Channel: Ivanti User Community : All Content - Patch Manager

Unable to run Patch scan after 9.6 SP1 upgrade


I recently created a new APP and SQL server (both Server 2012) to test LDMS 9.6 Sp1 (Side-by-side with production 9.5 SP3 servers).

 

I restored our current running 9.5 Sp3 Database to the test SQL server, and installed LDMS 9.6 SP1 to the app server, upgrading the database without issue.

I re-created all agents and settings, and deployed a new 9.6 SP1 agent to a 2008 R2 test server.  The server can run inventory scans, and I can Inspect it fine, but running a Security/Patch scan fails, "No response from core", and unable to Parse information "Cannot interpret data"

 

Has anyone else run into this issue?

Please advise

Thank you!


Windows Patch required for 2 servers fails; manual installation shows not needed


We are recently new to LANDesk 9.6.

 

I have two Windows Server 2012 servers that show they need patch 3008242_MSU. I have scheduled the patch on three occasions and it fails with Error code 412.

 

I remoted to each server and copied the patch from LANDesk to the servers and tried to manually run it. I get "Windows Update Standalone Installer:  The update is not applicable to your computer."

 

I remoted to each server and looked through all the installed updates for KB3008242. I thought if I found it I could uninstall it and try again. However, it is not listed on either machine.

 

What do you think I should do next?

Does LDMS 9.5 SP2 support .NET Framework 4.5.2??


I recently updated the Core Server with .NET Framework 4.5.2.  I didn't notice any problems until I tried to run Patches on a Test Group.  In the test group, there are 10 machines; each of the machines seems to fail downloading the patch from the server.  It hasn't had problems in the past.  We sent out patches to a set of 300 Servers, and the patches downloaded fine and we had a 96% success rate.  I'm not positive that it has to do with the .NET update, it just so happens that it was updated after the patches were sent out to the Servers.  If there are any other ideas as to why it's failing, please point me in a direction.  We're trying to send out any patches that the machines are missing... I saw some posts about a similar issue in 9.5 SP2 that there was a beta patch and a fix in 9.5 SP3.  I'm not sure that is the answer, I just know that in other environments that I've been in, .NET updates were a culprit in a lot of "Weird" issues.

 

Let me know your thoughts; please!!

 

Thanks,

Kevin

stop a patch from installing on a few servers


I have a patch that I want to install on 99% of my servers but it can not be installed on the last 1%, is there an easy way to block this patch from just these 10 to 20 servers?  We use a custom patch group for all our servers and did not want to have to create a separate patch group just for these servers.

Compliancescan stop Windows Update Service


Hey guys,

 

I have a little problem with Windows Update in my company.

The patch and compliancescan stop the windows update service.

 

At the moment we deploy our windows updates over a WSUS Server.

Version: 9.6 SP1

How can I disable this phenomenon?

 

Sorry for the short description, but I'm just sitting in a train with my phone.

 

Thanks.

Vulscan Switches for Windows Agents


Items in brackets are optional, and the | symbol means "or":

 

General:
/AgentBehavior=AgentBehaviorID
/ShowUI
/AllowUserCancelScan
/AutoCloseTimeout=Seconds
/Scan=X, where X is the type
/Group=GroupID
/Autofix=True or False
/StageOnly
/Local
/PeerDownload
/NoPeer
/SadBandwidth=(% of bandwidth to use)
/IgnorePendingFileRename

Repair:
/Repair Group=GroupID | Vulnerability=VulnerabilityID | Vulnerability=All
/Fix
/RemovePatch=Unique patch name
/RepairPrompt=Message
/AllowUserCancelRepair
/AutoRepairTimeout=Seconds to wait | -1   (-1 means to use "Default")
/DefaultRepairTimeoutAction=start | close

Reboot:
/Reboot
/RebootIfNeeded
/RebootAction= [always | never]
/RebootMessage=Message
/AllowUserCancelReboot
/AutoRebootTimeout=Seconds to wait | -1
/DefaultRebootTimeoutAction=reboot | close | snooze
/SnoozeCount=Number of snoozes
/SnoozeInterval=Seconds to snooze

 

NOTE:  For LANDESK Management Suite 9.6, the reboot behaviors must be referenced instead of direct command line switches.  In other words, the /ob:RebootBehavior=<BehaviorIDName_vXXX>;

where the "BehaviorIDName_vXXX" contains the Core name and a version number.

 

MSI:
/OriginalMSILocation=Path
/Username=Username
/Password=Password

VB Testing:
/scriptrepair=filename
/scriptdetect=filename
/customVarfile=filename

Disable:
/NoElevate
/NoSleep
/NoSync
/NoUpdate
/NoXML
/NoRepair

 

Data Files:
/Dump
/Data
/O=Filename (including full path)
/Log=Filename (including full path)
/Coreserver=server name
/Reset - Deletes client side settings and files
/Clear or /ClearScanStatus - Clears scan results for client at coreav

Antivirus:
/removeoldav
/removeav
/installav
/z=filename
/fixnow
/changesettings

Endpoint Security:
/installhips
/removehips
/changesettings (download new settings made)
/installeps

 

Running "vulscan e", "vulscan l", "vulscan c", "vulscan av" or "vulscan log" (in LDMS 9.6 SP1) does the following:

e - Opens the Vulscan directory
l - Opens the current vulscan log
c - Opens the LDClient directory
av - Opens the LANDeskAV folder
log - Opens the LANDESK logs directory, which includes the Vulscan logs (9.6 SP1)

 

Vulnerability definition types for use with the /scan= switch:

 

Number  Type
0       Vulnerabilities
1       Spyware
2       Security Threats
3       LANDesk Updates
4       Custom Definitions
5       Blocked Apps
7       Drivers
8       Antivirus

 

Vulscan switches used for content replication

 

/replicate– triggers vulscan to do a content replication.

/changesettings with a /replicationbehavior=default  tells vulscan which behavior to use.  Default means compute the behavior guid based on the computer idn.  For example, if my computer idn is  1234, then I will try to download a behavior called “ReplicationBehavior_Replicator_1234.xml”. Vulscan will now consider itself a “replicator” and will try to update its copy of a replicationBehavior any time it runs, creating any local scheduler jobs as necessary.

 

/changesettings /replicationbehavior=-2 will disable vulscan as a replicator, removing any local scheduler tasks regarding replication and causing vulscan to no longer attempt to get the latest replication behavior file.

 

/settingsIndex=NNN– you’ll see this commandline used by the local scheduler when it launches vulscan.  This tells vulscan which group of settings to use to control its behavior as specified in the console’s UI.  For each scheduled replication event that you specify, there will be a new “settingsIndex”.

 

/duration=NNN– The maximum duration that vulscan should do replication, in minutes.  This will appear in the replication behavior file and not typically on the command line, but in the file you’ll see something like “Duration_0”, or “Duration_1”, etc.  The value after the underscore is the settings index number.  When vulscan applies settings found in the behavior file and it sees that its settingsIndex value has been set, then it looks for any variables in the behavior file that end with an underscore and that number (such as “Duration_0”).  It strips off the underscore and number and sets the value internally.  Therefore, anything you see in the behavior file that ends in the underscore can be passed on the commandline (and therefore take precedence over the behavior file settings).

 

Many of the _NNN settings that are in the behavior file are regarding the local scheduler task that should be created.  So vulscan only interprets those values when creating the local scheduled task that will later launch itself to do replication.

Patching 101 - A simple, effective method of patching


As the Enterprise LANDesk Administrator of a large company that has had over 15 Core Servers with over 12,000 systems and over 20 other LANDesk techs to support, I have found "how should I patch" to come up often at my location as well as on this forum.

 

Like Windows, there are 3 or more ways to do most anything in LANDesk, patching being one of those, and I have re-written the way I advocate our techs patch in LANDesk from the way I recommended a few years back and thought I would post it here for others to use as needed. It is not the only way, nor am I saying it is the best way.

 

Please keep in mind that this is a basic method, simple and effective.  I did not go into Auto-Fix; some of our advanced techs use it, others don't.  I wanted something a newbie could pick up, read and begin patching in a very short amount of time.

 

Picking what patches to patch can be a political nightmare depending on your company's policies.  Ours went from 12 groups doing it all differently, some patching criticals only, some not patching, others patching everything possible, to a reduced number of groups that all now have a "baseline" that is set from up above that is pretty in-depth and aggressive deadlines to have them patched by.

 

In short, we patch all security related items with few exceptions that are patchable via LANDesk and we do it aggressively as you must nowadays in this world of exploits.

 

If you are not patching, I strongly suggest you start.

 

Attached is the method I recommend, it uses two tasks, one a "Push" the other a straight "Policy".  Why not a "Policy Support Push" you ask?  We were doing that but are finding that some systems will stick in the "active" bin of the scheduled tasks for some reason (being researched) and thus the task will not become a policy.  If you restart the task, some of those systems will clear, but then others will stick... and so on.

 

It goes over creating a group of patches, creating the tasks, targeting the systems and scheduling the deployment.

 

I look forward to your feedback and I hope this helps some of you.

Management Suite 9.5 Question on Java Vulnerabilities


Hello,

 

I'm new to the Management Suite and have some questions about Java patches.

 

I've been successful in using the definitions for Java and deploying the patches for the vulnerabilities labeled as Manual_Upgrade. I have not had success with the ones simply labeled Manual.

 

As an example;  Vulnerability ID – JREJDKv8U31_Manual when installed on my systems will not actually install the new version of Java. However, if I use Vulnerability ID – JREJDKv8U31_Manual_Upgrade, I get a successful installation of the new version of Java when run through the Patch and Compliance Scan.

 

Does each new version of Java get released with the Manual_Upgrade definition?

I read the latest Patch News Bulletin for Java 8U40 and noticed there is only the Manual option available. https://community.landesk.com/support/docs/DOC-34234

Does the Manual_Upgrade option typically get released at a later date?

I downloaded the latest definitions this morning and also did not see it.

 

Thank you


Autofix downloading patch question..


Hi. I'm hoping someone will be able to complete a piece of the puzzle for me.

 

I would like to auto patch (Autofix) machines with a new version of software as it is released.

 

EXAMPLE - SKYPE

I have autofix enabled on agents (which has been tested and is working).

I have configured a "Definition group" as follows;

 

Definition Group.JPG

 

To this point the process is working.

 

LANDesk identifies a new version of Skype has been released. This definition is then placed into the Compliance folder and set to Autofix

 

THE ISSUE - ( I think )

 

I am then required to download the patch before it can be applied to my Autofix scope?

The Detection rule states that the patch "Downloaded" is No.

 

Patch properties.JPG

 

QUESTION:

 

Is there a way to get LANDesk to Download the patch automatically?

I have logged a call with LANDesk support, who said it was possible but we would need to go to a LANDesk professional as it is not a simple task????

 

I thought it may be in "Download updates", however Skype is not referenced there at all.

 

SO.. I'm stuck with an Autofix process that requires a Patch to be manually downloaded. I'm confused ..

 

Interesting if I select an older version (as test) and select "Autofix" I get the following;

 

Autopatch.JPG

 

... So why cannot this be automated????????

 

Guys & Gals... If anyone can help me with this, I will be forever grateful.

 

All the best

 

Adam.

Patch & Not Update .Net/IIS etc


Hi All, you guys have helped me out massively before and I'm hoping you can again! My company has decided to roll out LANDesk patching to all our servers now that the desktops are complete, BUT they have requested that we only apply patches and not updates to the applications running on the servers, e.g. .Net 3.5 needs to be patched but can't be upgraded to 4.0 or 4.5....  I can't see any options in the scan & repair agent settings to set this, as having a specific patch folder for each server with all their different requirements is unmanageable, so I'm hoping you can confirm whether this is in fact possible with LANDesk?

 

Thanks in advance

 

Tony

 

P.S. We're running LDMS 9.5

Java Timezone Updater - 1.4.10 (ID JDKDSTv1.4.11) not working


JDKDSTv1.4.11_Manual has a title of Java SE Timezone Updater - 1.4.10 (version tzdata2014i).  Note that the ID and title contain different version numbers.

 

Downloading the 1.4.11 timezone updater from java and installing it in the manner specified in the patch description doesn't result in the patch recognizing the files.

How do you run "Scan and Repair" setting's pre-/post- scripts as a specific user?


2015-03-10_16-20-44.jpg

 

I have set every local LANDesk agent to run as a specified user.

MSI information has a specified user

LANDesk Core Scheduler service has a specified user

 

The pre/post script still runs as SYSTEM account

 

Reason: The pre script is accessing a database and running shutdown commands. These commands need to run in the context of a user account that has rights to the DB. Adding this to the Scan and Repair setting would bring the server back online as soon as vulscan is finished with the required patches.

 

POC: Running the script via distribution (Account set in distribution package) works perfect


What Agent settings are maintained when selected during a scheduled task?


I want to use the pre- and post- script sections of the scan and repair section:

 

2015-03-10_12-26-48.jpg

 

When I schedule a custom group and select the Agent setting the pre- and post- are not launched..... even though it is specified in the alternate config

 

2015-03-10_12-30-36.jpg

 

Am I going about this wrong?

 

 

 

 


Stop scanning for XP vulnerabilities and only scan for Win7


We would like to remove all XP patches and just scan for Win7 updates. Is there an easy way to do this? I know there will be times when the updates apply to multiple OS's.

Patching and Licensing Question


We recently renewed our landesk subscription and since doing so endpoints don't appear to be detecting any missing patches.  A couple of months prior to renewing we upgraded from 9.5 to 9.6.  I'm attaching a screenshot of the product licensing screen.  I'm wondering if I'm licensed correctly or not and if this is the issue with my endpoints not detecting missing patches.  Can anyone tell based on the attachment if I'm good as far as licensing goes?


Error during vulnerability scan: "Failed to apply compliance settings"


Issue

"Failed to apply compliance settings" during vulnerability scan.

 

Steps to reproduce issue

 

  1. Right click on the device to run compliance scan, it gives error "unable to get compliance settings from core"
  2. Error in vulscan log:

Loaded 0 custom variables from C:\ProgramData\vulScan\CustomVariables.CoreServerHostName.ini

Last status: Could not find compliance settings

Error: No compliance behavior specified, unable to perform compliance scan

Failed to apply compliance settings

Last status: Failed


Resolution

In agent settings, create new compliance settings, then run a change settings task to deploy the settings to the client machine.

Issue: Cannot open vulscan logs folder from command line using "vulscan e"


This document applies to LDMS 9.0, 9.5 , and 9.6

Issue

Cannot open vulscan logs folder via command line "vulscan e".

 

It may exhibit one of the symptoms below:

  1. When trying to open the vulscan logs folder manually via "vulscan e", it shows the error "Failed to shell execute an explore on C:\program File\LANDesk\LDCilent\vulScan\ Error 31"

  2. When running security scan on the client machine, it fails with "Failed to apply compliance settings"

  3. Vulscan folder is created under ...\landesk\LDclient folder

 

Resolution

 

Check whether the registry entry below exists; if it does not, add it to the registry manually.

32bit machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

64bit machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

common appdata = vulscan

Java SE 6 Update 91 x64 binaries in patch folder, but still showing as "not downloaded" - ideas?


I downloaded Oracle Patch 9553040 from My Oracle Support (patch filename is p9553040_160_MSWIN-x86-64.zip).  I extracted the two executables (jdk-6u91-windows-x64.exe and jre-6u91-windows-x64.exe) to the patch folder (right-click to "Open patch folder...").  They still show up as not downloaded.  This worked just fine for the 32-bit binaries (ending in -i586.exe instead of -x64.exe).  Any ideas what might be the issue?

 

Thanks,

Charles

Unable to download or install .MSU patches through Patch Manager.


Problem:

Unable to download or install .MSU patches to my Windows 7, 8, 8.1, 2008 and 2012 clients.

The vulscan log file may show the following excerpt:

Downloading http://landeskcoreserv/ldlogon/patch/windows6.1-kb978251-x64._W-Skw.msu
Fri, 02 Apr 2010 14:16:03 Performing TCP connection with a timeout of -1 milliseconds
Fri, 02 Apr 2010 14:16:04 Connect failed (10061) in ConnectToValidAddress (127.0.0.1:7360)
Failed to download http://landeskcoreserver/ldlogon/patch/windows6.1-kb978251-x64._W-Skw.msu. Error code 5
Last status: Failed: Could not download http://landeskcoreserver/ldlogon/patch/windows6.1-kb978251-x64._W-Skw.msu

 

Cause:

 

Unable to download the patch: The most common problem is a MIME type extension problem.

 

Unable to install Patch: The most common cause for this is that the "Windows Update" service has been stopped or disabled.

 

MSU patches are processed using the Windows Update Stand-alone Installer (wusa.exe).  The Windows Update Stand-alone Installer uses the Windows Update Agent API to install update packages. Information about this process can be located here.

 

Resolution:

Unable to download the patch:


Windows 2003 server:

  1. On the core server, launch Internet information Services Manager.

  2. Navigate to the Default Web Site, right click on it and choose Properties.

  3. Click the HTTP Headers tab and click MIME Types.

  4. Click New and enter  "MSU" for the file extensions and type in "application/octet-stream" for the MIME type.

  5. Restart IIS by running "iisreset" from the run command.

 

Windows 2008 Server:

  1. On the Core server, Launch Internet Information Services Manager.
  2. Navigate to the Default Web Site and click on it.
  3. From the middle panel, locate MIME Types and double click on it.
  4. Click Add and enter  "MSU" for the file extensions and type in "application/octet-stream" for the MIME type.

  5. Restart IIS by running "iisreset" from the run command.

 

Unable to install Patch:

On the Client Machine make sure that the "Windows Update" service is running.

 

In environments where you do not want your end users to have the option to use windows update you can use the following GPO setting to disable access to windows update but leave the service running.

 

Under Computer Configuration | Policies | Administrative templates | Windows Components | Windows Update. Locate the Configure Automatic Updates and "Disable" it.

On the client this setting translates to the "Never Check for updates (Not Recommended)".

 

The following GPO can be used to disable the Windows Update service. This needs to be enabled for patching to work.

Computer Configuration | Policies | Windows Settings | Security Settings | System Services. Locate Windows Update; it needs to be "Not Defined" or "Enabled".
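
The two checks from the resolution above, scripted in PowerShell. This is an added example, not a script from the original document or from LANDESK; the function names are hypothetical, and it assumes the IIS 7+ WebAdministration module on the core server and Windows PowerShell on the client.

```powershell
# Added example. Function names are hypothetical, not part of any LANDESK tooling.

function Test-MsuMimeMap {
    # Run on the core server (IIS 7 or later).
    # Returns $true when the site serves .msu files, $false when the MIME map is missing.
    param(
        [string]$SitePath = 'IIS:\Sites\Default Web Site',
        [switch]$Fix   # add the mapping when it is missing
    )
    Import-Module WebAdministration -ErrorAction Stop
    $filter = 'system.webServer/staticContent'

    # Effective MIME map for the site, including entries inherited from the server level.
    $maps = (Get-WebConfigurationProperty -PSPath $SitePath -Filter $filter -Name '.').Collection
    $msu  = $maps | Where-Object { $_.fileExtension -eq '.msu' }

    if ($msu) {
        Write-Host ".msu is mapped to '$($msu.mimeType)'"
        return $true
    }

    Write-Host "No MIME type is registered for .msu; IIS will refuse to serve the patch."
    if ($Fix) {
        # Same values as the manual steps: extension MSU, type application/octet-stream.
        Add-WebConfigurationProperty -PSPath $SitePath -Filter $filter -Name '.' `
            -Value @{ fileExtension = '.msu'; mimeType = 'application/octet-stream' }
        Write-Host "Mapping added. Restart IIS with 'iisreset' as in step 5."
        return $true
    }
    return $false
}

function Test-WindowsUpdateService {
    # Run on the client. wusa.exe installs .msu packages through this service,
    # so it must not be disabled (locally or by the System Services GPO).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    if (-not $svc) {
        Write-Host "Windows Update service (wuauserv) was not found."
        return $false
    }

    Write-Host "wuauserv: State=$($svc.State), StartMode=$($svc.StartMode)"
    if ($svc.StartMode -eq 'Disabled') {
        Write-Host "Service is disabled; check the System Services GPO setting described above."
        return $false
    }
    return ($svc.State -eq 'Running')
}

# On the core server:  Test-MsuMimeMap          (add -Fix to create the mapping)
# On a client:         Test-WindowsUpdateService
```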

Patch Management via powershell script


Hi,

     Is there any PowerShell script available by which I can query the list of updates available, trigger updates and perform patch management? I am new to LanDesk.
