I am being asked to provide a list of products that are installed on our workstation base. Not per machine or per patch detail, but simply a list of all products installed, consolidated into a cumulative total for all. I have been reading and experimenting but can't find a way to produce this, but was hoping a like issue was addressed by one of you here.
Report to simply list products installed on workstations (consolidated)
PowerShell custom action
I created a Deployment template with a custom action just like in How To: Run a PowerShell Script with a Custom Action
The patch deploys but it does not seem to run the PowerShell custom action command or even put the file on the computer being patched.
It looks like it started in the log below but that's all I get.
-01-25T16:58:22.0378315Z 15dc I ChildProcess.cpp:114 Started C:\WINDOWS\sysnative\cmd.exe /U /Q /D /V:ON /C "PowerShell -Command "Start-Process PowerShell -Verb Runas" %C:\Windows\ProPatches\Patches%AppX-Removal.ps1"
2018-01-25T16:58:40.2728313Z 15dc V ChildProcess.cpp:140 Process handle 000007D0 returned '0'.
2018-01-25T16:58:40.2728313Z 15dc W SingleInstanceLock.cpp:28 Waiting for another deployment to finish.
2018-01-25T16:58:40.2728313Z 15dc I SingleInstanceLock.cpp:36 Exclusively continuing deployment.
2018-01-25T16:58:40.2728313Z 15dc V STPackageDeployer.cpp:85 Initiating patch store servicing.
2018-01-25T16:58:40.2884594Z 15dc V STPackageDeployer.cpp:106 Patch store servicing complete.
2018-01-25T16:58:40.2884594Z 15dc I STPackageDeployer.cpp:1336 Postboot actions filename='PostBootTasks.xml' does not exist on the file system
2018-01-25T16:58:40.2884594Z 15dc I STPackageDeployer.cpp:484 Reboot disallowed or not required. safeRebootOption = '3', deployer requested reboot: false
2018-01-25T16:58:40.2884594Z 15dc V DeployStatusReporter.cpp:128 Queueing online machine status msg. DeploymentId='8667cef7-0aed-4c52-90a3-d8ce04f54058', machineId='230557', status='99', isFinal='true'
2018-01-25T16:58:40.2884594Z 15dc S StatusClient.cpp:109 Entering STDeployment::CStatusClient::ReportMachineStatusOnline.
2018-01-25T16:58:41.5697520Z 15dc S DeployExeStates.cpp:409 Leaving STDeploy::CInitialExecutionPackageDeploy::DoStatefulRemediateActions.
2018-01-25T16:58:41.5697520Z 15dc I STDeploy.cpp:365 Current remediation phase completed. Process exit code: 0.
2018-01-25T16:58:41.5697520Z 15dc S STDeploy.cpp:257 Leaving wmain.
Can't see results of Agent patching task
I've created an agent policy which will patch a machine at a scheduled time. This part has worked. These are the messages from the machine.
However what I don't get is why I can't see the results from my Shavlik console. I can see the results of machines I've patched and scanned manually.
But I would expect to see the results of Agent installs as well. I have left the check-in time to 480 mins but I ran a check in request from the console to the machine.
Now if I generate a report using the Reporting function I can see the patch report. So I know the Agent job worked and it reported back to the console.
When I look at the machine in machine view, it is out of date however. I can't see the patches I've just applied. It looks to be getting the information from the last time a scan was run on the machine manually.
Q4074590 isn't showing here. Which is the February cumulative patch.
I was under the impression a check-in to the console would fill in the results of the patching and show an Agent install and show the correct level of patching in machine view.
Is this the case, or will it take time for the Agent install to propagate its results to the Ivanti Console?
I can see that scans have taken place if I create reports to query the database. But surely Agent installs should show up in the results window? Or do I have to run some sort of scan afterwards?
Help!!!
Q2973114 - Patch detected but not needed on host
Good afternoon,
I've been using Ivanti Patch manager for a couple of months now with quite a bit of success; however, this month I'm running into some inconsistency. When I try to apply missing patches to the servers I have a few that will not apply to the systems. After a little investigating I've found that when I try to manually install the missing patch I get a "The update is not applicable to your computer" error.
Does anyone else run into this and if so how do you address the incorrect detection? I would imagine this false reporting could also affect reporting to my management team so accuracy would be nice as well as to keep me from mistakenly thinking that a server needs a patch when it apparently doesn't.
thanks,
Mike Hanson
API / Powershell to update Baseline
Hello,
I would like to update my baselines automatically or by clicking a Powershell Script. It seems that the only way could be to use the new API and Powershell.
There is an Add-PatchGroupItem cmdlet that seems to be the key but I have to specify a bulletin or KB name. There is no way to get the Ivanti Patches by date or a list of all of the patches.
Is there any way to query the Ivanti Patches with arguments (date before, date after) in order to add them to a baseline with Add-PatchGroupItem?
Thanks in advance
Best regards
Gabriel Maret
Disable Automatic Updates Of Definitions?
First of all, I read the document linked below and, while it appears to be for a slightly older version, I followed the instructions.
How to Disable Automatic Updates Of Definitions
https://community.shavlik.com/docs/DOC-23845
I then put in a repeating job to schedule the automatic update for Patch Tuesday at 18:00 hours. See this screen shot.
The problem is it appears Shavlik updated its patch definitions after the date. Job should have run on 2/13/2018 and gotten definitions for then. As you can see from this capture below patch content updated on 2/14/2018 at 4:42 PM.
Is there something I missed?
We want Shavlik to use a single definition for the entire month for audit purposes to measure patch compliance, and so we can't have any change to the definitions at all, no matter how minor or major. Any help we can get to make this work would be appreciated.
Regards,
Michael
What does "Updated detection logic" mean exactly?
When updated patch definitions come down, many times I will see stuff like the following. This is the change for 2/12/2018, the 2.0.2.4500 patch data. Last line reads "- Modified MSW-1843(Q3114846): Updated detection logic". What impact does this change have on Shavlik's ability in terms of scanning for the patch in question?
Regards,
Michael
Patching Roles with Local Admin
Is there any way to allow a user to administrate Ivanti Protect, via roles, without being a local admin on the server?
We are currently held to DISA/NIST standards, so we're very hesitant to simply begin adding our admins as local admins on the Ivanti machine.
KB4011123 showing as effectively installed
Just wanted to make sure this update is superseded by the Feb Outlook update KB4011682. The update catalog does not list it as being replaced by 4011682 but Ivanti is showing it as effectively installed on systems that have that.
Changing stored Credentials Password with powershell
I have a password manager that has a REST API; we wanted to use the password rotate options. So I looked at your PowerShell module and I have a few questions around this.
1) I see 2 cmdlets that I could use: Add- and Remove-STCredential
What I wanted to do is remotely reset the stored credentials. I know I can store the password in secure text and add-STcredential with the new password, but:
a) Adding a credential is not the same as editing one. I don't want to remove the credentials as that might break associations to groups that were made.
b) In essence I wanted to backdoor into a current credential that is set up as a default cred and assigned to groups, and change the password without breaking anything, etc.
2) How can I accomplish the password change without much hassle?
Execute Powershell Script as Custom Actions in Deployment Template
Since we updated Shavlik Protect to Version 9.2, the PowerShell scripts are no longer executed (command: powershell "C:\SYSMGR\Shavlik\BeforePatchingScript.ps1") as custom actions in deployment template. Until version 9.1 this has worked perfectly.
Why does Shavlik no longer support PowerShell scripts (only the very old cmd script)?
How can I run PowerShell scripts in Custom Actions?
propatch not created during agent less scan/ deployment
Hi, has anyone experienced this?
c:\windows\propatch not created during agent less scan/ deployment with scheduler, deployment tracker only shows "deployment initializing"
error 0x80092004 trying to deploy kb4074588 windows 10 x64
Windows 10 cumulative update Feb 2018 will not deploy
Have tried using Shavlik and running the file manually
Getting error 0x80092004
I deployed the January update KB4056892 via Shavlik and that is showing as installed twice?
Anyone else having issues with this patch?
KB4074608 not installing.
Howdy, This patch has been trying to deploy and failing every time.
I'm deploying it to Windows 10 1709 Enterprise x64 machines, it fails being deployed via Ivanti Patch, and if I try to install the patch locally it says it does not apply to the machine.
This is the specific patch that is failing:
- windows10.0-RS3-kb4074608-x64-RS3.msu
Anyone else having this problem?
Ivanti Patch News Bulletin: A servicing stack u... | Ivanti User Community
Agentless deployment and communication issues
Hello all,
We are experiencing communication and deployment results with more and more frequency. I am not blaming your product, and would like to know exactly what you need for me to send to open a case and have you see what you can see.
Thank you.
How To: Deploy Windows Security OOB updates released January and February 2018
Purpose
The purpose of this document is to discuss the behaviors when deploying the Windows Security out-of-band updates that were released on January 3, 2018.
The following document contains information on the changes to detection for the applicable patches: Important information on detection logic for the Intel 'Meltdown' security vulnerability
Description
Microsoft is requiring a registry key to be on every machine that has no Anti-Virus or outdated Anti-Virus. The following Windows Security OOB updates released January 3, 2018 are affected by this:
- MS18-01-IE Q4056568 - Cumulative Updates for Internet Explorer
- MS18-01-SO7 Q4056897 - Security Only Update for Windows 7 and Server 2008 R2
- MS18-01-SO8 Q4056899 - Security Only Update for Server 2012
- MS18-01-SO81 Q4056898 - Security Only Update for Windows 8.1 and 2012 R2
- MS18-01-W10 Q4056888, Q4056890, Q4056891, Q4056892, Q4056893 - Cumulative Update for Windows 10 and Server 2016
Below is the expected behavior when scanning for and deploying these patches without and with the registry key in place.
This is what to expect for scan and deployments when the registry key does not exist on the target machine:
When scanning machines without the registry key in place, you will be offered detection of the updates, but will not be able to download or deploy the update. This will be noted in the Ivanti Comments section for the patch:
In Protect 9.2, the error 'Patch is not available for the language selected' may also appear when the registry key is not detected.
Detection only support means the following:
The patch is not downloadable. If you try to download the patch, a message appears stating 'None of the selected patches need to be downloaded'.
This patch cannot be deployed. This is what the Deployment Tracker will look like during the attempt: the download patches step will not turn green, as the patch cannot be downloaded and deployed until the registry key is detected.
This is what to expect for scan and deployments when the registry key exists on the target machine:
When scanning a machine that has the required registry key in place, the patches will be offered with full deployment support. This means the patch is now able to be downloaded from Microsoft and to be deployed to the endpoints.
The patch will now be downloaded and then packaged as normal.
The patch will now be scheduled and then start the deployment execution process.
Additional Information
Affected Product(s)
Shavlik Protect 9.2
Ivanti Patch for Windows Servers 9.3
Download February 2018 Security updates for Office
I am trying to download the February 2018 Security updates for Office 2010. All I am getting is the following error:
The remote certificate is invalid according to the Validation procedure.
What could be the reason? I was able to download the Security updates for Windows 2008 R2.
Thanks
Problems with Windows 1709 and Agent patching
Hi All,
I've been experiencing a problem with the recent February rollup patches for Windows 1709 (KB4074588). Namely, they fail to install. That's more of a Windows issue than an Ivanti issue as it doesn't matter what method I install them with.
My problem is I'm installing via agent, patches install, machine reboots and does a post patch scan so I can see what patches have been applied. On the post install scan it picks up the failed patch as missing and then attempts to install it again, where the same thing happens. I know in the agent policy I can disable the reboot, but I don't want to do that as I want the patch applied. On the other hand it's going to be a pain for the user concerned with this perpetual patch cycle.
Any ideas?
Thanks,
Mashood
Pending reboot
I have a server in a standard deployment stage, with an executed state three patches pending reboots each. The server has been rebooted more than twice. Has not progressed since 2/16/18.
Machine Group Highlighting
Recently upgraded to 9.3 and noticed that when you click on a machine group it only highlights the group name and not the machines underneath? In version 9.2 when you clicked on the machine group it would highlight the members so you can easily export to CSV; now in 9.3 you have to open the individual group, then Ctrl-A and export, so am I missing a setting? Why the extra step?
Thanks