Channel: Ivanti User Community : All Content - Patch Manager

Multiple vulscan.exe are running on Ivanti EPM managed agent


Description

The vulscan.exe processes accumulate: one more vulscan.exe process appears each day, and several vulscan.exe processes have been running since the last computer reboot.

After the security scan is over, the window does not close, and the expected message announcing that it will close automatically in 1 minute never appears.

Resolution

This happens because the customer is using the option "Require end user input before closing". With this option each scan window waits for the user, so multiple vulscan.exe processes can be left running and the expected 1-minute automatic close message is never shown.

Using the option "Close after timeout" fixes this issue. This setting lets the vulscan process stop automatically after the security scan instead of waiting for someone to close the security scan page manually.


Issue: Repair Task Fails with Return Code 467

Description

The repair task fails with the result "One or more definitions in repair request have not yet been scanned."

Return code 467

Cause

The vulnerability being repaired is not in the Scan folder. Patch and Compliance Manager always scans for a patch before installing it, to verify that the patch is actually needed, so a definition that is not set to scan cannot be repaired.

Resolution

Identify which vulnerability is not in the Scan folder.

Once the vulnerability is identified, open the properties of the vulnerability and navigate to the Scan tab.

Set the global scan status to "Scan."

Re-run the repair task.

Issue: Patch Definition Properties Showing 0 Patch for Detection Rules

Problem

When accessing the Properties of some patch definitions, no patch files are listed under General tab > Detection rules: the box below Detection Rules is empty.

A normal patch definition, by contrast, lists its patch files under Detection rules.

Cause

These problematic definitions are probably incomplete or corrupted.

Solution / Workaround

  1. Delete the problematic patch definitions.
  2. Download them again.

"Patch Installed" Dashboard in Patch and Compliance Is Empty

Issue

When accessing the Dashboards in Patch and Compliance and checking the "Patch Installed" dashboard, it shows no data at all, even though you have recently run a repair task that successfully installed patches on the client machines.

Cause

By default, the historical information gathered only includes definitions published less than 90 days ago; any definition released earlier will not be reported on.

Solution / Workaround

1. Go to Patch and Compliance > Create a task > Gather historical information.

2. Set the value of "Build report data for definitions published less than" to a period longer than the time since the release date of the patch you want to report on.

E.g. the patch I installed with Patch Manager was released on 2016/7/12, so I set this value to "250" days (today's date is 2017/2/6).

3. Select "Save and gather now" and wait for the job to finish.

4. The data has now been imported and is shown on the dashboard.

Ivanti Agent May Continually Prompt to Reboot

Ivanti EPM uses the vulnerability scanner process (vulscan.exe) to evaluate and carry out necessary reboots. Vulscan considers your agent settings and references the Windows API and two specific registry keys to determine whether a Windows device needs a reboot. Having the agent installed on your devices allows them to present a reboot GUI to your end users if a reboot is pending and your Agent Settings configuration allows it. Depending on your agent settings options and the tasks you are deploying, vulscan may cause the device to prompt for reboots multiple times.

Under some circumstances multiple reboot prompts may appear in short order, even after a reboot has been allowed. Distribution and Patch agent settings, along with Reboot settings, are very flexible and can be configured in many different ways. Sometimes the combination of options chosen causes unexpected behavior. This document provides an overview of the applicable systems and settings, and discusses some common reasons and configurations that may result in multiple reboots or reboot prompts.

This document focuses on reboots triggered by patching rather than by a software deployment task (sdclient), but for the most part the lessons herein apply to sdclient as well.

Detecting a Pending Reboot

It is normal, expected behavior for vulscan to detect whether a reboot is pending. It does so during every scan job by evaluating the presence of the registry keys below:

Pending File Rename Operations

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"PendingFileRenameOperations"

The vulscan log will contain this text:

Pending file rename data is present.  Reboot is needed.

Vulscan Reboot Registry Key

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\VulscanReboot]

The vulscan log will contain this text:

Vulscan reboot key exists. Reboot is needed.

Detecting that a reboot is pending does not by itself cause vulscan to process that reboot.

When is Vulscan Allowed to Reboot?

Vulscan detects pending reboots during any job but will only process a reboot when all of the following conditions are met:

  1. One of the above registry keys indicates a reboot is pending.
  2. Vulscan attempted to install patches (a scan-only job will not trigger reboot processing).
  3. The applied agent settings give vulscan permission to reboot the device (vulscan will still process any end user prompts, honor automatic reboot conditions, and honor the automatic reboot window, if configured).

Whether a reboot is pending is detected any time vulscan runs, but scan-only tasks will not cause reboot conditions to be evaluated or a reboot to be triggered. Vulscan must actually process the install phase, due to a repair task or autofix, in order to subsequently process the reboot phase.
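As an added example (not code from the original article or from Ivanti), the following PowerShell function reproduces the check described above on a managed device: it reads the two registry locations vulscan evaluates and looks for the two log strings in the most recent vulscan log. The log folder comes from the Logging section of the Next Gen article on this page; checking CurrentControlSet alongside ControlSet001 and the non-Wow6432Node path for 32-bit agents are assumptions added here.

```powershell
# Added example: report the two pending-reboot indicators vulscan evaluates.
# Detection alone does not make vulscan reboot; it still needs an install
# phase and agent-setting permission, as the article explains.

function Get-VulscanPendingRebootState {
    [CmdletBinding()]
    param(
        # Assumed default agent log folder (Programdata\Landesk\Log per the Logging section)
        [string]$LogFolder = (Join-Path $env:ProgramData 'Landesk\Log')
    )

    $result = [ordered]@{
        PendingFileRename   = $false
        PendingFiles        = @()
        VulscanRebootKey    = $false
        LogSaysRebootNeeded = @()
    }

    # Indicator 1: PendingFileRenameOperations. The article cites ControlSet001;
    # CurrentControlSet is checked as well (assumption) because it is the live
    # control set and is not ControlSet001 on every machine.
    foreach ($cs in 'CurrentControlSet', 'ControlSet001') {
        $smPath = "HKLM:\SYSTEM\$cs\Control\Session Manager"
        $pfro = (Get-ItemProperty -Path $smPath -Name PendingFileRenameOperations `
                 -ErrorAction SilentlyContinue).PendingFileRenameOperations
        if ($pfro) {
            $result.PendingFileRename = $true
            # REG_MULTI_SZ of source/target pairs; the non-empty entries name the
            # files a misbehaving application keeps queuing for rename.
            $result.PendingFiles += @($pfro | Where-Object { $_ -ne '' } |
                ForEach-Object { $_ -replace '^\\\?\?\\', '' })
            break
        }
    }

    # Indicator 2: the VulscanReboot key written by vulscan itself. The Wow6432Node
    # path is the one from the article; the second path is an assumption for 32-bit agents.
    foreach ($path in 'HKLM:\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\VulscanReboot',
                      'HKLM:\SOFTWARE\landesk\managementsuite\WinClient\VulscanReboot') {
        if (Test-Path -Path $path) { $result.VulscanRebootKey = $true; break }
    }

    # Cross-check against what vulscan itself logged most recently.
    $log = Get-ChildItem -Path $LogFolder -Filter 'vulscan*.log' -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($log) {
        $result.LogSaysRebootNeeded = @(Select-String -Path $log.FullName -SimpleMatch -Pattern `
            'Pending file rename data is present', 'Vulscan reboot key exists' |
            ForEach-Object { $_.Line.Trim() })
    }

    [pscustomobject]$result
}

Get-VulscanPendingRebootState | Format-List
```

If PendingFileRename is true on every run even after a restart, the PendingFiles list is the starting point for finding the application that keeps re-setting the key, as the "Stuck" registry key section below describes.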

Common Causes

"Stuck" registry key

The keys mentioned previously are set by the OS or by vulscan. They are volatile and should be removed when the device reboots. Under some circumstances (for example if either key is manually set) they aren't removed upon reboot. This causes vulscan to detect a pending reboot again the next time it runs, although, as mentioned previously, detecting that a reboot is pending is not enough by itself to cause a reboot to happen.

If you determine that either key is stuck, it's usually sufficient to manually delete the key. Afterward, it should be volatile again when the OS or vulscan next sets the key.

You may also find at times that faulty applications constantly re-set the Pending File Rename Operations key. The key lists the files whose rename is pending, and you can use this information to identify the misbehaving application. You may need to work with the application vendor's support team to identify and solve why it keeps setting reboot keys.

Continuation

Your distribution and patch settings contain a 'continuation' option.

Continuation allows vulscan to automatically continue a repair task after the computer reboots or other necessary prerequisites are met. A common situation that triggers continuation is when patching must halt due to a pending reboot, or when some patches fail because a reboot is required. After the reboot occurs, vulscan can automatically continue and may repair additional patches. If vulscan attempts an install, even if it's due to continuation, it will evaluate your reboot settings and, if allowed, may reboot or prompt the user to reboot. By default, continuation is allowed up to 5 additional repairs.

Important note: continuation only applies if you have started a repair task. Continuation cannot give vulscan permission to install patches unless you granted this permission to the original repair task.

User Error

It is unfortunately true that many end users don't understand technology as well as we'd like, and sometimes misunderstand or misinterpret what they see and experience. Our support teams have encountered many of these situations. One common example is when an end user gets the reboot prompt and chooses to defer. Sometimes the user will log off or lock their computer, or go home for the day, or otherwise forget that they deferred the reboot. The prompt later appears again according to agent settings, and the end user assumes that they are being prompted to reboot again, when in reality they never completed the first reboot.

Beyond educating the user there isn't a lot that can be done to fix this. It is helpful as a first step to determine if/when the computer rebooted and which process was responsible for it. You can most easily see this by opening Event Viewer and filtering the Windows Application logs by event IDs 6006 and 6008.

The timestamps of the applicable restarts can be matched up to vulscan logs to get more information.

In some cases you may find that the computer did not reboot, or did not reboot due to any Ivanti process.
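An added example (not part of the article) that scripts the check just described: it lists the 6006 and 6008 restart events, adds User32 event 1074 (an addition to the article; it names the process that requested the restart), and pairs each event with the reboot-related lines of any vulscan log written shortly before it. The article filters the Application log; the System log is read as well because these IDs are raised by the EventLog and User32 sources. The vulscan log folder and the 10-minute window are assumptions.

```powershell
# Added example: build a restart timeline and attach nearby vulscan log lines so
# that "did the machine actually reboot, and was vulscan involved?" can be answered.

function Get-RebootTimeline {
    param(
        [int]$Days = 7,
        # Assumed agent log folder (Programdata\Landesk\Log per the Logging section above)
        [string]$LogFolder = (Join-Path $env:ProgramData 'Landesk\Log'),
        [int]$WindowMinutes = 10  # assumed: how far before the event a log write still counts
    )
    $since = (Get-Date).AddDays(-$Days)

    # 6006 = event log service stopped (clean shutdown), 6008 = unexpected shutdown,
    # 1074 = a process requested a shutdown/restart. Both logs are queried.
    $events = foreach ($logName in 'System', 'Application') {
        Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 6006, 6008, 1074; StartTime = $since } `
                     -ErrorAction SilentlyContinue
    }

    # Reboot-related vulscan log lines, keyed by the file's last write time; the
    # in-line timestamp format of vulscan.log is not assumed here.
    $logLines = Get-ChildItem -Path $LogFolder -Filter 'vulscan*.log' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Select-String -Path $file.FullName -Pattern 'reboot' | ForEach-Object {
                [pscustomobject]@{ LogFile = $file.Name; Written = $file.LastWriteTime; Line = $_.Line.Trim() }
            }
        }

    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $what = switch ($e.Id) {
            6006 { 'Clean shutdown (event log service stopped)' }
            6008 { 'Unexpected shutdown' }
            # First insertion string of 1074 is the requesting process (e.g. vulscan.exe or winlogon.exe)
            1074 { 'Restart requested by: ' + $e.Properties[0].Value }
        }
        $nearby = @($logLines | Where-Object {
            $_.Written -le $e.TimeCreated -and $_.Written -ge $e.TimeCreated.AddMinutes(-$WindowMinutes)
        })
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Log          = $e.LogName
            Id           = $e.Id
            What         = $what
            VulscanFiles = @($nearby | Select-Object -ExpandProperty LogFile -Unique)
            VulscanLines = @($nearby | Select-Object -ExpandProperty Line)
        }
    }
}

Get-RebootTimeline -Days 7 | Format-List
```

An empty timeline for the period in question means the computer did not restart at all, which is the "never completed the first reboot" case above; a 1074 entry whose requesting process is not an Ivanti binary shows the restart came from elsewhere.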

About the New Patch Engine in Ivanti Endpoint Manager

Overview

Ivanti Endpoint Manager's Patch and Compliance tool now welcomes our Next Generation patch engine. This new architecture enables us to continue optimizing well into the future and is only applicable to the Windows environment. As a preliminary feature, we're providing the ability to opt in, allowing for a more controlled introduction of all Next Generation content into your environment. The new patch engine is currently available in the 2017.3 product version.

Updated: We are now offering this feature in ALL supported versions of the product.

By electing to download Next Gen content, the core will download new vulnerability definitions for products that are currently not supported in the standard content stream (i.e. Microsoft Windows Vulnerabilities). This means that if both options are selected (Next Gen Microsoft Windows Vulnerabilities (beta) and Microsoft Windows Vulnerabilities) there will be no overlap in the vulnerability content downloaded to the core.

Definition Downloads

In the definition download utility, a new definition type exists under Windows | Vulnerabilities | Next Gen Microsoft Windows Vulnerabilities (beta).

This option is not on by default. When selected, all associated Next Gen binaries and vulnerability definitions will be downloaded to the core. The binaries (about 30 MB) will be placed in the Managementsuite\Ldlogon\Timber directory, and the definition grouping will be based on your configuration and download filters. Upon definition download, the Managementsuite\Ldlogon\Timber folder is populated (the original article shows screenshots of the definition download and of the Timber folder at this point).

The Managementsuite\Ldlogon\Timber\Content folder will contain a WindowsPatchData.zip file and associated Delta zip files. The WindowsPatchData.zip file contains all vulnerability detection rules, and the Delta zip files contain the differences. This content, along with the remaining Next Gen binaries, will be downloaded to the endpoint upon scanning against Next Gen content. The main WindowsPatchData.zip file will only be downloaded once; Deltas are downloaded to the core if there are differences that aren't in the WindowsPatchData.zip file. Once the endpoint has the main zip file, it will only retrieve the Delta zip files when scanning against Next Gen content.

Upon completion of the Next Gen Microsoft Windows Vulnerabilities (beta) definition download, you can filter for this definition type by using the filter string "Next Gen". Every Next Gen definition has this filter string hardcoded in the Summary column.

To isolate these definitions, a custom patch group can be created to house them. If you elect to do so, a manual transfer has to take place. To further isolate which devices scan against this custom group, an alternate Distribution and Patch agent setting can be configured to scan against this group. More information on how to configure this is outlined in How to Scan and/or Repair against a custom group and How to use Custom Groups to repair groups of computers.

Content Changes

Every Next Gen definition will contain a pre-defined fixed script for Detection and Remediation. The pre-defined detection script will evaluate Registry, File and Script logic to determine if a device is vulnerable to a definition. The detection details have been included at the beginning of the script content. The Files and Registry Settings section will be blank for all Next Gen content.

These scripts are not meant to be modified. Modification of this logic will leave these definitions in an unsupported state.

(The original article shows two sample Next Gen definitions here: one with its Detection Logic and one with its Repair Logic.)
Distribution and Patch Agent Setting

Updated: The "Enable security scan debug trace log" UI feature is only available in 2017.3 and newer product versions. To enable debug trace logs for versions 9.6 - 2017.1, run the following command locally on the endpoint or distribute a script to the desired device:

vulscan /enableDpdTrace=true /showui

(The /showui switch is optional.)

This will generate additional logging in the Programdata\Landesk\DebugLog folder, consisting of the following (2) files:

  • PatchManifestSyncSDK.log
  • PatchScanSDKDpdTrace.log

To enhance the log level for all Next Gen content definitions, the "Enable security scan debug trace log" option has been added to the Distribution and Patch agent settings.

This feature is only intended for troubleshooting purposes and should not be on in your default agent setting. When troubleshooting a Next Gen content issue, please create an alternate Distribution and Patch agent setting, enable this feature, and assign this setting to the device during troubleshooting only.

Diagnostic Tool

Updated: The "Get debug logs and zip (patch)" feature is only available in 2017.3 and newer product versions.

To retrieve logging remotely, access the Diagnostic tool and select the Logs | Client option to view client-side logs. An additional option, "Get debug logs and zip (patch)", is present for debug logging for all Next Gen definitions. This will only function if the Distribution and Patch agent setting has "Enable security scan debug trace log" selected.

How Does Scanning and Remediation Work

If the endpoints are on a supported version of the product, the agent does not need to be updated immediately to take advantage of the enhanced patch engine. All devices on an unsupported product version will need to be upgraded. Upon initiation of the vulnerability scanner, the self-update feature will update the necessary vulscan files to ensure compatibility between the files on the client and the latest files on your 2017.3 core. For more on the Self Update feature, please reference About Patch Manager Self Update. These binaries must be updated in order for the Next Gen binaries to work with vulscan.exe.

Scanning:

A security scan works the same as before for all current content. Whenever the scanner encounters a definition with Next Gen content, it will launch the fixed script contained within the definition and perform the following actions:

  1. Check for definition scan results in memory.
  2. If this is the first Next Gen definition encountered in the current security scan, no scan results will be found on the client and the following will occur:
    1. The client will check whether it needs to download any Next Gen binary files from the core (ldlogon/timber) and transfer them to the LDClient\Timber directory:
      1. The detection rules file "WindowsPatchData.zip" (about 14 MB) is updated on the content servers every time new content is added and will be downloaded to the client. If WindowsPatchData.zip already exists on the client, the smaller delta files will be used to update it to the current version.
      2. Additional Next Gen binary files will be downloaded if the current versions do not already exist on the client.
    2. The Next Gen COM object is then registered on the client to allow vulscan.exe to interact with the Next Gen scan engine.
    3. The Next Gen scan engine then scans for ALL vulnerabilities and stores the scan results in memory. A FULL scan of all vul_defs is only completed if this is the first Next Gen definition encountered in the current security scan.
    4. The script then references the in-memory scan results to determine if the current definition is vulnerable.

The security scan continues scanning as usual. For any remaining Next Gen content definitions in the current security scan, the detection script will return the result for the specified definition from the in-memory scan results.

The Next Gen scanner runs at most once per vulscan instance: it checks for everything and stores that information in memory, but that information is only used by Next Gen definitions. Legacy definitions work the same way they always have.

Remediation:

  1. Patch files (default location: Ldlogon/Patch) use the existing download mechanism (lddwnld.dll) to transfer the patch files to the sdmcache directory on the client.
  2. The pre-defined remediation script calls the Next Gen SDK with a GUID, Language and a unique file name that's used for patching.
    • A temporary "package" is created during the repair and stored on the client (Programdata\Landesk\Timber\Pkgs); it is used by the Next Gen patch SDK.

Logging

The vulscan.log file will continue to serve as the primary log for content detection and remediation; however, several additional logs have been introduced to provide further insight into the activity of the Next Gen content.

  • vulscan.log (Programdata\Landesk\Log folder)
  • PatchManifestSyncSDK.log (Programdata\Landesk\DebugLog folder)
  • PatchScanSDK.log (Programdata\Landesk\DebugLog folder, only created when debug trace logging is disabled)
  • PatchScanSDKDpdTrace.log (Programdata\Landesk\DebugLog folder, only created when debug trace logging is enabled)
  • STDeploy.log (Programdata\Landesk\Log folder, only created when repairing)
  • TimberDeployEvents.log (Programdata\Landesk\Log folder, only created when repairing)
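An added example (not Ivanti's code) that performs the pre-2017.3 equivalent of "Get debug logs and zip (patch)" on an endpoint: it runs vulscan with the trace switch given in the Distribution and Patch Agent Setting section, then zips whichever of the six logs listed above exist. The vulscan.exe path is an assumption (the LDClient folder that the PolicySync.exe path elsewhere on this page uses); the log folders are the ones the list above names.

```powershell
# Added example: enable the DPD trace and collect the Next Gen logs into one zip
# for a support case. Logs that only appear after a repair are simply reported
# as missing rather than treated as an error.

function Invoke-NextGenLogCollection {
    [CmdletBinding()]
    param(
        # Assumed location of the agent's vulscan.exe
        [string]$VulscanExe = 'C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe',
        [string]$OutZip = (Join-Path $env:TEMP ('NextGenLogs_{0}_{1:yyyyMMdd_HHmm}.zip' -f $env:COMPUTERNAME, (Get-Date))),
        [switch]$ShowUi,        # adds the optional /showui switch from the article
        [switch]$SkipScan       # only collect what is already on disk
    )
    $logDir   = Join-Path $env:ProgramData 'Landesk\Log'
    $debugDir = Join-Path $env:ProgramData 'Landesk\DebugLog'

    # Step 1: run vulscan with the trace switch so the DebugLog files are produced.
    if (-not $SkipScan) {
        if (-not (Test-Path $VulscanExe)) { throw "vulscan.exe not found at $VulscanExe" }
        $vsArgs = @('/enableDpdTrace=true')
        if ($ShowUi) { $vsArgs += '/showui' }
        $proc = Start-Process -FilePath $VulscanExe -ArgumentList $vsArgs -Wait -PassThru
        if ($proc.ExitCode -ne 0) { Write-Warning "vulscan exited with code $($proc.ExitCode)" }
    }

    # Step 2: the six files from the Logging section, in their documented folders.
    $wanted = @(
        (Join-Path $logDir   'vulscan.log'),
        (Join-Path $debugDir 'PatchManifestSyncSDK.log'),
        (Join-Path $debugDir 'PatchScanSDK.log'),
        (Join-Path $debugDir 'PatchScanSDKDpdTrace.log'),
        (Join-Path $logDir   'STDeploy.log'),
        (Join-Path $logDir   'TimberDeployEvents.log')
    )
    $present = @($wanted | Where-Object { Test-Path $_ })
    $missing = @($wanted | Where-Object { -not (Test-Path $_) })
    foreach ($m in $missing) { Write-Verbose "not present (expected if no repair or no trace yet): $m" }
    if ($present.Count -eq 0) { throw "No Next Gen logs found under $env:ProgramData\Landesk" }

    Compress-Archive -Path $present -DestinationPath $OutZip -Force
    [pscustomobject]@{ Zip = $OutZip; Collected = $present; Missing = $missing }
}

Invoke-NextGenLogCollection -Verbose
```

Because the trace is meant for troubleshooting only, run this from an alternate agent setting or a one-off task and let the device fall back to the default setting afterwards, as the article advises.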

w10v1709

There are no W10V1709 patch definitions for the latest Creators Update installation. Is it still not published, or is it a problem in our Ivanti Patch Manager?

Thank you

Ivan

Repair Task in Portal

So while I am messing with this I wanted to see if anyone has done or is doing it.

In 2016 you can start a task using the following command:

"C:\Program Files (x86)\LANDesk\LDClient\PolicySync.exe" -taskid=11

I have tested this against a task ID we use to patch our baseline, but it did not appear to work. I have some questions about calling the task ID directly.

1. Will the task still run if the machine is not in the main task on the core? So if you have 10 machines in the task and the 11th machine is not, will running policysync.exe -taskID still start that task for the machine the command was run on?

So I wanted to just get around this and place the call to the task in the portal. I made a copy of our baseline patching task, set the task settings to display in the portal, and ran the task. I was expecting nothing to run on the machine and the task to be displayed in the portal, but instead it's running vulscan on the machine (as if it was starting the repair).

Can you even display a repair task in the portal for self service? Or will it display after it runs once?

So the task ran and did not display in the portal. Is there something special that needs to happen for a repair task to appear in the portal, or is it limited to links and distribution packages only?

I just tested running policysync with the task ID on a task that did not have the device in it; it does not add it to that task.

We need a way to repair a machine based on a repair group from the command line. I could use the MBSDK to do this, where it will create a task, add the device ID to the task and immediately start it, as I do this for provisioning, but surely with patching/repair there is an easier way?

This is so our desktop techs can scan and repair a machine without the console.


Pre-Staging Next Generation Binaries

Overview

Ivanti Endpoint Manager's Patch and Compliance vulnerability scanner (vulscan.exe) will attempt to download an additional 30 MB (approx.) of data from the core server (source) when scanning against Next Generation definitions. This download size can stress environments not configured to accommodate the additional data and could cause latency on the network. To minimize the bandwidth constraints, Ivanti's download functionality is designed to retrieve content from (3) locations: Peer, Preferred Server, Source. This document outlines how to stage the Next Generation binaries so that your existing endpoints can leverage Ivanti's download capabilities, allowing for more efficient file transfers throughout your environment.

Peer Staging

In order for the Next Generation binaries to exist on the core server, a download of the Next Gen Microsoft Windows Vulnerabilities (beta) definitions must be completed from the Download Updates interface. The required binaries for scanning against Next Generation definitions will reside in ManagementSuite\Ldlogon\Timber.

For more on this, please reference Definition Downloads.

To control the scanning of all Next Generation definitions, transfer the "Next Gen" definitions to a custom patch group, assign the custom group to an alternate Distribution and Patch agent setting, and assign the setting to (1) device per subnet. Once (1) device on the subnet has the necessary binaries to scan against Next Generation definitions, Peer to Peer downloading can be leveraged when the remaining devices need the Next Generation binaries.

The steps to do so are as follows:

Step 1: Create a custom patch group.

This is accomplished by right-clicking and selecting "New Group" in Patch and Compliance | Groups | My custom groups. Name the group as desired; in this example the custom group name is "Next Gen".

Step 2: Isolate the Next Gen definitions and add them to the custom patch group.

To do this, perform a search in Patch and Compliance | All Types for the keyword "Next Gen". Once filtered, highlight (Ctrl+A) these definitions and move them to your custom patch group. To move them you can drag and drop the highlighted definitions onto the group, or right-click and copy and paste.

Step 3: Create an alternate Distribution and Patch agent setting.

This can be done by right-clicking and selecting "New" after navigating to Agent Settings | My Agent Settings | Distribution and Patch.

Step 4: Assign the custom group to the alternate Distribution and Patch agent setting.

Right-click on the alternate Distribution and Patch agent setting and select Properties. From this view select Patch-only settings | Scan Options. In the "Scan for" section select Group, associate your custom group for scanning, and save. This restricts the vulnerability scanner's view to the definitions residing in this group. Any device assigned this setting will only be able to scan definitions that are part of this custom group.

Step 5: Assign the alternate Distribution and Patch agent setting to a device.

This new setting, configured to scan against only Next Gen definitions, has to be assigned to (1) device per subnet. This will allow the vulnerability scanner to download the Next Generation binaries to that endpoint. Once these binaries reside on (1) device in the subnet, all remaining devices will be able to pull the files from a peer, negating the need to traverse the network to the source.

To do this, select "Create a task" and choose "Change Settings" under Agent Settings.

This will present you with the Patch and Compliance - change settings task interface. Choose the alternate agent setting previously configured to scan against "Next Gen" definitions and select Save. Upon saving, a change settings task will be created for you to target the desired subnets throughout your environment.
Preferred Server Staging

The same approach taken with Peer staging can be used with a Preferred Server in the same subnet as your endpoints. You are less likely to have (1) Preferred Server per subnet, so it is recommended to use the functionality available through Content Replication to transfer the Next Generation binaries from the source to a preferred server.

The following documentation outlines How to use Ivanti EPM Content Replication.

References

About Distribution and Patch Bandwidth Throttling (Advanced)

How to troubleshoot Download Failures in Software Distribution (Advanced)

Failed: Core could not process data


When attempting to run a security scan on any workstation, I am receiving "Failed: Core could not process data". I've attempted to go through some of the help articles I've found online, such as restarting IIS, clearing VulnerabilityData, and a couple other things to no avail. Any help would be much appreciated!

Controlling Reboots Using Agent Settings

Hi all

We are currently trying to control reboots on our estate using the LD Agent. Below are the settings...

Some users are reporting that their machines are not rebooting on the scheduled days. I think this is due to the deferral option allowing them to set a deferral longer than the gap between reboots.

Question is: if I change the deferral options to 1 hour, will this mean that the forced reboot will happen on time? When we first rolled it out it seemed that the deferral options only set how long the prompt would minimize before becoming persistent on screen.

Can anyone clarify how the deferral and prompt are meant to work please?

Thanks in advance

James

Cannot download Next Gen patch installation files

Hello all,

I have downloaded the Next Gen patch definitions. I am unable to download the associated patch file for any of these. Most give me this error that the hash "does not match with the host".

Has anyone else encountered this?

-Pat

License regarding Ivanti Patch Manager

Hello,

My company has bought "Ivanti Patch Manager powered by Landesk". I am a little confused as to what features are available with this license. There are features available in the management console like "remote control", "software distribution", "inventory" and "reports". Am I licensed to use them? They work from within the console, but I am not sure if my license allows me to use them.

Thanks,

Radoslaw Czajkowski

Distribution Package install staggered one at a time?

Is there a way to create a task that would have the clients check in one at a time?

The script file I wish to run causes the computers to write into licenses.csv. However, if they all hit at once, then the csv file will be locked and they can't write their data.

This may not be possible, but I thought I would ask.

Thanks

Computers keep getting asked to reboot

Hello, I want to start off by saying I'm very new to LANDesk, especially the patch manager portion. After some trial and error I got things up and running the way I want them: autofix for patches that don't require a reboot, and scheduled tasks for patches that do require rebooting. Well, there hasn't been much of an issue, but there are still a few computers on the network that are randomly being asked to reboot. I'm not pushing out any software, and the patches that autofix say that they do not require a reboot. Can someone tell me what's going on? People seem to get frustrated when they are asked to reboot in the middle of the day. Thanks.


About content verification in Ivanti Patch and Compliance Manager

Note: This feature is enabled by default in EPM 2017.1 and newer and cannot be disabled in these versions.

This article describes the content verification feature within Ivanti Patch and Compliance Manager.

Content verification can be enabled to make the Ivanti EPM core server perform hash checking when downloading content from the Ivanti EPM Patch Content servers.

The content verification feature applies to the definition content only; it does not apply to the individual patch files themselves. The patch file hash information is contained within the definition information and is verified as part of the patch installation process.

Content verification is only available for the following content types:

  • Microsoft Windows Vulnerabilities
  • Microsoft Windows Security Threats
  • LANDesk Updates

Note: When content verification is enabled but content types other than those listed above are downloaded (Apple Macintosh definitions, for example), errors may be thrown. Even though an error is thrown, the content is still downloaded correctly.

Content verification can be enabled within the Download Updates tool under the Content tab.

This feature was updated in Ivanti EPM 2017.3. The verification option is now greyed out, as this feature is baked into the Patch Download Tool and enabled by default.

Verify definition signatures/hashes before downloading

NOTE: When checked, any definitions that do not have a valid SHA256 hash will not be downloaded. Also, any lists of definitions that do not have a valid signature will not be processed. The download progress form will show any download failures due to invalid/missing signatures or hashes.

Next Gen Microsoft Windows Vulnerabilities (beta) is not shown in the Patch Manager > Download updates > Windows > Vulnerabilities

The definition type "Next Gen Microsoft Windows Vulnerabilities (beta)" is missing from Patch Manager > Download updates > Windows > Vulnerabilities.

To resolve the issue, select "Microsoft Windows Vulnerabilities", click the "Apply" button and then click the "Download now" button.

Once the download completes, go back to "Download updates" and the definition type "Next Gen Microsoft Windows Vulnerabilities (beta)" will be shown.

EPM version 2017.3 Verification - Verify definition signatures/hashes before downloading

$
0
0

EPM version 2017.3 Verification - Verify definition signatures/hashes before downloading option is enabled by default and it cannot be disabled.

 

EPM version 2017.3 Management Console > Tools > Security and Compliance > Patch and compliance > Download updates > tab Content > Verification

 

Verify definition signatures/hashes before downloading

 

NOTE: When checked, any definitions that do not have a valid SHA256 hash will not be downloaded. Also, any lists of definitions that do not have a valid signature will not be processed. The download progress form will show any download failures due to invalid/missing signatures or hashes.

 

 

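The fail-closed behaviour the NOTE above describes (a definition list whose signature is invalid is not processed at all; a single definition with a missing or invalid SHA-256 hash is skipped and reported on the download progress form) is easier to reason about in code. The following is an added illustrative model written for this page; it is not Ivanti's code and does not use Ivanti's content formats. The definition list is a constructed JSON array, the list signature is stood in for by an HMAC-SHA256 over the list body (a real vendor feed carries an asymmetric signature verified against the vendor's public key), and the `fetch` callback stands in for the download. The signing key, the definition names and their content are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's list-signing key (assumption for the
# example). A real deployment verifies an asymmetric signature with the vendor's
# public key; HMAC is used here only so the example runs offline.
LIST_SIGNING_KEY = b"example-list-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_list(list_body: bytes) -> str:
    """Stand-in for the signature attached to a definition list."""
    return hmac.new(LIST_SIGNING_KEY, list_body, hashlib.sha256).hexdigest()


def list_signature_valid(list_body: bytes, signature: str) -> bool:
    # A missing signature is a failure, not a bypass; compare in constant time.
    if not signature:
        return False
    return hmac.compare_digest(sign_list(list_body), signature)


def process_definition_list(list_body: bytes, signature: str, fetch):
    """
    Return (accepted, failures). `fetch(name)` returns the definition bytes.
    Fail closed: a bad list signature means nothing is processed; a definition
    with a missing or mismatching SHA-256 entry is rejected and reported.
    """
    if not list_signature_valid(list_body, signature):
        return [], ["list: signature invalid or missing, list not processed"]
    accepted, failures = [], []
    for entry in json.loads(list_body):
        name = entry["name"]
        expected = entry.get("sha256")
        if not expected:
            failures.append(f"{name}: no SHA-256 hash, not downloaded")
            continue
        blob = fetch(name)
        if not hmac.compare_digest(sha256_hex(blob), expected.lower()):
            failures.append(f"{name}: hash mismatch, discarded")
            continue
        accepted.append(name)
    return accepted, failures


# Constructed sample content: three definitions, one of which is modified
# between the time the list was signed and the time it is downloaded.
_CONTENT = {
    "def-good": b"<definition id='good'/>",
    "def-tampered": b"<definition id='tampered'/>",
    "def-nohash": b"<definition id='nohash'/>",
}
_SERVED = dict(_CONTENT)
_SERVED["def-tampered"] = b"<definition id='tampered'><!-- modified --></definition>"

SAMPLE_LIST = json.dumps([
    {"name": "def-good", "sha256": sha256_hex(_CONTENT["def-good"])},
    {"name": "def-tampered", "sha256": sha256_hex(_CONTENT["def-tampered"])},
    {"name": "def-nohash"},  # hash entry deliberately absent
]).encode()
SAMPLE_SIGNATURE = sign_list(SAMPLE_LIST)


def demo(tamper_list: bool = False):
    """Run the model against the sample list; optionally corrupt the list body."""
    body = SAMPLE_LIST + b" " if tamper_list else SAMPLE_LIST
    return process_definition_list(body, SAMPLE_SIGNATURE, _SERVED.__getitem__)


if __name__ == "__main__":
    print(demo())                   # only def-good is accepted
    print(demo(tamper_list=True))   # whole list refused
```

Two points carry over to the real product: a missing hash is treated exactly like a wrong one, and a signature failure on the list stops processing before any per-definition work, so a tampered index cannot simply omit hashes for the definitions it wants accepted.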

Ivanti Endpoint Manager and Endpoint Security - Security and Compliance Frequently Asked Questions


Ivanti Endpoint Manager and Endpoint Security - Security and Compliance

NEW! About the New Patch Engine in Ivanti Endpoint Manager

How to patch Office 365

Introduction to Patch Manager - LANDESK Patch Manager 2016

About LDMS 2016 new Patch and Compliance features

How to patch and manage Windows 10 using LANDESK Security and Patch Manager

How to patch Office365 Click-to-Run installations efficiently with LANDESK

How to upgrade to Windows 10 Anniversary Edition using Ivanti Patch and Compliance

How to troubleshoot a Patch and Compliance (vulnerability) scan

 

 

 

How to report LANDESK Patch Manager definition issues to technical support
How to report LANDESK Patch Manager vulnerability detection problems to support
How to request new content be added to Patch and Compliance Manager

 

 

Remember, the LANDESK Help site is a valuable source of information!

 

Important Notices

 

LANDESK support program for Windows XP and Server 2003 patch content

 

How To's

How to get started with Patch Manager in LDMS 9.6

How to change the Default Distribution and Patch Settings

How to change the default Patch Location for Security and Patch Manager

How to change the number of Security Scan logs kept on a managed device

How to create a Custom Vulnerability Definition in Security and Compliance Manager

How to create a Pre-Cached Repair / Staged Repair

How to establish a Patch and Compliance Baseline Patch Group

How to exclude a managed device from applying patches

How to export patch definitions to a Dark Core (a core server with no internet access)

How to leverage Linux vendor tools to remediate vulnerabilities

How to manage superseded patches in Security and Compliance Manager

How to patch and manage Windows 10 using LANDESK Security and Patch Manager

How To: Repair Patches as a Specific User or "Run as Administrator"

How to repair vulnerabilities using a pre-cache task (install from local cached file or peers instead of from the source…

How to reset security scan local scheduler settings using a managed script

How to retain more vulscan logs before they are overwritten

How to Scan and/or Repair against a custom group

How to Scan for Specific Patches

How to schedule a Security Scan

How to set autofix attempt times before giving up

How to set up a Core Server to download patches for other cores with limited internet access (Dark Core)

How to speed up patching by disabling creation of restore points per each single update

How to start CBA8 with custom definition

How to troubleshoot a Patch and Compliance (vulnerability) scan

How to troubleshoot Core Server patch content download issues

How to troubleshoot detection problems in LANDESK

How to troubleshoot high CPU usage from the W3WP process for LDAppVulnerability

How to troubleshoot IIS using Log Parser Studio from Microsoft

How to troubleshoot Patch Manager detection and remediation issues

How to troubleshoot the Patch and Compliance Manager client scan and repair process

How to uninstall old Java versions with LDMS Patch and Compliance

How to uninstall Patches through Patch Manager

How to upgrade Software Using Patch Manager

How to upgrade to Internet Explorer 11 using Patch Manager

How to use Application Blocking in LDMS 9.6 Patch and Compliance Manager

How to use autofix in Security and Compliance Manager

How to use Custom Groups to repair groups of computers

How To: Use the Patch Cleanup Option in the Download Updates Tool in Patch and Compliance Manager

How to Use Manually Downloaded Patches

How to use Patch Manager to deploy a LANDESK Service Pack

How to use Security and Compliance Manager to deploy a Component Patch

How to use VBScript in the detection rule of a Custom Vulnerability

How to use VBScript in the Patch Installation & Removal (repair) section of a Custom Vulnerability

How to utilize LANDESK to Disable/Enable Windows Automatic Updates

How to view installed updates for Windows using WMIC

Issues

Issue: "Create custom definition" icon is greyed out in the Patch and Compliance tool.

Issue: Additional file in custom patch is not downloaded to same directory as the patch

Issue: Affected Computers window doesn't display any results

Issue: After upgrading to LDMS 9.6 the 'Download updates' screen still shows 9.5 content

Issue: Agent Continually Prompts for Reboot

Issue: Autofix no longer repairing vulnerabilities

Issue: Cannot open vulscan logs folder from the command line using "vulscan e"

Issue: Copied repair patch tasks will not delete

Issue: Definition types missing from the download updates window.

Issue: Download Updates options missing or show "Do Not Remove"

Issue: Download updates settings revert back to original options

Issue: Downloaded status next to a definition rule does not show correct status

Issue: Gather Historical Information task is failing to run in Management Suite 9.6.

Issue: Google Chrome not detected as an installed application on Windows Server in Security and Compliance Manager

Issue: High CPU load and slow patch deployment using LANDESK Patch Manager

Issue: Java Update Leaves Old Build Installed

Issue: KB# is showing up in Windows Update but not in LANDESK Patch Manager

Issue: Last Vulnerability (or other type) scan date is not updated in Inventory

Issue: Message "No Patches Available" in Scheduled Task status after scheduling repair task

Issue: Microsoft Hotfixes aren't included by default in LANDESK Security and Patch Manager

Issue: Patch Manager Configuration loses settings inside the Download Updates window

Issue: Patch Manager is not installing all of the patches that show up in Windows Update

Issue: Patch severity mismatch between Microsoft and LANDESK

Issue: Patches are downloaded in different languages

Issue: Patches failing to download with the message "Skipping old or disabled patch"

Issue: Patches show as both detected and installed

Issue: PatchHistory database table is very large and causing a strain on SQL resources

Issue: Reboot prompt shows hours until Automatic Reboot

Issue: Repair tasks not showing after Portal refreshes

Issue: Scanned and Detected numbers are not updating or are incorrect in Patch Manager

Issue: Security and Compliance Manager (Vulscan) window blank

Issue: Skype updates are not installing depending on the version

Issue: Special characters not working in unique filename path for Patch Information section of Custom Definitions

Issue: Unable to Download More Than 100 Vulnerabilities at a Time

Issue: Unable to download or install .MSU patches through Patch Manager

Issue: Unable to log in to Windows after applying Blocked Applications

Issue: Unable to schedule and start a patch content download

Issue: Very few patches are detected for Windows 2012 server managed nodes

Issue: Vulnerability Scans are not updating on the core

Issue: Vulscan cannot connect to the vulcore.asmx service on the Core Server

Issue: Vulscan is not applying agent setting changes or is using an incorrect agent setting

Issue: Vulscan stuck in a loop following deployment of SP1 for LDMS 9.5

Issue: Windows 7 and 2008 clients are blue screening when using Application Blocking

Issue: Windows Devices in another AD domain do not get Patches applied

 

 

Information

About an update & improvement to the LANDeskScan.DLL notification

About Autofix and Scan by Scope changes in LDMS 9.6

About content verification in LANDESK Patch Manager

About IIS Virtual Directories and File Permissions for Security and Patch Manager

About LANDESK Distribution and Patch settings

About LANDESK Patch Content severity levels

About LANDESK Patch Manager and Antivirus return codes

About LANDESK Security and Compliance Manager content

About manually downloaded patch definitions

About Patch and Compliance content vulnerability definition title suffixes

About Patch Codes for Inventory

About Patch Manager 9.6 new permissions options for editing and importing definitions

About Patch Manager Auto Update

About Patch Manager vulnerability information and the processes that affect it

About Patching: 101 - A simple, effective method of patching

About the "Gather Historical Information" task in Ivanti EPM Patch and Compliance Manager

About the "Patch-only settings" inside "Distribution and Patch Settings"

About the "Use 64-bit registry view on 64-bit windows" setting within Patch and Compliance definition rules

About the Checksum and Hash types used in Patch Manager definitions

About the Compliance group in Security and Compliance Manager

About the icons in the Security and Compliance tool

About the LANDESK support program for Windows XP and Server 2003 patch content

About the LDMS 9.5 and 9.6 Patch Manager database schema

About the Patch Manager definition rules processing order

About the Registry Keys that are checked to see if a reboot is needed

About the security and compliance scan (vulscan) log files

About the Vulnerability scan and repair logs

Errors

Error "Unable to get the setting from core" when running security scan (Vulscan.exe)

Error: "0x8db30194" (404) from vulscan

Error: "0x8db3019c All Patches Failed" in Vulscan log file

Error: "1314" when installing a patch or application through Patch Manager

Error: "8004005" when patching Microsoft Office installs

Error: "Cannot complete the requested action. The device must be rebooted first." when running vulnerability repair job

Error: "Client user does not have administrator rights" when running Vulnerability Scan

Error: "Core could not find a file" when running vulscan on clients

Error: "Could not establish trust relationship for the SSL/TLS secure channel error" when downloading patch definitions

Error: "Error writing scripting file. Please verify access privilege" when running vulnerability repair job

Error: "Failed to apply compliance settings" during vulnerability scan

Error: "Failed to download all additional files" when repairing a vulnerability using a Policy method

Error: "Failed. Cannot Interpret Data" when running a Security and Compliance scan

Error: "Hash for patch does not match with host. Discarding" when downloading Patch Content

Error: "HTTP Error 403" / Vulscan Return Code 433

Error: "Invalid column name 'scan' when downloading content after Service Pack installation

Error: "Invalid XML file 951_updates.xml. There is an error in XML document (2, 2)" when downloading Antivirus definitio…

Error: "Length of LOB data (XXXXXX) to be replicated exceeds configured maximum 500000" when downloading updates

Error: "No uninstall instructions. Patch is not installed." when uninstalling a patch

Error: "Node's reported ID is not in the database"

Error: "RunPatches ERROR: Download failed (80072f76)" when repairing vulnerability

Error: "Server Busy" when running a Vulnerability Scan

Error: "Unable to find string with ID message" in Vulscan UI

Error: "Unable to get custom variable overrides"

Error: "You have not specified a site from which to download updates" when downloading updates in Patch Manager

How to upgrade to Windows 10 Anniversary Edition using Ivanti Patch and Compliance


This article describes how to use Ivanti Patch and Compliance to upgrade to Windows 10 Anniversary Edition

 

For information about upgrading to Windows 10 Creators Edition (1703) see How to upgrade to Windows 10 Creators Edition using Ivanti Patch Manager

 

Windows 10 Anniversary Edition is also known as Windows 10 RS1 or Windows 10 1607.

 

Goal

 

Upgrade the clients to Windows 10 version 1607.

 

Steps

 

These steps use the Ivanti Patch and Compliance Manager definition called "W10V1607". A prerequisite for installing this version on a client computer is that the target computer has 2GB of memory or more. If the client computer has less than 2GB of memory, the vulnerability will still be detected, but the update will not be attempted.

 

  1. Download or otherwise acquire the Windows 10 1607 media for the edition of Windows that you are upgrading (Education, Professional, or Enterprise).

    This can be done by following the instructions in this link.

* MediaCreationTool.exe from http://go.microsoft.com/fwlink/?LinkId=691209 can create only two editions: Windows 10 Professional or Windows 10 Home. There is no option to download and create the Windows 10 Enterprise or Windows 10 Education editions. Also, an ISO created with MediaCreationTool.exe contains no ..\sources\install.wim file, so the edition cannot be verified with dism.exe ("dism.exe /get-wiminfo /wimfile:F:\sources\install.wim").

Please note that the MediaCreationTool will download the latest Windows 10 version, which at the time of writing is 1709 (Fall Creators Update).

If you are using a copy from MSDN, this is likely an all-in-one image; only the product key changes the edition.

  2. Place this .ISO in the \ManagementSuite\LDLogon\Patch\ directory on your core server. If you have changed the patch storage location, place it in the equivalent directory.
  3. Open the LANDESK Management Suite Console and go to the Security and Compliance tool group.
  4. Open the Patch and Compliance tool.
  5. Ensure that you have downloaded the latest updates in the Vulnerabilities category.
  6. After downloading the Vulnerabilities category, find the "W10V1607" definition. This is the definition used to upgrade Windows.
  7. Examine the properties of the definition by double-clicking it. The definition contains a list of rules; you need to select the rule that matches the version of Windows you are upgrading.
  8. Note the information in the Description tab of the definition.
  9. Double-click the rule that matches the version of Windows you are upgrading. Be careful to choose the correct x86 or x64 version.
  10. Make sure that the filename of your .ISO matches exactly the Unique filename in the Patch information section of the rule. To do this, highlight the filename in the rule, going all the way to the end just prior to ".ISO", and press Ctrl-C to copy the file name without the extension.
  11. Right-click and rename your .ISO file from step 1, pasting in the name you just copied from the definition rule. Make sure it still has the .iso extension and that it is not named ".iso.iso" or similar. It must match the Unique filename in the rule exactly.
  12. Run Download Updates once more to ensure that the "Downloaded" Yes/No column for the rule changes to "Yes". If it does not update, check your storage location and the name of the .ISO to make sure it matches.
  13. Run a scan and repair as usual.

 

Further information about the Patch Manager definition release can be seen here.

 

How to block automatic update to the Anniversary Edition of Windows on client systems

 

In order to block Windows 10 systems from automatically installing Operating System Upgrades, the following methods may be used:

 

Group Policy

Computer Configuration / Administrative Templates / Windows Components / Windows Update

Setting: Turn off the upgrade to the latest version of Windows through Windows Update

 

Registry

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

DWORD value: DisableOSUpgrade = 1

 

Ivanti Patch and Compliance Manager Definition

The DISABLEWIN10UPGRADE definition can be deployed as a repair job to turn off automatic Windows 10 upgrades to newer OS versions.

This definition sets the registry value listed above.
