Hello All,
I'm still quite new to Ivanti Patch for Windows, so sorry if this is a simple question.
Our configuration is as follows, one Ivanti Patch for Windows Server and a external SQL server for it's database.
I can't see any documentation explaining how best to patch itself, and if there are any special considerations that I need to be aware of?
Thanks in advance.
Kieren
We are trying to deploy to our workstations, but the majority of the workstations I am testing were not able to be scanned because of the following error.
Does the remote registry service need to be running in order for Shavlik to scan and patch? Or is there an alternative?
Thank you,
Jose
This document will provide information about how to obtain information about Shavlik's XML updates (patch definitions).
Generally the Shavlik content team will provide patch definition updates every Tuesday and Thursday. However, there are three easy sources that can be used to see when new XML updates (patch definitions) are released.
1) XML Announcements Sign up: http://www.shavlik.com/forms/xmlsubscribe.aspx
You can sign up to receive Shavlik Protect content (patch definition) email notifications under the 'Shavlik Protect Content Updates' form here.
Or, send a blank email to subscribe-shavlik-xml@listserv.shavlik.com to sign up for these notifications.
2) Patch Data Information Blog Page: Shavlik Protect | Simplify and Automate your IT Management
This web page displays all patch definitions released by the Shavlik content team for the Protect application.
3) Patch Data Information RSS Feed: http://protect7.shavlik.com/feed/
All the same information as protect7.shavlik.com in an RSS feed.
4) Patch Data Information Twitter: https://twitter.com/ShavlikXML
This Twitter account is updated every time an XML release is put out. This is a good alternative to recieving email notifications, depending upon your preferences.
Ivanti Patch for Windows Servers 9.x
Shavlik Protect 9.x
Shavlik Protect SDK
Starting with the April 11th 2017 Patch Tuesday, Microsoft will no longer be using a traditional naming format for Security Bulletins.
The new Security Bulletin mappings our products will be using: MS[YY]-[MM]-[PP(P)]
Here are examples from Patch Tuesday Nov 14, 2017:
.NET Patches will follow a slightly different naming scheme:
Non-security .NET Patches also have a slightly different naming scheme:
Additional Naming Conventions
Microsoft released the following article for FAQ on the changes made: Security Updates Guide dashboard and API:
Q: Why is the security bulletin ID number (e.g. MS16-XXX) not included in the new Security Update Guide?
A: The way Microsoft documents security updates is changing. The previous model used security bulletin webpages and included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation, including bulletin ID numbers, is being retired and replaced with the Security Update Guide. Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers and KB Article ID numbers.
Shavlik Protect
Shavlik Patch
Ivanti Patch for Windows Servers
Ivanti Patch for SCCM
The purpose of this document is to help determine the version of Windows 10 being used
1. Open Control Panel - System - Windows Edition. If LTSB it will end with LTSB, e.g. Windows 10 Enterprise 2016 LTSB
2. Look at registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName and will end in LTSB if LTSB
3. From PowerShell execute:
gwmi win32_operatingsystem | select OperatingSystemSKU
A value of 4 means CB while 125 means LTSB
Windows 10
The Scheduled Console Tasks Manager is designed to give you a single location from which to monitor the tasks currently scheduled on the console. These tasks can include patch scans, asset scans, patch deployments to the console machine, patch deployments to hosted virtual machines, power tasks run against the console, script executions, and scheduled reports. The Scheduled Console Tasks Manager uses the services of the Microsoft Task Scheduler to schedule and initiate each task. If you prefer, you can view the tasks within the Microsoft Scheduler by accessing the Task Scheduler dialog on your Windows console machine and then expanding the Task Schedule Library > LANDESK > Protect tree.
Note: To monitor scheduled tasks on your remote machines, use the Scheduled Remote Tasks Manager.
You can use the Scheduled Console Tasks Manager to modify and delete the scheduled tasks. For example, if you know a certain machine will be unavailable on a certain day you can reschedule any scans that are set to be performed on that machine.
Overview
You access the Scheduled Console Tasks Manager by selecting Manage > Scheduled Console Tasks.
The following commands are available using the buttons on the dialog or by right-clicking a task on any of the tabs.
How To Test SYSTEM Account Permissions
Protect 9.X
Ivanti Patch for Windows Servers 9.3.X
The Notifications and Warnings dialog allows you to specify when you want Ivanti Patch for Windows® Servers to inform you about potential operational issues.
Ivanti Patch for Windows® Servers
This document is made to assist in automatically exporting the result of a ping command to a text file for troubleshooting.
Open the command prompt (Start > Run > type "cmd").
Type the following command "C:\>ping nameofwebsiteorip >> c:\namefile.txt -t".
For example if you want to ping the loopback address
Output located at C:\namefile.txt
The Patch Options dialog allows you to specify patch scanning and deployment options.
Ivanti Patch for Windows 9.3
Hello -
We recently picked up Shavlik Protect to patch our Windows Servers, and I had a question that I don't seem to be able to find a quick answer for:
Schedule reboot | If you elect to reboot the machines, you can specify when the reboot should occur. You can:
|
If I schedule updates to begin at 11PM, and I have a “must be available” timeline of 3AM (server must be available again in terms of maintenance window). If I schedule a reboot at specific time of 2:30 AM and the patching is still occurring will this interrupt/halt the patching (and notify me?), or will it continue patching AFTER the reboot and then reboot again down the road? I really want to ensure that if patching takes longer than expected I wont be an situation of a reboot occurring post 3AM (if I pick reboot immediately after install), but I also don’t want to cause issues with the patching because we rebooted in the middle of patching?
Also how does it handle several patches that trip the reboot flag? Does it apply all the patches in the group and then reboot, or is intelligent enough to apply patch, reboot and then continue patching?
Thanks!
This documents describes how to disable Automatic Updates in Windows 10 build 1607 and 1703.
Note: You must create these registry keys manually
1. Click Start, click Run, and then type regedit in the Open box.
2. Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
3. Add the following settings:
Value data: 0 or 1
Registry Value Type: Reg_DWORD
Value data: 1 to 4
Registry Value Type: Reg_DWORD
This method contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows: https://support.microsoft.com/en-us/help/322756
Windows 10 Build 1607
Windows 10 Build 1703
This documents details how to disable Automatic Updates in Windows 10 build 1709 through a GPO
Steps for single computer:
1. Click Start, and then click Run.
2. Type gpedit.msc, and then click OK.
3. Expand Computer Configuration.
4. Right-click Administrative Templates, and then click Add/Remove Templates.
5. Click Add, click Wuau.admin the Windows\Inf folder, and then click Open.
6. Click Close.
7. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then expand Windows Update.
The Configure Automatic Updatespolicy appears. This policy specifies whether the computer receives security updates and other important downloads through the Windows Automatic Updates feature. The settings for this policy let you specify if automatic updates are enabled on the computer. If the service is enabled, you must select one of the three configuration options.
8. To view the policy settings, double-click the Configure Automatic Updatespolicy.
9. To turn on Automatic Updates, click Enabled or to turn off select Disabled
Steps for multiple computers:
1. From the server, click the "Start" button and select "Programs" > "Administrative Tools" > "Active Directory Users and Computers."
2. Right-click the domain name whose settings you want to change and select "Properties." Select the "Group Policy" tab.
3. Highlight the domain policy you wish to modify, which will typically be the default group policy, and then click the "Edit" button.
4. The Group Policy Object Editor will now be open. In the left window, navigate to "Computer Configuration" > "Administrative Templates" > "Windows Components" > "Windows Update."
5. In the main frame, double-click the option "Configure Automatic Updates."
6. Select "Disabled" to turn off automatic updates.
Policy changes are not applied immediately to the workstations. Active sessions will have their policy refreshed every 90 minutes by default. Inactive machines will have their policy updated when a user logs in or when the computer starts up
Windows 10 Build 1709
This document will provide information about how to obtain information about Shavlik's XML updates (patch definitions).
Generally the Shavlik content team will provide patch definition updates every Tuesday and Thursday. However, there are three easy sources that can be used to see when new XML updates (patch definitions) are released.
1) XML Announcements Sign up: http://www.shavlik.com/forms/xmlsubscribe.aspx
You can sign up to receive Shavlik Protect content (patch definition) email notifications under the 'Shavlik Protect Content Updates' form here.
Or, send a blank email to subscribe-shavlik-xml@listserv.shavlik.com to sign up for these notifications.
2) Patch Data Information Blog Page: Shavlik Protect | Simplify and Automate your IT Management
This web page displays all patch definitions released by the Shavlik content team for the Protect application.
3) Patch Data Information RSS Feed: http://protect7.shavlik.com/feed/
All the same information as protect7.shavlik.com in an RSS feed.
4) Patch Data Information Twitter: https://twitter.com/ShavlikXML
This Twitter account is updated every time an XML release is put out. This is a good alternative to recieving email notifications, depending upon your preferences.
Ivanti Patch for Windows Servers 9.x
Shavlik Protect 9.x
Shavlik Protect SDK
The purpose of this document is to explain the best practices for Windows Automatic Update configuration in a Shavlik environment.
When Windows Automatic Update is configured to check for updates, even if it is not configured to download or install them, it can cause slow deployments with Shavlik.
A. Set Automatic Updates to "Never check for updates".
a. Configure settings at the local computer level.
Go to Control Panel> All Control Panel Items> Windows Update> Change settings and choose "Never check for updates (not recommended)" then hit OK.
b. Disable Automatic Updates through GPO.
1. Click Start, and then click Run.
2. Type gpedit.msc, and then click OK.
3. Expand Computer Configuration > Administrative Templates> Windows Components> Windows Update.
4. Select Configure Automatic Updates,choose Disabled, and hit Ok.
5. As GPO updates every 90 minutes, you can force this update to take effect by running the command gpudate /force.
More information on this process can be found in Configure Automatic Updates using Group Policy.
B. Stop the Windows Update Service and set the service to Manual. (The service will start as needed)
C. Make sure you don't have a custom location setting for "Specify intranet Microsoft updater service location". This is set in in Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update and remove this setting.
Methodology has changed in Windows 10 build 1511, 1607, and 1703. To disable Windows Automatic Updates for Windows 10 Build 1607 and 1703 click here.
Microsoft has reverted back to the methodology in this document with Windows 10 build 1709
All Windows OS with the exception of Window 10 build 1511, 1607, and 1703
Can Ivanti provide a non-ftp link for agentinstaller.msi and patchinstaller.msi for version 9.3.4440.0 ?
Thanks,
John
Hypervisor scanning and deployment
Scanning and deployment operations are performed by the hypervisor. In order to scan for installed and missing Bulletins, the hypervisor needs the latest patching metadata files. The metadata files are available from VMware inside an archive 9ZIP0 file. There is a different metadata package for each supported version of ESX and ESXi. Protect supplies the target hypervisor with the URL to the proper metadata file, but in this release, the hypervisor must download the file from the internet.
When the user selects the Bulletins to install, Protect will analyze the request and determine the proper bundles to be install by using the same metadata that was used by the hypervisor during the scan.
Protect gets the URLs for the bundles and passes them to the hypervisor. The hypervisor will download the bundles from VMware and perform the installation. The scan and installation processes are initiated by the Protect Console Service. Once initiated, the Scan or Deployment operation will continue even if the Protect GUI is shut down.
Deploying patches to the Virtual Environment
Details of the deployment operation can be found in the following locations:
ESX - 4.0 or later
ESXi - 4.1 or later
Purpose
Shavlik Protect has the ability to take VMware snapshots. You can set this in a Custom Deployment Template, Under the tab Hosted VM/Templates. You also have the ability to delete old snapshots.
Protect waits to delete the snapshots until the next deployment. If your deployments are spread out, and you would like your snapshots erased sooner, you can do this by deploying a custom patch that is always detected as missing. (QSK2745, MSST-001)
Overview
1. Create a new Patch Scan Template by going to New-> Patch Scan Template and name is "Custom Action Scan". The only thing you need to change is under Patch Properties in the bottom right, click the radio button for "Scan Selected" and click the "Custom Actions" box.
2. Create a New Deployment Template by going to New-> Deployment Template and name it "Custom Action for VMware Snapshot"
3. Go to the Post-deploy Reboot tab, and set this to ‘Never reboot after deployment’.
4. Under the Hosted VMs/Templates Tab, choose Delete old snapshots created by Shavlik Protect Advanced (age in days): (I set 2. You set your desired results. You need to set this to take pre-deployment snapshots as well.
Protect can only delete existing snapshots at the time it takes a new snapshot. It does NOT delete a snapshot at the age specified without a snapshot creation event triggering the age calculation and deletion
5. Click Save.
Click the Home button and follow these instructions to schedule the task.
a. Click Auto-Deploy patches after scan
b. Chose "Custom Action for VMware Snapshot"
c.Click "Install immediately.
5. Click Schedule.
Protect 9.X
In our deployment template, users can initiate the reboot as soon as patch installation is complete. When they do so, it takes some time before the computer actually reboots (sometimes as long as 10 minutes).
Is there a way to quicken this restart time?
The following is a sample integration script for the Ivanti Patch for Windows Servers API integration with the BeyondTrust vulnerability scanner.
If you use a vulnerability scanner to identify weaknesses in your network, the scanner may detect hundreds or even thousands of issues on your machines. At first this might seem a bit overwhelming, but what’s likely happening is that the vulnerability scanner is simply producing a lot of noise. The scanner is assessing for CVEs (Common Vulnerabilities and Exposures) explicitly. In reality a software update will often include many CVEs. A patch can also be superseded or replaced by a newer update. What this tends to cause is the Vulnerability Assessment reflecting hundreds of vulnerabilities that can be resolved by updating just a few software titles on a system.
To address this, you can use the API to:
Please note:
Environment confirmation steps:
1. Ensure the BeyondInsight console is set up correctly
a. Go to the Configure tab
b. Go to the API Registration tab
c. Make sure the current IPv4 address/range is in the Source Addresses list.
d. Click Update
2. Edit the $Authorization variable at the top of the BeyondInsightToPatch.ps1 file to include your BeyondInsight authorization connection string as specified in the BeyondInsight API documentation.
a. http://<yourBIhost>/eEye.RetinaCS.Server/Flex/Help/BeyondInsightAndPasswordSafeAPIUserGuide.pdf
b. Use the example style text from the Authorization Header section of the API guide. Only include the text to the right of "Authorization="
Example: PS-Auth key=XXXXXXXX...XXXX; runas=demo;
How to invoke the script - BeyondInsightToPatch.ps1
1. Open PowerShell
2. Run BeyondInsightToPatch.ps1 or invoke it with the following mandatory parameters:
3. BeyondInsightToPatch -BtHostOrIpAddress '127.0.0.1' -SmartRuleId 10001 -ScanTemplate 'Demo' -DeployTemplate 'Agent Standard' -PatchGroupName 'Demo' -MachineGroupName 'Demo' -ScanName 'BT-Ivanti demo' -DeployMissingPatches $False
a. BtHostOrIpAddress should be the current IPv4 address of the console VM. I've configured BI to allow 127.0.0.1
b. SmartRuleId should be the smart asset group defined by BeyondInsight.
I. 1 is the system group of All Assets
II. 2 is the system group of All Workstations.
c. DeployMissingPatches set to $True will actually download and deploy the patches to the machines in $MachineGroupName
4. If/when you see yellow warning messages like "WARNING: Cve item was not found: CVE-YYYY-NNNN", don't worry.
a. It means we don't have that CVE in our (Ivanti Patch for Windows Servers content)
b. The patch for the vulnerability may be in our content, but under a different CVE. We add all CVEs for all vulnerabilities to the Patch Group.
5. Open Patch for Windows Servers and view the full results of the patch scan/deployment. You'll see the scan result by $ScanName, date, and source of API in the left navigator.