Hello,
is there an estimate, when the IVANTI Advanced Patchmanagement supports Windows 10 1809?
At the Moment, it's not implemented, isn't it? On my new Dell 5591 with Windows 10 Enterprice 1809 (17763.1) Release I got the following security risk overview:
Best regards
Christian
This document will help you identify and correct a Patch for SCCM crash caused by missing prerequisite C++ x86 install.
This can be identified by looking in the Application event log:
Application: Microsoft.ConfigurationManagement.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.DllNotFoundException
at ST.Engines.NativeMethods.IsDigitallySignedBy(System.String, ST.Engines.Crypto.Signers, Boolean ByRef)
at ST.Engines.Crypto.SignatureVerifier.IsSignedBy(System.String, ST.Engines.Crypto.Signers)
at ST.Engines.Catalog.SingleFileDownload.HandleCompletedFile(System.Object, System.ComponentModel.AsyncCompletedEventArgs)
at ST.Engines.Catalog.SingleFileDownload.ClientDownloadFileCompleted(System.Object, System.ComponentModel.AsyncCompletedEventArgs)
at System.Net.WebClient.OnDownloadFileCompleted(System.ComponentModel.AsyncCompletedEventArgs)
at System.Net.WebClient.DownloadFileOperationCompleted(System.Object)
at System.Threading.QueueUserWorkItemCallback.WaitCallback_Context(System.Object)
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
at System.Threading.ThreadPoolWorkQueue.Dispatch()
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback()
Install Microsoft Software C++ 2015 Redistributable (x86) - 14.0.24215.
Patch for SCCM 2.3.x
Patch for SCCM 2.4.x
I'm fairly new to administering Ivanti so please bear with me -- I'm coming into a scenario where the server is configured for offline management. I've been working on getting the console configured to point to itself as a distribution server and deploy agents, however I can't find a clear direction on how to configure it to point to 2 separate locations for the datafiles and the patch files. The patch folder has been moved to a separate drive, and I have updated such in Tools > Options > Downloads > Patch download directory. When I push out a new agent, 1 of 2 things happens based on how I have it configured for the distribution server path: either it is unable to download all of the manifest/asset/patch metadata files, or it is unable to download the patch files. I cannot seem to find a way to tell it, "The manifest files are in X directory and the patch files are in Y directory." I've tried changing the other settings for Definition download source and Patch and Service Pack download source to custom UNC paths and to the distribution server, as well as changing the path for the Client connection in the distribution server settings.
Hi,
I've been working alot with the Ivanti PowerShell API and one of the things I just can't get to work is stopping a deployment using the call Stop-PatchDeploy.
Stop-PatchDeploy -Uid XXXX
It just does nothing. Is there any restrictions on this? i.e can you only stop a deployment if it's in a certain state? I can Cancel the deployment via the GUI at any point?
Hope someone can help.
Thanks,
Max
The following is a sample integration script for the Ivanti Patch for Windows Servers API integration with the BeyondTrust vulnerability scanner.
If you use a vulnerability scanner to identify weaknesses in your network, the scanner may detect hundreds or even thousands of issues on your machines. At first this might seem a bit overwhelming, but what’s likely happening is that the vulnerability scanner is simply producing a lot of noise. The scanner is assessing for CVEs (Common Vulnerabilities and Exposures) explicitly. In reality a software update will often include many CVEs. A patch can also be superseded or replaced by a newer update. What this tends to cause is the Vulnerability Assessment reflecting hundreds of vulnerabilities that can be resolved by updating just a few software titles on a system.
To address this, you can use the API to:
Please note:
Environment confirmation steps:
1. Ensure the BeyondInsight console is set up correctly
a. Go to the Configure tab
b. Go to the API Registration tab
c. Make sure the current IPv4 address/range is in the Source Addresses list.
d. Click Update
2. Edit the $Authorization variable at the top of the BeyondInsightToPatch.ps1 file to include your BeyondInsight authorization connection string as specified in the BeyondInsight API documentation.
a. http://<yourBIhost>/eEye.RetinaCS.Server/Flex/Help/BeyondInsightAndPasswordSafeAPIUserGuide.pdf
b. Use the example style text from the Authorization Header section of the API guide. Only include the text to the right of "Authorization="
Example: PS-Auth key=XXXXXXXX...XXXX; runas=demo;
How to invoke the script - BeyondInsightToPatch.ps1
1. Open PowerShell
2. Run BeyondInsightToPatch.ps1 or invoke it with the following mandatory parameters:
3. BeyondInsightToPatch -BtHostOrIpAddress '127.0.0.1' -SmartRuleId 10001 -ScanTemplate 'Demo' -DeployTemplate 'Agent Standard' -PatchGroupName 'Demo' -MachineGroupName 'Demo' -ScanName 'BT-Ivanti demo' -DeployMissingPatches $False
a. BtHostOrIpAddress should be the current IPv4 address of the console VM. I've configured BI to allow 127.0.0.1
b. SmartRuleId should be the smart asset group defined by BeyondInsight.
I. 1 is the system group of All Assets
II. 2 is the system group of All Workstations.
c. DeployMissingPatches set to $True will actually download and deploy the patches to the machines in $MachineGroupName
4. If/when you see yellow warning messages like "WARNING: Cve item was not found: CVE-YYYY-NNNN", don't worry.
a. It means we don't have that CVE in our (Ivanti Patch for Windows Servers content)
b. The patch for the vulnerability may be in our content, but under a different CVE. We add all CVEs for all vulnerabilities to the Patch Group.
5. Open Patch for Windows Servers and view the full results of the patch scan/deployment. You'll see the scan result by $ScanName, date, and source of API in the left navigator.
Within Tools > Operation > Downloads you see that "Specific Distribution Server" is grayed out under Definition download source, and you do have distribution sever(s) configured in this Protect console already.
1) You do not have a Distribution Server configured, or;
2) Your Distribution Servers are set up with at least one scheduled automatic synchronization tasks.
(Distribution Servers set up with automatic synchronization cannot be used a definition download source.)
1) Ensure that you have at least one Distribution Server configured within Tools > Operations > Distribution Servers.
2) Ensure that the Distribution Server you intend to use as a definition download source is not configured for any Scheduled automatic synchronization under Tools > Operations > Distribution Servers.
Be aware that if you are intending to use a Distribution Server (share) as a definition download source - this share must be getting new data copied into it from a separate console that has an internet connection.
Refer to the following documentation for more information:
Help: Configuring Distribution Servers
Shavlik Protect 9.x
Hi All wondering if anyone has came across this issue, (Support case raised)
Ivanti Product Fully Licensed:
Licensed Capabilities
--------------------
Maintenance and Data Subscription expires: 24/06/2019 01:00
## ISSUE ##
This is a New installation of Ivanti Patch for windows,
Once installed I was able to add 2 ESXI Vcenters, populate machine groups with discovered machines.
Came back a week later to add internet proxy details so I could start testing deployment and patching levels of the estate and I am met with:
I then removed one of the hosts and re-added and I get
Credentials have been confirmed to be valid and working,
Successful Connection from Ivanti VM to Host via SSH:
Can Ping the hosts successfully:
Can telnet (443) from Ivanti VM to hosts:
I have also completed a successful Refresh of all files.
Again the Credentials being used have already successfully added these hosts to Ivanti last week, and I can log in with these credentials to full admin level.
I have been unable to find any details of this issue anywhere else which has been successfully resolved.
Thanks Malachy
Hi All,
We are using Shavlik Protect:
Ivanti Patch for Windows® Servers Standard (ST.Protect.exe): 9.3.4510.0
I need a detailed summary report for audit purposes and I have found a couple of reports that if combined will give me the information needed. However here are my setbacks:
1. When generating Deployment Status by machine report I have almost all the info, but if I export it to excel or .cvs format I get numbers instead of designated names - for example Vendor severity is no longer low, moderate, etc, but rather 2,3,4...
2. Naming of the columns are not clear: smachID; smachNotFoundReasonErrorNum; smachServerType; and see 1. While in PDF or original format all is "human" readable;
I have found the following document describing some of the queries used for generating reports:
https://help.ivanti.com/sh/help/en_US/PWS/92/rv-prt-9-2.pdf
However it seems a bit outdated and I was wondering if there is a updated version.
Ultimately what I'm looking for are the following columns:
| Full Nodename(server | OS Class | System Status | System Type | Technical Owner | Bulletin | Patch Name | Vendor Severity | Priority | Patch Installed | Patch Compliance | Exception Reason | Date Release | Date Due | Date Installed |
| Server123 | Windows | VPC (in prod) | server | VPC\some.name | MSNS18-05-4091664_V3 | Q4091664 | Medium | High | Yes | yes | some date | some date | some date |
Note: I don't have access to SQL and I'm combining .cvs files into one detailed excel file.
The columns in red are missing or at least I can't find the naming convention in the .cvs files
Thank you in advance.
Kind regards,
Ivelin
Hello,
I come from an SCCM background and like the fact that the SCCM agent uses BITS (Background Intelligent File Transfer) to download content from SCM infrastructure. This is very useful when clients disconnect from the corporate network halfway through a download, e.g. laptops.
What does Ivanti Patch for Windows use.
Is it BITS or some alternative, e.g. SMB.
Thanks
When I patch endpoints, and the pop-up with Safe Reboot appears, it ends with the line "This action was initiated by (my name)", and I would like to change "my name" to some thing else.
Is that possible?
To help identify what is blocking the upgrade of Windows 10 when deploying with Shavlik Protect 9.2.x or Ivanti Patch for Windows Servers (PWS) 9.3+
Symptoms
When you attempt to deploy a Windows 10 build upgrade using Protect/PWS, the deployment fails with error 2147483647
This may indicate something is preventing the installation of the upgrade, such as incompatible software or an application blocking the process from proceeding
Method 1
1. Try executing the upgrade manually so that you can receive interactive prompts from the installer to identify what might be causing the issue. The example below shows the installer failing because of certain installed software being out of date, but because our process runs installers silently as the local System account, you would not see what was stopping the installation.
2. In an elevated command prompt, run the command:
fltmc filters
You should see a list like this:
This identifies possible filters that could be blocking the ISO from mounting properly (possibly antivirus, encryption software, etc.), and you will need to temporarily disable anything that is interfering to deploy the upgrade through Protect/PWS
Method 2
1) Load the ISO
2) Open an admin command prompt
3) Navigate to the Drive the ISO created
4) Run the command "SETUP.EXE /Auto Upgrade /NoReboot /DynamicUpdate Disable /Compat ScanOnly"
Doing this will create an output that you can use to determine the cause of the failure without having to actually deploy the product manually.
See this doc for more info about deploying Windows 10 Build Upgrades with Protect/PWS:
Windows 10 Build Upgrade Deployment Support in Protect 9.2+ and Patch for Windows Server 9.3+
Shavlik Protect 9.2.x
Ivanti Patch for Windows Servers 9.3+
The purpose of this document is to show what scripts are available in the standard licensing versus what is available in the advanced licensing.
How to: Execute an ITScript using Ivanti Patch for Windows
Custom Action, Custom Patch, and ITScript Information and Troubleshooting
Custom ITScripts can only be imported with either an Advanced license or a specific ITScripts licensing add-on for Standard licenses
Shavlik Protect 9.2
Ivanti Patch for Windows Servers 9.3
The purpose of this document is to outline the issues surrounding FileZilla updates particularly related to the downloading of the patch files from the vendor.
Changes from the vendor, Filezilla, has caused downloads of the updates not from a Web browser to fail with an error 403 authentication error. From review, the cause is the lack of user token authentication as updates downloaded through Patch for SCCM are done on behalf of a user or system account, not as the actual user. Additional findings have shown the direct download links to also reroute to the main Filezilla site versus downloading the actual installer.
The current workaround to this issue can be found in this document: Publish Manually Downloaded Products in Patch for SCCM
Ivanti Patch for SCCM 2.4
Purpose
The purpose of this document is to show how to perform a patch uninstall on multiple systems in Ivanti Patch for Windows
Below is an example of how to set up the uninstall of one patch for multiple machines when using Shavlik Protect. This example is using agentless scan and deployment features.
1) Scan any systems you wish to remove a patch from.
Generally it's best to ensure you run a new scan so you have the most current assessment result available.
2) View the scan result.
You can also get to a scan result if you already have one by clicking the left drop down menu, and choose 'Results'.
3) In the scan result:
1. Choose the machines you want to uninstall a patch from in the upper (Machines) pane. You can use CTRL + click or CTRL+Shift to select highlight multiple machines.
2. In the lower pane, select any patch you wish to uninstall. Patches with an orange U and 'Yes' in the 'Uninstallable' column can be uninstalled. You can see how many machines currently have the patch installed viewing the 'Affected Machine Count' column.
3. Right click on the highlighted patch, and choose 'Uninstall Select'.
Note: Only one patch can be uninstalled from each system on a single deployment, and a reboot is required to complete the uninstall process.
4) You'll be prompted with the 'Deployment Configuration' window.
You can use an existing deployment template, or create a new one. For patch uninstall it's recommended to use a deployment template that has a post-deployment reboot enabled since the uninstall process will require a reboot to complete. You can also change the time of the deployment to take place immediately (default), scheduled at a certain date/time, or perform the uninstall at the target system's next reboot.
Under 'Patches to be deployed by machine' you can see a list of which machines will have the uninstall performed and whatever patch will be uninstalled from each system.
More information about uninstalling patches can be found here:
Help Guide - Uninstall Patches
Microsoft Documentation - Removing Patches
Ivanti Patch for Windows Server 9.3
Overview
These instructions will help you enable All logging (verbose logging) then those collect logs and supporting information to help Support troubleshoot issues on your console and remote clients.
Instructions
Ivanti Patch for Windows Servers (PWS) 9.X Console Logging:
1. Open the Patch for Windows GUI and navigate to Tools > Options > Logging and change logging to All for both user interface and services.
a. If you are unable to set logging via the GUI see this doc: http://community.shavlik.com/docs/DOC-22938
2. Close the console GUI.
3. Stop the 'Ivanti Patch for Windows Servers Console Service' service.
4. Delete the contents of C:\ProgramData\LANDesk\Shavlik Protect\Logs on your console.
a. If troubleshooting agentless deployment or scheduling, delete the contents of C:\Windows\ProPatches\Logs on your target machine as well.
5. Start the 'Ivanti Patch for Windows Servers Console Service' service and open the Patch for Windows GUI.
6. Attempt to reproduce the issue. Please document steps to reproduce. Screenshots are very helpful.
7. Collect the logs from the Logs folder(s) from steps 4 (please zip).
a. Include applicable screenshots.
b. [Deployment issues only] On the target system, zip a copy of the entire C:\Windows\ProPatches folder and its contents (exclude the Patches sub-folder).
8. Zip everything together and attach to the case on the support portal.
Shavlik Protect - Ivanti Patch for Windows Servers Agent Logging:
1. You will need to set your agent's logging level to All by opening the Agent Policy assigned to the machine you are gathering logs from. The option is in the General tab.
2. If not already set, change the logging level to ‘All’ then Save and update Agents. Choose to update agents if prompted again.
a. If Patch for Windows fails to update the agent, you will need to perform an Agent Check-in from the agent GUI on the target machine or wait for the scheduled check-in.
3. Remote to the agent client machine, close the agent GUI and stop the services:
a. The services start with Ivanti or ST.
4. Delete the contents of theC:\ProgramData\LANDesk\Shavlik Protect\Logs folder on the agent client machine.
5. Start services that start with Ivanti or ST.
6. Attempt to reproduce the issue. Please document steps to reproduce. Screenshots are very helpful.
7. Take applicable screenshots of errors or information relevant to the issue.
a. Collect the logs from step 4.
b. Collect the screenshots.
8. Zip everything together and attach to the case on the support portal.
Ivanti Patch for Windows Servers Deployment Logging: (the information collected here is specific to agentless deployments)
1. Navigate to the target machine with the deployment issues.
2. Stop all services that start with Ivanti or ST.
3. Attempt to reproduce the issue. Please document steps to reproduce. Screenshots are very helpful.
4. Delete the patches from C:\Windows\ProPatches\Patches.
5. Zip the entire C:\Windows\ProPatches folder.
a. Include applicable screenshots.
6. Zip everything together and attach to the case on the support portal.
Ivanti Patch for Windows Servers install issues:
Ivanti Patch for Windows Servers 9.3+
This document provides a list of required URL addresses for Shavlik Protect and Ivanti Patch for Windows Servers to allow:
The following URLs may be used to download updates and must allowed through firewalls, proxies and web filters:
Affected Product
Ivanti Patch for Windows Servers
Our agents are attempting to deploy several MS Office patches despite the fact that they are considered already installed. The patches are as follow:
KB3191923
KB4011142
KB4011036
KB4011219
KB4011572
KB4011568
KB3213542
KB4011563
KB4011568
Launching the patches manually informs me the updates are installed. Please advise.
Thank you,
This is a list of Microsoft Security Patches that are not supported by Shavlik. The patch and the reasoning is listed below.
Microsoft Word 2010
Microsoft Live Meeting Console 2007
.NET Language Packs
I am using Patch for Windows. In Console, under View/Machine, I created a new Smart Filter. The rule is 'Path' 'contains' 'X'. But it did not find my machine groups having 'X' in its path. It seems the rule 'Path' did not work.
The purpose of this document is to go over what to do when the deployment tracker fails to update beyond Scheduled.
2016-10-06T21:01:35.1775494Z 0b78 I DeploymentPackageReader.cpp:782 Deploy package 'C:\Windows\ProPatches\Installation\InstallationSandbox#2016-10-06-T-21-00-54\deployPackage-2855.zip' successfully opened unsigned for package IO
2016-10-06T21:02:38.2639494Z 0b78 I Authenticode.cpp:134 Verifying signature of C:\Windows\ProPatches\Patches\Windows6.1-KB2544893-x64.msu with CWinTrustVerifier
2016-10-06T21:02:38.3263494Z 0b78 V UnScriptedInstallation.cpp:29 Executing (C:\Windows\ProPatches\Patches\Windows6.1-KB2544893-x64.msu /quiet /norestart), nShow: true.
2016-10-06T21:02:47.7895494Z 0b78 V ChildProcess.cpp:140 Process handle 000004FC returned '0'.
1. Ensure that port 3121 is not being blocked in your network. Perform a telnet command from the target machine(s) to your Protect console machine's IP or FQDN address.
telnet {console IP/FQDN} 3121
If Telnet is not installed, you will see the following:
To Enable Telnet:
If the port is blocked, you will see a similar error:
If at this point you see the port fail to connect, you will need to make sure that 3121 is enabled in your network before attempting to deploy again.
If the port is not blocked, you should see a blank command prompt:
2. Once you have confirmed that port 3121 is able to connect, check to ensure that your Deployment Template being used has 'Send Tracker Status' enabled:
3. Confirm that either TLS 1.0 is enabled between the console and the problem client machine or TLS 1.2 is properly configured
Disabling TLS 1.0 may causes issues with Patch for Windows Servers.
Enabling TLS 1.2 for Ivanti Patch for Windows Servers
4. Verify that you 'Console Alias Editor' has all of the following located within it:
Tools > Console Alias Editor
Once updated, test your deployment again. If the device is able to properly connect, the tracker status will updated as expected.
If after updating the 'Console Alias Editor' the deployment status is still showing 'Scheduled', you will find in the dplyevts.log file on the target machine something similar to the following:
PingBack.cpp:63 Sending data to 'https://PROTECT-92-5119:3121/ST/Console/Deployment/Tracker/V92' failed: 12002.
If you find something similar to the above, you will need to uninstall the scheduler service from the machine(s).
Protect 9.2:
Manage > Scheduled Remote Tasks
Find device(s) being deployed to, right click the machine and select 'Refresh Selected':
Device will be shown as 'Online':
Once online, right click the device again, go to Scheduler service > Uninstall:
Patch for Windows Servers 9.3:
View > Machines
Find the device affected using the search window
Highlight machine > Right-click > View scheduled tasks
Click Uninstall to remove the scheduler service.
NOTE: To validate scheduler is uninstalled, go to C:\Windows\ProPatches and if you don't see a folder named Scheduler, the service was uninstalled.
Test another deployment to your target machine(s). During this deployment, the Scheduler service will reinstall and should update the deployment tracker to show the deployment operation executing.
Shavlik Protect 9.2.x
Ivanti Patch for Windows Servers 9.3.x