Channel: Ivanti User Community : All Content - Patch Manager

How to Scan and/or Repair against a custom group


Description

 

This article describes how to scan and/or repair based on a custom group that has been created in Security and Compliance Manager.

 

Resolution

In Patch and Compliance Manager, there is the option to create a custom group.


To create a new group:

  1. Open the Security and Compliance tool group on the Core Server or Remote Console
  2. Go to the Patch and Compliance tool.
  3. Expand the "Groups" node in the left hand pane.
  4. Right-click on either "My Groups" or "Public Groups" and select "New".


Once you have created a new group, you can drag and drop definitions into it as you desire. Then, in the Distribution and Patch Settings, set the scan to target a GROUP rather than TYPES, and point it at your custom group.

Once you have scanned against this, you can then REPAIR the entire custom group at once by right-clicking the group in Patch and Compliance Manager, and selecting repair.

 

To create a repair task, open Security and Compliance Manager and follow the steps below.

 

  1. Right click the custom group desired
  2. Choose "Repair".
  3. Set up the desired options (i.e. scheduled task, stage and repair, policy, etc...)
  4. Click "OK" to create the task
  5. Now drag the machines or query desired into the repair task you created (note: the device count will not reflect the results of the query until the task is started).
  6. You can also right click the scheduled task and choose properties to adjust the behavior and scheduling of the task.

 

For more information about Security and Compliance Manager, please refer to the Best Known Methods located here: Getting Started with Patch Manager in LDMS 9.6 and Best Known Methods Security and Patch Manager.


LANDESK Security and Compliance Landing Page




Important Notices

 

Initial Install and Configuration

 

Patch content information

 

 

Additional Options and Information

Videos


Troubleshooting this Component

 

NOTE: This is not a full list of documents and issues. You can continue to search the rest of the Community, or narrow your search to this area.

Error: "1314" when installing a patch or application through Patch Manager


Issue

 

Patch installation fails with error "1314" when attempting to launch the installer.

 

Vulscan.log will show the following:

       2744 Error 1314 launching application <"filename">
       2744 ERROR(EXECUTEFILE) Failed to run command  - 80070522
       2744 DownloadPatch ERROR: Failed to run commands (80004005).

 

Cause


Error 1314 is the Windows error ERROR_PRIVILEGE_NOT_HELD, "A required privilege is not held by the client". The 80070522 in the second log line is the same error wrapped as an HRESULT (0x522 = 1314), and 80004005 is the generic E_FAIL that DownloadPatch reports once the launch has failed.

 

Incorrect or invalid credentials are configured in the Run As fields of the "MSI Information" section of the Distribution and Patch settings.

 

Resolution

 

Run As credentials are not necessary in most environments. They are only needed where Local System is not permitted to install files. Remove the Run As credentials, save the Distribution and Patch settings, and redeploy the repair task. Where Run As credentials are genuinely required, use a dedicated account with only the rights the installer needs rather than a domain administrator, since the credentials are stored in agent settings that reach every targeted device.
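The three log lines above are one failure reported three ways. The following Python script, added to this article and not part of LANDESK/Ivanti's tooling, extracts the codes from vulscan.log lines and decodes them: it unwraps 0x8007xxxx HRESULTs to their Win32 error number (so 0x80070522 becomes 1314) and reports 80004005 as E_FAIL. The sample log lines are constructed from the excerpt above, and the message table is a deliberately small, hand-written subset; any code not in it is reported by number rather than guessed.

```python
"""Decode the error codes that vulscan.log reports when a patch fails to launch.

Added example for this article, not LANDESK/Ivanti code. The sample log lines
are constructed from the excerpt above; the message tables are a small
hand-written subset, so unknown codes are reported by number, never guessed.
"""
import re
from typing import List, Optional, Tuple

FACILITY_WIN32 = 7  # HRESULT facility used for wrapped Win32 errors (0x8007xxxx)

# Subset of Win32 error numbers, keyed by the number Windows reports.
WIN32_MESSAGES = {
    1314: "ERROR_PRIVILEGE_NOT_HELD: A required privilege is not held by the client",
}

# HRESULTs that are not wrapped Win32 errors.
HRESULT_MESSAGES = {
    0x80004005: "E_FAIL: Unspecified error",
}

# Constructed sample: the three vulscan.log lines quoted in the article.
SAMPLE_LOG = """\
       2744 Error 1314 launching application <"filename">
       2744 ERROR(EXECUTEFILE) Failed to run command  - 80070522
       2744 DownloadPatch ERROR: Failed to run commands (80004005).
"""

# "Error 1314" style decimal codes, and bare 8-hex-digit HRESULTs.
DEC_RE = re.compile(r"\bError (\d+)\b")
HEX_RE = re.compile(r"(?<![0-9A-Za-z])[0-9A-Fa-f]{8}(?![0-9A-Za-z])")


def win32_from_hresult(code: int) -> Optional[int]:
    """Return the Win32 error wrapped in an HRESULT, or None if it is not one.

    HRESULT_FROM_WIN32(x) sets the severity bit, puts FACILITY_WIN32 (7) in
    bits 16-26 and x in the low 16 bits, so 0x80070522 unwraps to 0x522 == 1314.
    """
    code &= 0xFFFFFFFF
    if code >> 31 and ((code >> 16) & 0x7FF) == FACILITY_WIN32:
        return code & 0xFFFF
    return None


def describe(code: int) -> str:
    """Human-readable text for a bare Win32 number or a 32-bit HRESULT."""
    if code < 0x10000:  # bare Win32 number, as in "Error 1314"
        return WIN32_MESSAGES.get(code, f"Win32 error {code}")
    code &= 0xFFFFFFFF
    if code in HRESULT_MESSAGES:
        return HRESULT_MESSAGES[code]
    win32 = win32_from_hresult(code)
    if win32 is not None:
        return WIN32_MESSAGES.get(win32, f"Win32 error {win32}")
    return f"HRESULT 0x{code:08X}"


def extract_codes(line: str) -> List[int]:
    """Pull decimal 'Error N' codes and 8-digit hex HRESULTs out of one log line."""
    codes = [int(m) for m in DEC_RE.findall(line)]
    codes += [int(m, 16) for m in HEX_RE.findall(line)]
    return codes


def triage(log_text: str) -> List[Tuple[int, str]]:
    """(code, message) for every error code found, in log order."""
    found = []
    for line in log_text.splitlines():
        for code in extract_codes(line):
            found.append((code, describe(code)))
    return found


if __name__ == "__main__":
    for code, msg in triage(SAMPLE_LOG):
        print(f"{code:>10} -> {msg}")
```

Run it as a script to see the three sample lines decoded; for a real log, pass the file contents to triage(). Seeing the underlying Win32 number is what makes the next step obvious: 1314 points at the account the launch runs under, not at the patch file itself.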

How to create a Custom Vulnerability Definition in Security and Compliance Manager


Description

 

This article illustrates how to create a custom vulnerability definition in Security and Compliance Manager.  Creating custom definitions is not part of the regular support that LANDESK offers, so this Community article serves to assist customers in creating these definitions.

In LANDESK Security and Compliance Manager, the ability to create a "user defined" vulnerability definition provides an extremely flexible and powerful tool for configuring and maintaining the computers in your environment.

Custom vulnerability definitions (and their detection rules) can scan managed devices for any operating system, application, single file, or registry condition, or run a custom VBScript to test arbitrary conditions, so that a detected client can then be remediated.

 

Possible implementations

Implementations of custom vulnerabilities are almost limitless. They can be used to update any application on managed devices, or to deploy any single-file executable to a managed device based on detection rules defined by the LANDESK administrator.

The following step-by-step example shows how to create a custom vulnerability to update or install a fictitious "in-house" application.

 

Assumptions

The administrator should be able to install the LANDESK Management Suite Core Server and clients.  The core and managed devices should be configured with the latest LDMS version and service pack.

 

Creating a Custom Vulnerability Definition

Vulnerability Definition Help Page

 

We will now create the custom vulnerability to detect a condition.  In this case we will use "File Detection" logic to look for a minimum allowed version of "SuperSpecialIn-HouseApplication.dll".

 

  1. From the Management Console on the Core Server or a Remote Console, open the Security and Compliance tool group.
  2. Open the Patch and Compliance tool and click the Create Custom Definition icon (green circle with a + in the middle).
  3. The window that opens shows the General information for your Custom Definition.
  4. Enter an ID, Title, Severity, and Notes.  The definition will then appear in your Custom Definitions list.

Detection Rules

  1. Under Detection Rules click Add to add detection rules.
    Detection Rule Help
    Detection rules define the conditions that cause the computer to be deemed "vulnerable", or simply in need of an update, configuration change, application installation, etc.
    Sometimes multiple detection rules are needed in one definition, so that different patches or configuration changes are applied depending on the conditions found.
    A common use of multiple detection rules is when you have separate patches for 32-bit and 64-bit systems.

The following Properties for Rule # window will appear.

 

Give the rule a name, title, and comments.

 

Detection rules are processed from the top down, and the detection checks are evaluated in the following order:

Selecting Affected Platforms

Affected Platforms Help Guide


The scanner first checks whether the client is running an affected platform (in this case, as defined by the user).
This is the operating system running on the client computer.  It is possible to differentiate between 32-bit and 64-bit versions of each operating system, etc.
The Platform pick-list offers the supported operating systems to choose from.

 

If the client computer is not running an affected operating system, all other detection criteria are ignored and the computer is not deemed "vulnerable", as it has not met the first detection criterion.
If the client computer is running an affected operating system (platform), scanning continues to "Affected Products".

 

Creating a custom Affected Product

Affected Products Help

 

The "Affected Products" check tests whether the product exists on the client computer.  This is a top-level criterion, and typically checks for the mere existence of a file or registry key associated with the product.  Sometimes a VBScript is used.
If writing a custom definition for a product that is already in the LANDESK database, you can simply click "Configure" and select that product.
Otherwise, in our case of writing a custom definition for "Super Special In-House Application", we will create a new Product based on file detection of "SuperSpecialIn-HouseApplication.exe".

    1. Click "Configure" in the Properties for Rule # window.
    2. Click Add and fill in the ID, Name, Vendor, and Version information (as applicable).
      Creating a custom product, or selecting an existing one, adds another level of detection that makes the later detection steps more flexible.
      For example, if the scanner does not detect that Super Special In-House Application is installed, it leaves the detection process for this rule without evaluating the remaining criteria.
    3. Move down to the "Files" section of the detection logic and enter SuperSpecialIn-HouseApplication.exe (or, of course, the filename you are concerned with).
    4. Enter a Minimum Version and a Maximum Version for the file.  In this case we will enter 0.0.0.0 for the Minimum Version and 99.99.99.99 for the Maximum Version so that any version found is applicable.
    5. Click OK to save the newly created Custom Product.
    6. Now that the Product has been created, it needs to be included in the Rule.  Select the new Product from the bottom pane of the Select Affected Products window and click Include to move it to the Affected Products pane.
    7. Click OK.


Query Filter

 

Now move down to the Query Filter section.  All detection fields are optional.  Typically the Query Filter pane is used to include or exclude clients from the detection based on LANDESK queries.
An existing query can be selected or a new query created.  For our example we will not use a Query Filter.

 

Files Detection Logic

Files used for detection help

Registry settings used for detection help

Custom script detection help

 

    1. Move to the Files pane.
      Our example will use "File Version" for detection.  However, Files detection offers several other methods of detection as well.
    2. Since SuperSpecialIn-HouseApplication.dll is used in our detection process, and our new file is version 1.5, we will check whether anything older than 1.5.0.0 exists.  Note that the top of the window says "Detection will occur if any of these conditions are not met".
      Several criteria can be added (stacked up) in the File detection section.  If any one condition is not met, the computer is deemed vulnerable.  Typically, however, only one criterion is added here.
    3. For the path you can enter a static directory and filename (C:\Program Files (x86)\SuperSpecialIn-HouseApplication.dll) or use variables.  To use variables, right-click the FILEPATH entry and you will be presented with the variables that can be used.
    4. In Min version enter "1.5.0.0".  This indicates that if the scanner sees any version of the .DLL earlier than 1.5.0.0 (the version of the .DLL in the update to be installed), the computer is deemed vulnerable.
      Note: For our example we will not use Registry Settings detection or Custom Script detection.  However, the three detection types combine: if any criterion of any type is not met, the computer is deemed vulnerable.
      Additional important note: There is an important difference between "File must exist", "File must NOT exist" and "File may exist".  "Must" means that the file needs to exist; if it does not exist, the computer is deemed vulnerable.  This matters because if you have not defined an affected product and are simply using detection criteria, a missing file will cause the computer to be detected as vulnerable even on devices that never had the product installed.  "May" means that a missing file is fine: detection will not happen and the computer will not be deemed vulnerable.  However, if the file DOES exist, the detection criteria must be met; in our case the file must be at version 1.5.0.0 or higher or detection will occur.

 

Patch Information

Patch Information Help

 

There are three options available regarding Patch Information:


  1. "Repairing this issue requires downloading a patch" is used when you want to install a patch, an upgrade file, or an application.
  2. "This issue can be repaired without downloading a patch" is used when you intend to use scripting, additions/changes to the registry, copying files, starting or stopping a service, etc to "repair" the computer.
  3. "This issue cannot be repaired by Security and Compliance Manager" is used when you simply want to use detection only and do not plan to patch, upgrade or otherwise configure the client.

 

For our example we will use "Repairing this issue requires downloading a patch".

 

  1. Select "Repairing this issue requires downloading a patch".
  2. If you have a source to download from, enter the FTP or HTTP address in the "Manufacturer's patch URL:" field.
  3. Set "Auto-downloadable" to "Yes".  If the patch is not downloadable, the patch file will need to be placed in the default patch location.  (Also see this document: How to change the default Patch Location for Security and Patch Manager?)
  4. Each file that is installed by Patch Manager must be given a unique filename when it is downloaded.  This filename can differ from the original filename on the download source.  Enter a unique filename, or the existing filename if you are manually copying the file into the default patch location rather than downloading it from an FTP or HTTP source.
  5. Once the file is in place, generate a hash for the file so that the client can verify it has not been replaced by a different file.  Click the Calculate Hashes button; the red X's above should turn into a green checkmark, and the "File Size" line is populated with the file size.  The hash is only as trustworthy as the copy it was calculated from, so calculate it from a file obtained over a trusted channel, and recalculate it whenever you replace the file.
  6. If your application requires a reboot, enter the appropriate choice in the "Requires Reboot" section.
  7. If your application can be installed silently, select the appropriate choice in the "Silent Install" section.
    (Note: These two fields are purely informational.  The "Patch Install" section of the rule controls the silent switches, and the Distribution and Patch Settings control the reboot options.)

 

Detecting the Patch

 

Various criteria can be used to detect whether the patch is installed.  Both File Detection and Registry Detection can be used.  This is the inverse of the criteria used to detect the vulnerability: this section says "The patch will be detected if all these conditions are met, along with all registry and script conditions", whereas the Detection Logic section triggers when a condition is NOT met.  This is an important distinction, and because of it the exact same criteria can often be used both in the Detection Logic section and in the Detecting the Patch section.
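The two sections above, "Files Detection Logic" (with its "must exist"/"may exist" note) and "Detecting the Patch", describe one set of conditions evaluated two opposite ways. The Python model below is an added example written for this article, not LANDESK/Ivanti code: the FileCondition and RegistryCondition classes, the in-memory Device, the example registry key and every version number are constructed. It evaluates a rule over a fake device so you can see which combinations of file presence, version and existence mode come out "vulnerable" and which come out "patched", and it applies the affected-product gate from the "Creating a custom Affected Product" section in front of the conditions.

```python
"""Model of how a custom definition's detection checks are evaluated.

Added example for this article, not LANDESK/Ivanti code. The rule classes,
the in-memory Device, the registry key and every version number are constructed.

From the text:
  * Detection Logic:     the device is VULNERABLE if ANY condition is NOT met.
  * Detecting the Patch: the patch is INSTALLED only if ALL conditions ARE met.
  * "must" exist: a missing file fails the condition; "may" exist: a missing
    file passes, but a present file must still satisfy the version range.
  * Affected Product: if the product is not found, the rule is left without
    evaluating the conditions (this is what keeps "must exist" from flagging
    devices that never had the product).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple, Union


@dataclass(frozen=True)
class FileCondition:
    path: str
    min_version: Optional[str] = None
    max_version: Optional[str] = None
    existence: str = "must"  # "must", "must_not" or "may"


@dataclass(frozen=True)
class RegistryCondition:
    key: str  # full key path; per the article, detection only works under HKLM
    value_name: str
    expected: str


Condition = Union[FileCondition, RegistryCondition]


@dataclass
class Device:
    """Constructed stand-in for a scanned client."""
    files: Dict[str, str]  # path -> file version string, e.g. "1.4.2.0"
    registry: Dict[Tuple[str, str], str]  # (key, value name) -> data


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.10.0.0' -> (1, 10, 0, 0): numeric, so 1.10 sorts after 1.9."""
    return tuple(int(part) for part in text.split("."))


def _file_version(device: Device, path: str) -> Optional[str]:
    """Case-insensitive lookup, since Windows paths are case-insensitive."""
    wanted = path.lower()
    for candidate, version in device.files.items():
        if candidate.lower() == wanted:
            return version
    return None


def _registry_value(device: Device, key: str, name: str) -> Optional[str]:
    for (k, n), data in device.registry.items():
        if k.lower() == key.lower() and n.lower() == name.lower():
            return data
    return None


def file_condition_met(cond: FileCondition, device: Device) -> bool:
    version = _file_version(device, cond.path)
    if cond.existence == "must_not":
        return version is None
    if version is None:
        return cond.existence == "may"  # "must": absence alone fails the check
    found = parse_version(version)
    if cond.min_version and found < parse_version(cond.min_version):
        return False
    if cond.max_version and found > parse_version(cond.max_version):
        return False
    return True


def registry_condition_met(cond: RegistryCondition, device: Device) -> bool:
    if not cond.key.upper().startswith("HKLM\\"):
        raise ValueError("detection is only supported under HKLM: " + cond.key)
    return _registry_value(device, cond.key, cond.value_name) == cond.expected


def condition_met(cond: Condition, device: Device) -> bool:
    if isinstance(cond, FileCondition):
        return file_condition_met(cond, device)
    return registry_condition_met(cond, device)


def is_vulnerable(conditions: Sequence[Condition], device: Device,
                  product_file: Optional[str] = None) -> bool:
    """Detection Logic, with the optional Affected Product gate in front."""
    if product_file is not None and _file_version(device, product_file) is None:
        return False  # product not installed: the scanner leaves this rule
    return not all(condition_met(c, device) for c in conditions)


def is_patch_installed(conditions: Sequence[Condition], device: Device) -> bool:
    """Detecting the Patch: the inverse test, every condition must be met."""
    return all(condition_met(c, device) for c in conditions)


# Constructed rule from the walkthrough: flag any DLL older than 1.5.0.0.
EXE = r"C:\Program Files (x86)\SuperSpecialIn-HouseApplication.exe"
DLL = r"C:\Program Files (x86)\SuperSpecialIn-HouseApplication.dll"
RULE = [FileCondition(DLL, min_version="1.5.0.0", existence="must")]

if __name__ == "__main__":
    outdated = Device({EXE: "1.4.2.0", DLL: "1.4.2.0"}, {})
    current = Device({EXE: "1.5.0.0", DLL: "1.5.0.0"}, {})
    for label, dev in (("outdated", outdated), ("current", current)):
        print(label, "vulnerable:", is_vulnerable(RULE, dev, product_file=EXE),
              "patched:", is_patch_installed(RULE, dev))
```

Versions are compared numerically part by part, so 1.10.0.0 is correctly newer than 1.9.0.0 (a plain string comparison would get that wrong), and file paths are matched case-insensitively as Windows does. The RULE constant mirrors the walkthrough: any SuperSpecialIn-HouseApplication.dll below 1.5.0.0 is vulnerable, and the same RULE passed to is_patch_installed reports the device patched only once the DLL is at 1.5.0.0 or later.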

 

Patch Installation and Removal

Patch Install and Uninstall Help

 

Stop Processes

If processes need to be stopped prior to your install, update or configuration change, you can list the process names as they appear in the Windows Task Manager.  Several entries can exist.

This will cause any of these processes to be "killed" (stopped) prior to the patch install actions.

 

Additional files

This allows you to specify additional files that will be downloaded to the client along with the main file listed under the Patch Information section.  Enter the HTTP and/or UNC path, click the blue arrow to browse to that location, and then select the file(s) you wish to include from the "Available files" listing.  After adding the files you will be presented with options to hash them.

Patch Install Commands

Various combinations of actions can be added to the Patch Install commands section.

These actions run in the order they are listed.  You can re-arrange them with the Move Up and Move Down buttons after they are entered.

 

As in other areas of the Rule properties, variables can be used; they are typically displayed by right-clicking an appropriate field such as "Path".

Patch Uninstall Commands

Patch uninstall commands work the same way as the Patch Install commands.  A combination of actions can be defined to uninstall a patch, undo a configuration change, etc.

 

Tips and Tricks


In order to see examples of vulnerability definitions and rules, you can right-click any existing definition (custom or not) and select "Clone".   This will create a duplicate of the definition that will show up in the Custom Vulnerabilities category and can be edited.

This is a great way to learn how to create detection logic and installation commands.

How to repair vulnerabilities using a pre-cache task (install from local cached file or peers instead of from the source)


How can I push a large patch out to my different locations and force the clients at those locations to use a local cached copy and not download the file from the core?


You can use the staging task that is part of a repair task to first push the patch to a specific number of computers. Then push the repair task to all of the computers with the "Download patch only from local peers" option selected.

 

The following assumes that a full vulnerability scan has been run on the clients you wish to stage the patches to.

 

      1. Open the LANDesk Management Suite Console.
      2. Go to Tools | Security and Compliance | Patch and Compliance.
      3. Change the selected type in the top left to "All Types" if you wish to view all detected vulnerabilities in any category, or select another type if you are only staging and repairing for a particular vulnerability type.
      4. Click the Detected folder.
      5. Right-click the definitions you wish to deploy the patches for.
      6. Select Download associated patches.
      7. Make sure that the patch(es) have downloaded.
      8. Close the window.
      9. Right-click the vulnerability definition you wish to repair.
      10. Select Repair.
      11. Select Task Settings in the left-hand pane.
      12. Select the "Pre-cache (download for a future task or portal initiated action)" radio button.
      13. Select the Agent Settings option in the left-hand pane.
      14. Select the Distribution and Patch setting you wish to edit from the drop-down and select "Edit".
      15. Select "Network Settings" in the left-hand pane.
      16. If you wish to allow the computer to download only from its local cache or peers, check only the "Attempt Peer Download" option (recommended).
        If you wish to allow download from the cache, local peers, and/or a preferred server, select both "Attempt Peer Download" and "Attempt Preferred Server".

     

    Clients can install from their own cache, and that cache also supplies the patches to other computers on the same subnet through peer download, saving bandwidth and traffic back to the preferred server and/or source.

    Note: By default, a patch that is pre-cached by the method above only stays in the SDMCache on the local machine for 7 days. If you would like the patch(es) to remain in the SDMCache folder for a longer period of time, do the following:

     

    Change Client Cache (SDMCACHE) Retention Period

     

    1. Open the "Agent Settings" tool under the "Configuration" tool group.
    2. Select "Client connectivity" under the groups of settings.
    3. Double-click an existing setting to edit, or right-click select "New" to create a new setting.
    4. Click the "Download" section in the left-hand pane.
    5. Set the "Number of days to stay in the client Cache" option to the desired amount.
    6. Click OK

     

    Note: Ensure that the computers added to the pre-cache task are vulnerable for the patches included in the task, otherwise the pre-cache process will not work correctly.

    (Article replaced with newer content) Creating a Custom Vulnerability 8.6

    Getting started with Patch Manager in LANDESK® Management Suite 9.5


    Getting started with Patch Manager in LANDESK® Management Suite 9.5

     

    For LDMS 9.6 please see: Getting Started with Patch Manager in LDMS 9.6

     

    INTRODUCTION

    This document is intended to assist LANDESK® Management Suite administrators with implementing Security and Patch Manager in their environment for LANDESK® Management Suite 9.0 and 9.5.

    SCOPE

    This document covers the steps necessary to get started using Patch Manager to patch clients. It also contains a quick reference guide for experienced LANDESK administrators who just need a reminder of the steps required for patching clients.

    ASSUMPTIONS

    This document is written with the expectation that the LANDESK Core Server has been installed and activated and the workstations have the LANDESK agent installed. Other documents discuss these topics, and they are not addressed in this document.

    See the LDMS90Patch.PDF attachment for the document.

    (Replaced Article) How to Create Custom Definitions in LANDesk® Management Suite 9.0


    How to create a Security and Patch Custom Definition to change a registry setting


    For overall Custom Definition information please see this article: How to create a Custom Vulnerability Definition in Security and Compliance Manager

    Description:

    How to create a Custom Definition in Security and Patch Manager that will check for the presence of a registry setting and make a change if detected.

     

    Example:

    In our example we will be detecting for a registry setting that controls the LANDESK Remote Control security type (HKLM\SOFTWARE\Intel\LANDESK\WUSER32 | Security Type)

     

    1. In the 32-bit console go to Tools | Security | Security and Patch Manager
    2. Change the Type drop-down menu to Custom Definitions
    3. Click the "Create Custom Definition" button
    4. Enter a definition ID and Title
    5. Click the button labeled Add
    6. Click on Affected Platforms and select the operating systems that will be scanned for the definition
    7. Under Detection Logic click on Registry Settings and click Add
       NOTE: The detection logic will report the device as vulnerable if the registry value on the machine differs from the value entered here.
    8. Enter the registry key information
       NOTE: HKLM has already been entered and represents HKEY_LOCAL_MACHINE. Detection can only take place under HKLM.
    9. After entering the registry setting click the Update button to commit the change
    10. Click on "Patch Information"
    11. Change the drop-down to "This issue can be repaired without downloading a patch"
    12. Under Detecting the Patch click on Registry Settings and click Add
    13. Enter the registry value that the setting will be changed to, so the scanner can detect when the change has occurred on a device (don't forget to click the Update button when you are finished entering the key)
    14. Click on Patch Install Commands
    15. Click the button labeled Add
    16. Select "Write a value to the registry"
    17. Click OK
    18. Double-click the value column next to Key and enter the full key path (i.e. HKEY_LOCAL_MACHINE\System\...)
    19. Enter the value name
    20. Enter the value data that you want to write
    21. Click OK
    22. Click OK
    23. Run a security/compliance scan on a computer, then verify in the Detected column that the computer was detected as vulnerable
    24. To execute the custom definition and make the change to the registry, create a repair task from the custom definition or set the definition to auto-fix

    Issue: Special characters not working in unique filename path for Patch Information section of Custom Definitions


    For general information about Custom Definitions please see the following article: How to create a Custom Vulnerability Definition in Security and Compliance Manager


    Versions affected: LDMS 9.5 and newer

     

    Problem:

    You wish to create custom definitions for the Security and Patch component, but the unique filename field will not allow you to use special characters, which prevents you from using subfolders as you could in previous versions of LDMS.

    For example, characters such as / , & \ etc. are rejected.

    Solution:

     

    This option has not been taken away from the LDMS console, but the subfolders are now organised differently. This article documents the new method of using subfolders for custom definitions.

     

    To activate the subfolders for the patches and your custom definitions, you must first tick the box 'Group patches in subfolders by language and vendor' in the Download Updates window under the 'Patch Location' tab.

     

    Once this is done, download patch definitions as you normally would; you will notice they are now arranged by language and vendor, as indicated by the tick box above.

    There is now a folder structure under your patch repository organised by language, in this case INTL, and vendor, in this case Microsoft.

    This location is determined by properties defined in the patch definition itself.

    The language in this definition is INTL which indicates the first sub-folder under your patch repository and the vendor is 'Microsoft' which indicates the sub-folder under the language. These are fixed properties in the default definitions and cannot be overridden.

    However, custom definitions can have customised vendors. It is a good idea to give your custom vendor a name that is easily identified as custom, so that those patches can be backed up separately.

     

    Creating the custom definition with a custom Vendor:

    To utilise the subfolder under your main patch location, create or edit a custom definition.

    On the first tab, under 'General', you will notice that the vendor field is blank.  In this example I have changed the Vendor to "custom".

    Every detection rule will now look for its patch, if one is needed, under the folder structure 'Patch repository > INTL > custom > name of patch'.

    For example, custompatch.exe is defined under the detection rule, Rule 1.

    To test that the patch can be located before deploying it, press the 'Generate MD5 Hash' button. This locates the patch and creates an MD5 hash for it; it produces a "File does not exist" error if it cannot find the file.
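The following Python helper is an added example for this article (not LANDESK/Ivanti code) that reproduces the two checks described above: it builds the repository path <patch repository>/<language>/<vendor>/<unique filename> for a custom definition, rejects unique filenames that contain the characters the console refuses (so a subfolder is expressed through the vendor, never in the filename), and then performs the same check as 'Generate MD5 Hash', raising "File does not exist" when the patch is not at the resolved location. The repository root, the 'custom' vendor and the custompatch.exe payload are constructed; demo() writes a stand-in file into a temporary directory so the example runs offline.

```python
"""Resolve and verify a custom definition's patch in the repository layout
produced by 'Group patches in subfolders by language and vendor'.

Added example for this article, not LANDESK/Ivanti code. The repository root,
the 'custom' vendor and the custompatch.exe payload are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Characters the unique-filename field rejects (the article's examples), so a
# subfolder can only be expressed through the vendor, never in the filename.
REJECTED_CHARS = set("/\\,&")


def validate_unique_filename(name: str) -> str:
    bad = sorted(set(name) & REJECTED_CHARS)
    if bad or name in ("", ".", ".."):
        raise ValueError(f"unique filename must be a bare file name, got {name!r}")
    return name


def patch_path(repo: Path, language: str, vendor: str, unique_filename: str) -> Path:
    """<repo>/<language>/<vendor>/<unique filename>, e.g. repo/INTL/custom/custompatch.exe"""
    return repo / language / vendor / validate_unique_filename(unique_filename)


def hash_patch(path: Path) -> Dict[str, object]:
    """What 'Generate MD5 Hash' checks: the file must exist at the resolved path.

    MD5 is what the console records; SHA-256 is computed alongside because MD5
    collisions are practical and a stronger digest belongs in your own records.
    """
    if not path.is_file():
        raise FileNotFoundError(f"File does not exist: {path}")
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"size": path.stat().st_size,
            "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest()}


def demo(payload: bytes = b"MZ" + bytes(62)) -> Tuple[Dict[str, object], Path]:
    """Lay out a constructed repository in a temp dir, then resolve and hash
    the custom patch the way the detection rule would look for it."""
    repo = Path(tempfile.mkdtemp(prefix="patchrepo-"))
    target = patch_path(repo, "INTL", "custom", "custompatch.exe")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(payload)  # stand-in bytes, not a real patch
    return hash_patch(target), target


if __name__ == "__main__":
    info, where = demo()
    print(where)
    for key, value in info.items():
        print(f"{key}: {value}")
```

Besides the MD5 the console records, the helper computes SHA-256: MD5 collisions are practical, so keep a stronger digest of each custom patch in your own change record and compare it after every copy into the repository.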

    Issue: Additional file in custom patch is not downloaded to same directory as the patch


    Issue

    Additional file in custom patch is not downloaded to same directory as patch.  This causes a problem with the patch install.

     

    Cause

    This is working as designed: the utility that moves files in the background preserves the source subdirectory structure, so an additional file lands under SDMCache in the same relative subdirectory it came from rather than in the folder the patch was placed in.

     

    Resolution

    1. Go into the patch definition and, in the properties for the rule, add an additional Patch Install Command of type "Execute a program".
    2. Make the path point to c:\windows\system32\cmd.exe
    3. Next change the args to: /c xcopy "%SDMCACHE%\ldlogon\patch\yourfilename" "%SDMCACHE%"
    4. Move the new execute command to the top of the list (assuming you have others).
    5. Save the rule. This copies the additional file into the SDMCache folder before the patch runs, and the install should then work.

    About the icons in the Security and Compliance tool


    Question:

     

    What do the different icons next to the vulnerability definitions mean?

     

    Answer:

     

    Below are the different icons that can be associated with a vulnerability definition, and what they mean (the icon images differ between LDMS 8.x and LDMS 9, but the meanings are the same).

    Compliance icon: the vulnerability is in the Compliance folder. If you have a compliance scan configured it will scan for this. The vulnerability is also in the Scan folder.  This is used in conjunction with the Network Access Control portion of the product to establish a baseline against which targets are scanned for compliance.
    Do Not Scan icon: the vulnerability is in the Do Not Scan folder. Computers will make no attempt to scan for this vulnerability. Generally this is where you put vulnerabilities that have been superseded by newer ones, or that are for platforms you don't support.
    Unassigned icon: the vulnerability is in the Unassigned folder.  Computers will make no attempt to scan for this vulnerability. Generally this is where you put vulnerabilities you are undecided about, or that are waiting on approval before deployment starts.
    Scan icon: the vulnerability is in the Scan folder. Computers will scan for it when they run a security scan.

    Error: "Client user does not have administrator rights" when running Vulnerability Scan


    Issue

    The following error occurs when running the Vulnerability Scanner (vulscan) as a limited user:

    "Client user does not have administrator rights to run vulscan error"

     

    Vulscan run as an administrative user runs successfully.

     

    Resolution


    A fix for this issue is available in the latest service pack for LDMS 9.6:

    Fix # 178968 Vulscan UI reports failure to connect to the pipe of the current vulscan with error "Current users does not have administrative rights"

    Otherwise, ensure that the LANDESK Management Agent shows up in Services.  If it does not, go through the following steps.

     

    1. From the command prompt, run the following command:

     

    32-Bit clients:

    runas /user:(admin user) "C:\Program Files\LANDesk\Shared Files\residentagent.exe /register"

     

    64-Bit clients:

    runas /user:(admin user) "C:\Program Files (x86)\LANDesk\Shared Files\residentagent.exe /register"

     

    2. Enter password.

    3. Ensure that the service exists in the Services applet.

    4. Start the service by running the following command:

    runas /user:(admin user) "net start cba8"

    5. It will prompt you for your password again.

    Windows patch not updating (KB3046002)


    I am trying to update the Windows patch released on 12/5/2015 but a few of the KBs are not getting installed, giving errors like C:\Windows\System32\wusa.exe returned failure exit code (2147746132) / failed to launch C:\windows\system32\wusa.exe error code 0x80070013 and others the same with different error codes.

    I tried manual installation of the same but no joy; even rebooting the machine didn't turn it successful. Below are the attached errors when installing and troubleshooting the patch manually.

    Please help me on this as it's an issue with many of my devices, but the same patch worked on a few devices.

    Thanks,
    Praveen

    How to use Application Blocking in LDMS 9.6 Patch and Compliance Manager


    Creating a Custom Blocked Application

     

    The steps below outline how to configure Application Blocking in LDMS 9.5. Important: this only applies if you are going to block applications on every device in your system, or per agent configuration. If you anticipate needing to block applications only on some devices, or to block different applications for different groups without changing agent configurations, please skip to "Blocking Applications Using Custom Groups."

     

    1. Click on Tools | Securitiy and Compliance | Patch and Compliance
    2. Change the type to Blocked Applications
    3. Under Blocked Applications (All items) right-click the Block folder and select Add File.
    4. Enter the file name that you would like to block, enter a Title, and enter any other desired information in the other sections.
      Important: Blocked applications will block any executable with the name you enter. Creating a file with the name "setup.exe" with the intent of blocking a specific install will block any install that uses the name "setup.exe".

    Ensure that the Vulnerability Scanner includes the Blocked Applications type

    Make sure that the Distribution and Patch Settings have the Blocked Applications definition type selected.

    1. Open the Security and Compliance tool group
    2. Select the Agent Settings tool
    3. Double-click the Distribution and Patch setting that you would like to edit.
    4. Under Patch-Only settings and Scan Options ensure that under Type you have the checkmark next to Blocked Applications checked.
      This will cause the Security and Compliance scanner to include Blocked Applications in the type of content that it will scan for.

    Blocking applications using Custom Groups
    There are times when blocking the application for everyone in your environment may not be desired. For example, some Administrators choose to block Windows Media Player from the majority of their production users, but choose to allow other employees in the company to have access to the Windows Media Player. The steps below will outline the process of blocking an application or group of applications for a particular client computer or group of computers, but still allow the other devices in the network to run those same applications without having to change the agent configuration.

    1. Click on Tools | Security and Compliance | Patch and Compliance
    2. Change the type to Blocked Applications
    3. Create the applications you need blocked, or use the pre-defined list that comes down in LANDESK Content when downloading definitions in the Windows | Security | Applications to Block group within the Download Updates tool.

    Create and populate Custom Group(s)

    1. Within the left-hand pane of the Patch and Compliance tool, expand the tree to show Groups | Custom Groups | My Custom Groups or Public Custom Groups
    2. Right-click My Custom Groups or Public Custom Groups and select New Group
    3. Give the new group a descriptive name and press Enter
    4. At this point you can create sub-folders under this newly created group.  Reasons for this may vary.  One reason may be that you want to set the Distribution and Patch settings for distinct folders of Blocked Applications restrictions.
    5. Locate the applications that you wish to block in the Block folder under Blocked Applications (All Items) at the top of the left-hand pane.
      If the application you are trying to block is not in the Block folder it will not be blocked. The application may exist in the Do Not Block or Unassigned folder. If the application does exist in one of those folders, drag it to the Block folder in order for it to be blocked. If the application does not exist in any of the folders you can right-click the Block folder and select the Add File option.

    Configure Distribution and Patch Settings to include the Blocked Applications type and focus on your custom group
    If necessary you can create a new Distribution and Patch settings that includes scanning for and enforcing the Blocked Applications type.

    1. Open the Security and Compliance tool group
    2. Select the Agent Settings tool
    3. Under My Agent Settings or Public Agent Settings right-click the Distribution and Patch setting group and select New.
    4. Under Patch-Only settings and Scan Options ensure that under Type you have the checkmark next to Blocked Applications checked.
    5. Then you can select either All Blocked Apps or Only Apps in Group and browse to your custom group.
      This will cause the Security and Compliance scanner to include Blocked Applications in the type of content that it will scan for and in the group you have created.

    Unblocking an Application Using Custom Groups

    Once a scan has been run on a client to block an application, that application will continue to be blocked until another scan is run on the client that does not have that application listed as an application that should be blocked. This applies to a scheduled push or a policy. If the task was scheduled as a push you will have to reschedule the task after you have removed the definition from the group folder or the Block folder. If the task was scheduled as a policy and you want to stop blocking the application for everyone in that group, simply remove the definition and the next time the policy syncs it will not be blocked. Deleting the policy will still leave the applications blocked.

    Scheduling the Security Scan to Block Applications

    1. Go back to Patch and Compliance and click on the Create task (Calendar with clock) icon and select Security scan from the drop down menu.
    2. Select the option to Create a scheduled task.
    3. Give the task an appropriate name.
    4. Under the Agent Settings section in the left-hand pane, select the Distribution and Patch setting you just created.
    5. Select any other options you wish to select in these dialogs
    6. Click Save to save the task.  At this point the Scheduled Tasks tool will open.
    7. Locate the devices that you wish to block the application on and drag them to the task.
    8. Start the task.


    Helpful Tip: Create a query for the group of computers you would like to have the application blocked for and schedule it as a policy. As you add computers they will get the blocked apps, and when you add apps they will get updated on the next policy sync. Also, if your target machine already has blocked applications and you set it to scan against a different set, the new set will remove all of the old settings.


    How to use Application Blocking in LDMS 9.0 and 9.5

    How to speed up patching by disabling creation of restore points for each single update


    Issue

    Patching of multiple MS Patches (e.g. after a fresh Windows installation from CD) with LANDesk Patch Manager can take longer than doing the same via Windows Update.

     

    This is due to the fact that LANDESK Patch and Compliance Manager runs each patch separately and they may each create a restore point.

     

    Resolution

    You can use the Pre- and Post-Repair script within the LANDESK Distribution and Patch settings to duplicate the behavior of WSUS, by calling the PowerShell cmdlet «Disable-ComputerRestore -drive "C:\"» before each Repair Task and «Enable-ComputerRestore -drive "C:\"» after each Repair Task (http://technet.microsoft.com/library/hh849754.aspx).

     

    Warning: Disabling restore point creation is done at the customer's own risk. A restore point may allow easy recovery in the situation where a patch causes system failure or instability.

     


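An added example (not from the article or Ivanti) of what the Pre- and Post-Repair scripts could contain: one script with a -Phase parameter, so the pre-repair call takes a single restore point before disabling System Restore and the post-repair call re-enables it. It assumes the Distribution and Patch setting invokes it as `powershell.exe -ExecutionPolicy Bypass -File Restore-Toggle.ps1 -Phase Pre` (and `-Phase Post`), that the file name is ours, and that it runs elevated on the client.

```powershell
# Added example, not Ivanti's code. Assumed invocation from the Distribution and Patch
# setting's pre-repair and post-repair fields (file name is an assumption):
#   powershell.exe -ExecutionPolicy Bypass -File Restore-Toggle.ps1 -Phase Pre
#   powershell.exe -ExecutionPolicy Bypass -File Restore-Toggle.ps1 -Phase Post
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Pre', 'Post')]
    [string]$Phase,

    [string]$Drive = 'C:\'
)
$ErrorActionPreference = 'Stop'

switch ($Phase) {
    'Pre' {
        # Keep one restore point for the whole repair task instead of one per patch,
        # so the rollback the warning above describes is still possible.
        # Windows only creates one restore point per 24 hours via Checkpoint-Computer;
        # a second request in that window is reported as a warning, not an error.
        try {
            Enable-ComputerRestore -Drive $Drive   # no-op if already enabled
            Checkpoint-Computer -Description 'Before LANDESK repair task' `
                                -RestorePointType 'MODIFY_SETTINGS'
        } catch {
            Write-Warning "Could not create a pre-repair restore point: $_"
        }
        # Now stop Windows from creating a restore point for every single patch.
        Disable-ComputerRestore -Drive $Drive
        Write-Host "System Restore disabled on $Drive for the duration of the repair"
    }
    'Post' {
        # Always re-enable, even if individual patches in the task failed.
        Enable-ComputerRestore -Drive $Drive
        Write-Host "System Restore re-enabled on $Drive"
    }
}
```

If the repair task is interrupted before the Post phase runs, System Restore stays disabled on that client, so check its state afterwards rather than assuming the post-repair script ran.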

    Issue: Patches are downloaded in different languages


    Issue

     

    You have selected specific languages to download, but Patch Manager is downloading certain patches in every language.


     

    Cause

     

    Some specific patches require multiple languages for their patch detection logic.

     

    Many customers install Office products in one language on an OS in another language. For example, installing English Office 2013 on a Chinese OS client.


    Secondly, when customers install an Office product such as English Office 2013, it will also install components in other languages, such as the Spanish Proofing tool and the French Proofing tool. To handle these two scenarios, customers have to download the all-languages definitions for the Office products.

    How to use Patch Manager to deploy a LANDESK Service Pack


    Scenario

     

    As needed LANDESK Software will release a Service Pack to add new features to the product or resolve defects that have been discovered.
    As part of the Service Pack release a vulnerability definition will be included that will allow LANDESK Patch and Compliance Manager to detect and repair your Management Suite Consoles and Clients.

     

    Instructions

     

    Important Note: The Service Pack must be manually installed on the Core Server prior to following the instructions below.


    It is necessary to download LANDESK Updates content within Patch Manager to obtain the newest product definitions.


    Ensure that LANDESK 9.6 SPx Software updates is selected in the Download Updates tool within Patch and Compliance Manager

     

    1. Click on the Download Updates button within Patch and Compliance Manager.
    2. Ensure that Windows | Software Updates | LANDESK 9.6 SPx Software Updates in the Definition Types column on the left is selected.
    3. Click Schedule Download and schedule the download to take place immediately or at a future time if so desired.

     

    Creating a Security Scan task to detect the need to install the Service Pack:

    1. From a LANDESK Management Suite Console select Tools | Security and Compliance | Agent Settings.
    2. Expand My Settings or Public Settings as desired.
    3. Right click on Distribution and Patch and select New.
    4. From the Distribution and Patch Settings screen change the Name to "LANDesk Updates only".
      1. From the Menu on the left select Patch Only Settings | Scan Options
      2. Ensure that only LANDESK Updates is selected.
    5. Click Save.
    6. Click the Create a Task Icon (second icon from left on the Agent Settings toolbar) and select Security Scan.
    7. From the Create security scan task screen:
      1. Change the Task Name to "Scan for LANDESK Updates".
      2. Under Task type check Push, Policy, or Policy Supported Push as desired.
      3. Under Distribution and Patch Settings select LANDESK Updates only.
      4. Click Save.
    8. This creates a scheduled task called Scan for LANDESK Updates.
    9. Add computers from network view by doing one of the following.
      1. Drag and drop the computers into the task.
      2. Copy and paste the computers into the task.
      3. Create a Query representing the computers you wish to scan and drag the Query onto the task.
    10. Once you have populated the task with computers, right click on the task, hover over Start Now and click All Devices.
    11. The time for this task to complete will depend on the number of computers that have been added to the task.


    Creating a Repair Task to install the Service Pack task

    1. From the LANDESK Console go to Tools | Security and Compliance | Patch and compliance.
    2. Change Type to LANDesk Updates.
    3. Under Patch and Compliance expand LANDESK Updates.
    4. Click the Scan folder.
    5. Locate the Service pack name, it will typically start with "LD9xSPx" and the description will be "Service Pack X for LDMS 9.x"
    6. Right click on the Service Pack and select Download Associated patches.
      1. Click on Show All associated Patches.
      2. Select the Client and console .zip files.
      3. Right click the client and console patches and choose Download Patch.
    7. Once the patch is downloaded, right click on the Service pack and select Repair.
    8. From the Patch and Compliance - repair task window:
      1. Change the Name to "Repair <name of service pack>".
      2. Under Task Settings select the desired method for the run-time options for the task (Policy Supported Push, Policy, Push, Frequency, Additional Push Options, and Download Options).
      3. Click Save, this will open the Scheduled Tasks window.
      4. Select the computers-to-repair option of your choice.
      5. Under Agent Settings select the Distribution and Patch setting called "LANDesk Updates Only."
    9. This will create a Scheduled task with the name chosen in step 8a.
    10. Add targets. This can be done in a variety of ways: drag and drop single computers, drag a group of computers, or drag an LDAP query to the task.
    11. When you are ready to begin repairing the patch Right-click on the Task and choose Start Now.

     

    Additional Information

     

    About LANDESK Distribution and Patch settings

    Getting Started with Patch Manager in LDMS 9.6

     

    If you need to deploy multiple patches you can use this article in conjunction with the following to repair all the patches at the same time.

    How to use Custom groups to quickly bring a computer up to date.

    About Patch Manager Auto Update


    LANDESK Patch and Compliance Manager uses an auto update feature in order to make sure that all vulnerability scanning files are up to date with the core server. This ensures compatibility between the files and the latest definitions as well as compatibility with the files on the core.

     

    Vulscan Self Update

    When vulscan runs, it will initialize the needed files, then contact the core server to check for any updated files. If it finds updated files it will download them, stop any running LANDESK services as needed, replace the files and then start any LANDESK services. This process varies slightly depending on files that are updated.

     

    Agent files

    Vulscan checks for the following agent files and executables and updates them as needed:

    • vulscan.exe
    • vulscan.dll
    • vulscan.sig
    • xxxVULSCAN.dll where xxx is the 3 letter language prefix such as enu or ptb
    • softmon.exe
    • ldavhlpr.dll
    • vbscript.v55
    • sendtaskstatus.exe
    • av.key
    • ldav.key
    • rollinglog.dll
    • ldreboot.exe
    • ldreboot.dll
    • localsch.exe
    • ltapi.dll
    • LDSystemEventCatcher.dll

    Settings

    Vulscan will update all settings with the latest version of the CURRENT INSTALLED SETTING on the client. This includes:


     

    Again, this will only update the settings that are currently set or installed on the client machine. This WILL NOT update the client files (exes, dlls, etc) for all of the above components, only the settings.

     

    Important Note: It is important to know which settings are on the client machines whenever modifying settings. If you are working with some settings, testing or adjusting, any machines that run vulscan, scheduled or otherwise, will update. The currently installed settings can be found in the inventory record of the device under Computer - LANDESK Management - Component

     

     

    Preventing Auto Update

    The /noupdate switch can be used to prevent vulscan from updating files. This switch must be added to any scheduled task, policy, or locally scheduled task in order to completely prevent updating the client.

     

    Right Click Scanning

    If you right click on a device and select "Security and Compliance scan now" the client WILL NOT update.
