I recently started noticing that on a lot of my 2012 R2 servers,  show that Microsoft Patch MS14-053 is missing.   I went through a patch cycle thinking this would be taken care of but I look again this month and they are still showing as missing.  I download the patch manually to the server and start the install.  It fails with the error  "The update Is not applicable to your computer" 

This is happening on multiple servers

KB that is trying to install or says missing is kb2973114.

I can't seem to find any prereq that is needed either.  Anyone ever seen anything like this?

I am working with Ivanti Patch for Windows® Servers Standard 9.3.0 Build 4510.

I saw the latest xml had some updated detection logic for this patch, but even after downloading it is still showing as missing on multiple 2012 r2 servers.

Purpose

The purpose of this document is to provide a batch file to use with the Custom Actions feature in Shavlik Protect and Ivanti Patch for Windows Servers to uninstall Java up through version 7 update 75.

Description

You will need to set up a Custom Actions Scan Template, this will scan for a Null Patch and allow you to deploy your custom action without actually deploying any patches.

Create a Deployment Template with Custom Actions that will push out the uninstall Java batch file to the target machine, and to run the batch file.

The batch file is attached to this document.

Scan for the Custom Action Null patch, and deploy it. It is very important to use the Deployment Template that contains the uninstall script and call action.

Additional Information

• You may need to verify your specific version of Java is included in the batch file. You can also add new versions of Java by using the document below to get the uninstall string for that specific version of Java.
  • How To Uninstall A Program Using Custom Actions
• More information on working with batch files
  • Custom Action - How To Work With Batch Files

Affected Product(s)

Shavlik Protect 9.2.

Ivanti Patch for Windows Servers 9.3

Is there limit on the amount of machine groups? At what point does the amount of machine group on a console become a problem?

Purpose

This document will provide information about how to obtain information about Ivanti Patch for Windows XML updates (patch definitions) and Ivanti Patch for SCCM updates (catalog updates).

Description

Ivanti Patch for Windows

Generally the Shavlik content team will provide patch definition updates every Tuesday and Thursday. However, there are a few easy sources that can be used to see when new XML updates (patch definitions) are released.

1) XML Announcements Sign up: http://www.shavlik.com/forms/xmlsubscribe.aspx

You can sign up to receive Shavlik Protect content (patch definition) email notifications under the 'Shavlik Protect Content Updates' form here.

Or, send a blank email to subscribe-shavlik-xml@listserv.shavlik.com to sign up for these notifications.

2) Patch Data Information Blog Page: Shavlik Protect | Simplify and Automate your IT Management

This web page displays all patch definitions released by the Shavlik content team for the Protect application.

3) Patch Data Information RSS Feed: http://protect7.shavlik.com/feed/

All the same information as protect7.shavlik.com in an RSS feed.

4) Patch Data Information Twitter: https://twitter.com/ShavlikXML

This Twitter account is updated every time an XML release is put out. This is a good alternative to recieving email notifications, depending upon your preferences.

Ivanti Patch for SCCM

Generally the Shavlik content team will provide catalog updates every Wednesday and Friday.  These sources can help you stay up to date with those catalog updates.

1) Catalog Update Announcements: To sign up for catalog updates for Ivanti Patch for SCCM, please navigate to the blog page above, https://protectupdate.shavlik.com, click the Follow button in the bottom right hand corner of the page and enter your email address.

2) Patch Data Information Blog Page: https://protectupdate.shavlik.com

Affected Products

Ivanti Patch for Windows Servers 9.3.x

Shavlik Protect 9.2.x

Ivanti Patch for SCCM

Is it possible after successful patch scan and patch deployment to reboot servers from a machine group in specific order?

Thanks,

Marcin

Howdy, This patch has been trying to deploy and failing every time.

I'm deploying it to Windows 10 1709 Enterprise x64 machines, it fails being deployed via Ivanti Patch, and if I try to install the patch locally it says it does not apply to the machine.

This is the specific patch that is failing:

• windows10.0-RS3-kb4074608-x64-RS3.msu

Anyone else having this problem?

Ivanti Patch News Bulletin: A servicing stack u... | Ivanti User Community

I've created a file share for every distribution server, roughly 30, one per site. These servers are used for a few other services, and we cannot afford to have the disks fill up and run out of space. How can we limit the space the patches take up on the distribution servers and automate the cleanup?

Hello again,

I was just curious what the expected behavior for an agent is in the following two scenarios?  No complaints or issues, just curious about the expected behavior:

• Setup:  Agent installed.  Agent Policy has Patch Scan/Deploy scheduled with the following options enabled: Run on boot if schedule missed and Delay after boot (minutes): 30

• Scenario 1 -System is in sleep mode at time of scheduled Patch Scan/Deploy.  Does patch installation proceed in sleep mode?  If not, what happens when the system returns from sleep?

• Scenario 2 - System is online and completes patch installation.  User extends timer and leaves.  Computer goes to sleep prior to timer expiring.  What happens when the timer expires and/or when the computer returns from sleep?

Thanks Again,

Chris

Hi All,

I've been experiencing the a problem with the recent February rollup patches for Windows 1709 (KB4074588). Namely, they fail to install. That's more of a Windows issue than an Ivanti  issue as it doesn't matter what method I install them with.

My problem is I'm installing via agent, patches install, machine reboots and does a post patch scan so I can see what patches have been applied. On the post install scan it picks up the failed patch as missing and then attempts to install it again, where the same thing happens. I know in the agent policy I can disable the reboot, but I don't want to do that as I want the patch applied. On the other hand it's going to be a pain for the user concerned with this perpetual patch cycle.

Any ideas?

Thanks,

Mashood

Purpose

The purpose of this document is to show how to scan for the null patch. The null patch is a blank executable detected as a patch for testing purposes or custom actions as is mentioned here Custom Action - Using The Null Patch

Overview

1. Go to New > Patch Scan Template and name your new template.

2. You may leave the Vendor, Family, and Products, but under Patch Properties, make sure only Custom Actions is selected then Save the template.

3. Pick a machine or group to scan then select your new template and scan.

4. From the results you can then deploy your null patch as part of a custom action Custom Action - Using The Null Patch or a test deployment.

Affected Products

Ivanti Patch for Windows Server 9.3

Shavlik Patch 9.2

Purpose

The purpose of this article is to explain how patch scan detection works in Shavlik Protect, Ivanti Patch for Windows Servers and patch scan SDK.

Overview

To understand the basics of how the scan engine works in our products, please see the following information from the online Help system Patch Scanning Overview

The Ivanti Patch for Windows scan engine performs security patch assessment against a variety of Windows-based operating systems and products from Microsoft and other product 3rd party vendors.

The Ivanti patch scan engine uses a data definition file that contains information about which security hotfixes are available for each product. The data file contains security bulletin name and title, and detailed data about product-specific security hotfixes, including:

• Files in each hotfix package and their file versions
• Registry changes that were applied by the hotfix installation package
• Information about which patches replace which other patches
• Related Microsoft Knowledge Base article numbers
• Cross references to the Common Vulnerabilities and Exposures (CVE) database hosted by Mitre.org (CVEID)

The data definition file, which is contained on the console in a secured file named WindowsPatchData.zip, is created and hosted by Ivanti.  The WindowsPatchData.zip replaces the hf7b.xml used by previous patch scan engine versions and is used for the following Product versions:

• Ivanti Patch for Windows Servers 9.3+
• Shavlik Protect 9.2+
• OEM patch scan SDK 9.2+

When you run Ivanti Patch for Windows (without specifying advanced file input options), the program must download a copy of this XML file so that it can identify the hotfixes that are available for each product. The XML file is a digitally signed CAB file and is available on the Ivanti website. Ivanti Patch for Windows downloads the CAB file, verifies its digital signature, and then extracts the XML file to your local computer. Note that a CAB file is a compressed archive that is similar to a ZIP file.

After the data file is extracted, Ivanti Patch for Windows scans your machine (or the selected machines) to determine the operating system, service packs, and programs that you are running. Ivanti Patch for Windows then identifies security patches that are available for your combination of installed software. Patches that are applicable to your machine but are not currently installed are displayed as Missing Patch in the resulting output. In the default configuration, Ivanti Patch for Windows output displays only those patches that are necessary to bring your machine up to date. Ivanti Patch for Windows recognizes roll-up packages and does not display those patches that are replaced by later patches.

During the scanning process the detection goes through a few main steps, simplified in order here:

1. DPD (Dynamic Product Detection) - The scan engine will first use DPD to identify the:

       A. Operating System

       B. Any products installed on the target system

       C. The service pack level of any installed products (if applicable).

   2. Patch detection: Once DPD determines all applicable products on the target system the scan then goes into individual patch detection for any patches that apply to the OS or products on the target system. For each individual patch the scan goes through registry and/or file checks for any registry keys or files that are affected by the patch. This is also where any filtering comes into play. (i.e. product, patch type, severity, or any other patch filter settings)

Additional Information

• Online help files can be found here: Online Help System

Affected Products

• Ivanti Patch for Windows Servers 9.3+
• Shavlik Protect 9.2+
• OEM SDK 9.2+

I have watched the online videos for creating a null patch scan and then a third party software push and install deployment.  The null scan works great.  However, when I run the custom action deployment, pushing out firefox, it never pushes the .exe out to the target machine.  The target machine does receive and install patches from Shavlik, but not my custom deployment.

I have two lines in my custom actions:

Push File - which pushes the Firefox.exe, located on the shavlik server

Before All Patches - I have the command in place: %pathtofile%firefox.exe

Since the firefox.exe never pushes to the target machine the latter command never is executed.  I gone through the logs on both the host and server and nothing indicates that the server is trying to even push. I clicking on the Null Patch scan result and selecting all missing patches, then changing the deployment template to my custom deployment.  It just never pushes the firefox.exe

I know it in general can, as it has been used to upgrade Firefox on other target machines that already have firefox.  I am just not able to get custom action to push out the .exe let alone give a fresh install.

I have no Firewall on the target machine, and Windows Defender AV is also turned off. No other AV exists on target machine at this time. Using Shavlik Protect 9.2

Purpose

The purpose of this document is to show to how run an msi or executable with a custom action. For the example in this document, we will be using a .msi file which may use different command line switches than an .exe file. However the process of executing each file is the same.

Overview

Test the command that will be used to run the executable or msi on the target machine

1. Open a command prompt as the system account as is specified here:How To Test SYSTEM Account Permissions  and navigate to the proper location of the .msi in the command prompt.

2. Run the .msi in the command prompt with the necessary switches needed to run it silently. Usually a quick online search will give you the information you need to run. For example, this article installation - How can I silently install Google Chrome? - Super User gives the information necessary to run a Google Chrome .msi silently.

3. Verify that the command executed successfully. Since the .msi we are using installs Google Chrome, we can validate that the .msi command ran successfully by checking installed programs for Google Chrome.

4. Once you are sure that the .msi file can be successfully run silently in a system command prompt as the system account and copy the .msi file to your console server.

Create and deploy a custom action to run the executable or .msi file.

1. Go to New > Deployment Template to make a new Deployment Template or else open your existing template.

2. Name and save your template if necessary then click on the Custom Actions tab in the template.

3. Click New, leave Step 1 and 2 default unless you have a reason to change them, then select Push File in Step 3.

4. In Step 4, browse to the location of the .msi file on your server by using the button with the ellipses off to the side then save the current task in the custom action.

5. Open another custom action by clicking New, leave Step 1 and 2 default unless you have a reason to change them, then select After All Patches in Step 3.

6. In Step 4, input the exact command that you used in testing on your local machine and save this custom action task. As we are installing Google Chrome, we will use the following command:

msiexec /q /i googlechrome.msi

7. Save your deployment template. You may elect to have machines not reboot after the deployment in the Post-deploy and Pre-deploy Reboot tabs of the template

8. Run a scan on the machine you wish to run your .msi or .exe on. If you do not wish to install actual patches, you can scan for the null patch as is mentioned here How to: Scan for the Null Patch using the Custom Actions scan filter

9. Deploy your patch(s) and select the deployment template that you created.

Affected Products

• Ivanti Patch for Windows Servers 9.3
• Shavlik Protect 9.2

Purpose

The purpose of this document illustrates the multiple ways to execute ITScripts using Ivanti Patch for Windows.

Solution

How to Execute an ITScript from the Home Page:

1. Type a name for the operation you are about to perform. (optional)

2. Select the desired machine group(s).

3. On the ITScripts tab, select how you want to execute the script.

• ITScript: When this option is selected, additional fields are displayed that let you:
  • Choose the script you want to execute (scripts defined as target type = Console are not available here)
  • Edit any parameters associated with the script
• ITScript template: When this option is selected, this area lets you choose the template you want to use when executing the script.

4. Select when you want to execute the script (Now, Once, or Recurring).

• Run: This is the button name if Now is your selected scheduling option. This will immediately begin executing the script on the machines in the machine group(s).
• Schedule: This is the button name if Once or Recurring is your scheduling option.

5. Click either Run or Schedule.

How to Execute a ITScript from the Machine View or Scan View:

You can execute a script from within Machine View or Scan View by using right-click commands.

1.Highlight one or more machine(s).

2.Right-click the machine(s), select ITScripts, and then specify how you want to execute the script.

• Open prompt: Enables you to start a Windows PowerShell session with the selected machine.
• Run script: Opens the Run Operation dialog, which enables you to run a script with or without a template.

How to Execute a ITScript from a Machine Group:

1. In the Machine Groups pane select the desired machine group.

2. Within the machine group dialog click Run Operation.

3. On the Run Operation dialog, select when and how you want to execute the script.

• ITScript: When this option is selected, additional fields are displayed that let you:
  • Choose the script you want to execute (scripts defined as target type = Console are not available here)
  • Edit any parameters associated with the script
• ITScript template: When this option is selected, this area lets you choose the template you want to use when executing the script.

4. Click either Run or Schedule.

• Run: This is the button name if Now is your selected scheduling option. This will immediately begin executing the script on the machines in the machine group.
• Schedule: This is the button name if Once or Recurring is your scheduling option.

Affected Products

• Ivanti Patch for Windows 9.3 +

Purpose

This article provides steps to completely remove all components of the Protect/Patch for Windows Servers (PWS) agent from a client system and then perform a clean re-installation of the agent.

Resolution

To uninstall and then reinstall the agent:

1. Uninstall the Shavlik Protect/Ivanti PWS Agent and its components from Add/Remove Programs or Programs & Features in the Windows Control Panel.
2. Delete the ProgramData folder: C:\ProgramData\LANDesk\Shavlik Protect
3. Delete the C:\Program Files\LANDesk\Shavlik Protect Agentfolder

4. Delete the relevant certificates.
   
   To delete certificates:
   1. ClickStart>Run, type mmc, and clickOK. The MMC Snap In window opens.
   2. ClickFile>Add/Remove Snap-In.
   3. Under Available Snap Ins, selectCertificates.
   4. ClickAdd.
   5. Select theComputer Accountoption and clickNext.
   6. Ensure that theLocal Computeroption is selected and then clickFinish.
   7. Close the Add or Remove Snap Ins window.   
      You should now see Certificates listed under Console Root.
   8. Expand Certificates.
   9. Delete these certificates that are listed as being issued by ST Root Authority:
      • Personal\Certificates
      • Trusted Root Certification Authorities\Certificates
      • Intermediate Certification Authorities\Certificates
   10. Close the window.
5. Verify that the agent machine keys are removed.

Do not delete any certificates or files in theCrypto\RSA\MachineKeysfolder that you are not sure about. If you have any questions, contact Shavlik Support.

6. Open regedit and navigate to HKEY_CLASSES_ROOT\Installer\UpgradeCodes\

        Delete or rename the key that contains any of the GUIDS below:

        Make sure to use the corresponding GUID for the version of Protect you are attempting to uninstall.

• Protect 7.0.832.0: {C6D1AE7C-DE93-4E93-A916-C4144525C82C}
• Protect 7.0.841.0: {C6D1AE7C-DE93-4E93-A916-C4144525C82C}
• Protect 7.1.410.0: {90047C28-0B1B-4B30-8177-50729907EBF2}
• Protect 7.2.155.0: {9B7F1E45-4C47-4E25-9EAB-098923E4171C}
• Protect 7.5.2716.0: {CEA2D643-08C0-422E-9B27-B58ED9D38D07}
• Protect 7.6.1482.0: {661A3308-5BE2-4E0F-A752-BDDB247DD2DB}
• Protect 7.8.1340.0: {0A4D8D5E-7177-4A45-8A7F-0A5757403F97}
• Protect 7.8.1388.0: {0A4D8D5E-7177-4A45-8A7F-0A5757403F97}
• Protect 7.8.1392.0: {0A4D8D5E-7177-4A45-8A7F-0A5757403F97}
• Protect 8.0.3756.0: {F77AFB04-D13F-48DA-BB99-A5B31B6AAE0B}
• Protect 8.0.3965.1: {5A696B05-9F06-4B3D-83A0-69E848EFAC4A}
• Protect 9.0.1106:    {FD2F9A12-2845-7E54-5BD6-99619B461852}
• Protect 9.0.1182:    {FD2F9A12-2845-7E54-5BD6-99619B461852}
• Protect 9.1.4334:    {FD2F9A12-2845-7E54-5BD6-99619B461852}
• Protect 9.1.4472:    {FD2F9A12-2845-7E54-5BD6-99619B461852}
• Patch for Windows Servers 9.3.4379 {FD2F9A1228457E545BD699619B461852}
• Patch for Windows Servers 9.3.4440 {FD2F9A1228457E545BD699619B461852}
• Patch for Windows Servers 9.3.4510 {FD2F9A1228457E545BD699619B461852}

7. Delete the following registry key, if it exists: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LANDESK\Shavlik Protect\Agent
8. Reboot the machine.
9. (Optional) Install the agent either from the Protect console or using the manual installer package.

Affected Product(s)

Shavlik Protect 9.x

Ivanti Patch for Windows Server 9.3+

Purpose

This document will discuss how to resolve discrepancies between the Shavlik Protect patch scan results and the scan results from popular vulnerability scanners.

Description

After scanning, your vulnerability scanner shows several KBs missing, but Shavlik Protect scan results show no missing patches.

Cause

1. Vulnerability scanners can detect security advisories which are not actually patches and therefore cannot be installed. For instance, your vulnerability scanner might detect KB3119884 as needed for your environment, but you will not be able to find this KB when searching View > Patches as it is not an actual patch and therefore will not be supported by Shavlik Protect.

2. Vulnerability scanners can detect Security Tools which are filtered out when scanning with the default Security Patch Scan and WUScan Templates.

3. Vulnerability scanners will sometimes detect patches replaced by newer patches (superseded patches) already installed on the target system or are being detected as needed by Shavlik Protect.

4. If the KBs detected by the vulnerability scanners are not security advisories, Security Tools or superseded then they many not be supported by Shavlik Protect or there may be a problem with the Shavlik detection.

Resolution

1. If the KB detected by your vulnerability scanner is a security advisory, you will need to go to the security advisory KB article and follow the instructions in the article to eliminate the vulnerability. For example, the KB article for KB3119884  Microsoft Security Advisory 3119884 gives a list of suggested action such as updating your CTL.

2. If the KB detected by your vulnerability scanner is a Security Tool and you would like to scan and install security tools through Shavlik, open up your Patch Scan Template (or create a new template) and select to scan for Security Tools under the Patch Properties section then save the template.

3. If the patch being detected by your vulnerability scanner is superseded, you can check if its replacement patch is installed or being detected on your systems by doing the following:

a) Go to View > Patches.

b) Make sure that you are viewing all available patches as is mentioned in this document How To: View All Patches, Software Distributions, Security Tools and Service Packs in Protect 9.2 .

c) Type in the missing bulletin or KB number (type in KB numbers without a KB or Q) into the search field.

d)  Click the Patch Information tab in the lower window pane of View > Patches then look at the Bulletin ID that replaces the missing patch in the Replaced by section.

e) Once you have the replacement bulletin, you can search for the replacement bulletin in View > Patches to make sure that it is not superseded by following steps a) through d). If the replacement bulletin is current, you can check your scan results to see if patches from that bulletin are installed on your machines or is being detected as missing by Shavlik.

4. If the KBs detected by the vulnerability scanners are not security advisories, security tools, or superseded please submit a case with Shavlik Support.

Additional Information

Ivanti Patch for Windows Servers API integration with the Qualys vulnerability scanner

Ivanti Patch for Windows Servers API integration with the BeyondTrust vulnerability scanner

Affected Product(s)

Ivanti Patch for Windows 9.3

Shavlik Protect 9.2

My company has created custom software that we are wanting to deploy across our domain utilizing Shavlik Protect 9.2.  I saw that this was possible through Custom Actions.

https://community.shavlik.com/docs/DOC-23447

We created the Null Patch Scan and successfully scanned a target machine.  We created a Custom Action to push out the customapp.exe only. No install (baby steps).

However, When we create a Push File job, Shavlik never pushes out the file. We scoured the target machine's Propatches folder but do not see it in any folder.  We turned off the host firewall, AV, and defender.  The Push File still never pushes the .exe app.

I thought maybe it was just the size of the .exe (although we pushed out Windows 10 patches over a GB easily enough). So I create a batch file that simply restarts the target machine.  I create a Push File Job (no Call run job, again, baby steps) and even after waiting an hour, I never see the batch file in the target machine's propatches folder.

This is custom app that is not in the Software Distribution folder so we are not able to use that option as a method of pushing out (unless you can add custom software to that folder, have not seen documents on how to do that yet). Are there particular settings or features that are needed for this to be doable?

When we run scans we noticed some of our machines come up with Office 2003 SP3 as missing, but since it is no longer available to download via Ivanti Patch for Windows, can we suppress reporting the missing service pack?

Purpose

This document provides links to other documents addressing custom action, custom patch, and ITScript information and troubleshooting.

Overview

Custom Action

Prerequisites and Process

How To: Perform a Custom Action Complete Tutorial with Custom Actions

Can You Use Custom Actions With Agents?

Custom Action - Using The Null Patch

How to: Scan for the Null Patch using the Custom Actions scan filter

Run a batch file

Custom Action - How to Work with Batch Files

Install programs

Work with custom patches

How To: Run An Executable or MSI With A Custom Action

Using Custom Actions To Deploy MSU/MSI Files

Uninstall programs or remove files

Custom Action - Remove the Remote Scheduler for Protect Version 9

How To Uninstall A Program Using Custom Actions

How To Remove The Propatches Folder Using Custom Actions in Protect 9.1

How To: Uninstall Java using a Custom Actions

Reboot a machine

How To: Reboot Target Machines with Using the Custom Actions Patch Type in a Custom Scan Template

Work with custom patches

Custom Action vs. Custom XML

Custom Patch: Custom .exe File Distribution With Custom Action

Custom Patch

Considerations For Custom Patches And Products

How To: Create a Custom Patch

Custom Patch Deployment .bat File Never Completes.

ITScript

ITScript - Errors Importing Custom ITScripts

ITScripts - Enabled Scripts Not Showing in Run Console ITScripts

Temp Folder Fills Up With Small Files Troubleshooting

Purging Downloaded Patch Install Files From The Protect Console

You Receive "Error: A Command That Prompts the User Failed because the Host Program or the Command Type Does Not Support…

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document outlines how to scan and show only specific patches in the results, or how to scan and not include certain patches in the results.

Symptoms

While scanning, certain patches are offered that are not desired.
Example: Your organization uses Java 7u40 and upgrading to Java 7u45 will disrupt other programs in your environment.

Adding Patches to a Patch Group

1. To scan or exclude specific patches, begin by assigning the desired patches to a Patch Group. In Protect, openPatch View.

2. Locate the specific patch by searching or filtering.

3. Right click the patch, chooseAdd to Patch Group, then chooseNew Patch Group.

4. In thePatch Groupwindow, enter aNameandDescriptionto identify what thePatch Groupwill be used for, then clickSave.

5. Next create a newPatch Scan Template.

Finding Specific Patches

1. In the Patch Scan Template window, enter a Name and Description to identify the scan template. Under Baseline or Exceptions - Applies to Agents, select Baseline and then check the box for the newly created Patch Group. Hit Save.

2. Scan using theScan Templatecreated. Results will only show those patches included in thePatch Group.

Exclude Specific Patches

1. In the Patch Scan Template window, enter a Name and Description to identify the scan template. Under Baseline or Exceptions - Applies to Agents, select Exceptions and then check the box for the newly created Patch Group. Hit Save.

2. Scan using the Scan Template created. Results will exclude those patches in the Patch Group.

Affected Product(s)

Shavlik Protect 9.2.x

Ivanti Patch for Windows Server 9.3.x