Description:

When trying to download updates for definitions through Patch Manager, the  errors as below is given:

As the verification option is now greyed out and enabled by default, we could not uncheck this verification to ignore this.

Reason：

Can't get to the site http://Cacerts.digicert.com to download the certificate from core server

The website was blocked

Resolution:

Check if Internet Explorer Browser Security setting block the certificate downloading

Check if local network firewall block the target address

In some cases you will be able to download manually but not in a scheduled task. Ensure the scheduler service account has internet access and ability to access the http://Cacerts.digicert.com site.

The following error messages were pulled out of the clients vulscan.log when attempting to patch Office 365.  I followed the document and have the patches in the folder specified.  I can browse to the patch folder in a web browser and see the files on the client.

Sun, 30 Sep 2018 16:16:11 -------------------Patch Installation----------------------

Sun, 30 Sep 2018 16:16:11 BeginWaitForMutex 'Global\vulscan_continue'

Sun, 30 Sep 2018 16:16:11 WaitForMutex 'Global\vulscan_continue' succeeded

Sun, 30 Sep 2018 16:16:11 Getting list of autofix patches

Sun, 30 Sep 2018 16:16:11 HTTP POST: http://LANDESK01.ck.c-k.com:443/WSVulnerabilityCore/VulCore.asmx

Sun, 30 Sep 2018 16:16:11 Setting a proxy...

Sun, 30 Sep 2018 16:16:11 Setting socket timeout to 1000 * 60 * 4

Sun, 30 Sep 2018 16:16:12 Success

Sun, 30 Sep 2018 16:16:12 1 patches were found to run

Sun, 30 Sep 2018 16:16:12 Last status: Done.  1 patches were found

Sun, 30 Sep 2018 16:16:12 No patch download required for *MSO365_MONTHLY_16.0.10730.20102_X64

Sun, 30 Sep 2018 16:16:12 Removing local scheduler maint window task: 893751

Sun, 30 Sep 2018 16:16:12 Checking for other running install/repair actions

Sun, 30 Sep 2018 16:16:12 Last status: Waiting

Sun, 30 Sep 2018 16:16:12 BeginWaitForMutex 'Global\SDClientLockMutex'

Sun, 30 Sep 2018 16:16:12 WaitForMutex 'Global\SDClientLockMutex' succeeded

Sun, 30 Sep 2018 16:16:12 Last status: Done

Sun, 30 Sep 2018 16:16:33 Exit Code: 0 (0x0)

Sun, 30 Sep 2018 16:16:33 Launched desktop instance of vulscan to detect full screen apps.  It returned: 0

Sun, 30 Sep 2018 16:16:33 Running patch *MSO365_MONTHLY_16.0.10730.20102_X64

Sun, 30 Sep 2018 16:16:33 Running pre-install/uninstall script

Sun, 30 Sep 2018 16:16:33 ERROR: Failed to open Patch monitoring info HKLM\Software\LANDesk\ManagementSuite\WinClient\PatchMonitoring (0x2)

Sun, 30 Sep 2018 16:16:33 Patch directory : 'C:\Program Files (x86)\LANDesk\LDClient\sdmcache\'

Sun, 30 Sep 2018 16:16:33 Patch name : '*MSO365_MONTHLY_16.0.10730.20102_X64'

Sun, 30 Sep 2018 16:16:33

Sun, 30 Sep 2018 16:16:33 Command Interpreter running

Sun, 30 Sep 2018 16:16:33 Work Path: C:\Program Files (x86)\LANDesk\LDClient\

Sun, 30 Sep 2018 16:16:33 regsvr file:C:\WINDOWS\system32\regsvr32.exe

Sun, 30 Sep 2018 16:16:33 fullPathDll of DLL file:C:\Program Files (x86)\LANDesk\LDClient\O365Util.dll

Sun, 30 Sep 2018 16:16:33 obtaining core server name LANDESK01.ck.c-k.com from scriptable interface.

Sun, 30 Sep 2018 16:16:33 Core server Name:  LANDESK01.ck.c-k.com

Sun, 30 Sep 2018 16:16:33 Hash File: O365Util.dll

Sun, 30 Sep 2018 16:16:33 In SendRequest: Action = SOAPAction: "http://tempuri.org/GetHashForSingleFile"

Sun, 30 Sep 2018 16:16:33 SendRequest: SOAPAction: "http://tempuri.org/GetHashForSingleFile"

Sun, 30 Sep 2018 16:16:33 Action SOAPAction: "http://tempuri.org/GetHashForSingleFile" failed, socket error: 10054, SOAPCLIENT_ERROR: 5.  Status code: -1, fault string:

Sun, 30 Sep 2018 16:16:33   Retrying in 7 seconds...

Sun, 30 Sep 2018 16:16:36 Last status: Retrying in 4 seconds...

Sun, 30 Sep 2018 16:16:37 Last status: Retrying in 3 seconds...

Sun, 30 Sep 2018 16:16:38 Last status: Retrying in 2 seconds...

Sun, 30 Sep 2018 16:16:39 Last status: Retrying in 1 seconds...

Sun, 30 Sep 2018 16:16:41 Success

Sun, 30 Sep 2018 16:16:41 Work Path: C:\Program Files (x86)\LANDesk\LDClient\

Sun, 30 Sep 2018 16:16:41 GetFileHash: could not find "C:\Program Files (x86)\LANDesk\LDClient\O365Util.dll"

Sun, 30 Sep 2018 16:16:41 obtaining core server name LANDESK01.ck.c-k.com from scriptable interface.

Sun, 30 Sep 2018 16:16:41 About to call DownloadFiles (1 files) with these settings:

Sun, 30 Sep 2018 16:16:41 m_allowedBandwidthWAN: 91

Sun, 30 Sep 2018 16:16:41 m_allowedBandwidthLAN: 91

Sun, 30 Sep 2018 16:16:41 m_discardPeriodSeconds: 604800

Sun, 30 Sep 2018 16:16:41 m_preserveDirectoryStructure: 0

Sun, 30 Sep 2018 16:16:41 m_bUseWanBWForPush: 0

Sun, 30 Sep 2018 16:16:41 m_bSynchronize: 0

Sun, 30 Sep 2018 16:16:41 Allowed download methods(m_downloadControl):

Sun, 30 Sep 2018 16:16:41 Peer

Sun, 30 Sep 2018 16:16:41 Source

Sun, 30 Sep 2018 16:16:41 m_preferredServerControl: AttemptPreferredServer

Sun, 30 Sep 2018 16:16:54 http://LANDESK01.ck.c-k.com/ldlogon/O365Util.dll Done

Sun, 30 Sep 2018 16:16:55 Last status: Done

Sun, 30 Sep 2018 16:16:55 Downloaded  C:\Program Files (x86)\LANDesk\LDClient\O365Util.dll

Sun, 30 Sep 2018 16:16:55 Download the following file successfully: O365Util.dll

Sun, 30 Sep 2018 16:16:55 Called CreateProcess: "C:\WINDOWS\system32\regsvr32.exe"

Sun, 30 Sep 2018 16:16:55 Exit Code for process C:\WINDOWS\system32\regsvr32.exe: 0, (0x0)

Sun, 30 Sep 2018 16:16:55 The result of regsvr32 is:  0

Sun, 30 Sep 2018 16:16:55 Create object of  O365Util

Sun, 30 Sep 2018 16:16:55 created the instance ok : O365Util

Sun, 30 Sep 2018 16:17:07 Register C2RCom returnCode:0

Sun, 30 Sep 2018 16:17:07 Custom Variable URL : http://landesk01.ck.c-k.com/Patch/Office365/2016/Current/x64/

Sun, 30 Sep 2018 16:17:07 Patch Binaries URL : http://landesk01.ck.c-k.com/Patch/Office365/2016/Current/x64/

Sun, 30 Sep 2018 16:17:09 ReportRepairResult returned failure: Failed to execute download and apply actions for installer

Sun, 30 Sep 2018 16:17:09 Failed to execute installer. ReturnCode:5

Sun, 30 Sep 2018 16:17:09 Message returned from repair script was Failed to execute download and apply actions for installer

Sun, 30 Sep 2018 16:17:09 ERROR(RunVbScript) Failed to run command  - 80004005

Sun, 30 Sep 2018 16:17:09 DownloadPatch ERROR: Failed to run commands (80004005).

Sun, 30 Sep 2018 16:17:09 Last status: Failed

Sun, 30 Sep 2018 16:17:09 DeferredReportAction: name '*MSO365_MONTHLY_16.0.10730.20102_X64', code '1', type '-1', status 'Failed to execute download and apply actions for installer'

Sun, 30 Sep 2018 16:17:09 App killer is stopping

Sun, 30 Sep 2018 16:17:09 Running post-install/uninstall script

Sun, 30 Sep 2018 16:17:10 RunPatches completed.  1 processed.  0 installed.  1 failures.

Sun, 30 Sep 2018 16:17:10 Sending previous action history to core

Sun, 30 Sep 2018 16:17:10 HTTP POST: http://LANDESK01.ck.c-k.com:443/WSStatusEvents/EventHandler.asmx

Sun, 30 Sep 2018 16:17:10 Setting a proxy...

Sun, 30 Sep 2018 16:17:10 Setting socket timeout to 1000 * 60 * 4

Sun, 30 Sep 2018 16:17:10 Success

Sun, 30 Sep 2018 16:17:10 Last status: Done

Sun, 30 Sep 2018 16:17:10 Reboot action set to 'never.'  Not rebooting.

Sun, 30 Sep 2018 16:17:10 Reboot and rescan.  Rescan set to false, so doing nothing.

Sun, 30 Sep 2018 16:17:10 ReleaseMutex 'Global\SDClientLockMutex' succeeded. Code: 0

Sun, 30 Sep 2018 16:17:10 No 'continue' tasks

Sun, 30 Sep 2018 16:17:10 ReleaseMutex 'Global\vulscan_scan' succeeded. Code: 0

Sun, 30 Sep 2018 16:17:10 Exiting with return code 0x8db3019c (412).

Sun, 30 Sep 2018 16:17:11 Process is terminating, cleaning scanner...

Hi I'm trying to get event logs from a machine using mBSDK

I get  success return code, however no data,  Please assist, does the log gets stored somewhere?

Issue

Vulscan is executed on the machine, detects threats but does not patch them and seems like it is stuck in a loop.

Not all computers are affected by this, in most cases only selected few show such behaviour.
In some cases the vulscan process may not want to end at all or restart itself - creating a loop.

"Security and Patch Information History" in the Console shows a lot of scans on the machine:

In vulscan.log (found in /programdata/landesk/log/)on the affected machine the below entries can be found (often multiple times):

Cause

Flash Player patch putting down a corrupted REGKEY with no null terminiate on it which results in Vulscan getting stuck in a loop.

Resolution

Manually download and install newest version of Flash Player (install_flash_player_ax.exe - the Internet Explorer version) from Adobe and reboot the affected machine.

After the reboot the machine should correctly scan and install patches.

We are using Ivanti 9.3 version for our patch management, and I need to uninstall scheduler on about 200 machines.

Do I really have to do it one by one? When I select more servers, option for "View Schedules Tasks" is grayed out.

I do hope there is some way to uninstall Scheduler for all of those 200 servers at once ...

Hi All

When creating Definition download filters, how do people go about finding the correct combination of Definition Type, Severity and Comparison rules.

Ideally what i'm looking for is to be able to search the Ivanti definition servers, find updates that i'm interested in, and create rules that match the categories shown in my search.

Real world example: currently we are looking for the correct combination for the Windows Feature updates, e.g 1709, 1803 etc.
Took a stab in the dark and tried the combination, Vulnerability, Service pack, Vendor contains Microsoft, which was correct, however there has to be a better way than taking a stab in the dark.

Thanks

Overview

Occasionally, updates will fail to install through Ivanti Endpoint Manager even though they are being detected correctly. Endpoint Manager users the local system account to install updates and therefore one thing you will want to test is whether or not you can install an update as the Local System account similar to the way we install updates. This document will outline how you can use Micrsoft's Psexec tool to perform this test.

Process

1. Download the psexec.exe from http://live.sysinternals.com/psexec.exe.
2. Unzip the package and save PsExec.exe  to the root of C.
3. On the client machine you are testing the update on, navigate to the directory that you have saved psexec.exe which should be the root of C.
4. Within a command prompt run the following command:   

psexec.exe -i -s cmd.exe .

    5. In the new system command prompt, navigate over to the C:\Program Files (x86)\LANDesk\LDClient\sdmcache driectory then run the problem update.

    6. If any errors or inconsistencies are seen when launching the update we would suggest checking to ensure the SYSTEM account privileges have not been altered. In the event the issue persists we suggest reaching out to Microsoft as they would be the best resource to correct issues regarding the SYSTEM account.

Hello, I read the document "Windows 10 Build Upgrade Deployment Support in Patch for Windows Servers"(https://community.shavlik.com/docs/DOC-24181 ).

I downloaded the tool to create installation media, I followed the steps of the manual but I get the error 0x8007000D - 0x90002 and I can not download .iso file.

Step by Step

1. Download the tool to create installation media of the link https://www.microsoft.com/en-us/software-download/windows10

2. Executed the downloaded tool as administrator.

3. Accepted the terms of the license agreement.

4. Selected the option "Instalation media for another PC".

5. Selected the following: Language: Spanish (Spain) Edition: Windows 10 Architecture: 64 bits (x64).

6. Selected ISO file.

7. Selected the path to save ISO file "Process 0%" appears on the screen but then error 0x8007000D - 0x90002.

Thanks for the help!

Hi,

We are new to the Patch and Compliance components of EPM.

We are testing at the moment.

I have a workstation that has vulnerabilities that need applying/repairing.

I have run the "Security and Patch Information" for my test workstation and selected a critical vulnerability and created a task to "repair" it.

The repair fails with a code 412.

I have checked the vulscan.log for more detail and get the following issues...

Thu, 20 Dec 2018 10:24:39 Command Interpreter running

Thu, 20 Dec 2018 10:24:39 successfully created the TimberWrapper instance

Thu, 20 Dec 2018 10:24:39 uniqueFilename: Windows6.1-KB3020393-x86_tw6631-19554.msu

Thu, 20 Dec 2018 10:24:39 Repairing Patch Guid 54019: {0000d303-0000-0000-0000-000000000000}, Lang: INTL, UniqueFilename: Windows6.1-KB3020393-x86_tw6631-19554.msu

Thu, 20 Dec 2018 10:24:39 Has not been scanned before repair, scanning

Thu, 20 Dec 2018 10:24:39 ScannedMachineResults.Count: 0, already scanned: false

Thu, 20 Dec 2018 10:24:39 ReportReplacedPatchesFlag: true

Thu, 20 Dec 2018 10:24:39 Setting DiagnosticTraceFilter to PatchDetection

Thu, 20 Dec 2018 10:24:39 Clearing patches info

Thu, 20 Dec 2018 10:24:39 Deleting files under C:\Program Files\LANDesk\LDClient\timber\InstalledPatches...

Thu, 20 Dec 2018 10:24:39 Deleting files under C:\Documents and Settings\All Users\Application Data\vulscan\MissingPatches...

Thu, 20 Dec 2018 10:24:39 Starting scan...

Thu, 20 Dec 2018 10:24:39 ERROR: Scan failed, failed to start scan (0xdd7994)

Thu, 20 Dec 2018 10:24:39 Scan failed, setting m_AlreadyScanned to false

Thu, 20 Dec 2018 10:24:39 ERROR: Scan failed. Scan failed, failed to start scan (0xdd7994)

Thu, 20 Dec 2018 10:24:39 ERROR: Repair failed

Thu, 20 Dec 2018 10:24:39 Repair returned: 0x0

Thu, 20 Dec 2018 10:24:39 Repaired: False

Thu, 20 Dec 2018 10:24:39 ReportRepairResult returned failure: Repair failed

Thu, 20 Dec 2018 10:24:39 Message returned from repair script was Repair failed

Thu, 20 Dec 2018 10:24:39 ERROR(RunVbScript) Failed to run command  - 80004005

Thu, 20 Dec 2018 10:24:39 DownloadPatch ERROR: Failed to run commands (80004005).

Thu, 20 Dec 2018 10:24:39 Last status: Failed

Thu, 20 Dec 2018 10:24:39 DeferredReportAction: name 'Windows6.1-KB3020393-x86_tw6631-19554.msu', code '1', type '-1', status 'Repair failed'

Thu, 20 Dec 2018 10:24:39 App killer is stopping

Thu, 20 Dec 2018 10:24:39 Running post-install/uninstall script

Thu, 20 Dec 2018 10:24:39 RunPatches completed.  1 processed.  0 installed.  1 failures.

Thu, 20 Dec 2018 10:24:39 Sending previous action history to core

Any ideas or thoughts as to what the issue could be and potential fix ?

Thanks in advance !

Overview:

Ivanti Patch and Compliance now provides support for Office 365 versions 2013 and 2016.  Patch and Compliance administrators can now scan, detect, and remediate client devices that have Office 365 installed. For Office 365 version 2013, Ivanti leverages the Microsoft Office Deployment Tool to perform the remediation tasks for updating Office 2013 installations. For Office 365 version 2016, Ivanti has developed an Office Com API to perform remediation tasks for updating Office 2016 installations. Ivanti provides a utility (Office365Util.exe) for you to use to download the Office installation data and to check the hash for Office 2016 installation data. When the Office patches are downloaded, Ivanti Endpoint Manager will check the hash on the pertinent files to ensure validity.

High Level Process

1. The Ivanti administrator downloads Office 365 definitions from the Ivanti global servers.
2. Once the Office 365 definitions are downloaded to the core, the Ivanti administrator can scan for those Office 365 vulnerabilities.
3. In order to remediate (apply latest patches) detected vulnerabilities, Ivanti administrator have to manually run, on the core machine, a new tool provided by Ivanti (Office365Util.exe). Using this tool, the Ivanti administrator can choose the Office 365 versions that are relevant to the environment. The Ivanti Office 365 utility will download the patch binaries and the Microsoft Office deployment tool from the Microsoft cloud.
4. Once the patch binaries are downloaded to the core, the Ivanti administrator can apply the patches to all vulnerable endpoints using the standard method of applying patches.

Step 1: Download Content

Customers download the Office 365 vulnerability definitions, the O365Util.dll, and the Office365Util.exe from the Ivanti Global Host Content Server by downloading the latest Microsoft Windows Vulnerabilities.

Download Updates (Microsoft Windows Vulnerabilities)	Updating Definitions (Office365Util.exe/O365Util.dll)

Updating Definitions (MSO365)MSOFFICE 365 (Vul_Defs)	MSO365 (Vul_Defs)

Step 2: Launch Office365Util.exe

Upon successful content download, an Office365Utility folder is created under the LDLogon share and will contain the Office365Util.exe file provided by Ivanti.

\\Core_Server\LDLogon\Office365Utility

This utility will allow you to select the specifics regarding the Office 365 product you are patching. Launch this utility directly from C:\Program Files\LANDesk\ManagementSuite\ldlogon\Office365Utility\ by double-clicking on Office365Utility.exe
(do not try to run it via the network share \\Core_Server\LDLogon\Office365Utility or \\localhost\LDlogon\Office365Utility as you will get an error).

Step 3: Select Options from Office365Util

The view provided below displays the available options inside of the Office365Util application (Ivanti Office 365 Utility for Patch and Compliance):

Platforms	Deployment Tools

Channels	Office 365 (2013) Product List View

In order to successfully patch Office 365, select which Office 365 patch product updates to download in order to support client remediation. After selecting the desired product updates from the Ivanti Office 365 Utility for Patch and Compliance application, click START.

Office 365 Tool

The START action will do (2) things:

1. Create an Office365Tool folder under the LDLogon share and process the Microsoft setup.exe file
   
   

   \\Core_Server\LDLogon\Office365Tool

The contents of this folder will contain the Deployment Tool Type (2016 or 2013) selected during the download and all relative installation data applicable to the options selected in the Ivanti Office 365 Utility for Patch and Compliance
application. The display below will outline the contents of both Deployments Tools (2016 and 2013).

Office365Tool	Deployment Tool Options

2016 Content	2013 Content

   
      2. Create an Office365 folder under the LDLogon\Patch share that contains the patch files(s):

\\Core_Server\LDLogon\Patch\Office365

Patch Location

^Updated Office 365 patching is not designed to take advantage of our download technology. The client device will NOT download o365 patch files from a preferred server or peer device. The files will be retrieved from the default or non-default patch location.

Non-Default Patch Location

This section is only applicable to those who have changed the default download location for patches. After downloading the Office 365 patch updates and installation data with the Ivanti Office 365 tool, the following SOURCE will be in the vulnerability definition:

Office 365 (2016)

 

httpSourcesURL="Core_Server/LDLogon/Patch/Office365/DeploymentToolType/Channel/Architecture"

 

Ex: httpSourcesURL=http://2016E/ldlogon/patch/office365/2016/current/x64

Office 365 (2013)

httpSourcesURL=http://Core_Server/LDLogon/Patch/Office365/DeploymentToolType

 

Ex: httpSourcesURL= http://2016E/ldlogon/patch/office365/2013

In order for the Patch Install Commands in the vulnerability definition to interpret the correct patch location, the Custom Variable will have to be set in every MSO365 vulnerability definition.

To do this, open the properties on the definition and select the Custom Variables tab. By default the value specified will resolve to the default patch location.

You will need to explicitly set the value to reflect the location your patches reside. For instance, if you are desiring to distribute from a location called "Patches" on your network storage server and are updating a 32 bit machine on the Office 365 2016 Deferred (now Semi-Annual) channel, you would put in the following path:

http://nameofmystorageserver/Patches/office365/2016/Deferred/X86

The Patch Install Commands section of the definition utilizes a script that resolves the Custom Variable.

References

How to change the default Patch Location for Security and Patch Manager

Microsoft Office 2016 Deployment Tool

Microsoft Office 2013 Deployment Tool for Click-to-Run

• • Vulscan Switches for Windows Agents
    • Vulscan switches to control scan types
      • Example: "Vulscan /scan=0 /showui" will scan the type "Vulnerabilities" while showing the Ivanti Vulscan UI.
    • General Switches
    • Reboot related operations
    • VBScript related options
    • Disable certain behaviors
    • Manipulate Data Files
    • Ivanti Endpoint Security Related Commands
    • Shortcuts to open folders or logs:
    • Vulscan switches used for content replication

Vulscan Switches for Windows Agents

This document describes the various switches that can be used on the command line to manipulate the vulscan behavior.   It is recommended to use the different available settings (Distribution and Patch Settings, Reboot Settings, etc) to control the Vulscan behavior otherwise unintended consequences may result.

Vulscan switches to control scan types

Number	Type	Description	Example
0	Vulnerabilities	This category is for security-related releases by 3rd-party vendors such as Microsoft,            For a detailed list of available content click here
1	Anti-Spyware	Definitions and engine updates for the Anti-spyware component within Security and Patch Manager (This differs from the Anti-virus component and is based on the Lavasoft engine and targets spyware and adware)
2	Security Threats	This differs from the Vulnerabilities category in that this is not to address vulnerabilities in vendor code, but simply facilitates configuration changes to tighten down security.
3	Ivanti Updates	Ivanti Patches and Service Updates (not including Ivanti Antivirus which is in category 8)
4	Custom Definitions	Custom-user made definitions, including custom definitions that have been imported.    This will also include other definitions that have been cloned.
5	Blocked Apps	Includes both pre-configured content downloaded from Ivanti Content servers, and any custom blocked application content that has been created.  Some of the Summary information in the blocked applications definitions are provided from http://www.sysinfo.org    (Blocked application legal disclaimer) Click graphic for an example of these definitions:
6	Software Updates	Non-Security related updates for Intel, Ivanti, and Lenovo.    (Click graphic for an example)
7	Drivers	This category includes Dell, HII, HP Client, and Lenovo definitions if they have been downloaded as part of the download updates process.
8	Antivirus	Downloads Ivanti Antivirus definitions, and if selected also downloads updates pattern files for both Ivanti Antivirus and 3rd party antivirus products

Example: "Vulscan /scan=0 /showui" will scan the type "Vulnerabilities" while showing the Ivanti Vulscan UI.

General Switches

Reboot related operations

VBScript related options

Disable certain behaviors

Manipulate Data Files

Data Files	Result	Example
/O=Filename (including full path)s	Send vulscan output to a file as specified in the command line rather than back to the server in the form of a SOAP response.  (Click graphic for an example)
/Log=Filename (including full path)	Sends the vulscan log files to a different location than the default as specified.
/Reset	Removes the client side settings and files (leaves log files intact if you want to delete the log files as well you can simply delete the ProgramData\Vulscan directory)
/Clear or /ClearScanStatus	Will clear the scan and repair status for the client on the core server (blanks out the history)

Ivanti Endpoint Security Related Commands

Ivanti Antivirus related commands

Shortcuts to open folders or logs:

Vulscan switches used for content replication

Issue

Gather Historical Information crashes the LANDESK Console.

Gather Historical Information task is failing to run.

Following is in the GatherHistory.Details.Log file in the Managmentsuite\Log folder on the Core Server:

09/18/2014 15:12:18 INFO  13352:SaveTrendInfoForVulnerabilitiesAsync : Critical Exception: System.Data.OleDb.OleDbException (0x80040E31): Query timeout expired   at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)   at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()   at LANDesk.ManagementSuite.Database.Database.ExecuteNonQueryP(String sql, Int32 timeoutSeconds, Object[] parameters)   at LANDesk.ManagementSuite.Database.Database.ExecuteNonQuery(String sql, Int32 timeoutSeconds, ArrayList oleDbParameters)   at LANDesk.ManagementSuite.Database.Database.ExecuteNonQuery(String sql)   at LANDesk.ManagementSuite.PatchBiz.PatchTrend.SaveTrendInfoForVulnerabilities(Int32 removeOldDataDays)   at LANDesk.ManagementSuite.PatchManagement.ProgressForm. € ()   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)   at System.Threading.ThreadHelper.ThreadStart() Stack Trace:    at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)   at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()   at LANDesk.ManagementSuite.Database.Database.ExecuteNonQueryP(String sql, Int32 timeoutSeconds, Object[] parameters)   at LANDesk.ManagementSuite.Database.Database.ExecuteNonQuery(String sql, Int32 timeoutSeconds, ArrayList oleDbParameters)   at LANDesk.ManagementSuite.Database.Database.ExecuteNonQuery(String sql)   at LANDesk.ManagementSuite.PatchBiz.PatchTrend.SaveTrendInfoForVulnerabilities(Int32 removeOldDataDays)   at LANDesk.ManagementSuite.PatchManagement.ProgressForm. € ()   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)   at System.Threading.ThreadHelper.ThreadStart()   

Solution

1. Close the Ivanti EPM Console.
2. Create the "Query Timeout" registry value (without the quotes) as a 32-bit DWORD in the following registry key on the Core Server:
   
   

9.6 or 2016 Core Server:

HKLM\SOFTWARE\LANDesk\ManagementSuite\WinConsole

Create any registry keys that are missing. Set the value to 10000 decimal.

Disclaimer

Please read this disclaimer before using this tool:  LANDESK Share IT Disclaimer

Description

We created a GUI tool to simplify diagnostic scanning to troubleshoot patch scan issues.

The DPDTrace GUI interface requires .Net 2.0 or greater to work.

How to use the DPDTrace GUI

1. Download the latest version of the DPDTrace GUI. Download Link
2. Extract the DPDTrace.zip to the desktop of the machine you will scan from.  This can be on a server remote to the target machine or on the target machine itself.  Support may specify where to scan from depending on the issue being diagnosed.
3. Open the DPDTrace GUI by double-clicking DPDTraceGUI.exe from the extracted folder.

4. Choose Local to scan the local machine. The IP address or the Machine Name of the local machine will automatically populate.    

5. Choose Remote to scan a remote machine. You will need to provide a valid Machine Name or IP Address to scan.    

6. Enter a username with administrator access to the target machine.        

      a. The format must be DomainName\UserName or MachineName\UserName depending on how you are authenticating to the target machine.    

7. Enter a valid Password. You can choose to un-check the Hide option if you wish to see your password for troubleshooting purposes.

OEM Version: (EPM Customers)

8. Choose the OEM scan engine version  9.3.2644 to be used during the scan.

Patch Type:

9. Choose Patch Type to be used during the scan.

          a. We highly suggest leaving the defaults of Security Patches and Non-Security Patches selected unless a support tech requests a change.

10. Click Run to start the scan.

11. You will see Command Prompt popups and popups for the Rename HF.Log utility during the scan process.  Do not close either these.

12. All popup windows will close and a new popup will occur once the scan is complete.  Click OK.

13. The scan diagnostic is complete and all of the trace logs, scan outputs and registry exports have been zipped to this folder:  C:\Users\UserName\Desktop\DPDTrace\SendToSupport

          a. The zip file will be named HFCLi_YearMonthDay.zip

14. Provide this zip files to support!  If you have any issues attaching this zip to the case, please let the support tech know so they can provide you with more options.

Additional Information

A command line DPDTrace tool can be used by customers who cannot run this GUI version:  DPDTrace command line logging tool used for patch detection issues

I am new to patching and security . I want to setup auto patching of vulnerabilities to about 300 devices in our environment. We currently use WSUS to do that but I want to switch to fulI Landesk patching . My version of Ivanti is 11.0.0.164. We know Microsoft sends out new vulnerability updates on Tuesdays and we are a Win10 shop . I will grateful to get detailed documentation on how to do it and which is the best way .

Thanks

Problem

While attempting to download patches to a remote patch repository you receive the error "Connect attempt failed because credentials conflict with an existing connection" and you are unable to download patch content from the Ivanti servers. You may experience the following logging information in vaminer.details.log:

01/02/2019 10:09:37 INFO 16640:Main Thread : ------------------- Update process started --------------------
01/02/2019 10:09:37 INFO 16640:Main Thread : Verifying access to site US East Coast (https://patchec.landesk.com)
01/02/2019 10:09:38 INFO 16640:Main Thread : Processing Ivanti File Reputation Updates
01/02/2019 10:09:39 INFO 16640:Main Thread : Getting reputation information from Ivanti
01/02/2019 10:09:40 INFO 16640:Main Thread : Downloading trust changes since 1/2/2019 8:37:19 AM
01/02/2019 10:09:42 INFO 16640:Main Thread : Processing Ivanti 10.1.3 Software Updates
01/02/2019 10:09:43 INFO 16640:Main Thread : Comparing English Definitions
01/02/2019 10:09:44 INFO 16640:Main Thread : Comparing Language neutral Definitions
01/02/2019 10:09:44 INFO 16640:Main Thread : Processing Ivanti 10.1.3 Agent Health
01/02/2019 10:09:45 INFO 16640:Main Thread : Comparing English Definitions
01/02/2019 10:09:46 INFO 16640:Main Thread : Comparing Language neutral Definitions
01/02/2019 10:09:46 INFO 16640:Main Thread : Processing Ivanti Data Analytics Updates
01/02/2019 10:09:47 INFO 16640:Main Thread : Downloading files in updates.xml
01/02/2019 10:09:49 INFO 16640:Main Thread : Comparing English Definitions
01/02/2019 10:09:49 INFO 16640:Main Thread : Comparing Language neutral Definitions
01/02/2019 10:09:50 INFO 16640:Main Thread : Processing "Patch cleanup"
01/02/2019 10:09:50 INFO 16640:Main Thread : Connect attempt failed because credentials conflict with an existing connection.
01/02/2019 10:12:03 INFO 16640:Main Thread : Connect attempt failed because credentials conflict with an existing connection.
01/02/2019 10:12:03 INFO 16640:Main Thread : Downloading Patches
01/02/2019 10:12:03 INFO 16640:Main Thread : Attempting to download 9 patches
01/02/2019 10:13:48 INFO 16640:Main Thread : Updating patch downloaded status for 54647 patches
01/02/2019 10:34:09 INFO 16640:Main Thread : Finished downloading patches
01/02/2019 10:34:09 INFO 16640:Main Thread : Completed updating definitions

Cause

This issue is caused by an existing connection already in use on the destination share.

Resolution

This issue can be solved with one of two solutions:

Restart the core server

Restarting the core server will sever any existing connections that may have not properly disconnected after the previous sessions.

Use short name and not FQDN

In your patch location settings use the short name rather than the FQDN in both UNC and WebURL sections of these settings.

Goal

Upgrade the clients to Windows 10 version 1803.

Steps

For our example, we will be installing Windows 10 1803 Professional, but the same steps will apply to all current versions of Windows 10.

Test your ISO outside of Ivanti.

1. Download or otherwise acquire a Windows 1803 ISO for the version of Windows that you are updating (Education, Professional, or Enterprise). In this case we will download Professional version.
2. Run your ISO on a test machine manually to make sure that it will upgrade outside of Ivanti. If your machine will not upgrade when manually running the ISO outside of Ivanti, it will not upgrade through Ivanti when using that same ISO. If you are unable to upgrade the machine outside of Ivanti, you will want to check the following:
   1. Make sure your client machine meets the system prerequisites for the version of Windows 10 you are upgrading to.
   2. Make sure your ISO is not blocked by the local system by going into the ISO properties and selecting to unblock the update if necessary.
   3. Try disabling or temporarily uninstalling your antivirus or application control on the client as that has been known to prevent this type of upgrade on occasion. You can reinstall it after the system is upgraded.
3. Once you are able to upgrade a machine using your ISO outside of Ivanti, place this .ISO into the \ManagementSuite\LDLogon\Patch\ directory on your core server.  If you have changed the patch storage location, place it in the equivalent directories.

   4. Encryption such as BitLocker must be disabled for the deployment to be successful.  The machine must be able to fully reboot on its own to complete the deployment properly.

Find the correct definition for the version you are upgrading to.

1. Open the Ivanti Endpoint Manager Console and go to the Security and Compliance Tool group.
2. Open the Patch and Compliance Tool.
3. Ensure that you have downloaded the latest updates in the Vulnerabilities category.
   
   
   
4. After downloading the vulnerabilities category, select the correct definition for the version that you would like to upgrade to. In my example, I am upgrading to Windows 10 1803 Professional English x64 so  I would select W10V1803PX64_V2:

Prepare your ISO and run a repair task.

1. Double-click the rule that matches the version of Windows you are trying to upgrade.

     Y

    2. Make sure that your .ISO file for the Windows upgrade matches the filename within the rule in the Patch information section under Name exactly.  You can guarantee this, by highlighting, copying, then pasting the file name from the definition into your ISO's file name properties.

    3. Double check your ISO's file name, making sure it still has the .iso extension and that it is not named ".iso.iso" or anything like that.  It must match exactly with the file name in the detection rule above.

    4. Run Download Updates one more time to ensure that the "Downloaded" Yes/No column in the rule is updated to "Yes".  If it does not update, check your storage location and the name of the .ISO to make sure it matches.

    5. Run a scan and repair as usual.

How to block automatic update to the Creators Edition of Windows on client systems

In order to block Windows 10 systems from automatically installing Operating System Upgrades, the following methods may be used:

Group Policy

Computer Configuration / Administrative Templates / Windows Components / Windows Update Policy

Setting: Turn off the upgrade to the latest version of Windows through Windows Update

Registry

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

DWORD value: DisableOSUpgrade = 1

LANDESK Patch and Compliance Definition

The DISABLEWIN10UPGRADE can be sent as a repair job to turn off the Windows 10 auto-updates to newer OS versions.

This definition sets the Registry key listed above.

Hi, need to verify if Ivanti Patch Manager powered by LANDesk can patch Oracle database? Thanks

• • Assumptions
  • Setup of the Windows Share
  • Preferred Server Setup
  • Content Replication
  • Patch Location Changes
  • HTTP Downloads
  • Troubleshooting

Assumptions

This document assumes you already have patching setup and working on your core without preferred servers and know how to configure patch download settings, windows shares and permissions and install and configure IIS on a device if need be.

Setup of the Windows Share

The Preferred Server(Target) will need a windows share setup that clients can access via a UNC path. This location must allow all clients read access and have a mirrored share and file structure that is on the core. For example, if your core patch location to a patch file is:

\\CoreName\Share\patch\Microsoft\Mspatch.msu

That same file must be accessible in with the same share name and path on the preferred server. Example:

\\PreferredServer\Share\patch\Microsoft\Mspatch.msu

The only difference is the server name.  It is recommended you test the remote location from a client that the windows share is functioning, and you can access the share on the client before continuing.

If you plan on using content replication through our product the share will also need an account with permissions that have write access to it.

Preferred Server Setup

In the Ivanti EPM Console, click Tools | Distribution | Content Replication/Preferred Servers.

Click Add to add a new server, or click an existing entry and click Edit.

Enter the server information.

Click Test credentials to make sure the credentials you provided work.

(Optional) If you want to use IP address ranges to limit which clients you want using this server as a preferred server, click on "IP address ranges" enter the IP addresses and click Add.

If you will be writing files to this preferred server as well as reading files from it (for capturing images during provisioning for example), enter credentials with read and modify permissions in the "Write" section of the template.

Click Save.

It is best practice to enter three entries for each preferred server.  One as the short name, example “PreferredServer”.  One as the FQDN of your environment, example “PreferredServer.Domain.com” and one as the IP address of the server, example “10.10.10.10”, as shown in the above photo.

Content Replication

Content replication is covered in the following documents:

How to use Ivanti EPM Content Replication

How to configure the Preferred Server (Target) for Content Replication

How to configure the Source for Ivanti EPM Content Replication

How to configure the Replicator in Ivanti EPM Content Replication

Patch Location Changes

You will need to change the patch location to use UNC in the Download Updates > Patch Location settings.  By default preferred servers will only use UNC so both the UNC and Web URL lines must have the UNC share Information.

HTTP Downloads

If you are planning to have Macs use preferred servers HTTP downloads must be used.  You must setup IIS on the preferred server sharing the files and configure a virtual directory to the patch location.  More on setting this up can be found in these documents:

About IIS Virtual Directories and File Permissions for Patch and Compliance Manager

How to set up Content Replication on a Preferred Server running Windows Server 2012 R2

How to set up a Preferred Server in IIS 10

Troubleshooting

The following documents go over preferred server troubleshooting:

How to debug why my preferred server config isn’t being used (Preferred server doesn't work)

How to Verify the Correct Preferred Servers are Being Used by an Agent

Problem

Error: "Ivanti Application Monitor Service on local computer started and then stopped. Some services stop automatically if they are not in use by other services or programs"

Cause

Application Monitor Service fails if .net is not 4.5.1 or greater on the endpoint.

Resolution

The problem is caused by a mismatch between the .NET version required by the Ivanti Application Monitor service (4.5.1), and the .NET version installed by the Ivanti Agent (4.5).

Most of the time .NET 4.5.1 or greater is already installed (by default on Win 10), but on a Win 7/8 computer the endpoint will need to updated to at least .NET version 4.5.1 for now.

This will be addressed in an upcoming Service Update.

Hi all,

Was hoping someone would be able to help me figure this one out. I am trying to get our desktop patch management off the ground using LANDesk 2016. I've been following this getting started guide: How to get Started with Patch and Compliance Manager

I am up to the section titled "Using a Custom Group to Repair." I follow the steps outlined in the guide which seem to outline the process for creating a task on the patches in your Patch group. However, when I click SAVE on the "Patch and compliance - repair task" window, I get the below error:

I have tried making the name of the Task a single character (1 or A) and I have also tried only putting one patch in the group (thinking it may be trying to concatenate all the names of the patches together?). But still no luck.

I've reviewed the following discussions/articles I've found on the LANDesk site, but didn't see any solutions that would seem to resolve this issue. Any help would be very appreciated. Thank you!

String or binary data would be truncated. The statement has been terminated

"String or binary data would be truncated" when updating the text for a group box or label

Getting error message "String or binary data would be truncated"