Channel: Shavlik User Community : All Content - Ivanti Patch for Windows

Windows 10 Build Upgrade Fails with Error 2147483647


Purpose

 

To help identify what is blocking the upgrade of Windows 10 when deploying with Shavlik Protect 9.2.x or Ivanti Patch for Windows Servers (PWS) 9.3+.

 

Symptoms

 

When you attempt to deploy a Windows 10 build upgrade using Protect/PWS, the deployment fails with error 2147483647.

 

Cause

 

This may indicate that something is preventing the mounting of the ISO necessary to execute the upgrade.

 

Resolution

 

1. In an administrator command prompt, run the command:

fltmc filters

 

You should see a list like this:

This identifies possible filters that could be blocking the ISO from mounting properly (possibly antivirus, encryption software, etc.). You will need to temporarily disable anything that is interfering in order to deploy the upgrade through Protect/PWS.
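An added example (not part of the original article or the product): a PowerShell function that parses `fltmc filters` output and labels each minifilter by Microsoft's documented altitude ranges, so antivirus, encryption and activity-monitor drivers stand out for review. The sample output and the filter names ExampleAvFlt and ExampleEncFlt are constructed for illustration.

```powershell
# Added example: classify minifilters from `fltmc filters` output by altitude.
# Ranges follow Microsoft's allocated load-order groups for minifilter altitudes.
function Get-FilterAltitudeGroup {
    param([string[]]$FltmcOutput)

    $groups = @(
        @{ Name = 'Activity Monitor'; Low = 360000; High = 389999 }
        @{ Name = 'Anti-Virus';       Low = 320000; High = 329998 }
        @{ Name = 'Encryption';       Low = 140000; High = 149999 }
    )
    # Data rows: filter name, instance count, altitude (may be fractional), frame.
    $row = '^\s*(?<name>\S+)\s+(?<inst>\d+)\s+(?<alt>\d+(\.\d+)?)\s+(?<frame>\d+)\s*$'

    foreach ($line in $FltmcOutput) {
        if ($line -notmatch $row) { continue }   # header, separator, blank or legacy row

        $name = $Matches['name']
        $alt  = [double]::Parse($Matches['alt'], [cultureinfo]::InvariantCulture)
        $hit  = $groups | Where-Object { $alt -ge $_.Low -and $alt -le $_.High } |
                    Select-Object -First 1

        [pscustomobject]@{
            Filter   = $name
            Altitude = $alt
            Group    = if ($hit) { $hit.Name } else { 'Other' }
            Review   = [bool]$hit    # candidates to check with the product's vendor
        }
    }
}

# Constructed sample in the layout that `fltmc filters` prints.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleAvFlt                            5       321500         0
luafv                                   1       135000         0
ExampleEncFlt                           2       144200         0
FileInfo                                5        45000         0
'@ -split "`r?`n"

Get-FilterAltitudeGroup -FltmcOutput $sample | Format-Table -AutoSize

# On a live system, from an elevated prompt:
#   Get-FilterAltitudeGroup -FltmcOutput (fltmc filters) | Where-Object Review
```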

 

2. Try running the installer by hand so that you can receive interactive prompts from the installer to identify what might be causing the issue. The example below shows the installer failing because certain installed software is out of date. Because our process runs installers silently as the SYSTEM account (see How To Test SYSTEM Account Permissions), you would not see the error unless you ran the installer by hand.

 

McAfee kills installer.PNG

 

 

Additional Information

 

See this doc for more info about deploying Windows 10 Build Upgrades with Protect/PWS:

Windows 10 Build 1511, 1607, 1703, and 1709 Deployment Support in Protect 9.2+

 

Affected Product(s)

 

Shavlik Protect 9.2.x

Ivanti Patch for Windows Servers 9.3+


Current Microsoft Security Bulletin Naming Convention As Of April 11th, 2017


Overview

 

Starting with the April 11th, 2017 Patch Tuesday, Microsoft no longer uses a traditional naming format for Security Bulletins. To help our customers, we created our own naming format as follows:

 

The new Security Bulletin mappings our products will be using: MS[YY]-[MM]-[PP(P)]

 

  • MS = Microsoft
  • YY = Year
  • MM = Month Released
  • PP =  Product

 

Here are examples from Patch Tuesday December 12, 2017:

 

  • MS17-12-OFF
    • All Office patches
  • MS17-11-O365
    • Security Only Updates for Office 365
  • MS17-12-IE
    • All IE patches
  • MS17-12-AFP
    • All Microsoft released Flash patches
  • MS17-12-W10
    • All Windows 10 patches, rollups and Deltas
  • MS17-12-2K8
    • All Vista and 2008 patches
  • MS17-12-SO7
    • Security Only Update for Windows 7 and Server 2008 R2
  • MS17-12-SO8
    • Security Only Update for Server 2012
  • MS17-12-SO81
    • Security Only Update for Windows 8.1 and Server 2012 R2
  • MS17-12-MR7
    • Monthly Rollup for Windows 7 and Server 2008 R2 (this is the rollup that includes non-security fixes)
  • MS17-12-MR8
    • Monthly Rollup for Server 2012 (this is the rollup that includes non-security fixes)
  • MS17-12-MR81
    • Monthly Rollup for Windows 8.1 and Server 2012 R2 (this is the rollup that includes non-security fixes)
  • MS17-12-SLV
    • All Microsoft Silverlight patches
  • MS17-12-2K3
    • All Server 2003 patches for the customers that subscribe to them (Extended support)
  • MS17-12-XPE
    • All Microsoft XP Embedded patches
  • MS18-02-SPT
    • All Microsoft SharePoint patches

 

.NET Patches will follow a slightly different naming scheme:

 

  • MS[YY]-[MM]-[TT][PP]-[KB]
    • YY = Year
    • MM = Month
    • TT = Type (Security Only or Monthly Rollup)
    • PP = Product (.NET)
    • KB = Parent KB
  • MS17-12-SONET-1234567
    • Security only patches associated with that parent KB
    • Security patch type
  • MS17-12-MRNET-1234567
    • Monthly Rollup associated with that parent KB
    • Non-Security patch type

 

Non-security .NET Patches also have a slightly different naming scheme:

 

  • MSNS[YY]-[MM]-[TT][PP]-[KB]
    • YY = Year
    • MM = Month
    • TT = Type (Quality Preview or Quality Rollup)
    • PP = Product (.NET)
    • KB = Parent KB
  • MSNS17-12-QPNET-1234567
    • Quality Preview patches associated with that parent KB
    • Non-Security patch type
  • MSNS17-12-QRNET-1234567
    • Quality Rollup associated with that parent KB
    • Non-Security patch type

 

Additional Information

 

Additional Naming Conventions

  • QP = Quality Preview
  • NS = Non-Security

 

Microsoft released the following article for FAQ on the changes made: Security Updates Guide dashboard and API:

 

Q: Why is the security bulletin ID number (e.g. MS16-XXX) not included in the new Security Update Guide?

A: The way Microsoft documents security updates is changing. The previous model used security bulletin webpages and included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation, including bulletin ID numbers, is being retired and replaced with the Security Update Guide. Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers and KB Article ID numbers.

 

 

Affected Product(s)

 

Shavlik Protect

Shavlik Patch

Ivanti Patch for Windows Servers

Ivanti Patch for SCCM

New API (PowerShell) - will remoting be supported?


Our "Patch for Windows Server" administrator will be upgrading to 9.3 in a few weeks. I am excited about the new PowerShell functionality and have been reviewing the online documentation for it. One of the requirements I noticed is that it needs to be run on the machine hosting the management console. Will I be able to use PowerShell remoting instead from my machine to the management console? For example, could I do "enter-pssession -computername "shavlikserver"" and then load the modules and run the commands that way? Or will that require pass-through authentication to be enabled using CredSSP? For example "Enable-WSManCredSSP -Role Client -DelegateComputer RemoteServerName"? Or will that not even work?

 

Thanks

NK

What it means when patch QNumbers are displayed with a D at the end


Purpose

 

The purpose of this document is to outline the new changes in viewing detect only patches.

 

Symptoms

 

Patch Q numbers are displayed with a "D" at the end of the Q Number and will detect as missing, but they will fail to download or deploy.

 

 

 

Cause

 

Previously, we listed the same Qnumber for the detect only and the install versions of patches, but now, to ease confusion, we have changed the detect only updates to include a D at the end of the Qnumber.

 

Resolution

 

For security updates and monthly rollups released in 2018, please check out this document How To: Deploy Windows Security OOB updates released January 3, 2018

 

Affected Products

 

Shavlik Protect 9.2

Ivanti Patch for Windows Server 9.3

Need the Public IP address of Protectcloud.shavlik.com


When my remote clients try and remote back to my console via the cloud, they can't. I believe it is because the firewall I have is blocking incoming traffic from the cloud hitting my Shavlik server. I just need the IP addresses so our network guys can allow traffic originating from protectcloud to the console.

Not all patches are deploying


I have upgraded to 9.3 today but I don't think it helped. All the patches listed do not get deployed.

Important information on detection logic for the Intel 'Meltdown' security vulnerability


Overview

 

Microsoft has identified a severe compatibility issue with a small number of anti-virus software products.

We highly suggest all customers review these issues here:  https://support.microsoft.com/en-us/help/4072699

Due to possible BSOD issues that may occur when installing this update on systems with out-of-date AV software, we will be adding a detection prerequisite:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"

Type="REG_DWORD"

 

  • The patches will be offered for deployment if the key exists.
  • If the key does not exist, you will be offered the detection-only version of this patch.
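An added example (not the product's detection logic): a read-only PowerShell check for the prerequisite above, reporting whether a machine should expect full deployment or the detection-only version. Treating "key exists" as "the named value is present with type REG_DWORD" is this example's interpretation of the prerequisite, and the function name is illustrative.

```powershell
# Added example: read-only check of the QualityCompat detection prerequisite.
function Get-QualityCompatStatus {
    $subKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

    $status = [ordered]@{
        Computer      = $env:COMPUTERNAME
        SubKeyExists  = $false
        ValueExists   = $false
        ValueKind     = $null
        ExpectedOffer = 'Detection only'
    }

    # Registry64 view so a 32-bit PowerShell host is not redirected to Wow6432Node.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine,
                [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $base.OpenSubKey($subKey)    # opens read-only; $null when absent
        if ($key) {
            try {
                $status.SubKeyExists = $true
                if ($key.GetValueNames() -contains $valueName) {
                    $status.ValueExists = $true
                    $status.ValueKind   = $key.GetValueKind($valueName).ToString()
                    # Assumption: the prerequisite is met only by a REG_DWORD value.
                    if ($status.ValueKind -eq 'DWord') {
                        $status.ExpectedOffer = 'Full deployment'
                    }
                }
            }
            finally { $key.Close() }
        }
    }
    finally { $base.Close() }

    [pscustomobject]$status
}

Get-QualityCompatStatus | Format-List
```

The check only reads the registry. A machine reporting "Detection only" needs its antivirus compatibility confirmed against the Microsoft article linked above before the value is created.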

 

Affected patches:

 

  • MS18-01-IE Q4056568 - Cumulative Updates for Internet Explorer
  • MS18-01-SO7 Q4056897 - Security Only Update for Windows 7 and Server 2008 R2
  • MS18-01-SO81 Q4056898 - Security Only Update for Windows 8.1 and 2012 R2
  • MS18-01-MR7 Q4056894 - Monthly Rollup for Windows 7: January 4, 2018
  • MS18-01-MR81 Q4056895 - Monthly Rollup for Windows 8.1 and 2012 R2: January 8, 2018
  • MS18-01-W10 Q4056888, Q4056890, Q4056891, Q4056892, Q4056893 - Cumulative Update for Windows 10 and Server 2016

 

  • MS18-02-IE Q4074736 - Cumulative security update for Internet Explorer: February 13, 2018
  • MS18-02-SO7 Q4074587 - Security Only Update for Windows 7 and 2008 R2: February 13, 2018
  • MS18-02-SO81 Q4074597 - Security Only Update for Windows 8.1 and 2012 R2: February 13, 2018
  • MS18-02-MR7 Q4074598 - Monthly Rollup for Windows 7: February 13, 2018
  • MS18-02-MR81 Q4074594 - Monthly Rollup for Windows 8.1 and 2012 R2: February 13, 2018
  • MS18-02-W10 Q4074588, Q4074592, Q4074596, Q4074590, Q4074591 - Cumulative Update for Windows 10 and Windows Server 2016

 

Affected CVEs:

 

  • CVE-2017-5753
  • CVE-2017-5715
  • CVE-2017-5754

 

Link to Security bulletin advisory:  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

 

Additional Information

 

How to scan for specific patches: How To: Include or Exclude Specific Patches in Scan Results

How to deploy these patches:  How To: Deploy Windows Security OOB updates released January 3, 2018

How to add the registry using Security Tool IVA18-002 Q4072699: Security Tool: Implement the QualityCompat registry key that enables Windows security updates released on January 3, 2018

Affected Products

 

Ivanti Patch for Windows Servers 9.3.x

Shavlik Protect 9.2.x

Looking to collaborate on patch best practices and idea sharing


Hey group,

 

I handle the windows server patching for our org with about 2,000 servers, currently use Ivanti Patch for Windows Server, and would love to bang some ideas back and forth with other groups responsible for patching to swap stories and find out how each of you are handling your patching governance, prep and deployment etc.

 

If anyone is interested in a bit of a group conversation, something more than is possible through just forum discussions, let me know. I'll put together a bit of a template and maybe we can get a call going between a few of us.

 

Thanks in advance, chat soon.

 

 

Joey


Unsupported Patches - List And Reasoning


Purpose

 

This document provides a list of patches that have been released by supported vendors, but that we have chosen to not support, as well as the reason why.

 

If you have a question about a patch that isn't on this list, but isn't available in the catalog, please add a comment with the patch in question and we will look into it, and update the list if needed.

 

List of Patches

 

Microsoft Patches:

 

  • KB2264107 - This patch requires that the user download and run a fixit tool after KB2264107 installs. We usually don't add patches that require post deployment tasks requiring user intervention.
  • KB2624668 - This is a hotfix where you need to request the download. We only add patches with a public download link.
  • KB3159706 - Manual steps required to complete the installation of this update.
  • KB4011658 - This patch contains 2 KB numbers. We can't determine the environment to test against and Microsoft doesn't disclose what special feature is required to make this patch applicable.
  • Cumulative update packages for Microsoft SharePoint Server 2013 - We are currently not able to support these updates due to deployment requirement of the updates.  Mainly requirements like "After installing the fixes you need to run the SharePoint Products Configuration Wizard on each machine in the farm."
  • Cumulative update packages for Exchange Server 2013 - We are currently not able to support these updates due to deployment requirement of the updates. These include placing mailbox servers in maintenance mode prior to updates, possible preparation steps required in Active Directory, and interaction required during the Readiness check.

 

Additional Information

 

Patches that will detect, but cannot be properly downloaded via Protect:

 

Windows 10 Major Builds (1511, 1607, 1703, etc) - Downloading the .iso for these Windows 10 Service Packs requires accepting a Terms of Use. We can't automate a Terms of Use acceptance on behalf of the user. The deployment process for these updates is explained here: Windows 10 Build 1511, 1607, 1703, and 1709 Deployment Support in Protect 9.2+

 

Affected Product(s)

 

Shavlik Protect 9.2

Ivanti Patch for Windows Servers 9.3

URL exception list for Shavlik Protect - Ivanti Patch for Windows Servers (02-15-2018)


Overview

 

This document provides a list of required URL addresses for Shavlik Protect and Ivanti Patch for Windows Servers to allow:

 

  • Patch executable download.
  • Patch content definition download.
  • Online license activation or license refresh.
  • Home page RSS feed.
  • Product check for update.

 

URL List

 

The following URLs may be used to download updates and must be allowed through firewalls, proxies and web filters:

 


 

Additional Information

 

  • To obtain the IP for vendor sites, you can ping the vendor site or contact the vendor to obtain this information. We are unable to provide a list of IP addresses due to the varied dynamic IP addresses being used by the vendors. It may be easier to create an exception for an entire domain rather than entering all specific URLs. You can usually do so by entering the exception in this format:
    • *.domain.com.

 

Affected Product(s)

 

Shavlik Protect

Ivanti Patch for Windows Servers

Agent Policy Walk Through - Patch Tab


Purpose

 

The purpose of this document is to walk through the agent Patch tab, in order to understand and utilize these functions and features of agents.

 

Description


Patch Tab:

Patch tab.PNG

Add a Patch Task

  • Creates a new patch task

*Note: You can add multiple patch tasks to an agent policy, each will have scan and deploy options as well as schedule options.


Patch Task Options (drop down)

  • Scan and deploy options
  • Schedule

PatchTask.PNG

Scan and Deploy Options

  • Patch scan Template
    • Select or create the patch scan template that will be used to scan your machines.
  • Patch Deployment
    • Deployment Template
      • Select or create the Deployment Template you want your agent machines to use.
    • Deploy patches (which needs to be checked in order to configure the deployment template)
      • You can choose to deploy all patches detected as missing.
      • Or you can select or create a Patch Group to control what patches are deployed.
    • Deploy Service Packs - An option not included in the agentless scan/deploy, allows you to automatically deploy Service Packs.
      • You can choose to deploy all SPs detected as missing.
      • Or you can select or create a Service Pack group to control what Service Packs are deployed.
        • You can also limit SP deployments per day. Since each Service Pack deployment requires a reboot you may want to limit deployment to only a few a day.

Schedule

  • Hourly
      • Run Every - 1 to 100 hours
    • Starting time
      • Enter desired time to have the schedule run.
  • Daily
      • Enter desired time to have the schedule run.
    • Days
      • Select the days of the week in which you would like the schedule to run.
    • Once Per Month
      • Day - Select the numerical date in which to have the schedule run.
      • The - Here you can select the first, second, third, etc. occurrence of any day of the week. For example, if you select the third Monday, the schedule will run on the third Monday of every month.
  • Randomize schedule time (minutes)
    • Select how many minutes the schedule is randomized, up to 120 minutes.
  • Run on boot if schedule is missed.
    • Use this setting if you would like your machines to run the task on boot if the schedule was missed.
      • You can also delay the schedule after boot by minutes, up to 120 minutes.

 

Affected Product(s)

 

Shavlik Protect 9.x

Deployment fails with Error 1618: Another Installation is already in progress


Symptoms

 

The following error is encountered during installation or removal of an update or other software. The Ivanti Patch for Windows deployment logs, the product's installation log files, and the Windows Event Viewer logs will show the following error:

Error 1618: Another installation is already in progress

 

Cause

 

The Windows Installer process can only run one installation at a time.  Error 1618 indicates that the Windows Installer Service is currently being utilized for another installation or update.

 

Resolution

 

  • Complete the current installation or wait a few minutes for the background installation to complete.
  • End the Windows Installer process manually:
    1. Reboot the computer and try installing again.
    2. If the error returns, attempt to find any applications currently installing and close them.
    3. If unable to find an application running updates:
    • Open Task Manager and navigate to the "Processes" tab.
    • Select "Show processes from all users" if it is not already selected.
    • Locate and end any "MSIExec.exe" entries you see.

Perform another scan and deployment.

 

Affected Products

 

Ivanti Patch for Windows 9.3

Shavlik Protect 9.2

How To: Deploy Windows Security OOB updates released January 3, 2018


Purpose

 

The purpose of this document is to discuss the behaviors when deploying the Windows Security out-of-band updates that were released on January 3, 2018.

The following document contains information on the changes to detection for the applicable patches: Important information on detection logic for the Intel 'Meltdown' security vulnerability

 

Description

 

Microsoft is requiring a registry key to be on every machine that has no Anti-Virus or outdated Anti-Virus. The following Windows Security OOB updates released January 3, 2018 are affected by this:

 

  • MS18-01-IE Q4056568 - Cumulative Updates for Internet Explorer
  • MS18-01-SO7 Q4056897 - Security Only Update for Windows 7 and Server 2008 R2
  • MS18-01-SO8 Q4056899 - Security Only Update for Server 2012
  • MS18-01-SO81 Q4056898 - Security Only Update for Windows 8.1 and 2012 R2
  • MS18-01-W10 Q4056888, Q4056890, Q4056891, Q4056892, Q4056893 - Cumulative Update for Windows 10 and Server 2016

 

Below is the expected behavior when scanning and deploying these patches without and with the registry key in place.

See Additional Information for help creating the registry key using a custom action.

This is what to expect for scan and deployments when the registry key does not exist on the target machine:

 

When scanning machines without the registry key in place, you will be offered detection of the updates, but will not be able to download or deploy the update. This will be noted in the Ivanti Comments section for the patch:

 

 

In Protect 9.2, the error 'Patch is not available for the language selected' may also appear when the registry key is not detected.

 


 

Detection only support means the following:

 

The patch is not downloadable. If you try to download the patch, a message appears stating 'None of the selected patches need to be downloaded'.

 

This patch cannot be deployed. In the Deployment Tracker, the download step will not turn green during the attempt, as the patch cannot be downloaded and deployed until the registry key is detected.

 

 

 

This is what to expect for scan and deployments when the registry key exists on the target machine:

 

When scanning a machine that has the required registry key in place, the patches will be offered with full deployment support. This means the patch is now able to be downloaded from Microsoft and to be deployed to the endpoints.

 

 

The patch will now be downloaded and then packaged as normal.

 

 

The patch will now be scheduled and then start the deployment execution process.

 

 

 

Additional Information

 

Security Tool: Implement the QualityCompat registry key that enables Windows security updates released on January 3, 2018

How To: Use Custom Action To Add Required Registry Key For Deploying Microsoft Patches as of January 3rd, 2018

 

 

Affected Product(s)

 

Shavlik Protect 9.2

Ivanti Patch for Windows Servers 9.3

Enabling TLS 1.2 for Shavlik Protect and Ivanti Patch for Windows


Purpose

 

This document outlines the steps necessary to ensure that Shavlik Protect and Ivanti Patch for Windows can make use of TLS 1.2 when TLS 1.0 and TLS 1.1 are disabled.

 

Symptoms

 

When TLS 1.0 and TLS 1.1 are disabled, the Deployment Tracker will remain stuck at "Scheduled" or "Executing".

 

Cause

 

The target machine has a process to send status updates back to the console. If TLS 1.2 isn't properly configured on the client machines and the Protect console, these updates will fail to reach the console.

 

Resolution

 

  1. SQL Server needs to be updated per https://support.microsoft.com/en-us/kb/3135244.
  2. Follow the suggested actions in https://technet.microsoft.com/en-us/library/security/2960358.aspx.
  3. For machines running Windows 7, 2K8R2, or 2K12, follow the instructions in https://support.microsoft.com/en-us/kb/3140245 to create the needed registry key and then install patch MSWU-1964.

 

Registry changes will need to be made to both client machines, and to the Shavlik Protect and Ivanti Patch for Windows console.
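An added example (not vendor code): a read-only PowerShell audit of the TLS 1.2 client settings that the Microsoft articles in steps 2 and 3 cover, to run on both the console and the target machines. The registry paths and bit values come from Microsoft's documentation for SCHANNEL, KB3140245 (DefaultSecureProtocols) and advisory 2960358 (SchUseStrongCrypto), not from this article; the function names are illustrative.

```powershell
# Added example: read-only audit of TLS 1.2 client settings.
function ConvertFrom-SecureProtocolMask {
    param([long]$Mask)
    # Bit values documented in KB3140245 for DefaultSecureProtocols.
    $bits = [ordered]@{
        'SSL 2.0' = 0x8;   'SSL 3.0' = 0x20;  'TLS 1.0' = 0x80
        'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800
    }
    @($bits.Keys | Where-Object { $Mask -band $bits[$_] }) -join ', '
}

function Get-Tls12ClientSetting {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $winHttp  = 'Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    $dotNet   = 'Microsoft\.NETFramework\v4.0.30319'

    # Each check: where to look, which value, and the test for a TLS 1.2-ready setting.
    $checks = @(
        @{ Path = $schannel;                            Name = 'Enabled';                Ok = { $args[0] -ne 0 } }
        @{ Path = $schannel;                            Name = 'DisabledByDefault';      Ok = { $args[0] -eq 0 } }
        @{ Path = "HKLM:\SOFTWARE\$winHttp";             Name = 'DefaultSecureProtocols'; Ok = { ($args[0] -band 0x800) -ne 0 } }
        @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$winHttp"; Name = 'DefaultSecureProtocols'; Ok = { ($args[0] -band 0x800) -ne 0 } }
        @{ Path = "HKLM:\SOFTWARE\$dotNet";              Name = 'SchUseStrongCrypto';     Ok = { $args[0] -eq 1 } }
        @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$dotNet";  Name = 'SchUseStrongCrypto';     Ok = { $args[0] -eq 1 } }
    )

    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Value absent: the operating system default applies, which differs by Windows version.
            $value = $null
            $state = 'NotSet'
        }
        else {
            $value = $item.($c.Name)
            $state = if (& $c.Ok $value) { 'OK' } else { 'Review' }
        }

        $decoded = $null
        if ($c.Name -eq 'DefaultSecureProtocols' -and $null -ne $value) {
            $decoded = ConvertFrom-SecureProtocolMask $value
        }

        [pscustomobject]@{
            Name    = $c.Name
            Value   = $value
            Decoded = $decoded
            State   = $state
            Path    = $c.Path
        }
    }
}

Get-Tls12ClientSetting | Format-Table Name, Value, Decoded, State, Path -AutoSize
```

"NotSet" is not a failure by itself: on the Windows 7, 2K8R2 and 2K12 machines named in step 3 it means the KB3140245 registry value has not been created yet.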

 

Additional Info

 

This document explains how to deploy registry changes via group policy: https://technet.microsoft.com/en-us/library/cc753092(v=ws.11).aspx

 

Affected Product(s)

 

Protect 9.2

Ivanti Patch for Windows 9.3+

How To: Supply and Deploy Patches That Can Not Be Downloaded


Purpose

 

The purpose of this document is to discuss how to make patches available for deployment when they can not be downloaded through Protect or Ivanti Patch for Windows Servers.

 

Cause

 

This can be caused by patches being moved behind a login screen, a vendor using a static update URL, or the patch having been removed from a public download location.

 

Description

 

Step 1: Obtain a copy of the needed patch

  • Download an appropriate copy of the patch from the vendor (if available). Always use a safe and reliable source to obtain the needed patch.

 

Step 2: Rename Patch to match the Protect naming convention

 

  • In order for Protect to recognize the patch as downloaded, it will need to match the correct naming convention.
  • You will find the required file name in the Patch Information tab. Example found below:

 

Step 3: Add Patch to Console Repository

 

  • After an appropriate copy of the patch has been downloaded and renamed appropriately, move the patch to the console's repository location.
  • To find the location of your repository,
    • In Protect 9.2 and earlier: Go to Tools > Operations

    • In Ivanti Patch for Windows Servers 9.3: Go to Tools > Options > Downloads

 

    • Console Repository is reflected under 'Patch download directory'

 

  • Navigate to the patch repository location (as found previously) and drop in the patch file.
  • To verify the console knows the patch is available for deployment, look for the downloaded icon to show green as shown here:

Step 4: Deploy

 

  • Deploying is no different. Just select the patch and deploy as normal.

 

Additional Information

 

To exclude these patches from your scan please follow this guide: How To: Include or Exclude Patches from your Scan Results

 

Affected Product(s)

Protect 9.x

Protect SDK (download caveat)

Ivanti Patch for Windows Servers 9.3+


MS Hyper-v and shavlik


I would like some Best Practices posted for MS Hyper-v servers. Is it just another server? Is there a way to patch offline servers? Do you need virus protection on the VM? etc.

Nitro pro (QNITRO1107425) always shows missing after installing.


This Nitro Pro patch always shows missing after being installed on the target devices. The KB on Shavlik doesn't show a U after it so it shouldn't be stuck in an install/uninstall loop.

Wondering if anyone else is experiencing this issue. Would like to get some help solving this. The patch I'm having trouble with is QNITRO1107425.

sql database corrupted - roll back to recent backup?


Good day.

It appears my SQL database 'protect' has become corrupted and the SQL Express server basically bombs the machine, so I can't do anything without booting into safe mode. As it happens, I have an auto-generated backup from 1/28. What's the best/easiest way to roll back to this version of the database?

regarding the superseded patches and how we can turn that function off


We have several issues regarding superseded patches. How do we turn this specific function or feature off?

Server Performance Post Spectre/Meltdown


Just curious if anybody has seen any performance impact after applying the latest MS patches?
