Channel: Ivanti User Community : All Content - Patch Manager

How to use Patch Manager to deploy a LANDESK Service Pack


Scenario

 

As needed, LANDESK Software will release a Service Pack to add new features to the product or resolve defects that have been discovered.
As part of the Service Pack release, a vulnerability definition will be included that allows LANDESK Patch and Compliance Manager to detect and repair your Management Suite Consoles and Clients.

 

Instructions

 

Important Note: The Service Pack must be manually installed on the Core Server prior to following the instructions below.


It is necessary to download LANDESK Updates content within Patch Manager, to obtain the newest product definitions.


Ensure that LANDESK 9.6 SPx Software updates is selected in the Download Updates tool within Patch and Compliance Manager

 

  1. Click on the Download Updates button within Patch and Compliance Manager.
    2015-06-09_10-34-53.png
  2. Ensure that Windows | Software Updates | LANDESK 9.6 SPx Software Updates in the Definition Types column on the left is selected.
  3. Click Schedule Download and schedule the download to take place immediately or at a future time if so desired.

 

Creating a Security Scan task to detect the need to install the Service Pack:

  1. From a LANDESK Management Suite Console select Tools | Security and Compliance | Agent Settings.
  2. Expand My Settings or Public Settings as desired.
  3. Right click on Distribution and Patch and select New.
  4. From the Distribution and Patch Settings screen change the Name to "LANDesk Updates only".
    1. From the Menu on the left select Patch Only Settings | Scan Options.
    2. Ensure that only LANDESK Updates is selected.
  5. Click Save.
  6. Click the Create a Task icon (second icon from left on the Agent Settings toolbar) and select Security Scan.
  7. From the Create security scan task screen:
    1. Change the Task Name to "Scan for LANDESK Updates".
    2. Under Task type check Push, Policy, or Policy Supported Push as desired.
    3. Under Distribution and Patch Settings select LANDESK Updates only.
    4. Click Save.
  8. This creates a scheduled task called Scan for LANDESK Updates.
  9. Add computers from network view by doing one of the following:
    1. Drag and drop the computers into the task.
    2. Copy and paste the computers into the task.
    3. Create a Query representing the computers you wish to scan and drag the Query onto the task.
  10. Once you have populated the task with computers, right click on the task, hover over Start Now, and click All Devices.
  11. The time for this task to complete will depend on the number of computers that have been added to the task.
  11. The time for this task to complete will depend on the number of computers that have been added to the task.


Creating a Repair Task to install the Service Pack

  1. From the LANDESK Console go to Tools | Security and Compliance | Patch and compliance.
  2. Change Type to LANDesk Updates.
  3. Under Patch and Compliance expand LANDESK Updates.
  4. Click the Scan folder.
  5. Locate the Service Pack name. It will typically start with "LD9xSPx" and the description will be "Service Pack X for LDMS 9.x".
  6. Right click on the Service Pack and select Download Associated patches.
    1. Click on Show All associated Patches.
    2. Select the Client and console .zip files.
    3. Right click the client and console patches and choose Download Patch.
  7. Once the patch is downloaded, right click on the Service Pack and select Repair.
  8. From the Patch and Compliance - repair task window:
    1. Change the Name to "Repair <name of service pack>".
    2. Under Task Settings select the desired method for the run-time options for the task (Policy Supported Push, Policy, Push, Frequency, Additional Push Options, and Download Options).
    3. Click Save. This will open the Scheduled Tasks window.
    4. Select the computers to repair option of your choice.
    5. Under Agent Settings select the Distribution and Patch setting called "LANDesk Updates Only."
  9. This will create a Scheduled task with the name chosen in step 8a.
  10. Add targets. This can be done in a variety of ways: drag and drop single computers, drag a group of computers, or drag an LDAP query to the task.
  11. When you are ready to begin repairing the patch, right click on the task and choose Start Now.

 

Additional Information

 

About LANDESK Distribution and Patch settings

Getting Started with Patch Manager in LDMS 9.6

 

If you need to deploy multiple patches you can use this article in conjunction with the following to repair all the patches at the same time.

How to use Custom groups to quickly bring a computer up to date.


How to set autofix attempt times before giving up


Description

When we use Patch Manager to deploy patches to client machines, we can set a patch to autofix. When autofix fails, it does not attempt the repair again on client machines.

 

Cause

The autofix is set to attempt 1 time before giving up by default. The reason we limit the retries is to prevent reboot loops or blue screen loops. It's very rare, but I'd rather have a high retry count than an indefinite one.

 

Resolution

 

1. Right click the patch definition and select 'Autofix - Autofix settings...' to open Autofix tab. Set Autofix retry count.

3.png

 

2. Go to the Patch and Compliance to set the global autofix default settings

Click the 'Configure Settings' on menu and select 'Core settings...'

1.png

Set the autofix retry count.

2.png

 

See also How to use autofix in Security and Compliance Manager and About Autofix and Scan by Scope changes in LDMS 9.6

Scanned and Detected numbers are not updating or are incorrect in Patch Manager


Issue


Why are the Scanned and Detected column numbers not updating or are not correct in the Patch and Compliance window?

 

Cause


A "Gather Historical Information" task has not been run on the core.

 

Resolution

 

Schedule a "Gather Historical Information" task from Patch and Compliance.

 

1. Go to Tools | Security and Compliance | Patch and Compliance

 

2. Click the "Create a Task" icon drop down arrow.

Picture 5.png

3.  Choose Gather Historical Data

Picture 6.png

4. The Gather Historical Information window will open. You can create a task name and configure the number of days the information is kept, as well as the information used in running reports. You can also set up a reminder to run this task within a certain number of days.


Picture 9.png

5. Create Task and run it, or you can hit Gather Now which will run immediately.

 

It is important that this task be run regularly to collect the data. For performance reasons the data is not gathered dynamically, as done in previous versions. This has increased performance in patching machines, and decreased information stored within the database tables.

Issue: Patches failing to download with the message "Skipping old or disabled patch"


Issue:

Patches failing to download with the message "Skipping old or disabled patch" and the rule is not disabled.

 

Cause:

This occurs when the option "Also delete patches for undetected rules in definitions published more than xxx days ago" on the Patch Location tab of the Download Updates window is enabled, the vulnerability publish date is older than the number of days specified in that setting, and the patch is not currently detected on any computers.

 

Solution:

If the patch is ever detected on a client then the patch can be downloaded.

Unchecking the option "Also delete patches for undetected rules in definitions published more than xxx days ago" on the Patch Location tab of the Download Updates window will allow the patch to be downloaded.

Missing Patches?


Hello,

 

As usual, we had here our monthly 'Post Patch Tuesday' meeting to discuss the new patches released by Microsoft, prior to deploying them using LANDESK Patch & Compliance.

 

As usual, we had some parties mentioning issues with some of the new patches.  In particular:

  • KB2889923  (Lync > Skype for Business)
  • KB2889853  (Fix for above)
  • KB2990214  (Update for Windows Update "Allows the update to later versions of Windows")

 

I have been asked to not deploy these patches.  Well, it seems I can't deploy these patches even if I wanted to - the Vulnerabilities haven't been downloaded from LANDESK.

This has happened in previous months also.

 

My question is:      Why are some patches - which are available in WSUS - not available through LANDESK?  (Is there a criterion that is applied?)

 

Any info on this would be gratefully received.

 

Thanks,


New to Microsoft patching with LANDesk


I am an old WSUS server guy and we recently switched to managing Microsoft patching with LANDesk.

I have a few questions if anyone would be so kind to enlighten me.

*Is there a way of managing or preventing endpoints from rebooting before downloading and installing all patches?

SUS would usually warn the client that a certain percentage of updates are downloading before asking to apply updates.

*Especially with Office patches, there are multiple language patches being shown, and detected shows that it needs those as well as the English patches.

Will I need to install all that show clients "detected" as being needed? Or is just installing the Intl versions sufficient and I should ignore the others?

Thank you, forgive the newbie questions.

About LANDESK support program for Windows XP patch content


Microsoft has ended support for Windows XP

 

LANDESK Software continues to support Windows XP as an LDMS client.

Supported Platforms and Compatibility Matrix for LANDESK Management Suite

 

The Microsoft Extended Hotfix Support Datasheet states the following:

──────────────────────────────────────────────────────────────────────────────

Article: Extended Hotfix Support Program

The Extended Support phase is the second phase of the Microsoft Support Lifecycle Policy. During this phase, security hotfixes are available free of charge; however, non-security hotfixes, warranty support, Software Assurance problem resolution support, and the ability to request design changes are not available.

The Extended Hotfix Support program provides customers with the opportunity to receive non-security hotfixes through the end of the Extended Support phase of the Microsoft Support Lifecycle.

──────────────────────────────────────────────────────────────────────────────

The following Microsoft article gives general information about the Windows XP end of life policy: Support for Windows XP has ended

In addition, Microsoft has made a decision to extend their Anti-malware support for Windows XP even further:

Microsoft Malware Protection Center - Support for XP

 

 

LANDESK Windows XP Extended Patch Program

 

Customers must meet the following requirements

  • Own LANDESK Patch Manager
  • Purchase extended Windows XP Support from Microsoft

 

LANDESK Deliverables to customers

 

LANDesk will provide the following to the customer:

  • Content for each Windows XP SP3 patch the customer delivers to LANDESK.
  • Upon receiving the required patches and bulletins, LANDESK will provide the customer with Windows XP patch content that can be imported into their Security and Compliance tool in LANDESK Management Suite.

 

Windows XP Patch Support Guidelines


The following applies to publicly released patches for Microsoft Windows XP:


Patches for bulletins related to security:

    • Patch content will be released on the same cadence and supported release schedule as non-EOL Microsoft security bulletins (MS15-XX).


Patches for bulletins that are not related to security:

How to use Application Blocking in LDMS 9.6 Patch and Compliance Manager


Creating a Custom Blocked Application

 

The steps below outline how to configure Application Blocking in LDMS 9.5.

Important: This only applies if you are going to block applications on every device in your system or use different configurations for your groups. If you anticipate needing to separate systems and block applications only on some devices or need to block different applications for different groups, please skip to “Blocking Applications Using Custom Groups.”

 

  1. Click on Tools | Security and Compliance | Patch and Compliance
  2. Change the type to Blocked Applications
    2015-06-09_8-54-37.png
  3. Under Blocked Applications (All items) right-click the Block folder and select Add File.
  4. Enter the file name that you would like to block, enter a Title, and enter any other desired information in the other sections.
    Important: Blocked applications will block any executable with the name you enter.  Creating a file with the name "setup.exe" with the intent of blocking a specific install will block any install that uses the name "setup.exe"

Ensure that the Vulnerability Scanner includes the Blocked Applications type
Make sure that the Distribution and Patch Settings have the Blocked Applications definition type selected.

  1. Open the Security and Compliance tool group
  2. Select the Agent Settings tool
  3. Double-click the Distribution and Patch setting that you would like to edit.
  4. Under Patch-Only settings and Scan Options ensure that under Type the checkmark next to Blocked Applications is checked.
    This will cause the Security and Compliance scanner to include Blocked Applications in the type of content that it will scan for.

Blocking applications using Custom Groups
There are times when blocking the application for everyone in your environment may not be desired. For example, some Administrators choose to block Windows Media Player from the majority of their production users, but choose to allow other employees in the company to have access to the Windows Media Player. The steps below will outline the process of blocking an application or group of applications for a particular client computer or group of computers, but still allow the other devices in the network to run those same applications without having to change the agent configuration.

  1. Click on Tools | Security and Compliance | Patch and Compliance
  2. Change the type to Blocked Applications
    2015-06-09_8-54-37.png
  3. Create the applications you need blocked, or use the pre-defined list that comes down in LANDESK Content when downloading definitions in the Windows | Security | Applications to Block group within the Download Updates tool.

Create and populate Custom Group(s)

  1. Within the left-hand pane of the Patch and Compliance tool, expand the tree to show Groups | Custom Groups | My Custom Groups or Public Custom Groups
  2. Right-click My Custom Groups or Public Custom Groups and select New Group
  3. Give the new group a descriptive name and press Enter
  4. At this point you can create sub-folders under this newly created group.  Reasons for this may vary.  One reason may be that you want to set the Distribution and Patch settings for distinct folders of Blocked Applications restrictions.
  5. Locate the applications that you wish to block in the Block folder under Blocked Applications (All Items) at the top of the left-hand pane.
    If the application you are trying to block is not in the Block folder it will not be blocked. The application may exist in the Do Not Block or Unassigned folder. If the application does exist in one of those folders, drag it to the Block folder in order for it to be blocked. If the application does not exist in any of the folders you can right-click the Block folder and select the Add File option.

Configure Distribution and Patch Settings to include the Blocked Applications type and focus on your custom group
If necessary you can create a new Distribution and Patch settings that includes scanning for and enforcing the Blocked Applications type.

  1. Open the Security and Compliance tool group
  2. Select the Agent Settings tool
  3. Under My Agent Settings or Public Agent Settings right-click the Distribution and Patch setting group and select New.
  4. Under Patch-Only settings and Scan Options ensure that under Type you have the checkmark next to Blocked Applications checked.
  5. Then you can select either All Blocked Apps or Only Apps in Group and browse to your custom group.
    This will cause the Security and Compliance scanner to include Blocked Applications in the type of content that it will scan for and in the group you have created.

Unblocking an Application Using Custom Groups
Once a scan has been run on a client to block an application, that application will continue to be blocked until another scan is run on the client that does not have that application listed as an application that should be blocked. This applies to a scheduled push or a policy. If the task was scheduled as a push you will have to reschedule the task after you have removed the definition from the group folder or the blocked folder. If the task was scheduled as a policy and you want to stop blocking the application for everyone in that group, simply remove the definition and the next time the policy syncs it will not be blocked. Deleting the policy will still leave the applications blocked.

Scheduling the Security Scan to Block Applications

  1. Go back to Patch and Compliance and click on the Create task (Calendar with clock) icon and select Security scan from the drop down menu.
  2. Select the option to Create a scheduled task.
  3. Give the task an appropriate name.
  4. Under the Agent Settings section in the left-hand pane, select the Distribution and Patch setting you just created.
  5. Select any other options you wish to select in these dialogs
  6. Click Save to save the task.  At this point the Scheduled Tasks tool will open.
  7. Locate the devices that you wish to block the application on and drag them to the task.
  8. Start the task.


Helpful Tip: Create a query for the group of computers you would like to have the application blocked for and schedule it as a policy. As you add computers they will get the blocked apps and when you add apps they will get updated on the next policy sync. Also, if your target machine already has blocked applications and you set it to scan against a different set, the new set will remove all of the old settings.


Patch and Compliance - Downloading Patches Fail


 

When trying to download updates, I get errors like this one:

 

Attempting to download 1 patches

 

Failed to download file windows6.1-kb3079904-x64.msu

 

Connection to http://download.microsoft.com/download/1/5/7/15796587-cdc1-4586-97e9-299409682dc4/windows6.1-kb3079904-x64.msu failed. The request was aborted: The operation has timed out.

 

Proxy settings: Not using a proxy server.

 

Trying alternative source at patch.landesk.com

 

Failed to download file windows6.1-kb3079904-x64.msu

 

File https://patch.landesk.com/LDPM8/ldvul.php?KEYWORD=filename&FILENAME=patches/windows6.1-kb3079904-x64.msu does not exist

 

Security Activity -> Activity Not Updating Dynamically


I have a question about the Activity view not updating dynamically under Security activity.

 

We are in the process of upgrading Landesk 9.0 to 9.6 and I've been using this view (Security activity -> Activity) to monitor the agent updates to 9.6. It has been working good showing me if the AV portion has been updated. It appears now, though, the activity is about 5 days late. Has anyone experienced this issue?

Security Activity missing


When I go to Security and Compliance -> Security Activity -> LANDesk Antivirus - Activity, I don't see the latest activity any more. For today, the latest I see is activity for 7/16/2015. In the beginning after the migration started I was seeing all activity dynamically and up to date. Not sure what to make of this but it is annoying that I can't see up to date activity. Has anyone seen this issue before?

Microsoft .NET Framework 4.5.2


Through the last round of endpoint patching we noticed Windows Update showed the most recent .NET framework update as "Important" .   Yet in scanning using LANDesk, the vulnerability is not detected nor are we allowed to patch.  

 

This is being noted by our CSO as our policy is to patch all Critical, High and Important patches.  

 

My questions are:   Why is this not being detected?   Why is there not a patch available to update?

About LANDESK Security and Compliance Manager content



How often does LANDESK release 3rd Party vulnerability content?


The patch content team has a monitor tool that monitors all 3rd party content twice a day.

When it finds an update for the 3rd party the patch content team is notified and work begins on the definition content.

Typically release of the content definition will be within 24 hours of the group receiving the notification.

If the update is not critical it may take more time if they are released on a weekend or on a public holiday.


Where does the LANDESK patch executable content come from?

LANDESK downloads the patches it deploys from the vendors’ web sites.

 

What vendor sites are used for downloading patches?

This list can be updated daily (depending on vendor and patch availability).

The following article details the complete list, and is accurate to the date on the filename of the .XLS file:

http://community.LANDESK.com/support/docs/DOC-1594

 

How can I see what download paths patches are coming from?

A current detailed list of URLs can be obtained by running a simple database query:

select url from patch

 

The following article details the complete list of URL's, and is accurate to the date on the filename of the .XLS file:

http://community.LANDESK.com/support/docs/DOC-9638

 

Most of the patches are downloaded with HTTP:// with a small number coming from FTP://

 

What is LANDESK’s Process for downloading Content through Security and Patch Manager?

  • LANDESK receives notification of a Patch

  • LANDESK will download the patches from the application vendor’s site.

  • LANDESK does not validate or test patches published by a third party vendor. It is the responsibility of the third party vendor to maintain the validity of the patches published on their websites.

  • LANDESK hashes the "official" patch made available by the vendor.

  • The file hash is to ensure that the patch downloaded from the vendor is the same file provided for remediation. This ensures that the patch is authentic and has not been modified for malicious reasons or otherwise.

  • LANDESK creates vulnerability information including detection, install and uninstall commands, and the patch download location.

  • The Vulnerability Information is published to the Secure LANDESK content server.

 

What process does the LANDESK Core Server follow when downloading Patch Content?

  • Vaminer.exe connects to the selected secure LANDESK content server (West coast, East Coast, EMEA).
  • Connection to secure site is verified through a secure certificate.
  • Vulnerability definition information is downloaded directly from Content servers e.g. patch.LANDESK.com.
  • Patches are downloaded directly from the vendor’s site, with redundancy falling back to the LANDESK content servers for certain patches (see the next question for more details), provided that the file's hash matches the hash created when LANDESK created the content.

 

Does LANDESK mirror ALL patches specified in vulnerability content?

Most if not all Microsoft patches are hosted on the LANDESK content servers. There are some Mac patches that are also hosted, usually large file downloads. The hosting of these patches provides a limited backup of the most accessed patches from these two main vendors. Some patch content cannot be legally hosted on the patch content servers and must be downloaded directly from the vendor's web site (Example: Java patches and other Manual Download patches). These files, however, are still hashed in the LANDESK vulnerability definition to provide the same level of file authenticity as files hosted on the content server.
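The fallback rule described above (vendor site first, content server second, accept a file only when its hash matches the one in the definition), sketched as an added example that is not LANDESK code. SHA-256, the hostnames, the sample payload and all function names are assumptions, since the page does not name the hash algorithm.

```python
import hashlib
import hmac
from collections import Counter
from urllib.parse import urlsplit


def file_hash(data: bytes) -> str:
    # Assumption: SHA-256 stands in for the hash stored in the definition;
    # the page does not say which algorithm the product uses.
    return hashlib.sha256(data).hexdigest()


def download_verified(sources, expected_hash, fetch):
    """Try sources in order; accept the first whose bytes match expected_hash.

    Returns (accepted_url, data, attempts). accepted_url and data are None
    when no source produced matching bytes, so nothing unverified is kept.
    """
    attempts = []
    for url in sources:
        try:
            data = fetch(url)
        except OSError as exc:  # timeouts, missing files, refused connections
            attempts.append((url, "unavailable: " + str(exc)))
            continue
        if hmac.compare_digest(file_hash(data), expected_hash.lower()):
            attempts.append((url, "accepted"))
            return url, data, attempts
        attempts.append((url, "hash mismatch, discarded"))
    return None, None, attempts


def scheme_counts(urls):
    """Tally download URLs by scheme, e.g. the rows of `select url from patch`."""
    return Counter(urlsplit(u).scheme.lower() for u in urls)


# --- Constructed sample data (hypothetical hosts and file contents) ---
GOOD_PATCH = b"constructed patch payload v1"
DEFINITION_HASH = file_hash(GOOD_PATCH)  # the value a definition would carry

FTP_URL = "ftp://vendor.example/pub/sample-kb.msu"
VENDOR_URL = "http://vendor.example/patches/sample-kb.msu"
MIRROR_URL = "https://mirror.example/patches/sample-kb.msu"


def make_fetch(responses):
    """Offline stand-in for a downloader: unknown URLs time out."""
    def fetch(url):
        body = responses.get(url)
        if body is None:
            raise TimeoutError("operation timed out")
        return body
    return fetch


def demo():
    # The plain-HTTP vendor copy differs from what was hashed; the mirror copy is intact.
    fetch = make_fetch({
        VENDOR_URL: GOOD_PATCH + b" [modified]",
        MIRROR_URL: GOOD_PATCH,
    })
    return download_verified([FTP_URL, VENDOR_URL, MIRROR_URL], DEFINITION_HASH, fetch)


if __name__ == "__main__":
    accepted, _, log = demo()
    for source, outcome in log:
        print(f"{source}: {outcome}")
    print("accepted from:", accepted)
    print("schemes:", dict(scheme_counts([FTP_URL, VENDOR_URL, MIRROR_URL])))
```

Because most download URLs are plain HTTP or FTP, the hash comparison is the integrity control; the scheme tally shows how many downloads rely on it alone.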

How to use Application Blocking in LDMS 9.0 and 9.5

Application Blocking Video Tutorial


This video shows you how to get started with Application Blocking.

 

 

If this video has helped you please like or leave a comment, Thank you.


Does LANDesk create a log file for the Disable Replaced Rules tool in Patch and Compliance?


Does LANDesk create a log file for the Disable Replaced Rules tool in Patch and Compliance?

 

I know that it has details in the tool, but I haven't found a way to copy/export that information. I was wondering if anyone knew if a log file was created when this tool runs. I am using LANDesk Management Suite 9.6.

 

Thanks.

Creating windows 7 baseline, but Windows Updates says patches are still available


I am new to LandDesk (nice to meet you!!), and I have been diligently watching the videos and doing the recommended reading.

 

I am having trouble creating a baseline of patches from a barebones Win7 SP1 x64 install.  I have scanned against all available critical and Important updates.  After that I have hunted down patches that were marked as N/A in Landesk but marked as important in Windows Update.

 

I am left with Windows Update alerting me to 13 patches.  The patches have been scanned in LanDesk and were not detected and/or already installed on the system.  I verified most were already installed on Windows up running Quick and Easy Way to List All the Windows Updates Installed on Your System | Gizmo's Freeware

 

I have also checked the detection logic in LanDesk and validated the detection to be true on the target machine.

 

I checked the detection rules for replaced rules, and in most cases those replacements were also scanned/passed or there are no replacements.

 

To focus on a specific example, MS15-092_MSU.

 

1.  In the definition affected product is Win7 x64 with KB 2670838.  This KB2670838 is already installed on the target, so affected product passes.

2.  custom script detection logic...  The only piece I could not validate because I do not understand how it works

3.  Detecting the Patch Registry Setting.  The Key already exists on the target, so the patch is already detected.

4.  There are no replacements for this definition in Landesk

5.  There are no pre-requisites for this definition in Landesk

6.  Windows Update reports MS15-092 is still needed, but Landesk says MS15-092 passes.

 

Is it normal to have some of these already installed updates still being detected by Windows Update?  Is it possible to achieve 100% patch on a barebones machine which was updated by Landesk, and validated through Windows Update?

 

Thanks,

 

-Lee

no trending for vulnerability



We are trying to measure the number of servers that are patched at the moment for a particular vulnerability, but for some reason there is no trending data for the particular vulnerability and the status doesn't match the history.  I have attached a few screenshots for reference.

 

Anyone have any ideas?

 

History.JPG

 

Status.JPG

 

trending.JPG

Configuring patch folder after a side by side migration to 9.6


We recently did a side by side migration to 9.6 SP2 from 9.5 SP3.   Everything went swimmingly as I basically followed this document.   I now need to get patch management functioning properly on the 9.6 core.   Since I used CoreDataMigration.exe, 9.6 SP2 came up with \\old95score\ldlogon\patch set in the patch location tab.  Obviously this is no good, and I've carved out new space on the 9.6 core for patches at the root of a drive (i.e. U:\patch\).   My question is two fold:

 

Is it recommended to just copy all the data from the 95 folder to the new folder and update the path, or let everything download again?

Does this new patch folder need to be shared out?  I ask because there's a lot of shares on the old core (see image), but not really sure if that's really relevant now or not.

oldcoreshares.JPG

How to change the Default Distribution and Patch Settings


This article describes how to change the default Distribution and Patch settings.

 

Distribution and Patch Settings


How to locate and modify the Distribution and Patch Settings:

  1. Open the LANDESK Management Suite console on either the core server or on a remote console.
  2. Select Tools | Security and Compliance | Agent Settings
  3. Under Agent Settings, select "Distribution and Patch" under "My agent settings" or "Public agent settings", depending on whether you want to create the setting for only you to manage or want it to be accessible to others with the correct RBA rights.
  4. Either modify an existing setting in the right hand pane, or right-click the right-hand pane and select "New"

2015-06-04_6-56-30.jpg

 

Changes made to a setting that is already set as the default will automatically take effect on the computer's next Security Scan. This is the simplest way to globally update your agents with new Settings.


If you would like to change the settings of a specific computer or a group of computers, you will have to create a new setting and then push that change out.

 

After creating a new Setting you can use a "Change Settings" task to change the default settings on computers.

 

Change Settings Task

 

  1. Open the LANDESK Management Suite console on either the core server or on a remote console.
  2. Select Tools | Security and Compliance | Agent Settings
  3. Click Create a Task and select Change Settings.
    2015-06-04_6-59-41.jpg
  4. Give the task a name and select whether you want it to be a Scheduled Task or a policy.
  5. Click on "Keep agent's current settings" to bring up a drop down menu of available settings.
  6. Select the new setting.
    2015-06-04_7-01-08.jpg
  7. Click "Save".
  8. Add computers to the task and run it.