Purpose

This document contains instructions on how to add patches released between specifics dates to a Patch Group using PowerShell and the API feature.

Overview

Basic Instructions:

     1. Download AddPatchesToPatchGroupUsingDateRange.zip from this document. (download link)

     2. Extract the contents of the .zip file to a folder on the console server.

     3. Read Disclaimer.txt.

     4. Open PowerShell as an administrator.

     5. Change directory to the extracted location.

     6. Execute the following to get help. This will provide parameters and instructions on how to use the PowerShell script.

Get-Help .\AddPatchesToPatchGroupUsingDateRange.ps1 -full

Examples:

Add all patches released between to dates.

.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" "1/1/2018" "1/31/2018" "ServerName\SQLInstance" "MyDatabase"

Add all patches released within the last 30 days.

.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" ((Get-Date).AddDays(-30)) (Get-Date) "ServerName\SQLInstance" "MyDatabase"

Add security and non-security patches released within the last 30 days

.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" ((Get-Date).AddDays(-30)) (Get-Date) "ServerName\SQLInstance" "MyDatabase" "0, 1, 4"

Add .net and Java patches released within the last 30 days

.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" ((Get-Date).AddDays(-30)) (Get-Date) "ServerName\SQLInstance" "MyDatabase" -productList ".net|Java"

Add all patches except .net and Java released within the last 30 days

.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" ((Get-Date).AddDays(-30)) (Get-Date) "ServerName\SQLInstance" "MyDatabase" -productList ".net|Java" -excludeProductList

Additional Information

API Quick Start Guide

Affect Product

Ivanti Patch for Windows Servers

Purpose

As of January 3rd 2018, Microsoft is now requiring a registry key to be added to machines for addressing compatibility issues with a small number of anti-virus software products.

More information on this can be found here: Important information on detection logic for the Intel 'Meltdown' security vulnerability

Description

1.  Download and extract the attached zip here to get the batch file used for adding the registry key.

2.  Create a new Patch Scan Template that scans for only Custom Actions. (this will allow you run this against machine with no missing patches)

3.  Create a new Deployment Template.

4.  Name the template. Ex: Intel Meltdown Registry Key

4.  Click on Post-deploy Reboot. Change the reboot option to 'Never reboot after deployment'.

5. Click on Custom Actions. Click 'New'. A prompt to save the template will be presented. Click 'Save'.

6. The first action will push the batch file. Ensure that step 3 states 'Push File', and then select the batch file from the local machine. Click 'Save' when completed.

7. Click 'New' once more. Change Step 3 to 'After All Patches' and use the following command in Step 4: Call %pathtofixes%addregkey.bat

8. Click 'Save' twice to finish creating the Deployment Template.

9. Use the new Scan Template to scan your target machines.

10. Once the scan is completed, click 'View Results'

11. The results will offer our nullpatch.exe for deployment. Proceed by right-clicking the patch and clicking 'Deploy all missing patches'.

12. Select the new Deployment Template created earlier. Click 'Deploy' to start the deployment.

13. Open regedit to validate the registry key was added.

Additional Information

How To: Perform a Custom Action Complete Tutorial with Custom Actions

Affected Product(s)

Shavlik Protect 9.2

Ivanti Patch for Windows Servers 9.3

Purpose

The following is a sample integration script for the Ivanti Patch for Windows Servers API integration with the Qualys vulnerability scanner.

If you use a vulnerability scanner to identify weaknesses in your network, the scanner may detect hundreds or even thousands of issues on your machines. At first this might seem a bit overwhelming, but what’s likely happening is that the vulnerability scanner is simply producing a lot of noise. The scanner is assessing for CVEs (Common Vulnerabilities and Exposures) explicitly.  In reality a software update will often include many CVEs.  A patch can also be superseded or replaced by a newer update.  What this tends to cause is the Vulnerability Assessment reflecting hundreds of vulnerabilities that can be resolved by updating just a few software titles on a system.

To address this, you can use the API to::

• Make calls to the vulnerability scanner
• Extract the vulnerability list (consisting of CVEs)
• Import those CVEs into a Ivanti Patch for Windows Servers patch group via the Patch Group API
• Perform patch scans and deployments using that patch group
• The patch engine will take into account any superseded patches and will identify the handful of patches that are required to bring the target system into compliance. If you rerun the vulnerability scanner after deploying the patches, the vulnerability count should be greatly reduced.

Overview

• The script and supporting files can be downloaded from here: QualysToPatch_API.zip
  • Extract the contents to it's own folder on C:\. For example C:\QualysToPatch_API
• The copy tool curl is required for this to work. You can download this tool from here: curl 7.56.1
  • Extract the contents of the CAB files to it's own folder on C:\. For example: C:\curl

1. Edit the variables in the UpdateLocalQualysFiles.bat. This batch file is used to download data files directly from the Qualys content servers.

a. SET CURLPATH=C:\curl\curl.exe - Set the location of your curl.exe.

b. SET LOCALDATA="C:\QualysToPatch_API\Qualys" - Set the location of your Qualys scripts.

c. SET PLATFORM=qualysapi.qg3.apps.qualys.com - Specify host you were assigned when you setup your Qualys account.

d. SET USER="user:pass" - Set a username and password for your Qualys account.

2. Run UpdateLocalQualysFiles.bat to get the latest data from Qualys.  This will download the data files directly from the Qualys content servers and place them in the location specified in the batch file.

3. Run the script: (Scan)

    > . .\QualysToIvanti.ps1

    > QualysToIvanti -machinesXmlFile C:\QualysToPatch_API\hosts.xml -qualysKbXmlFile C:\QualysToPatch_API\qualyskb.xml -ScanTemplate 'Demo' -DeployTemplate 'Agent Standard' -PatchGroupName 'Demo' -MachineGroupName 'Demo' -ScanName 'Qualys-Ivanti demo' -DeployMissingPatches $False

4. You can choose not to perform a scan and update a Patch Group in Patch for Windows Servers.

    > . .\QualysToIvantiPatchGroup.ps1

    > QualysToIvantiPatchGroup -machinesXmlFile "C:\QualysToPatch_API\hosts.xml" -qualysKbXmlFile "C:\QualysToPatch_API\qualyskb.xml" -PatchGroupName 'Demo'

Description

This document will provide a workaround for a crash when navigating to View > Machines in Protect.

Symptoms

When navigating to View > Machines, the Protect Console crashes with an unexpected error. The following generic pop-up will appear:

You can verify the issue by looking in the ST.Protect.managed.UserName@ProtectServer.log where you will see the specific error  This will help you identify the unsupported language culture:

Crash from main UI thread ---> System.InvalidOperationException: Crash from main UI thread ---> System.Globalization.CultureNotFoundException: Culture is not supported.

Parameter name: culture

2073 (0x0819) is an invalid culture identifier.

Cause

One or more of your scanned machines have an unsupported language culture. .Net Framework installed on the Protect Console is unable to verify the language culture of these machine(s) in when opening View > Machines.  In this specific example, the hex value 0x0819 indicates a Moldova language culture.

Parameter name: culture

2073 (0x0819) is an invalid culture identifier.

 

Here is a list of languages with their Hex and Decimal value:  Language Culture Code Table

Resolution

• Download and install the latest .Net Framework language pack for the highest level .Net Framework installed on the Protect server.
• If installing the latest .Net Framework language pack doesn't correct the issue, the workaround for this issues would be to remove the machine(s) in question directly from the database via script.  The remainder of the document will walk you through the workaround.

Identifying the Language Culture

1. You will need to identify the hex value of unsupported language culture from the ST.Protect.managed.UserName@ProtectServer.log.
2. The log is located in the C:\ProgramData\LANDESK\Shavlik Protect\Logs folder on the Protect server.
3. Open the log with your favorite text editor and search for:  is an invalid culture identifier  This will give you the hex value for the next step, for example:

2073 (0x0819) is an invalid culture identifier.

Identifying the machine(s) with the affected language culture

     4. Once you have the hex value for the language culture, you will need to identify machine(s) with this language culture by running this SQL query against the Protect database:

SELECT Domain, Name, * FROM [ManagedMachines] WHERE language = Hex value from logs

Example of output listing machines with specific language culture:

Removing the affected machines via SQL Script

Script Download

1. Extract DeleteMachineView.zip on the server you will be performing the query from.
2. Open SQL Server Management Studio and connect to the Protect database.
3. Backup the Protect database
4. Open DeleteMachineView.sql into a query window.
5. Read disclaimer at the top of the script.
6. Select the Protect database to run the query against.

    7. The next step is to replace the following with the domain\machine or workgroup\machine name values from above.

FROM:

SET @machineDomain = 'Enter Domain or Workgroup Name'    SET @machineName = 'Enter Machine Name'

TO:

SET @machineDomain = 'WORKGROUP'    SET @machineName = 'VM-2K16-64-EN'

  8. Execute the script to delete specified machine.  Repeat this process for all affect machines.

  9. Attempt to open Shavlik Protect.

Contact Support is there are any error when running the script. Save the results and messages from the script output to a text file before closing the script window.

Affected Product(s)

Shavlik Protect 9.x

Purpose

When running the Shavlik Protect console in a secure environment without Internet access, it is necessary to download the latest Shavlik Data Files and supported patches from a machine that has Internet access and then transfer the files to the disconnected Protect Console machine.  We are providing a PowerShell script that downloads the Data Files and supported patches for you.

Instructions

The ability to use this script to download patches is only available in Shavlik Protect 9.2.5119 or later. You can confirm the version in Help > About Shavlik.  The installer can be found here: http://www.shavlik.com/support/protect/downloads/

In order to use the PowerShell script, the internet-connected machine must contain the following:

• Windows PowerShell 4.0 or later.
• Microsoft .NET Framework 4.0 or later.
• The PowerShell script .\DownloadDisconnectedData.ps1: DownloadDisconnectedData.zip
  

Download Only Datafiles using Powershell

1. Create a folder on the internet connected machine on C:\. (this example will use C:\Data)
2. Download and extract the PowerShell script (DownloadDisconnectedData.ps1) attached to this document to C:\Data.
3. Open Powershell and navigate to C:\Data.
4. Run the following command replacing C:\Data with whatever output directory you have chosen in step 1:

The major/minor version argument has a two-digit value. Use the value corresponding to your version:

• Protect 9.2: 92
• Protect 9.3: 93

.\DownloadDisconnectedData.ps1 -outdir "C:\Data" -product "Protect" -version 92

    5. Move the downloaded datafiles from C:\Data to C:\ProgramData\LANDESK\Shavlik Protect\Console\DataFiles on the offline Protect console. Overwrite any duplicate files when prompted.

    6. Run Help > Refresh Files in the console. If you are in an offline environment, you will see errors downloading files which is to be expected, but this will also update the database with the newest definitions which is necessary.

Download Datafiles and Patches using Powershell

How to create the list of patches to download:

1. Create a folder on the internet connected machine on C:\. (this example will use C:\Data)
   
2. Scan machines on your disconnected network. (The scan result will provide the list of patches to be downloaded)
   
3. View the scan results after the scan completes.  Use the link on step 6 from the Operations Monitor or View > Results > Today's Items.
4. Highlight and then right-click on the Patch Missing in the middle pane and choose Export Download Package…
   1. You can also choose specific patches using the CTRL-click or Shift-click method after expanding the missing patches list.

     5. Give the .CSV a name and save to your desktop. (we will be using Patches.csv in this example)

     6. Save this .CSV file to the folder you create in step #1.

To use the PowerShell script:

1. Move the DownloadDisconnectedData.zip to the folder you created on the internet connected machine on C:\.
   
2. Extract the PowerShell script (DownloadDisconnectedData.ps1).
3. Open a Windows Command Prompt with Run as administrator privileges.
4. Change to the directory that contains the PowerShell script.
5. Read Disclaimer.txt.
6. Start PowerShell by typing ‘PowerShell’.
7. Use the PowerShell script to download the desired files. Please see the Powershell script information section below for information on how to do this.
8. Move the downloaded datafiles from the downloaded location specified to C:\ProgramData\LANDESK\Shavlik Protect\Console\DataFiles on the offline Protect console. Overwrite any duplicate files when prompted.
9. Move the downloaded patches from the downloaded location to your console's patch repository which can be located in Tools > Options > Downloads.
10. Run Help > Refresh Files in the console. If you are in an offline environment, you will see errors downloading files which is to be expected, but this will also update the database with the newest definitions which is necessary.

Powershell script information:

The major/minor version argument has a two-digit value. Use the value corresponding to your version:

• Protect 9.2: 92
• Protect 9.3: 93 

• In this example, a folder was created here: C:\Data.
• We will be downloading Protect 9.2 content data.
• The exported port patch list is called Patches.csv located in C:\Data.

.\DownloadDisconnectedData.ps1 -outdir "C:\Data" -product "Protect" -version 92 -downloadPackageInputFilePath "C:\Data\Patches.csv"

• The content data files will be located here: C:\Data\DataFiles.
  • These need to be moved to the C:\ProgramData\LANDESK\Shavlik Protect\Console\DataFiles on the offline Protect console.
    
• The patches will be located here: C:\Data\Patches.
  • These need to be moved to theC:\ProgramData\LANDESK\Shavlik Protect\Console\Patches. on the offline Protect console.
    
  • Verify location of the Patches folder through Tools > Operations > Downloads > Patch Download Directory.

Addition Information

How To: Manually Updating Patch Data Files for Shavlik Protect

• The Content Team created a partner.manifest.xml where customers can see the SHA1 and SHA2 hashes for all downloadable Shavlik Protect content files. This list can be used to compare hashes of local files on disk to those contained in the manifest.
  • http://xml.shavlik.com/data/protect/v9/92hash/manifest/partner.manifest.cab

Affected Product(s)

Ivanti Patch for Windows Servers 9.3

Shavlik Protect 9.X

Overview

These documents provides information about the End of Life policy for legacy Shavlik products, VMware branded versions of the same product lines and legacy Shavlik and HEAT OEM products that are now a part of the Ivanti family. The Ivanti Product Support Policy applies to the products released under the Shavlik or HEAT brand name. The Shavlik Product Support Policy applies to the products released under the Shavlik and VMware brand names. All dates presented in this document are in the ISO developed international format. This format uses a numerical date system as follows: YYYY-MM-DD where YYYY is the year, MM the month and DD the day. The information contained herein is believed to be accurate as of the date of publication, but updates and revisions may be posted periodically and without notice.

Legacy Shavlik products, VMware branded versions of the same product lines:

End of Life Information for Products Powered by Shavlik

Legacy Shavlik and HEAT OEM products that are now a part of the Ivanti family:

End-of-Life Information for OEM Products Powered by Shavlik and HEAT

Symptoms

• Cannot open the Protect application
• In Protect, you see the message:
  You have not been granted access, please see the system administrator to configure your role.
  
• You see this message even if you are the only administrator for the Protect application

Purpose

This article provides information to regain access to the Protect console if you have set your own user account to a no access level with the Role-Based Administration function. 

Cause

This issue occurs because of an incorrect configuration within Protect's Role Based Administration features. These features are configured in underManage>User Role Assignment.

Resolution

Download and run the attached SQL Script against your database.
This script will remove all entries from the dbo.RoleUsers table.

How to run a SQL Query against your Protect database

You can also copy the text into the query manually:

Alternative Resolution

To resolve this issue:

1. Ensure that SQL Server Management Studio corresponding to your SQL version is installed.
   To download SQL Server Management Studio for Express editions, see:
   • SQL Server 2005 – http://www.microsoft.com/download/en/details.aspx?id=8961
   • SQL Server 2008 – http://www.microsoft.com/download/en/details.aspx?id=7593
   • SQL Server 2008 R2 – http://www.microsoft.com/download/en/details.aspx?id=22985
   • SQL Server 2012: http://www.microsoft.com/en-us/download/details.aspx?id=35579
2. Open SQL Server Management Studio and log in to the SQL server where the Protect database resides.
3. Expand Databases.
4. Expand your Protect database.
5. Expand Tables.
6. Locate the table dbo.RoleUsers.
7. Right-click the dbo.RoleUsers table and click Open Table.
   Note: In some versions, you may have to use the Select top 1000 Rows option.
8. Delete any rows in the table by a right-click on the row and Delete.
   Note: Ensure not to delete the table.
9. You should now be able to open the Protect application.

Affected Product(s)

• Shavlik Protect 9.x
• vCenter Protect 8.x

Hello,

After making patches on a company's computers we want to display a personalized message before restarting. Ivanti patch management and security management applications for SCCM, only displays a window that we cannot customize before planning a restart.

So we created an.EXE file that we deploy through custom actions after deployment. The.EXE file starts on the target machine since we can see the "message" process in the computer processes, however the EXE is not displayed it is just executed.

In summary, we can't modify ivanti' "SafeReboot" window, and notdisplay a new window from an EXE that we deploy from custom actions.

Have you a idea for this issue ?

Thanks in advance for your help. Have a nice day.

Baptiste

I am deploying 1709 and notice if I schedule a deployment to copy the file to the machine and deploy it later that evening it will not deploy and in the Logs it says "action canceled by user" which is not true  No one touched the machine or canceled it.

Also if I stage a patch to a machine and do not deploy it and then the next day I tell it to deploy the patch it markes the old one as a .old file and redeployed the patch.

Hi!

When we upgraded from Windows 10 1507 to 1709 we used a batch file in a custom action (after reboot) to change the default wallaper file. That way all users got our custom wallpaper at first logon.

We are now trying to do the same thing when upgrading from 1709 to 1803, but the batch file that changes the wallpaper is not run until a user is logging on, and at that time the user have already gotten Windows default wallpaper. Is this by design? Shouldn't the batch file be run during reboot, before users can logon?

Custom Actions:

Push File: <filepath>\ChangeWallaper.bat

Push File: <filepath>\img0.jpg (our custom wallpaper file)

After reboot: call %PATHTOFIXES%ChangeWallpaper.bat

All files are pushed out correctly and the batch file works, but it is just executed at the wrong time.

The last 5 lines in STDeploy.log before user logon:

2018-05-25T12:41:59.2986567Z 1bd4 I STPackageDeployer.cpp:478 Launching SafeReboot. deployerSpecifiedRebootRequired=true

2018-05-25T12:41:59.2986567Z 1bd4 I STPackageDeployer.cpp:390 SafeReboot command line: '"C:\windows\ProPatches\Installation\InstallationSandbox#2018-05-25-T-12-09-18\SafeReboot.exe" -o 8 -requestor 1 -power 4'

2018-05-25T12:41:59.4393167Z 1bd4 S DeployExeStates.cpp:409 Leaving STDeploy::CInitialExecutionPackageDeploy::DoStatefulRemediateActions.

2018-05-25T12:41:59.4393167Z 1bd4 I STDeploy.cpp:365 Current remediation phase completed. Process exit code: 3010.

2018-05-25T12:41:59.4393167Z 1bd4 S STDeploy.cpp:257 Leaving wmain.

And the first 5 lines after user logon:

2018-05-25T14:36:40.5522428Z 0fd8 S STDeploy.cpp:257 Entering wmain.

2018-05-25T14:36:40.6710626Z 0fd8 I STDeploy.cpp:262 'C:\windows\ProPatches\Installation\InstallationSandbox#2018-05-25-T-12-09-18\STDeploy.exe' is starting, version: 9.3.2708.0.

2018-05-25T14:36:40.8110531Z 0fd8 V DeployContext.cpp:259 STDeploy.exe command line args: 'package="C:\windows\ProPatches\Installation\InstallationSandbox#2018-05-25-T-12-09-18\deployPackage-16946.zip" "relaunchSandbox=C:\windows\ProPatches\Installation\InstallationSandbox#2018-05-25-T-12-09-18" "relaunchReason=afterPostDeploymentReboot=1"'

2018-05-25T14:36:40.8110531Z 0fd8 S DeployExeStates.cpp:344 Entering STDeploy::CExtendedCmdLineHandlingPackageDeploy::ProcessExtendedCmdLineArguments.

2018-05-25T14:36:40.8804006Z 0fd8 S DeployExeStates.cpp:344 Leaving STDeploy::CExtendedCmdLineHandlingPackageDeploy::ProcessExtendedCmdLineArguments.

After a while the batch file is executed.

2018-05-25T14:37:22.7928924Z 0fd8 I ChildProcess.cpp:114 Started C:\WINDOWS\sysnative\cmd.exe /U /Q /D /V:ON /C "call %PATHTOFIXES%ChangeWallpaper.bat"

Purpose

The purpose of this document is to outline the issues surrounding FileZilla updates particularly related to the downloading of the patch files from the vendor.

Cause

Changes from the vendor, Filezilla, has caused downloads of the updates not from a Web browser to fail with an error 403 authentication error. From review, the cause is the lack of user token authentication as updates downloaded through Patch for Windows are done on behalf of a user or system account, not as the actual user.

Resolution

The current workaround to this issue can be found in this document: How To: Supply and Deploy Patches That Can Not Be Downloaded

Affected Product

Patch for Windows Servers 9.3

I realize this is probably more of a Microsoft issue, but has anyone else noticed dramatically slower deployment of patches to Server 2016 servers compared to 2008 R2/2012 R2?

We are seeing patching take almost an hour to deploy when with older versions it was 10-15 minutes.  Windows update is disabled and turning off A/V results in no change.  It's similar to complaints found in the technet forums:

what's with the really slow windows updates on 2016?

-Keith

Disclaimer

Please read this disclaimer before using this tool:  LANDESK Share IT Disclaimer

Description

We created a GUI tool to simplify diagnostic scanning to troubleshoot patch scan issues.

The DPDTrace GUI interface requires .Net 2.0 or greater to work.

How to use the DPDTrace GUI

1. Download the latest version of the DPDTrace GUI. Download Link
2. Extract the DPDTrace.zip to the desktop of the machine you will scan from.  This can be on a server remote to the target machine or on the target machine itself.  Support may specify where to scan from depending on the issue being diagnosed.
3. Open the DPDTrace GUI by double-clicking DPDTraceGUI.exe from the extracted folder.

     4. Choose Local to scan the local machine. The IP address or the Machine Name of the local machine will automatically populate.

     5. Choose Remote to scan a remote machine. You will need to provide a valid Machine Name or IP Address to scan.

     6. Enter a username with administrator access to the target machine.

          a. The format must be DomainName\UserName or MachineName\UserName depending on how you are authenticating to the target machine.

     7. Enter a valid Password. You can choose to un-check the Hide option if you wish to see your password for troubleshooting purposes.

Protect Version: (Protect Customers)

     8. Choose the Protect scan engine version to be used during the scan.

          a. The GUI defaults to 9.2.5112 and 9.3.4510, it is OK to leave the default selection and often a good idea since it provides cross engine version data..

OEM Version: (OEM partners)

     9. Choose the OEM scan engine version to be used during the scan.

Patch Type:

     10. Choose Patch Type to be used during the scan.

          a. We highly suggest leaving the defaults of Security Patches and Non-Security Patches selected unless a support tech requests a change.

     11. Click Run to start the scan.

     12. You will see Command Prompt popups and popups for the Rename HF.Log utility during the scan process.  Do not close either these.

     13. All popup windows will close and a new popup will occur once the scan is complete.  Click OK.

     14. The scan diagnostic is complete and all of the trace logs, scan outputs and registry exports have been zipped to this folder:  C:\Users\UserName\Desktop\DPDTrace\SendToSupport

          a. The zip file will be named HFCLi_YearMonthDay.zip

     15. Provide this zip files to support!  If you have any issues attaching this zip to the case, please let the support tech know so they can provide you with more options.

Additional Information

A command line DPDTrace tool can be used by customers who cannot run this GUI version:  DPDTrace command line logging tool used for patch detection issues

Purpose

This document will provide information about how to obtain information about Ivanti Patch for Windows XML updates (patch definitions) and Ivanti Patch for SCCM updates (catalog updates).

Description

Ivanti Patch for Windows Servers

The Ivanti content team will provide patch definition updates at least every Tuesday and Thursday (provided there are new patches to be included). However, there are a few easy sources that can be used to see when new XML updates (patch definitions) are released.

1) Subscribe to the "Patch for Windows Content Notifications" stream using the method outlined here.

2) Patch Data Information Blog Page: https://protect7.shavlik.com/

This web page displays all patch definitions released by the Shavlik content team for the Protect application.

3) Patch Data Information RSS Feed: https://protect7.shavlik.com/     

All the same information as protect7.shavlik.com in an RSS feed.

4) Patch Data Information Twitter: ivanti XML (@ShavlikXML) | Twitter

This Twitter account is updated every time an XML release is put out. This is a good alternative to receiving email notifications, depending upon your preferences.

Ivanti Patch for SCCM

The Ivanti content team will provide catalog updates at least every Wednesday and Friday (provided there are new patches to be included).  These sources can help you stay up to date with those catalog updates.

1) Subscribe to the "Patch for SCCM Content Notifications" stream using the method outlined here.

2) Patch Data Information Blog Page:https://protectupdate.shavlik.com/

Affected Products

Ivanti Patch for Windows Servers 9.3.x

Shavlik Protect 9.2.x

Ivanti Patch for SCCM

Symptoms

When running the Database Setup Tool to connect to a database, you receive an error that you are not able to connect.  In C:\ProgramData\LANDESK\Shavlik Protect\Logs\ST.DatabaseConfiguration.log, you find an error like the following:

ConnectionValidator.cs:395|Failed to authenticate to the SQL Server.: ConnectionException: Unable to connect to SQL Server 'DOMAIN\SQLSERVER'

SqlError message: 'A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 28 - Server doesn't support requested protocol)'

Cause

TCP/IP protocols are disabled for the target SQL Server

Resolution

1. Launch SQL Server Configuration Manager
2. Expand "SQL Server Network Configuration" in the left pane
3. Select the SQL instance you are trying to connect to
   
4. Double-click TCP/IP in the right pane to bring up the TCP/IP Properties
   
5. Change "Enabled" to Yes
6. Restart the service for the SQL instance
7. Re-launch the Database Setup Tool and try your connection again

You should be able to successfully connect now.

Affected Products

Ivanti Patch for Windows Servers

Ivanti Security Controls

Purpose

The purpose of this document is to provide the necessary steps to schedule automatic definition downloads.

Resolution

1. From within the Console select Tools > Options.

2. Within the Options window, navigate to the Downloads tab and the 'Scheduled automatic downloads' pane and click the 'Add' button.

3. The scheduler window will now allow you to select the frequency/schedule of your automatic download. When finished, click 'Save'.

4. The scheduled download task will now appear within the 'Scheduled automatic downloads' pane.

Affected Product(s)

Ivanti Patch for Windows 9.x

Shavlik Protect 9.x

Hello,

I’m trying to move my Ivanti console from one server (W2K8R2 STD) to another server (W2K16STD) but I always get the same error : Object reference not set to an instance of an object

Steps I did :

• Attached/detached my DB from SQL2005 to SQL2016 - SP1 – CU5 (13.0.4451.0)
• Changed the DB location with “Database setup tool” to this new SQL server

on the old server : (UserID with Admin rights on the server)

• Upgrade my Shavlik console from 9.1.xxx to IvantiPatchForServers_9.3.4510
• Backup Core settings
• Backup User settings

on the new server : (The same userid)

• Installed IvantiPatchForServers_9.3.4510
• The installation also installed SQL Express
• Created a local DB for the new installation of Ivanti Console
• Copied the Backup files from the old server to the new server
• Tried to Restore the Core settings but it always fails with the same error

This is the output of the logfiles located at C:\ProgramData\LANDESK\Shavlik Protect\Logs

Logs attached.

Logs consolidated for data migration - Nick Evans

I've been doing some test pushes of the IVA18-002 tool using 9.3.0 build 4510 and came across an issue.

The tracker never gets the final updates, so it still says "Deployment opearation executing", even though the patch progress is executed.

I think there's either a timing or order of operations issue..

Dplyevts.log shows some successful updates as the files are pushed, job schedule, started, but it fails at the end.

STdeploy.log shows the file clean up, which happens before the last update to track is supposed to be sent.

(snips below)

So is this a bug? (e.g. the order got changed?) or just a timing thing because its one small patch???

Logs consolidated for data migration - Nick Evans

Logs Attached.

Logs consolidated for data migration by Nick Evans

Hi all, I'm after some help please.
Ran a deployment to our SQL servers on Friday the 20th, all of them ran fine but one of them decided to install patches and vmware tools at 15:00 instead of 03:00, which as you can imagine didn't go down too well.

Contend of CSTDeploy.log file on the day shown below:

Logs attached.

Logs consolidated for data migration by Nick Evans