When setting up agent policies we only have the option to use vendor over internet or a distribution server as a source for the patches.  Is there any way to use the Shavlik console as the source as we are currently maintaining a distribution server share just for the agent based clients.

I have a machine that was deployed 60 patches yesterday around 4pm.  18 hours later it is still patching at 52/60.  We have several servers that exhibit this behavior with Shavlik and I'm trying to figure out why. These are agentless, console-push deployments.  90% of servers work great.

The dplyevts log shows:

2015-11-12T15:30:08.0595602Z 0730 I PingBack.cpp:53 Sending data to 'https://LHI-SECPRD03:3121/ST/Console/Deployment/Tracker/V92'.

2015-11-12T15:30:08.0595602Z 0730 E HttpDownload.cpp:1249 WinHttpOpen failed: 87.

2015-11-12T15:30:08.0595602Z 0730 E HttpDownload.cpp:491 AttemptIEProxySession failed.

Other logs in the folder do not have any errors, warnings, or failures I can see.  Logs in the ProPatches (cl5, etc) folder are not updating, maybe not used with 9.2?''

Processes Trusted Installer is at 25% with 1.8 GB of memory committed and churning.  Svchost has almost a GB.  Memory usage only 60% total on the machine.

I have an SRV 2017 event in the System log:  System unable to allocate nonpaged pool - at configured limit.  4 events total since patching started.  Never seen before today.

TONS of MsiInstaller events in the Application log, but just a few yellows.

We've had issues in the past with certs/keys for the scheduler, but I am not seeing that.  I will scrub every last vestige of Shavlik from the machine and rescan - that usually sorts things out, but I am at a loss currently as to what is causing the slowness here and where to look next for a clue.

On Win7 Enterprise SP1 x64 with Office 2013

I go through the 3 scans/deployments to install MS15-122, MS15-121, and MS15-115, then the next scan shows that the system needs 9 more:

MS14-068

MS14-074

MS15-055

MS15-085

MS15-090

MS15-122 (again?)

MSWU-1329

MSWU-1485

MSWU-1526

I deployed all 9, after restart scan shows all 9 still missing.  Some are IAVAs past due.  I'm not concerned about the non-security patches, but the reappearance of MS15-122 and the other security patches is of concern.

Thanks,

Diane

I'm trying to figure out how I can or if it's even possible to create a scan package to deploy to a dev environment and deploy to prod env a week after testing of the dev env.

For example, I scan our dev environment on the following Monday of Microsoft Patch Tuesday. So, I scan Dev env. with our scan template and deploy it to group_dev1 on Monday and on Wednesday group_dev2. What I'd like to do is use the same missing patches it found on group_dev1 to deploy on group_dev1. And, eventually use the same original scan from group_dev1 to group_prod1 and on group_prod2. Is this prossible?

From my understanding of Shavlik scan, the scan goes to fetch XML and determines what it needs to patch the server. How do I make sure that the same patches goes on the dev and prod environment? I noticed that sometimes the patches are not the same and sometimes causes an issue with trying to keep the dev similar to prod. I understand that dev and prod will sometime differ but I'd like to know if this is possible or not.

The Scheduled Tasks Manager contains a list of machines that have been discovered in Protect.  This document outlines how to remove machines from that list to cut down on the overhead cost of Scheduled Tasks Manager trying to resolve machines that no longer exist and to make finding actively managed machines a little easier.

You can access the Scheduled Tasks Manager the following ways:

• Select Manage > Scheduled Tasks
• Select Start > All Programs > Shavlik Protect > Scheduled Tasks Manager

1. Open Protect and navigate to View > Machines.
2. Locate the machine(s) you wish to remove from the Scheduled Task Manager manually or by using the search field.
3. Right-click on the machine and choose Delete. (you can higlight more than one machine)
4. A popup box will appear where you can choose your next action.
5. Choose Delete Machine(s) to remove the machine from the list.

     5. Verify the machine has been removed from the Scheduled Tasks Manager.

  The machine will populate the View > Machine any time you scan it, install an agent or install the Shavlik scheduler.  You should remove the from any Machine Groups to ensure it is not scanned and do not install an agent on it if you do not wish to manage it anymore.

This will have no effect on your deployment seat count.

Shavlik Protect 9.x
vCenter Prtoect 8.x

Hi Guys

I have a scheduled group of 60 servers to be scanned and then reboot at a latter time.

But I need to delete / cancel this schedule.

I did find the articles below but this is for one server at a time and this would take for ever, there must be a better way.

If I simply right hand mouse and select delete nothing happens.

How To Cancel / Delete Scheduled Tasks

How to remove machines from Scheduled Tasks Manager machine list

Thanks

Steve

My Windows Update services was advertising the following patches.

Windows Malicious Software Removal Tool x64 - October 2015 (KB890830)

Security Update for Windows Server 2008 R2 x64 Edition (KB3042058)

Security Update for Windows Server 2008 R2 x64 Edition (KB3097966)

I let Shavlik Protect scan and deploy updates for a few weeks... assuming these patches would be deployed, and would vanish from my Windows Update information pop up.

However, this did not occur.

I then scanned a specific server, which required these three updates, using the WUScan in Shavlik Protect, and it came back and said that there were no patches available.  It also said there were 197 patches Installed in the Installed Patch Count.  I then ran Windows Update, installed the three patches above, and rebooted the server.

I re-ran the WUScan patch scan, and it now said there were 196 patches installed.  That's weird but not the main concern.

I just wanted to know why those patches are not detected, that are available via Windows Update.  They have been available for some time.

Has something changed today with the signing of the instllation files pushed from Ivanti Patch server?

When deploying from 2 different patch server the status of deployment stays at scheduled and we are seeing the following errors in STDeploy.log

2017-07-03T13:45:58.3722064Z 061c E STPackageDeployer.cpp:252 Required deployment support file content in 'CL5.exe'not signed by ST.

2017-07-03T13:45:58.3802064Z 061c I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\DplyEvts.dll'. Performing authenticode check on the existing sandbox version.

2017-07-03T13:45:58.3802064Z 061c I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\DplyEvts.dll with CWinTrustVerifier

2017-07-03T13:45:58.3962064Z 061c E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

2017-07-03T13:45:58.3962064Z 061c E STPackageDeployer.cpp:252 Required deployment support file content in 'DplyEvts.dll'not signed by ST.

2017-07-03T13:45:58.4062064Z 061c I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\SafeReboot.exe'. Performing authenticode check on the existing sandbox version.

2017-07-03T13:45:58.4062064Z 061c I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\SafeReboot.exe with CWinTrustVerifier

2017-07-03T13:45:58.4242064Z 061c E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

2017-07-03T13:45:58.4242064Z 061c E STPackageDeployer.cpp:252 Required deployment support file content in 'SafeReboot.exe'not signed by ST.

2017-07-03T13:45:58.4362064Z 061c I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\SafeReboot64.exe'. Performing authenticode check on the existing sandbox version.

2017-07-03T13:45:58.4362064Z 061c I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\SafeReboot64.exe with CWinTrustVerifier

2017-07-03T13:45:58.4562064Z 061c E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

Adding additional certs to trusted certificates seems to have resolved the issue. Was this a planned change?

I've encounter issue while deploying patches.

In machine progress status is finished but in patch progress state some failed and some successfully installed.

When I tried installing patches manually on the target machine it’s already installed.

But in Shavlik Protect is still indicate Patch Missing. Do you have workaround on this?

I am unable to see see latest Vmware tools version 10.1.5 or above in the applications. Please suggest me on how to get vmtools 10.1.5 available in the list so I can select same and deploy across the servers through shavlik protect.

Purpose

This article explains how our detection the Delta or Cumulative version of the patch is offered.

Description

Our detection logic will verify the  'UBR' value from the registry to determine if the Delta or the Cumulative update will be offered.

HKLM" Key="SOFTWARE\Microsoft\Windows NT\CurrentVersion" Value="UBR" (Update Build Revision)

• The Delta is offered if build version equals N 1. (N= Latest Build. Current build being offered minus one version level)
• The full Cumulative update is offered if build version is N 2 or less.

You will only be offered one or the other and never both.

Related Documentation

Windows 10 release information

Affected Product(s)

Shavlik Protect 9.x

Ivanti Patch for Windows Server 9.x

Is there a way to retrieve Agent Patch Logs from the console? I have a handful of machines across multiple offices that are reporting missing patches and I need to know if there is an easier way of retrieving such information without having to manually investigate their machines.

If there isn't any official way, is it possible through the means of a script?

Hi everyone!

Is there a way to export a list of all the machines that exist in schedules, preferably with the schedule they are in? My end goal would be a csv file along the lines of:

SERVER01, FileServersGroup, Every Friday at 21.00

SERVER02, WebServersGroup, Every Wednesday at 20.00

...etc.

I guess that as the schedules are linked to the groups, it might not be possible to put those - but at the very least it would be good to enumerate the groups and machines.

The reason I want to do this is because I have a script to pull out all the virtual machines from vCentre - I want to use Powershell to compare the two lists and report any machines which aren't in the patch schedules. I also need to report on schedules for audit purposes.

Any ideas anyone?

Thanks!

Purpose

The purpose of this document is to outline the process for creating a custom patch, and to provide an example of how to create a custom patch using Shavlik Protect.

If you have any questions about whether a product or patch is supported in Ivanti Patch for Windows Servers, please contact support before creating a custom patch. A misconfigured custom patch could cause your console to work incorrectly so it is important that you follow these instructions precisely.

Description

- Open the custom patch editor. Tools > Custom patch editor

- Next, click on Create a new custom XML file.

*Notes:

• You can add a Custom Product if this patch relates to a specific product. Although this step is not necessary it will add detection for the product itself.  In this case it is not needed as the product is the operating system. Adding a custom product will allow you to target that application for the patch. If the product is not detected it will not look for the patch.

• I created an example product called X-Zip. You will need to provide a HKEY_LOCAL_MACHINE registry key path for the software as well as the corresponding information.

- Click insert, then Add Bulletin (or right click Custom Bulletins > Add New Bulletin).

- Give the bulletin a name. In this example I used HF01-001 because it is a hotfix.

- Give the bulletin a title, typically this will be a description. In the summary portion provide any important information.

*Note: The only required field is the bulletin name.

- Click on Insert and add a custom patch (or right click Custom Patches > Add New Patch).

- Give your patch a name. In this example I used the KB as the patch name.

- Select the bulletin you created in the above steps.

- Select the type of patch, and the severity.

- From here you will add the detection information in the Scan Information tab.

*Note: This step is very important as it will identify if the system needs this patch or not. If this is a MS patch, their KB on the patch will indicate what files or registry keys are used when detecting if the patch is needed. If this is not a MS patch and you are not sure how to detect it, it is recommended to install the patch on at least one machine to verify what files and/or registry keys are involved. In the example below we are using a file to detect if the patch is missing.

- You can also target a particular application or operation system using the targeting tab. In this case, since this update is only applicable to Windows Server 2008 SP2 and Vista SP2 I selected all corresponding operating systems.

*Notes:

• Targeting is not required, however if not specified the update will be offered for all systems that meet the scanning requirements.

• If you added a custom product it will show under targeting available products. You will first need to save the XML and import the custom XML before your custom product will appear in the list.

- On the deployment tab browse to the location of the patch and select it. Protect will automatically fill in the file size. Select any install switches that are required or desired for the patch deployment. In this case since the file is a .msu we need the /quiet switch.

*Note: Click the link for more information on using .msu files: http://community.shavlik.com/docs/DOC-1902

- Next you will need to validate your XML. There will be more information in the issue column if the validation fails.

- Save your custom XML, and then click the X to close the dialog box. This will prompt for you to import the custom patch.

- Click import now.

- When the below dialog box pops up select your Custom XML file and click OK. It goes through a second validation.

- After validation the Import Patch Definitions process automatically updates the database with the latest definitions, including the newly created custom XML. If you created a custom product you should see it added as well.

- Once the definitions are updated proceed to scanning your machines.

*Notes:

• Be sure to copy the patch to the patch repository on the console so it is available for deployment. You can locate your patch repository by going to Tools > Operations, under Patch download directory.

• Make sure that the scan template you're using includes the patch filter type that applies to your custom patch when scanning (i.e. Security Patch, Non-Security, Security Tool, etc.)

• We recommend testing with one machine that needs the patch to verify everything is working properly.

- Deploy the patch and verify it installs properly.

*Note: You should now also be able to look up and view your custom patch using View > Patches in Protect.

Additional Information

Additional information about custom patch creation and use can be found in the Shavlik Help - Overview of the Custom Patch XML Process.

If the patch detects as missing correctly, but the .bat file never runs on the target system, see our knowledge base related to custom patch .bat file never completing:

Custom Patch Deployment .bat File Never Completes.

Affected Product(s)

Ivanti Patch for Windows Servers

Shavlik Protect 9.X

I have a concern regarding patching.

When I try to patch a server it was stuck in schedule status.

Please see image below for your reference.

I am trying to step up an patch Server in a network that doesnot have internet connection.   It is set up..but now I want to get patch from another server since I cannot download from the internet to this pc. 

I had taken the patch folder from other system and put on new system, however when I try to deploy patches it fails due to not validating certificates.

I am only concerned about getting the patches.. no need to get other information like machines, users etc..

What is the best way to do this.

Thanks

Is anyone else finding that Protect fails with Windows 10/Server 2016 because of remote registry not starting when configured with the default of Automatic (Trigger Start)?  If we start the service manually it works.

We are on build 9.3.0 4440.

I've downloaded the iso file via the media creation tool. I've named it correctly, Shavlik starts to copy the iso to the client and then executes it (The filesize of the iso on the client is correct), but then i get the error 9999

I've tried to install the update with the iso directly on another client and it worked. so the iso file should be ok.

cl5.log:

2017-10-26T18:39:34.8343942Z 1ef8 I CommandLine.cpp:548 CMD_TRACELOG: [ISO edition:  error: 9999]

2017-10-26T18:40:05.7210157Z 23a0 I cl5.cpp:31 'C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2017-10-26-T-17-59-19\cl5.exe' is starting, version: 9.3.2666.0.

2017-10-26T18:40:05.7210157Z 23a0 V CommandLine.cpp:165 DoAction 4 arguments: [C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2017-10-26-T-17-59-19\cl5.exe 2097212 0  ISO unmount error: 0]

2017-10-26T18:40:05.7210157Z 23a0 I CommandLine.cpp:548 CMD_TRACELOG: [ ISO unmount error: 0]

2017-10-26T18:40:05.8147758Z 2c30 I cl5.cpp:31 'C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2017-10-26-T-17-59-19\cl5.exe' is starting, version: 9.3.2666.0.

2017-10-26T18:40:05.8147758Z 2c30 V CommandLine.cpp:165 DoAction 4 arguments: [C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2017-10-26-T-17-59-19\cl5.exe 2097212 0 Windows10x64Professional1709_GER.iso returned 9999]

2017-10-26T18:40:05.8147758Z 2c30 I CommandLine.cpp:548 CMD_TRACELOG: [Windows10x64Professional1709_GER.iso returned 9999]

STDeploy.log:

2017-10-26T17:59:57.6859999Z 1cac S StatusClient.cpp:90 Entering STDeployment::CStatusClient::ReportPatchStatusOnline.

2017-10-26T17:59:57.7641592Z 1cac V SingleFileDownload.cpp:92 About to retrieve Windows10x64Professional1709_GER.iso

2017-10-26T17:59:57.7641592Z 1cac V SingleFileDownload.cpp:114 Delete succeeded. Starting extract/copy/download...

2017-10-26T17:59:57.7641592Z 1cac V SingleFileDownload.cpp:136 Performing download to 'C:\WINDOWS\ProPatches\Patches\Windows10x64Professional1709_GER.iso'.

2017-10-26T18:38:43.2197701Z 1cac V SingleFileDownload.cpp:209 Copied \\192.168.2.200\Shavlik\Windows10x64Professional1709_GER.iso to C:\WINDOWS\ProPatches\Patches\Windows10x64Professional1709_GER.iso

2017-10-26T18:38:43.2666882Z 1cac I DeploymentFileSetDownloader.cpp:109 File 'Windows10x64Professional1709_GER.iso' ('0' bytes): download completed successfully

2017-10-26T18:38:43.2666882Z 1cac V DeployStatusReporter.cpp:239 Queueing online patch progress msg. DeploymentId='4b6fad2b-5d31-44b3-886e-e6f8c8663f2b', statusId='145544', patchStatus='40', isFinal='false'

2017-10-26T18:38:43.2666882Z 1cac S StatusClient.cpp:90 Entering STDeployment::CStatusClient::ReportPatchStatusOnline.

2017-10-26T18:38:43.5399709Z 1cac I DeploymentFileSetDownloader.cpp:82 File set download complete, resultCode='0'

2017-10-26T18:38:43.5399709Z 1cac V DeployStatusReporter.cpp:128 Queueing online machine status msg. DeploymentId='4b6fad2b-5d31-44b3-886e-e6f8c8663f2b', machineId='51819', status='41', isFinal='false'

2017-10-26T18:38:43.5399709Z 1cac S StatusClient.cpp:109 Entering STDeployment::CStatusClient::ReportMachineStatusOnline.

2017-10-26T18:38:43.6180821Z 1cac V DeployStatusReporter.cpp:128 Queueing online machine status msg. DeploymentId='4b6fad2b-5d31-44b3-886e-e6f8c8663f2b', machineId='51819', status='43', isFinal='false'

2017-10-26T18:38:43.6180821Z 1cac S StatusClient.cpp:109 Entering STDeployment::CStatusClient::ReportMachineStatusOnline.

2017-10-26T18:38:43.6962325Z 1cac I STPackageDeployer.cpp:1932 Deploying patches...

2017-10-26T18:38:43.6962325Z 1cac V STPackageDeployer.cpp:1937 statusId='145544' <= StatusId from PatchDesc: patchId='00001c36-0001-0000-0000-000000000000', regionId='1031', instanceName=''

2017-10-26T18:38:43.6962325Z 1cac I STPackageDeployer.cpp:307 Deploy arguments: machineName 'NB-Schulung10', patchId '00001c36-0001-0000-0000-000000000000', isServicePack 'true', regionId '1031'

2017-10-26T18:38:43.6962325Z 1cac V DeployStatusReporter.cpp:239 Queueing online patch progress msg. DeploymentId='4b6fad2b-5d31-44b3-886e-e6f8c8663f2b', statusId='145544', patchStatus='4', isFinal='false'

2017-10-26T18:38:43.6962325Z 1cac S StatusClient.cpp:90 Entering STDeployment::CStatusClient::ReportPatchStatusOnline.

2017-10-26T18:40:05.8460310Z 1cac V DeployStatusReporter.cpp:257 Queueing online patch progress msg. DeploymentId='4b6fad2b-5d31-44b3-886e-e6f8c8663f2b', statusId='145544', cookedResult='1', isFinal='true'

2017-10-26T18:40:05.8460310Z 1cac S StatusClient.cpp:99 Entering STDeployment::CStatusClient::ReportPatchStatusOnline.

2017-10-26T18:40:05.9710234Z 1cac I STPackageDeployer.cpp:1236 Patch file 'C:\WINDOWS\ProPatches\Patches\Windows10x64Professional1709_GER.iso' install operation completed. Cooked result='1'. RebootRequired='false'

2017-10-26T18:40:05.9710234Z 1cac I STPackageDeployer.cpp:1964 Done deploying patches...

2017-10-26T18:40:05.9710234Z 1cac I STPackageDeployer.cpp:1966 Deploying product instances patches...

2017-10-26T18:40:05.9710234Z 1cac I STPackageDeployer.cpp:2006 Done deploying product instances patches...

2017-10-26T18:40:05.9710234Z 1cac W SingleInstanceLock.cpp:28 Waiting for another deployment to finish.

2017-10-26T18:40:05.9710234Z 1cac I SingleInstanceLock.cpp:36 Exclusively continuing deployment.

2017-10-26T18:40:05.9710234Z 1cac V STPackageDeployer.cpp:85 Initiating patch store servicing.

2017-10-26T18:40:05.9710234Z 1cac V STPackageDeployer.cpp:106 Patch store servicing complete.

2017-10-26T18:40:05.9710234Z 1cac I STPackageDeployer.cpp:1336 Postboot actions filename='PostBootTasks.xml' does not exist on the file system

2017-10-26T18:40:05.9710234Z 1cac I STPackageDeployer.cpp:1342 Remove temp files flag is set. Pingbacks pending='false'. Sandbox cleanup deferred if true.

STDeployerCore.log:

2017-10-26T17:59:57.0453582Z 1cac I DeployerImpl.cpp:63 STDeployerCore.dll version: 9.3.2644.0.

2017-10-26T17:59:57.2641167Z 1cac I DeploymentPackageReader.cpp:783 Deploy package 'C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2017-10-26-T-17-59-19\deployPackage-51819.zip' successfully opened unsigned for package IO

2017-10-26T18:38:43.7743698Z 1cac V BatchInstallation.cpp:290 Action type 10 ignored.

2017-10-26T18:38:43.8056120Z 1cac V BatchInstallation.cpp:290 Action type 10 ignored.

2017-10-26T18:38:43.8212342Z 1cac V BatchInstallation.cpp:290 Action type 10 ignored.

2017-10-26T18:38:43.8212342Z 1cac V BatchInstallation.cpp:290 Action type 10 ignored.

2017-10-26T18:38:43.8212342Z 1cac I ChildProcess.cpp:70 PATHTOFIXES=C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2017-10-26-T-17-59-19\

2017-10-26T18:38:43.8212342Z 1cac I ChildProcess.cpp:77 EXTRACTDIR=Windows10x64Professional1709_GER.dir\; LSFN=Windows10x64Professional1709_GER.iso

2017-10-26T18:38:43.8368514Z 1cac I ChildProcess.cpp:114 Started C:\WINDOWS\sysnative\cmd.exe /Q /D /V:ON /C "C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2017-10-26-T-17-59-19\Windows10x64Professional1709_GER.iso_install.bat"

2017-10-26T18:40:05.8303906Z 1cac V ChildProcess.cpp:140 Process handle 00000954 returned '9999'.

2017-10-26T18:40:05.8460310Z 1cac W DeployerImpl.cpp:106 Patch state is 'Failed'. Registry bread crumb patch state not updated.

Hi Everyone;

Customer want to change language of notification message.

İs it possible?

Can you help us?

I was wondering if anyone has figured out how to run a script to suspend bitlocker and then run a msi. I'm trying to remotely update surface book firmware with a bat or vbs or any other script combo. I have figured out how to get Ivanti to push the script and msi to the surface book or laptop but I can't get the script to run to suspend bitlocker before I try to run the msi.

Question 1. What type of (Script/What should I put in it) should I be using and how should I put it into Ivanti to run and is their anything I need to configure for it to run with administrator rights on the target machine ?

Question 2. I have put the MSI in the Custom Auction but is their anything that I need to put in the run line like msi.exec ?

Question 3. If Ivanti Shavlik can't do this is their a product or way that can ?