Has anyone run into issues patching Dell Latitude BIOS or drivers with patch manager? We are looking to start patching Dell Latitude BIOS and possibly drivers, as well. Do you see any downside to using Ivanti patch manager? I'm a little wary patching the BIOS or firmware because the computer needs to restart. How Ivanti know the patch is complete?

We are running Ivanti 2017.3.

Overview

Starting with the April 11th 2017 Patch Tuesday, Microsoft no longer uses a traditional naming format for Security Bulletins. To help our customer's, we created our own naming format as follows:

The new Security Bulletin mappings our products will be using: MS[YY]-[MM]-[PP(P)]

• MS = Microsoft
• YY = Year
• MM = Month Released
• PP =  Product

Here are examples from Patch Tuesday December 12, 2017:

• MS17-12-OFF
  • All Office patches
• MS17-11-O365
  • Security Only Updates for Office 365
• MS17-12-IE
  • All IE patches
• MS17-12-AFP
  • All Microsoft released Flash patches
• MS17-12-W10
  • All Windows 10 patches, rollups and Deltas
• MS17-12-2K8
  • All Vista and 2008 patches
• MS17-12-SO7
  • Security Only Update for Windows 7 and Server 2008 R2
• MS17-12-SO8
  • Security Only Update for Server 2012
• MS17-12-SO81
  • Security Only Update for Windows 8.1 and Server 2012 R2
• MS17-12-MR7
  • Monthly Rollup for Windows 7 and Server 2008 R2 (this is the rollup that includes non-security fixes)
• MS17-12-MR8
  • Monthly Rollup for Server 2012 (this is the rollup that includes non-security fixes)
• MS17-12-MR81
  • Monthly Rollup for Windows 8.1 and Server 2012 R2 (this is the rollup that includes non-security fixes)
• MS17-12-SLV
  • All Microsoft Silverlight patches
• MS17-12-2K3
  • All Server 2003 patches for the customers that subscribe to them (Extended support)
• MS17-12-XPE
  • All Microsoft XP Embedded patches

.NET Patches will follow a slightly different naming scheme:

• MS[YY]-[MM]-[TT][PP]-[KB]
  • YY = Year
  • MM = Month
  • TT = Type (Security Only or Monthly Rollup)
  • PP = Product (.NET)
  • KB = Parent KB
• MS17-12-SONET-1234567
  • Security only patches associated with that parent KB
  • Security patch type
• MS17-12-MRNET-1234567
  • Monthly Rollup associated with that parent KB
  • Non-Security patch type

Non-security .NET Patches also have a slightly different naming scheme:

• MSNS[YY]-[MM]-[TT][PP]-[KB]
  • YY = Year
  • MM = Month
  • TT = Type (Quality Preview or Quality Rollup)
  • PP = Product (.NET)
  • KB = Parent KB
• MSNS17-12-QPNET-1234567
  • Quality Preview patches associated with that parent KB
  • Non-Security patch type
• MSNS17-12-QRNET-1234567
  • Quality Rollup associated with that parent KB
  • Non-Security patch type

Additional Information

Additional Naming Conventions

• QP = Quality Preview
• NS = Non-Security

Microsoft released the following article for FAQ on the changes made: Security Updates Guide dashboard and API:

Q: Why is the security bulletin ID number (e.g. MS16-XXX) not included in the new Security Update Guide?

A: The way Microsoft documents security updates is changing. The previous model used security bulletin webpages and included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation, including bulletin ID numbers, is being retired and replaced with the Security Update Guide. Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers and KB Article ID numbers.

We are looking at installing Microsoft updates on our servers.  Looking for advice or process.

Thanks

Hi!

When will the Critical Patch for Firefox 58.0.1 be available through Patch Manager?
It's now 3 days out and still not in Patch Manager.

thx

Regards

I may be missing something obvious here but I don't see any patch definitions for Skype version 8 when downloading the latest patch content in Patch Manager. Previous patches for Skype had IDs of the form SKYPEvA.B.C.D; the latest version I currently see is 7.40.0.103.

Skype 8 is supported as per https://www.ivanti.com/support/supported-products, is there a reason Patch Manager would not be picking up these patches? The definition types we download are attached.

Hi,

Got "Result: Unable to get vulnerability definitions from core" in security/compliance scan

I want to make sure my core is pulling the last patch and compliance definitions from Ivanti. For instance, my core has the latest Java version as 8.152 but java.com shows 8.161. I am hoping for some kind of a portal at Ivanti to see what they have so I can compare it to what I have. My core is on version 2016.3.5.

This MAY be an instant NO but been tasked with creating a few preferred servers and replicators. Replicator and Preferred Server will be on the same device.

These preferred servers/replicators will be connected to VERY slow internet connections due to being in small shops. Therefore the challenge is to replicate 20-30GB worth of from our main source to these new preferred servers.

One idea we came up with was to install the IEM Agent onto each of the replicators, then it becomes a managed device. Take a hard drive with has a copy of the source folder from our source server, plug it into each replicator/preferred server and paste the content into the appropriate folders (sdmcache etc).

Would this be possible?

Gathering historical information isn't working properly. Not pulling old data into the core to create reports.

brand new core, brand new operating system. Why isn't it pulling all this information down.

Overview

Microsoft has released an out of band Critical Update KB4078130 to disable mitigation against CVE-2017-5715.

MSNS18-01-4078130 / KB4078130 is a Critical Non-Security Patch that will disable the fix for variant 2 for stability issues.  The machine must reboot after installing the patch for it to apply on the system.

Additional Information

To enable the fix again you may reinstall the patch for your OS that remediates CVE-2017-5715

Note: Clicking on a photo will enlarge it.

This document will go over what to look for and do if you think you have a patch that is detecting incorrectly on your devices.  Incorrect detections can happen if the detection logic is incorrect and still reports as needed but the patch has already been installed, is not applicable to the system or other issues.  In this document, you’ll learn what to look for in the vulscan logs which are required to submit the incorrect patch detection for review.

This document assumes you know how to find individual patches, create a patch group and move patches to it in the console and create a repair task on a specific patch or group of patches in the console.  It also assumes you have an understanding of repair tasks and how to add target devices to them and run the task.

Prep the Client

As of January 2018 all new content created uses the new patching engine.  Additional logs are needed as well as the vulscan log to troubleshoot the false detection.

Diagnostic Tool

^Updated The "Get debug logs and zip (patch)" feature is only available in 2017.3 and newer product versions.

To retrieve logging remotely access the Diagnostic tool and select the Logs | Client option to view client-side logs. An additional option "Get debug logs and zip (patch)" is present for debug logging for all Next Gen definitions. This will only function if the Distribution and Patch agent setting has Enable security scan debug trace logselected.

To enable debug trace logs for versions 9.6 - 2017.1 run the following cmd locally on the endpoint or distribute a script to the desired device:

vulscan /enableDpdTrace=true /showui

The showui switch is optional.

This will generate additional logging in the Programdata\Landesk\DebugLog folder consisting of the following (2) files:

PatchManifestSyncSDK.log

PatchScanSDKDpdTrace.log

When the repair job finishes you will need the following files to give to support in a zip file:

C:\Programdata\landesk\log\Vulscan.log  (Make sure it is the correct one, see below)

C:\Programdata\landesk\log\stdeploy.log

C:\Programdata\landesk\log\stdeployercore.log

C:\Programdata\Landesk\DebugLog\PatchManifestSyncSDK.log

C:\Programdata\Landesk\DebugLog\PatchScanSDKDpdTrace.log

Run a Repair Task

Running a repair task for the specific patch(es) gives supports the best information.  The vulscan logs only showing one patch or two processing will show them detecting and installing and are more concise and easier to look over to find details.  General vulscan logs are not Ideal as many only show the patch detecting but not installing and have a lot of unneeded information.  Running a specific repair task with patches having the issue will provide the best logs.

You can create a repair task by going to Tools > Security and Compliance > Patch and Compliance.  Click the Scan folder and find your patch.  When you find the patch having the issue right click it and from the menu that appears click Repair.  If you have a patch group or several patches you can do the same and create a repair task for several patches at the same time.

The Repair task dialog will open.  Most settings you can leave as a defaults.  You can add a target device at this time as well.  If you have a maintenance window on your clients, be sure to check Ignore Maintenance Window if specified so the patch tries to install as well as scan in this repair task.

Once you have a target in your task run it and wait for it to complete.

Vulscan Log

The full vulscan log, created as a result of running the task, is needed for us to determine the issue of the false detection.  This log is located on the target devices in the C:\programdata\Landesk\Log folder. They are named vulscan.log.  Older logs have a number in the name.   The correct log file will have a line at the top with the task ID in the name as shown in the example.  This information changes with each task.

Thu, 26 Oct 2017 14:59:37 Command line: /policyfile="C:\ProgramData\LANDesk\Policies\CP.2353.RunNow._iOiXj4cedTDG&#474FOGYMztt+mWNQ=.xml"
Thu, 26 Oct 2017 14:59:37 client policy file: C:\ProgramData\LANDesk\Policies\CP.2353.RunNow._iOiXj4cedTDG&#474FOGYMztt+mWNQ=.xml
Thu, 26 Oct 2017 14:59:37 Reading policy parameters
Thu, 26 Oct 2017 14:59:37 scan=0
Thu, 26 Oct 2017 14:59:37 scanFilter=INTL_4049179_MSU;INTL_3089023_MSU
Thu, 26 Oct 2017 14:59:37 fixnow=True
Thu, 26 Oct 2017 14:59:37    maintEnable=False

Once you have found the correct vulscan log. Doing a search in the log file for the all capitals case sensitive “DETECTED” will yield the detection of the patch and the reason.  In our example case it show the file version is out dated and that is the reason the patch is needed.

Thu, 26 Oct 2017 14:59:45 VUL: '3089023_MSU' (windows8.1-kb3089023-x64.msu) DETECTED.  Reason 'File C:\Windows\System32\flashplayerapp.exe version is less than the minimum version specified.'.  Expected '18.0.0.232'.  Found '11.3.300.265'.  Patch required 'windows8.1-kb3089023-x64.msu'.
Thu, 26 Oct 2017 14:59:45    Patch is NOT installed

You can see in the example the patch was detected as needed due to a file being at a lower version than in the patch.  Now scroll down to the bottom of the log file.  You’ll see a “Patch Installation” header and below that you will find details of what happened when the device attempted to install the patch. In our example the patch returned the error code 2149842967 converted to a hex value that gives a result of  0x80240017 Looking on the list of WUSA codes the patch returned a “Not Applicable”.

Thu, 26 Oct 2017 15:03:21 Command Interpreter running
Thu, 26 Oct 2017 15:03:21 Setting current directory: C:\Program Files (x86)\LANDesk\LDClient\
Thu, 26 Oct 2017 15:03:21 Executing C:\Windows\system32\wusa.exe "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\windows8.1-kb3089023-x64.msu" /quiet /norestart
Thu, 26 Oct 2017 15:03:23 Exit Code: -2145124329 (0x80240017)
Thu, 26 Oct 2017 15:03:23 Error: "C:\Windows\system32\wusa.exe" returned failure exit code (2149842967)
Thu, 26 Oct 2017 15:03:23 ERROR(EXECUTEFILE) Failed to run command - 80004005
Thu, 26 Oct 2017 15:03:23 DownloadPatch ERROR: Failed to run commands (80004005).
Thu, 26 Oct 2017 15:03:23 Last status: Failed
Thu, 26 Oct 2017 15:03:23 Stopping wuauserv service.
Thu, 26 Oct 2017 15:03:23 Stop service wuauserv
Thu, 26 Oct 2017 15:03:25 Successfully controlled the service.
Thu, 26 Oct 2017 15:03:25 DeferredReportAction: name 'windows8.1-kb3089023-x64.msu', code '1', type '-1', status 'Error: "C:\Windows\system32\wusa.exe" returned failure exit code (2149842967)'
Thu, 26 Oct 2017 15:03:25 Running post-install/uninstall script
Thu, 26 Oct 2017 15:03:25 RunPatches completed.  1 processed.  0 installed. 1 failures.  Thu, 26 Oct 2017 15:03:25 Sending previous action history to core

STdeployercore.log

In addition the STdeployercore.log will also show the patch being installed and the error code for the Next Gen definitions:

2018-01-26T21:15:53.2279239Z 134c I DeploymentPackageReader.cpp:783 Deploy package 'C:\ProgramData\LANDesk\timber\sandboxes\InstallationSandbox#2018-01-26-T-21-15-15\0001c460-0000-0000-0000-000000000000.zip' successfully opened unsigned for package IO
2018-01-26T21:15:53.2279239Z 134c I Authenticode.cpp:134 Verifying signature of C:\Program Files (x86)\LANDesk\LDClient\sdmcache\windows6.1-kb4056894-x64_tw1158080.msu with CWinTrustVerifier
2018-01-26T21:15:54.2534266Z 134c V UnScriptedInstallation.cpp:30 Executing (C:\Program Files (x86)\LANDesk\LDClient\sdmcache\windows6.1-kb4056894-x64_tw1158080.msu /quiet /norestart), nShow: true.
2018-01-26T21:19:19.4406288Z 134c V ChildProcess.cpp:140 Process handle 00000408 returned '3010'.

Windows Update(WUSA) Error Codes

Windows Update Agent Result Codes

Manually Testing the Patch

It is best practice that you download the patch to the device and manually run in in the GUI.  The patch should display a message giving the same reason for not installing in a dialog. Once you have verified why the patch will not install manually, contact support and be sure to upload the vulscan log from the repair task to the case.

Detection Issues That Support Likely Will Not be able to Resolve

Certain false detection issues can occur that support will likely be unable to troubleshoot or resolve.  The most likely of these is with our powershell scripts running on Windows 7 devices. The example from another vulscan log below shows a script error when trying to run on a device.

Mon, 23 Oct 2017 14:58:48 File OSVERSION version within specified
Mon, 23 Oct 2017 14:58:48 Prod Windows 7 Service Pack 1 (ID:WIN7SP1) verified OSVERSION, found: 6.1.7601.1
Mon, 23 Oct 2017 14:58:48 Prod Windows 7 Service Pack 1 (ID:WIN7SP1) verified C:\Windows\explorer.exe, found: C:\Windows\explorer.exe
Mon, 23 Oct 2017 14:58:48 Running detection script
Mon, 23 Oct 2017 14:58:48 Content filename: 'RollupFixB201710.ps1'
Mon, 23 Oct 2017 14:58:48 Writing script content to file 'C:\Windows\TEMP\RollupFixB201710.ps1' starting at line 5
Mon, 23 Oct 2017 14:58:48 Launching external script processor: <powershell.exe>
Mon, 23 Oct 2017 14:58:48 args: <-executionpolicy bypass C:\Windows\TEMP\RollupFixB201710.ps1>
Mon, 23 Oct 2017 14:58:48 External timeout: 60
Mon, 23 Oct 2017 14:58:48 Called CreateProcess: "powershell.exe"
Mon, 23 Oct 2017 14:58:48 Error 2 launching application <powershell.exe>
Mon, 23 Oct 2017 14:58:48 4041681_MSU detected
Mon, 23 Oct 2017 14:58:48 VUL: '4041681_MSU' (windows6.1-kb4041681-x86.msu) DETECTED. Reason 'Unexpected error in custom script source. See agent log for details'. Expected ''. Found ''. Patch required 'windows6.1-kb4041681-x86.msu'.

Mon, 23 Oct 2017 14:58:48 Patch is NOT installed
Mon, 23 Oct 2017 14:58:48 Last status: Done

You can see from the log that the script attempted to run but got a 'Unexpected error in custom script source. See agent log for details' error. In all cases where we cannot get a proper detection from our scripts Ivanti errs on the side of caution and will throw a DETECTED and will try and install the patch just to be safe.

Issues that arise from script errors are difficult to impossible for us to troubleshoot.  The likely cause is a security setting or Antivirus/Malware program that prevents the script from running.  GPOs and powershell policies can also interfere if they are enabled in the customers environment. Since issues like this are impossible to replicate in our teat labs and are unique to the customers environment, the customer is advised to do some troubleshooting and see if security settings and restrictions can be lowered on a test device to try and get the script to run properly before contacting support.

Does anybody use this definition types? What is your experience with them? By contrast of others patches, it looks for me that there is no replacement logics included so old sp..... are not replaced.

Regards

Ivan

找不到最新的Adobe reader 和 flash player 补丁和升级包

As the Enterprise Ivanti Endpoint Manager Administrator of a large company that has had over 15 Core Servers with over 12,000 systems and over 20 other Ivanti tech's to support I have found "how should I patch" to come up often at my location as well as on this forum.

Like Windows, there are 3 or more ways to do most anything in Ivanti Endpoint Manager patching being one of those, and I have re-written the way I advocate our techs patch in Ivanti from the way I recommended a few years back and thought I would post it here for other to use as needed. It is not the only way, nor am I saying it is the best way.

Please keep in mind that this is a basic method, simple and effective.  I did not go into Auto-Fix, some of our advanced tech's use it, others don't.  I wanted something a newbie could pick up, read and begin patching in a very short amount of time.

Picking what patches to patch can be a political nightmare depending on your companies policies.  Ours went from 12 groups doing it all differently, some patching critical's only, some not patching, others patching everything possible to a reduced number of groups that all now have a "baseline" that is set from up above that is pretty in-depth and aggressive deadlines to have them patched by.

In short, we patch all security related items with few exceptions that are patchable via Ivanti and we do it aggressively as you must nowadays in this world of exploits.

If you are not patching, I strongly suggest you start.

Attached is the method I recommend, it uses two tasks, one a "Push" the other a straight "Policy".  Why not a "Policy Support Push" you ask?  We were doing that but are finding that some systems will stick in the "active" bin of the scheduled tasks for some reason (being researched) and thus the task will not become a policy.  If you restart the task, some of those systems will clear, but then others will stick... and so on.

It goes over creating a group of patches, creating the tasks, targeting the systems and scheduling the deployment.

I look forward to your feedback and I hope this helps some of you.

Information

Microsoft released KB4058702 late the night of 1/3/18 (out of band) to address an Intel CPU firmware vulnerability.  The patches released will be added to our patch definition update to be released later today, 1/4/18.

List of patches from Microsoft:

https://www.catalog.update.microsoft.com/Search.aspx?q=2018-01

Additional Information

Important information on detection logic for the Intel 'Meltdown' security vulnerability

Current definitions in Patch and Compliance referencing Support for the Intel 'Meltdown' Security Vulnerability

This document serves to be a reference to demonstrate the following:

Overview of the Meltdown and Spectre vulnerabilities

For a further overview of both the Meltdown and Spectre vulnerabilities please see the following Ivanti Blog Post:

Meltdown - CVE Notice # CVE-2017-5754                 More information from the National Vulnerability Database: NVD - CVE-2017-5754

Spectre Variant 1 - CVE Notice # CVE-2017-5753    More information from the National Vulnerability Database: NVD - CVE-2017-5753

Spectre Variant 1 - CVE Notice # CVE-2017-5715    More information from the National Vulnerability Database: NVD - CVE-2017-5715

These CVE and NVD entries contain lists of advisories, solutions, and tools regarding these vulnerabilities. CVE is a reference method for publicly known IT vulnerabilities and exposures.

Meltdown and Spectre are vulnerabilities that affect various computer processors including Intel x86 processors and some ARM-based processors.  Due to this, we will cover how to mitigate this through the features of Ivanti EPM.  Meltdown affects a very large range of computers, cell phones, tablets, etc.  Thus this touches some of the systems that you manage with Ivanti EPM.  (Examples are servers, desktops, cell phones and other mobile devices)  In January of 2018, it was disclosed along with another exploit called "Spectre" with which it shares some but not all characteristics.  Meltdown patches may introduce some amount of performance loss, however, it is not as high as initially reported.   On January 18th, 2018 unwanted reboots and other stability issues were reported due to patches applied for the mitigation of these vulnerabilities.  Due to this newer updates have been released.   All updates will be addressed later in the document underneath the OS Updates section.

OS Updates

Windows Updates

This section describes available Patch and Compliance definitions that can be delivered through the EPM Patch and Compliance tool.

^New 01/29/2018  Important update for all operating systems

Microsoft has released an emergency out of band update that disables the mitigation for Spectre variant 2.  This was due to the fact that Intel's new microcode can cause higher than expected reboots that can result in data loss or corruption. 

Ivanti Patch News Bulletin: A tool to disable Mitigation against Spectre (KB4078130) has been released by Microsoft. 29/Jan/2018

Microsoft news about this patch release: https://support.microsoft.com/en-us/help/4078130/update-to-disable-mitigation-against-spectre-variant-2

This update adds two registry settings that “manually disable mitigation against Spectre Variant 2”:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 1 /f

The installation of this latest patch is optional, however, caution should be taken.  If the prior Spectre mitigation patches caused instability, you will want to install this patch (within definition MSNS18-01-4078130_INTL) in order to return to better system stability.

Windows 10

Windows 8.1 and Server 2012

Windows 7 and Server 2008

macOS and iOS updates

Apple included mitigations for macOS 10.13.2 and iOS 11.2 released in December.  It has since followed up with additional mitigations with the just-released Apple macOS Supplemental Update: About speculative execution vulnerabilities in ARM-based and Intel CPUs - Apple Support

Browser Vulnerabilities

BIOS, firmware and driver updates

Ivanti EPM Patch and Compliance provides content for several vendor's BIOS and driver updates.  It is recommended to follow the advice of the vendor and to update your systems accordingly.

As a convenience we offer some links to vendor websites relating to this issue:

Dell: Meltdown and Spectre Vulnerabilities | Dell US

HP: HPSBHF03573 rev. 7 - Side-Channel Analysis Method | HP® Customer Support

Lenovo: Reading Privileged Memory with a Side Channel

Antivirus software and possible compatibility issues with OS patches

See the following article for information specific regarding antivirus compatibility including Ivanti Antivirus: About Antivirus products and the Meltdown and Spectre security vulnerabilities

For the latest information regarding the Meltdown and Spectre vulnerabilities see this article: A comprehensive guide to the Meltdown and Spectre vulnerabilities

Affected patches:

How to Scan and/or Repair against a custom group

Additional Information

Due to to possible BSOD issues that may occur when installing this update on system with out of date AV software, we will be adding a detection prerequisite as Windows Update does:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"

Type="REG_DWORD”

If key does not exist you will be offered the detection only version of this patch.

This means that the associated patch for a system will not be remediated unless the Registry key is present. This mirrors how the patches are handled by Microsoft. Full details regarding the offering of the patch, and options if the Registry key is missing, are located in the Microsoft article here: https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

An Example of the detection only definition being returned will contain "DETECT" in the definition name and under Patch Required it will say: No repair action specified There is also no patch information provided

An Example of the definition where the regkey is detected and you will be able to remediate

Support for the Intel 'Meltdown' security vulnerability KB4058702

Important information on detection logic for the Intel 'Meltdown' security vulnerability

This document illustrates the files, registry, settings and other information necessary to effectively troubleshoot a vulnerability scan.

In addition, this document walks through the steps that a basic Patch and Compliance scan (otherwise known as a vulnerability scan) takes.

This article will not describe every single step that the Vulnerability Scanner takes, but those steps where a failure can occur.

For the purposes of this document a simple scan is performed by running the following at the client command line:

vulscan /scan=0 /showui

This command tells the vulnerability scanner to scan Windows vulnerabilities (type 0) and to show a user interface.

The name "LDMS2016" and "LDMS2016_v###" will be seen throughout this document.   This refers to the Core Server name of "LDMS2016" which is the name of the core server that the author had when creating the document.

Settings

The settings that control how the vulnerability scanner will behave are stored in the Distribution and Patch Settings within the Agent Settings tool.

These settings control behaviors such as user input options, Cloud Services Appliances patch options, scanner CPU utilization, etc.

These settings are stored in the Ivanti EPM Database in the AgentSettings table and physically on the core server in the

\Program Files\LANDESK\ManagementSuite\ldlogon\AgentBehaviors folder.  The Distribution and Patch Settings are stored in the AgentBehavior_(Corename)_v###.xml file within this folder.

                                                                            Example

Product Licensing

The categories available to scan and repair are controlled by the Product license that has been purchased and activated on the core server.

The following graphic shows the categories available within the Download Updates function within the Patch and Compliance tool for those with a license for all categories.

Click for full size

Registry Keys

Core

HLKM\Software\LANDESK\ManagementSuite\PatchManagement\WebServiceMaxThreads

This key does not exist by default and should only be created with an understanding of how this key works and the full ramifications of creating this key and changing the default value.  This changes the number of default threads

This key is documented here: https://community.landesk.com/docs/DOC-36027#jive_content_id_Increasing_the_Number_of_Web_Process_to_Database_Threads

Client

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Vulscan

This registry key contains the following information:

Note: The populated "Data' entries are provided as an example.  Yours will differ.

Gathering information for Ivanti Support

The vulnerability scan log files are located in the C:\ProgramData\LANDESK\log folder.

When in doubt just .ZIP up the entire folder and send it.

Otherwise, the following logs should be gathered:

• vulscan*.log
• statusdlg*.log

It is very useful to turn on Xtrace with the following enabled from the registry key prior to duplicating the problem and gathering logs:

From HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\LogOptions:

How To: Enable XTrace Diagnostic Logging for the Ivanti Core and Clients

Tips and Tricks

Vulscan can be used as a shortcut to open various folders.  The following should be run on the client command line:

Vulscan e - Open the folder where Vulscan resides

Vulscan c - Open the LDClient folder,

Vulscan log - Open the ProgramData\LANDESK\Log folder

Issue: Cannot open vulscan logs folder from the command line using "vulscan e"

Ivanti Patch and Compliance (vulnerability) Scan Process Flow

It is important to note that the following must all be able to take place:  Client contact to core through IIS and several web services.  Core contact to Database Server  Core Contact to client  Correct permissions on core ManagementSuite\Incoming directory and \ManagementSuite\LDLOGON\VulnerabilityData and VulscanResults folders.

Note that issues can come and go during a vulscan.  This would indicate intermittent issues.  Most of the time this occurs when the server or database has connectivity issues or are too overwhelmed to respond to requests.

I'm having some problems forcing repair of windows patches.  I was looking through the logs when I saw this steady stream of the following errors on my schedpkgupdate.exe file.  I need to change the domain name companyA.org to companyB.com.  The server has already been joined to the new domain for some time.  Does anyone know where to edit the name that it's trying to use to find that file?

When will this patch be available in Patch Manager. Our Security Team is anxious to get this out to the masses. If it will not be available soon I will need to create a software distribution task to deploy.