Channel: Shavlik User Community : All Content - Ivanti Patch for Windows

I would like to know if our servers have a registry key


Hi All

 

I am looking at installing the Intel Meltdown patches, e.g. Q4056898

 

I have created a template and deployment group that installs the Reg Key

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t "REG_DWORD" /d 0 /f

 

I then was able to deploy the patches Q4056898

 

I then need to activate the patch by adding the enable reg entries

 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

 

All good, I did the same as above: created a template and deployment group.

The issue is I have no way of knowing if the reg entry has actually been applied.

Is there any way Shavlik can interrogate the registry and tell me if the new reg key exists?

 

Thanks

Steve


How To: Collect Shavlik Protect - Ivanti Patch for Windows Servers console, patch deployment and agent logs


Overview

 

These instructions will help you enable All logging (verbose logging), then collect the logs and supporting information that help Support troubleshoot issues on your console and remote clients.

 

Instructions

 

Shavlik Protect - Ivanti Patch for Windows Servers (PWS) 9.X Console Logging:


1. Open the Protect/PWS GUI and navigate to Tools > Options > Logging and change logging to All for both user interface and services.

     a. If you are unable to set logging via the GUI see this doc: http://community.shavlik.com/docs/DOC-22938

If you can reproduce the issue on demand, proceed to the next step.  If not, skip to step 6.

2. Close the console GUI.

3. Stop the 'Shavlik Protect Console Service' / 'Ivanti Patch for Windows Servers Console Service' service.

4. Delete the contents of C:\ProgramData\LANDesk\Shavlik Protect\Logs on your console.

     a. If troubleshooting agentless deployment or scheduling, delete the contents of C:\Windows\ProPatches\Logs on your target machine as well.

5. Start the 'Shavlik Protect Console Service / Ivanti Patch for Windows Servers Console Service' service and open the Protect GUI.

6. Attempt to reproduce the issue.  Please document steps to reproduce.  Screenshots are very helpful.

     a. Collect the logs from the Logs folder(s) from step 4 (please zip).

     b. Include applicable screenshots.

     c. [Deployment issues only] On the target system, zip a copy of the entire C:\Windows\ProPatches folder and its contents (exclude the Patches sub-folder).

7. Zip everything together and attach to the case on the support portal.

If requested to do so, you can obtain the ST.FileVersions.log which contains all file versions relevant to Protect by going to Help > About Shavlik Protect > Export Info.

 

Shavlik Protect - Ivanti Patch for Windows Servers Agent Logging:

 

1. You will need to set your agent's logging level to All by opening the Agent Policy assigned to the machine you are gathering logs from. The option is in the General tab.

2. If not already set, change the logging level to ‘All’ then Save and update Agents. Choose to update agents if prompted again.

     a. If Protect fails to update the agent, you will need to perform an Agent Check-in from the agent GUI on the target machine or wait for the scheduled check-in.

If you can reproduce the issue on demand, proceed to the next step.  If not, skip to step 6.

3. Remote to the agent client machine, close the agent GUI and stop the services:

     a. The services start with Shavlik, Ivanti or ST.

4. Delete the contents of the C:\ProgramData\LANDesk\Shavlik Protect\Logs folder on the agent client machine.

5. Start services that start with Shavlik, Ivanti or ST.

6. Attempt to reproduce the issue.  Please document steps to reproduce.  Screenshots are very helpful.

7. Take applicable screenshots of errors or information relevant to the issue.

     a.  Collect the logs from step 4.

     b.  Collect the screenshots.

8. Zip everything together and attach to the case on the support portal.

 

Shavlik Protect - Ivanti Patch for Windows Servers Deployment Logging: (the information collected here is specific to agentless deployments)

 

 

1. Navigate to the target machine with the deployment issues.

If you can reproduce the issue on demand, delete the contents of the C:\Windows\ProPatches\ folder and continue to the next step. If you cannot, skip to step 4.

2. Stop all services that start with Shavlik, Ivanti or ST.

3. Attempt to reproduce the issue.  Please document steps to reproduce.  Screenshots are very helpful.

4. Delete the patches from C:\Windows\ProPatches\Patches.

     a. Zip the entire C:\Windows\ProPatches folder.

     b. Include applicable screenshots.

5. Zip everything together and attach to the case on the support portal.

 

For Shavlik Protect - Ivanti Patch for Windows Servers install issues:

 

 

Affected Product(s)


Shavlik Protect 9.2

Ivanti Patch for Windows Servers 9.3

Important information on detection logic for the Intel 'Meltdown' security vulnerability


Overview

 

Microsoft has identified a severe compatibility issue with a small number of anti-virus software products.

We highly suggest all customers review these issues here:  https://support.microsoft.com/en-us/help/4072699

Due to possible BSOD issues that may occur when installing this update on systems with out-of-date AV software, we will be adding a detection prerequisite:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"

Type="REG_DWORD"

 

  • The patches will be offered for deployment if the key exists.
  • If the key does not exist, you will be offered the detection-only version of this patch.
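
One way to confirm, per machine, that the QualityCompat prerequisite above is present, together with the mitigation values listed in the registry question earlier on this page. This is an added example, not Ivanti or Microsoft code; the computer names are placeholders, and remote use assumes PowerShell remoting (WinRM) is enabled on the targets and Windows PowerShell 3.0 or later.

```powershell
# Added example (not vendor code). Value names, types and data are the ones
# quoted on this page; the computer names used further down are placeholders.
$Expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
       Name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'; Kind = 'DWord'; Data = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'FeatureSettingsOverride'; Kind = 'DWord'; Data = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'FeatureSettingsOverrideMask'; Kind = 'DWord'; Data = 3 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
       Name = 'MinVmVersionForCpuBasedMitigations'; Kind = 'String'; Data = '1.0' }
)

# Runs on the machine being checked and emits one row per expected value.
$Check = {
    param($Expected)
    foreach ($e in $Expected) {
        $state = 'Missing'; $kind = $null; $data = $null
        $key = Get-Item -LiteralPath $e.Path -ErrorAction SilentlyContinue
        # A key can exist without the value, so test the value name explicitly.
        if ($key -and ($key.GetValueNames() -contains $e.Name)) {
            $kind = $key.GetValueKind($e.Name).ToString()
            $data = $key.GetValue($e.Name)
            # Compare type as well as data: a REG_SZ "0" is not a REG_DWORD 0.
            if ($kind -eq $e.Kind -and "$data" -eq "$($e.Data)") { $state = 'OK' } else { $state = 'Mismatch' }
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Value    = $e.Name
            State    = $state
            Kind     = $kind
            Data     = $data
        }
    }
}

function Get-MitigationRegistryState {
    param([string[]]$ComputerName)
    if ($ComputerName) {
        # The leading comma passes the whole array as one argument.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $Check -ArgumentList (,$Expected)
    } else {
        & $Check $Expected
    }
}

# Local machine:
Get-MitigationRegistryState | Format-Table Computer, Value, State, Kind, Data -AutoSize

# Remote machines (placeholder names), showing only what is missing or wrong:
# Get-MitigationRegistryState -ComputerName 'SERVER01','SERVER02' |
#     Where-Object State -ne 'OK'
```

A machine whose QualityCompat row reports Missing is one that will be offered only the detection-only version of the patches listed below.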

 

Affected patches:

 

  • MS18-01-IE Q4056568 - Cumulative Updates for Internet Explorer
  • MS18-01-SO7 Q4056897 - Security Only Update for Windows 7 and Server 2008 R2
  • MS18-01-SO8 Q4056899 - Security Only Update for Server 2012
  • MS18-01-SO81 Q4056898 - Security Only Update for Windows 8.1 and 2012 R2
  • MS18-01-W10 Q4056888, Q4056890, Q4056891, Q4056892, Q4056893 - Cumulative Update for Windows 10 and Server 2016

 

Affected CVEs:

 

  • CVE-2017-5753
  • CVE-2017-5715
  • CVE-2017-5754

 

Link to Security bulletin advisory:  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

 

Additional Information

 

How to scan for specific patches: How To: Include or Exclude Specific Patches in Scan Results

How to deploy these patches:  How To: Deploy Windows Security OOB updates released January 3, 2018

How to add the registry using Security Tool IVA18-002 Q4072699: Security Tool: Implement the QualityCompat registry key that enables Windows security updates released on January 3, 2018

Affected Products

 

Ivanti Patch for Windows Servers 9.3.x

Shavlik Protect 9.2.x

Server 2016 Core/Nano support


When will Windows Server 2016 Core/Nano be a supported client?

 

We are starting to look into these, but we need to be able to patch them.  We are currently on Patch for Windows 9.3, but Core/Nano are currently unsupported clients.

ACAS Support


I currently use the Federal version of Shavlik/Ivanti Patch in my company's network infrastructure. I was told that Ivanti was supposed to be introducing some sort of compatibility with ACAS this fall. I would like to see if there is any information regarding this feature that I can review.

Offline Environment Patching Solution


We currently have Ivanti Protect (clients and console) set up in both an online and offline environment. I have read other posts regarding the procedure for patching an offline system, and am currently utilizing the Powershell script that has been given as the main solution for downloading patches for an offline console. However, are there currently any plans to make this process easier?

power shell custom action


I created a Deployment template with a custom action just like in  How To: Run a PowerShell Script with a Custom Action

 

The patch deploys but it does not seem to run the PowerShell custom action command or even put the file on the computer being patched.

It looks like it started in the log below but that's all I get.

 

 

 

-01-25T16:58:22.0378315Z 15dc I ChildProcess.cpp:114 Started C:\WINDOWS\sysnative\cmd.exe /U /Q /D /V:ON /C "PowerShell -Command "Start-Process PowerShell -Verb Runas"  %C:\Windows\ProPatches\Patches%AppX-Removal.ps1"

2018-01-25T16:58:40.2728313Z 15dc V ChildProcess.cpp:140 Process handle 000007D0 returned '0'.

2018-01-25T16:58:40.2728313Z 15dc W SingleInstanceLock.cpp:28 Waiting for another deployment to finish.

2018-01-25T16:58:40.2728313Z 15dc I SingleInstanceLock.cpp:36 Exclusively continuing deployment.

2018-01-25T16:58:40.2728313Z 15dc V STPackageDeployer.cpp:85 Initiating patch store servicing.

2018-01-25T16:58:40.2884594Z 15dc V STPackageDeployer.cpp:106 Patch store servicing complete.

2018-01-25T16:58:40.2884594Z 15dc I STPackageDeployer.cpp:1336 Postboot actions filename='PostBootTasks.xml' does not exist on the file system

2018-01-25T16:58:40.2884594Z 15dc I STPackageDeployer.cpp:484 Reboot disallowed or not required. safeRebootOption = '3', deployer requested reboot: false

2018-01-25T16:58:40.2884594Z 15dc V DeployStatusReporter.cpp:128 Queueing online machine status msg. DeploymentId='8667cef7-0aed-4c52-90a3-d8ce04f54058', machineId='230557', status='99', isFinal='true'

2018-01-25T16:58:40.2884594Z 15dc S StatusClient.cpp:109 Entering STDeployment::CStatusClient::ReportMachineStatusOnline.

2018-01-25T16:58:41.5697520Z 15dc S DeployExeStates.cpp:409 Leaving STDeploy::CInitialExecutionPackageDeploy::DoStatefulRemediateActions.

2018-01-25T16:58:41.5697520Z 15dc I STDeploy.cpp:365 Current remediation phase completed. Process exit code: 0.

2018-01-25T16:58:41.5697520Z 15dc S STDeploy.cpp:257 Leaving wmain.

Support for the Intel 'Meltdown' security vulnerability


Purpose

 

To provide information regarding Microsoft's 1/3/18 out-of-band release addressing critical security vulnerabilities

 

Information

 

Microsoft released January monthly security updates late the night of 1/3/18 (out of band) to address a CPU firmware vulnerability.  The patches released were added to our patch definition XML update released the evening of 1/4/18.

 

Please see Important information on detection logic for the Intel 'Meltdown' security vulnerability  for more detailed info.

 

Affected Product(s)

 

Shavlik Protect 9.2.x

Ivanti Patch for Windows Server 9.3.x


Report to simply list products installed on workstations (consolidated)


I am being asked to provide a list of products that are installed on our workstation base. Not per machine or per patch detail, but simply a list of all products installed, consolidated into a cumulative total for all. I have been reading and experimenting but can't find a way to produce this, and was hoping a similar issue had been addressed by one of you here.

Deployment Tracker stuck at Scheduled during Deployment but patches install


Purpose

 

The purpose of this document is to go over what to do when the deployment tracker fails to update beyond Scheduled.

 

Symptoms

 

  • Deployment tracker will stay at scheduled despite the deployments being initialized on the target machines being deployed to.
  • Deployment tracker shows scheduled:

 

 

  • When looking at the STDeployerCore.log on the target machine(s), you will see results similar to below indicating the patches were installed successfully:

 

2016-10-06T21:01:35.1775494Z 0b78 I DeploymentPackageReader.cpp:782 Deploy package 'C:\Windows\ProPatches\Installation\InstallationSandbox#2016-10-06-T-21-00-54\deployPackage-2855.zip' successfully opened unsigned for package IO

2016-10-06T21:02:38.2639494Z 0b78 I Authenticode.cpp:134 Verifying signature of C:\Windows\ProPatches\Patches\Windows6.1-KB2544893-x64.msu with CWinTrustVerifier

2016-10-06T21:02:38.3263494Z 0b78 V UnScriptedInstallation.cpp:29 Executing (C:\Windows\ProPatches\Patches\Windows6.1-KB2544893-x64.msu /quiet /norestart), nShow: true.

2016-10-06T21:02:47.7895494Z 0b78 V ChildProcess.cpp:140 Process handle 000004FC returned '0'.

Cause

 

  • Port 3121 being blocked.
  • The Deployment Template used for the deployment doesn't have 'Send Tracker Status' enabled.
  • The Console Alias Editor doesn't have the NetBIOS name, FQDN, and IP address of the Protect console added to it.
  • The Shavlik Scheduler is in a corrupted state.

 

Resolution

 

1. Ensure that port 3121 is not being blocked in your network. Perform a telnet command from the target machine(s) to your Protect console machine's IP or FQDN address.

telnet {console IP/FQDN} 3121

 

     If Telnet is not installed, you will see the following:

     To Enable Telnet:

 

     If the port is blocked, you will see a similar error:

 

     If at this point you see the port fail to connect, you will need to make sure that port 3121 is open in your network before attempting to deploy again.

 

     If the port is not blocked, you should see a blank command prompt:

 

2. Once you have confirmed that port 3121 is able to connect, check to ensure that your Deployment Template being used has 'Send Tracker Status' enabled:

 

3. Verify that your 'Console Alias Editor' has all of the following located within it:

  • Console NetBIOS name
  • FQDN
  • IP address

 

Tools > Console Alias Editor

 

 

 

Once updated, test your deployment again. If the device is able to properly connect, the tracker status will update as expected.

 

If after updating the 'Console Alias Editor' the deployment status is still showing 'Scheduled', you will find in the dplyevts.log file on the target machine something similar to the following:

 

PingBack.cpp:63 Sending data to 'https://PROTECT-92-5119:3121/ST/Console/Deployment/Tracker/V92' failed: 12002.

 

 

If you find something similar to the above, you will need to uninstall the scheduler service from the machine(s).

 

Protect 9.2:

Manage > Scheduled Remote Tasks

 

Find device(s) being deployed to, right click the machine and select 'Refresh Selected':

 

 

Device will be shown as 'Online':

 

Once online, right click the device again, go to Scheduler service > Uninstall:

 

Patch for Windows Servers 9.3:

 

View > Machines

 

 

Find the device affected using the search window

 

 

Highlight machine > Right-click > View scheduled tasks

 

 

Click Uninstall to remove the scheduler service.

 

NOTE: To validate scheduler is uninstalled, go to C:\Windows\ProPatches and if you don't see a folder named Scheduler, the service was uninstalled.

 

Test another deployment to your target machine(s). During this deployment, the Scheduler service will reinstall and should update the deployment tracker to show the deployment operation executing.
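
The port check from step 1 and the dplyevts.log check described above can be combined into one script run on the target machine. This is an added example, not Ivanti code; the function name is hypothetical, the console name and log path are supplied by the operator (the article does not give the folder that holds dplyevts.log), and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not vendor code). Test-TrackerPath is a hypothetical name.
function Test-TrackerPath {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Console,          # console NetBIOS name, FQDN or IP address
        [int]$Port = 3121,         # tracker port named in the article
        [string]$LogPath,          # full path to dplyevts.log (optional)
        [int]$TimeoutMs = 5000
    )

    # 1. TCP reachability, without needing the Telnet client to be installed.
    $reachable = $false
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Console, $Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($pending)   # throws if the connection was refused
            $reachable = $true
        }
    } catch {
        $reachable = $false
    } finally {
        $client.Close()
    }

    # 2. PingBack failures recorded in the log, in the format the article shows:
    #    PingBack.cpp:63 Sending data to 'https://...:3121/...' failed: 12002.
    $failures = @()
    if ($LogPath -and (Test-Path -LiteralPath $LogPath)) {
        $pattern = "PingBack\.cpp:\d+ Sending data to '(?<url>[^']+)' failed: (?<code>\d+)"
        $failures = @(Select-String -LiteralPath $LogPath -Pattern $pattern |
            ForEach-Object {
                $m = $_.Matches[0]
                [pscustomobject]@{
                    Line = $_.LineNumber
                    Url  = $m.Groups['url'].Value
                    Code = [int]$m.Groups['code'].Value
                }
            })
    }

    [pscustomobject]@{
        Console          = $Console
        Port             = $Port
        Reachable        = $reachable
        PingBackFailures = $failures
    }
}

# Placeholder console name and log path; replace both before running.
# $r = Test-TrackerPath -Console 'CONSOLE01' -LogPath 'C:\path\to\dplyevts.log'
# $r | Format-List Console, Port, Reachable
# $r.PingBackFailures | Format-Table -AutoSize
```

Reachable = False points at the blocked-port cause in step 1. The host in each Url is the name the target tried to reach, which can be compared with the entries in the Console Alias Editor.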

 

 

Additional Information

 

 

Affected Product(s)

 

Protect 9.2.X

IPWS 9.3.X

Slow patching of Windows Server 2016?


I realize this is probably more of a Microsoft issue, but has anyone else noticed dramatically slower deployment of patches to Server 2016 servers compared to 2008 R2/2012 R2?

 

We are seeing patching take almost an hour to deploy when with older versions it was 10-15 minutes.  Windows update is disabled and turning off A/V results in no change.  It's similar to complaints found in the technet forums:

 

what's with the really slow windows updates on 2016?

 

-Keith

Forticlient


We use Ivanti Protect patch management for patching our VM servers. We would like to roll out a new version of the Fortinet client to the servers as a patch/distribution so that we can coordinate reboots within our maintenance window. Is this possible to do? Unfortunately, Fortinet is not listed in the Software Distribution list, where this would likely go.

 

Thanks in advance,

Steve

How To: Clean Up Your Patch Repository Using ITscripts


Purpose


This document will show you how to run/schedule the "Console Clean Up" ITScript to clean up your Patch Repository.

The Patch Repository location is the path listed under "Patch download directory" in the Downloads tab under Tools > Operations (Tools > Options in 9.3)

The default location is C:\ProgramData\LANDesk\Shavlik Protect\Console\Patches

 

Symptoms

 

Your patch repository is taking up too much storage space storing old patches you no longer need

 

Steps

 

Go to Manage > ITScripts, and when it is done updating, close the pop-up if it did not close automatically

Under the "Maintenance" category, highlight "Console Clean Up" and click "Approve"

Then go to Tools > "Run console ITScripts"

The values listed are in Days (the default value for both is 180 days) - if you want to modify a value, double-click on the parameter you want to change (patchAge/deploymentAge) and enter the desired value

 

* NOTE - The patchAge value references how long ago the local patch file was downloaded/created (Date created), not the date the patch was originally published by the vendor (Date modified), so you may still see files with old dates under "Date modified" after running the script

 

When finished, press "Continue" to proceed to the scheduling options

Click "Run" to run immediately, or select the scheduling options you want and click "Schedule" (the "Run" button changes to "Schedule" when you select scheduling options)

Affected Product(s)

 

Shavlik Protect 9.2

Ivanti Patch for Windows Servers 9.3

How To: Change the Console Patch Repository to a different location in Protect 9.2 and Patch for Windows Servers 9.3


Purpose

 

The purpose of this document is to discuss how to change your console's patch repository from its default location to any location on the current server or network.

 

Description

 

Protect 9.2

 

- Go to Tools > Operations. Select Downloads in the left column.

 

 

Patch for Windows Servers 9.3

 

- Go to Tools > Options. Select Downloads in the left column.

 

 

- By default, the patch repository location is stored in C:\Programdata\Landesk\Shavlik Protect\Console\Patches.

 

- If the desired path location is known, you may enter it in the field manually. If needed, you can navigate to the location using the button to open File Explorer.

 

 

- Once the new location has been selected, hit 'OK' to complete the change. Verify that the correct path shows in the directory location.

 

 

Additional Information

 

How To: Clean Up Your Patch Repository Using ITscripts

 

Affected Product(s)

 

Shavlik Protect 9.2

Ivanti Patch for Windows Servers 9.3

Server Performance Post Spectre/Meltdown


Just curious if anybody has seen any performance impact after applying the latest MS patches?


patch installation doesn't start on only one server


I have one server out of several dozen that I've scheduled patches on this cycle that won't kick off the actual patching that it shows as being scheduled. I've tried several times to reschedule, and it's been rebooted several times as well.

agent installed on 250 workstation, only 35 respond normally


It started last December. Most of my computers are not accessible with the agent.

But I can scan and push the patches manually.

If I right click one computer that has the agent and try a (Check-in request)

I get <<Agent did not respond>>. Anything I tried, like from the console, ex: Update Binary (get Agent didn't respond, but is up-to-date)

I checked Manage Machine Properties; Port: 3389 and Credential are normal, like the rest of the computers where it is working.

I tried view Scheduled Task, got a popup refresh machine....

The scheduler on machine 10.1.24.25 is not available -2080374779 - unknown error (0x84000005) The list of jobs currently scheduled on 'computerneme' is unreadable

Then I tried ''Upgrade scheduler now'' with the right admin credential.

Got another popup:

At least one of your credentials can no longer be decrypted. Please edit or delete every credential with a 'Username' of 'None' in the credential manager.

I am stuck here and not sure if I can delete the credential?

 

Tks

 

Dan

Slow scanner with Windows Server 2016


Hello everybody,

I have a problem following the installation of Ivanti Patch for Windows on the Windows Server 2016 operating system.

My problem is that the PC scan lasts about 5 hours, and there are a lot of mistakes "201" "235" and "452" in the result.

To summarize the situation, the Ivanti console is mounted on a virtual machine using the Windows server OS 2016, it is integrated into the domain of the company.

This virtual machine is hosted on a physical server running on Windows 2012 STD, the virtualization is Hyper-V.

Can you help me find a solution to correct the slowness of the scan?

Is this a problem related to the FQDN? From the virtual machine I can correctly ping the name of the PC and its full name.

Looking forward to your help, thank you in advance.

 

Best regards

 

Thank Grégoire


Support for Non-Security Patch MSNS18-01-4078130 / Q4078130 to disable mitigation against CVE-2017-5715


Overview

 

Microsoft has released a Critical Update KB4078130 to disable mitigation against CVE-2017-5715.

We highly recommend reading this Microsoft article: Update to disable mitigation against Spectre, Variant 2

MSNS18-01-4078130 / Q4078130 is a Critical Non-Security Patch that will disable the fix for variant 2 for stability issues.  You must reboot after installing the patch for it to apply on the system.

 

Additional Information

 

The Security Tool IVA18-001 ADV180002 will enable the fix again: Security Tool: Implement registry keys per Windows Server guidance to protect against speculative execution side-channel vulnerabilities

 

Affected Product(s)

 

Shavlik Protect 9.2

Ivanti Patch for Windows Servers 9.3
