Channel: Ivanti User Community : All Content - Patch Manager

How to patch Office 365


Overview:

Ivanti Patch and Compliance now provides support for Office 365 versions 2013 and 2016. Patch and Compliance administrators can now scan, detect, and remediate client devices that have Office 365 installed. For Office 365 version 2013, Ivanti leverages the Microsoft Office Deployment Tool to perform the remediation tasks for updating Office 2013 installations. For Office 365 version 2016, Ivanti has developed an Office COM API to perform remediation tasks for updating Office 2016 installations. Ivanti provides a utility (Office365Util.exe) that downloads the Office installation data and checks the hash for Office 2016 installation data. When the Office patches are downloaded, Ivanti Endpoint Manager checks the hash on the pertinent files to ensure validity.

 

High Level Process

 

  1. The Ivanti administrator downloads Office 365 definitions from the Ivanti global servers.
  2. Once the Office 365 definitions are downloaded to the core, the Ivanti administrator can scan for those Office 365 vulnerabilities.
  3. To remediate detected vulnerabilities (apply the latest patches), the Ivanti administrator has to manually run, on the core machine, a new tool provided by Ivanti (Office365Util.exe). Using this tool, the Ivanti administrator can choose the Office 365 versions that are relevant to the environment. The Ivanti Office 365 utility will download the patch binaries and the Microsoft Office deployment tool from the Microsoft cloud.
  4. Once the patch binaries are downloaded to the core, the Ivanti administrator can apply the patches to all vulnerable endpoints using the standard method of applying patches.

Step 1: Download Content

 

Customers download the Office 365 vulnerability definitions, the O365Util.dll, and the Office365Util.exe from the Ivanti Global Host Content Server by downloading the latest Microsoft Windows Vulnerabilities.

 

[Screenshots: Download Updates (Microsoft Windows Vulnerabilities); Updating Definitions (Office365Util.exe/O365Util.dll)]

 

[Screenshots: Updating Definitions (MSO365); MSOFFICE 365 (Vul_Defs); MSO365 (Vul_Defs)]

Step 2: Launch Office365Util.exe

 

Upon successful content download, an Office365Utility folder is created under the LDLogon share and will contain the Office365Util.exe file provided by Ivanti.

 

\\Core_Server\LDLogon\Office365Utility

 

This utility lets you select the specifics of the Office 365 product you are patching. Launch it directly from C:\Program Files\LANDesk\ManagementSuite\ldlogon\Office365Utility\ by double-clicking Office365Utility.exe. Do not try to run it via the network share (\\Core_Server\LDLogon\Office365Utility or \\localhost\LDlogon\Office365Utility), as you will get an error.

 

Step 3: Select Options from Office365Util

 

The view provided below displays the available options inside of the Office365Util application (Ivanti Office 365 Utility for Patch and Compliance):

There is no Channel support for Office 2013

 

[Screenshots: Platforms; Deployment Tools]

 

[Screenshots: Channels; Office 365 (2013) Product List View]

 

In order to successfully patch Office 365, select which Office 365 patch product updates to download in order to support client remediation. After selecting the desired product updates from the Ivanti Office 365 Utility for Patch and Compliance application, click START.

 

 


 

Office 365 Tool

 

The START action will do (2) things:

 

  1. Create an Office365Tool folder under the LDLogon share and process the Microsoft setup.exe file

    \\Core_Server\LDLogon\Office365Tool

This folder contains the Deployment Tool type (2016 or 2013) selected during the download and all relevant installation data applicable to the options selected in the Ivanti Office 365 Utility for Patch and Compliance application. The display below outlines the contents of both Deployment Tools (2016 and 2013).

 

If you have both 2016 and 2013 products in need of patching, the download has to be completed separately.

 

[Screenshots: Office365Tool; Deployment Tool Options]

 

[Screenshots: 2016 Content; 2013 Content]

   
  2. Create an Office365 folder under the LDLogon\Patch share that contains the patch file(s):

 

\\Core_Server\LDLogon\Patch\Office365

Patch Location

 

Updated Office 365 patching is not designed to take advantage of our download technology. The client device will NOT download o365 patch files from a preferred server or peer device. The files will be retrieved from the default or non-default patch location.


 

Non-Default Patch Location

 

This section is only applicable to those who have changed the default download location for patches. After downloading the Office 365 patch updates and installation data with the Ivanti Office 365 tool, the following SOURCE will be in the vulnerability definition:

 

Office 365 (2016)

 

httpSourcesURL="Core_Server/LDLogon/Patch/Office365/DeploymentToolType/Channel/Architecture"

 

Ex: httpSourcesURL=http://2016E/ldlogon/patch/office365/2016/current/x64

Office 365 (2013)

httpSourcesURL=http://Core_Server/LDLogon/Patch/Office365/DeploymentToolType

 

Ex: httpSourcesURL= http://2016E/ldlogon/patch/office365/2013

 

In order for the Patch Install Commands in the vulnerability definition to interpret the correct patch location, the Custom Variable will have to be set in every MSO365 vulnerability definition.

 

To do this, open the properties of the definition and select the Custom Variables tab. By default, the value specified will resolve to the default patch location.

 

You will need to explicitly set the value to reflect the location where your patches reside.

 


 

The Patch Install Commands section of the definition utilizes a script that resolves the Custom Variable.

 


 

References

How to change the default Patch Location for Security and Patch Manager

Microsoft Office 2016 Deployment Tool

Microsoft Office 2013 Deployment Tool for Click-to-Run


HP client driver updates


Does anybody use these definition types? What is your experience with them? In contrast to other patches, it looks to me like there is no replacement logic included, so old sp..... are not replaced.

 

Regards

Ivan

Using VulScan to scan for a specific group


I know that you can use the /group switch when running Vulscan to specify a particular group of patches to install:

vulscan.exe /showui=true /RebootAction=Never /repair /log=c:\ldprovisioning\output.log /group=4200

 

However, I usually am required to run a /Scan before I run the /Repair. I noticed that when I do it:

vulscan.exe /showui=true /Scan=0 /group=4200

 

It seems to ignore the /Group flag, and scans for all vulnerabilities in the 'To be scanned' group.

 

Is there a way I can tell it to just focus on the custom group? It seems to take longer to scan for vulnerabilities than to repair based on my custom group of patches assigned to the specific group of systems.

HP device Keylogger Vulnerable. Any best practice to patch HP device drivers?


Hi all,

 

As the news has shown, HP devices require driver updates due to the potential security vulnerability. I was wondering whether there is any guide or best practice for using Patch Manager to push driver updates to all HP devices? Is there also a list in Patch Manager of which device models are supported for downloading and pushing driver updates?

 

Thanks in advance

Having trouble installing SP2.


We have a new server and installed LanDesk V9.6.0.  It is a Dark Core system and has been activated.  I want to try and mimic the old server with version, etc...

So, now we need to install SP2.  Well, when I try to do that it blows up.

"Security and Patch" option is not available in the right click menu in the scheduled tasks for targets of the task.


Issue:

Security and Patch option is missing when right-clicking computers in the Scheduled Tasks tool in the Console.

 

Solution:

Install SU2 or newer for 2017.3.

Powershell Pre Repair Script patching


Anyone else having issues getting this to work?

 

It never seems to launch if it's set as a pre-repair - I am using PowerShell 2016.3.

I don't even see the script attempt to be called in the logs. It's completely ignored. Does the script have to be really basic? I have tried a basic script and a complex one; neither gets called.

If this works I have a tonne of uses for it, but it just does not.

I can't even see the file being downloaded to the client -

Computers keep getting asked to reboot


Hello, I want to start off saying I'm very new to LANDesk, especially the patch manager portion. After some trial and error I got things up and running the way I want them: Autofix patches that don't require a reboot, and scheduled tasks for patches that do require rebooting. Well, there hasn't been much of an issue, there are still a few computers on the network that are randomly being asked to reboot. I'm not pushing out any software, and the patches that autofix say that they do not require a reboot. Can someone tell me what's going on? People seem to get frustrated when they are asked to reboot during the middle of the day. Thanks.


Patching greenshot Screen capture Software


Hi

I want to know if we can ask for a software inclusion in Patch Manager? I would like to patch Greenshot screen capture, but it is not available in Ivanti. Is there a form to ask for inclusion? I see Notepad++ is in Patch Manager, so it is not because it's free software.

 

Thank you and kind regards

Philippe RITTER

How to Pre-Stage Patch and Compliance Next Generation Content Binaries


Overview

 

Ivanti Endpoint Manager's Patch and Compliance vulnerability scanner (vulscan.exe) will attempt to download an additional 30 MB (approx.) of data from the core server (source) when scanning against Next Generation definitions. A download of this size can stress environments not configured to accommodate the additional data and could cause latency on the network. To minimize the bandwidth constraints, Ivanti's download functionality is designed to retrieve content from (3) locations: Peer, Preferred Server, and Source. This document outlines how to stage the Next Generation binaries so that your existing endpoints can leverage Ivanti's download capabilities, allowing for more efficient file transfers throughout your environment.

 

 

Peer Staging

 

In order for the Next Generation Binaries to exist on the core server, a download of the Next Gen Microsoft Windows Vulnerabilities (beta) definitions must be completed from the Download Updates interface. The required binaries for scanning against Next Generation definitions will reside in ManagementSuite\Ldlogon\Timber.

For more on this, please reference Definition_Downloads.

 

 

To control the scanning of all Next Generation definitions, transfer the "Next Gen" definitions to a custom patch group, assign the custom group to an alternate Distribution and Patch agent setting and assign the setting to (1) device per subnet. Once (1) device on the subnet has the necessary binaries to scan against Next Generation definitions, the use of Peer to Peer downloading can be leveraged when the remaining devices need the next generation binaries.

 

The steps to do so are as follows:

 

Step 1: Create a custom patch group.

 

This is accomplished by right-clicking and selecting "New Group" in Patch and Compliance | Groups | My custom groups. Name the group as desired; in the below example the custom group name is "Next Gen".


Step 2: Isolate the Next Gen definitions and add them to the custom patch group.

 

To do this, perform a search in Patch and Compliance | All Types for keyword "Next Gen". Once filtered, highlight (ctrl+a) these definitions and move them to your custom patch group. To move you can drag and drop the highlighted definitions to the group or right-click copy and paste.


 

Step 3: Create an alternate Distribution and Patch agent setting

 

This can be done by right-clicking "New" after navigating to Agent Settings | My Agent Settings | Distribution and Patch


 

Step 4: Assign the custom group to an alternate Distribution and Patch agent setting

 

Right-click on the alternate Distribution and Patch agent settings and select properties. From this view select Patch-only settings | Scan Options. In the "Scan for" section select Group and associate your custom group for scanning and save. This will restrict the vulnerability scanner's view to the definitions residing in this group. Any device assigned this setting will only be able to scan definitions from this custom group.


 

Step 5: Assign the alternate Distribution and Patch agent settings to a device

 

This new setting configured to scan against only Next Gen definitions has to be assigned to (1) device per subnet. This will allow the vulnerability scanner to download the next generation binaries to the endpoint. Once these binaries reside on (1) device in the subnet, all remaining devices will be able to pull the files from a peer negating the need to traverse the network to the source.

 

To do this select "Create a task" and choose "Change Settings" under Agent Settings.


 

This will present you with a Patch and Compliance - Change Settings task interface. Choose the alternate agent setting previously configured to scan against "Next Gen" definitions and select save. Upon saving, a change settings task will be created for you to target the desired subnets throughout your environment.


 

 

 

Preferred Server Staging

 

The same approach taken with Peer can be used with a Preferred Server on the same subnet as your endpoints. You are less likely to have (1) Preferred Server per subnet, so it is recommended to use the functionality available through Content Replication to transfer the Next Generation binaries from the source to a preferred server.

 

The following documentation outlines How to use Ivanti EPM Content Replication

References

 

About Distribution and Patch Bandwidth Throttling (Advanced)

How to troubleshoot Download Failures in Software Distribution (Advanced) 

Sending Windows 10 Major Updates to Encrypted Laptops


I have been trying to test upgrading our Windows 10 machines from 1607 to 1703. Our laptops are McAfee encrypted, and McAfee's documentation recommends either calling the setup.exe of the 1703 upgrade with the switch "/ReflectDrivers “C:\Program Files\McAfee\Endpoint Encryption\OSUpgrade”" or with a config file that is located in "C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS".

 

I have tried adding the config file to the location above and then running the update through a LanDesk security scan, but it does not work properly, so I have two questions:

 

1. Is there a different location that LanDesk checks for config files for updates other than the path specified above? That one looks like it might be specific to computers receiving updates from a WSUS server.

2. Is there a way to send an update through LanDesk that is an .iso (like the 1703 update) with a command line switch like the one mentioned above?

 

The only other option I have is to send a powershell script to install the update, which would be sent as a distribution package instead of a patch. I would really like to stay away from this method if at all possible.

MS SQL CAL needed for 1 core server


Any recommendation, when installing Ivanti Patch Manager and will be using MS SQL Database... What kind of CAL do we need for the SQL and how many?

I'm unable to download associated patches for non-Microsoft products


Hello.

 

I'm trying to download associated patches in Patch Management.  I can download the patches for Microsoft but not for other vendors (like Apple, Adobe, Google, Mozilla, etc.).  I have the role for Patch Management in EndPoint.  The other person who does the patches with me has admin rights in EndPoint.  He's able to download them without any issues.  Do I need additional rights on the core server or in EndPoint to allow me to download non-Microsoft patches?

About the Next Gen Microsoft Patch Definition Naming Convention


Overview

Starting with the April 11th 2017 Patch Tuesday, Microsoft no longer uses a traditional naming format for Security Bulletins. To help our customers, we created our own naming format as follows:

 

The new Security Bulletin mappings our products will be using: MS[YY]-[MM]-[PP(P)]

 

  • MS = Microsoft
  • YY = Year
  • MM = Month Released
  • PP =  Product

Here are examples from Patch Tuesday December 12, 2017:

  • MS17-12-OFF
    • All Office patches
  • MS17-11-O365
    • Security Only Updates for Office 365
  • MS17-12-IE
    • All IE patches
  • MS17-12-AFP
    • All Microsoft released Flash patches
  • MS17-12-W10
    • All Windows 10 patches, rollups and Deltas
  • MS17-12-2K8
    • All Vista and 2008 patches
  • MS17-12-SO7
    • Security Only Update for Windows 7 and Server 2008 R2
  • MS17-12-SO8
    • Security Only Update for Server 2012
  • MS17-12-SO81
    • Security Only Update for Windows 8.1 and Server 2012 R2
  • MS17-12-MR7
    • Monthly Rollup for Windows 7 and Server 2008 R2 (this is the rollup that includes non-security fixes)
  • MS17-12-MR8
    • Monthly Rollup for Server 2012 (this is the rollup that includes non-security fixes)
  • MS17-12-MR81
    • Monthly Rollup for Windows 8.1 and Server 2012 R2 (this is the rollup that includes non-security fixes)
  • MS17-12-SLV
    • All Microsoft Silverlight patches
  • MS17-12-2K3
    • All Server 2003 patches for the customers that subscribe to them (Extended support)
  • MS17-12-XPE
    • All Microsoft XP Embedded patches

.NET Patches will follow a slightly different naming scheme:

  • MS[YY]-[MM]-[TT][PP]-[KB]
    • YY = Year
    • MM = Month
    • TT = Type (Security Only or Monthly Rollup)
    • PP = Product (.NET)
    • KB = Parent KB
  • MS17-12-SONET-1234567
    • Security only patches associated with that parent KB
    • Security patch type
  • MS17-12-MRNET-1234567
    • Monthly Rollup associated with that parent KB
    • Non-Security patch type

Non-security .NET Patches also have a slightly different naming scheme:

  • MSNS[YY]-[MM]-[TT][PP]-[KB]
    • YY = Year
    • MM = Month
    • TT = Type (Quality Preview or Quality Rollup)
    • PP = Product (.NET)
    • KB = Parent KB
  • MSNS17-12-QPNET-1234567
    • Quality Preview patches associated with that parent KB
    • Non-Security patch type
  • MSNS17-12-QRNET-1234567
    • Quality Rollup associated with that parent KB
    • Non-Security patch type

 

Additional Information

Additional Naming Conventions

  • QP = Quality Preview
  • NS = Non-Security
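
The naming schemes above are regular enough to parse mechanically, for example when sorting a list of definition IDs before approving them. The following Python sketch is an added example, not Ivanti code: the function and class names are hypothetical, the 2-4 character product code and the 20YY year are assumptions drawn from the examples in this article, and the sample list is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# (prefix, TT) -> (release type, patch type), as listed in the article for .NET IDs.
NET_TYPES = {
    ("MS", "SO"): ("Security Only", "Security"),
    ("MS", "MR"): ("Monthly Rollup", "Non-Security"),
    ("MSNS", "QP"): ("Quality Preview", "Non-Security"),
    ("MSNS", "QR"): ("Quality Rollup", "Non-Security"),
}
# MS[YY]-[MM]-[TT][PP]-[KB] and MSNS[YY]-[MM]-[TT][PP]-[KB], where PP is NET.
NET_RE = re.compile(r"(MS|MSNS)(\d{2})-(\d{2})-([A-Z]{2})NET-(\d+)")
# MS[YY]-[MM]-[PP(P)]; 2-4 characters is an assumption that covers O365 and SO81.
PRODUCT_RE = re.compile(r"MS(\d{2})-(\d{2})-([A-Z0-9]{2,4})")


@dataclass(frozen=True)
class DefinitionId:
    raw: str
    year: int
    month: int
    product: str
    release_type: Optional[str] = None  # only set for .NET IDs
    patch_type: Optional[str] = None    # only set for .NET IDs
    parent_kb: Optional[str] = None     # only set for .NET IDs


def parse_definition_id(text: str) -> DefinitionId:
    """Parse one ID; raise ValueError when it does not follow the scheme."""
    raw = text.strip().upper()
    release_type = patch_type = kb = None
    m = NET_RE.fullmatch(raw)
    if m:
        prefix, yy, mm, tt, kb = m.groups()
        if (prefix, tt) not in NET_TYPES:
            raise ValueError(f"type {tt} is not used with prefix {prefix}: {raw}")
        release_type, patch_type = NET_TYPES[(prefix, tt)]
        product = ".NET"
    else:
        m = PRODUCT_RE.fullmatch(raw)
        if not m:
            raise ValueError(f"not a Next Gen definition ID: {raw}")
        yy, mm, product = m.groups()
    if not 1 <= int(mm) <= 12:
        raise ValueError(f"month out of range: {raw}")
    # Assumption: YY means 20YY (the scheme starts in April 2017).
    return DefinitionId(raw, 2000 + int(yy), int(mm), product,
                        release_type, patch_type, kb)


def triage(ids):
    """Bucket IDs by .NET patch type, 'Unclassified' (non-.NET) or 'Invalid'."""
    buckets = {}
    for text in ids:
        try:
            key = parse_definition_id(text).patch_type or "Unclassified"
        except ValueError:
            key = "Invalid"
        buckets.setdefault(key, []).append(text)
    return buckets


# Constructed sample: IDs from the article plus an old-style bulletin ID.
SAMPLE = ["MS17-12-W10", "MS17-11-O365", "MS17-12-SONET-1234567",
          "MSNS17-12-QRNET-1234567", "MS16-120", "MSNS17-12-SONET-1234567"]

if __name__ == "__main__":
    for bucket, members in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(members)}")
```

Old-style bulletin IDs such as MS16-120 and mismatched prefix/type pairs land in the Invalid bucket, which makes stale or mistyped IDs in an approval list easy to spot.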

 

Microsoft released the following article for FAQ on the changes made: Security Updates Guide dashboard and API:

 

Q: Why is the security bulletin ID number (e.g. MS16-XXX) not included in the new Security Update Guide?

A: The way Microsoft documents security updates is changing. The previous model used security bulletin webpages and included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation, including bulletin ID numbers, is being retired and replaced with the Security Update Guide. Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers and KB Article ID numbers.

Role set for all security components disabled yet user can still move patches into different folders


Hi there,

 

I'm trying to set a role so the users cannot move patches into various groups/scan folders.  I've set the Security section all disabled, but these users can still move patches to different folders.

 

Has anyone encountered this as well?  We're running 9.6 SP3.

 

Thanks.  Mareesa


Issues with KB4041676 update released on the October 10 Patch Tuesday.

Security Scan??


We have today suddenly had a few machines get a BSOD!  (I haven't seen one of these for ages)

 

Looking in the Security and Patch information for these machines, they all have an entry which I have never seen before in the Patch history tab.

Anyone seen this before? It looks odd as it does not have the normal format of the entry starting with a date and time and not a cert key or other icon.

 

Not sure if I should be worried or not!

Creating a "Clear Install Status" Task for Multiple PCs


Hi All,

 

I am seeing a number of devices that are failing to install the Oct Win7 monthly update.  For a couple of them, I remediated by selecting the patch ID for the device and selecting Clear install status.  However, instead of having to do this on a one by one basis, is there a way to create a task that I can drop a number of devices into to clean the install status for them?  I think there is a way to do this via SQL cmds but would rather prefer a console method.

 

Thanks

Create custom patch to deploy certificate


Is this possible? I plan to use certmgr.exe to install the cert. The problem now is the script needs to be run as administrator unless I change localMachine to currentUser.

 

The command is:

certmgr.exe -add -c certName.cer -s -r localMachine root

anyone been able to push 1709 update to windows 10 in LANDesk?


Looks like it is a service pack, but when I open that it says it is a manual download
