Channel: Shavlik User Community : All Content - Ivanti Patch for Windows

Exclude a service pack from the scan template


Hello,

 

I'm looking for a trick to create a scan template that allows me to exclude a particular service pack.

It is easy to create a scan template that excludes patches but I can't find a solution to exclude a service pack.

 

 

Thank you in advance,


Modifying Console Task targets


We have multiple patch scan and patch deployment tasks that can be seen on Scheduled Console Tasks -view. Is there a way to add more machines to the task without having to create a new task all over again?

Ivanti Patch - Invalid Host Credentials


Hello,

 

I am trying to patch my Windows 2008 R2 server which happens to be the Ivanti Patch server. I am using the same admin credential that I use when I patch other servers which work fine.

 

I am able to scan for needed patches but when I go to deploy them that's when the error appears.

 

Thanks,

 

Paul

Scheduling agentless patch scan task for non-domain machines


We have a daily patch scan task created in "Scheduled Console Tasks". Most of the machines are in domain, so patch scan works for domain machines. However the scheduled patch scan task does not work for workgroup machines. I have assigned local account for workgroup machines and manual patch scan works. It seems that Ivanti only allows to run scheduled tasks with only one credential.

 

How do I schedule an agentless patch scan task for non-domain machines?

Event History Error


I have a problem with viewing the Event History on my Ivanti Patch server - it says:

 

The Console service is running fine - the server seems to work fine - but gives me that error anyway

 

I am running version 9.3.0 Build 4510

 

Any suggestions what can be done to correct this error?

Why the Delta vs Full Cumulative Update is Offered for Windows 10/Server 2016


Purpose

 

This article explains how our detection determines whether the Delta or the Cumulative version of an update is offered.

 

Description

 

Our detection logic checks the 'UBR' (Update Build Revision) value in the registry to determine whether the Delta or the Cumulative update will be offered.

Hive: HKLM, Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion, Value: UBR (Update Build Revision)
  • The Delta is offered if the build version equals N-1. (N = latest build, that is, the current build being offered; N-1 is one version level below it.)
  • The full Cumulative update is offered if the build version is N-2 or less.

 

You will only be offered one or the other and never both.

 

Related Documentation

 

Windows 10 release information

 

Affected Product(s)

 

Ivanti Patch for Windows Servers (all)

Ivanti Security Controls (all)

Migration Tool User’s Guides

Oracle SE Java 8 support changes and how it affects deployments through Ivanti Patch Management solutions


Overview

Oracle is delaying the licensing enforcement until next quarter!  You can read more about this on the Java 8 support page: https://www.oracle.com/technetwork/java/javase/tech/eol-135779.html

"Starting with the April 2019 scheduled quarterly critical patch update, Oracle Customers can access updates to Java SE 8 for commercial use from Oracle through My Oracle Support and via corporate auto update where applicable."

 

Oracle has announced changes to ongoing support for Java SE 8 (Standard Edition). This article describes these changes and how Ivanti will continue its support for Java SE 8 in January 2019 and beyond.

In January 2019 Oracle will require those who wish to continue support for Java 8 SE on Servers, Desktops, and Cloud Deployments to subscribe to the new Java SE Subscription offering to continue to receive Java SE 8 updates. This subscription covers all Java 8 SE licensing and support needs. If you cannot migrate applications with dependencies on Java 8 over to Java 10 by then, this is your option to continue to gain security updates until you can transition.

 

The following End of Public Updates announcement was taken from the Oracle Java SE Support Roadmap.

“End of Public Updates of Java SE 8

Java SE 8 is going through the End of Public Updates process for legacy releases.  Oracle will continue to provide free public updates and auto updates of Java SE 8, until at least the end of December 2020 for Personal Users, and January 2019 for Commercial Users. Personal Users continue to get free Java SE 8 updates from Oracle at java.com (or via auto update), and Commercial Users continue to get free updates to Java SE 8 from OTN for free under the BCL license. Starting with the April 2019 scheduled quarterly critical patch update, Oracle Customers can access updates to Java SE 8 for commercial use from Oracle through My Oracle Support and via corporate auto update where applicable (Visit My.Oracle Support Note 1439822.1 - All Java SE Downloads on MOS– Requires Support Login).

Oracle does not plan to migrate desktops from Java SE 8 to later versions via the auto update feature. This includes the Java Plugin and Java Web Start. Instead of relying on a browser-accessible system JRE, we encourage application developers to use the packaging options introduced with Java SE 9 to repackage and deliver their Java applications as stand-alone applications that include their own custom runtimes.

Current releases remain free and open source for all users from jdk.java.net.”

 

Ivanti will continue to support Java SE 8, but will do so with what we refer to as “drop-in” support for products that have this functionality.  This means supported Ivanti Patch Management solutions will continue to detect Java SE 8 instances in your environment and have the logic to update them, but it will be up to the customer to provide the installer and drop it into the patch repository for remediation purposes. This change keeps both Ivanti and our customers in compliance with Oracle’s licensing for Java SE 8.

 

Additional Information

 

Please refer to instructions for the Ivanti Patch solution you are using for details on how “drop-in” support works in your product:

 

Supported Products

 

Ivanti Patch for Windows

Ivanti Security Controls (ISeC)

Ivanti Patch for SCCM


Scan Error 5, 451 or 452 When Scanning A Machine With a Local Account


Purpose

 

This document walks you through configuring your machine so that it can be scanned using local account credentials.

 

Symptoms

 

Although you have the correct local account credentials defined and assigned, scans on your machine fail. Errors include:

  • 451: The specified user account requires administrative rights to the target machine
  • 452: Unable to connect to the remote machine
  • 5: Access is Denied


 

Resolution

 

If you are not using the built-in Administrator account on the remote machines (and using that account is NOT recommended), you must disable User Account Control (UAC) remote restrictions on the machines with the following steps.

  • Run regedit and locate the following registry key:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • With that key highlighted, click Edit > New > DWORD (32-bit) Value
  • Type LocalAccountTokenFilterPolicy and then press Enter to name and create the new value
  • Double-click the new LocalAccountTokenFilterPolicy value and change the value to 1 and click OK to save it

In some instances, exporting/importing this registry key will not correctly fix the issue. If you imported this key via a .reg file, and you continue getting access denied messages, try deleting the registry value and manually entering it using the steps above.

For more details on disabling UAC remote restrictions, see http://support.microsoft.com/kb/951016
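
The registry change above can also be checked and applied from PowerShell. The following is an added example, not part of the original article or Ivanti's tooling; the function names are hypothetical. It reports whether the value exists as a DWORD equal to 1 and, if it does not, deletes and recreates it, mirroring the article's advice to re-enter the value when an imported one does not work.

```powershell
# Added example (not from the original article). Run in an elevated session
# on the machine that will be scanned with a local account.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicyState {
    # Returns presence, registry type and data of the value, plus a single
    # flag that is true only for a DWORD with data 1.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    if ($key.GetValueNames() -notcontains $ValueName) {
        return [pscustomobject]@{
            Present = $false; Kind = $null; Data = $null
            RemoteRestrictionsDisabled = $false
        }
    }
    $kind = $key.GetValueKind($ValueName)
    $data = $key.GetValue($ValueName)
    [pscustomobject]@{
        Present = $true
        Kind    = $kind
        Data    = $data
        RemoteRestrictionsDisabled =
            ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 1)
    }
}

function Set-TokenFilterPolicy {
    # Creates the value as DWORD 1. A value that exists with the wrong type
    # or data is removed first and then recreated.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $state = Get-TokenFilterPolicyState
    if ($state.RemoteRestrictionsDisabled) { return $state }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD value to 1')) {
        if ($state.Present) {
            Remove-ItemProperty -LiteralPath $KeyPath -Name $ValueName
        }
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 1 | Out-Null
    }
    Get-TokenFilterPolicyState
}

# Report the current state, then preview the change without applying it.
Get-TokenFilterPolicyState
Set-TokenFilterPolicy -WhatIf
```

With the value set to 1, local administrator accounts receive a full administrative token over the network on that machine, so keep an inventory of where it is enabled; `Get-TokenFilterPolicyState` can be run fleet-wide for that purpose.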

 

Additional Information

 

Refer to this portion of the Agentless Patch Scanning Prerequisites.

 

Affected Versions

Patch for Windows Servers 9.3.x

Ivanti Security Controls (all)

Latest information on WannaCrypt and how to protect against it (Patch for Windows)


 

WannaCrypt (also known as WanaCrypt0r 2.0, WanaCry or Wcry) is an encryption-based ransomware attack, that started spreading globally on May 12th.

The malware encrypts files on affected systems using AES and RSA encryption ciphers, meaning hackers can decrypt system files using a unique decryption key.

WannaCrypt changes the computer's wallpaper with messages, asking the victim to download the decryptor from Dropbox and demanding hundreds in bitcoin to get their files back.

 

Attack vector

 

WannaCrypt uses multiple attack vectors:

 

  • The primary attack vector is distribution via e-mail. WannaCrypt uses social engineering or phishing techniques, relying on users to open and execute a malicious payload embedded within the e-mail. When opened by the user, the malware will install itself and start encrypting files immediately.
  • WannaCrypt will then try to spread within the network or over the internet, using exploit code for vulnerability CVE-2017-0145, which allows remote attackers to execute arbitrary code via crafted packets to an SMBv1 server, aka "Windows SMB Remote Code Execution Vulnerability". This vulnerability is only present in the SMB v1.0 protocol. Microsoft released a patch in March: Microsoft Security Bulletin MS17-010. For more information about this update, see Microsoft Knowledge Base Article 4013389.
  • All Windows versions from Windows XP to Server 2016 are affected; all of these systems have SMBv1 enabled by default. Windows 10 is not affected. On May 13th, Microsoft released an emergency security patch for unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions.

 

How to protect against WannaCrypt and other ransomware?

 

  • Keep your system up to date: for Shavlik Protect, Shavlik OEM (SDK) and Ivanti Patch for Windows Server, update the XML to 2.0.2.2723, deploy MS17-010 and ensure that the most recent bundles have been deployed. The vulnerability was originally plugged in the March Patch Tuesday release, so the following bulletins will resolve it.
  • Content release 06/13/2017:
      • Updated MS17-010(Q4012598): Added patches for Windows 8, Windows XP and Windows Server 2003, Windows Vista, Windows Server 2008

  • If you are using Monthly Rollups - June 2017 Patch Tuesday
      • MS17-06-MR7(Q4019264): Monthly Rollup for Windows 7 and 2008 R2: June 13, 2017
      • MS17-06-MR8(Q4019216): Monthly Rollup for Server 2012: June 13, 2017
      • MS17-06-MR81(Q4019215): Monthly Rollup for Windows 8.1 and 2012 R2: June 13, 2017
      • MS17-06-2K8(Q4018466): Security update for the Windows SMB Information Disclosure Vulnerability in Windows Server 2008: June 13, 2017
  • If you are using Security Only Updates or Bundles - March 2017 Patch Tuesday
      • Windows 7 and Server 2008 R2: SB17-002[MS17-010](Q4012212): March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1
      • Windows 8.1 and Server 2012 R2: SB17-003[MS17-010](Q4012213): March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2
      • Windows Server 2012: SB17-004[MS17-010](Q4012214): March 2017 Security Only Quality Update for Windows Server 2012
  • Any of the Security Monthly Quality Rollup for the above Operating Systems from June 2017 and later will also remediate this as is shown below.

 

Video demonstrating how to patch and report on the WannaCrypt vulnerability in Ivanti Patch for Windows Servers (Shavlik Protect). This also works for the Petya vulnerability patches.

 


If you encounter an error decrypting your credentials, or the Shavlik Protect Console service stops after updating to the latest content data, the workaround is to install .Net Framework 4.6.2 on the Protect console server.  For customers who cannot install .Net Framework 4.6.2, we are working on a fix that doesn't require this.  No ETA on this.

  • Beware of phishing: never open e-mail attachments from an untrusted sender or click on links within e-mails or documents without checking the source. Ivanti Anti-Virus can also scan incoming e-mail.
  • Regularly backup user data: create copies of all user data at regular times to prevent data loss, should a ransomware attack occur.
  • Enable Windows firewall: limit the spreading of ransomware within the corporate network by correctly configuring firewalls. Block access to SMB ports over the network and/or the Internet. The protocol operates on TCP ports 137, 139 and 445 and over UDP ports 137 and 138.
  • Block legacy protocols such as SMB v1: See the following article on how to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server (Note: Windows XP only supported SMB v1).
  • Audit installed software and keep it up to date: malware often uses flaws in outdated software. Keep all installed software up to date, not only on end nodes but also in the data centre. Patch Manager will also detect vulnerabilities in many third-party software, other than the operating system.
  • Ivanti free 90 day offer: When a global threat like WannaCrypt comes along, it's up to all of us in cyber security to make sure we shut it down. To help minimize its impact, until June 15, 2017, we're offering a free 90-day license for the best-in-industry patch management solution that's tailored to your system needs.  Register for Ransomware Get Well Quick trial.

 

Indicators of compromise

 

WannaCrypt creates the following registry keys:

  • HKLM\SOFTWARE\WanaCrypt0r\wd = "<malware working directory>"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = "<malware working directory>\tasksche.exe"

 

It will display a ransom message on the desktop wallpaper, by changing the following registry key:

  • HKCU\Control Panel\Desktop\Wallpaper: "<malware working directory>\@WanaDecryptor@.bmp"

 

Files created in the malware's working directory:

  • %SystemRoot%\mssecsvc.exe
  • %SystemRoot%\tasksche.exe
  • %SystemRoot%\qeriuwjhrf
  • b.wnry
  • c.wnry
  • f.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • u.wnry
  • taskdl.exe
  • taskse.exe
  • 00000000.eky
  • 00000000.res
  • 00000000.pky
  • @WanaDecryptor@.exe
  • @Please_Read_Me@.txt
  • m.vbs
  • @WanaDecryptor@.exe.lnk
  • @WanaDecryptor@.bmp
  • 274901494632976.bat
  • taskdl.exe
  • Taskse.exe
  • Files with “.wnry” extension
  • Files with “.WNCRY” extension
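
The indicators listed above can be swept for on a single host with PowerShell. This is an added example, not part of the original article or of any Ivanti product; the function names and the default search root (user profiles only, to bound the file scan) are assumptions.

```powershell
# Added example (not from the original article): local sweep for the
# registry and file indicators listed above. Empty output means no match.
function New-Hit([string]$Type, [string]$Location, [string]$Detail) {
    [pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail }
}

function Find-WannaCryptIndicator {
    [CmdletBinding()]
    param(
        # Folders searched for ransomware file names and extensions.
        # Assumption: user profiles only; pass other roots as needed.
        [string[]]$SearchRoot = @(Join-Path $env:SystemDrive 'Users')
    )

    # HKLM\SOFTWARE\WanaCrypt0r\wd holds the malware working directory.
    $wcKey = 'HKLM:\SOFTWARE\WanaCrypt0r'
    if (Test-Path -LiteralPath $wcKey) {
        $wd = (Get-ItemProperty -LiteralPath $wcKey -ErrorAction SilentlyContinue).wd
        New-Hit 'Registry' $wcKey "wd = $wd"
    }

    # The Run value has a random name, so match on its data instead.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($name in $run.GetValueNames()) {
            $data = [string]$run.GetValue($name)
            if ($data -match '\\tasksche\.exe') {
                New-Hit 'Registry' "$runKey\$name" $data
            }
        }
    }

    # Wallpaper of the current user only; other users' hives are not loaded here.
    $desktop = Get-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop' `
        -ErrorAction SilentlyContinue
    if ($desktop.Wallpaper -like '*@WanaDecryptor@.bmp') {
        New-Hit 'Registry' 'HKCU:\Control Panel\Desktop\Wallpaper' $desktop.Wallpaper
    }

    # Files the article lists under %SystemRoot%.
    foreach ($file in 'mssecsvc.exe', 'tasksche.exe', 'qeriuwjhrf') {
        $path = Join-Path $env:SystemRoot $file
        if (Test-Path -LiteralPath $path) {
            New-Hit 'File' $path 'listed file present in %SystemRoot%'
        }
    }

    # Ransom note, decryptor and encrypted-file extensions from the list above.
    $names = '@WanaDecryptor@.exe', '@Please_Read_Me@.txt', '@WanaDecryptor@.bmp'
    foreach ($root in $SearchRoot) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.wnry', '.WNCRY' -or $_.Name -in $names } |
            ForEach-Object { New-Hit 'File' $_.FullName 'listed file name or extension' }
    }
}

Find-WannaCryptIndicator | Format-Table -AutoSize
```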

 

What if I'm compromised?

 

Once ransomware has encrypted files, there is not much you can do. Sometimes, ransomware has been badly written and it has been possible - by reverse engineering their code - to find a way to decrypt the data.

This does not seem to apply to WannaCrypt and we are unaware of a way to recover encrypted data at this time.

 

One might ask if paying the ransom will really decrypt the files. Sometimes it will, but there is no guarantee.

When Cryptolocker hit a few years ago, some users reported that they did get their data back after paying the ransom.

 

More information: Webinars

 

Live Updates on the Ransomware Attack from Our CISO, Director of Security and Chief Technologist

May 15, 2017 - 9:00 PDT | 12:00 EDT | 17:00 BST | 18:00 CEST

Ivanti Webinar Series

 

Ransomware Update: New Threats, New Defenses

September 14, 2016

Stephen Brown, Director of Product Management, Ivanti

 

Passive Protection Against Ransomware

June 01, 2016

Eran Livne, Principal Product Manager, Ivanti

Statement regarding Ivanti's Own Environment

 

To date, Ivanti has not detected the WannaCrypt malware in our environment.

In advance of the threat, we took the following proactive steps to fortify our environment against these types of threats:

  • We verified that our AV is installed, up to date, and active on client devices and servers, both internal and cloud / customer-facing.
  • We verified that appropriate patches from Microsoft and third parties are installed and correctly configured in a timely manner.
  • Where appropriate, we use Application Control for whitelisting, privilege management, and system monitoring.
  • We constantly educate our employees on the risks of phishing, monitoring our incoming emails.
  • We leverage third-party tools to actively monitor email for ransomware and other malicious URLs.
  • We leverage third-party tools to monitor infestation and proliferation of malware in our internal and customer-facing IT environments.

Since this threat emerged, we have taken the following additional steps:

  • We have educated our staff about this particular threat and reinforced the importance of not opening files or clicking on links from unknown sources.
  • We have verified that our network infrastructure does not block access to the kill switch URL.
  • We have audited our environment against all the above measures.

 


 

Bookmark this page; we will add updates as they become available. Our patch content teams are currently working to include the emergency security patches in our patch content.

How to clean up broken installs of Patch for Windows and previous products using the Microsoft Fixit tool


Symptoms

 

  • Patch for Windows upgrade failure.
  • Patch for Windows install failure.
  • You may see a pop-up error:

Error 1603: A fatal error occurred during installation

Error 1605: This action is only valid for products that are currently installed.

Error 1612: The installation source for this product is not available. Verify that the source exists and that you can access it.

Purpose

 

Patch for Windows may become corrupt or unstable due to multiple reasons.  Corruption to the Windows Installer, Installer folder or other corruption to the automated uninstall process is a typical root cause. When this occurs a manual uninstall of Patch for Windows is necessary.  This article provides information on manually removing Patch for Windows from a server. This should only be used as a last resort to clean up a broken installation of Patch for Windows.

 

Resolution

 

Microsoft provides assistance with the manual uninstall process by providing a Fix it tool.  The link to the tool is: Fix problems that block programs from being installed or removed

 

How to use the Fix it tool

  1. Use the link above to navigate to the Fix it main page.
  2. Click on ‘Run Now’ and choose ‘Save File’.
  3. Run the EXE that is downloaded and choose ‘Accept’ on the first page.
  4. Choose the second option ‘Detect problems and let me select the fixes to apply’.
  5. Choose the ‘Uninstalling’ option
  6. You will see a list of the installed products on the server.  Choose the product if you see it on the list, for instance ‘Shavlik Protect’.  If you do not see the product on the list then select ‘Not listed’.

 

If Shavlik Protect, vCenter Protect, Netchk Protect, Patch for Windows is listed:

  1. Choose the corresponding name and click ‘Next’.
  2. Choose ‘Yes, try uninstall’
  3. Verify both options are check-marked and click ‘Next’.
  4. You should see a screen that indicates whether the product was uninstalled or not.
  5. Click ‘Next’ and then close out of the screen.

 

If Shavlik Protect, vCenter Protect, or Protect is Not Listed:

  1. Choose ‘Not Listed’ and click ‘Next’.
  2. Enter the product code for the version of the product installed, including the brackets, and click ‘Next’. (Product codes are listed below.)
  3. Verify both options are check-marked and click ‘Next’.
  4. You should see a screen that indicates whether the product was uninstalled or not.
  5. Click ‘Next’ and then close out of the screen.

 

Product GUID codes:

Make sure to use the corresponding GUID for the version of Protect you are attempting to uninstall.

  • Protect 7.0.832.0: {C6D1AE7C-DE93-4E93-A916-C4144525C82C}
  • Protect 7.0.841.0: {C6D1AE7C-DE93-4E93-A916-C4144525C82C}
  • Protect 7.1.410.0: {90047C28-0B1B-4B30-8177-50729907EBF2}
  • Protect 7.2.155.0: {9B7F1E45-4C47-4E25-9EAB-098923E4171C}
  • Protect 7.5.2716.0: {CEA2D643-08C0-422E-9B27-B58ED9D38D07}
  • Protect 7.6.1482.0: {661A3308-5BE2-4E0F-A752-BDDB247DD2DB}
  • Protect 7.8.1340.0: {0A4D8D5E-7177-4A45-8A7F-0A5757403F97}
  • Protect 7.8.1388.0: {0A4D8D5E-7177-4A45-8A7F-0A5757403F97}
  • Protect 7.8.1392.0: {0A4D8D5E-7177-4A45-8A7F-0A5757403F97}
  • Protect 8.0.3756.0: {F77AFB04-D13F-48DA-BB99-A5B31B6AAE0B}
  • Protect 8.0.3965.1: {5A696B05-9F06-4B3D-83A0-69E848EFAC4A}
  • Protect 8.0.4027.2: {5A696B05-9F06-4B3D-83A0-69E848EFAC4A}
  • Protect 9.0.1106.0: {8045AD29-C6A4-43F5-9F1F-9560EB09F99A}
  • Protect 9.0.1182.0: {070964CB-00B0-4E36-A3F6-A09F76FBD197}
  • Protect 9.0.1182.0: {B7F5FF6F-382B-8834-3B85-B6390F7F4DA1}
  • Protect 9.1.4334.0: {83593D3F-ADD7-491B-82EC-1A2E6D08C385}
  • Protect 9.1.4472.0: {83593D3F-ADD7-491B-82EC-1A2E6D08C385}
  • Protect 9.2.4988: {063C2D00-E6D5-6624-4903-4EEB4561AE61}
  • Protect 9.2.5046: {063C2D00-E6D5-6624-4903-4EEB4561AE61}
  • Protect 9.2.5119: {063C2D00-E6D5-6624-4903-4EEB4561AE61}
  • ScriptLogic Patch Authority Ultimate 8.0.3756: {A8210996-CD25-4C8C-A2D7-207635DEDC28}
  • ScriptLogic Patch Authority Ultimate 8.0.4027: {86DE6110-3F1C-40EE-98D9-05CD7A4B212F}
  • ScriptLogic Patch Authority Ultimate 9.0.1182: {0EAD1B8A-6F58-2304-A817-34C1724CE04C}
  • Patch for Windows Servers 9.3 Console: {5240C49D-72A5-4EE6-8687-C1F8DBD849CC}
  • Patch for Windows Servers 9.3 Agent: {863EACA4-E689-4284-BEE2-8C5DE09E32BA}
  • Patch for Windows Servers 9.3 Agent Patch Engine: {E9C4A462-8F43-4959-A6C6-B63E6D0050BA}
  • Patch for Windows Servers 9.3 Agent Asset Engine: {0D593038-F0EF-4F93-8134-2DA47CA016EB}

Delete the relevant certificates. (You will need to reinstall all agents after performing this step)

 

  1. Click Start > Run, type MMC, and click OK. The MMC Snap In window opens.
  2. Click File > Add/Remove Snap-In.
  3. Under Available Snap Ins, select Certificates.
  4. Click Add.
  5. Select the Computer Account option and click Next.
  6. Ensure that the Local Computer option is selected and then click Finish.
  7. Click OK.  You should now see Certificates listed under Console Root.
  8. Expand Certificates.
  9. Delete these certificates that are listed as being issued by ST Root Authority:
    • Personal\Certificates
    • Trusted Root Certification Authorities\Certificates
    • Intermediate Certification Authorities\Certificates

   10. Close the MMC window.  At this point, install the latest version of Protect.

 

If you continue to encounter any install errors, contact Ivanti support: Ivanti Support Portal

 

If the Fixit tool fails to correct the error, you may need to manually delete an upgrade key located under HKEY_CLASSES_ROOT\Installer\UpgradeCodes in the registry. Then try reinstalling Patch for Windows with the latest installer.

 

Known Upgrade Codes:  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B7F5FF6F382B88343B85B6390F7F4DA1]

 

Latest versions of Protect can be downloaded from: Patch for Windows Download
It is highly recommended to perform a backup of the registry before performing any modifications: How To Back-up The Registry

Additional Information

 

The Fixit utility is provided by Microsoft. Make sure you read any known issues or guidelines for this tool on Microsoft's site prior to use.

 

Affected Products

 

Patch for Windows - All versions

How To: Gather console, patch deployment and agent logs for Ivanti Patch for Windows


Overview

 

These instructions will help you enable All logging (verbose logging) and then collect those logs and supporting information to help Support troubleshoot issues on your console and remote clients.

 

Instructions

 

Ivanti Patch for Windows Servers (PWS) 9.X Console Logging:


1. Open the Patch for Windows GUI and navigate to Tools > Options > Logging and change logging to All for both user interface and services.

     a. If you are unable to set logging via the GUI see this doc: http://community.shavlik.com/docs/DOC-22938

If you can reproduce the issue on demand, proceed to the next step.  If not, skip to step 6.

2. Close the console GUI.

3. Stop the 'Ivanti Patch for Windows Servers Console Service' service.

4. Delete the contents of C:\ProgramData\LANDesk\Shavlik Protect\Logs on your console.

     a. If troubleshooting agentless deployment or scheduling, delete the contents of C:\Windows\ProPatches\Logs on your target machine as well.

5. Start the 'Ivanti Patch for Windows Servers Console Service' service and open the Patch for Windows GUI.

6. Attempt to reproduce the issue.  Please document steps to reproduce.  Screenshots are very helpful.

7. Collect the logs from the Logs folder(s) from step 4 (please zip).

     a. Include applicable screenshots.

     b. [Deployment issues only] On the target system, zip a copy of the entire C:\Windows\ProPatches folder and its contents (exclude the Patches sub-folder).

8. Zip everything together and attach to the case on the support portal.

If requested to do so, you can obtain the ST.FileVersions.log which contains all file versions relevant to Patch for Windows by going to Help > About Ivanti Patch for Windows Servers > Export Info.

 

Shavlik Protect - Ivanti Patch for Windows Servers Agent Logging:

 

1. You will need to set your agent's logging level to All by opening the Agent Policy assigned to the machine you are gathering logs from. The option is in the General tab.

2. If not already set, change the logging level to ‘All’ then Save and update Agents. Choose to update agents if prompted again.

     a. If Patch for Windows fails to update the agent, you will need to perform an Agent Check-in from the agent GUI on the target machine or wait for the scheduled check-in.

If you can reproduce the issue on demand, proceed to the next step.  If not, skip to step 6.

3. Remote to the agent client machine, close the agent GUI and stop the services:

     a. The services start with Ivanti or ST.

4. Delete the contents of the C:\ProgramData\LANDesk\Shavlik Protect\Logs folder on the agent client machine.

5. Start services that start with Ivanti or ST.

6. Attempt to reproduce the issue.  Please document steps to reproduce.  Screenshots are very helpful.

7. Take applicable screenshots of errors or information relevant to the issue.

     a.  Collect the logs from step 4.

     b.  Collect the screenshots.

8. Zip everything together and attach to the case on the support portal.

 

Ivanti Patch for Windows Servers Deployment Logging: (the information collected here is specific to agentless deployments)

 

 

1. Navigate to the target machine with the deployment issues.

If you can reproduce the issue on demand, delete the contents of the C:\Windows\ProPatches\ folder and continue to the next step.  If you cannot, skip to step 4.

2. Stop all services that start with Ivanti or ST.

3. Attempt to reproduce the issue.  Please document steps to reproduce.  Screenshots are very helpful.

4. Delete the patches from C:\Windows\ProPatches\Patches.

5.  Zip the entire C:\Windows\ProPatches folder.

     a. Include applicable screenshots.

6. Zip everything together and attach to the case on the support portal.

 

Ivanti Patch for Windows Servers install issues:

 

 

Affected Products


Ivanti Patch for Windows Servers 9.3+

Where can I find Patch for Windows Console and Agent installation logs?


Purpose

 

This document shows how to find the installation and setup logs for Patch for Windows. These are often requested by Ivanti support when troubleshooting installation failures.

 

Description

 

The setup and installation logs for Patch for Windows can be found by doing the following:

 

  • Go to Start > Run (or search) > Type: %temp%
  • C:\Users\*your_user*\AppData\Local\Temp

 

Either option brings you to the same directory. Search the temp directory for files with the following names. There may be several of each, depending on how many times you have attempted installation. The newest log files are the best ones to collect for support.

 

  • ProtectInstall_xxx.log - Patch for Windows install log file.
  • ProtectSetup_xxx.log - Patch for Windows install log file.
  • STPlatformInstall_xxx.log - Agent installation log file.
  • STPlatformUpdater_xxx.log - Additional logging for agent setup/install.

 

 

Additional Information

 

For information on collecting other/additional logging please see the document, How To: Gather console, patch deployment and agent logs for Ivanti Patch for Windows

 

Affected Products

 

Patch for Windows 9.3+

Patch for Windows scan error messages


Purpose

 

Many common Patch for Windows scan errors can be corrected by changes to configuration or environment. This article lists the most common scan error messages and provides some guidance on correcting the issue.

 

Overview

 

Scan errors can occur when:

 

  • Patch for Windows scan prerequisites have not been met 
  • Configuration issues are present in Patch for Windows 
  • Environmental issues

 

Resolution

 

The table below lists the error codes with the known reason or solution. Most scan errors can be resolved by ensuring you are meeting requirements.
You can see the scan errors listed by viewing your scan result under the 'Results' section and viewing the 'Machines Not Scanned' tab of the scan result.

 

Error Code

Description

Error Code 101:

Unable to determine System Language

The scan process reads the Windows ntdll.dll file to determine the language of the system. If this file is inaccessible, the prerequisite validation fails and the scan is aborted. See the following document for more information: Patch Scan Error Code 101: Unable To Determine OS Language

Error Code 105:
MS_UNABLE_TO_GET_SYSTEM_DATA

This issue occurs due to an access denied message at the root of the problem, or due to other environmental or network related issues. See the following KB: Scanning A Remote Machine Using Protect Fails With Error 105: MS_UNABLE_TO_GET_SYSTEM_DATA

Error Code 200:
System not found. Scan not performed.
This indicates that the specified computer was not located and could not be scanned.
Error Code 201:
System not found. <system error message>

A network problem is preventing the specified machine from being scanned. Check to see that your computer (the scanning machine) is properly connected to the network and that you can remotely logon to the specified machine.

Error Code 202:
System not found. Scan not performed.

A network or system error occurred while the scan was in process. Check to see that your scanning machine is properly connected to the network and that the machine being scanned is still connected to the network. Also ensure that the remote machine is running the Server service.

Error Code 230:
Scan not performed. <system error message>
A general network error has occurred. See the system documentation for more information.
Error Code 235:
System not found, or NetBIOS ports may be firewalled. Scan not performed.

Most likely, there is no machine with the specified IP address. If a machine does exist at this address, a personal firewall or port filtering device may be dropping packets destined for TCP ports 139 and 445.
See the following KB:  Scanning A Remote Machine With Protect Fails With Error 235: System Not Found, Or NetBIOS Ports May Be Firewalled

Error Code 261:
System found but it is not listening on NetBIOS ports. Scan not performed.
A machine exists at this IP address but it is either not listening on, or is blocking access to, TCP ports 139 and 445.

Error Code 270:

Connected to a machine with the wrong hostname or domain name.

Ensure that you are meeting all scanning prerequisites, and that you are able to resolve the target system properly by forward and reverse nslookup.

Example:

nslookup target_IP_address

nslookup target_NetBIOS_name

 

See: Agentless Patch Scanning Prerequisites
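The conditions behind errors 235, 261 and 270 can be checked from the console system before a scan is started. The following PowerShell sketch is an added example, not Ivanti code. The function names are illustrative, and the mapping of results to error codes is a hint based on the descriptions above, not the scan engine's own logic.

```powershell
# Added example: pre-scan check for the conditions described under errors 235, 261 and 270.
# Function names are illustrative; they are not part of Patch for Windows.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect asynchronously so a filtered port fails after $TimeoutMs
        # instead of waiting for the operating system's connect timeout.
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false   # refused, unreachable, or the name did not resolve
    } finally {
        $client.Close()
    }
}

function Test-ScanPrerequisite {
    param([Parameter(Mandatory = $true)][string]$Target)

    $parsed = $null
    $isIp = [System.Net.IPAddress]::TryParse($Target, [ref]$parsed)

    # Forward lookup, IPv4 only (IPv6 targets are not supported, see error 1001).
    $forward = @()
    try {
        $forward = @([System.Net.Dns]::GetHostAddresses($Target) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        # Name did not resolve; $forward stays empty and is reported below.
    }

    # Reverse lookup for every address returned by the forward lookup.
    $reverse = @()
    foreach ($ip in $forward) {
        try {
            $name = [System.Net.Dns]::GetHostEntry($ip).HostName
            if ($name -and $name -ne $ip) { $reverse += $name }
        } catch {
            # No reverse record for this address.
        }
    }

    # Compare short host names; not applicable when the target was given as an IP.
    $nameMatches = $null
    if (-not $isIp) {
        $short = ($Target -split '\.')[0]
        $nameMatches = [bool]($reverse | Where-Object { ($_ -split '\.')[0] -ieq $short })
    }

    $port139 = Test-TcpPort -ComputerName $Target -Port 139
    $port445 = Test-TcpPort -ComputerName $Target -Port 445
    $ping    = [bool](Test-Connection -ComputerName $Target -Count 1 -Quiet -ErrorAction SilentlyContinue)

    $hints = @()
    if ($forward.Count -eq 0) {
        $hints += 'Target does not resolve to an IPv4 address.'
    }
    if (-not $port139 -and -not $port445) {
        if ($ping) {
            $hints += 'Host answers ping but TCP 139/445 are closed or blocked (compare error 261).'
        } else {
            $hints += 'No ping reply and TCP 139/445 unreachable: no host at this address, or packets are being dropped (compare error 235).'
        }
    }
    if ($nameMatches -eq $false) {
        $hints += 'Reverse lookup does not return the target name (compare error 270).'
    }

    [pscustomobject]@{
        Target       = $Target
        ForwardIPv4  = $forward -join ', '
        ReverseNames = $reverse -join ', '
        NameMatches  = $nameMatches
        Port139Open  = $port139
        Port445Open  = $port445
        PingReply    = $ping
        Hints        = $hints -join ' '
    }
}

# "machine01" is the sample host name used elsewhere on this page.
Test-ScanPrerequisite -Target 'machine01' | Format-List
```

A missing ping reply is not conclusive on its own, because ICMP is often filtered even when the host is up.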

Error Code 301:
SystemRoot share access required to scan.

Unable to connect to the remote machine’s system share. This may occur if the administrator has unshared the systemroot (typically C$ or similar) or has disabled the AutoShareServer(Wks) via the registry.

 

See: Scan Error 301 - SystemRoot Share Access Required to Scan

 

For more information on restoring Admin Shares, see the Microsoft Knowledge Base article 318755.

Error Code 429:
DLL is not properly registered.
Error Code 430:
Incorrect version of MDAC.
Error Code 451:
Admin rights are required to scan. Scan not performed.

The current or specified user account performing the scan does not have administrative rights to the machine being scanned. Check to see that the specified account is a member of the local administrators group on the machine being scanned (or is a member of a group with local administrative rights).

 

If you are scanning a machine in a workgroup, see Scan Error 5, 451 or 452 When Scanning A Machine With a Local Account

Error Code 452:
Protect is unable to scan this machine. Please check to see that you have administrative rights to this machine and are able to login to this machine from your workstation. Scan not performed.

Check to see that the Server service is enabled on the remote machine and that you can remotely logon to this machine. Ensure that the Workstation service is running on the machine performing the scan.
See the following KB: Error 452: Unable to Connect to the Remote Machine

 

If you are scanning a machine in a workgroup, see Scan Error 5, 451 or 452 When Scanning A Machine With a Local Account

 

MS15-027 has also caused this issue. Please see MS15-027 (KB3002657) May Cause Patch Scans To Fail With Error 452

Error Code 501:
Remote registry access denied. Scan not performed.

Check to see that the Remote Registry service is enabled on the machine being scanned.
See the following KB: Protect Patch Scan Fails With: Error 501 - Remote Registry Access Denied

Error Code 502:
Scan not performed. Error reading Registry <system error message>
A general registry error has occurred. See the system documentation for more information.
Error Code 503:
Scan not performed. Error reading Registry.
A general registry error has occurred. No additional information is available.
Error Code 553:
Unable to read registry. Please ensure that the remote registry service is running. Scan not performed.
Check to see that the Remote Registry service is enabled on the machine being scanned.
Error Code 621:
OS of target is an unsupported version of Windows

The specified machine may be a non-Microsoft platform running SMB services or otherwise emulating a Microsoft product. Review the document: Scanning a Machine Using Protect Fails with Error 621: OS of Target Is an Unsupported Version of Windows

Error Code 622:
Machine OS is not Recognized. Please run with tracing on and send to technical support. Scan not performed.
Unable to determine the operating system of the specified machine. This may occur when scanning beta or unreleased versions of Microsoft operating systems.
Error Code 623:
Machine Service pack is not Recognized. Please run with tracing on and send to technical support. Scan not performed.
Unable to determine the Service Pack of the specified machine. This may occur when scanning beta or unreleased versions of Microsoft Service Packs.
Error Code 701:
File http://download.microsoft.com/download/ ... secure.cab was NOT downloaded.

The signed, compressed CAB file containing the security patch information could not be obtained from the specified location. This may occur if the scanning machine is not connected to a network, or is otherwise unable to access the specified file or location. If the CAB file is not obtained, an attempt is made to access the uncompressed XML file via https.

Error Code 702:
File https://www.microsoft.com/technet/secur ... secure.xml was NOT downloaded. Attempting to find local copy of mssecure.cab.

The uncompressed XML file containing the security patch information could not be obtained from the specified location via https. This may occur if the scanning machine is not connected to a network, or is otherwise unable to access the specified file or location. If the XML file is not obtained from the network, an attempt is made to locate an existing version of this file on the local machine.

Error Code 799:
Itanium class servers are not supported by Protect.

Error Code 800:

Unable to retrieve OS info for image

SysPrep: Enter System Out-of-Box Experience (OOBE) with Generalize checked.  Generalize is not a supported switch and will cause scan failures to offline VM and Templates.
Error Code 802:
Could not read boot.ini file in harddrive at '%s'

Unable to read the image's boot.ini file after successfully mounting the hard disk (non-Vista systems).
See: Scan Error 802: "Unable to open Virtual Disk"  When Attempting To Scan Hosted Virtual Machines

Error Code 803:
Could not find windows install directory in boot.ini file in harddrive at '%s'
The virtual image hard drive was successfully mounted and the boot.ini file was read but the scan engine was unable to locate the %systemroot% folder at the specified location (non-Vista systems).
Error Code 804:
Could not find system32 directory for virtual system at '%s'
The virtual image hard drive was successfully mounted and the boot.ini file was read but the scan engine was unable to locate the %systemroot%\system32 folder at the specified location (non-Vista systems).
Error Code 805:
Timeout when mounting hard drive at '%s' to drive '%c'
An attempt to mount the virtual image was not successful. The mounting process timed out after 60 seconds. Try scanning this image individually to see if the mount succeeds.
Error Code 806:
Error mounting hard drive at '%s' to drive '%c'
An attempt to mount the virtual image was not successful. This can happen if the image being mounted is encrypted, is on a compressed drive, is a template or a linked clone, or any of the vmdk files are read-only. If this is a VMware Workstation or VMware Server image, this error occurs if the image is currently powered on or suspended. Please see the following document Error Code 806 – Unable to Mount Volume
Error Code 807:
Error mounting hard drive at '%s' to drive '%c' with exit code %d
An attempt to mount the virtual image was not successful. The mounting process returned an unknown error code. Contact support for assistance.
Error Code 808:
Could not get return code from mounting tool when mounting hard drive at '%s' to drive '%c' due to %s

The virtual image mounting process completed but the mount process was unable to determine if the mounting was successful.

See: Error 808: No Disks Specified To Mount Troubleshooting

Error Code 809:
Unknown virtual image type '%s' extracted from '%s'.
The scan engine was unable to determine the virtual image type. This may occur if scanning a currently unsupported virtual image platform.
Error Code 810:
Could not find system32 directory for virtual image: '%s'
The virtual image hard drive was successfully mounted but the scan engine was unable to locate the image's %systemroot%\system32 folder.
Error Code 811:
Could not get information about drive mounted at '%s' for system:'%s'
The scan engine was unable to determine the systemroot drive letter for the mounted image.
Error Code 812:
Could not open mounted registry key 'HKLM\\Software\\MountedDevices' for system: '%s'
The virtual image hard drive and registry was successfully mounted but the scan engine was unable to read the mounted registry.
Error Code 813:
Could not enumerate the values under the key HKLM\\Software\\MountedDevices for system: '%s'
The virtual image hard drive and registry was successfully mounted but the scan engine was unable to enumerate values from the mounted registry.
Error Code 814:
No path to vmware-mount.exe provided!
The scan engine was unable to locate the VMware mounting tool. Please make sure that the VMware Virtual Disk Development Kit has been properly installed.
Error Code 815:
Could not find mounting tool at '%s'
The scan engine was unable to locate the VMware mounting tool. Please make sure that the VMware Virtual Disk Development Kit has been properly installed.
Error Code 816:
Could not read system file at '%s'
The vmx configuration file does not exist for the specified VMware Workstation or VMware Server image.
Error Code 817:
Error parsing system file at '%s'
The scan engine was unable to read the vmx file for the specified VMware Workstation or VMware Server image. Check the vmx file and ensure that it can be read in a text viewer.
Error Code 818:
'%s'. Unable to mount the virtual image. The virtual image is currently powered on.
The scan engine was unable to mount the virtual image because the virtual image was powered on. The scan engine is only capable of scanning images that are offline (powered off).
Error Code 819:
'%s'. Unknown PowerStatus '%d'
The scan engine was unable to determine the current state of the image (powered on, suspended, powered off).
Error Code 820:
%s'. Scanning suspended or paused images is not currently supported.
The scan engine was unable to mount the virtual image because the virtual image was suspended (paused). The scan engine is only capable of scanning images that are offline (powered off).
Error Code 821:
Could not open Objects key in BCD for image at '%s'

The scan engine was unable to access the boot configuration data (BCD) for this image. This error message could indicate that there is a problem with the specified image. Try powering on this image to ensure that it is still valid. This error message applies to Vista images only.

Error Code 822:
Could not enumerate keys in 'BCD\\Objects' for image at '%s'

The scan engine was unable to enumerate information from the boot configuration data (BCD) for this image. This error message could indicate that there is a problem with the specified image. Try powering on this image to ensure that it is still valid. This error message applies to Vista images only.

Error Code 823:
Could find default boot section in the BCD for image at '%s'
The scan engine was unable to enumerate boot information from the boot configuration data (BCD) for this image. This error message applies to Vista images only.
Error Code 824:
Could not open key at 'BCD\\Objects\\%s\\Elements\\22000002' for image at '%s'
The scan engine was unable to open the boot information data from the boot configuration data (BCD) for this image. This error message applies to Vista images only.
Error Code 825:
Could find the Windows root in default boot section of the BCD for image at '%s'
The scan engine was unable to locate the value which stores the location of the windows directory in the boot configuration data (BCD) for this image. This error message applies to Vista images only.
Error Code 826:
Registry mount sentry is NULL!
The scan engine was unable to mount the virtual image's registry. The console may be running low on memory.
Error Code 827:
Hard-drive mount sentry list is NULL or empty!
The scan engine was unable to read the vmx file and/or this file had no hard drives configured for the image.
Error Code 828:
Could not mount registry for image '%s'. This could be caused by running a non supported configuration. Windows 2000 can't mount x64 registries.
The scan engine was unable to mount the registry for the virtual image. This may occur if using a Windows 2000 console and trying to mount x64 images (unsupported).
Error Code 829:

 

Error: 829 - Accessing disk ID
Error: 829 - Accessing disk ID, Code:16054 – Invalid connection

This error can occur for a number of different reasons. It occurs prior to mounting the image, so it is not related to the mount itself (unlike the errors above).

 

General errors:

 

VIX_E_FAIL = 1,
VIX_E_OUT_OF_MEMORY = 2,
VIX_E_INVALID_ARG = 3,
VIX_E_FILE_NOT_FOUND = 4,
VIX_E_OBJECT_IS_BUSY = 5,
VIX_E_NOT_SUPPORTED = 6,
VIX_E_FILE_ERROR = 7,
VIX_E_DISK_FULL = 8,
VIX_E_INCORRECT_FILE_TYPE = 9,
VIX_E_CANCELLED = 10,
VIX_E_FILE_READ_ONLY = 11,
VIX_E_FILE_ALREADY_EXISTS = 12,
VIX_E_FILE_ACCESS_ERROR = 13,
VIX_E_REQUIRES_LARGE_FILES = 14,
VIX_E_FILE_ALREADY_LOCKED = 15,
VIX_E_NOT_SUPPORTED_ON_REMOTE_OBJECT = 20,
VIX_E_FILE_TOO_BIG = 21,
VIX_E_FILE_NAME_INVALID

Error Code 1001:
IPv6 addresses are not supported.
IPv6 addresses are currently not supported. Ensure that IPv4 is enabled.

Error Code 1300:

Not all privileges or groups referenced are assigned to the caller

This is a generic error indicating that the account you provided does not have all of the privileges that may be required to perform an action. See the following document for more information:

Patch Scanning Error 1300 - Not All Privileges Or Groups Referenced Are Assigned To The Caller

 

 

Affected Products

 

Patch for Windows 9.3+

Troubleshooting slow patch scans in Ivanti Patch for Windows


Purpose

 

This document provides information to troubleshoot slow patch scans when using Ivanti Patch for Windows.

 

Symptoms

 

Agentless patch scans in Patch for Windows typically do not take a lot of time to complete. Patch scans that take longer than 5-10 minutes to complete may adversely impact the patch process. Such slow patch scans will typically point to environmental causes.
This article only applies to step number four of the scanning process (Scan for patches). If you have trouble with other steps during the scan process it will most likely be due to a different issue. For instance, if the scan never completes this likely is caused by a different issue, and this article would not apply.

 

Causes

 

There can be a number of causes of slow patch scans. The first thing you should look into is if there have been any recent changes - either to the console system or the network you are on.

 

Some of the most common causes of slow scans addressed in this article are:

  • Insufficient system resources (RAM, CPU, etc.)
  • Antivirus scanning, particularly products that perform on-access scans.
  • Network/Latency issues (poor latency, scanning over WAN, etc.)
  • Database issues - (lack of database maintenance, insufficient SQL server system resources, etc.)

 

Resolution

 

The "console system" refers to the system where you are running Ivanti Patch for Windows or Shavlik Protect.

1. Ensure that you are on the latest version/build of Patch for Windows.

Whenever we have a new version released there is a possibility that there may be bug fixes or product improvements which could help resolve your issue.

You can verify the latest version and download it from the following link:  Patch for Windows download page

 

2. Make sure that your console system has enough resources to run your scans.

If you are scanning a high number of machines you may need to increase the CPU and/or memory available to the console system. Our hardware system requirements for processor and memory are as follows:

 

Processor/CPU:

  • Minimum: 2 processor cores 2 GHz or faster
  • Recommended: 4 processor cores 2 GHz or faster (for 250 - 1000 seat license)
  • High performance: 8 processor cores 2 GHz or faster (for 1000+ seat license)

Memory/RAM:

  • Minimum: 2 GB of RAM (not recommended)
  • Recommended: 4+ GB of RAM (for 250 - 1000 seat license)
  • High performance: 8+ GB of RAM (for 1000+ seat license)

 

For more information, see System Requirements

 

3. Antivirus or real-time threat protection software may be scanning our patch scan results as they are being sent back to the Patch for Windows console server.

 

Antivirus software, in particular products that perform on-access scanning, may slow down the patch scan process. Most often we see these programs slow the process as the results are sent to the console's arrivals folder to be imported to the database.

 

Solution:

  • Test disabling your antivirus/threat protection software to see if scans run faster while it's disabled.
  • Create an exception in your Antivirus/threat protection for the following folder on the console machine:
C:\ProgramData\LANDesk\Shavlik Protect\Console\Arrivals


4. There may be network/configuration issues.

 

The most common issue is that high latency will cause scanning of remote systems to take a long time to complete. Things to check:

 

Check the latency.

On your console system, ping a target system. To do so, click Start > Run, type CMD and hit Enter, then enter the following command: ping [target machine name or IP address], e.g. ping machine01 or ping 10.1.10.5.


The higher the latency (the value next to time=), the longer you can expect the scan to take for Protect. High latency impacts scans due to the fact that our scan engine uses a separate connection for each check that is performed during the Dynamic Product Detection process.

 

Is the scan taking place over a LAN connection or WAN connection?

Most often WAN connections will have much higher latency. As such, longer patch scans can be expected over WAN.

 

Workarounds available for latency/network issues:

  • If you have many machines in other areas that the console system would be scanning over a WAN connection it may be best to install a second Protect console on a system that is local to those systems. You can then scan those systems over a LAN connection rather than over a high latency WAN connection to avoid these problems.
  • You can install a Patch for Windows agent on systems to avoid slow scanning issues caused by network problems. The agent will run the scan locally on the client system so it avoids all network traffic while scanning.
  • There is an option to change the number of simultaneous machines scanned during the scan process. To make this change you will need to create a custom patch scan template in Patch for Windows. On the 'General' tab under the template you can decrease the number of machines the scan will simultaneously run on. Dragging the bar to a lower number may help improve scan speeds. You will need to use your custom patch scan template to run a scan for this to take effect.
  • It's possible it may help you to perform network monitoring during the scan. This would require a 3rd party network monitoring tool which we do not support.

 

5. Possible Database Issues

 

You will need SQL Server Management Studio to perform some of these checks. If you are using SQL Express you will most likely need to download the free Management Studio Express from Microsoft's download site. See the links below:
For SQL 2005 Express: http://www.microsoft.com/downloads/details.aspx?FamilyID=c243a5ae-4bd1-4e3d-94b8-5a0f62bf7796&displaylang=en

For SQL 2008 Express: http://www.microsoft.com/downloads/details.aspx?FamilyID=08e52ac2-1d62-45f6-9a4a-4b76a8564a2b&displaylang=en

For SQL 2008R2 Express: http://www.microsoft.com/download/en/details.aspx?id=22985

For SQL 2012 Express (Choose the management studio after clicking download): http://www.microsoft.com/en-us/download/details.aspx?id=29062

For more recent versions, click on your desired version here: SQL Server Management Studio Changelog/Downloads

 

  • Open Management Studio and connect to your SQL server. Expand 'Databases', and locate your 'Protect' or 'Shavlikscans' database. Right click on the database, and then go to Properties > General tab. Check the Size of your database. If your database is over 4GB in size, it's possible that you may need to perform database cleanup.
  • If you are using SQL Express there is a database size limitation built into SQL. Full versions of SQL are only limited by the space allocated by the DBA or the space on the hard disk. The size limitations for currently supported versions of SQL Express are as follows:
    • SQL Express 2005: 4GB size limit per database
    • SQL Express 2008: 4GB size limit per database
    • SQL Express 2008R2 and later: 10GB size limit per database
  • Perform database maintenance. You can now easily do this from within the Patch for Windows console under Tools > Options > Database Maintenance. If you are having slow scans take place it may help to delete as many old results as possible as well as perform the option to 'Rebuild Indexes'.
  • After this it may help to close Patch for Windows, go into SQL Management Studio, and perform the following steps: Right click on the Protect database and go to Properties > Options. Set the Recovery model to "Simple". Hit Ok. Then right click on the Protect database again and go to Tasks > Shrink > Database. This will help shrink the size of the database and the log file.

 

Whether the SQL server being used is remote or local can make a large impact as well. If the database is hosted on a remote server you may need to check into your network connection between the console system and the SQL server. If there is any latency or any network issues it could cause your scans to run slow.

 

6. Virtual Machine resource contention:


If the console is running on a virtual machine, make sure that the resources the VM is trying to use are actually available. Other VMs running at the same time may be using all of the host server's resources.

 

Affected Products

 

Patch for Windows 9.3+


Patch scan results fail to import in Patch for Windows


Symptoms

 

  • Scan results fail to import.
  • The operations monitor stops at step '5. Wait for results'.
  • You see the error "warning: scan still running - incomplete results"
  • Logs from C:\ProgramData\LANDESK\Shavlik Protect\Logs contain an error such as:
DB connection issue error " E APAlertEventProducer.Create|Unable to connect to SQL Server 'xxx'. SqlError message: 'Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Resolution

 

Here are some things to check and/or try for this issue:

 

1) Check for previously imported results that are stuck in the arrivals directory. These temporary files can be deleted. They can be found here:

 

-On Vista/2008/7: C:\ProgramData\LANDesk\Shavlik Protect\Console\Arrivals

-On XP/2003: C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Console\Arrivals

 

2) If you're using an Express version of SQL, make sure that the database isn't full - 10GB is the limit for SQL Express 2008R2 & newer. 4GB is the limit for older versions of SQL Express. You can use the database maintenance function in Protect to help clear up space - it can be found under Tools > Options > Database Maintenance within Patch for Windows.

 

3) In Patch for Windows go to Help > View Help and look up the “SQL Server Post Installation Notes” and follow the directions within.

 

If you still have an issue, please go through the following steps to obtain trace logs and send them to support:

 

How To: Gather console, patch deployment and agent logs for Ivanti Patch for Windows

 

Affected Products

 

Patch for Windows 9.3+

Explanation of how patch scan detection works in Patch for Windows


Purpose

 

The purpose of this article is to explain how patch scanning detection works in Patch for Windows.

 

Overview

 

To understand the basics of how the scan engine works, please see the following information from the Patch for Windows Help file "Scanning Engine Overview":

 

The Patch for Windows scan engine performs security patch assessment against a variety of Windows-based operating systems and products from Microsoft and other product vendors.

 

The Patch for Windows engine uses an Extensible Markup Language (XML) file that contains information about which security hotfixes are available for each product. The XML file contains security bulletin name and title, and detailed data about product-specific security hotfixes, including:

 

  • Files in each hotfix package and their file versions
  • Registry changes that were applied by the hotfix installation package
  • Information about patch supersedence
  • Related Microsoft Knowledge Base article numbers
  • Links to additional information from Bugtraq (BugtraqID) and cross references to the Common Vulnerabilities and Exposures (CVE) database hosted by Mitre.org (CVEID)

 

The content data file, called WindowsPatchData.zip, is created and hosted by Ivanti.

 

When you run Patch for Windows (without specifying advanced file input options), the program must download a copy of this XML file so that it can identify the hotfixes that are available for each product. The XML file is a digitally signed CAB file and is available on the Shavlik website. Patch for Windows downloads the CAB file, verifies its digital signature, and then extracts the XML file to your local computer. Note that a CAB file is a compressed archive that is similar to a ZIP file.

 

After the XML file is extracted, Patch for Windows scans your machine (or the selected machines) to determine the operating system, service packs, and programs that you are running. Patch for Windows then identifies security patches that are available for your combination of installed software. Patches that are applicable to your machine but are not currently installed are displayed as "Missing Patch" in the resulting output. In the default configuration, Patch for Windows output displays only those patches that are necessary to bring your machine up-to-date. Patch for Windows recognizes roll-up packages and does not display those patches that are replaced by later patches.

 

Read more about supersedence detection (replacement patches) here: Determining Patch Replacements

 

During the scanning process the detection goes through a few main steps, simplified in order here:

 

1. DPD (Dynamic Product Detection) - The scan engine will first use DPD to identify the:

    A. Operating System

    B. Any products installed on the target system

    C. The service pack level of any installed products (if applicable).

 

2. Patch detection - Once the DPD determines all applicable products on the target system the scan then goes into individual patch detection for all patches that apply to the OS or products on the target system. For each individual patch the scan goes through registry and/or file checks for any registry keys or files that are affected by the patch. This is also where any filtering comes into play. (i.e. product, patch type, criticality, or any other patch filter settings)

 

Additional Information

 

Additional information about the Patch for Windows scan process can be found in the Patch Scanning Overview

 

Affected Products

 

Patch for Windows 9.3+

Troubleshooting why patch scans do not detect Java updates as missing or installed


Symptoms

 

You are able to manually verify a Java installation exists on a target (client) system, but a patch scan with Patch for Windows does not list a Java patch as missing or installed.

 

Cause

 

There are three likely causes for this issue that should be evaluated first:

  1. Verify the patch definitions for Patch for Windows are up to date by running Help > Refresh Files. You can verify the version of the patch definitions by going to Help > About > Version Info. Look for Patch Assessment under the Definition area and then cross-reference the version with this website: Ivanti Patch for Windows content feed
  2. Use a built-in patch scanning template (Security Patch Scan or WUScan template) when troubleshooting scan related issues. If not using the Security Patch Scan or WUScan template, verify the custom scan template does not include filtering that would limit which patches and products are scanned.
  3. If you believe the Java patch is installed, manually verify the Java patch is listed as installed in Add/Remove Programs (Programs & Features).

 

Resolution

 

Is Java Development Kit installed on the target (client) system? If Java Development Kit (JDK) is installed on the target system, you cannot patch Java (the Java Runtime Environment - JRE) separately. JDK contains its own version of JRE, and applying a separate JRE update will break the JDK on the system, so if the JDK is detected you will not be offered any JRE updates. Another possible cause of the issue is a corrupt install of JRE on the target (client) system.

 

The Patch for Windows scan engine's detection logic verifies the version of the jvm.dll and java.exe files on the target machine. The scan engine determines the location of these files based on information stored in the registry on the client system. A scan issue occurs if the file location listed in the registry key does not match where the files are located on the system. You can manually verify this by navigating to one of the following registry locations using regedit:

 

  • 32 bit: HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment
  • 64 bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment

 

Navigate to one of the versions of Java listed under this key, then for each version there will be a "RuntimeLib" key. The value of the RuntimeLib key contains the location that we check during our patch scan process.

 

You can also perform a search for jvm.dll and/or java.exe on your system. If the files are not located in the directory specified in the value of the RuntimeLib registry key then you may have a bad install of Java. The best way to correct this is to manually apply the next Java patch or reinstall Java on the system.
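The manual regedit check described above can be scripted on the target system. The following PowerShell sketch is an added example, not Ivanti code. The function name is illustrative, and the java.exe location is derived on the assumption that it sits in the JRE's bin directory, two levels above jvm.dll.

```powershell
# Added example: compare the RuntimeLib registry value with the files on disk.
# Function name is illustrative; it is not part of Patch for Windows.
# Run from a 64-bit PowerShell session so both registry paths are visible as written.

function Get-JavaRuntimeLibStatus {
    $roots = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Each subkey is one registered Java version.
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $runtimeLib = (Get-ItemProperty -LiteralPath $key.PSPath).RuntimeLib

            # Does the file named in RuntimeLib actually exist?
            $jvmExists = [bool]$runtimeLib -and (Test-Path -LiteralPath $runtimeLib -PathType Leaf)
            $jvmVersion = if ($jvmExists) {
                (Get-Item -LiteralPath $runtimeLib).VersionInfo.FileVersion
            } else { $null }

            # Assumption: java.exe is in <JRE>\bin, two levels above <JRE>\bin\<vm>\jvm.dll.
            $javaExe = $null
            $javaExeExists = $false
            if ($runtimeLib) {
                $binDir = Split-Path -Parent (Split-Path -Parent $runtimeLib)
                if ($binDir) {
                    $javaExe = Join-Path $binDir 'java.exe'
                    $javaExeExists = Test-Path -LiteralPath $javaExe -PathType Leaf
                }
            }

            [pscustomobject]@{
                RegistryRoot  = $root
                Version       = $key.PSChildName
                RuntimeLib    = $runtimeLib
                JvmDllExists  = $jvmExists
                JvmDllVersion = $jvmVersion
                JavaExe       = $javaExe
                JavaExeExists = $javaExeExists
            }
        }
    }
}

Get-JavaRuntimeLibStatus | Format-List
```

Any entry with JvmDllExists set to False is a version whose registry data no longer matches the files on disk, which is the mismatch this article describes.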

 

If the instructions in this article do not help identify the root cause of this issue, contact the Shavlik support team and please provide the following information:

 

 

Affected Products

 

Patch for Windows 9.3+

Missing patches that always show missing in results - Security Tools


Symptoms

 

  • Detected patch continues to show as missing after successfully deploying.
  • Patch that shows missing ends with 'U' every other deployment.

 

Cause

 

Some patch types exist as both an installer and an uninstaller; these patches can cause a loop when scanning and deploying. When the installation patch is deployed, the uninstall patch is then considered to be missing. These patches are designed by their vendor in this manner to facilitate adding or removing the patch according to environmental needs. When scanning and deploying these types of patches, it may appear that the patch is continually missing, because each deployment alternately adds and removes it. The uninstall patch will end with 'U'. These patches tend to belong to the 'Security Tools' patch type.

 

Example: Missing the Installation Patch

[Image: Missing Install Patch.png]

 

Example: After Installed, Now Missing Uninstall Patch

[Image: missing uninstaller.png]

 

Resolution

 

Exclude the specific patch using a patch group, or choose not to deploy the patch's installer/uninstaller after scanning.

 

Refer to the following document:

 

How To: Include or Exclude Specific Patches in Scan Results in Ivanti Patch for Windows Servers

 

These are known patches that offer an uninstaller.

 

  • Q2719662(U) - MS12-A06
  • Q2794220(U) - MS12-A10
  • Q2847140(U) - MS13-A02
  • Q2887505(U) - MS13-A08
  • Q2896666(U) - MS13-A09
  • Q4072698(U) - IVA18-001
  • Q4072699(U) - IVA18-002

 

Affected Products

 

Patch for Windows 9.3+

Deployed patches detected missing after subsequent scans


Purpose

 

This document will help you determine why previously deployed patches are detected missing after subsequent scans.

 

Cause

 

It is possible that the patch was delivered to the remote system but was never executed, or that the installation was attempted but failed. This may happen if the scheduler does not start the deployment. This can also happen if the patch requires a reboot to fully install, and a reboot has not been performed before running another scan.

 

Resolution

 

Before you begin, ensure your system is rebooted after the patch is installed. Patches that require a reboot after an installation are not fully installed until a reboot takes place, and they will appear as missing. Do not rescan before deployment is complete, or patches may show as missing. Perform another scan after the system has been rebooted.

 

To determine whether or not the deployment actually started, go to C:\Windows\ProPatches and look in the Staged folder. If there is nothing in the Staged folder, the deployment has started; if there are directories in the Staged folder, one or more deployments have not started. You can also determine whether or not patches recently ran by opening C:\Windows\ProPatches\Logs\STDeployercore.log and looking for recent entries and return codes. Keep in mind that the times will be in GMT.
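
The checks above can be collected in one pass on the target machine. The following PowerShell is an added example, not part of the original article or of Ivanti's tooling: the function name `Get-PatchDeployTriage` is hypothetical, the two registry keys are standard Windows pending-reboot markers that the article does not name, and no log line format is assumed (the log tail is returned as raw text).

```powershell
# Added example: triage a target that keeps reporting a deployed patch as missing.
# Folder and log paths come from the article; the function name is hypothetical.
function Get-PatchDeployTriage {
    param(
        [string]$ProPatches = 'C:\Windows\ProPatches',
        [int]$TailLines = 40
    )

    # 1. Directories left under Staged mean one or more deployments never started.
    $stagedPath  = Join-Path $ProPatches 'Staged'
    $stagedFound = Test-Path -LiteralPath $stagedPath
    $staged = @()
    if ($stagedFound) {
        $staged = @(Get-ChildItem -LiteralPath $stagedPath -Directory -ErrorAction SilentlyContinue)
    }

    # 2. Tail of the deployer log, returned raw so return codes can be read by eye.
    $logPath = Join-Path $ProPatches 'Logs\STDeployercore.log'
    $logTail = @()
    $logWrittenUtc = $null
    if (Test-Path -LiteralPath $logPath) {
        $logTail = @(Get-Content -LiteralPath $logPath -Tail $TailLines)
        $logWrittenUtc = (Get-Item -LiteralPath $logPath).LastWriteTimeUtc
    }

    # 3. Pending reboot: standard Windows servicing markers (assumption, not from the article).
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $pendingReboot = @($rebootKeys | Where-Object { Test-Path -LiteralPath $_ }).Count -gt 0

    [pscustomobject]@{
        StagedFolderFound = $stagedFound
        StagedDirectories = $staged.Name
        # Empty Staged folder = deployment started; $null if the folder is absent.
        DeploymentStarted = if ($stagedFound) { $staged.Count -eq 0 } else { $null }
        LogLastWriteUtc   = $logWrittenUtc
        NowUtc            = (Get-Date).ToUniversalTime()   # log times are GMT
        PendingReboot     = $pendingReboot
        LogTail           = $logTail
    }
}

$r = Get-PatchDeployTriage
$r | Select-Object StagedFolderFound, DeploymentStarted, StagedDirectories,
                   PendingReboot, LogLastWriteUtc, NowUtc | Format-List
$r.LogTail
```

Compare `NowUtc` with the timestamps in the log tail rather than with local time, and rescan only when `DeploymentStarted` is true and `PendingReboot` is false.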

 

To manually test this on the target machine, manually install the patch. Note errors that are displayed during the installation process and inform Technical Support accordingly - screenshots may be useful.

 

If the rescan does not show the patch as installed, it is possible you are experiencing a different issue. To further examine your case, contact support (http://www.shavlik.com/support/contact/). You should have the following information ready before contacting Ivanti Technical Support:

 

  • What is the product name and version build number you are experiencing issues with?
  • The Operating System of the console machine.
  • The Operating System of the target machine.
  • The number of the patch that continues to show as missing.
  • Are you using a custom Patch Scan Template?
  • Are you using a custom Deployment Template?
  • Did you allow a reboot before scanning the machine again?
  • What are the exact steps required to reproduce this issue?

 

Reproduce the issue and generate logs based on the steps in this document: How To: Gather console, patch deployment and agent logs for Ivanti Patch for Windows

 

Include the exact steps required to reproduce this issue. Include applicable screenshots. Zip up all of the images and logs from the specified folders.

Affected Products

 

Patch for Windows 9.3+
