Channel: Ivanti User Community : All Content - Patch Manager

How to set up a dark network Core Server (without outside network access)


How to set up your Dark Network Core: Step by step

 

 

Description

This document details the procedure for copying definitions from a "Light Core" (a core that is connected to outside networks) to a "Dark Core" (a core that is not connected to outside networks). This is often done for security purposes or because of a lack of connectivity.

 

 

Assumptions

 

  • The user has a familiarity with Ivanti Endpoint Manager and associated files and functions
  • The user has 2 servers, one "Light" and one "Dark" (One with Internet connectivity and one without internet connectivity)
  • The user has Ivanti Endpoint Manager installed with default parameters, file and drive locations, etc.

Process

 

Note: Due to current changes to the Ivanti Patch and Compliance Definitions, the Dark Core will need to have periodic access to the internet.  If you do not have periodic access to the internet, please follow only Step Six and then the steps in "Additional information for Dark Cores with no internet access".

 

This issue is being reviewed by our Development team and more communication will follow.

 

Step one: Prepare both core servers to have accurate data

 

In order to download a complete set of data to transfer from the light core to the dark core, the database tables related to Patch Manager must be reset.  This must occur on any core server that has previously downloaded patch data, otherwise, a complete set of data will not be downloaded.

 

This can be done on both core servers by doing the following:

 

    1. On each core server, open a command prompt on the server and change to the C:\Program Files\LANDESK\ManagementSuite folder.
    2. Run "CoreDbUtil.exe /patchmanager".
    3. Open the process list in Task Manager (right-click the taskbar and select "Task Manager") and watch for CoreDbUtil.exe to drop from the list to make sure it has finished.
      (The log for CoreDBUtil.exe is located in the main log location at \Program Files\LANDESK\ManagementSuite\Log)

 

Step two: Prepare the Dark Core folder structure

 

On the Dark Network Core Server, you will need to have a location for the vulnerability XML files and a location for the actual patches themselves to be stored in. For ease of use, we recommend using the already created patch folder structure that is set up when you install Ivanti EPM. By default, patches are stored in the \Program files\LANDESK\ManagementSuite\LDLogon\patch  folder. If a different location is desired this article can be used to set up the alternative location.

If patches have not been downloaded on the dark core previously the patch folder may not have been created and should be manually created.

 

Step three: Retrieve content on the "Light Core"

 

    1. Within Security and Patch Manager open the Download Updates window and select all of the categories you want to download.
    2. In addition, select "Download patches for definitions selected above" and also the radio button "for all downloaded definitions", then click "Apply" and then "Close".
    3. From a Command prompt, change to the LANDESK\ManagementSuite folder.
    4. From a Command prompt, type "vaminer /noprompt /copy" and hit enter.  (If scripting this action to run regularly, please add the "/noui" switch to the vaminer command line switches.)

 

(Vaminer.exe is the executable that runs to download content from the Ivanti patch content servers).

 

The first time this is run it will take quite a while, as it will be downloading not only vulnerability definitions but also all patches.  (Because of this you will need a large amount of storage space on the dark core server.)  This will download updates and store them in the patch directory.  The default patch directory is \Program Files\LANDESK\ManagementSuite\LDLOGON\patch.

 

To verify further that this process has completed correctly, check that \Program Files\LANDESK\Managementsuite\ldlogon\patch and its subdirectories contain .XML files that were generated by the Ivanti Content download to represent your vulnerability definitions.  Do not change the folder structure or files.

 

Step four: Copy PatchSources file to patch directory on Source (Light) Core


Copy ENU_PatchSourcesXXX*.xml (where XXX equals the current LDMS version) from \Program Files\LANDESK\ManagementSuite\LDMAIN to \Program Files\LANDESK\ManagementSuite\LDLOGON\PATCH on the source core.  This step is necessary because Vaminer.exe (the program that is downloading the Patch Content) expects that file to be in that location.  Again, this needs to match the version you are running: 9.5 (ENU_PatchSources95.xml), 9.6 (ENU_PatchSource96.xml), 2016.3 (ENU_PatchSources101.xml) and so on.  Modification of the file is not necessary; it just needs to exist in that location.

 

               (It has been noted that on LDMS 2017.3 SU3 the file has to be renamed from ENU_PatchSources1013.xml to ENU_PatchSources10132.xml)

 

Step five: Prepare the ENU_PatchSourcesXXX.xml on the Dark Core

 

In the \Program Files\LANDESK\ManagementSuite\LDMAIN folder there will be several files called ENU_PatchSources and then a numerical ending.  These stand for the current and prior versions of LDMS.   Choose the one that is the latest and matches your version on your core server.

 

For example: On a 2017.3 Core server you will likely see three ENU_PATCHSOURCESXXX files:

      • ENU_PatchSources951.XML
      • ENU_PatchSources961.xml
      • ENU_PatchSources101.xml
      • ENU_PatchSources1013.xml

 

We would select ENU_PatchSources1013.xml as this corresponds to LDMS 2017.3 and begin editing it.

 

If your core is not running in the English language you will want to select the XML file that matches your language prefix (ESP, JPN, etc)

 

Modify the Enu_PatchSourcesXXX.xml as modeled below:

Line #3 in the .XML will contain ‘/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&FILENAME=’.  Replace it with  /ldlogon/Patch (or whatever directory you have defined as your patch storage directory).

Before:

<PatchesSrcRelativePath>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=patches</PatchesSrcRelativePath>
<LDAVRelativePath>/kvirus-8.0/mirror</LDAVRelativePath>
<CVEMoreInfo>http://cve.mitre.org/cgi-bin/cvename.cgi?name=%CVE_ID%</CVEMoreInfo>


After:

<PatchesSrcRelativePath>\LDLOGON\PATCH</PatchesSrcRelativePath>
<LDAVRelativePath>/kvirus-8.0/mirror</LDAVRelativePath>
<CVEMoreInfo>http://cve.mitre.org/cgi-bin/cvename.cgi?name=%CVE_ID%</CVEMoreInfo>

  1. Next you will need to change the URLs for each Patch Content Server location.    These will be listed under the <Sites> tag.  Search for <sites> and you will see 3 sites, West Coast, East Coast, and EMEA.

    Delete two out of three sites leaving just one site. 

    You will change the hostname listed in the <URL> field and then the Description.


If you are using content that will be manually copied to the core server, put the name of your Dark Core server.  If there will be constant or periodic network connection between your light core and dark core, put the name of your light core here.


In the following section, you will select the definition download category that you want to download to the dark core and you will edit that entry in the .XML.  We will replace the string that normally works with the Ivanti Patch server and replace it with a local path.

 

The following example is for the vulnerability definition category Windows Vulnerabilities.  Again, you will modify the path from the patch server location to a local directory. You also will add the tag <Enabled>true</Enabled>.  This is the same as ticking the checkbox next to the vulnerabilities category when bringing up the Download Updates tool.

 

Find the correct section, which contains /LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=Windows2, by searching for "Windows2".  Modify the section within the <URL> tags.

 

The resulting line will be <URL>/LDLOGON/PATCH/Windows2</URL>.

 

You also will add the tag <Enabled>true</Enabled>. This is the same as ticking the checkbox next to the vulnerabilities category when bringing up the Download Updates tool.  Without adding the <Enabled> tag you will need to select the categories every time Download Updates is opened.

When renaming these sections for each component you wish to download, FILENAME=Windows2 will use the subdirectory name of "Windows2" under the Patch directory after you modify it.  For example, if you wanted to change the source for Ivanti Data Analytics updates, you would search for that category by searching for just that - "LANDESK Data Analytics Updates".

 

You would then modify the <URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=LDDA</URL> to <URL>/LDLOGON/PATCH/LDDA</URL>.

 

     Before:
     <Source>
          <URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=LDDA</URL>
          <Description>LANDESK Data Analytics Updates</Description>
          <ShowInLDSM>true</ShowInLDSM>
          <ShowInLSM>true</ShowInLSM>
     </Source>

     After:
     <Source>
          <URL>/LDLOGON/PATCH/LDDA</URL>
          <Description>LANDESK Data Analytics Updates</Description>
          <ShowInLDSM>true</ShowInLDSM>
          <ShowInLSM>true</ShowInLSM>
          <Enabled>true</Enabled>
     </Source>

 

Once all of the edits have been made do a "Save as" and save it as "Patchsourcestemp.xml" and mark it as a read-only file.  (Right-click, go to properties and check the box "Read Only")

After you have marked it as read-only, rename it to "patchsources.xml".  Remember, all of this is taking place in the LDMAIN folder.
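
The Step five edits can be scripted and then checked for any entry that still points at the Ivanti content servers. The following is an added example, not Ivanti's tooling: the sample XML is constructed from the fragments shown above, and the `<PatchSources>`, `<Site>` and `<Sources>` element names, the host name `DARKCORE01`, the site host names and the `OtherCategory` entry are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Matches the content-server query string and captures the FILENAME value.
REMOTE = re.compile(r"^/LDPM8/ldvul\.php\?.*FILENAME=(?P<name>[^&]+)$")

# Constructed sample. Element names not quoted in the article (<PatchSources>,
# <Site>, <Sources>), the host names and "OtherCategory" are assumptions.
SAMPLE = """<PatchSources>
  <PatchesSrcRelativePath>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=patches</PatchesSrcRelativePath>
  <Sites>
    <Site><URL>west.content.example</URL><Description>West Coast</Description></Site>
    <Site><URL>east.content.example</URL><Description>East Coast</Description></Site>
    <Site><URL>emea.content.example</URL><Description>EMEA</Description></Site>
  </Sites>
  <Sources>
    <Source>
      <URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=Windows2</URL>
      <Description>Windows Vulnerabilities</Description>
      <ShowInLDSM>true</ShowInLDSM>
      <ShowInLSM>true</ShowInLSM>
    </Source>
    <Source>
      <URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=LDDA</URL>
      <Description>LANDESK Data Analytics Updates</Description>
      <ShowInLDSM>true</ShowInLDSM>
      <ShowInLSM>true</ShowInLSM>
    </Source>
    <Source>
      <URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=OtherCategory</URL>
      <Description>Constructed category left untouched</Description>
    </Source>
  </Sources>
</PatchSources>"""


def rewrite_for_dark_core(xml_text, host, description, categories):
    """Apply the Step five edits and return the modified XML as a string."""
    root = ET.fromstring(xml_text)

    # Patch binaries come from the local patch directory.
    rel = root.find(".//PatchesSrcRelativePath")
    if rel is not None and REMOTE.match((rel.text or "").strip()):
        rel.text = "\\LDLOGON\\PATCH"

    # Keep one site only and point it at the chosen core server.
    sites = root.find(".//Sites")
    if sites is not None and len(sites) > 0:
        for extra in list(sites)[1:]:
            sites.remove(extra)
        sites[0].find("URL").text = host
        sites[0].find("Description").text = description

    # Redirect and enable only the selected definition categories.
    for src in root.iter("Source"):
        url = src.find("URL")
        if url is None:
            continue
        match = REMOTE.match((url.text or "").strip())
        if match and match.group("name") in categories:
            url.text = "/LDLOGON/PATCH/" + match.group("name")
            enabled = src.find("Enabled")
            if enabled is None:
                enabled = ET.SubElement(src, "Enabled")
            enabled.text = "true"
    return ET.tostring(root, encoding="unicode")


def remote_references(xml_text):
    """Return every element value that still uses the content-server URL."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.text and REMOTE.match(el.text.strip())]


if __name__ == "__main__":
    out = rewrite_for_dark_core(SAMPLE, "DARKCORE01", "Dark Core",
                                {"Windows2", "LDDA"})
    print(out)
    print("Still remote:", remote_references(out))
```

Any entry returned by `remote_references` is a category that was not redirected; the article's approach is to edit only the categories you intend to import on the Dark Core.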

 

Step six: Import the vulnerability definitions into the "Dark Core"

 

  1. Now you will need to move the data to the dark core for insertion into the database.   Copy the following to an external hard drive, flash drive, or whatever method you prefer to transfer using.
    • The entire Patch directory and all subdirectories of that folder
    • The entire LDLOGON\Timber folder
    • The following files from the LDLOGON folder, once at first, but the copying procedure should include copying these files if newer files are detected.
      • Office365Utility (folder)
      • LANDESKScan.dll
      • LANDeskScanData.zip
      • mpsyschk.exe
      • O365Util.dll
      • SCSDiscovery_11.1.0.75.exe

  2. These files will need to be copied to the same directories on the dark core server.  If the light core will have access to the dark core this can be done automatically through a file transfer process, automated or otherwise.  The key is to download content on the light core server regularly using the "vaminer /noprompt /noui /copy" switch and then copy the updated data to the Dark Core.
  3. When copying the Patch Directory from your Light Core to your Patch Directory on your Dark Network Core, ensure the directories look the same.
  4. Run Download Updates on the Dark Core Server. If running via script, simply run "VAMINER.EXE" from the main ManagementSuite folder.

 

Step to do only if your Dark Core does not have periodic Internet access:

 

You will need to manually export your Security and Compliance Definitions by doing the following:  

 

      1. Create a custom group for the definitions you wish to export.
      2. Drag the definitions you wish to export to this custom group.
      3. Multi-select all definitions within the group.
      4. Right-click and select "Export".  This will save a .LDMS file to the location you choose.
      5. Move the .LDMS file to your Dark Core and drop it in the LANDesk\ManagementSuite\exportablequeue directory. 
        Within 2 minutes these should now appear in your Patch and Compliance content.


In addition, you will need to copy the necessary detected patches to the Dark Core.

 

 

If automating the copying of Data from the light core to the dark core:

 

If you are automating the copying of the vulnerability data from the light core to the dark core, ensure the following steps are taking place:

 

    1. "Vaminer /copy /noprompt /noui" is run on the light core server.
    2. All files from the Patch directory, its subdirectories, the LDLOGON\Timber folder and the listed files above in step 6 from the LDLOGON folder are copied to the Patch folder on the dark core.  This can be done using content replication, robocopy or other preferred methods.
    3. Vaminer.exe is run on the dark core (without switches).

 

This should be done on an automated schedule so that these steps take place in sequence and that there is enough time for each step to complete before the next one starts.
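
Because the content crosses to the Dark Core on removable media or a scheduled copy, it is worth confirming that what arrived is byte-for-byte what the Light Core downloaded before Vaminer.exe imports it. The following is an added example, not part of the original article or of Ivanti's tooling: it builds a SHA-256 manifest of a directory tree and reports missing, changed and extra files. The directory layout and file names in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's relative path (lower-cased, since Windows paths are
    case-insensitive) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as handle:
            # Read in 1 MiB chunks so large patch binaries do not fill memory.
            for chunk in iter(lambda: handle.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix().lower()] = digest.hexdigest()
    return manifest


def compare(light, dark):
    """Compare the Light Core manifest with the Dark Core manifest."""
    return {
        "missing": sorted(set(light) - set(dark)),   # never arrived
        "changed": sorted(k for k in light.keys() & dark.keys()
                          if light[k] != dark[k]),   # truncated or altered
        "extra": sorted(set(dark) - set(light)),     # not from the Light Core
    }


def demo():
    """Constructed trees standing in for the copied LDLOGON content."""
    files = {
        "patch/Windows2/definition1.xml": b"<definition/>",
        "patch/example-patch.exe": b"constructed patch payload",
        "Timber/example.dll": b"constructed binary",
    }
    with tempfile.TemporaryDirectory() as tmp:
        light, dark = Path(tmp, "light"), Path(tmp, "dark")
        for base in (light, dark):
            for rel, data in files.items():
                target = base / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Simulate a truncated copy and a file that was skipped.
        (dark / "patch/example-patch.exe").write_bytes(b"constructed")
        (dark / "Timber/example.dll").unlink()
        return compare(build_manifest(light), build_manifest(dark))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In an automated schedule the manifest would be generated on the Light Core after step 1, carried with the content, and compared on the Dark Core after step 2 so that step 3 only runs on a clean result.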


Replication issues


Thu, 08 Feb 2018 14:45:40 Action SOAPAction: "http://tempuri.org/ResolveDeviceID" failed, socket error: 0, SOAPCLIENT_ERROR: 5.  Status code: 503, fault string:

Thu, 08 Feb 2018 14:45:40   Retrying in 7 seconds...

Thu, 08 Feb 2018 14:45:43 Last status: Retrying in 4 seconds...

Thu, 08 Feb 2018 14:45:44 Last status: Retrying in 3 seconds...

Thu, 08 Feb 2018 14:45:45 Last status: Retrying in 2 seconds...

Thu, 08 Feb 2018 14:45:46 Last status: Retrying in 1 seconds...

Thu, 08 Feb 2018 14:45:56 Curl INFO: The requested URL returned error: 503 Service Unavailable

 

Any help? This is the error from the vulscan log when running a replication job.

About the Next Gen Microsoft Patch Definition Naming Convention


Overview

Starting with the April 11th 2017 Patch Tuesday, Microsoft no longer uses a traditional naming format for Security Bulletins. To help our customers, we created our own naming format as follows:

 

The new Security Bulletin mappings our products will be using: MS[YY]-[MM]-[PP(P)]

 

  • MS = Microsoft
  • YY = Year
  • MM = Month Released
  • PP =  Product

Here are examples from Patch Tuesday December 12, 2017:

  • MS17-12-OFF
    • All Office patches
  • MS17-11-O365
    • Security Only Updates for Office 365
  • MS17-12-IE
    • All IE patches
  • MS17-12-AFP
    • All Microsoft released Flash patches
  • MS17-12-W10
    • All Windows 10 patches, rollups and Deltas
  • MS17-12-2K8
    • All Vista and 2008 patches
  • MS17-12-SO7
    • Security Only Update for Windows 7 and Server 2008 R2
  • MS17-12-SO8
    • Security Only Update for Server 2012
  • MS17-12-SO81
    • Security Only Update for Windows 8.1 and Server 2012 R2
  • MS17-12-MR7
    • Monthly Rollup for Windows 7 and Server 2008 R2 (this is the rollup that includes non-security fixes)
  • MS17-12-MR8
    • Monthly Rollup for Server 2012 (this is the rollup that includes non-security fixes)
  • MS17-12-MR81
    • Monthly Rollup for Windows 8.1 and Server 2012 R2 (this is the rollup that includes non-security fixes)
  • MS17-12-SLV
    • All Microsoft Silverlight patches
  • MS17-12-2K3
    • All Server 2003 patches for the customers that subscribe to them (Extended support)
  • MS17-12-XPE
    • All Microsoft XP Embedded patches

.NET Patches will follow a slightly different naming scheme:

  • MS[YY]-[MM]-[TT][PP]-[KB]
    • YY = Year
    • MM = Month
    • TT = Type (Security Only or Monthly Rollup)
    • PP = Product (.NET)
    • KB = Parent KB
  • MS17-12-SONET-1234567
    • Security only patches associated with that parent KB
    • Security patch type
  • MS17-12-MRNET-1234567
    • Monthly Rollup associated with that parent KB
    • Non-Security patch type

Non-security .NET Patches also have a slightly different naming scheme:

  • MSNS[YY]-[MM]-[TT][PP]-[KB]
    • YY = Year
    • MM = Month
    • TT = Type (Quality Preview or Quality Rollup)
    • PP = Product (.NET)
    • KB = Parent KB
  • MSNS17-12-QPNET-1234567
    • Quality Preview patches associated with that parent KB
    • Non-Security patch type
  • MSNS17-12-QRNET-1234567
    • Quality Rollup associated with that parent KB
    • Non-Security patch type

 

Additional Information

Additional Naming Conventions

  • QP = Quality Preview
  • NS = Non-Security

 

Microsoft released the following article for FAQ on the changes made: Security Updates Guide dashboard and API:

 

Q: Why is the security bulletin ID number (e.g. MS16-XXX) not included in the new Security Update Guide?

A: The way Microsoft documents security updates is changing. The previous model used security bulletin webpages and included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation, including bulletin ID numbers, is being retired and replaced with the Security Update Guide. Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers and KB Article ID numbers.

No Patch for Java JRE 8u162


Why is there no Patch for Java JRE8u162?

I can only Patch JDK8-162_INTL

The latest JRE Patch is JRE8u152

Updates via European patch source site not exist?


Hello,

 

Little question: we've configured the patch source site in Patch Manager as "Europe", but for some days no new patch definitions have arrived. The download was started by automatic task and manually; no error messages, all looks OK.

 

On one of our other cores, outside of Europe, we have set "US West Coast" and this core downloads a lot of new definitions the whole week...

 

I've changed the source site on our European cores to "US West Coast" too now and got a lot of new definitions.

 

Does Ivanti have sync problems between the source sites at the moment?

 

BR

Axel

Ensuring that vulscan.exe only runs within a specified window


We've been getting reports of vulscan.exe running outside of our intended/scheduled times, and today I learned about Local Scheduler time creep (Local Scheduler and being aware of time creep).

 

This is definitely what we're seeing in our environment.  Our scans are configured via schedule in the agent's Distribution and Patch settings.  The schedule is set for 12:00am, with an additional random delay of an hour.  No other filters are applied.

 


Over time, the drift has caused our start times to move all over the map, and on some devices the scan presents a noticeable slowdown for our staff.  I have been exploring the community to find some examples of good practice that others may be using to address this issue.  I've worked through the command line options for "localsch.exe", and while it seems fairly trivial to run a script periodically to reset the start time, I'm hopeful that a better solution exists.

 

Ultimately, I would like to have the scan begin at a specific time (12:00am is just an example), and only run at that time.  I understand that forcing a scan into a window may cause some devices to not be scanned within this scheduled scan (due to device being off, etc...), but I have other mechanisms for dealing with that.

 

How are you accomplishing this in your environment?

Vulnerability Definition not downloadable


My system is detecting this missing: 890830_INTv6.78 (which is calling for Windows Malicious Software Removal Tool - December 12, 2017 (KB890830) v5.55)

It is not available for download because (I assume) the new version, 5.56, is out.

 

1. Why if the new version is out, is the old one still detected?

2. If the 5.55 cannot be downloaded (I looked for it), why is the 5.56 not, and how do I add it?

 

Best.

Preferred Server/Replicators pre load source server content


This MAY be an instant NO, but I've been tasked with creating a few preferred servers and replicators. Replicator and Preferred Server will be on the same device.

 

These preferred servers/replicators will be connected to VERY slow internet connections due to being in small shops. Therefore the challenge is to replicate 20-30GB worth of from our main source to these new preferred servers.

 

One idea we came up with was to install the IEM Agent onto each of the replicators, so that it becomes a managed device. Take a hard drive which has a copy of the source folder from our source server, plug it into each replicator/preferred server and paste the content into the appropriate folders (sdmcache etc).

 

Would this be possible?


About Periodic Patch Engine Content Updates


This article is regularly updated with information

Overview

Our patch engine allows binary updates through definition downloads. At times it is necessary for us to make changes to some of the binary files to remediate issues.

 

When changes are made to these binaries and they are published to our patch servers they will automatically be downloaded to the core (during the next content sync initiated by the core). When the client next scans in, it will check to verify what version of these binaries it has compared to the version on the core server. If needed, these binaries will be downloaded to the client automatically using the standard download mechanism (i.e., utilizing the CSA and/or preferred servers if configured).

 

We only make changes to these files if it is found necessary to correct a critical issue. Listed below are the file(s) updated, the date, and the reason why the change was necessary. We will update the list before every expected change to binaries. However, in some cases more urgent fixes are required, and in such cases we will only be able to post the change to this list a short time before the release.

 

Updated Binaries

 

 

| File Updated | Date Updated | Description |
|---|---|---|
| Timberhlpr.dll | 02/13/2018 | To correct an issue where if a patch took more than a specified amount of time to install it would fail |

Is there a way to replay an Ivanti Protect Patch Tuesday slideshow?


Been hunting and I can't seem to find a way to replay an Ivanti Protect Patch Tuesday slideshow.  I really just need to go back a month, every month, as meetings on Wednesday tend to collide with the webinar.

Skype 8 in Patch Manager


I may be missing something obvious here but I don't see any patch definitions for Skype version 8 when downloading the latest patch content in Patch Manager. Previous patches for Skype had IDs of the form SKYPEvA.B.C.D; the latest version I currently see is 7.40.0.103.

 

Skype 8 is supported as per https://www.ivanti.com/support/supported-products, is there a reason Patch Manager would not be picking up these patches? The definition types we download are attached.

Status marked as detected because pre-req check failed and c:\progamdata\landesk\timber does not exist


Vulnerability scans are failing with "Status marked as detected because pre-req check failed".  I checked for the timber folder and it did not get created. How do we get that folder created?

Seeking documentation or known processes for installing Microsoft updates on servers.


We are looking at installing Microsoft updates on our servers.  Looking for advice or process.

 

Thanks

Important information on detection logic for the Intel 'Meltdown' security vulnerability


Overview

 

Microsoft has identified a severe compatibility issue with a small number of anti-virus software products.

 

We highly suggest all customers review these issues here:  https://support.microsoft.com/en-us/help/4072699

 

Due to possible BSOD issues that may occur when installing this update on systems with out-of-date AV software, we will be adding a detection prerequisite as Windows Update does:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"

Type="REG_DWORD"

 

If the key does not exist, you will be offered the detection-only version of this patch.

 

This means that the associated patch for a system will not be remediated unless the Registry key is present. This mirrors how the patches are handled by Microsoft. Full details regarding the offering of the patch, and options if the Registry key is missing, are located in the Microsoft article here: https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

 

The patches will be offered for deployment if the key exists.

Affected patches:

  • MS18-01-IE Q4056568
  • MS18-01-SO7 Q4056897
  • MS18-01-SO8 Q4056899
  • MS18-01-SO81 Q4056898
  • MS18-01-W10 Q4056888, Q4056890, Q4056891, Q4056892, Q4056893

Affected CVEs:

  • CVE-2017-5753
  • CVE-2017-5715
  • CVE-2017-5754

 

Link to Security bulletin advisory:  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

Avamar backups can't access file: mdm.vppservices.log


LDMS 2016.3 SU4:

 

Scheduled backups of our core server are completing, but with exceptions due to the following error:

 

File access share error "E:\Program Files\LANDesk\ManagementSuite\ldmain\log\MDM.VPPServices.log" (code 32: The process cannot access the file because it is being used by another process)

 

What is this log for and is there anything that can be done so the file is not in use when a backup occurs?


Current definitions in Patch and Compliance referencing Support for the Intel 'Meltdown' Security Vulnerability


For the latest information regarding the Meltdown and Spectre vulnerabilities see this article: A comprehensive guide to the Meltdown and Spectre vulnerabilities (regularly updated)

 

Affected patches:

| Vulnerability | KB | Product | Type |
|---|---|---|---|
| MS18-01-2K8_INTL | KB4056615, KB4056759, KB4056941, KB4056942, KB4056944 | Windows Server 2008 | Security Updates |
| MS18-01-IE_INTL | KB4056568 | Internet Explorer | Security Update |
| MS18-01-MR7_INTL | KB4056894 | Windows 7, Server 2008 R2 | Monthly Rollup |
| MS18-01-MR8_INTL | KB4056896 | Windows Server 2012 | Monthly Rollup |
| MS18-01-SO7_INTL | KB4056897 | Windows 7, Server 2008 R2 | Security Only |
| MS18-01-SO8_INTL | KB4056899 | Windows Server 2012 | Security Only |
| MS18-01-SO81_INTL | KB4056898 | Windows 8.1, Server 2012 R2 | Security Only |
| MS18-01-SQL_INTL | KB4052987, KB4057118, KB4057119, KB4057122 | SQL Server 2016, 2017 | Security Updates |
| MS18-01-W10_INTL | KB4056888, KB4056890, KB4056891, KB4056892, KB4056893 | Windows 10 | Cumulative Update and Delta Update |

 

 

How to Scan and/or Repair against a custom group

 

Additional Information

 

Due to possible BSOD issues that may occur when installing this update on systems with out-of-date AV software, we will be adding a detection prerequisite as Windows Update does:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"

Type="REG_DWORD"

 

If the key does not exist, you will be offered the detection-only version of this patch.

 

This means that the associated patch for a system will not be remediated unless the Registry key is present. This mirrors how the patches are handled by Microsoft. Full details regarding the offering of the patch, and options if the Registry key is missing, are located in the Microsoft article here: https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

 

An example of the detection-only definition being returned will contain "DETECT" in the definition name, and under Patch Required it will say "No repair action specified". There is also no patch information provided.

NoRegKeyHighlighted.PNG

An example of the definition where the registry key is detected and you will be able to remediate:

PatchRequired.PNG

 

Support for the Intel 'Meltdown' security vulnerability KB4058702

Important information on detection logic for the Intel 'Meltdown' security vulnerability

How to Set up Definition Filter Rules by Product to Automatically move to a Custom Folder


Set up Definition Filter Rules by Product to Automatically move to a Custom Folder

 


 

This document will teach you how to set up definition filter rules by affected product in the Download Updates > Definition Download Settings section when downloading future updates.  For this example we will set Google Chrome definition updates to go to a group folder named Chrome in the console.

Open Patch and Compliance by going to Tools > Security and Compliance > Patch and Compliance.  Next, find and double-click a patch whose future updates you want to set up a rule for; in our case, we used the current Google Chrome patch.

Then double-click a file name in the Detection Rules section.  Then click on Affected Products.

 

In the Products section make a note of the wording used by the definition.  In our case the word "Chrome" is relevant so we will use that.

Close out of the dialogs and open the Download Updates by clicking on the icon on the Patch and Compliance menu bar.

 

Once the Download Updates dialog is open click on the Definition download settings… button in the lower right corner.

 

Once the dialog is open click New on the bottom.

 

On the Filter tab create the filter by Selecting Vulnerability and Any in the lower tabs.  Then in Comparison Choose Product, contains, and Type out Chrome.  You can be as general or granular here as you want.

 

Next go to the Groups and Tags tab.  Check the Put Definition in custom group(s) box and click Add.  Then select the group you want to put the definition in.  In our example, it is named Chrome.

 

Click OK in all the dialogs to close out of all of them.  You should see the new filter present in the Definition download settings dialog. Any new Chrome updates will be automatically added to the Chrome folder.

If you run Download Updates now and there are definitions with the word Chrome in the product information, they will be placed in the Chrome folder.

Note:  This filter will only process future downloads.  Any definitions that were downloaded prior to creating the filter will NOT be processed into the folder.

How to patch Office 365


Overview:

Ivanti Patch and Compliance now provides support for Office 365 versions 2013 and 2016.  Patch and Compliance administrators can now scan, detect, and remediate client devices that have Office 365 installed. For Office 365 version 2013, Ivanti leverages the Microsoft Office Deployment Tool to perform the remediation tasks for updating Office 2013 installations. For Office 365 version 2016, Ivanti has developed an Office Com API to perform remediation tasks for updating Office 2016 installations. Ivanti provides a utility (Office365Util.exe) for you to use to download the Office installation data and to check the hash for Office 2016 installation data. When the Office patches are downloaded, Ivanti Endpoint Manager will check the hash on the pertinent files to ensure validity.

 

High Level Process

 

  1. The Ivanti administrator downloads Office 365 definitions from the Ivanti global servers.
  2. Once the Office 365 definitions are downloaded to the core, the Ivanti administrator can scan for those Office 365 vulnerabilities.
  3. In order to remediate (apply the latest patches to) detected vulnerabilities, the Ivanti administrator has to manually run, on the core machine, a new tool provided by Ivanti (Office365Util.exe). Using this tool, the Ivanti administrator can choose the Office 365 versions that are relevant to the environment. The Ivanti Office 365 utility will download the patch binaries and the Microsoft Office deployment tool from the Microsoft cloud.
  4. Once the patch binaries are downloaded to the core, the Ivanti administrator can apply the patches to all vulnerable endpoints using the standard method of applying patches.

Step 1: Download Content

 

Customers download the Office 365 vulnerability definitions, the O365Util.dll, and the Office365Util.exe from the Ivanti Global Host Content Server by downloading the latest Microsoft Windows Vulnerabilities.

 

[Screenshots: Download Updates (Microsoft Windows Vulnerabilities); Updating Definitions (Office365Util.exe/O365Util.dll)]

 

Updating Definitions (MSO365)MSOFFICE 365 (Vul_Defs)MSO365 (Vul_Defs)
MSO365.jpgMSo365Def.jpg

Step 2: Launch Office365Util.exe

 

Upon successful content download, an Office365Utility folder is created under the LDLogon share and will contain the Office365Util.exe file provided by Ivanti.

 

\\Core_Server\LDLogon\Office365Utility

 

This utility will allow you to select the specifics regarding the Office 365 product you are patching. Launch this utility directly from C:\Program Files\LANDesk\ManagementSuite\ldlogon\Office365Utility\ by double-clicking on Office365Utility.exe (do not try to run it via the network share \\Core_Server\LDLogon\Office365Utility or \\localhost\LDlogon\Office365Utility, as you will get an error).

 

Step 3: Select Options from Office365Util

 

The view provided below displays the available options inside of the Office365Util application (Ivanti Office 365 Utility for Patch and Compliance):

There is no Channel support for Office 2013

 

[Screenshots: Platforms; Deployment Tools]

[Screenshots: Channels; Office 365 (2013) Product List View]

 

In order to successfully patch Office 365, select which Office 365 patch product updates to download in order to support client remediation. After selecting the desired product updates from the Ivanti Office 365 Utility for Patch and Compliance application, click START.

 

 


 

Office 365 Tool

 

The START action does two things:

 

  1. Create an Office365Tool folder under the LDLogon share and process the Microsoft setup.exe file

    \\Core_Server\LDLogon\Office365Tool

This folder contains the Deployment Tool Type (2016 or 2013) selected during the download and all installation data applicable to the options selected in the Ivanti Office 365 Utility for Patch and Compliance application. The display below outlines the contents of both Deployment Tools (2016 and 2013).

 

If you have both 2016 and 2013 products in need of patching, the download has to be completed separately.

 

[Screenshots: Office365Tool; Deployment Tool Options]

[Screenshots: 2016 Content; 2013 Content]

   
  2. Create an Office365 folder under the LDLogon\Patch share that contains the patch file(s):

 

\\Core_Server\LDLogon\Patch\Office365

Patch Location

 

Updated Office 365 patching is not designed to take advantage of our download technology. The client device will NOT download o365 patch files from a preferred server or peer device. The files will be retrieved from the default or non-default patch location.


 

Non-Default Patch Location

 

This section is only applicable to those who have changed the default download location for patches. After downloading the Office 365 patch updates and installation data with the Ivanti Office 365 tool, the following SOURCE will be in the vulnerability definition:

 

Office 365 (2016)

 

httpSourcesURL="Core_Server/LDLogon/Patch/Office365/DeploymentToolType/Channel/Architecture"

 

Ex: httpSourcesURL=http://2016E/ldlogon/patch/office365/2016/current/x64

Office 365 (2013)

httpSourcesURL=http://Core_Server/LDLogon/Patch/Office365/DeploymentToolType

 

Ex: httpSourcesURL= http://2016E/ldlogon/patch/office365/2013

 

In order for the Patch Install Commands in the vulnerability definition to interpret the correct patch location, the Custom Variable will have to be set in every MSO365 vulnerability definition.

 

To do this, open the properties of the definition and select the Custom Variables tab. By default, the value specified resolves to the default patch location.

You will need to explicitly set the value to reflect the location where your patches reside.

 

The Patch Install Commands section of the definition utilizes a script that resolves the Custom Variable.
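
As an added example (not Ivanti's code and not part of the original article), the PowerShell function below checks a value intended for the Custom Variable against the two httpSourcesURL layouts shown above before it is entered into each MSO365 definition. The function name, the `LocalOffice365Root` parameter and the x86/x64 architecture check are assumptions.

```powershell
# Added example, not Ivanti code. Checks an httpSourcesURL value against the
# two layouts shown above:
#   2016: http://<server>/<patch location>/Office365/2016/<Channel>/<Architecture>
#   2013: http://<server>/<patch location>/Office365/2013   (no channel support)
function Test-O365PatchSource {
    param(
        [Parameter(Mandatory)] [string] $HttpSourcesUrl,
        # Hypothetical parameter: local folder that is published as .../Office365
        [string] $LocalOffice365Root
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'
    $tail = @()
    $uri = $null
    if (-not [Uri]::TryCreate($HttpSourcesUrl.Trim(), [UriKind]::Absolute, [ref] $uri)) {
        $problems.Add('not an absolute URL')
    } else {
        # Everything after the Office365 folder: DeploymentToolType[/Channel/Architecture]
        $m = [regex]::Match($uri.AbsolutePath, '(?i)/office365(?:/(?<rest>.*))?$')
        if (-not $m.Success) { $problems.Add('path has no Office365 folder') }
        else { $tail = @($m.Groups['rest'].Value -split '/' | Where-Object { $_ }) }
    }
    $tool = if ($tail.Count) { $tail[0] } else { '' }
    if ($problems.Count -eq 0) {
        if ($tool -eq '2013') {
            if ($tail.Count -ne 1) { $problems.Add('2013 has no channel support; URL must end at /Office365/2013') }
        } elseif ($tool -eq '2016') {
            # Assumption: x86 and x64 are the only architecture folders
            if ($tail.Count -ne 3) { $problems.Add('2016 needs /Office365/2016/<Channel>/<Architecture>') }
            elseif ($tail[2] -notin 'x86', 'x64') { $problems.Add("unexpected architecture '$($tail[2])'") }
        } else { $problems.Add('DeploymentToolType must be 2013 or 2016') }
    }
    # Optional on-disk check: the folder the clients will be sent to must exist
    if ($problems.Count -eq 0 -and $LocalOffice365Root) {
        $folder = Join-Path $LocalOffice365Root ($tail -join '\')
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) { $problems.Add("folder not found: $folder") }
    }
    [pscustomobject]@{ Url = $HttpSourcesUrl; Valid = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

# Constructed sample values; 2016E is the server name from the examples above
'http://2016E/ldlogon/patch/office365/2016/current/x64',
'http://2016E/ldlogon/patch/office365/2013',
'http://2016E/ldlogon/patch/office365/2013/current/x64',
'2016E/ldlogon/patch/office365/2016/current/x64' |
    ForEach-Object { Test-O365PatchSource -HttpSourcesUrl $_ } | Format-List
```

The first two sample values pass; the third is rejected because a 2013 URL carries a channel and architecture, and the fourth because it is not an absolute URL.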

 


 

References

How to change the default Patch Location for Security and Patch Manager

Microsoft Office 2016 Deployment Tool

Microsoft Office 2013 Deployment Tool for Click-to-Run

Patch view Q ends with D?


Sorry for the newbie question here, but when I search for a Q, KB I see two entries, one expected and the other ending with the letter "D". All the single letters make it hard to create a meaningful query to search. The bulletins appear identical so I wonder which to choose. I am just trying to populate a Patch Group for February.


No Patch for Java JRE 8u162


Why is there no Patch for Java JRE8u162?

I can only Patch JDK8-162_INTL

The latest JRE Patch is JRE8u152
