Channel: Ivanti User Community : All Content - Patch Manager

Vulscan Return codes


Description

What do the codes returned at the bottom of a vulscan.log mean?  "Exiting with return code 0x8db301b0"

Resolution

0xdb3 and 0x8db3 are the facility codes for the vulscan.exe agent.  If the facility code starts with 8 after the 0x, there was an error.  If it starts with just db3, it is a success code.

 

The final 2 or 3 digits are hex values for the following decimal return codes.

 

| Constant | Decimal return code |
| --- | --- |
| IDS_PATCH_CLIENT_ALREADY_RUNNING | 401 |
| IDS_PATCH_SCAN_ONLY_COMPLETE | 402 |
| IDS_PATCH_SCAN_AND_REPAIR_COMPLETE | 403 |
| IDS_PATCH_CANT_GET_VUL_DATA | 404 |
| IDS_PATCH_NO_PATCHES_AVAILABLE | 405 |
| IDS_PATCH_CANT_RESOLVE_DEVICEID | 406 |
| IDS_PATCH_NOTHING_TO_REMOVE | 407 |
| IDS_PATCH_CANT_GET_REMOVE_INFO | 408 |
| IDS_PATCH_FAILED_DOWNLOAD | 409 |
| IDS_PATCH_COMMANDS_FAILED | 410 |
| IDS_PATCH_REMOVE_SUCCEEDED | 411 |
| IDS_PATCH_ALL_PATCHES_FAILED | 412 |
| IDS_PATCH_SOME_PATCHES_FAILED | 413 |
| IDS_PATCH_ALL_PATCHES_INSTALLED | 414 |
| IDS_PATCH_REMOVE_VULSCAN_SUCCEEDED | 415 |
| IDS_PATCH_REMOVE_VULSCAN_FAILED | 416 |
| IDS_PATCH_INSTALL_VULSCAN_SUCCEEDED | 417 |
| IDS_PATCH_FAILED_TO_ELEV_RIGHTS | 418 |
| IDS_PATCH_INVALID_COMMANDLINE | 419 |
| IDS_PATCH_CLEAR_SCAN_SUCCESSFUL | 420 |
| IDS_PATCH_RESET_SUCCESSFUL | 421 |
| IDS_PATCH_RESET_FAILED | 422 |
| IDS_PATCH_REBOOT_SUCCEEDED | 423 |
| IDS_PATCH_USER_CANCELLED | 424 |
| IDS_PATCH_SCRIPT_INIT_FAILURE | 425 |
| IDS_PATCH_FAILED_REGISTER_MSXML3 | 426 |
| IDS_PATCH_USER_CANCELLED_ACTION | 427 |
| IDS_PATCH_USER_DEFERRED_ACTION | 428 |
| IDS_PATCH_ALL_STAGING_FAILED | 429 |
| IDS_PATCH_SOME_STAGING_FAILED | 430 |
| IDS_PATCH_ALL_PATCHES_STAGED | 431 |
| IDS_PATCH_CANT_GET_AGENT_BEHAVIOR | 432 |
| IDS_PATCH_SEND_RESULTS_FAILED | 433 |
| IDS_PATCH_SPYWARE_INIT_FAILED | 434 |
| IDS_PATCH_USER_CANCELLED_REBOOT | 435 |
| IDS_PATCH_USER_DEFERRED_REBOOT | 436 |
| IDS_PATCH_NOT_REBOOTED_YET | 437 |
| IDS_PATCH_UNKNOWN_PLATFORM | 438 |
| IDS_PATCH_UPDATE_SUCCEEDED | 439 |
| IDS_PATCH_UPDATE_FAILED | 440 |
| IDS_PATCH_CHANGESETTINGS_SUCCEEDED | 441 |
| IDS_PATCH_CANT_GET_AV_BEHAVIOR | 442 |
| IDS_PATCH_CANT_GET_CV_BEHAVIOR | 443 |
| IDS_PATCH_RUN_INVALID_ARGS | 444 |
| IDS_PATCH_RUN_COMPLETED | 445 |
| IDS_PATCH_RUN_FAILED | 446 |
| IDS_PATCH_INSTALL_LDAV_SUCCEEDED | 447 |
| IDS_PATCH_INSTALL_LDAV_FAILED | 448 |
| IDS_PATCH_REMOVE_OLD_AV_SUCCEEDED | 449 |
| IDS_PATCH_REMOVE_OLD_AV_FAILED | 450 |
| IDS_PATCH_CANT_GET_COMPLIANCE_BEHAVIOR | 451 |
| IDS_PATCH_AGENT_NOT_MINIMUM_VER | 452 |
| IDS_PATCH_REMOVE_LDAV_SUCCEEDED | 453 |
| IDS_PATCH_REMOVE_LDAV_FAILED | 454 |
| IDS_PATCH_INSTALL_HIPS_SUCCEEDED | 455 |
| IDS_PATCH_INSTALL_HIPS_FAILED | 456 |
| IDS_PATCH_REMOVE_HIPS_SUCCEEDED | 457 |
| IDS_PATCH_REMOVE_HIPS_FAILED | 458 |
| IDS_PATCH_CANT_GET_HIPS_BEHAVIOR | 459 |
| IDS_PATCH_INCOMPATIBLE_AV | 500 |
| IDS_PATCH_AV_XPSP2_NOT_FOUND | 461 |
| IDS_PATCH_AV_INSTALL_FAILED | 462 |
| IDS_PATCH_CANT_APPLY_FIREWALL_BEHAVIOR | 463 |
| IDS_PATCH_WAITING_FOR_USER_REBOOT | 464 |
| IDS_PATCH_DEFERRED | 465 |
| IDS_PATCH_FAILED_TO_DEFER | 466 |
| IDS_PATCH_NOT_ALL_PATCHES_SCANNED | 467 |
| IDS_PATCH_CANNOT_LOGON_USER | 468 |
| IDS_PATCH_CANT_GET_DCM_BEHAVIOR | 469 |
| IDS_PATCH_CANT_GET_CCM_BEHAVIOR | 470 |
| IDS_PATCH_CANT_GET_LDF_BEHAVIOR | 471 |
| IDS_PATCH_AV_W2K3SP2_NOT_FOUND | 472 |
| IDS_PATCH_INSTALL_LDAV_PENDING | 473 |
| IDS_PATCH_INSTALL_UDINSTALLER_FAILED | 474 |
| IDS_PATCH_REBOOT_COMMAND | 475 |
| IDS_PATCH_CANT_GET_REPLICATION_BEHAVIOR | 476 |
| IDS_PATCH_WAITING_FOR_REBOOT | 477 |
| IDS_PATCH_AV_PLATFORM_NOT_SUPPORTED | 478 |
| IDS_PATCH_AV_CANT_LAUNCH_SETUP | 479 |
| IDS_PATCH_AV_CANT_REMOVE_LEGACYAV | 480 |
| IDS_PATCH_AV_CANT_LAUNCH_UNINSTALL | 481 |
| IDS_PATCH_AV_SETUP_DOES_NOT_EXIST | 482 |
| IDS_PATCH_AV_CANT_CREATE_SETUPINI | 483 |
| IDS_PATCH_AV_KAVSETUP_FAILED | 484 |
| IDS_PATCH_AV_KAVSETUP_ALREADY_INSTALLED | 485 |
| IDS_PATCH_KAV_ALREADY_INSTALLED_REBOOT_PENDING | 486 |
| IDS_PATCH_AV_CANT_REMOVE_OLD_KAV | 487 |
| IDS_PATCH_AV_INSTALL_TASK_PENDING | 488 |
| IDS_PATCH_FAILED_WRITE_FILTER | 489 |
| IDS_PATCH_PREREPAIR_FAILED | 490 |
| IDS_PATCH_NOT_MAINT_WINDOW | 491 |
| IDS_PATCH_APPLY_TRUSTED_FILES_FAILED | 492 |
| IDS_PATCH_BAD_OR_MISSING_POLICY_FILE | 493 |
| IDS_PATCH_FILE_INVALID_HASH | 494 |
| IDS_PATCH_FAILED_APPLY_MAC_POWER | 495 |
| IDS_PATCH_REBOOT_NOT_NEEDED | 496 |
| IDS_PATCH_CANT_REMOVE_AGENT_BEHAVIOR | 497 |
| IDS_PATCH_AV_CANT_INITIALIZE_KES | 498 |
| IDS_PATCH_REBOOT_NOT_ALLOWED | 499 |
| IDS_PATCH_INCOMPATIBLE_AV | 500 |
| IDS_PATCH_REBOOT_IGNORED_WSCFG32 | 502 |

 



Macintosh FileVault 2 detection


I thought I would share a Custom Definition I created that identifies Mac OS X systems for which FileVault 2 is NOT enabled. I named it "MAC-FileVault2_Disabled_DetectOnly" for clarity. I chose "Mac OS X" and "Mac OS X Server" as the Affected Platforms. Perhaps I could also use an "Affected Product" to limit the search to OS X "Lion" or later, but as we don't deploy anything older (and LDMS hasn't supported earlier versions for some time now), we're pretty safe to assume that anything out there will have FV2 instead of the original FV.

 

The single Detection Rule, which I call "FileVault 2 Disabled" is a Custom Script:

 

#!/bin/bash
#ISMAC=TRUE
#set -x

# 1 when fdesetup reports FileVault as off, 0 otherwise
declare -i detected=0
Reason="FileVault is Off."
Expected="FileVault is On."
Found="Filevault is disabled."

# Capture the status text printed by fdesetup
fdesetupstatus=`/usr/bin/fdesetup status`

# Detect only on an exact match with the "off" status text
if [ "$fdesetupstatus" == "$Reason" ]; then
  detected=1
fi

echo "Detected:$detected"

# Print the explanatory fields only when the condition was detected
if [ "$detected" == "1" ]; then
  echo "Reason:$Reason"
  echo "Expected:$Expected"
  echo "Found: $Found"
fi

exit 0

 

It's basically just looking at the output of /usr/bin/fdesetup status and if it finds "FileVault is Off.", it reports the vulnerability is detected.

Internet Explorer 11 via Patch & Compliance


Hey All,

 

Is anyone in the process of rolling out IE11 yet and managed to deploy it via patch and compliance in an efficient way? I'm currently trying to figure out a way to minimise reboots to the end-user.  As it stands there are pre-reqs for IE11 (which I've already deployed to the fleet), then you can send out IE11 itself, then the computer needs to scan again and apply some IE11 patches, then it appears to do another set which had dependencies on the previous patches (all with a reboot in between).

 

My end result is just IE11 with Enterprise mode, so for Win 7 that is IE11 with KB2929437.  I'm attempting to not resort to packaging the rollout as vulscan reboot is much better but it's poor service to deliver a browser that isn't fully functional until another scan occurs, followed by more updates being applied (could be up to 3 days).

 

I already have a couple of ideas, one of which is I'm considering cloning the patch and bundling the two minimum requirements together but thought I'd open the discussion to the community for other opinions.

 

Thanks,

Stewart

Troubleshooting Patch Reboot Issue


Recently I had a problem with a client not complying with the reboot settings that it was supposed to be getting.  I called LANDesk Support and we started digging through the vulscan and ldreboot logs in the c:\programdata\LANDesk\Log folder.  It appeared to be using the correct reboot settings according to the log.  We decided to run vulscan.exe /reset from the command prompt.  This cleared the agent settings xml files.  I ran a security scan and the computer pulled the correct agent setting files from the core.  I verified this by checking the sdmcache and they were there.  We double checked that the settings were there by running a reboot repair and selecting "Act as if reboot is always needed."

 

I will be setting up a task to reset the settings in vulscan and a task to test the reboot settings in case this issue comes up again.

 

Thank You LANDesk support for your help.

Lenovo Driver Updates


I am looking at scanning machines for driver updates in LANDesk so if we run into a situation where we need to update one we can create a task and push that driver out on an as needed basis.  Within Patch and Compliance I downloaded the definitions for "Lenovo Think Client Driver Updates" but it appears that the newest definitions are from 8/25/14.  Did something change to where LANDesk is no longer supplying Lenovo Driver updates or could I be missing something?

 

We are running LANDesk 9.6 SP1.

Error: "No uninstall instructions. Patch is not installed." when uninstalling a patch


Issue

 

When attempting to uninstall a patch through LDMS, the task fails with error:

Return Code: 407

Result: No uninstall instructions. Patch is not installed.

1-scheduledtask error.png

 

Cause

 

LDMS does not recognize this particular patch as being installed on the client.

 

  • The specific patch is not installed.
  • The patch is installed, but LANDESK does not have an inventory record of it.

 

Resolution

 

The patch must be listed as Installed for the client, in order to try and Uninstall it.

  • Right click the device that is failing, and choose Security and Patch Information

 

security and patch info.png

 

  • In the Security and Patch Information window click Installed Patches
    • If the patch is not listed within Installed patches, vulscan will not attempt to uninstall the patch on the client.

 

agent installed patches empty.png

 

Vulscan.log will show the patch list being downloaded for the client, and indicate an uninstall is not necessary.

Thu, 30 Apr 2015 12:48:10 Removing patch: windows8.1-kb3045999-x64.msu

Thu, 30 Apr 2015 12:48:10 Getting list of patches

Thu, 30 Apr 2015 12:48:11 Last status: Done.  No uninstall needed

 

Verify the patch is installed on the Client

  • Open add/remove programs, click View installed updates

 

view installed updates.png

 

  • Verify the patch is listed as installed.

 

2-patch installed view on client.png

 

  • If the patch is not listed as installed, it will not be found as Installed on the client by LDMS.
  • If the patch is on the client, but not within LDMS, vulscan needs to scan the machine for the specific vulnerability
    • Run a Security and Patch scan against the client that includes the specific vulnerability.
    • Vulscan.log will indicate it has been found as installed

Thu, 30 Apr 2015 12:52:08 Checking vulnerability MS15-038_MSU, rule index 10 ('windows8.1-kb3045999-x64.MSU')

Thu, 30 Apr 2015 12:52:08 Running detection script

Thu, 30 Apr 2015 12:52:09 The patch already installed, exit the Scan process.

 

 

  • After vulscan detects the patch as installed, verify the Security and Patch Information shows the patch as installed.

 

inventory patch is installed.png

 

  • If Security and Patch Information lists the patch as Installed, but the error persists, verify the patch scheduled to be uninstalled matches the patch listed in Security and Patch Information.
    • Example: Windows8.1-kb3045999-x64.msu is listed as installed. Scheduling removal of Windows6.0-kb3045999-x64.msu will cause the failure.

vulscan.exe is Causing UAC Prompt after Login


After deploying an updated agent configuration to some Windows systems, I get the following UAC prompt:

 

vulscan uac prompt.png

 

Why is this?  I'm not even sure which logs would help; there's also nothing apparent in Event Viewer.

Publishing date wrong for new Adobe Acrobat Reader DC Patches?


Powershell in custom definition


Hi,

 

I am writing a custom definition to upgrade software but am having issues with PowerShell running something.  I am getting:

Command Interpreter running

Content filename: 'FsecureUninstall.ps1'

Writing script content to file 'C:\Windows\TEMP\FsecureUninstall.ps1' starting at line 5

Launching external script processor: <powershell.exe>

args: <-executionpolicy bypass C:\Windows\TEMP\FsecureUninstall.ps1>

External timeout: 60

returned: 259

Stdout:

 

Message returned from repair script was External application 'powershell.exe' returned 259 and provided no message

ERROR(RunVbScript) Failed to run command  - 80004005

DownloadPatch ERROR: Failed to run commands (80004005).

Last status: Failed

 

The powershell script is very simple:

EXTERNAL APPLICATION

exe=powershell.exe

args=-executionpolicy bypass %filename%

filename=FsecureUninstall.ps1

 

(Start-Process -FilePath "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\patch\FsecureUninstallTool\UninstallationTool.exe" -ArgumentList "--noreboot --NOGUI" -Wait -Passthru -NoNewWindow)

 

It works on some hosts but not others.  I can't find anything on the (presumed error code) 259.  Anyone know if this is a LANDesk thing or a powershell thing?

 

Thanks,

Brad

Missing Adobe Acrobat Reader patch version 11.0.11


Hello,

 

The last published Adobe patch definition was LANDESK Patch News Bulletin: Adobe has Released one Update Reader MUI Version 11.0.10 10-DEC-2014

 

I found this information LANDESK Patch News Bulletin: Adobe has Released Acrobat Reader DC for Windows 07-MAY-2015 only.

(The patch definition contains a little publishing date bug, see my question about Publishing date wrong for new Adobe Acrobat Reader DC Patches?)

 

If you try to update Adobe Reader 11.0.10 manually, it'll download patch 11.0.11!

AdobeReader11011.JPG

On Adobe FTP site, you will find version 11.0.11 from 08 May 2015... ftp://ftp.adobe.com/pub/adobe/reader/win/11.x/11.0.11/misc/  too!

 

| Name | Size | Date |
| --- | --- | --- |
| AdbeRdrUpd11011.msp | 44.5 MB | 08.05.15, 12:19:00 |
| AdbeRdrUpd11011_MUI.msp | 36.9 MB | 08.05.15, 12:19:00 |
| AdbeRdrUpd11011_MUI_incr.msp | 7.6 MB | 08.05.15, 12:19:00 |
| AdbeRdrUpd11011_incr.msp | 14.1 MB | 08.05.15, 12:19:00 |

 

Will this patch be published by LANDesk too? Publishing Adobe Acrobat Reader DC is NO alternative in our environment for the next time!

 

BR

Axel

How to manage superceded patches in Security and Compliance Manager


 

What is Patch Supercedence?

 

Patch supercedence is when a newer patch completely replaces an older patch.  It is usually the best practice to only apply the latest patches rather than all of the patches.  This is mostly due to the time needed to scan for older patches, install, reboot, and re-scan if you were to install all the patches.

 

Why scanning only for the latest patches is a good thing

 

It is much quicker and easier to only apply the latest patch that will contain all the fixes in the replaced patches.  In tests, disabling replaced rules has cut the scan time in half.  Another benefit is that you will have fewer patch install failures if you only install the latest patch.  Many Microsoft patches will fail to install if there has been a newer patch installed.

 

Viewing replaced patch definition rules

To view which patches have been replaced or replace other patches:

  • In the LDMS Console go to Tools - Security and Compliance - Patch and Compliance
  • Expand Scan
  • Click on Replaced

2014-07-26 10_40_12-blah-96 - VMware Workstation.png

The Replaced group shows patches that have been replaced by a newer patch.

You will see which patch replaces it by looking at the "Replaced by" column.

It is also possible that the replaced patch itself had replaced a previous patch.  You will see that by looking at the "Replaces" column.

For example, in the above screenshot the patch 2661254v2 replaces patch 2661254 and all of its rules are replaced by MS13-095.

 

You can move all of these rules to the "Do Not Scan" group and this would be as effective as disabling the individual rules inside these patch definitions.

 

Partial Replaced patch definition rules

It's also possible that only some of the rules in a definition have been replaced.

2014-07-26 10_52_36-blah-96 - VMware Workstation.png

To view the partially replaced patches, click on the "Partially replaced" group

In the above screenshot you will see that the "Replaced by" column now says "Some:" instead of "All".  This indicates that only some of the rules in the definition have been replaced.

 

Viewing rules inside a patch definition

If we double-click MS14-035 it will open and we can view the rules inside the patch definition.

2014-07-26 11_10_13-blah-96 - VMware Workstation.png

Here we can see that three rules have not been replaced and six rules have been replaced by MS14-037.

Until all the rules are replaced it would be best to leave the patch definition for MS14-035 in the scan group.

 

Manually Disabling replaced rules

There are two ways to manually disable replaced rules.

First, you can open a definition and right-click on the replaced rule and disable it.

2014-07-26 11_17_16-blah-96 - VMware Workstation.png

Right-click on the replaced rule and click "Disable Scan"

This will change the icon on the rule to show a red cross.

2014-07-26 11_19_25-blah-96 - VMware Workstation.png

You can also multi-select the rules and disable them all at once.

 

Using the Disable replaced rules tool

The other way to manually disable rules is to use the Disable replaced rules tool.

Click on the icon highlighted in red.

2014-07-26 11_22_51-blah-96 - VMware Workstation.png

This brings up the Disable replaced rules tool as seen in the above screenshot on the right.

You can either select patch definitions or have the tool run against all rules.

 

Video: How to use the Disable Replaced Rules tool in Security and Compliance Manager

 

Automatically disabling replaced rules

It is also possible to disable all replaced rules when a new patch definition is downloaded.

Click on the Download Updates icon from the Patch and Compliance toolbar.

2014-07-26 11_28_57-blah-96 - VMware Workstation.png

 

From the Download updates tool, click the "Definition group settings" button.

2014-07-26 11_30_29-blah-96 - VMware Workstation.png

This will open up the Definition group settings tool.

Click on New.

2014-07-26 11_36_02-blah-96 - VMware Workstation.png

Set the Definition Type to Vulnerabilities

Set Severity to Any

Leave Comparison at None

Under Action, check Set status to Scan

Check "Disable any rules this definition replaces"

Click OK.

 

This rule will cause any replaced rules to be disabled when their replacement is downloaded.  This way the replaced rules are automatically handled and only the latest patch definitions are used.

When converting to Patch Management, what to do with WU settings?


I'm converting us from WSUS to LDMS Patch Management. I've read all about best practices and we've been patching for a few months now but I want to get more aggressive with the move to PM. How have you handled 'turning off' WSUS?

 

Concerns:

  • We can't just shut off the WSUS server, we do still use it for XP patching.
  • I don't want users to be able to update their own machines through Windows Updates.

 

Here's what we've done so far. Two different GPOs

  • GPO that sets WSUS location for computers currently points to local WSUS and "Turns off access to all Windows Updates features"
  • GPO that 'turns off' WSUS. "Turns off access to all Windows Update features", "Configure Automatic Updates" is disabled, and on the user side "Remove access to use all Windows Update features"

 

 

Any cautions or advice?

How to troubleshoot IIS using Log Parser Studio from Microsoft


Issue

 

IIS is either not functioning or running slow.

 

Cause

 

Several situations can be the cause.  Typically traffic to the WSVulnerability web service is the culprit.

Try browsing from a client to http://yourcoreservername/wsvulnerabilitycore/vulcore.asmx

 

  • Database is not keeping up with requests.
  • Core server is overwhelmed due to excessive traffic often caused by too many various tasks being run at once.
    • Check the schedule for Inventory, Security and Patch Scan, Frequent Security and Patch Scan, Etc.
  • An errant client or clients are spamming the core with information.  The VDIR hits by IP query in Log Parser can be quite helpful to identify any outliers that are causing high IIS traffic.

 

Resolution

 

Look in Task Manager on the Core Server to see which W3WP process(es) are causing high CPU and/or memory usage.  Turn on the "Command Line" column in Task Manager by right-clicking a column header and selecting "Select columns".

 

Troubleshoot with the following links:

 

Download Log Parser from Microsoft and Log Parser Studio.

 

Log Parser comes with an installer.

Log Parser Studio only needs to be unzipped to a directory.  I suggest you pin LPS.EXE to your taskbar and use it for regular IIS troubleshooting.

 

There are a series of IIS queries that can be quite helpful.

 

How to Analyze IIS logs using Log Parser and Log Parser Studio

 

Turn off friendly error messages in Internet Options if using Internet Explorer and browsing to the core.   This will give the HTTP error code you may be experiencing.
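
The "hits by IP" count described under Cause can also be reproduced offline from a copy of the IIS log. The following is an added example, not the Log Parser Studio query and not LANDESK code: it assumes IIS W3C extended logs with a #Fields header, the log lines are constructed, and the function names and the "3x the median" outlier threshold are choices made for this illustration.

```python
from collections import Counter
from statistics import median

# Constructed sample in IIS W3C extended format (not from a real core server).
_FIELDS = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
           "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
           "sc-win32-status time-taken")


def _row(sec, stem, ip):
    """Build one constructed log line for the sample."""
    return f"2015-05-12 09:00:{sec:02d} 10.0.0.5 POST {stem} - 80 - {ip} - 200 0 0 312"


VULCORE = "/WSVulnerabilityCore/VulCore.asmx"
SAMPLE_IIS_LOG = [
    "#Software: Microsoft Internet Information Services 8.5",
    _FIELDS,
    _row(1, VULCORE, "10.0.1.21"),
    _row(2, VULCORE, "10.0.1.22"),
    _row(3, VULCORE, "10.0.1.23"),
    _row(4, "/ldlogon/patch/example.msu", "10.0.1.50"),  # other vdir, ignored
    "truncated line that does not match the field list",
] + [_row(10 + i, VULCORE, "10.0.1.99") for i in range(6)]  # one noisy client


def vdir_hits_by_ip(lines, vdir="/wsvulnerabilitycore"):
    """Count requests per client IP for one virtual directory."""
    fields = []
    hits = Counter()
    prefix = vdir.lower().rstrip("/")
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # IIS can re-emit #Fields mid-file (for example after a restart).
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed line, or data before any #Fields header
        row = dict(zip(fields, cols))
        stem = row.get("cs-uri-stem", "").lower()
        if stem == prefix or stem.startswith(prefix + "/"):
            hits[row.get("c-ip", "unknown")] += 1
    return hits


def outliers(hits, factor=3):
    """Return client IPs whose hit count exceeds factor x the median count."""
    if not hits:
        return []
    typical = median(hits.values())
    return sorted(ip for ip, count in hits.items() if count > factor * typical)


if __name__ == "__main__":
    counts = vdir_hits_by_ip(SAMPLE_IIS_LOG)
    for ip, count in counts.most_common():
        print(f"{ip:15} {count}")
    print("outliers:", outliers(counts))
```
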

How To: Create a Pre-Cached Repair / Staged Repair


Environment:

LDMS 9.6+

 

How to:

Before LDMS 9.6, you would create a staged repair when creating the repair task by checking a specific box.  In 9.6 this is slightly changed and requires a few additional steps.

 

Step by Step:


1) Begin by creating a repair task.  In the task settings section, make sure "Pre-cache" is selected (instead of "Download and execute").  This task, when run, will load the patch into the sdmcache of the client but not run the patch.

 

2014-11-17 13_11_04-dl-lab2 - Remote Desktop Connection.png

2) Create another repair task using the same group of patches.  This time, leave "Download and execute" selected.  This task, when run, will run the patches already loaded into the sdmcache of the client.  If any downloads were missed in the first patch, an attempt to re-download them will be made.

 

2014-11-17 13_22_38-dl-lab2 - Remote Desktop Connection.png

3) Schedule both tasks ensuring the first task to run is the "Pre-cache" task.

Red hat 6 patching


Dears,

I have discovered that the Red Hat patch download has to be done manually and copied to the patch folder. I haven't tested it yet, just read about it.

Now, is there any workaround to let LANDesk do this task instead of having to keep downloading the patches to the patch folder and importing the Red Hat license or certs?

 



About LANDESK Patch Manager and Antivirus return codes


Description


What do the codes returned at the bottom of a Security and compliance scan log (vulscan.log) or in the Scheduled Task results mean?

 

Resolution

 

You can translate the error codes by finding out where the code originates from.  The rightmost 16 bits of the error value (the low word) contains the error code; the leftmost 16 bits (the high word) are commonly used to indicate the component generating the error.

 

We will use "Exiting with return code 0x8db301b0" as an example.  In this case, 0x8db3 indicates Vulscan as the source, and 01b0 translates to "432".

 

0xdb3 or 0x8db3 denote a LANDESK Patch Manager facility code.  These can relate to any of the tasks that Vulscan performs, and also relate to results from LANDESK Antivirus or LANDESK Endpoint Security.

 

0xdb0 and 0x8db0 are LANDESK Antivirus return codes

 

Codes that start with a different 4-5 digit prefix are going to be from another area of the product, another product, or will be direct Windows error codes.  Codes starting with "C0000..." are typically Microsoft.

 

0xdb3xxxx = Informational or Status

0x8db3xxxx = Error occurred

0xdb0xxxx = Antivirus informational or status

0x8db0xxxx = Antivirus Error

 

To reach the decimal numeric return code to compare to the table below you can use the Windows Calculator in "Programmer" mode by doing the following steps:

  1. Open Calc.exe
  2. Go to View - Programmer (or just hit Alt-3 to go to programmer mode).
  3. On the left side click the Hex radio button and enter the right-hand "low word" value (the hex entry after 0xdb3 or 0x8db3, ignoring the leading zero, so you will have 3 digits, in this example "1b0"), then click the Dec radio button to switch to decimal.  This will give the 4xx or 5xx resulting error code.

 

An alternative is to use an Online Hex to Decimal Converter.

 

Community Articles with details and troubleshooting steps regarding these possible error codes will continue to be created.

 

MessageErrorDecHex
PATCH_VULSCAN_MUST_SELF_UPDATEThe scan attempt triggered a self-update.  Please scan again.11876
PATCH_SPYWARE_INIT_FAILEDAgent failed to self-update.  See log for details.
PATCH_CLIENT_ALREADY_RUNNINGFailed: Another instance of the agent is running401191
PATCH_SCAN_ONLY_COMPLETEScan complete402192
PATCH_SCAN_AND_REPAIR_COMPLETEScan (with autofix) complete403193
PATCH_CANT_GET_VUL_DATAUnable to get vulnerability definitions from core404194
PATCH_NO_PATCHES_AVAILABLENo patches available405195
PATCH_CANT_RESOLVE_DEVICEIDNode's reported device ID is not in the database406196
PATCH_NOTHING_TO_REMOVENo uninstall instructions.  Patch is not installed407197
PATCH_CANT_GET_REMOVE_INFOUnable to obtain patch uninstall information408198
PATCH_FAILED_DOWNLOADAgent failed to download patch409199
PATCH_COMMANDS_FAILEDError running patch (or running commands)41019A
PATCH_REMOVE_SUCCEEDEDPatch uninstall succeeded41119B
PATCH_ALL_PATCHES_FAILEDAll patches failed41219C
PATCH_SOME_PATCHES_FAILEDOne or more patches failed41319D
PATCH_ALL_PATCHES_INSTALLEDAll patches installed successfully41419E
PATCH_REMOVE_VULSCAN_SUCCEEDEDAgent successfully removed41519F
PATCH_REMOVE_VULSCAN_FAILEDAgent removal failed to clear data at core4161A0
PATCH_INSTALL_VULSCAN_SUCCEEDEDAgent successfully installed4171A1
PATCH_FAILED_TO_ELEV_RIGHTSAgent failed insufficient rights4181A2
PATCH_INVALID_COMMANDLINEAgent failed, invalid commandline4191A3
PATCH_CLEAR_SCAN_SUCCESSFULClear scan status succeeded4201A4
PATCH_RESET_SUCCESSFULReset succeeded4211A5
PATCH_RESET_FAILEDReset vulnerability cache failed4221A6
PATCH_REBOOT_SUCCEEDEDReboot Succeeded4231A7
PATCH_USER_CANCELLEDAgent canceled by user4241A8
PATCH_SCRIPT_INIT_FAILUREAgent failed to initializing scripting engine4251A9
PATCH_FAILED_REGISTER_MSXML3Agent failed to verify MSXML3.DLL is functioning properly4261AA
PATCH_USER_CANCELLED_ACTIONThe end user canceled the Patch Management operation4271AB
PATCH_USER_DEFERRED_ACTIONThe end user deferred the Patch Management operation4281AC
PATCH_ALL_STAGING_FAILEDAll patch downloads failed4291AD
PATCH_SOME_STAGING_FAILEDOne or more patch downloads failed4301AE
PATCH_ALL_PATCHES_STAGEDAll patches downloaded successfully4311AF
PATCH_CANT_GET_AGENT_BEHAVIORUnable to get or apply agent settings4321B0
PATCH_SEND_RESULTS_FAILEDServer busy, unable to complete request4331B1
PATCH_SPYWARE_INIT_FAILEDAgent failed to self-update.  See log for details.4341B2
PATCH_USER_CANCELLED_REBOOTThe end user canceled the reboot operation4351B3
PATCH_USER_DEFERRED_REBOOTThe end user deferred the reboot operation4361B4
PATCH_NOT_REBOOTED_YETCannot complete the requested action. The device must be rebooted first4371B5
PATCH_UNKNOWN_PLATFORMUnrecognized platform.  Please update your scanning agent4381B6
PATCH_UPDATE_SUCCEEDEDUpdate succeeded4391B7
PATCH_UPDATE_FAILEDUpdate failed4401B8
PATCH_CHANGESETTINGS_SUCCEEDEDChange settings succeeded4411B9
PATCH_CANT_GET_AV_BEHAVIORUnable to get antivirus settings from core4421BA
PATCH_CANT_GET_CV_BEHAVIORUnable to get custom variable overrides from core4431BB
PATCH_RUN_INVALID_ARGSArguments for run request were malformed4441BC
PATCH_RUN_COMPLETEDRun request completed successfully4451BD
PATCH_RUN_FAILEDRun request failed4461BE
PATCH_INSTALL_LDAV_SUCCEEDEDInstalled LANDESK Antivirus4471BF
PATCH_INSTALL_LDAV_FAILEDFailed to install LANDESK Antivirus4481C0
PATCH_REMOVE_OLD_AV_SUCCEEDEDRemoved existing antivirus solution4491C1
PATCH_REMOVE_OLD_AV_FAILEDFailed to remove existing antivirus solution4501C2
PATCH_CANT_GET_COMPLIANCE_BEHAVIORUnable to get compliance settings from core4511C3
PATCH_AGENT_NOT_MINIMUM_VERLANDESK agent is not up to date4521C4
PATCH_REMOVE_LDAV_SUCCEEDEDRemoved LANDESK Antivirus4531C5
PATCH_REMOVE_LDAV_FAILEDFailed to remove LANDESK Antivirus4541C6
PATCH_INSTALL_HIPS_SUCCEEDEDInstalled Endpoint Security4551C7
PATCH_INSTALL_HIPS_FAILEDFailed to install Endpoint Security4561C8
PATCH_REMOVE_HIPS_SUCCEEDEDRemoved Endpoint Security4571C9
PATCH_REMOVE_HIPS_FAILEDFailed to remove Endpoint Security4581CA
PATCH_CANT_GET_HIPS_BEHAVIORUnable to get HIPS configuration from core4591CB
PATCH_INCOMPATIBLE_AVFailed: Incompatible antivirus product found5001F4
PATCH_AV_XPSP2_NOT_FOUNDFailed to install LANDESK Antivirus.  XPSP2 must first be installed4611CD
PATCH_AV_INSTALL_FAILEDFailed to install LANDESK Antivirus.  See log for details4621CE
PATCH_CANT_APPLY_FIREWALL_BEHAVIORFailed to apply firewall settings4631CF
PATCH_WAITING_FOR_USER_REBOOTTask requires a reboot.  Waiting for user response4641D0
PATCH_DEFERREDRepair action was deferred4651D1
PATCH_FAILED_TO_DEFERFailed to schedule deferred repair4661D2
PATCH_NOT_ALL_PATCHES_SCANNED | One or more definitions in repair request have not yet been scanned | 467 | 1D3
PATCH_CANNOT_LOGON_USER | Attempt to logon as specified user failed | 468 | 1D4
PATCH_CANT_GET_DCM_BEHAVIOR | Unable to get Device control settings from core | 469 | 1D5
PATCH_CANT_GET_CCM_BEHAVIOR | #N/A | 470 | 1D6
PATCH_CANT_GET_LDF_BEHAVIOR | Unable to get LANDESK Firewall settings from core | 471 | 1D7
PATCH_AV_W2K3SP2_NOT_FOUND | Failed to install LANDESK Antivirus. Windows 2003 Server with SP2 must first be installed. | 472 | 1D8
PATCH_INSTALL_LDAV_PENDING | Install LANDESK Antivirus pending | 473 | 1D9
PATCH_INSTALL_UDINSTALLER_FAILED | Install LANDESK Antivirus driver failed | 474 | 1DA
PATCH_REBOOT_COMMAND | Reboot request acknowledged | 475 | 1DB
PATCH_CANT_GET_REPLICATION_BEHAVIOR | Unable to get content replication settings from core | 476 | 1DC
PATCH_WAITING_FOR_REBOOT | Client reboot required for task completion | 477 | 1DD
PATCH_AV_PLATFORM_NOT_SUPPORTED | #N/A | 478 | 1DE
PATCH_AV_CANT_LAUNCH_SETUP | #N/A | 479 | 1DF
PATCH_AV_CANT_REMOVE_LEGACYAV | #N/A | 480 | 1E0
PATCH_AV_CANT_LAUNCH_UNINSTALL | #N/A | 481 | 1E1
PATCH_AV_SETUP_DOES_NOT_EXIST | #N/A | 482 | 1E2
PATCH_AV_CANT_CREATE_SETUPINI | #N/A | 483 | 1E3
PATCH_AV_KAVSETUP_FAILED | #N/A | 484 | 1E4
PATCH_AV_KAVSETUP_ALREADY_INSTALLED | #N/A | 485 | 1E5
PATCH_KAV_ALREADY_INSTALLED_REBOOT_PENDING | #N/A | 486 | 1E6
PATCH_AV_CANT_REMOVE_OLD_KAV | #N/A | 487 | 1E7
PATCH_AV_INSTALL_TASK_PENDING | Installing LANDESK Antivirus | 488 | 1E8
PATCH_FAILED_WRITE_FILTER | Failed: Embedded OS write filter is active | 489 | 1E9
PATCH_PREREPAIR_FAILED | Failed: Pre-install/uninstall script returned failure | 490 | 1EA
PATCH_NOT_MAINT_WINDOW | Some/all actions have been deferred until the next maintenance window | 491 | 1EB
PATCH_APPLY_TRUSTED_FILES_FAILED | Failed to apply some or all trusted file information | 492 | 1EC
PATCH_BAD_OR_MISSING_POLICY_FILE | #N/A | 493 | 1ED
PATCH_FILE_INVALID_HASH | Downloaded file doesn't match specified hash | 494 | 1EE
PATCH_FAILED_APPLY_MAC_POWER | Failed to change power settings | 495 | 1EF
PATCH_REBOOT_NOT_NEEDED | Reboot was not needed or not allowed | 496 | 1F0
PATCH_CANT_REMOVE_AGENT_BEHAVIOR | Unable to remove agent settings | 497 | 1F1
PATCH_AV_CANT_INITIALIZE_KES | LANDESK Antivirus service failed to initialize. | 498 | 1F2
PATCH_REBOOT_NOT_ALLOWED | Reboot not allowed | 499 | 1F3
PATCH_INCOMPATIBLE_AV | Failed: Incompatible antivirus product found | 500 | 1F4
PATCH_REBOOT_IGNORED_WSCFG32 | Reboot ignored. WSCFG32 is running. | 502 | 1F6
PATCH_CONFIG_SUCCEEDED | #N/A | 503 | 1F7
PATCH_BAD_OR MISSING_CONFIG_FILE | #N/A | 504 | 1F8
PATCH_FAILED_TO_SETUP_PREFS | #N/A | 505 | 1F9
PATCH_AV_KES_NOT_INSTALLED | Kaspersky Endpoint Security not installed | 506 | 1FA
PATCH_AV_KES_SERVICE_NOT RUNNING | #N/A | 507 | 1FB
PATCH_AV_LDAV_SERVICE_NOT_RUNNING | LANDESK Antivirus service not running | 508 | 1FC
PATCH_AV_KES_LICENSE_NOT_ACTIVATED | LANDESK Antivirus license not activated | 509 | 1FD
PATCH_AV_PATTERN_FILES_OUT_OF_DATE | LANDESK Antivirus pattern files out-of-date | 510 | 1FE
PATCH_AV_SETTINGS_NOT_APPLIED | #N/A | 511 | 1FF
PATCH_AV_SETTING_APPLIED | LANDESK Antivirus settings applied | 512 | 200
PATCH_CANT_APPLY_DLL | Can't load 'additional behavior' applier dll | 513 | 201
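
The decoding rule stated at the top of this article (0xdb3 means success, 0x8db3 means error, the low digits are the decimal code in hex) applied to a few rows of the table, as an added Python example that is not Ivanti's code. The `ESCALATE` set, the status labels and the sample log lines are assumptions of this example.

```python
import re

# Rows copied from this page: decimal code -> name (432 is from the list at the top).
CODES = {
    432: "IDS_PATCH_CANT_GET_AGENT_BEHAVIOR",
    467: "PATCH_NOT_ALL_PATCHES_SCANNED",
    477: "PATCH_WAITING_FOR_REBOOT",
    489: "PATCH_FAILED_WRITE_FILTER",
    494: "PATCH_FILE_INVALID_HASH",
    512: "PATCH_AV_SETTING_APPLIED",
}
# Assumption of this example (not from the page): a hash mismatch on a
# downloaded patch is worth a human look even if other codes are routine.
ESCALATE = {494}
SUCCESS_FACILITY, ERROR_FACILITY = 0x0DB3, 0x8DB3
EXIT_RE = re.compile(r"Exiting with return code 0x([0-9a-fA-F]{1,8})\b")

def decode(value):
    """Split a return code into (is_error, decimal_code, name)."""
    facility, code = value >> 16, value & 0xFFFF
    if facility not in (SUCCESS_FACILITY, ERROR_FACILITY):
        raise ValueError(f"0x{value:08x} lacks the vulscan facility code")
    return facility == ERROR_FACILITY, code, CODES.get(code, "UNKNOWN")

def triage(log_text):
    """Return (raw, code, name, status) for every exit line in a vulscan.log."""
    findings = []
    for match in EXIT_RE.finditer(log_text):
        raw = "0x" + match.group(1).lower()
        try:
            is_error, code, name = decode(int(match.group(1), 16))
        except ValueError:
            findings.append((raw, None, None, "not-vulscan"))
            continue
        if code in ESCALATE:
            status = "escalate"
        else:
            status = "error" if is_error else "ok"
        findings.append((raw, code, name, status))
    return findings

# Constructed sample lines; 0x8db301b0 is the page's own example value.
SAMPLE_LOG = """\
Exiting with return code 0x8db301b0
Exiting with return code 0xdb301dd
Exiting with return code 0x8db301ee
Exiting with return code 0x00000005
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
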

How to establish a Patch and Compliance Baseline Patch Group


This document assumes that you are getting started with patching, or that you are redesigning your patch processes at a high level. Before applying any patches, familiarize yourself with the LANDESK patching process and capabilities. Here are several related documents to help you get started:

  • LANDESK Management Suite 9.5 patch & compliance documentation
  • LANDESK Management Suite 9.6 patch & compliance documentation
  • Patch Manager - Strategic and Tactical Implementation Guide


Because requirements and computing environments vary, your patching process needs to be tailored to your own environment. This document provides a general guideline for setting up baseline patching; your individual needs may vary.


A baseline patch group will include minimal patch definitions that apply to computers and applications in your environment.  By design it applies to newly imaged computers containing your baseline production applications and serves to bring them up to a minimal standard of compliance before being released to your production environment.  Patches in this group are tested against baseline computers in your environment and are known to be safe to apply without unintended consequences.  

Here are the steps to get started:

  • Build baseline computers with your standard OS image and all production applications installed. You should have baseline computers for all your major OS versions. These can be virtual machines, or physical.
  • Download all applicable patch content and move all definitions to the scan folder. Ensure autofix, do not scan, and unassigned folders are empty. Create a custom group for Baseline Patch Definitions.
  • Run a security scan on your baseline computers. This will detect what patches are required for these computers and applications but will not install any patches.
  • Once the scan has completed, view the Security and Patch Information for your baseline computers. Select every definition in "All Detected" and drag it to your Baseline Patch Definitions custom group.
  • Look through this group and remove definitions (if any) which you know will break things in your environment. You can search by vendor, or any other column that is useful. Move any bad definitions to Do Not Scan and delete them from your custom group.
  • Determine whether to apply patches for vendor products such as Adobe, Firefox, Chrome etc.  Move definitions which you will not apply to Do Not Scan and delete them from your custom group.
  • Look at all patches marked "Manual" and determine if they are needed in your environment. If so, manually download the patches from the vendor. If not, move to Do Not Scan and delete the definition from your custom group.
  • Right-click the Baseline Patch Definitions group and select Repair. Create a repair task for this custom group, ensuring you have downloaded all patch files as needed, including manual patches that you want to apply.
  • Run this task on your baseline computers using Agent Settings that allow reboot.  This will take some time and possibly several reboots as several hundred patches will likely be installed.
  • Investigate and remediate any failed patches, and ensure that no patches have caused unintended consequences for your baseline machines. Ensure none of your production applications have broken due to patches.  Move on only after you have validated that all patches are safe for your baseline computers.
  • Move all definitions in your Scan folder back into the unassigned folder. Then, click on your Baseline Patch Definitions group, select all definitions and move them back to the scan folder. This ensures you are only scanning against definitions that you have tested and which are needed to establish your baseline (so far).
  • In the Download Updates window, check the box to "Put new definitions in 'unassigned' group" so that newly downloaded patches are not automatically set to scan.  You may change this later as you design and implement your continuing patch processes.


Your Baseline Patch Definition group is now complete and you are prepared to start baseline patching for newly imaged computers, or to catch up unpatched computers in your environment.  You can run baseline patches during OS provisioning by adding a Patch System action to your template.  This video provides more information on this action:


How to use the LANDESK OS Provisioning "Patch System" action


You will want to design your production patching process according to your needs.  You will need to investigate the remaining definitions in the "unassigned" folder and determine whether to scan and repair them or move them to Do Not Scan.  As you design your continuing patch process, make effective use of additional custom groups and Definition group settings to reduce your management workload.


Before applying baseline patches to your production environment, you should apply them to a larger patch pilot group for further testing and to eliminate any potential patch issues that would affect your users or break applications. It is vital to understand the needs of your environment and to make informed decisions about which patches you apply and their potential consequences.




Windows patch not updating (KB3046002)


I am trying to install the Windows patches released on 12/5/2015, but a few of the KBs are not getting installed, giving errors like "C:\Windows\System32\wusa.exe returned failure exit code (2147746132)" / "failed to launch C:\windows\system32\wusa.exe error code 0x80070013", and others the same with a different error code.

[Attachment: LD.jpg]

I tried manual installation of the same but no joy; even rebooting the machine didn't make it successful. Below are the attached errors from installing and troubleshooting the patch manually.

[Attachments: error.png, error3.png]

Please help me with this, as it is an issue on many of my devices, but the same patch worked on a few devices.

Thanks,
Praveen

MS15-012 KB2956073


Hi,

 

It seems the detection logic for this patch is off. When doing a scan of a host, vulscan reports that it is not needed:

 

   Patch is NOT installed

Checking vulnerability MS15-012_MUI_ENU, rule index 2 ('proofloc2010-kb2956073-fullfile-x86-glb-ENU.exe')

Running detection script

created the hlpr instance ok

isInstallable=False

VUL: 'MS15-012_MUI_ENU' (proofloc2010-kb2956073-fullfile-x86-glb.exe) not detected.  Patch proofloc2010-kb2956073-fullfile-x86-glb.exe is not required.

 

However, doing an MBSA scan says it is needed.  In addition, running the patch manually allows it to be installed.

 

Thanks,

Brad

The previous system shutdown was unexpected


Hello All,

 

I am having a problem with a big percentage of our servers being patched with Landesk. When the Landesk client issues a reboot (if required for patching), when the server comes back up, we get "The previous system shutdown was unexpected" messages.

 

Anybody else noticing this problem? Core is 9.5 SP1.

 

Thanks
