the MSI and creating a transform for this.  Unfortunately, this doesn't matter for the next time Java needs to update, it once again defaults to a Static installation.

Java Timezone Updater - 1.4.10 (ID JDKDSTv1.4.11) not working


JDKDSTv1.4.11_Manual has a title of Java SE Timezone Updater - 1.4.10 (version tzdata2014i).  Note that the ID and title contain different version numbers.

 

Downloading the 1.4.11 timezone updater from java and installing it in the manner specified in the patch description doesn't result in the patch recognizing the files.

_MSU ... yes, no, and maybe?


We use Patch and Compliance in lieu of WSUS/SCCM for patching our production desktops and servers.   The system works great for the most part.  However, does anyone know the answer behind the redundancy in cases like this?

 

patch.JPG

 

MS15-010_MSU and MS15-009_MSU both have identical counterparts downloaded.   Per this document, the MSU identifies patches that are compatible with Windows 7, 8, and Servers 2K8 and 2012.   Awesome!  However, does this mean I don't need the other one if I don't have any XP or 2003 in my environment?  I can obviously err on the side of caution and throw both of them into my autofix scope, but does that mean BOTH patches will try and install on any given machine?

Failing to download certain updates


Good morning all,

 

Wondering if someone could possibly explain something for me.  I have just started with Patch Manager in Landesk 9.6 (No SP), in fact just started with LDMS altogether.

 

We have created two Distribution and Patch settings, one for a set of Pilot PC's and the other for Production PC's and look only for definitions relating to Windows 7 and Office 2013.

 

The Pilot machines are set to scan between 10am and 7pm and then daily install any vulnerabilities that need patching between 9pm and 12am.  This seems to be working but noticing on quite a few Pilot PC's when looking at Security and Patch Information that they are showing a huge list of "Failed to download file ......." See below.

 

 

Patches.JPG

I cannot for the life of me work out why they are failing to download, is anyone able to explain this for me?

 

Thanks

Neil


Vulnerability Scans are not updating on the Core. - Client Logs show HTTP Error 406. Giving up.


Environment

LANDesk Management Suite 9.5

LANDesk Management Suite 9.6

 

Error Message in Vulscan.log


Last status: Done
ProcessRules: detected compliance=0
Sending scan results to core LDMSCORE
PutResultsAsFile uncompressed length: 2014088
compressed length: 55626
HTTP POST: http://LDMSCORE/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{FC50D599-697B-5143-A3AA-7D4E3F74134A}_03456.vrz
Setting a proxy...
Setting socket timeout to 1000 * 60 * 4
Failed http://LDMSCORE/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{FC50D599-697B-5143-A3AA-7D4E3F74134A}_03456.vrz on server (0), server status: 406.
HTTP Error 406.  Giving up.
Last status: Failed: No response from core
Failed to put vulnerability results to core as file: 8DB301B1
Skipping repair step because scan errors occurred.
Exiting with return code 0x8db301b1 (433).



Solution / Workaround

 

1. Give the IUSR account Full Control permissions to the Managementsuite\Vulscanresults folder on the Core Server.
2. Run IISRESET on the Core Server.
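
To find which clients are hitting this failure, the Vulscan.log lines above can be matched mechanically. The following is an added example, not part of the original article or of LANDesk's tooling; the function names `triage` and `matches_article` are made up for illustration, and the sample input is the log excerpt quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Sample input: the Vulscan.log excerpt quoted in the article, trimmed to the
# lines the parser cares about.
SAMPLE_LOG = r"""
Sending scan results to core LDMSCORE
HTTP POST: http://LDMSCORE/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{FC50D599-697B-5143-A3AA-7D4E3F74134A}_03456.vrz
Failed http://LDMSCORE/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{FC50D599-697B-5143-A3AA-7D4E3F74134A}_03456.vrz on server (0), server status: 406.
HTTP Error 406.  Giving up.
Last status: Failed: No response from core
Failed to put vulnerability results to core as file: 8DB301B1
Skipping repair step because scan errors occurred.
Exiting with return code 0x8db301b1 (433).
"""

FAIL_RE = re.compile(
    r"^Failed (?P<url>\S+) on server \(\d+\), server status: (?P<status>\d{3})\.")
EXIT_RE = re.compile(r"^Exiting with return code (?P<code>0x[0-9a-fA-F]+)")
SKIP_MARK = "Skipping repair step because scan errors occurred"


def triage(log_text):
    """Return one finding per failed upload of scan results to the core."""
    findings, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        failed = FAIL_RE.match(line)
        if failed:
            parts = urlsplit(failed.group("url"))
            # In the excerpt '&' appears as '\&'; drop the backslash before parsing.
            query = parse_qs(parts.query.replace("\\", ""))
            current = {
                "core": parts.netloc,
                "endpoint": parts.path,
                "prefix": query.get("prefix", [""])[0],
                "status": int(failed.group("status")),
                "repair_skipped": False,
                "exit_code": None,
            }
            findings.append(current)
        elif current is not None and line.startswith(SKIP_MARK):
            current["repair_skipped"] = True
        elif current is not None and EXIT_RE.match(line):
            current["exit_code"] = EXIT_RE.match(line).group("code").lower()
            current = None  # the scan run ended; later lines belong to a new run
    return findings


def matches_article(finding):
    """True when the failure is the one this article covers."""
    return (finding["status"] == 406
            and finding["endpoint"].lower().endswith("/postcgi.exe")
            and finding["prefix"].lower() == "vulscanresults")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        hint = ("check IUSR permissions on Managementsuite\\Vulscanresults"
                if matches_article(f) else "not the 406 upload failure")
        print(f["core"], f["status"], f["exit_code"],
              "repair skipped" if f["repair_skipped"] else "repair ran", "->", hint)
```

A finding with `repair_skipped` set means the client also did not apply patches in that run, so those devices are worth rescanning once the core accepts results again.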

Patch management when should updated patches show up


When should new patches show up in patch management?  For example I am 2 versions behind for Firefox and 1 for Flash. 

The client does not support batch file packages


 

I am running a simple batch file

 

 

net time /set

 

 

and I have successfully run it on several hundred PCs but I have about 25 PCs that give an error: The client does not support batch file packages

 

 

I tried resetting the package hash to no avail....any ideas?

 

 

LANDesk 9.6 Cloud Services Appliance (CSA) Download Error


Good morning,

 

I am configuring the LANDesk Management Suite and all related products in our Company and started about half a year ago gathering experience with LANDesk.

 

However, I am quite at a loss now while configuring the patch management.

Don't get me wrong, the patch management itself works fine as long as we are talking about machines inside the company network.

But as soon as it comes to the Cloud Services Appliance (CSA) it gets tricky.

 

When a machine is outside our company network it can not download any patches.

I hope the following lines give you some idea what might be the problem:

 

vulscan.log

Mon, 16 Feb 2015 13:21:38 Download failed unable to get path, error code: 12 file: http://(Coreserver)/ldlogon/Patch/SkypeBusinessSetup_7.1.32.105.msi

Mon, 16 Feb 2015 13:21:38 Failed to download http://(Coreserver)/ldlogon/Patch/SkypeBusinessSetup_7.1.32.105.msi.  Error code 12

Mon, 16 Feb 2015 13:21:38 http://(Coreserver)/ldlogon/Patch/SkypeBusinessSetup_7.1.32.105.msi failed

Mon, 16 Feb 2015 13:21:39 ERROR: function EnableProxyHost is no longer supported

Mon, 16 Feb 2015 13:21:39 Download Failure: Error 80004005 downloading http://(Coreserver)/ldlogon/Patch/SkypeBusinessSetup_7.1.32.105.msi

Mon, 16 Feb 2015 13:21:39 Last status: Fehler: Download from http://(Coreserver)/ldlogon/Patch/SkypeBusinessSetup_7.1.32.105.msi failed.

 

To avoid communication problems I translated the passages above into English but my choice of words might differ slightly from the original.

Logfile with unmodified language is attached.

 

More interesting, the patch process always fails with the exact same error as shown above.

No matter if I try http share on our NAS, http share on the core server itself or - just for trying it out - UNC share for remote machines.

Always the same error with all patches.

 

Testmode from Brokerconfig.exe works fine and ends with success from remote machines.

The certificate on remote machine and core server is correct as well.

Downloading a certificate on a remote machine outside the company works and it seems there is no communication problem between CSA, core server and client computers.

 

I tried the following to find out which component generates the problem:

 

 

Checking firewall policies

Our CSA is within a DMZ so I checked the policies again.

 

External Firewall

From CSA to any allow HTTP, HTTPS, Ping

From any to CSA* allow HTTP, HTTPS

NAT from external IP to DMZ-IP involved here, all ports are still standard port numbers

 

LANDesk Cloud Services Appliance

 

Internal Firewall

From CSA to core server allow HTTP, HTTPS, Ping

From CSA to domain controller allow DNS, Ping

From (internal subnet)* to CSA allow all

*includes all servers and clients

 

 

Manual access to web shares

No problem here, I can access the patch directory - may it be locally on the core server or on our NAS - in Firefox and Internet Explorer without any problem.

Downloading works fine as well and the paths are correct.

 

 

Executing Brokerconfig.exe

Internal and external use of Brokerconfig.exe did not show any errors.

I can connect to the Core internally and to the CSA remotely without any problems.

 

 

Checking the CSA

Core certificate is present.

Two CSA certificates are present under Manage LDMG certificates. Any chance to find out which is the correct one to delete the obsolete certificate?

No blocked client certificates.

Firewall: Enabled. Allowed HTTPS, HTTP, DNS tcp+udp, core server IP. Blocked: None.

Users: No locked service user.

Connection Table: Lots of connections.

Connection Table.JPG

This however makes me curious (ignore the blackened spaces).

I installed LANDesk 9.6, so how can agents be on 9.5?

The inventory scan shows up version 9.60.0.124 as common base agent...

 

 

 

 

I have been hunting this problem for over a week now but I am really running out of options.

Also I searched a lot in different logfiles but without luck.

Either I do not know what error to look after or there are simply no errors in any other logfiles than vulscan.log about this problem.

softmon.log is not helpful.

 

 

I checked everything that I could imagine has something to do with the topic.

However, I found neither the source nor a solution.

So I hope to find a helpful hint or an answer to our problem here.

 

If nothing helps I will need to set up a second core with similar configuration by hand since I do not want to copy the maybe existing failure.

That would be pretty time consuming and so I hope you people can help me out with this nasty little problem.

 

Greetings

Patching Office365 Click-to-Run Installations efficiently with LANDESK


Introduction

 

As we all know, the latest release of Office from Microsoft comes in 2 flavors. A 'rich client' based installation, which is practically the same as running the Setup as in previous versions, and a Click-to-Run setup. The Click-to-Run version basically downloads stand-alone App-V packages of the applications you want to use from the Office Suite. Easy as this may be (and, depending on your licensing scheme, the only option you may have), this provides a challenge for Patch Management, as LANDESK cannot patch within an App-V package.

 

This document will describe how to easily still use LANDESK to patch Click-to-Run Office365 installations using all LANDESK intelligence. From now on, the use of Office365 will assume the Click-to-Run version.

 

Configure your Office365 installation

 

More information about actually deploying Office365 can be found here. During configuration of the Office365 setup you can create an XML file that changes certain settings in your Office365 package to fit your environment. This XML can be created using the Office Deployment Tool for Click-to-Run. In this setup, there are 2 important settings for Patch Management. First, you can set the Office365 installations to Auto-update, so that users do not need to check for updates manually. Second, there is a path where the installed Office365 packages will look for updates when Auto-Update is configured. By default this will point to a share. In a configured XML this will look like this:

 

Contents of Test.xml
<Configuration>
  <Add OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail" />
  </Add>
  <Updates Enabled="TRUE" UpdatePath="\\MyServer\Updates\Office" />
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Name="OfficeSetup.txt" Path="%temp%" />
</Configuration>

 

In a small environment, you can just point the UpdatePath to the location where LANDESK downloads patches. In a larger environment, however, you don't want all devices to connect to a central share when you have options like Preferred Servers, Bandwidth Usage or the Cloud Services Appliance that you want to use. For this reason, change the UpdatePath setting to: %ProgramFiles%\landesk\ldclient\sdmcache (or whatever the location of your sdmcache is)

 

Using LANDESK

 

Ideally you have 1 installed rich Office365 installation (Office Professional Plus 2013), although this is not completely necessary.

 

First, create a query which checks All Devices for Office365 installed.

 

You can download the Patch definitions in the normal way. If you have the Office Professional Plus 2013, running the vulscan will detect the definitions you need to deploy on the Click-to-Run devices. If not, you need to have a manual monthly process to select from the definitions last month from the Patch and Compliance screen, Vulnerabilities, View by Product --> Office2013 and/or Office2013x64, download the detected/selected patch content from the definitions and wait until all replications to Preferred Servers have completed.

 

Now we can select all Office365/2013 vulnerabilities from this month and create a Repair Task.

patch.png

Most important, change the settings in Task Settings, so that the task uses Policy based delivery (so it will also work with devices through the CSA) and uses the Pre-Cache option under the Download options. Don't add any targets automatically to the task. Rename the task to cover the content, like 'Office365 Patches December'. Save and add the query you created as target.

 

Start the task. When the devices check for Policies, they will start this task and download (with all LANDESK intelligence) the selected patch content to the SDMCACHE on the client. From there, it will be picked up by the auto-update of the Office Setup.

 

So, to summarize

 

 

 

Change the setup XML to use the UpdatePath setting: %ProgramFiles%\landesk\ldclient\sdmcache

Select all Office2013 vulnerabilities for the selected month

Download all their content

Wait for replication tasks until the content is on all Preferred Servers

Create a repair task with Policy/Pre-cache options configured

Target the query you created which queries Office365 installation

Start the task

The devices check for their policies and download the patches to SDMCACHE

The Auto-Update of Office picks the patches up from the local SDMCACHE folder

 

Thanks

 

Many thanks to remon.mulders for his brilliant thoughts on this subject!!
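
The UpdatePath change described in this article can be checked before a configuration file is shipped. This is an added example, not part of the original article or of any LANDESK or Microsoft tool; the function names are made up, and the sample XML is the article's Test.xml in well-formed shape.

```python
import xml.etree.ElementTree as ET

# Local cache path recommended in the article.
SDMCACHE = r"%ProgramFiles%\landesk\ldclient\sdmcache"

# Sample input: the article's Test.xml, still pointing at a central share.
SAMPLE_XML = r"""<Configuration>
  <Add OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail" />
  </Add>
  <Updates Enabled="TRUE" UpdatePath="\\MyServer\Updates\Office" />
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Name="OfficeSetup.txt" Path="%temp%" />
</Configuration>"""


def _norm(path):
    """Compare Windows paths case-insensitively, ignoring a trailing backslash."""
    return path.strip().rstrip("\\").lower()


def check_updates(xml_text, expected_path=SDMCACHE):
    """Return a list of problems with the <Updates> element; empty means OK."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    updates = root.find("Updates")
    if updates is None:
        return ["no <Updates> element, so auto-update settings are not defined"]
    problems = []
    if updates.get("Enabled", "").upper() != "TRUE":
        problems.append("auto-update is not enabled (Enabled is not TRUE)")
    path = updates.get("UpdatePath", "")
    if not path:
        problems.append("UpdatePath is missing")
    elif path.startswith("\\\\"):
        problems.append(f"UpdatePath is a UNC share ({path}), not the local sdmcache")
    elif _norm(path) != _norm(expected_path):
        problems.append(f"UpdatePath is {path}, expected {expected_path}")
    return problems


def point_at_sdmcache(xml_text, path=SDMCACHE):
    """Return the configuration with auto-update on and UpdatePath set to path."""
    root = ET.fromstring(xml_text)
    updates = root.find("Updates")
    if updates is None:
        updates = ET.SubElement(root, "Updates")
    updates.set("Enabled", "TRUE")
    updates.set("UpdatePath", path)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(check_updates(SAMPLE_XML))
    print(check_updates(point_at_sdmcache(SAMPLE_XML)))
```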

 

 

 

 


Application Blocking Video Tutorial


This video shows you how to get started with Application Blocking.

 

 

If this video has helped you please like or leave a comment, Thank you.

Creating a distribution and patch agent setting video tutorial


This video will go through some of the basics of creating a distribution and patch agent setting.

 


Repair Patches As Specific User or Run as Administrator


Purpose

 

This document outlines how to run a Patch Repair task as a specific user. This can be used as a way to apply patches similar to using 'Run as Administrator'.

 

 

Affected Platform


LDMS Core: 9.6 SP1

 

Steps

 

Running Patch Repair tasks as a specific user can only be delegated on the Distribution and Patch setting, not per vulnerability/patch. Because of this, it is recommended to set up a new Agent Setting | Distribution and Patch for use on patches that require the 'run as' option.

 

  • Click Tools | Configuration | Agent Settings

1-tools.png

 

  • Click Agent Settings | My Agent Settings or Public Agent Settings | Distribution and Patch | Create New Setting

 

2-newdistsetting.png

  • Within the Distribution and Patch setting select MSI Information
  • Under the Run as Information section fill out the credentials of the user to 'run as'
    • Using an admin account will have the same effect as 'run as administrator'

 

3-msisettings.png

 

  • Click Save to commit

 

Note: For the purposes of this document, the MSI Information | Run as Information is the only relevant option that needs to be configured. The other options within this setting may be configured according to the needs of your environment.

 

  • With the new setting created, schedule the repair of the patch.
  • In the Scheduled Task window select Agent Settings
  • Under Distribution and Patch select the new Distribution and Patch - Run as Admin setting
    • The name of the setting will vary depending on what you called it

 

4-distributionoptionontask.png

 

  • Save the task and run

 

When this task runs on the client machine, it will run the repair job as the specific user with the rights defined for that user.

Internet Explorer 11 via Patch & Compliance


Hey All,

 

Is anyone in the process of rolling out IE11 yet and managed to deploy it via patch and compliance in an efficient way? I'm currently trying to figure out a way to minimise reboots to the end-user.  As it stands there are pre-reqs for IE11 (which I've already deployed to the fleet), then you can send out IE11 itself, then the computer needs to scan again and apply some IE11 patches, then it appears to do another set which had dependencies on the previous patches (all with a reboot in between).

 

My end result is just IE11 with Enterprise mode, so for Win 7 that is IE11 with KB2929437.  I'm attempting to not resort to packaging the rollout as vulscan reboot is much better but it's poor service to deliver a browser that isn't fully functional until another scan occurs, followed by more updates being applied (could be up to 3 days).

 

I already have a couple of ideas, one of which is I'm considering cloning the patch and bundling the two minimum requirements together but thought I'd open the discussion to the community for other opinions.

 

Thanks,

Stewart

Leveraging Linux Vendor Tools to Remediate Vulnerabilities


Does not apply to 64bit version of the Linux Agent. The 64bit version can only detect but not remediate vulnerabilities. Check the attached document Patch Manager Support for Linux Unix to check which features are available for your specific platform.

 

LANDesk customers want a solution that will allow them to remediate Linux vulnerabilities that are discovered on their client machines. This involves being able to determine what dependencies are required to install the packages for the detected Linux vulnerability. The remediation process needs to account for (install) dependencies that are required so that the vulnerability can be remediated completely.

 

LANDesk has implemented a solution to invoke the Linux vendors’ patching tools which will resolve the patch dependencies. The vendor tool will download and install both the dependencies and the detected vulnerability package. This functionality will be called from the LANDesk vulnerability content section that performs the repair function. By leveraging the Linux vendor’s patching tools, we are able to resolve patch dependency issues.

 

Please see the attached document for details.

 

Where to Send Feedback

At LANDesk, we are constantly striving to improve our products and services and hope you find these changes reflective of our ongoing commitment to listen to you—our partners and customers—in providing the best possible solutions to meet your needs now and in the future.  Please continue to provide feedback by contacting our local support organization.

 

Best regards,

LANDesk Product Support

 

Copyright © 2010 LANDesk Software.  All rights reserved. LANDesk is either a registered trademark or trademark of LANDesk Software, Ltd. or its affiliated entities in the United States and/or other countries. Other names or brands may be claimed as the property of others.Information in this document is provided for information purposes only.  The information presented here is subject to change without notice.  This information is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including any implied warranties and conditions of merchantability or fitness for a particular purpose. LANDesk disclaims any liability with respect to this document and LANDesk has no responsibility or liability for any third party products of any content contained on any site referenced herein.  This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. For the most current product information, please visit http://www.landesk.com.

MS15-015 and 3004375


Hi,

I am having a weird issue with MS15-015 and MS15-011.  LANDesk shows both of these patches as having been installed on my systems but when I audit with MBSA it says it is not installed.  I spot checked a few of the systems and Windows update shows it as having successfully installed.  However, when I run Windows update it says it still needs the update.  According to this:

https://support.microsoft.com/kb/3031432

Update 3004375 is supposed to be installed alongside 3031432 (MS15-015) but it seems the LANDesk definition does not include that.

Is anyone else seeing this issue?  Any help would be greatly appreciated.

Thanks,

Brad

Microsoft .NET Framework 4.5.2


Through the last round of endpoint patching we noticed Windows Update showed the most recent .NET framework update as "Important" .   Yet in scanning using LANDesk, the vulnerability is not detected nor are we allowed to patch.  

 

This is being noted by our CSO as our policy is to patch all Critical, High and Important patches.  

 

My questions are:   Why is this not being detected?   Why is there not a patch available to update?
