In our deployment template, users can initiate the reboot as soon as patch installation is complete. When they do so, it takes some time before the computer actually reboots (sometimes as long as 10 minutes).
Is there a way to quicken this restart time?
Hi, could anyone recommend a way to patch multiple servers that hold one application in the correct order?
Ideally what I'd like to do:
1 - stop application services across multiple servers
2 - patch application & database servers
3 - reboot database server first & ensure its back on line (pre 4)
4 - reboot application servers.
Any ideas would be greatly welcome. I believe I can achieve step 1 with the use of a Powershell script (though I can currently only get it to work if each server is running its own individual script) but I can't see a way to reboot/patch the servers in a particular order.
Thanks,
Lynette.
Hi all,
So the task is this : i need to export all patches installed by Shavlik on server X in a specific time frame (for ex : 1July - 1Dec) . Sounds easy but i can.t have the report that i want . Tried all custom reports /Condensed Patch Listing / advanced filters....but i don.t get the result i need.
Of course i could use things like :
wmic qfe list full /format:htable > hotfixes.htm or get-hotfix - but this doesn.t report updates for office/exchange etc and i deployed with Shavlik a lot of updates for different applications.
Or i could just go to Control Pannel and manually get the installed updates but there are not present updates for Vmtools/Firefox / etc that i normally did with shavlik.
So my only hope is that Shavlik can acutally do a report like this, it sounds super easy should definitelly be available.
Thus, can it be done ?
Anothing thing : i could just view in the Results tab in shavlik and manually check previous deployments...but the problem is that i can only see them from the last month. Any way to see the previous deployments from the last 6 months ?
Super urgent help needed here, i.m in the middle of an audit and need this to be done.
Thanks in advance.
Alex.
Every time I go into Tools... Options... and select Distribution Servers, the Ivanti Console crashes with the attached error message. Has anyone run into this problem before.
Hallo zusammen,
auf einigen unserer Rechner sind administrative Freigaben via GPO deaktivert (AutoShareServer und AutoShareWks = 0).
Auf diesen Rechnern schlägt daher der Patchscan mit dem Fehlercode 301 fehl, obwohl wir bereits in den Patchoptionen den Punkt "Temporäres Systemlaufwerk erstellen, falls keines vorhanden ist" aktiviert haben.
Welche Maßnahmen müssen wir zwecks Lösung treffen?
(Anmerkung: Das Aktivieren der administrative Freigaben ist in diesem Fall leider keine Option für uns.)
Zur Info auf den betroffenen Rechnern gibt es nur noch die Systemfreigabe IPC$, zu dieser werden über den, im ivanti konfigurierten Admin-User, beim scannen auch kurzzeitig 3 Sitzungen aufgebaut, es wird jedoch kein temp. Systemlaufwerk angelegt.
Grüße
When running a batch file as part of a custom action, the deployment never completes or the deployment hangs.
When Protect is running a deployment, it creates a batch file that is copied to the target machine. This batch file contains all the information related to that deployment, including what patches should run, and with what switches. It also includes any Custom Actions that the user defined. This batch file will be referred to as the Protect Generated Batch. When the Protect Generated Batch file is running, it initiates each task sequentially going through the list (one task must finish before the next can begin). When the Protect Generated Batch file calls the users custom batch file, the Protect Generated Batch file waits for the users custom batch file to return an exit code to indicate it is done. If the users' custom batch file is not accessed with an appropriate command, it will not return the necessary exit code for the Protect Generated Batch File to continue through its pending actions.
If the Custom Action batch file is going to run an action that following actions are dependent on (example: batch file stops a service so a custom action can run a .exe), then utilize the CALL command.
The call command will allow the custom batch file to return an exit code to the Protect Generated Batch file so it can continue on its jobs, once the custom batch file finishes.
Example:
Call %PATHTOFIXES%\stop_services.bat
If the Custom Action batch file is going to present the end user with information that should stay open (example: a custom message that the batch file shows), then utilize the START command.
The Start command will begin the custom batch file, and once it has started, the Protect Generated Batch file will continue without waiting for the custom batch file to close.
Example:
Start %PATHTOFIXES%\show_warning.bat
These are CMD commands, not Shavlik custom variables. More info on CMD commands here: An A-Z Index of the Windows CMD command line | SS64.com
We would recommend having your batch file run After All Patches rather than Before All Patches to avoid any conflicts with patches being installed in the deployment.
Custom Action - Using the Null Patch
Ivanti Patch for Windows Server 9.x
Shavlik Protect 9.x
The following is a sample integration script for the Ivanti Patch for Windows Servers API integration with the Qualys vulnerability scanner.
If you use a vulnerability scanner to identify weaknesses in your network, the scanner may detect hundreds or even thousands of issues on your machines. At first this might seem a bit overwhelming, but what’s likely happening is that the vulnerability scanner is simply producing a lot of noise. The scanner is assessing for CVEs (Common Vulnerabilities and Exposures) explicitly. In reality a software update will often include many CVEs. A patch can also be superseded or replaced by a newer update. What this tends to cause is the Vulnerability Assessment reflecting hundreds of vulnerabilities that can be resolved by updating just a few software titles on a system.
To address this, you can use the API to::
Overview
The API feature is meant for advanced users who have a working knowledge of PowerShell and who want to perform tasks beyond those available through the Ivanti Patch for Windows Servers user interface. The PS script needs run from the Patch for Windows Servers console server.
1. Edit the variables in the UpdateLocalQualysFiles.bat. This batch file is used to download data files directly from the Qualys content servers.
a. SET CURLPATH=C:\curl\curl.exe - Set the location of your curl.exe.
b. SET LOCALDATA="C:\QualysToPatch_API\Qualys" - Set the location of your Qualys scripts.
c. SET PLATFORM=qualysapi.qg3.apps.qualys.com - Specify host you were assigned when you setup your Qualys account.
d. SET USER="user:pass" - Set a username and password for your Qualys account.
2. Run UpdateLocalQualysFiles.bat to get the latest data from Qualys. This will download the data files directly from the Qualys content servers and place them in the location specified in the batch file.
3. Run the script: (Scan)
> . .\QualysToIvanti.ps1
> QualysToIvanti -machinesXmlFile C:\QualysToPatch_API\hosts.xml -qualysKbXmlFile C:\QualysToPatch_API\qualyskb.xml -ScanTemplate 'Demo' -DeployTemplate 'Agent Standard' -PatchGroupName 'Demo' -MachineGroupName 'Demo' -ScanName 'Qualys-Ivanti demo' -DeployMissingPatches $False
4. You can choose not to perform a scan and update a Patch Group in Patch for Windows Servers.
> . .\QualysToIvantiPatchGroup.ps1
> QualysToIvantiPatchGroup -machinesXmlFile "C:\QualysToPatch_API\hosts.xml" -qualysKbXmlFile "C:\QualysToPatch_API\qualyskb.xml" -PatchGroupName 'Demo'
Hey guys,
We just became aware of the issue regarding ccleaner 5.53 being a trojan. Better late than never I guess. While we're already scanning everything with antivirus, I was curious what the best method to scan for the software is. So far I have attempted to make a patch group solely scanning for Piriform CCleaner. I know that we can run a Software Scan Report, but I have to go through and ctrl+F every time to find what version is installed on the computers. The other reports simply tell me what computers have CCleaner and that it needs to be updated (not what the current version has).
I'm sure this is something simple that I'm overlooking. Can someone help me with this?
Update Failed: unable to download manifest. Already followed doc 2216 How to remove an agent and all of its components. Any suggestions? Thanks.
Just need to report weekly by email on all servers I'm patching just on failures please
How do you contact a person to speak with?
This document is meant to provide information on how to properly scan and deploy in Ivanti Patch for Windows Servers 9.3.
When you run a scan and deployment from the upgraded console the scan completes and the deployment gets to a "Scheduled" status and does not progress.
Recreate or edit the scan and deployment making sure to complete the "Execute deployment package" section after you select the Stage deployment package item you wish to use.
How To: Schedule and Configure a Deployment in Patch for Windows Servers 9.3
Ivanti Patch for Windows Servers 9.3+
Hello,
I would like add machines with its respective credential to a machine group by text file, but i can't because shavlik takes the credentials as a machine name. is there a way to do this?, import machines and its credentials by text files.
Thak you for your help
I am trying to run a simple:
Add-PatchGroupItem -Name 'PatchGroup-A' -Cve 'CVE-2016-0127','CVE-2016-0149'
However, I am getting an exception:
Add-PatchGroupItem : Failed to add patch group items: Exception calling "AddPatchGroupItem" with "2" argument(s):
"Generic data access layer exception. SQL exception message: Cannot insert the value NULL into column 'patchGroupId',
table 'Protect.dbo.PatchGroupPatch'; column does not allow nulls. INSERT fails.
The statement has been terminated."
At line:1 char:1
+ Add-PatchGroupItem -Name 'PatchGroup-A' -Cve 'CVE-2016-0127','CVE-2016-0149'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Add-PatchGroupItem
Thanks!
Hello,
I would like to deploy a Firefox executable to a machine group, but I'm not sure how to deploy a separate installer from what Ivanti already provides. I'm noticing a select group of machines are having an issue with updating Firefox, so I manually downloaded the recent update from Firefox and would like to deploy it to a machine group I created. How would I go about doing this?
Hello,
I implement rings for patching and has to disable automatic updates and create a scheduled automatic download task in the Options to update the definitions and download the patchs using the Predictive patch downloads feature. I would like to run the Scheduled automatic downloads task more than one (i.e. first and thirt monday of the month) but I could only create one schedule for the task, If I click on the add button to create a schedule it replace the schedule of the active task. For now I have to use the Microsoft scheduler and create multiple trigger of the tasks. I was wondering if there is Qan easier solution to do it.
Secondly I would like to exclude some Services Packs in the scan. I can see the Service Pack 1709 for Windows 10 missing but I don't want to install it now, is there any way to exclude it from the scan like a patch ?
Thanks in advance for any help
Best regards
Gabriel
A crash occurs when after upgrading Ivanti Patch for Windows Servers prompting the error - An unexpected error has occurred and Ivanti Patch for Windows Servers Activation must close to recover.
The following error is found in the ST.Protect.managed.user.log:
Launcher.cs:87|System.InvalidOperationException: Crash from UI thread ---> System.AggregateException: One or more errors occurred. ---> System.Configuration.ConfigurationErrorsException: Unrecognized attribute 'threatDataDirectory'. Note that attribute names are case-sensitive. (C:\Program Files\LANDESK\Shavlik Protect\STEnvironment.config line 2)
The STEnvironment.config is either corrupt or contains custom changes that are no longer compatible with the upgraded system
Ivanti Patch for Windows Server 9.3.x
I have configured User role Assignment in our environment because I don't want a single user account to be used by all users of the system (10 - 15 users). However I didn’t realise when I configured settings/ options in my profile that they are not set globally in the environment and inconsistencies are cropping up and causing at a per user level.
Is there any way to configure a default profile for all users? Meaning we have a consistent setup for each user that includes all the settings i have configured e.g Credential Manager, Internet Proxy settings e.t.c.
Starting with the April 11th 2017 Patch Tuesday, no longer has used a traditional naming format for Security Bulletins. To help our customer's, we created our own naming format as follows:
The new Security Bulletin mappings our products will be using: MS[YY]-[MM]-[PP(P)]
Here are examples from Patch Tuesday December 12, 2017:
.NET Patches will follow a slightly different naming scheme:
Non-security .NET Patches also have a slightly different naming scheme:
Additional Naming Conventions
Microsoft released the following article for FAQ on the changes made: Security Updates Guide dashboard and API:
Q: Why is the security bulletin ID number (e.g. MS16-XXX) not included in the new Security Update Guide?
A: The way Microsoft documents security updates is changing. The previous model used security bulletin webpages and included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation, including bulletin ID numbers, is being retired and replaced with the Security Update Guide. Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers and KB Article ID numbers.
Shavlik Protect
Shavlik Patch
Ivanti Patch for Windows Servers
Ivanti Patch for SCCM