After deploying an updated agent configuration to some Windows systems, I get the following UAC prompt:

Why is this?  I'm not even sure which logs would help; there's also nothing apparent in Event Viewer.

I thought I would share a Custom Definition I created that identifies Mac OS X systems for which FileVault 2 is NOT enabled. I named it "MAC-FileVault2_Disabled_DetectOnly" for clarity. I chose "Mac OS X" and "Mac OS X Server" as the Affected Platforms. Perhaps I could also use an "Affected Product" to limit the search to OS X "Lion" or later, but as we don't deploy anything older (and LDMS hasn't supported earlier versions for some time now), we're pretty safe to assume that anything out there will have FV2 instead of the original FV.

The single Detection Rule, which I call "FileVault 2 Disabled" is a Custom Script:

#!/bin/bash

#ISMAC=TRUE

#set -x

declare -i detected=0

Reason=[QUOT]FileVault is Off.[QUOT]

Expected=[QUOT]FileVault is On.[QUOT]

Found=[QUOT]Filevault is disabled.[QUOT]

fdesetupstatus=`/usr/bin/fdesetup status`

if [ [QUOT]$fdesetupstatus[QUOT] == [QUOT]$Reason[QUOT] ]; then

  detected=1

fi

echo [QUOT]Detected:$detected[QUOT]

if [ [QUOT]$detected[QUOT] == [QUOT]1[QUOT] ]; then

  echo [QUOT]Reason:$Reason[QUOT]

  echo [QUOT]Expected:$Expected[QUOT]

  echo [QUOT]Found: $Found[QUOT]

fi

exit 0

It's basically just looking at the output of /usr/bin/fdesetup status and if it finds "FileVault is Off.," it reports the vulnerability is detected.

Introduction

As we all know, the latest release of Office from Microsoft comes in 2 flavors. A 'rich client' based installation, which is practically the same as running the Setup as in previous versions, and a Click-to-Run setup. The Click-to-Run version basically downloads stand-alone App-V packages of the applications you want to use from the Office Suite. Easy as this may be (and, depending on your licensing scheme, the only option you may have), this provides a challenge for Patch Management, as LANDESK cannot patch within an App-V package.

This document will describe how to easily still use LANDESK to patch Click-to-Run Office365 installations using all LANDESK intelligence. From now on, the use of Office365 will assume the Click-to-Run version.

Configure your Office365 installation

More information about actually deploying Office365 can be found here. During configuration of Office365 setup you can create a XML file that will change certain settings in your Office365 package to fit your environment. This XML can be created using the Office Deployment Tool for Click-to-Run. In this setup, there are 2 important setting for Patch Management. First off, you can set the Office365 installations to Auto-update. This will prevent that users need to manually check for updates. Second, there is a path where the installed Office365 packages will look when Auto-Update is configured. By default this will point to a share. In a configured XML this will look like this:

In a small environment, you can just point the UpdatePath to the location where LANDESK downloads patches. But, in a larger environment, you don't want all devices to connect to a central share, when you have options like Preferred Servers, Bandwidth Usage or the Cloud Services Appliance you want to use. For this reason, change the UpdatePath setting to: %ProgramFiles%\landesk\ldclient\sdmcache (or whatever the location of your sdmchache is)

Using LANDESK

Ideally you have 1 installed rich Office365 installation (Office Professional Plus 2013), although this is not completely necessary.

First, create a query which checks All Devices for Office365 installed.

You can download the Patch definitions in the normal way. If you have the Office Professional Plus 2013, running the vulscan will detect the definitions you need to deploy on the Click-to-Run devices. If not, you need to have a manual monthly process to select from the definitions last month from the Patch and Compliance screen, Vulnerabilities, View by Product --> Office2013 and/or Office2013x64, download the detected/selected patchcontent from the definitions and wait until all replications to Preferred Servers have completed.

Now we can select all Office365/2013 vulnerabilities from this month and create a Repair Task.

Most important, change the settings in Task Settings, so that the task uses Policy based delivery (so it will also work with devices through the CSA) and uses the Pre-Cache option under the Download options. Don't add any targets automatically to the task. Rename the task to cover the content, like 'Office365 Patches December'. Save and add the query you created as target.

Start the task. When the devices check for Policies, they will start this task and download (with all LANDESK intelligence) the selected patch content to the SDMCACHE on the client. From there, it will be picked up by the auto-update of the Office Setup.

So, to summarize

Change the setup XML to use the UpdatePath setting: %ProgramFiles%\landesk\ldclient\sdmcache

Select all Office2013 vulnerabilities for the selected month

Download all their content

Wait for replication tasks until the content is on all Preferred Servers

Create a repair task with Policy/Pre-cache options configured

Target the query you created which queries Office365 installation

Start the task

The devices check for their policies and download the patches to SDMCACHE

The Auto-Update of Office picks the patches up from the local SDMCACHE folder

Thanks

Many thanks to remon.mulders for his brilliant thoughts on this subject!!

Hi,

I am writing a custom definition to upgrade software but am having issues with power shell running something.  I am getting:

Command Interpreter running

Content filename: 'FsecureUninstall.ps1'

Writing script content to file 'C:\Windows\TEMP\FsecureUninstall.ps1' starting at line 5

Launching external script processor: <powershell.exe>

args: <-executionpolicy bypass C:\Windows\TEMP\FsecureUninstall.ps1>

External timeout: 60

returned: 259

Stdout:

Message returned from repair script was External application 'powershell.exe' returned 259 and provided no message

ERROR(RunVbScript) Failed to run command  - 80004005

DownloadPatch ERROR: Failed to run commands (80004005).

Last status: Failed

The powershell script is very simple:

EXTERNAL APPLICATION

exe=powershell.exe

args=-executionpolicy bypass %filename%

filename=FsecureUninstall.ps1

(Start-Process -FilePath "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\patch\FsecureUninstallTool\UninstallationTool.exe" -ArgumentList "--noreboot --NOGUI" -Wait -Passthru -NoNewWindow)

It works on some hosts but not others.  I can't find anything on the (presumed error code) 259.  Anyone know if this is a LANDesk thing or a powershell thing?

Thanks,

Brad

Applies to LANDESK Management Suite 9.0 SP3, SP4

Issue

• Vulnerabilities keep getting detected on computers and the patch will not install

• Patches are stuck in loop continually trying to install on the clients

• Security Scans (VULSCAN.EXE) takes a long time to run

• How to setup LANDesk to automatically maintain patch content for the Core Server
• How to automate the handling of superseded vulnerabilities

   

Solution

Follow the instructions in the attached document LD90SP3MaintainPatch.

We are moving from Landesk 9.5 to 9.6 SP1.  One of the cool features we liked in 9.5 was the ability to autofix by scope and run a custom scan against a scope with the ability to change the repair options (specifically the snooze and reboot options) to something unique just for that scan.  With the reboot options separated out, it does not appear that I can do that anymore.  Am I missing something or am I back to something like 9.0 push tasks again?

For example, our agent default is 2 hour snooze and 8 hour timeout.  Our initial testing is 30 min snooze and 2 hour timeout. 

Any help is appreciated,

Steve

Hello,

As usual, we had here our monthly 'Post Patch Tuesday' meeting to discuss the new patches released by Microsoft, prior to deploying them using LANDESK Patch & Compliance.

As usual, we had some parties mentioning issues with some of the new patches.  In particular:

• KB2889923  (Lync > Skype for Business)
• KB2889853  (Fix for above)
• KB2990214  (Update for Windows Update "Allows the update to later versions of Windows")

I have been asked to not deploy these patches.  Well, it seems I can't deploy these patches even if I wanted to - the Vulnerabilities haven't been downloaded from LANDESK.

This has happened in previous months also.

My question is:      Why are some patches - which are available in WSUS - not available through LANDESK?  (Is there a criterion that is applied?)

Any info on this would be gratefully received.

Thanks,

I'm wondering how others are putting the Patch and Compliance feature to work in their environment.  We are new to LANDesk and I'm struggling to visualize how best to put it to use.

We have several thousands computers located in multiple offices, in multiple towns spread across out state in two different time zones.  We have tech support teams located in selected geographical areas a handful of towns.  These teams provide support to an entire geographic area in their region.

Currently, to patch products like Flash Player, Reader, etc., we run jobs using a different product.  We very simply use logic in this product such as "If Flash Player exists AND the version is NOT the newest", then install the new Flash player.  Each team is responsible for patching computers in their geographic support area.  They use 'scopes' for the various offices that they support to run these update jobs on.

With LANDesk, it seems to be a more centralized approach for patching.  What I mean is that you do the vulnerability scans on all your computers and there is 'one' master list of all the vulnerabilities found.  Thus, if we were to run a task to patch Flash player, it seems that it would patch all the computers across all support areas.  This in itself isn't necessarily a bad thing, (well for some products), but we don't really have the centralized staff to do all the patching and are wondering how to develop a work flow so each team could continue to patch computers in their own support area.

What I'm kind of stuck on is how to "break out" all the detected computers that need Flash Player updated.  I see you can right click on the vulnerability and select the "Create query for affected computers" for that particular vulnerability, such as Flash Player.  But the query it creates for some reason cannot be edited.  I assume you can create SQL queries in an attempt to 'group' our computers into these "scopes" that we currently use?  And then potentially you can use that query as the group of computers to run the task on?  But this won't work, will it?  If we created a query for all affected computers how do you break that out to run on a 'scope' of comptuers?  Don't we need to edit that query to add additional logic such as 'AND Computer.Name LIKE NY_Computers*"?

I guess I'm wondering what folks general process is and if you have centralized your patching duties or if there is a better solution for our needs. 

I've found something interesting regarding maintenance windows and the regular scheduled vulscan task and how it can, seemingly, blow out a pending continue task for a repair and replace it with a continue task that doesn't seem to do anything.

Here is the scenario:

• Regular scheduled scan set to run once per day and scan all vulnerabilities but not configured to repair.
• High frequency scan set to repair vulnerabilities in a specific custom group, also scheduled to run daily.
• Maintenance window configured for 4 AM - 7 AM.

If the high frequency scan runs after the scheduled scan everything works as expected, all vulnerabilities set to scan are scanned and reported detected as appropriate.  The high frequency scan runs and attempts to repair detected vulnerabilities in specific group however maintenance window prevents actual patch installs and only allows for patch downloads then sets a continue task to defer the repair.  During the maintenance window the continue task fires and patches are installed.

HOWEVER.... if the scheduled scan runs after the high frequency scan the continue task during the maintenance window instead does nothing.  It appears that the scheduled scan is setting a continue task and overwriting the continue task set by the high frequency scan which is causing patches to not install during the maintenance window.

For the moment I've worked around this by setting time restrictions on the two scans so that the repair scan always runs after the regular scan.  The issue I can see with this is that it's very likely this would also impact any scheduled repair tasks from the core that happen to fire after the maintenance window but before the scheduled scan and it doesn't seem like the regular scheduled scan should need to be overwriting the continue task like this since it shouldn't have anything to do during the maintenance window to defer.  This has happened more than once on multiple machines so it doesn't look like a case of the scan wanting to perform a reboot, for example, especially given that the continue task it generates does not reboot or do anything else that would need to run during a maintenance window that I can detect.

DESCRIPTION

     This requires that your Core Server already has Service Pack 1 installed on it

     This guide is only covering one of the methods that will allow us to simply deploy Service Pack 1 for 9.6 agents using Patch Manager and the Autofix option

In order to deploy Service Pack 1 for your clients via Patch Manager, you will have to target the machines that you want to deploy it to, then enable the Autofix for the SP1 definition on a scope based on your query.

VIDEO

HOW TO

Create your Query

In our example, we will create a Query that targets only the machines that have a specific Agent Configuration, then create a Scope based on this Query:

Download the latest definitions

From your Patch and Compliance menu, Download Updates, Updates, and check as described:

Once this is done, we want to put the new definition for SP1 within the following Custom Group: Autofix (one or more scopes)

To do so, go to the View by vendor sub menu, select LD-SP96-SP1 and drag and drop it to Autofix (one or more scopes)

Scan your client machines

Once you have done all of this, you only have to launch a Security Scan on your client machine and wait for the installation to be done. It will require a reboot though.

You can then check if the update has been done properly by looking at the logs or checking the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Patches

Issue and Symptoms

In LANDESK Patch and Compliance, even though all the Microsoft Windows definition types are selected, the hotfixes released from Microsoft are not available, or there are just a limited selection of them, and they must be manually download.

Cause

Microsoft updates offer packages for general distribution release (GDR) as well as QFE (Quick Fix Engineering) also known as hotfixes, for specific issues.

QFE (Quick Fix Engineering) is a group within Microsoft that produces "hotfixes" - code patches for products that are provided to individual customers when they experience critical problems for which no feasible workaround is available.

Hotfixes are not intended for general installation, since they do not undergo extensive beta testing when they are created. Microsoft targets hotfix support toward enterprise-level customers and designs it to provide an extra level of security for mission-critical software systems.

GDRs are tested to a greater degree than LDRs (Limited Distribution Release). LDR, also known as hotfixes or QFEs, are created when a hardware, BIOS or a software issue is identified that needs a fix in a specific and small subset of customer environments.

These fixes have not been tested for the same length of time for regressions or incompatibilities as what a GDR fix typically goes through. Another key point is LDRs generally contain all the prior fixes from both GDR and LDR while GDR releases do not contain LDR fixes.

A hotfix is to fix a specific issue quickly while Microsoft Update GDRs are created to improve everyone's experience.

The reason why the hotfixes listed are manual definitions is that Microsoft doesn't publish them with a freely downloadable url but they have to be manually downloaded following some manual steps:

Why certain vulnerability definitions require the patch to be manually downloaded?

Solution

Create a Custom Definition to scan your clients for the specific hotfix:

How to create a Custom Definition

As an alternative, you can submit a request to LANDESK support to have the content added:

How to request new content be added to Security and Patch Manager

Additional resources

Patch and Compliance content vulnerability definition title suffixes explained

[Microsoft Technet] Best Practices for Applying Service Packs, Hotfixes and Security Patches

[MSDN] What is the difference between general distribution and limited distribution releases?

This last week we stood up our 9.6sp1 test environment and have been putting a few agents out on production endpoints after completing our testing.   The 9.6 environment is working great.  

At the same time we still have the majority of our endpoints on the 9.6sp3 agents.

Both 9.5 and 9.6 are using the same keys and certs.

We are seeing and have been patching endpoints on 9.6 without issue.

In the 9.5 (legacy) system we are not seeing any new vulnerabilities from this last MS patch release.

Is it not possible to run concurrent systems with shared security?

Is there anything I can do to get me through this month's patching without quickly pusing new 9.6 agents to all endpoints?

Description:

How to create a Custom Definition in Security and Patch Manager that will check for the presence of a registry setting and make a change if detected.

Example:

In our example we will be detecting for a registry setting that controls the LANDesk Remote Control security type (HKLM\SOFTWARE\Intel\LANDesk\WUSER32 | Security Type)

1) In the 32 bit console go to Tools | Security | Security and Patch Manager
2) Change the Type drop down menu to Custom Definitions

3) Click the button "Create Custom Definition"

4) Enter a definition ID and Title
5) Click the button labeled Add

6) Click on Affected Platforms and select the operating systems that will be scanned for the definition

7) Under Detection Logic click on Registry Settings and click Add
NOTE: The detection logic will detect vulnerable if the registry setting here is different from what is listed on the machine.
8) Enter registry key information
NOTE: HKLM has already been entered and represents HKEY_Local_Machine. Detection can only take place under HKLM.
9) After entering the registry setting click the button Update to commit the change

10) Click on "Patch Information"
11) Change the drop down to "This issue can be repaired without downloading a patch"

12) Under Detecting the Patch click on Registry Settings and click Add
13) Enter the registry setting that will be changed to so you can detect when the change has occurred on a device (Don't forget to click the button labeled Update when you are finished entering the key)

14) Click on Patch Install Commands
15) Click the button labeled Add
16) Select "Write a value to the registry"
17) Click OK

18) Double click the value column by Key and enter the full key path (ie: HKEY_Local_Machine\System\...)
19) Enter the value name
20) Enter the value data that you want to write

21) Click OK
22) Click OK
23) Run a security\compliance scan on a computer then verify that the detected column has detected that the computer has detected as vulnerable

24) To execute the custom definition and make the change to the registry create a repair task from the custom definition or set the definition to auto-fix

Hi all,

I'm trying to make a simple custom definition - basically it detects the file version of an executable, and if the version is below minimum it is supposed to run a batch file which replaces the exe.

However, I cannot make this work (this is on 9.6 by the way). No matter what I do I just get a Status of 'Failed' and result 'Failed to download all additional files for a package'. There aren't any additional files!

Here's what I did (cribbed from How to Create Custom Definitions in LANDesk® Management Suite 9.0)

Went to Patch and Compliance, switched to Custom Definitions. Added a new one.

In detection rules, added a new rule. Chose affected platforms (Win 7) and used Files as the detection logic. Chose the file and put the minimum version in. This part seems to work fine as I can later make a query for affected computers and see a list.

Next, under Patch Information I selected 'Repairing this issue requires downloading a patch'. I copied my batch file to \\LDSERVER\ldlogon\patch\INTL\Custom\mybatchfile.bat and then calculated hashes - three green ticks.

I put the same logic as before for 'detecting the patch' (although I also tried without these entries, no difference).

Under patch install commands, I put:

Copy a file FROM \\LDSERVER\ldlogon\patch\INTL\Custom\mybatchfile.bat TO c:\Program Files (x86)\LANDesk\LDClient\sdmcache

then

Execute a file (defaults, i.e. %SDMCACHE%%PATCHFILENAME% )

Saved all of that and then right clicked the definition I made and chose 'Repair' to create a repair task. Basically accepted the defaults on here although I chose custom agent settings.

According to the documentation, the task should now work but no luck. Any ideas anyone? Anyone have this working?

Thanks!

Hi,

It seems the detection logic for this patch is off.  When doing a scan of a host vulscan reports that it is not needed:

   Patch is NOT installed

Checking vulnerability MS15-012_MUI_ENU, rule index 2 ('proofloc2010-kb2956073-fullfile-x86-glb-ENU.exe')

Running detection script

created the hlpr instance ok

isInstallable=False

VUL: 'MS15-012_MUI_ENU' (proofloc2010-kb2956073-fullfile-x86-glb.exe) not detected.  Patch proofloc2010-kb2956073-fullfile-x86-glb.exe is not required.

However, doing an MBSA scan says it is needed.  In addition, running the patch manually allows it to be installed.

Thanks,

Brad

Issue:

Gather Historical Information task is failing to run.

Following is in the GatherHistory.Details.Log file in the Managmentsuite\Log folder on the Core Server:

09/18/2014 15:12:18 INFO  13352:SaveTrendInfoForVulnerabilitiesAsync : Critical Exception: System.Data.OleDb.OleDbException (0x80040E31): Query timeout expired   at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)   at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()   at LANDesk.ManagementSuite.Database.Database.ExecuteNonQueryP(String sql, Int32 timeoutSeconds, Object[] parameters)   at LANDesk.ManagementSuite.Database.Database.ExecuteNonQuery(String sql, Int32 timeoutSeconds, ArrayList oleDbParameters)   at LANDesk.ManagementSuite.Database.Database.ExecuteNonQuery(String sql)   at LANDesk.ManagementSuite.PatchBiz.PatchTrend.SaveTrendInfoForVulnerabilities(Int32 removeOldDataDays)   at LANDesk.ManagementSuite.PatchManagement.ProgressForm. € ()   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)   at System.Threading.ThreadHelper.ThreadStart() Stack Trace:    at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)   at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()   at LANDesk.ManagementSuite.Database.Database.ExecuteNonQueryP(String sql, Int32 timeoutSeconds, Object[] parameters)   at LANDesk.ManagementSuite.Database.Database.ExecuteNonQuery(String sql, Int32 timeoutSeconds, ArrayList oleDbParameters)   at LANDesk.ManagementSuite.Database.Database.ExecuteNonQuery(String sql)   at LANDesk.ManagementSuite.PatchBiz.PatchTrend.SaveTrendInfoForVulnerabilities(Int32 removeOldDataDays)   at LANDesk.ManagementSuite.PatchManagement.ProgressForm. € ()   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)   at System.Threading.ThreadHelper.ThreadStart()

Solution:

1. Close the LANDESK Console.

2. Create the "Query Timeout" registry value as a 32-bit DWORD in the following registry key on the Core Server:

HKLM\SOFTWARE\LANDesk\ManagementSuite\WinConsole

Create any registry keys that are missing. Set the value to 10000 decimal.

Issue

While creating a repair task you are getting the error message:

Error: - The statement has been terminated. String or binary data would be truncated.

Cause

The current column length in the LANDESK database is the cause for this behavior.

Resolution

This issue (199611) is addressed in 9.6 SP1.

We are new to LANDesk and are running v9.6 SP1.  We're attempting a fairly simple repair task to update the FileZilla program to the most current.  When running the task, it fails on all 401 computers it is attempting to patch.  The error code being displayed is 412, which I looked for info on it and it simply states "All Patches Failed" and doesn't offer any useful information on why it failed.

This seems to be a simple task to run and I believe we have it setup correctly, but apparently we are missing something.  Are there others out there that have ran into this error 412 and are there some known things to look at to correct this problem?

Patch Manager is not installing 3 Windows patches its detecting needed on multiple workstations. Trying to install them manually gives the message "The update is not applicable to your computer" for all 3 patches on 25% of our PCs.  Why?

Another bug?

windows6.1kb2913751x64.msu

windows6.1kb2984981x64.msu

windows6.1kb2994023x64.msu