During the webinar scripting the required registry changes to enable the patch changes was discussed.
I see a reference to scripting for checking the AV registry changes in a previous discussion.
Has Ivanti developed a script to make the registry changes required to enable the patch features?
Also, in the chat window, it was indicated that one could run the script to enable the features prior to patching, thus eliminating the second reboot. Is that correct?
Thanks,
Joe
We use Ivanti Protect patch management for patching our VM servers. We would like to rollout a new version of the Fortinet client to the servers as a patch/distribution so that we can coordinate reboots within our maintenance window. Is this possible to do? Unfortunately, Fortinet is not listed in the Software Distribution list, where this would likely go..
Thanks in advance,
Steve
The Ivanti Content Team created a Security Tool to help implement the required registry keys discussed in the Microsoft article linked below. This document will step through the configuration to specifically target the new Security Tool and deploy it your clients.
"Microsoft is aware of a new publicly disclosed class of vulnerabilities that are referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM. Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware or firmware updates and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software."
You will be creating a Scan Template and Patch Group to specifically target this Security Tool. This will allow you to scan with automatic deployment without having to worry about installing other Security Tools we offer. We will be offering 2 Security Tools, one to implement the registry keys and another to remove the registry keys.
Creating the Patch Group
A Patch Group contains a list of patches you can use to use as a baseline (to scan for) or use to exclude from scan results. We will be using a Patch Group as a baseline to scan for IVA18-001 Q4072698.
1. Navigate to New > Patch Group. Enter a Name for the Patch Group and optionally a Description. Click Save.
2. Search for IVA18-001 or 4072698. Right-click on the Security Tool IVA18-001 Q4072698 and choose Add to Patch Group then choose the Patch Group you created.
3. The Patch Group is created and can be added to the Patch Scan Template, close the Patches window.
Creating the Patch Scan Template
The Scan Template, along with your new Patch Group will help you scan for the new Security Tool.
1. Navigate to New > Patch Scan Template.
2. Give the Scan Template a Name, matching the Patch Group Name is advisable.
3. In the Baseline or Exceptions section, choose Baseline and check-mark your Patch Group. (no other filtering is needed)
4. The Scan Template should look similar to this:
5. The Patch Scan Template is created, Click Save.
Scanning for the Security Tool
The setup is complete, you can use your new Patch Scan Template to scan for the new Security Tool IVA18-001 Q4072698. The Security Tool will show missing on systems that do not have the registry keys on them and can be deployed like a regular update. A reboot is required.
Ivanti Patch for Windows Servers 9.3.x
Shavlik Protect 9.2.x
Just curious if anybody has seen any performance impact after applying the latest MS patches?
We have a server that was joined to our domain but we have now moved it to our DMZ and set it to workgroup instead of domain member. When we try to scan getting error 261; we confirmed that the required ports are open. Is there by chance a known issue with having servers joined to a domain but then set to work group having problems with being patched by Shavlik?
Regards,
Michael
After applying MS15-A02 KB3033929, the patch MS12-001 KB2644615 is now showing as missing.
The introduction of MS15-A02 in March 2015 opened up a security hole that is addressed by the installation of MS12-001 KB2644615 or MS13-063 KB2859537.
Deploy MS12-001 KB2644615 based on the scan results from Shavlik Protect or download the install file for MS13-063 KB2859537 and manually run the file on the target machine
Protect 9.X
It started last December. Must of my computer are not accessible with the agent.
But I can scan and Push Manually the patches
If I right click one computer that have the agent and try a ( Check-in request )
I get <<Agent did not respond>>. anything I tried like from the console ex: Update Binary (get Agent didn't respond, but is up-to-date)
I check Manage Machine Properties , Port : 3389 and Credential are Normal like the rest of the computer where it is working.
I tried view Scheduled Task, Got a popup refresh machine....
The scheduler on machine 10.1.24.25 is not available -2080374779 - unknown error (0x84000005) The list of jobs currently scheduled on 'computerneme' is unreadable
Then I tried ''Upgrade scheduler now'' with the right admin credential.
Got unother popup :
Atleast one of your credentials can no longer be decrypted. PLease edit or delete every credential with a 'Username' of 'None' in the credential manager.
I am stuck here and not sure if I can delete the credential ?
Tks
Dan
Purpose
The Ivanti Content Team has created a Security Tool to help implement the QualityCompat registry key that enables deployment of the Windows security updates released on January 3, 2018. This document will step through the configuration to specifically target the new Security Tool and deploy it your clients.
Instructions
You will be creating a Scan Template and Patch Group to specifically target this Security Tool. This will allow you to scan with automatic deployment without having to worry about installing other Security Tools we offer. We will be offering 2 Security Tools, one to implement the registry key and another to remove the registry key.
Creating the Patch Group
A Patch Group contains a list of patches you can use to use as a baseline (to scan for) or use to exclude from scan results. We will be using a Patch Group as a baseline to scan for IVA18-002 Q4072699.
1. Navigate to New > Patch Group. Enter a Name for the Patch Group and optionally a Description. Click Save.
2. Search for IVA18-002 or 4072699. Right-click on the Security Tool IVA18-002 Q4072699 and choose Add to Patch Group then choose the Patch Group you created.
3. The Patch Group is created and can be added to the Patch Scan Template, close the Patches window.
Creating the Patch Scan Template
The Scan Template, along with your new Patch Group will help you scan for the new Security Tool.
1. Navigate to New > Patch Scan Template.
2. Give the Scan Template a Name, matching the Patch Group Name is advisable.
3. In the Baseline or Exceptions section, choose Baseline and check-mark your Patch Group. (no other filtering is needed)
4. The Scan Template should look similar to this:
5. The Patch Scan Template is created, Click Save.
Scanning for the Security Tool
The setup is complete, you can use your new Patch Scan Template to scan for the new Security Tool IVA18-002 Q4072699. The Security Tool will show missing on systems that do not have the registry key on them and can be deployed like a regular update.
Additional Information
Affected Product(s)
Ivanti Patch for Windows Servers 9.3.x
Shavlik Protect 9.2.x
January KB4056897 & KB4056898 both require registry keys to activate patch. ( Server OS only)
Is there any guidance on including this in the push? Or Is Ivanti creating a custom patch to set these keys?
Thanks
Tim
As of January 3rd 2018, Microsoft is now requiring a registry key to be added to machines for addressing compatibility issues with a small number of anti-virus software products.
More information on this can be found here: Important information on detection logic for the Intel 'Meltdown' security vulnerability
Adding this registry key on machines that have out-of-date AV could cause BSOD's. Please use this custom action at your own risk.
See Microsoft link for further details: https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released
1. Download and extract the attached zip below or here to get the batch file used for adding the registry key.
2. Create a new Patch Scan Template that scans for only Custom Actions. (this will allow you run this against machine with no missing patches)
3. Create a new Deployment Template.
4. Name the template. Ex: Intel Meltdown Registry Key
4. Click on Post-deploy Reboot. Change the reboot option to 'Never reboot after deployment'.
5. Click on Custom Actions. Click 'New'. A prompt to save the template will be presented. Click 'Save'.
6. The first action will push the batch file. Ensure that step 3 states 'Push File', and then select the batch file from the local machine. Click 'Save' when completed.
7. Click 'New' once more. Change Step 3 to 'After All Patches' and use the following command in Step 4: Call %pathtofixes%addregkey.bat
8. Click 'Save' twice to finish creating the Deployment Template.
9. Use the new Scan Template to scan your target machines.
10. Once the scan is completed, click 'View Results'
11. The results will offer our nullpatch.exe for deployment. Proceed by right-clicking the patch and clicking 'Deploy all missing patches'.
12. Select the new Deployment Template created earlier. Click 'Deploy' to start the deployment.
13. Open regedit to validate the registry key was added.
How To: Perform a Custom Action Complete Tutorial with Custom Actions
Shavlik Protect 9.2
Ivanti Patch for Windows Servers 9.3
The Ivanti Content Team created a Security Tool to help implement the required registry keys discussed in the Microsoft article linked below. This document will step through the configuration to specifically target the new Security Tool and deploy it your clients.
"Microsoft is aware of a new publicly disclosed class of vulnerabilities that are referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM. Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware or firmware updates and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software."
You will be creating a Scan Template and Patch Group to specifically target this Security Tool. This will allow you to scan with automatic deployment without having to worry about installing other Security Tools we offer. We will be offering 2 Security Tools, one to implement the registry keys and another to remove the registry keys.
Creating the Patch Group
A Patch Group contains a list of patches you can use to use as a baseline (to scan for) or use to exclude from scan results. We will be using a Patch Group as a baseline to scan for IVA18-001 Q4072698.
1. Navigate to New > Patch Group. Enter a Name for the Patch Group and optionally a Description. Click Save.
2. Search for IVA18-001 or 4072698. Right-click on the Security Tool IVA18-001 Q4072698 and choose Add to Patch Group then choose the Patch Group you created.
3. The Patch Group is created and can be added to the Patch Scan Template, close the Patches window.
Creating the Patch Scan Template
The Scan Template, along with your new Patch Group will help you scan for the new Security Tool.
1. Navigate to New > Patch Scan Template.
2. Give the Scan Template a Name, matching the Patch Group Name is advisable.
3. In the Baseline or Exceptions section, choose Baseline and check-mark your Patch Group. (no other filtering is needed)
4. The Scan Template should look similar to this:
5. The Patch Scan Template is created, Click Save.
Scanning for the Security Tool
The setup is complete, you can use your new Patch Scan Template to scan for the new Security Tool IVA18-001 Q4072698. The Security Tool will show missing on systems that do not have the registry keys on them and can be deployed like a regular update. A reboot is required.
Ivanti Patch for Windows Servers 9.3.x
Shavlik Protect 9.2.x
We are changing how we handle patching for Citrix Receiver to better match up with Citrix's lifecycle process. The changes we are making are:
Versions less than 4.9: Systems running versions of Citrix Receiver prior to version 4.9 will detect as previously, with the newest patch being offered updating the software to version 4.9 which is the Long Term Service Release (LTSR) of Citrix Receiver.
Version 4.9: As this is the LTSR release it will have any Cumulative Updates marked as applicable for it, but it will not have the update to version 4.10 marked as applicable. If you want to upgrade to 4.10 from 4.9, 4.10 will be available as a Software Distribution as a separate branch, similar to how major version updates are handled currently of Java Runtime Environment.
Due to the fact that Citrix only provides links for token based downloads of previous versions of Citrix Receiver we are unable to automatically download the files for the LTSR updates. The patches will need to be manually downloaded and added to the patch repository as detailed in the following document: How To: Supply and Deploy Patches That Can No Longer Be Downloaded
For Citrix Receiver 4.9, the latest version can be found here: https://www.citrix.com/downloads/citrix-receiver/windows-ltsr/receiver-for-windows-ltsr_4_9_1000.html
Version 4.10: As this is the current release, and the start of a new branch, it will have updates marked as applicable as they are released up to the point of the next LTSR release of Citrix Receiver. At this point a new branch will be created, with versions between 4.10 and the next LTSR being offered updates to the LTSR version.
Shavlik Protect 9.2.x
Protect SDK 9.2.x
Ivanti Patch for Windows Servers 9.3.x
Certain patches exist as an installer and an uninstaller; these patches can cause a loop when scanning and deploying. When the installation patch is deployed it makes the uninstall patch considered to be missing. These patches are designed by their vendor in this manner to facilitate adding/removing the patch according to environmental needs. If scanning/deploying these types of patches it may appear that the patch continually is missing as it continues to add/remove per deployment. The uninstall patch will end with 'U'. These patches tend to belong to the 'Security Tools' patch type.
Example: Missing the Installation Patch
Example: After Installed, Now Missing Uninstall Patch
Exclude the specific patch utilizing a patch group, or choose not to deploy the patches installer/uninstaller after scanning.
Refer to the following document:
How To: Include or Exclude Specific Patches in Scan Results
How To: Include or Exclude Specific Patches in Scan Results
These are known patches that offer an uninstaller.
Shavlik Protect 9.x
Hi Team
During Patch Tuesday week, we patch our IT machines before our scheduled deployment on the weekend. We patch our machines, and they reboot as per normal, is there way to stop the second reboot on the weekend when the scheduled patches run, as the machine have been patched.
Thanks
Hemal
I realize this is probably more of a Microsoft issue, but has anyone else noticed dramatically slower deployment of patches to Server 2016 servers compared to 2008 R2/2012 R2?
We are seeing patching take almost an hour to deploy when with older versions it was 10-15 minutes. Windows update is disabled and turning off A/V results in no change. It's similar to complaints found in the technet forums:
what's with the really slow windows updates on 2016?
-Keith
The purpose of this document is to list the currently supported operating systems for Ivanti Patch for Windows Servers 9.3.
Agentless scanning for operating systems: (32- and 64-bit versions of any of the following)
Clients running with an agent: (64bit only)
Ivanti Patch for Windows Servers 9.3
This article provides a list of required web addresses for the Protect application to allow:
Protect and Patch for Windows Servers require these URLs to be accessible through firewalls, proxies and web filters:
If you require the IP addresses to create exceptions, you can ping the site for the current IP address or contact the vendor directly to obtain this information. We are unable to list the IP addresses due to the varied dynamic IP addresses being used by the vendors.
Shavlik Protect, All versions
Ivanti Patch For Windows Servers, All versions
I've been doing some test pushes of the IVA18-002 tool using 9.3.0 build 4510 and came across an issue.
The tracker never gets the final updates, so it still says "Deployment opearation executing", even though the patch progress is executed.
I think there's either a timing or order of operations issue..
Dplyevts.log shows some successful updates as the files are pushed, job schedule, started, but it fails at the end.
STdeploy.log shows the file clean up, which happens before the last update to track is supposed to be sent.
(snips below)
So is this a bug? (e.g. the order got changed?) or just a timing thing because its one small patch???
2018-01-17T17:29:01.9336112Z 0d2c I TrackerAddress.cpp:49 Read 2 messages from 'e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6.tracker'.
2018-01-17T17:29:01.9336112Z 0d2c I DplyEvts.cpp:291 PingBack updates code - tracker(https://e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6:3121/ST/Console/Deployment/Tracker/v92) deploymentId(e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6), machineId(28672), status(43), failure(false), terminal(false).
2018-01-17T17:29:01.9336112Z 0d2c I SequenceState.cpp:30 Sequence state file 'C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6.sequence.txt' does not exist, reverting sequence to default.
2018-01-17T17:29:01.9336112Z 0d2c I PingBack.cpp:53 Sending data to 'https://SHAVLIK1:3121/ST/Console/Deployment/Tracker/v92'.
2018-01-17T17:29:01.9336112Z 0d2c W HttpDownload.cpp:560 IE Proxy not found: 2.
2018-01-17T17:29:01.9336112Z 0d2c E HttpDownload.cpp:492 AttemptIEProxySession failed.
2018-01-17T17:29:02.1052134Z 0d2c I TrackerAddress.cpp:49 Read 2 messages from 'e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6.tracker'.
2018-01-17T17:29:02.1052134Z 0d2c I DplyEvts.cpp:244 PingBack updates no code - tracker(https://e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6:3121/ST/Console/Deployment/Tracker/v92) deploymentId(e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6), machineId(28672), patchId(143123), status(4), failure(false), terminal(false).
2018-01-17T17:29:02.1052134Z 0d2c I SequenceState.cpp:48 Read sequence 15001 from 'C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6.sequence.txt'.
2018-01-17T17:29:02.1052134Z 0d2c I PingBack.cpp:53 Sending data to 'https://SHAVLIK1:3121/ST/Console/Deployment/Tracker/v92'.
2018-01-17T17:29:02.1208136Z 0d2c W HttpDownload.cpp:560 IE Proxy not found: 2.
2018-01-17T17:29:02.1208136Z 0d2c E HttpDownload.cpp:492 AttemptIEProxySession failed.
2018-01-17T17:29:02.4952184Z 0d2c I TrackerAddress.cpp:49 Read 2 messages from 'e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6.tracker'.
2018-01-17T17:29:02.4952184Z 0d2c I DplyEvts.cpp:266 PingBack updates code - tracker(https://e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6:3121/ST/Console/Deployment/Tracker/v92) deploymentId(e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6), machineId(28672), patchId(143123), status(5), failure(false), terminal(true), returnCode(0).
2018-01-17T17:29:02.4952184Z 0d2c I SequenceState.cpp:48 Read sequence 15002 from 'C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6.sequence.txt'.
2018-01-17T17:29:02.4952184Z 0d2c I PingBack.cpp:53 Sending data to 'https://SHAVLIK1:3121/ST/Console/Deployment/Tracker/v92'.
2018-01-17T17:29:02.5108186Z 0d2c W HttpDownload.cpp:560 IE Proxy not found: 2.
2018-01-17T17:29:02.5108186Z 0d2c E HttpDownload.cpp:492 AttemptIEProxySession failed.
2018-01-17T17:29:02.7136212Z 0d2c I DplyEvts.cpp:70 Checking for necessary services.
2018-01-17T17:29:03.7432344Z 0d2c I DplyEvts.cpp:54 SvcIsRunning service name: LanmanServer, status: Running.
2018-01-17T17:29:03.7432344Z 0d2c I DplyEvts.cpp:54 SvcIsRunning service name: LanmanWorkstation, status: Running.
2018-01-17T17:29:03.7432344Z 0d2c I DplyEvts.cpp:54 SvcIsRunning service name: RemoteRegistry, status: Running.
2018-01-17T17:29:03.7432344Z 0d2c E TrackerAddress.cpp:34 Tracker address file 'C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6.tracker' does not exist.
2018-01-17T17:29:03.7432344Z 0d2c I DplyEvts.cpp:291 PingBack updates code - tracker(https://e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6:3121/ST/Console/Deployment/Tracker/v92) deploymentId(e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6), machineId(28672), status(99), failure(false), terminal(true).
2018-01-17T17:29:03.7432344Z 0d2c I SequenceState.cpp:30 Sequence state file 'C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6.sequence.txt' does not exist, reverting sequence to default.
2018-01-17T17:29:03.7432344Z 0d2c W HttpDownload.cpp:560 IE Proxy not found: 2.
2018-01-17T17:29:03.7432344Z 0d2c E HttpDownload.cpp:492 AttemptIEProxySession failed.
2018-01-17T17:29:03.7432344Z 0d2c E HttpDownload.cpp:1029 WinHttpSendRequest failed: 12007.
2018-01-17T17:29:03.7432344Z 0d2c E HttpDownload.cpp:500 AttemptStraightSession failed.
2018-01-17T17:29:02.5888196Z 0d2c I STPackageDeployer.cpp:1236 Patch file 'C:\WINDOWS\ProPatches\Patches\KB4072699.exe' install operation completed. Cooked result='5'. RebootRequired='false'
2018-01-17T17:29:02.5888196Z 0d2c I STPackageDeployer.cpp:1964 Done deploying patches...
2018-01-17T17:29:02.5888196Z 0d2c I STPackageDeployer.cpp:1966 Deploying product instances patches...
2018-01-17T17:29:02.5888196Z 0d2c I STPackageDeployer.cpp:2006 Done deploying product instances patches...
2018-01-17T17:29:02.5888196Z 0d2c W SingleInstanceLock.cpp:28 Waiting for another deployment to finish.
2018-01-17T17:29:02.5888196Z 0d2c I SingleInstanceLock.cpp:36 Exclusively continuing deployment.
2018-01-17T17:29:02.5888196Z 0d2c V STPackageDeployer.cpp:85 Initiating patch store servicing.
2018-01-17T17:29:02.5888196Z 0d2c V STPackageDeployer.cpp:106 Patch store servicing complete.
2018-01-17T17:29:02.5888196Z 0d2c I STPackageDeployer.cpp:1336 Postboot actions filename='PostBootTasks.xml' does not exist on the file system
2018-01-17T17:29:02.5888196Z 0d2c I STPackageDeployer.cpp:1342 Remove temp files flag is set. Pingbacks pending='false'. Sandbox cleanup deferred if true.
2018-01-17T17:29:02.5888196Z 0d2c V Sandbox.cpp:66 DoSandboxCleanup: Deleted file='C:\WINDOWS\ProPatches\Patches\KB4072699.exe'
2018-01-17T17:29:02.5888196Z 0d2c V Sandbox.cpp:66 DoSandboxCleanup: Deleted file='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\7z.dll'
2018-01-17T17:29:02.7136212Z 0d2c V Sandbox.cpp:66 DoSandboxCleanup: Deleted file='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\cl5.exe'
2018-01-17T17:29:02.7136212Z 0d2c V Sandbox.cpp:66 DoSandboxCleanup: Deleted file='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\deployPackage-28672.zip'
2018-01-17T17:29:02.7136212Z 0d2c I Sandbox.cpp:75 DoSandboxCleanup: Cannot delete filename='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\dplyevts.dll', file in use. Scheduled delete at next bootup.
2018-01-17T17:29:02.7136212Z 0d2c V Sandbox.cpp:66 DoSandboxCleanup: Deleted file='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6.sequence.txt'
2018-01-17T17:29:02.7136212Z 0d2c V Sandbox.cpp:66 DoSandboxCleanup: Deleted file='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6.tracker'
2018-01-17T17:29:02.7136212Z 0d2c V Sandbox.cpp:66 DoSandboxCleanup: Deleted file='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\InstallPatches-28672.bat'
2018-01-17T17:29:02.7136212Z 0d2c V Sandbox.cpp:66 DoSandboxCleanup: Deleted file='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\KB4072699.exe_install.bat'
2018-01-17T17:29:02.7136212Z 0d2c V Sandbox.cpp:66 DoSandboxCleanup: Deleted file='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\safereboot.exe'
2018-01-17T17:29:02.7136212Z 0d2c V Sandbox.cpp:66 DoSandboxCleanup: Deleted file='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\safereboot64.exe'
2018-01-17T17:29:02.7136212Z 0d2c I Sandbox.cpp:75 DoSandboxCleanup: Cannot delete filename='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\stdeploy.exe', file in use. Scheduled delete at next bootup.
2018-01-17T17:29:02.7136212Z 0d2c V Sandbox.cpp:66 DoSandboxCleanup: Deleted file='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\stdeploy.exe.config'
2018-01-17T17:29:02.7136212Z 0d2c V Sandbox.cpp:66 DoSandboxCleanup: Deleted file='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\STDeployerCore.dll'
2018-01-17T17:29:02.7136212Z 0d2c V Sandbox.cpp:66 DoSandboxCleanup: Deleted file='C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21\ToDelete.txt'
2018-01-17T17:29:02.7136212Z 0d2c E STPackageDeployer.cpp:507 Reboot disallowed or not required. externalRebootOption = '2', deployer requested reboot: false
2018-01-17T17:29:02.7136212Z 0d2c V DeployStatusReporter.cpp:128 Queueing online machine status msg. DeploymentId='e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6', machineId='28672', status='99', isFinal='true'
2018-01-17T17:29:02.7136212Z 0d2c S StatusClient.cpp:109 Entering STDeployment::CStatusClient::ReportMachineStatusOnline.
2018-01-17T17:29:03.7432344Z 0d2c V SchedClt.cpp:148 CSchedClt(): schedulerType=1, jobCreator=STPackageDeployer, jobName=LaunchSTDeployForOnlineStatusRetry (e294d7ce-7f0e-4da1-a9de-8ae9357ea0d6), comment=Schedule STDeploy.exe to retry status reports..
2018-01-17T17:29:03.7432344Z 0d2c I STPackageDeployer.cpp:1002 'STDeploy.exe package="deployPackage-28672.zip" relaunchSandbox="C:\WINDOWS\ProPatches\Installation\InstallationSandbox#2018-01-17-T-17-28-21" relaunchReason="finalStatusRetry=1"' scheduled to in 5 minutes.
2018-01-17T17:29:03.7432344Z 0d2c S DeployExeStates.cpp:409 Leaving STDeploy::CInitialExecutionPackageDeploy::DoStatefulRemediateActions.
2018-01-17T17:29:03.7432344Z 0d2c I STDeploy.cpp:365 Current remediation phase completed. Process exit code: 0.
2018-01-17T17:29:03.7432344Z 0d2c S STDeploy.cpp:257 Leaving wmain.
January KB4056897 & KB4056898 both require registry keys to activate patch. ( Server OS only)
Is there any guidance on including this in the push? Or Is Ivanti creating a custom patch to set these keys?
Thanks
Tim
I have multiple consoles on three networks, all on WinServer 2012R2, all at Ivanti Patch 9.3. Once a month (or more depending on urgency) I move files from Datafiles on an Internet facing console to that folder on the non-Internet facing console. This month's transfer is not working. When I attempt the first scan after copying the datafiles in, all the steps turn red with the error 'Failed to update the database with new definitions.'
I went back to the December datafiles and a scan worked fine. I've updated the deployment credentials, used different credentials, copied and transferred datafiles over from a different console, but get the same results.
Any ideas?
dwhit5555