Channel: Ivanti User Community : All Content - Patch Manager

Incorrect Patch settings


I have seen this multiple times, but it is getting a little too time-consuming to keep tracking this down.  I'd like to understand why you, the patch management folks, continually check the wrong box.

LANDESK Patch News Bulletin: Microsoft has Released KB3020369 Which Fixes a WMF 4.0 Issue 14-MAY-2015

 

Clearly states that it is for Windows 2008 R2 with the RODC Role running.  Why then do I have 100's of Windows 7 machines with this patch failing?  Well maybe this is the answer.

With incorrect settings that blatant, it's going to be difficult to use this product to keep my environment secure.  It's not only detecting on devices it doesn't affect, it is not being detected on devices it does affect.

Can someone from Ivanti answer this question, and maybe put some QA in place since this is not the first time I have had to battle this?


How to troubleshoot Core Server patch content download issues




This document details common patch content download issues and the steps for troubleshooting and resolving them.

 

Log Locations

 

Patch content download activity

 

  • \Program Files\LANDESK\ManagementSuite\log\console.exe.log
  • \Program Files\LANDESK\ManagementSuite\log\vaminer.log
  • \Program Files\LANDESK\ManagementSuite\log\vaminer.details.log

 

Antivirus content (pattern files) downloads

 

  • \Program Files\LANDESK\ManagementSuite\log\getbases.exe.log
  • \Program Files\LANDESK\ManagementSuite\log\updatevirusdefinitions.exe.log

 

Cannot connect to Ivanti Patch Content servers and/or vendor patch download locations

 

Patch Content Servers - DNS Resolution

 

There are three different patch content servers. DNS on the core server must be able to resolve these hostnames.

 

  • US West Coast (patch.LANDESK.com)
  • US East Coast (patchec.LANDESK.com)
  • EMEA (patchemea.LANDESK.com)

 

In addition, the Ivanti core server will contact the following addresses:

 

  • community.LANDESK.com
  • cswebtools.LANDESK.com
  • license.LANDESK.com
  • Various vendor patch URLs as detailed in this article.

 

Ivanti Antivirus URLs used

If using Ivanti Antivirus, the following URLs will be used for pattern file downloads:

[1-9] and [01-19] denote separate entries such as http://downloads1.kaspersky-labs.com and http://dnl-01.geo.kaspersky.com.

Open Ports

 

The following ports need to be allowed to the core server:

  • Port 80 (for access to patch download URLs)
  • Port 21 (for access to patch downloads from FTP sources)
  • Port 443 (for secure HTTPS access to the patch content servers)
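
The DNS and port requirements above can be checked in one pass from the core server. The following PowerShell script is an added example, not part of the original article or Ivanti's tooling; the function names and the -VendorHost parameter are assumptions made for the illustration, and vendor download hosts must be supplied by the operator because this page does not list them.

```powershell
# Added example, not Ivanti code. Run on the core server.
# These are direct TCP tests: they do not go through an HTTP proxy, so behind a
# proxy-only egress a port failure here is expected and the proxy settings apply.
param(
    # Assumption: vendor download hosts come from your own allow-list; none are hard-coded.
    [string[]] $VendorHost = @(),
    [int] $TimeoutMs = 3000
)

# Hostnames exactly as listed in the article.
$contentServers = 'patch.LANDESK.com', 'patchec.LANDESK.com', 'patchemea.LANDESK.com'
$otherHosts     = 'community.LANDESK.com', 'cswebtools.LANDESK.com', 'license.LANDESK.com'

function Resolve-HostAddress {
    param([Parameter(Mandatory)] [string] $HostName)
    try {
        # System resolver: honours the hosts file and the DNS servers the core actually uses.
        [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
    } catch {
        # Name not found or no DNS server answered: emit nothing.
    }
}

function Test-TcpPort {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [int] $Port,
        [int] $TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        # Wait() returns $false on timeout and throws when the connection is refused.
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Ports to test per host: 443 for the content servers, 80 and 21 for vendor
# download sources. The other Ivanti hosts are checked for DNS resolution only.
$targets = [ordered]@{}
foreach ($h in $contentServers) { $targets[$h] = @(443) }
foreach ($h in $otherHosts)     { $targets[$h] = @() }
foreach ($h in $VendorHost)     { $targets[$h] = @(80, 21) }

$report = foreach ($h in $targets.Keys) {
    $addresses = @(Resolve-HostAddress -HostName $h)
    $row = [ordered]@{
        HostName  = $h
        Resolved  = ($addresses.Count -gt 0)
        Addresses = ($addresses -join ', ')
    }
    foreach ($p in 443, 80, 21) {
        $row["Port$p"] = if ($targets[$h] -notcontains $p) {
            'n/a'        # this port is not required for this host
        } elseif ($addresses.Count -eq 0) {
            'no DNS'     # a port test is meaningless without name resolution
        } elseif (Test-TcpPort -HostName $h -Port $p -TimeoutMs $TimeoutMs) {
            'open'
        } else {
            'blocked'
        }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize
```

A row showing "no DNS" points at the resolver configuration on the core server, while "blocked" with a resolved address points at a firewall or a proxy-only egress path.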

 

Proxy Configuration recommendations

 

Check the proxy configuration and credentials within the Proxy tab of the Download Updates section of the Patch and Compliance tool.

  • Is it set to use a proxy server?
  • Does your environment require a proxy server?
  • Is the proxy server address correct? (Can the core server reach the IP, server name or FQDN?)
  • Is the port correct for what the proxy server is configured to use?
  • Is this an HTTP based proxy?
  • Does it require login credentials?

 

If it does require login credentials which format does it require?

 

 

  • DOMAIN\username
  • username
  • username@domain.com

 

Some proxy servers require authentication protocols not supported by Ivanti (such as NTLMv2).

 

 

Vulnerability content category not showing up in the Download Updates window

 

The following steps should be followed:

 

  1. From the Start menu on the core server go to All Programs --> Ivanti --> and run "Core Server Activation"
  2. Within the "Activate Ivanti Core Server" utility click on "Licenses"
  3. Compare the licenses listed with your licensing agreement.  Are any expired?  Do you have all of the licenses you expect to have?
  4. Reactivate the core server by clicking on "Activate"

 

If anything is missing, incorrect (such as a wrong product version), or shows as expired, you should reactivate your core server.

 

From within the Core Server Activation Tool, make sure the Contact Name and Password are correct and click "Activate".

 

If you have reactivated and the information still does not appear correct, contact Ivanti Support to investigate further.  If either is expired, contact your Sales Representative or the Licensing Queue at Ivanti Support for further assistance.  This can be done through the Self Service Portal or via Telephone.

 

It is advisable to give Ivanti Support a screenshot of the Licensing screen from the Core Activation Utility.

 

A particular vendor's updates fail to download - Likely Proxy configuration required

 

If a particular vendor's updates fail to download (for example Adobe, Java, etc), this is most likely due to a proxy or other internet appliance configuration.

 

The proxy or Internet appliance must be configured to allow the core server access to various vendor download sites, both on HTTP and FTP.

 

For a complete list of the URLs used by Ivanti patch content, consult this article.

 

How to exclude scanning of patches from a certain vendor

 

For patches that are already in the Scan folder that are from the vendor you wish to exclude:

 

  1. In the "Find" section put in the name of the vendor you wish to exclude and then under "In column" select "Vendor"
  2. Select all of the vendor patches that show as a result of the search, and then drag them into the "Do Not Scan" folder.

 

To automatically assign the unwanted vendor patches to the "Do not scan" folder as they are downloaded:

 

  1. Click the "Download updates" tool. (Yellow diamond with black down arrow).
  2. Under "Definition Grouping" click the "Definition group settings" button. 
    The definition grouping option is not available in SP2 or earlier; it is a feature added with the Patch Manager component patch.
  3. Click "New" to define a new filter.
  4. Select "Vulnerability" under "Definition Type" and "Any" under "Severity"
  5. Under "Comparison" select "Vendor" and "equals" and put in the vendor name you wish to exclude.

 

Patch storage folder resetting back to defaults


See the article Patch Download Settings - custom settings reverted back to original options

 

How to change the default patch download location

 

See the article How to change the default Patch Location for Security and Patch Manager?

 

How long will it take for Ivanti to release new vulnerability definitions?

 

Security patch updates are generally available within a 48-hour window.

 

Error "Hash for patch does not match with host. Discarding." when downloading content

 

See article Error when downloading content "Hash for patch does not match with host. Discarding."

 

Error: "Waiting for file lock" when downloading patch content

 

When this error occurs, there is likely another update process that is still taking place, possibly from a scheduled task, or a previous download process has hung.

 

Another possible cause is another user logged into the core server using Remote Desktop in a separate session.

 

Typically closing and reopening the Management Suite console will resolve this error.

 

If a Remote Desktop session is not being used or is being used in an Admin Session, and the Core Server has been rebooted and the error still does not go away, it is possible that there is a lock entry in the database that needs to be cleared.

 

Within SQL Management Studio, connect to the Management Suite database, open the Query Tool, and do the following:

select * from PatchSettings where Name like '%LOCK.UpdVulnLock%'

If entries are returned, those rows should be deleted.

In order to delete the rows, run the following query:

delete from PatchSettings where Name like '%LOCK.UpdVulnLock%'

 

 

Error: "Object does not match the specified SHA-256 hash"

 

When trying to download updates for definitions through Patch and Compliance Manager, one of the following errors is given for all patches:

 

"Object does not match the specified SHA-256 hash" or "Signature is not valid, failed to download platform information"

 

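To resolve this, uncheck the box "Verify definition signatures/hashes before downloading" on the Content tab of the Download Updates window. According to the content verification article on this page, the option cannot be disabled in EPM 2017.1 and newer, and these errors almost always trace back to the core server's internet or proxy connection.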

 

Error: "You have not specified a site from which to download updates" when downloading updates in Patch Manager

 

See article Error: "You have not specified a site from which to download updates" when downloading updates in Patch Manager

Patch repair task fails with return code 412



Description

 

This issue normally happens after switching to the new patch engine.

When you check vulscan.log, you will find errors like the following:

Tue, 27 Mar 2018 10:13:59 Command Interpreter running

Tue, 27 Mar 2018 10:13:59 Unable to create object TimberWrapper. Error: ActiveX component can't create object (429)

Tue, 27 Mar 2018 10:13:59 ReportRepairResult returned failure: Failed to initialize scan engine

Tue, 27 Mar 2018 10:13:59 Message returned from repair script was Failed to initialize scan engine

Tue, 27 Mar 2018 10:13:59 ERROR(RunVbScript) Failed to run command  - 80004005

Tue, 27 Mar 2018 10:13:59 DownloadPatch ERROR: Failed to run commands (80004005).


Reason

The Timber folder is not available on the core server. This issue normally happens on a dark core server.

 


Resolution

Copy the folders and files under the Timber folder from the light core to the dark core.

Status marked as detected because pre-req check failed and c:\programdata\landesk\timber does not exist


Vulnerability scans are failing with Status marked as detected because pre-req check failed.  I checked for the timber folder and it did not get created. How do we get that folder created?

MS18-03-4100480_INTL is not available to download


I don't know why but I am not able to find the new vulnerability definition which targets the Windows kernel update for CVE-2018-1038. Could you please tell me if someone was able to download this vulnerability definition?

Pre-Req Check Failed


Issue

When attempting to patch, there are a large number of detections of vulnerabilities that are not applicable to the client machine. When scanning, these definitions are flagged as detected for the reason "Pre-req Check failed." This can cause numerous failures, bloated detected definition results, and incorrect logging.

 

 

Symptoms

To know whether or not you are getting a Pre-req check failure there are a few symptoms you can look for in order to know if this is the cause of your patch failures. This issue only occurs with Next Gen vulnerabilities.

 

1. Scan Failed returns

One of the first symptoms most customers notice is an abundance of "Scan Failed, Failed to start scan" returns in their clients' patching history. These returns are an indication that the core server received a failure to start the scan during vulscan. This is due to important files not being in the proper location during the scan; more on that later.

2. Bloated "All Detected" patches list

The second symptom that can point to a Pre-req check failure is a bloated "All Detected" folder in Patch and Security. This is normally filled with a large number of detections of either previously undetected or not applicable vulnerabilities. Since there was a failure during the scan for these vulnerabilities, they will be flagged as detected and will show up in this folder. When selecting one of your definitions you will see the reason for detection as "Pre-Req Check Failed."

 

3. Ivanti folders on the root of C:\

The final symptom of this issue is the presence of two Ivanti folders in the root of C:\.  "vulScan" and "LANDesk" will appear in the root of C:\ instead of the locations "ProgramData" and "Program Files (x86)" respectively. This is caused by them not being properly configured to the proper locations.

 

Resolution

This issue can be easily resolved by correcting the registry key where the vulScan folder should be properly located. Open Regedit and locate the following key

 

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

 

Here you will find the CommonAppData key. If you are experiencing this issue it is caused by this key being blank. Simply add "C:\ProgramData" without the quotes then run a scan. This should allow for a proper scan and the vulScan and LANDesk folders will properly update in their designated locations. You are free to delete the folders on the C:\ root without any impact on the product.

It is recommended that you restart the client after changing this key to ensure it is properly changed.
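
To check a client for this condition without opening Regedit, the registry value and the stray root folders can be inspected together. The following PowerShell script is an added example, not part of the original article or Ivanti's tooling; the -Repair switch and parameter names are assumptions made for the illustration, and the default value name reflects that Windows stores this Shell Folders entry as "Common AppData".

```powershell
# Added example, not Ivanti code. Read-only unless -Repair is given.
[CmdletBinding(SupportsShouldProcess)]
param(
    # The article calls the value "CommonAppData"; regedit shows it as "Common AppData".
    [string] $ValueName = 'Common AppData',
    [string] $Expected  = 'C:\ProgramData',
    [switch] $Repair    # hypothetical switch name chosen for this example
)

$keyPath = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Folders'

# The key is absent on 32-bit Windows, where Wow6432Node does not exist.
$regKey  = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
$current = if ($regKey) { $regKey.GetValue($ValueName) } else { $null }
$blank   = [string]::IsNullOrWhiteSpace($current)

# Symptom 3 from the article: vulScan and LANDesk created in the root of C:\.
$stray = @('C:\vulScan', 'C:\LANDesk' |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container })

$repaired = $false
if ($Repair -and $regKey -and $blank) {
    # ShouldProcess makes -WhatIf and -Confirm work for the single write this script does.
    if ($PSCmdlet.ShouldProcess("$keyPath\$ValueName", "set to $Expected")) {
        Set-ItemProperty -LiteralPath $keyPath -Name $ValueName -Value $Expected
        $repaired = $true   # the article recommends restarting the client afterwards
    }
}

# One object per machine so results from many clients can be collected and filtered.
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    KeyPresent   = [bool]$regKey
    Value        = $current
    ValueBlank   = $blank
    StrayFolders = ($stray -join ', ')
    Repaired     = $repaired
}
```

The script leaves the stray folders in place; it only reports them so they can be removed after a successful scan.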


Patch Tasks Failing - Return Code 468 - Attempt to logon as specified user failed


Many of our devices are failing with the result of Attempt to logon as specified user failed.  Ideas on what could be causing this?  Thanks for your help.

Installing BIOS Updates


Hello,

 

I am trying to install BIOS updates for the Spectre/Meltdown vulnerabilities, and so far the console says the client is processing the request but in reality the client is just sitting idle and not processing anything.

 

I've built Distribution packages using the extracted EXE from the Patch supplied by HP and all I get is dead air.

 

Has anyone else deployed BIOS Patches?  Any suggestions?

 

Thanks,

 

Matt


stop windows 10 updating by itself


We want to stop Windows 10 from downloading and installing updates off the Microsoft site.  We used to do this with group policy in the Windows 7 days but this seems to be disabled or doesn't work now.  How are other folks handling this?  We only want to patch using Ivanti.

Microsoft Patch Definition Naming Convention


Starting on Patch Tuesday April 10, 2018 the ID names will change to follow the description below.

Windows 10 and Office updates are now under their own ID and content can be searched by KB numbers after Tuesday April 10, 2018

Overview

Starting with the April 11th 2017 Patch Tuesday, Microsoft no longer uses a traditional naming format for Security Bulletins. To help our customers, we created our own naming format as follows:

 

 

The new Security Bulletin mappings our products will be using: MS[YY]-[MM]-[PP]-[KB]

 

  • MS = Microsoft
  • YY = Year
  • MM = Month Released
  • PP =  Product
  • Followed by the KB number

Here are some examples:

  • MS18-03-OFF-3114416_INTL
    • All Office patches
  • MS18-03-IE-4089187_INTL
    • All IE patches
  • MS18-03-AFP-4088785_INTL
    • All Microsoft released Flash patches
  • MS18-03-W10-KB4088776_INTL
    • All Windows 10 patches, rollups and Deltas
  • MS18-03-SO7-4088878_INTL
    • Security Only Update for Windows 7 and Server 2008 R2
  • MS18-03-SO8-4088880_INTL
    • Security Only Update for Server 2012
  • MS18-03-SO81-4088879_INTL
    • Security Only Update for Windows 8.1 and Server 2012 R2
  • MS18-03-MR7-4088875_INTL
    • Monthly Rollup for Windows 7 and Server 2008 R2 (this is the rollup that includes non-security fixes)
  • MS18-17-MR8-4088877_INTL
    • Monthly Rollup for Server 2012 (this is the rollup that includes non-security fixes)
  • MS18-03-MR81-4088876_INTL
    • Monthly Rollup for Windows 8.1 and Server 2012 R2 (this is the rollup that includes non-security fixes)

 

 

.NET Patches will follow a slightly different naming scheme:

  • MS[YY]-[MM]-[TT][PP]-[KB]
    • YY = Year
    • MM = Month
    • TT = Type (Security Only or Monthly Rollup)
    • PP = Product (.NET)
    • KB = Parent KB
  • MS17-12-SONET-1234567
    • Security only patches associated with that parent KB
    • Security patch type
  • MS17-12-MRNET-1234567
    • Monthly Rollup associated with that parent KB
    • Non-Security patch type

Non-security .NET Patches also have a slightly different naming scheme:

  • MSNS[YY]-[MM]-[TT][PP]-[KB]
    • YY = Year
    • MM = Month
    • TT = Type (Quality Preview or Quality Rollup)
    • PP = Product (.NET)
    • KB = Parent KB
  • MSNS17-12-QPNET-1234567
    • Quality Preview patches associated with that parent KB
    • Non-Security patch type
  • MSNS17-12-QRNET-1234567
    • Quality Rollup associated with that parent KB
    • Non-Security patch type

 

Additional Information

Additional Naming Conventions

  • QP = Quality Preview
  • NS = Non-Security
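
The naming schemes above can be parsed mechanically, which helps when filtering or reporting on definition IDs. The following PowerShell function is an added example, not part of the original article or Ivanti's tooling; the function name, the output fields and the reading of YY as 20YY are assumptions made for the illustration, and the product table contains only the codes shown in the examples above.

```powershell
# Added example, not Ivanti code: split a definition ID into the fields described above.
function ConvertFrom-DefinitionId {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Id)

    begin {
        # Product codes (PP) exactly as they appear in the article's examples.
        $products = @{
            OFF  = 'Office'
            IE   = 'Internet Explorer'
            AFP  = 'Flash (Microsoft released)'
            W10  = 'Windows 10 (patches, rollups and deltas)'
            SO7  = 'Security Only: Windows 7 / Server 2008 R2'
            SO8  = 'Security Only: Server 2012'
            SO81 = 'Security Only: Windows 8.1 / Server 2012 R2'
            MR7  = 'Monthly Rollup: Windows 7 / Server 2008 R2'
            MR8  = 'Monthly Rollup: Server 2012'
            MR81 = 'Monthly Rollup: Windows 8.1 / Server 2012 R2'
        }
        # .NET type codes (TT) with the patch type the article gives for each.
        $netTypes = @{
            SO = @('Security Only',   'Security')
            MR = @('Monthly Rollup',  'Non-Security')
            QP = @('Quality Preview', 'Non-Security')
            QR = @('Quality Rollup',  'Non-Security')
        }
        # MS or MSNS, YY, MM, code, optional "KB" before the number, optional _SUFFIX.
        $pattern = '^(?<prefix>MSNS|MS)(?<yy>\d{2})-(?<mm>\d{2})-(?<code>[A-Z0-9]+)-(?:KB)?(?<kb>\d+)(?:_(?<suffix>\w+))?$'
    }
    process {
        $out = [ordered]@{
            Id = $Id; Valid = $false; NonSecurityPrefix = $null; Year = $null; Month = $null
            Product = $null; PatchType = $null; KB = $null; Suffix = $null; Problem = $null
        }
        $m = [regex]::Match($Id.Trim(), $pattern, 'IgnoreCase')
        if (-not $m.Success) {
            $out.Problem = 'does not match MS[YY]-[MM]-[PP]-[KB]'
            return [pscustomobject]$out
        }
        $code  = $m.Groups['code'].Value.ToUpperInvariant()
        $month = [int]$m.Groups['mm'].Value
        $out.NonSecurityPrefix = ($m.Groups['prefix'].Value -eq 'MSNS')
        $out.Year   = 2000 + [int]$m.Groups['yy'].Value   # assumption: two-digit years are 20YY
        $out.Month  = $month
        $out.KB     = 'KB' + $m.Groups['kb'].Value
        $out.Suffix = $m.Groups['suffix'].Value

        if ($code -match '^(?<tt>SO|MR|QP|QR)NET$') {
            $type = $netTypes[$Matches['tt']]
            $out.Product   = ".NET $($type[0])"
            $out.PatchType = $type[1]
        } elseif ($products.ContainsKey($code)) {
            $out.Product = $products[$code]
        } else {
            # The article's list is a set of examples, so an unknown code is reported, not rejected.
            $out.Product = "unlisted code '$code'"
        }
        if ($out.NonSecurityPrefix) { $out.PatchType = 'Non-Security' }

        if ($month -lt 1 -or $month -gt 12) {
            $out.Problem = "month $month is out of range"
        } else {
            $out.Valid = $true
        }
        [pscustomobject]$out
    }
}

# IDs taken from the article, plus one constructed ID with an impossible month.
'MS18-03-SO7-4088878_INTL', 'MS18-03-W10-KB4088776_INTL', 'MS17-12-SONET-1234567',
'MSNS17-12-QPNET-1234567', 'MS18-13-OFF-0000000_INTL' |
    ConvertFrom-DefinitionId |
    Format-Table Id, Valid, Year, Month, Product, PatchType, KB, Problem -AutoSize
```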

 

Microsoft released the following article for FAQ on the changes made: Security Updates Guide dashboard and API:

 

Q: Why is the security bulletin ID number (e.g. MS16-XXX) not included in the new Security Update Guide?

A: The way Microsoft documents security updates is changing. The previous model used security bulletin webpages and included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation, including bulletin ID numbers, is being retired and replaced with the Security Update Guide. Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers and KB Article ID numbers.

Citrix Receiver version 4.9.2000 patch


 

Hi

 

I've been struggling to deploy any Citrix patches beyond version 4.8. The patch definitions (in my mind) appear to be wrong or the downloads do not work.

 

Does anyone have any idea what we are supposed to do with the latest Citrix patch definition that came through last night?

It is not downloadable and gives no information in the description as to whether this is a manual download or not.

 

Presumably I have to find the same version from Citrix manually, in which case, do I then have to rename the file?

 

 

 

Many thanks for any help you can offer!

 

 

How to leverage Linux vendor tools to remediate vulnerabilities


Ivanti customers want a solution that will allow them to remediate Linux vulnerabilities that are discovered on their client machines. This involves being able to determine what dependencies are required to install the packages for the detected Linux vulnerability. The remediation process needs to account for (install) dependencies that are required so that the vulnerability can be remediated completely.

Ivanti has implemented a solution to invoke the Linux vendors’ patching tools which will resolve the patch dependencies. The vendor tool will download and install both the dependencies and the detected vulnerability package. This functionality will be called from the Ivanti vulnerability content section that performs the repair function. By leveraging the Linux vendor’s patching tools, we are able to resolve patch dependency issues.

 

Please see the attached document for details.

Force a patch install?


I need to install KB3212646 x64 on a large group of PCs as it has several binaries we need.  We are unable to install future monthly roll-ups until we successfully install kb3212646.  When I attempt to push it out it shows successful, yet when I go into the logs I find the following:

 

Thu, 05 Apr 2018 08:12:10 Current Definition ID: 3212646v2_MSU

Thu, 05 Apr 2018 08:12:10 Checking vulnerability 3212646v2_MSU, rule index 0 ('windows6.1-kb3212646-x64.msU')

Thu, 05 Apr 2018 08:12:10 File OSVERSION version (6.1.7601.1)

Thu, 05 Apr 2018 08:12:10 File OSVERSION version within specified

Thu, 05 Apr 2018 08:12:10 Prod Windows Server 2008 R2 x64 Service Pack 1 (ID:WIN2K8R2X64SP1) verified OSVERSION, found: 6.1.7601.1

Thu, 05 Apr 2018 08:12:10 File C:\Windows\system32\kerberos.dll version (6.1.7601.24059)

Thu, 05 Apr 2018 08:12:10 File C:\Windows\system32\kerberos.dll version within specified

Thu, 05 Apr 2018 08:12:10 Running detection script

Thu, 05 Apr 2018 08:12:10 Checking this file: C:\Windows\System32\kerberos.dll's Version is: 6.1.7601.24059

Thu, 05 Apr 2018 08:12:10 Patch version already higher then this one.

Thu, 05 Apr 2018 08:12:10 VUL: '3212646v2_MSU' (windows6.1-kb3212646-x64.msu) not detected.  File/OS version(s) verified

Thu, 05 Apr 2018 08:12:10    Patch is NOT installed

Thu, 05 Apr 2018 08:12:10 Checking vulnerability 3212646v2_MSU, rule index 1 ('windows6.1-kb3212646-x86.msu')

Thu, 05 Apr 2018 08:12:10      No affected platforms were found.

Thu, 05 Apr 2018 08:12:12 Last status: Done

 

Looking at the detection logic under Files, Landesk is looking for min version 6.1.7601.23642.  I have attempted to clone the task and remove the detection files but will either get the same message or a "the patch is already installed" message.  Looking directly at the computer, KB3212646 is not showing as installed.  When we install the patch manually, it succeeds without issue.

 

Anyone have any thoughts to a way around this?

 

Thank you!

-Alex

How To: Create Definition Download Settings in Download Updates


How To:

How to create Definition download settings in Download Updates

 

There are many different reasons a customer would benefit by utilizing Definition download settings. In this example, we will be using the following scenario:

I want the devices in my environment to only scan Microsoft vulnerabilities.

 

Step by Step:

1. In Patch and Compliance, click on the Download updates icon


2. Click on Definition download settings...


3. Click New


4. In the Filter tab, under Definition type and severity, choose Vulnerability and Any

5. Under Comparison, choose Vendor, choose Contains, type in Microsoft


6. Click on the Scan tab

7. Check the box for Assign scan status

8. Check the box for Disable any rules this definition replaces

9. Change Global scan status to Scan (global)


10. In this scenario, I do not want my devices to Autofix, so I am leaving that tab untouched

11. I am also not utilizing the Groups and Tags tab in this scenario

12. Same for the Rollout projects tab

13. Click OK

14. You will now see the Definition download setting you have just created


15. Click Close

16. Since I only want my devices to scan for Microsoft vulnerabilities, I want all other definitions to be put in Unassigned so that my devices will not scan for them. Under Definition grouping, change Set new definition scan status to Unassigned


17. Click Apply

 

Now that you have made these changes, you will need to create a Scheduled download task. If you already have one, delete it as it will not contain the changes you just made.

 

18. After you have clicked Apply, click on Schedule download


19. In this window you can review your download settings. Notice how there is now information in the Patch and definition settings box


20. Click OK

21. This creates a Scheduled task. Click on Schedule task and specify when you would like Download updates to run. In this case, I would like my core to download updates every day at 6am


22. You will now see a recurring task in Scheduled tasks for 'Download patch content'


**When this task runs, the new definition download setting will take effect. Any definitions that have been downloaded before this will not be affected by the definition download setting you just created.**

How to patch Office 365


Overview:

Ivanti Patch and Compliance now provides support for Office 365 versions 2013 and 2016.  Patch and Compliance administrators can now scan, detect, and remediate client devices that have Office 365 installed. For Office 365 version 2013, Ivanti leverages the Microsoft Office Deployment Tool to perform the remediation tasks for updating Office 2013 installations. For Office 365 version 2016, Ivanti has developed an Office COM API to perform remediation tasks for updating Office 2016 installations. Ivanti provides a utility (Office365Util.exe) for you to use to download the Office installation data and to check the hash for Office 2016 installation data. When the Office patches are downloaded, Ivanti Endpoint Manager will check the hash on the pertinent files to ensure validity.

 

High Level Process

 

  1. The Ivanti administrator downloads Office 365 definitions from the Ivanti global servers.
  2. Once the Office 365 definitions are downloaded to the core, the Ivanti administrator can scan for those Office 365 vulnerabilities.
  3. In order to remediate (apply latest patches) detected vulnerabilities, the Ivanti administrator has to manually run, on the core machine, a new tool provided by Ivanti (Office365Util.exe). Using this tool, the Ivanti administrator can choose the Office 365 versions that are relevant to the environment. The Ivanti Office 365 utility will download the patch binaries and the Microsoft Office deployment tool from the Microsoft cloud.
  4. Once the patch binaries are downloaded to the core, the Ivanti administrator can apply the patches to all vulnerable endpoints using the standard method of applying patches.

Step 1: Download Content

 

Customers download the Office 365 vulnerability definitions, the O365Util.dll, and the Office365Util.exe from the Ivanti Global Host Content Server by downloading the latest Microsoft Windows Vulnerabilities.

 

[Screenshots: Download Updates (Microsoft Windows Vulnerabilities); Updating Definitions (Office365Util.exe/O365Util.dll); Updating Definitions (MSO365); MSOFFICE 365 (Vul_Defs); MSO365 (Vul_Defs)]

Step 2: Launch Office365Util.exe

 

Upon successful content download, an Office365Utility folder is created under the LDLogon share and will contain the Office365Util.exe file provided by Ivanti.

 

\\Core_Server\LDLogon\Office365Utility

 

This utility will allow you to select the specifics regarding the Office 365 product you are patching. Launch this utility directly from C:\Program Files\LANDesk\ManagementSuite\ldlogon\Office365Utility\ by double-clicking on Office365Util.exe (do not try to run it via the network share \\Core_Server\LDLogon\Office365Utility or \\localhost\LDlogon\Office365Utility as you will get an error).

 

Step 3: Select Options from Office365Util

 

The view provided below displays the available options inside of the Office365Util application (Ivanti Office 365 Utility for Patch and Compliance):

There is no Channel support for Office 2013

 

[Screenshots: Platforms; Deployment Tools; Channels; Office 365 (2013) Product List View]

 

In order to successfully patch Office 365, select which Office 365 patch product updates to download in order to support client remediation. After selecting the desired product updates from the Ivanti Office 365 Utility for Patch and Compliance application, click START.

 

 


 

Office 365 Tool

 

The START action will do two things:

 

  1. Create an Office365Tool folder under the LDLogon share and process the Microsoft setup.exe file

    \\Core_Server\LDLogon\Office365Tool

This folder will contain the Deployment Tool Type (2016 or 2013) selected during the download and all relative installation data applicable to the options selected in the Ivanti Office 365 Utility for Patch and Compliance application. The display below will outline the contents of both Deployment Tools (2016 and 2013).

 

If you have both 2016 and 2013 products in need of patching, the download has to be completed separately.

 

[Screenshots: Office365Tool; Deployment Tool Options; 2016 Content; 2013 Content]

  2. Create an Office365 folder under the LDLogon\Patch share that contains the patch file(s):

 

\\Core_Server\LDLogon\Patch\Office365

Patch Location

 

Updated Office 365 patching is not designed to take advantage of our download technology. The client device will NOT download o365 patch files from a preferred server or peer device. The files will be retrieved from the default or non-default patch location.


 

Non-Default Patch Location

 

This section is only applicable to those who have changed the default download location for patches. After downloading the Office 365 patch updates and installation data with the Ivanti Office 365 tool, the following SOURCE will be in the vulnerability definition:

 

Office 365 (2016)

 

httpSourcesURL="Core_Server/LDLogon/Patch/Office365/DeploymentToolType/Channel/Architecture"

 

Ex: httpSourcesURL=http://2016E/ldlogon/patch/office365/2016/current/x64

Office 365 (2013)

httpSourcesURL=http://Core_Server/LDLogon/Patch/Office365/DeploymentToolType

 

Ex: httpSourcesURL= http://2016E/ldlogon/patch/office365/2013

 

In order for the Patch Install Commands in the vulnerability definition to interpret the correct patch location, the Custom Variable will have to be set in every MSO365 vulnerability definition.

 

To do this open the properties on the definition and select the Custom Variables tab. By default the value specified will resolve to the default patch location.

 


 

You will need to explicitly set the value to reflect the location your patches reside.

 


 

The Patch Install Commands section of the definition utilizes a script that resolves the Custom Variable.

 


 

References

How to change the default Patch Location for Security and Patch Manager

Microsoft Office 2016 Deployment Tool

Microsoft Office 2013 Deployment Tool for Click-to-Run


Patch for Windows Agent installation/Registration


Hello community,

 

recently we started to test the Ivanti Patch for Windows solution for our company and I got stuck during the registration process of an agent via command prompt.

I can install the agent manually, with the "STPlatformUpdater.exe" => double click > choose "...connection to the console" > fill out the form > choose the policy > and the installation/registration is done, everything is fine so far.

 

Now I'm trying to accomplish the same task over the command prompt. To do that, I used the following guides:

for the installation: Installing Agents Using A Manual Installation S...|Shavlik User Community

for the registration: Installing an Agent with No Policy Using a Manu...|Shavlik User Community

 

So I started the installation with the example from the first link. Customized the values and inserted the command.

 

     STPlatformUpdater.exe /wi:"/qn /l*v install.log SERVERURI=https://XXX.XX.XX.XX:3121 POLICY=AgentPolicy_MyPolicy AUTHENTICATIONTYPE=PASSPHRASE PASSPHRASE=mysecret"

 

The agent got installed as described in the guide and I moved forward to the registration part.

Here again I used the example, customized the values, inserted the command BUT nothing happened.

    

     STAgentManagement.exe -register -p silent=true -p authType=SharedPassphrase -p passphrase=mysecret -p serverURI="https://XXX.XX.XX.XX:3121" -p policy="AgentPolicy_MyPolicy"

 

In the log files I got no notification or error message, only:

    

     Agent Registration Operation Log.

     Created Freitag, 6. April 2018 11:47:42

 

I tried to change some of the arguments in the command, executed the "STAgentManagement.exe" with the "-register" command only and tested some other commands (-list; -status, -monitor...) to see whether I get any result at all.

Most of the commands got executed but showed a blank list or "no task" notifications.

 

Now the question... what did I do wrong?

 

btw.

I checked the connection from console to agent and reverse - fine

I checked the name-resolution from both sides - fine too

And like I mentioned before, the manual installation/registration-process works fine as well

 

Thanks in advance for any advice.

About content verification in Ivanti Patch and Compliance Manager


Note: This feature is enabled by default in EPM 2017.1 and newer and cannot be disabled in these versions.

 

This article describes the content verification feature within Ivanti Patch and Compliance Manager.

When content verification is enabled, the Ivanti EPM Core server adds a hash check when it downloads content from the Ivanti EPM Patch Content servers.

The content verification feature applies to the content only; it does not apply to the individual patch files themselves. The patch file hash information is contained within the definition information and is verified as part of the patch installation process.

 

Content verification is only available for the following content types:

 

  • Microsoft Windows Vulnerabilities
  • Microsoft Windows Security Threats
  • LANDesk Updates

 

Note: When content verification is enabled, but content types other than the types mentioned above are downloaded (Apple Macintosh definitions, for example), errors may be thrown.

 

Example of errors for content types that do not support Content Verification:

 

(Signature is not valid)

(Failed to download platform information)

ContentVerificationErrors.jpg

 

This error is almost ALWAYS resolved by fixing the core server's connection to the internet.

  • Ideally, the core should be allowed directly through any proxy. If a proxy must be in place, its information should be filled out in the Proxy Settings tab within Download Updates.
  • If there are still failures, the proxy information should also be added to the Internet Explorer proxy option (Internet Options --> Connections tab --> LAN Settings --> Proxy Server).

 

Content verification can be enabled within the Download Updates tool under the Content Tab:

 

ContentVerificationTool.jpg

 

This feature was updated in Ivanti EPM 2017.3. The verification option is now greyed out as this feature is baked into the Patch Download Tool and enabled by default.

Verify definition signatures/hashes before downloading

NOTE: When checked, any definitions that do not have a valid SHA256 hash will not be downloaded. Also, any lists of definitions that do not have a valid signature will not be processed. The download progress form will show any download failures due to invalid/missing signatures or hashes.

 

Verification.jpg

EPM version 2017.3 Verification - Verify definition signatures/hashes before downloading

In EPM version 2017.3, the Verification option "Verify definition signatures/hashes before downloading" is enabled by default and cannot be disabled.

 

EPM version 2017.3 Management Console > Tools > Security and Compliance > Patch and compliance > Download updates > tab Content > Verification

 

Verify definition signatures/hashes before downloading

 

NOTE: When checked, any definitions that do not have a valid SHA256 hash will not be downloaded. Also, any lists of definitions that do not have a valid signature will not be processed. The download progress form will show any download failures due to invalid/missing signatures or hashes.

 

 

screenshot epm 2017.3 download updates content verification gray.png

 

A "Signature is not valid" error can occur if the core server cannot validate the certificate chain correctly. One cause of this is a failure to connect to the internet and the certificate servers properly.

 

(Signature is not valid)

(Failed to download platform information)

ContentVerificationErrors.jpg

 

This error is almost ALWAYS resolved by fixing the core server's connection to the internet.

  • Ideally, the core should be allowed directly through any proxy. If a proxy must be in place, its information should be filled out in the Proxy Settings tab within Download Updates.
  • If there are still failures, the proxy information should also be added to the Internet Explorer proxy option (Internet Options --> Connections tab --> LAN Settings --> Proxy Server).

March MS Office 2016 Patches Installed Multiple Times

I am seeing some strange issues with the March 6th MS Office 2016 patches. We have multiple computers showing that the patches are getting installed 3-4 times. When looking at the installed updates on Windows 10, it shows that the MS Office patches are installed 3 or more times on the same computer. If I go into Security and Patch Information, it shows that the patches were only installed once. I haven't seen this issue before and was wondering if anybody else is having the same issue? If not, is there something that I should be looking for when these patches are installing? We are currently on EPM 2017.3 SU1.

 

Here is a pic of 3 different updates being installed 3 times on the same computer on the same day.

multi install march.PNG

Here is a pic of the same computer's Security and Patch info for those patches

security and patch.PNG

MS SQL CAL needed for 1 core server

Any recommendations when installing Ivanti Patch Manager with an MS SQL database? What kind of CAL do we need for SQL, and how many?
