Channel: Ivanti User Community : All Content - Patch Manager
Viewing all 1121 articles

Unable to download or install .MSU patches through Patch Manager.



Issue

 

Unable to download or install .MSU patches to my Windows 7, 8, 8.1, 2008 and 2012 clients.

The vulscan log file may show the following excerpt:

Downloading http://landeskcoreserv/ldlogon/patch/windows6.1-kb978251-x64._W-Skw.msu
Fri, 02 Apr 2010 14:16:03 Performing TCP connection with a timeout of -1 milliseconds
Fri, 02 Apr 2010 14:16:04 Connect failed (10061) in ConnectToValidAddress (127.0.0.1:7360)
Failed to download http://landeskcoreserver/ldlogon/patch/windows6.1-kb978251-x64._W-Skw.msu. Error code 5
Last status: Failed: Could not download http://landeskcoreserver/ldlogon/patch/windows6.1-kb978251-x64._W-Skw.msu

 

Cause

 

Unable to download the patch: The most common problem is a MIME type extension problem.

 

Unable to install Patch: The most common cause is that the "Windows Update" service has been stopped or disabled.

 

MSU patches are processed using the Windows Update Stand-alone Installer (wusa.exe).  The Windows Update Stand-alone Installer uses the Windows Update Agent API to install update packages. Information about this process can be located here.

 

Resolution


Unable to download the patch:


Windows 2003 server:

  1. On the core server, launch Internet Information Services Manager.

  2. Navigate to the Default Web Site and right-click it. Choose Properties.

  3. Click the HTTP Headers tab and click MIME Types.

  4. Click New and enter "MSU" for the file extension and type in "application/octet-stream" for the MIME type.

  5. Restart IIS by running "iisreset" from the run command.

 

Windows 2008 Server:

  1. On the core server, launch Internet Information Services Manager.
  2. Navigate to the Default Web Site and click on it.
  3. In the middle panel, locate MIME Types and double-click it.
  4. Click Add and enter "MSU" for the file extension and type in "application/octet-stream" for the MIME type.
  5. Restart IIS by running "iisreset" from the run command.

 

Unable to install Patch:

On the Client Machine make sure that the "Windows Update" service is running.

 

In environments where you do not want your end users to have the option to use Windows Update, you can use the following GPO setting to disable access to Windows Update but leave the service running.

 

Use Group Policy to disable End User configuration of Windows Update

Under Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update, locate the Configure Automatic Updates setting and "Disable" it.

On the client this setting translates to the "Never Check for updates (Not Recommended)".

 

The following GPO setting can be used to disable the Windows Update service. The service needs to be enabled for patching to work.

Computer Configuration | Policies | Windows Settings | Security Settings | System Services. Locate Windows Update; it needs to be "Not Defined" or "Enabled".

 

LANDESK Security and Compliance Manager can be used to control the Windows Update service

How to utilize LANDesk to Disable/Enable Windows Automatic Updates


Vulnerability Scans are not updating on the Core. - Client Logs show HTTP Error 406.  Giving up.


Environment

LANDesk Management Suite 9.5

LANDesk Management Suite 9.6

 

Error Message in Vulscan.log


Last status: Done
ProcessRules: detected compliance=0
Sending scan results to core LDMSCORE
PutResultsAsFile uncompressed length: 2014088
compressed length: 55626
HTTP POST: http://LDMSCORE/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{FC50D599-697B-5143-A3AA-7D4E3F74134A}_03456.vrz
Setting a proxy...
Setting socket timeout to 1000 * 60 * 4
Failed http://LDMSCORE/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{FC50D599-697B-5143-A3AA-7D4E3F74134A}_03456.vrz on server (0), server status: 406.
HTTP Error 406.  Giving up.
Last status: Failed: No response from core
Failed to put vulnerability results to core as file: 8DB301B1
Skipping repair step because scan errors occurred.
Exiting with return code 0x8db301b1 (433).



Solution / Workaround

 

1. Give the IUSR account Full Control permissions to the Managementsuite\Vulscanresults folder on the Core Server.
2. Run IISRESET on the Core Server.

3025417_MSU Patch - (Windows Defender) Detected on Server 2012


We do not have any Windows 8 machines on our network. All desktops are Windows 7.

 

We have some new servers with Server 2012 on them.

 

I am showing patch 3025417_MSU as being needed on my Server 2012 machines. This patch is an update for Windows Defender. The odd thing is that you cannot put Windows Defender on a server.

 

I'm curious why it's detecting my servers and wants to be installed. I did try it on one and it failed. I tried to manually install it and it says 'does not apply to this system.'

VISTA_WIN2008-SP2 failing to install


Target: Windows 2008 Standard - SP1

When patch is manually run it says SP1 is required. (No pending reboot flag)

 

Anyone else seen this?

LANDESK Patch and Compliance Landing Page


Security and Compliance for LANDESK Management Suite

  • This is a list of highly recommended documents for increasing overall knowledge of this component.  The articles listed below are applicable to LANDesk Management Suite 9.0 and 9.5.  There are links now added for 9.6. 
  • You can also browse or search content in this place for additional advice.

 

Important Notices

 

Initial Install and Configuration


Additional Options and Information

Videos:


Troubleshooting this Component


Notice: Any E-Learning content is available by default to Members who have a minimum support agreement at Professional level.


NOTE: This article is not a comprehensive list of documents and issues. You can continue to search the rest of the community or the portion specific to LANDesk Patch Manager if this page hasn't helped.

Value stored in Inventory for Reboot Needed in Affected Computers


In Patch and Compliance if you Right Click on a detected vulnerability and choose Affected computers the Column Set shows a Reboot Needed with a value of 1 or 0 (zero). Does anyone know if this value is getting pulled from inventory? If so does anyone know where it is located? I would like to create a query showing what machines I have that need to be rebooted. This is in LDMS 9.5 SP2

 


Issue: Cannot open vulscan logs folder from the command line using "vulscan e"


Issue

 

Cannot open vulscan logs folder via command line "vulscan e".

 

Computer exhibits one of the symptoms below:

  • When trying to open the vulscan logs folder manually via "vulscan e", it shows the following error:

    "Failed to shell execute an explore on C:\Program Files\LANDesk\LDClient\vulScan\ Error 31"

  • When running a security scan on the client machine, it fails with the following error:
    "Failed to apply compliance settings"
  • A "Vulscan" directory exists under the \Program Files\LANDESK\LDClient folder (or 64-bit equivalent \Program Files (x86)\LANDESK\LDClient folder)

 

Cause

 

Missing registry key to instruct the vulscan executable where to open the folder

 

Resolution

 

The following registry key must exist:

32bit client:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

64bit client:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

common appdata = vulscan


If this key does not exist, manually add it to the registry.

Error: "Unable to get custom variable overrides"


Issue


Running a "Patch and compliance scan now" by right-clicking a device in the Management Console produces the following error:

Unable to get custom variable overrides

 

Vulscan.log on the client shows the following error message:

          Applying scan and repair settings

            Done

          Failed to load custom variable overrides

            Failed


Solution

 

  1. In the Management Console open the "Agent Settings" tool.
  2. Expand "All agent settings".
  3. Select "Custom variables to override".
  4. Click on the "Create Task" Icon.
  5. Click "Change Settings".
  6. Give the task the name "Remove Custom Variables"
  7. Select "Create a scheduled task".
  8. Change the settings of Type (Custom variables) to "Remove Settings".
  9. Click "OK".
  10. Go to the "Scheduled Tasks" tool, add a device and run the task.
  11. Run the "Security and Compliance Scan Now" task again.

Issues patching Chrome and started with patch 38.0.2125.104


We have started having an issue with LANDesk patching Chrome.  We do not approve all Chrome patches but for us the issue started with version 38.0.2125.104 and we also had the issue with 38.0.2125.122. On certain computers the patch will install and the end user will be prompted to reboot.  After the reboot the computer then runs a Security scan at log on and it runs the install again and the user is prompted to reboot again so they are endlessly being asked to reboot until they contact the Help Desk.  In LANDesk the patch is showing as if it was installed successfully but apparently the patch definition is not detecting that the patch is installed. I have connected to a few of these computers and if I check Program and Features Chrome is showing up to date but if I open up Chrome it is showing out of date.  I can then Run As on Chrome with an Admin account and then Chrome finally reflects the correct "most recent" patch version and it gets the end user out of the endless reboot prompts.  Any help or suggestions would be great.

 

Here is what Security and Patch looks like for a computer having the issue.

 

LANDesk 9.5 SP 2

How to: Install 9.6 Service Pack 1 using Security and Compliance Manager


DESCRIPTION

 

   This requires that your Core Server already has Service Pack 1 installed

   This guide covers only one of the methods that will allow you to simply deploy Service Pack 1 for 9.6 agents using Security and Compliance Manager (Patch Manager) with the autofix option.

 

In order to deploy Service Pack 1 to clients via Patch Manager target the clients you intend to deploy to, then enable autofix for the SP1 definition on a scope based on your query.

 

 


 

 

 

HOW TO

 

Create your Query

 

In our example, we will create a Query that targets only the clients that have a specific Agent Configuration, then create a Scope based on this Query:


 

Download the latest definitions

 

  1. From your Patch and Compliance menu, Download Updates, Updates, and check as described:
  2. Put the new definition for SP1 within the following Custom Group: Autofix (one or more scopes).  To do so, go to the View by vendor sub menu, select LD-SP96-SP1 and drag and drop it to Autofix (one or more scopes)


 

Scan your client machines

 

  1. Launch a Security Scan on the client and wait for the installation to be done. It will require a reboot.
  2. Check if the update has been done properly by looking at the logs or checking the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\Managementsuite\WinClient\Patches


Is Most Affected Computers report available from charts?


Hi, on LDMS 9 SP3 on Patch And Compliance module we have Charts on Vulnerabilities statistics. Is it possible to export or generate a scheduled report for the Chart titled "Computer with the most detection"?

 

Thanx all

What is the Compliance group in the Security and Compliance Manager tool used for?


Description

 

The compliance group's main role is to provide a baseline scan of security standards your company requires. This scan is primarily accomplished through the use of LANDESK's Network Access Control (LANDESK DHCP). During the initial configuration of NAC, the definitions in the Compliance folder will be used to help build the NAC services that will scan computers entering your network.

 

Only a LANDESK administrator or a user with the Security and Patch Compliance right can add or remove definitions to and from the Compliance group.

The following security content types can be added to the Compliance group to define a compliance security policy:

  • Antivirus definitions
  • Custom definitions
  • Driver update definitions
  • LANDESK software update definitions
  • Security threat definitions (includes firewall definitions)
  • Software update definitions
  • Spyware definitions
  • Vulnerabilities (OS and application vulnerability definitions)

Note: You can't add blocked application definitions to the Compliance group to define compliance security policies.

To add security definitions to the Compliance group
  1. In Security and Patch Manager, select the type of security content you want to add to your compliance security policy from the Type drop-down list, and then drag and drop definitions from the item list into the Compliance group.
  2. Or, you can right-click an individual definition or selected group of definitions, and then click Add to compliance group.
  3. Make sure any necessary associated patches are downloaded before you publish LANDESK NAC content to posture validation servers and remediation servers. You can right-click a definition, selected group of definitions, or the Compliance group itself, and then click Download associated patches to download the patches necessary to remediate affected devices.


 

To run a compliance scan that uses this folder, you need to create a compliance scan setting. Under Settings, right-click Compliance and choose New to open a new dialog box for your Compliance Scan Settings. Unless specifically selected, an agent install will not include a compliance setting.


HTTP Error 403 / Vulscan Return Code 433 - Problem and Solution


Environment:

This document has been tested in 9.6.



Error message:

There are multiple error messages associated with this fix:


-IIS

2015-04-03 15:34:20 101.202.10.1 GET /incomingdata/postcgi.exe - 80 - 172.19.1.1 http://infldms/incomingdata/ 403 19 1314 203


-Vulscan.log

Sending scan results to core ldms96core1.fqdn.com

PutResultsAsFile uncompressed length: 803

compressed length: 393

HTTP POST: http://ldms96core1.fqdn.com/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{1AA08831-8A7A-2541-B607-1085BD6A4283}_4.vrz

Setting a proxy...

Setting socket timeout to 1000 * 60 * 4

Failed http://ldms96core1.fqdn.com/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{1AA08831-8A7A-2541-B607-1085BD6A4283}_4.vrz on server (0), server status: 403.

HTTP Error 403. Giving up.

Last status: Failed: No response from core

Failed to put vulnerability results to core as file: 8DB301B1

Failed: No response from core

Skipping repair step because scan errors occurred.

Failed

ClosePipes

Exiting with return code 0x8db301b1 (433).



Problem:

When attempting to run a vulnerability scan, you are getting a 433 return code.  When reviewing the vulscan.log (above), you find that there is a 403 HTTP error.



Cause:

The IIS log above shows a 403.19 error, which indicates that the configured user for the LDAppMain application pool does not have sufficient privileges to run CGI applications.



Solution / Workaround:

1. On your core server, click Start, click Run, type secpol.msc, and then click OK.

2. In the Local Security Policy Microsoft Management Console (MMC) snap-in, expand Local Policies, and then click User Rights Assignment.

3. In the details pane, right-click Replace a process level token.

4. In the Replace a process level token Properties dialog box, click Add User or Group.

5. In the Select Users or Groups dialog box, type IUSR, click Check Names to verify the account, and then click OK.

6. Perform an IISRESET and attempt a new vulnerability scan.
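
The vulscan.log and IIS excerpts in the articles above (the .MSU download failure, HTTP 406, custom variable overrides, and HTTP 403 / return code 433) each point at one resolution. The following Python is an added example, not LANDESK or Ivanti code: it scans log text for those signatures and returns the resolution this page gives for each. The function names, the advice table and the shortened sample lines are assumptions of the example; the IIS field positions follow the single log line shown above.

```python
import re

# Advice text paraphrases the resolutions given in the articles on this page.
STATUS_ADVICE = {
    406: "Give IUSR Full Control on Managementsuite\\Vulscanresults, then IISRESET",
    403: "Check the IIS log for 403.19; add IUSR to 'Replace a process level "
         "token' in secpol.msc, then IISRESET",
}
LINE_ADVICE = [
    (re.compile(r"Failed to download \S+\.msu", re.IGNORECASE),
     "Add MIME type MSU = application/octet-stream in IIS on the core, then iisreset"),
    (re.compile(r"Failed to load custom variable overrides"),
     "Run a 'Custom variables to override' task set to Remove Settings, then rescan"),
]
POST_STATUS = re.compile(r"^Failed \S+ on server \(\d+\), server status: (\d{3})\.")
RETURN_CODE = re.compile(r"Exiting with return code (0x[0-9a-fA-F]+) \((\d+)\)")


def triage_vulscan(log_text):
    """Return (line_no, symptom, advice) for each known failure line."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        match = POST_STATUS.search(line)
        if match:
            status = int(match.group(1))
            advice = STATUS_ADVICE.get(status, "No resolution on this page for this status")
            findings.append((line_no, "HTTP %d posting scan results" % status, advice))
            continue
        for pattern, advice in LINE_ADVICE:
            if pattern.search(line):
                findings.append((line_no, line, advice))
                break
    return findings


def return_code(log_text):
    """Return (hex_code, decimal_code) from the 'Exiting with return code' line."""
    match = RETURN_CODE.search(log_text)
    return (match.group(1).lower(), int(match.group(2))) if match else None


def iis_cgi_denials(iis_text):
    """Return (uri, status, substatus) for 403 responses in W3C log lines.

    Assumes the 14-field layout of the sample line on this page; a real log
    declares its layout in the '#Fields:' header, which should be honoured.
    """
    hits = []
    for line in iis_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 14:
            continue
        try:
            status, substatus = int(fields[10]), int(fields[11])
        except ValueError:
            continue
        if status == 403:
            hits.append((fields[4], status, substatus))
    return hits


# Sample input: lines shortened from the excerpts quoted on this page.
SAMPLE_VULSCAN = r"""Sending scan results to core ldms96core1.fqdn.com
HTTP POST: http://ldms96core1.fqdn.com/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{1AA08831-8A7A-2541-B607-1085BD6A4283}_4.vrz
Failed http://ldms96core1.fqdn.com/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{1AA08831-8A7A-2541-B607-1085BD6A4283}_4.vrz on server (0), server status: 403.
HTTP Error 403. Giving up.
Exiting with return code 0x8db301b1 (433).
"""
SAMPLE_IIS = ("2015-04-03 15:34:20 101.202.10.1 GET /incomingdata/postcgi.exe - 80 - "
              "172.19.1.1 http://infldms/incomingdata/ 403 19 1314 203")

if __name__ == "__main__":
    for finding in triage_vulscan(SAMPLE_VULSCAN):
        print("line %d: %s -> %s" % finding)
    print("return code:", return_code(SAMPLE_VULSCAN))
    print("IIS 403s:", iis_cgi_denials(SAMPLE_IIS))
```

A 403 in vulscan.log alone does not identify the cause; pairing it with the IIS substatus (19 here) is what ties it to the CGI privilege fix described above.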

Microsoft .NET Framework 4.5.2


Through the last round of endpoint patching we noticed Windows Update showed the most recent .NET framework update as "Important". Yet in scanning using LANDesk, the vulnerability is not detected nor are we allowed to patch.

 

This is being noted by our CSO as our policy is to patch all Critical, High and Important patches.  

 

My questions are:   Why is this not being detected?   Why is there not a patch available to update?

How to use Custom Groups to quickly bring a Computer up to date.


Problem:

I have several server groups that have different patching levels that are approved. Is there an easy way to bring a new server up to that level?


Solution:

You can use custom groups and a specific Scan and repair setting to bring new computers up to the approved level of patches. Below are the instructions on how to do this.

 

  1. Open the 32bit console.
  2. Click on Tools | Security and Compliance | Patch and Compliance
  3. Expand Groups
  4. Right click on Custom Group and click New Group.
  5. Give the New Group an appropriate name related to a specific server group.
  6. Drag appropriate Vulnerabilities for this server group into the group. 
  7. Expand Settings.
  8. Right click on "Scan and Repair" and select New...
  9. Give the new Scan and Repair settings an appropriate name related to a specific server group.
  10. Click on Scan Tab.
  11. Click Group and Immediately Repair All Detected Items.
  12. Click the ... button and then select the custom group.
  13. Click ok.
  14. Click the Repair tab.
  15. Check Start Repair even if reboot is already pending.
  16. Make any other changes to the Scan and repair settings as needed.
  17. Click ok.
  18. Click Create a task then security scan.
  19. Give the new Security Scan an appropriate name related to a specific server group.
  20. Click Create as a policy or Scheduled tasks.
  21. Choose the Scan and Repair Setting created in step 9.
  22. Drag the query representing the computers you want at this level of patching into the task.
  23. Start the task according to the schedule that fits your environment.

 

 

Once this task has run, if you add vulnerabilities to the group, restarting the task will not automatically restart it on all of the computers. To rerun it on all of them:

  1. Right click on the Scheduled task and choose properties.
  2. Click on Schedule task.
  3. Choose Start now or Start later.
  4. Under Schedule these devices, select All.

 

This will rerun the security scan on all computers and install any additional patches that have been added to the group.


Lenovo driver updates


I've installed a test core with 9.6 to test out some of the new features and was trying out the Lenovo driver updates through Patch.

 

We currently do not have a subscription to Patch, but I was able to download the definitions and associated patches.  I've put the definitions in the Scan folder and have created the repair tasks.

 

I have an X230 that I installed old version of drivers from the installs pulled down through Lenovo Update Retriever.  The drivers I installed were mostly from 2012.  I set all the drivers for the X230 to repair, but vulscan will scan the definitions, but not detect the drivers as needing updating.

 

I am new to the patch utility and don't know whether I am doing something wrong in this process, if a subscription is required to do this or if there is something on the machine I am testing that is preventing it from working.

 

Any advice would be greatly appreciated.

Basic questions with Patch Management


Hello, I apologize for the basic nature of my questions and confusion, but I have been reviewing the manual and documentation and also viewing as many videos as I can find to watch.  However, I'm afraid after 2 weeks, I still have some basic questions and confusion.

 

We have recently purchased LANDesk 9.6 and I was asked to look into the Patch Management piece.  I've picked up some (very) basic knowledge in my efforts to learn, but have hit a bit of a stumbling block to continue learning and am at a point I need to show my lack of understanding of this product and ask for help.

 

My understanding is that in the Patch and Compliance area, after you download the updates, they are placed into the "\Unassigned" folder.  Then it is up to me to figure out what to do with them.  To get the vulnerability scan (vulscan.exe) to check if these updates are needed on our workstations, I must copy the desired updates into the "\Scan" folder.  And vulscan.exe will ONLY check the workstations for the updates in this \Scan folder.

 

I have many questions and items that are confusing to me in LANDesk, but my initial question & confusion is 'Which of the thousands of updates that were downloaded should I copy to the \Scan folder?'  Now I realized the obvious answer is "You dummy, copy the ones you want to scan for!", but that is the problem.  I don't understand how LANDesk is doing this check.  In my mind it should simply check for "Adobe Reader", yet there are numerous 'versions' of Adobe Reader updates that get downloaded and I don't understand why, and more importantly, how these different versions are used.

 

In a specific example, but questions and confusion is below.  Thank you for any help or pointers that will get this beginner past this initial hurdle.

 

  1. We have thousands of computers and they all have Adobe Reader installed.  There are many updates downloaded that are listed for Adobe Reader and various versions.  Do I ONLY need to copy the very latest Adobe Reader update into the \Scan folder?  (i.e. - Adobe Reader 11.0.10)  If I do that and a machine has Adobe Reader 9 or 10, will the fact that I copied just the Reader 11 update show those workstations as needing an update?
  2. Also, there are currently 3 different updates that were downloaded for Adobe Reader v11.0.10.  Why, and which one should I copy to the \Scan folder?  (We don't want to be scanning for unnecessary things.)  This occurs with other products too where there are multiple items referencing the same version that were downloaded.  I guess I'm having a mental block as to why LANDesk does this?  I don't want to take a shotgun approach and just put "everything" in the \Scan folder, but how do I know which of the Adobe Reader (or JAVA, Flash Player, etc.) items are truly needed?
  3. How does vulscan.exe flag what the 'fix' is?  In other words, I have machines with Adobe Reader v9.  Is LANDesk going to install the most current version as the fix?  (i.e. - LANDesk will tell me the fix for computers with Adobe Reader 9 is to install Adobe Reader 11.0.10.)  If so, how do we control versioning?  Because we actually have some computers that require a specific version of Adobe Reader 9.  Thus, if LANDesk says those computers are vulnerable, how can you ensure that the 'fix' for those computers is to simply install the latest Adobe Reader 9 version, which is 9.5.5 and do NOT 'fix' them by installing Adobe Reader 11.0.10?
  4. And finally, what if a machine did NOT have Adobe Reader installed?  Can I perform an installation of that product via LANDesk Patch Management?


    Keith Hemmelman

Patching and Multicast in 9.6sp1


We are pretty new to LANDESK and are trying to get our clients caught up on patching client and we've run across the following behavior.

 

  1. We create a patch group with say 100 patches in them based off of detected patches
  2. We then create a repair task from that group (right-click -> repair)
  3. To the repair group we add systems based on a scope to the task and release it as a policy supported push

 

What appears to happen is that one of the PCs in each subnet at the various sites will download from the core all the files in that update group (say 2gb).  For some sites this amount of download traffic is not a problem as there are only 1-2 subnets in the site and they have decent bandwidth, but at some other sites where there are a larger number of subnets and slower connectivity this is an issue.

 

I have two questions..

Should the multicast representative only download the 20-30 files that are actually needed by clients on the subnet?

If downloading all the files for the group is the expected behavior, is there a way to stop that other than disabling multicast in the distribution and patch settings?

 

Paul

LANDesk Patches fail


LD 9.5 sp3

 

I have one server that is failing on applying patches via LANDesk.   When using Microsoft Update, all patches apply and the server is clean (verified with our internal Nessus tools).   However 10 recent patches fail and show failed when LANDesk attempts to patch.  The patches are identified through vulscan.

 

We thought this might be due to IE Enhanced Security Configuration (Server 2008r2) which was turned on by accident, but that makes no difference.

 

If I browse to the patches on the LANDesk server and attempt to apply, a message shows that the patch is either not needed or does not apply to this server.

 

Which log file will show me details on why the patches failed?   Anyone else see something like this?   Any suggestions?

 

Thanks

Custom Definitions not working


Hi all,

 

I'm trying to make a simple custom definition - basically it detects the file version of an executable, and if the version is below minimum it is supposed to run a batch file which replaces the exe.

 

However, I cannot make this work (this is on 9.6 by the way). No matter what I do I just get a Status of 'Failed' and result 'Failed to download all additional files for a package'. There aren't any additional files!

 

Here's what I did (cribbed from How to Create Custom Definitions in LANDesk® Management Suite 9.0)

 

Went to Patch and Compliance, switched to Custom Definitions. Added a new one.

 

In detection rules, added a new rule. Chose affected platforms (Win 7) and used Files as the detection logic. Chose the file and put the minimum version in. This part seems to work fine as I can later make a query for affected computers and see a list.

 

Next, under Patch Information I selected 'Repairing this issue requires downloading a patch'. I copied my batch file to \\LDSERVER\ldlogon\patch\INTL\Custom\mybatchfile.bat and then calculated hashes - three green ticks.

 

I put the same logic as before for 'detecting the patch' (although I also tried without these entries, no difference).

 

Under patch install commands, I put:

 

Copy a file FROM \\LDSERVER\ldlogon\patch\INTL\Custom\mybatchfile.bat TO c:\Program Files (x86)\LANDesk\LDClient\sdmcache

 

then

 

Execute a file (defaults, i.e. %SDMCACHE%%PATCHFILENAME% )

 

Saved all of that and then right clicked the definition I made and chose 'Repair' to create a repair task. Basically accepted the defaults on here although I chose custom agent settings.

 

According to the documentation, the task should now work but no luck. Any ideas anyone? Anyone have this working?

 

Thanks!
