Need to exclude a specific patch from being deployed to a specific computer.
Putting servers in maintenance mode in SCOM as a pre deploy task
Hi.
I am working on scheduling scans and patching and would like to put the servers in Maintenance Mode in SCOM as a pre-deploy task. I have a working PowerShell script to do this remotely, but I am unable to execute the script locally on the Ivanti console server. My understanding is that "Custom Actions" can only be used for remote execution on clients/servers that are being patched.
Has anyone else found a solution to this? Would scheduling a custom IT script work or is this also only used for remote execution?
BR
Jon
the selected console scheduler credential is not valid on this machine
When attempting to create a scheduled recurring task I get the error "the selected console scheduler credential is not valid on this machine".
The credential I'm selecting is already successfully being used with other tasks. If I create a new credential using the same account it still fails. If I use my personal credentials it works. I'm confused on what the problem could possibly be.
How to: Execute an ITScript using Ivanti Patch for Windows
Purpose
This document illustrates the multiple ways to execute ITScripts using Ivanti Patch for Windows.
Solution
How to Execute an ITScript from the Home Page:
1. Type a name for the operation you are about to perform. (optional)
2. Select the desired machine group(s).
3. On the ITScripts tab, select how you want to execute the script.
   - ITScript: When this option is selected, additional fields are displayed that let you:
     - Choose the script you want to execute (scripts defined as target type = Console are not available here)
     - Edit any parameters associated with the script
   - ITScript template: When this option is selected, this area lets you choose the template you want to use when executing the script.
4. Select when you want to execute the script (Now, Once, or Recurring).
   - Run: This is the button name if Now is your selected scheduling option. This will immediately begin executing the script on the machines in the machine group(s).
   - Schedule: This is the button name if Once or Recurring is your scheduling option.
5. Click either Run or Schedule.
How to Execute an ITScript from the Machine View or Scan View:
You can execute a script from within Machine View or Scan View by using right-click commands.
1. Highlight one or more machine(s).
2. Right-click the machine(s), select ITScripts, and then specify how you want to execute the script.
   - Open prompt: Enables you to start a Windows PowerShell session with the selected machine.
   - Run script: Opens the Run Operation dialog, which enables you to run a script with or without a template.
How to Execute an ITScript from a Machine Group:
1. In the Machine Groups pane select the desired machine group.
2. Within the machine group dialog click Run Operation.
3. On the Run Operation dialog, select when and how you want to execute the script.
   - ITScript: When this option is selected, additional fields are displayed that let you:
     - Choose the script you want to execute (scripts defined as target type = Console are not available here)
     - Edit any parameters associated with the script
   - ITScript template: When this option is selected, this area lets you choose the template you want to use when executing the script.
4. Click either Run or Schedule.
   - Run: This is the button name if Now is your selected scheduling option. This will immediately begin executing the script on the machines in the machine group.
   - Schedule: This is the button name if Once or Recurring is your scheduling option.
Affected Products
- Ivanti Patch for Windows 9.3+
Patch Download - The download is not publicly available for Bulletin
Shavlik not deploying patches, but no error
So Shavlik doesn't seem to be working, but I'm not getting any errors either. I've reinstalled to no avail.
I'm thinking it is most likely ports, but was there a change in Shavlik that caused this? It was working fine.
Was on Server 2012 R2, but when I reinstalled I went ahead and rebuilt the server.
Currently Server 2016.
I'm attaching a screenshot, although there isn't much there to see.
Any ideas would be appreciated.
MS14-053 Patch Not Applicable??
I recently started noticing that a lot of my 2012 R2 servers show that Microsoft Patch MS14-053 is missing. I went through a patch cycle thinking this would be taken care of, but I look again this month and they are still showing as missing. I download the patch manually to the server and start the install. It fails with the error "The update is not applicable to your computer".
This is happening on multiple servers.
The KB that is trying to install or says missing is KB2973114.
I can't seem to find any prereq that is needed either. Anyone ever seen anything like this?
I am working with Ivanti Patch for Windows® Servers Standard 9.3.0 Build 4510.
I saw the latest xml had some updated detection logic for this patch, but even after downloading it is still showing as missing on multiple 2012 r2 servers.
limit on Machine Groups
Is there a limit on the number of machine groups? At what point does the number of machine groups on a console become a problem?
Scan a server using a Scan Template with a specific Patch Group
I've been trying to scan & deploy using a scan template with a specific patch group, but the scan result shows: Installed patch 0, Missing patch 0.
The target server is Windows Server 2008.
I see the specific patches are installed on a different server with the same OS.
Details for your reference:
- Shavlik Protect Standard 9.2.0 Build 5119
Anyone know why it happens?
How To: Deploy Windows Security OOB updates released January and February 2018
Purpose
The purpose of this document is to discuss the behaviors when deploying the Windows Security out-of-band updates that were released on January 3, 2018.
The following document contains information on the changes to detection for the applicable patches: Important information on detection logic for the Intel 'Meltdown' security vulnerability
Description
Microsoft is requiring a registry key to be on every machine that has no Anti-Virus or outdated Anti-Virus. The following Windows Security OOB updates released January 3, 2018 are affected by this:
- MS18-01-IE Q4056568 - Cumulative Updates for Internet Explorer
- MS18-01-SO7 Q4056897 - Security Only Update for Windows 7 and Server 2008 R2
- MS18-01-SO8 Q4056899 - Security Only Update for Server 2012
- MS18-01-SO81 Q4056898 - Security Only Update for Windows 8.1 and 2012 R2
- MS18-01-W10 Q4056888, Q4056890, Q4056891, Q4056892, Q4056893 - Cumulative Update for Windows 10 and Server 2016
Below is the expected behavior when scanning for and deploying these patches without and with the registry key in place.
This is what to expect for scan and deployments when the registry key does not exist on the target machine:
When scanning machines without the registry key in place, you will be offered detection of the updates, but will not be able to download or deploy the update. This will be noted in the Ivanti Comments section for the patch:
In Protect 9.2, the error 'Patch is not available for the language selected' may also appear when the registry key is not detected.
Additionally, in Protect 9.2 the Deployment Tracker may show the following, and clicking 'View Errors' will show the error 'Zero patches are available and properly signed'.
Detection only support means the following:
The patch is not downloadable. If you try to download the patch, a message stating 'None of the selected patches need to be downloaded' is displayed.
This patch cannot be deployed. This is what the Deployment Tracker will look like during the attempt: the download patches will not turn green, as the patch cannot be downloaded and deployed until the registry key is detected.
This is what to expect for scan and deployments when the registry key exists on the target machine:
When scanning a machine that has the required registry key in place, the patches will be offered with full deployment support. This means the patch is now able to be downloaded from Microsoft and to be deployed to the endpoints.
The patch will now be downloaded and then packaged as normal.
The patch will now be scheduled and then start the deployment execution process.
Additional Information
Affected Product(s)
Shavlik Protect 9.2
Ivanti Patch for Windows Servers 9.3
Ivanti Patch for Windows Servers Requirements Guide
Purpose
This document is meant to be a guide to link you to all requirements or pre-requisite information you may need for Shavlik Protect.
Description
Below is a list of links to the different requirements you may need to use Protect or certain features within Protect.
Affected Product(s)
Shavlik Protect 9.2
Ivanti Patch for Windows Server 9.3
Patches That Always Show Missing In Results - Install / Uninstall Loops
Symptoms
- Detected patch continues to show as missing after successfully deploying.
- Patch that shows missing ends with 'U' every other deployment.
Cause
Certain patches exist as both an installer and an uninstaller; these patches can cause a loop when scanning and deploying. Deploying the installation patch causes the uninstall patch to be considered missing. Vendors design these patches this way to facilitate adding or removing the patch according to environmental needs. When scanning and deploying these types of patches, it may appear that the patch is continually missing, as it is added and removed on alternating deployments. The uninstall patch will end with 'U'. These patches tend to belong to the 'Security Tools' patch type.
Example: Missing the Installation Patch
Example: After Installed, Now Missing Uninstall Patch
Resolution
Exclude the specific patch utilizing a patch group, or choose not to deploy the patch's installer/uninstaller after scanning.
Refer to the following document:
How To: Include or Exclude Specific Patches in Scan Results
These are known patches that offer an uninstaller.
- Q2719662(U) - MS12-A06
- Q2794220(U) - MS12-A10
- Q2847140(U) - MS13-A02
- Q2887505(U) - MS13-A08
- Q2896666(U) - MS13-A09
- Q4072698(U) - IVA18-001
- Q4072699(U) - IVA18-002
Affected Product(s)
Shavlik Protect 9.x
Ivanti Patch for Windows Servers 9.3+
How to stop Shavlik from updating xml database?
Hi all,
So, I'm trying to create a patch scan and use it the entire month.
The problem is that the patch scan is using the xml database from that specific time. If the database xml is being upgraded with the new available patches then it will mess up my work.
So is it possible to make Shavlik stop upgrading for new definitions until I say otherwise? Something like cutting off the internet connection and after that just using Shavlik with a specific xml definition.
Is there any option that I can't see? Or even if I cut the internet connection, does anybody know if the full functionality will still be there?
Thanks
Missing security patches
Howdy,
We use Ivanti Protect for our servers, and have done so for 3 years (or more). Separately, we use AlienVault to monitor systems for breaches and vulnerabilities, etc. AlienVault is showing a variety of missing security patches for a number of the servers getting patched via Ivanti.
We are not using a remote agent for said servers.
Patches are installed monthly and for most servers, are auto deployed after download with forced reboot.
Our Ivanti is the latest version.
Some of the patches shown as missing in AlienVault are recent, e.g., 2 or 3 months old.
I use WUScan (canned) as the scan template.
What am I missing? How is it that important security patches are not showing up in the scans to begin with?
Thanks.
How To: Cancel A Scheduled Deployment That Has Not Already Started
Purpose
The purpose of this document is to show how to cancel a scheduled deployment that has not started.
Description
Canceling the scheduled task can be done from the Deployment tracker or from Scheduled Remote Tasks.
Canceling a deployment from Deployment Tracker
1. Go to View > Deployment Tracker.
2. Find the tab that contains the machine(s) that you wish to cancel the deployment on.
3. Highlight the appropriate machine(s), right-click and then click on 'Cancel deployment'.
4. A notification window will then pop-up asking to make sure that you want to cancel the deployment. If you wish to proceed, click 'Delete scheduled deployment'. If not, then click 'Cancel'.
5. A new tab will open to show the progress of the task deletion. A successful deletion will look as follows:
6. The status of the machine(s) will then show 'User Canceled'.
Canceling a deployment from Scheduled Remote Tasks
1. Go to View > Machines.
   - Use the search field to find the necessary machine.
2. Once the desired machine is found, right-click on the machine and select 'View scheduled tasks'.
3. When the Scheduled Remote Tasks window loads, the scheduled deployment task will show in the list of tasks.
4. To delete the task, right-click and Delete. Confirm the prompt to delete.
5. The window will refresh and the task will no longer show in the view.
Canceling a deployment from Results
1. Go to Results by clicking the drop-down in the upper right corner of the GUI.
2. Find the deployment you wish to cancel. Right-click the deployment record, without a left-click first, to get the 'Cancel Deployment' option.
3. Confirm the cancellation of the deployment.
4. The operations monitor will open to confirm the deletion of the scheduled task.
Additional Information
How To: Schedule and Configure a Deployment in Patch for Windows Servers 9.3
Affected Product(s)
Ivanti Patch for Windows Server 9.3.x
Buggy MS patches: KB4088875 and KB4088878
Does Ivanti exclude the recent buggy patches for Windows 7 / Windows 2008: KB4088875 and KB4088878?
According to Computerworld.com ("Microsoft stops pushing buggy Windows 7 patch KB 4088875 | Computerworld"), MS already stopped pushing those patches, but they are still available in the MS Update Catalog.
Thanks,
Marcin
Support for Windows 2012r2 Core client
https://help.ivanti.com/sh/help/en_US/PWS/93/ag-pws-9-3.pdf
This guide explicitly says that Core is supported on 2008 and not on 2016. How about 2012 r2? I have many 2012 r2 running Core with HyperV and I cannot patch them.
Supported Operating Systems for Ivanti Patch for Windows Servers
Purpose
The purpose of this document is to list the currently supported operating systems for Ivanti Patch for Windows Servers 9.3.
Description
Agentless scanning for operating systems: (32- and 64-bit versions of any of the following)
- Windows XP Professional (Note: Can deploy patches to Windows XP Family SP3 or later)
- Windows XP Tablet PC Edition
- Windows XP Embedded
- Windows Server 2003, Enterprise Edition (Note: Can deploy patches to Windows Server 2003 Family SP2 or later)
- Windows Server 2003, Standard Edition
- Windows Server 2003, Web Edition
- Windows Server 2003 for Small Business Server
- Windows Server 2003, Datacenter Edition
- Windows Vista, Business Edition
- Windows Vista, Enterprise Edition
- Windows Vista, Ultimate Edition
- Windows 7, Professional Edition
- Windows 7, Enterprise Edition
- Windows 7, Ultimate Edition
- Windows Server 2008, Standard
- Windows Server 2008, Enterprise
- Windows Server 2008, Datacenter
- Windows Server 2008, Standard - Core
- Windows Server 2008, Enterprise - Core
- Windows Server 2008, Datacenter - Core
- Windows Server 2008 R2, Standard
- Windows Server 2008 R2, Enterprise
- Windows Server 2008 R2, Datacenter
- Windows Server 2008 R2, Standard - Core
- Windows Server 2008 R2, Enterprise - Core
- Windows Server 2008 R2, Datacenter - Core
- Windows 8
- Windows 8 Pro
- Windows 8 Enterprise
- Windows 8.1
- Windows 8.1 Enterprise
- Windows Server 2012, Foundation Edition (including Server Core)
- Windows Server 2012, Essentials Edition (including Server Core)
- Windows Server 2012, Standard Edition (including Server Core)
- Windows Server 2012, Datacenter Edition (including Server Core)
- Windows Server 2012 R2, Essentials Edition (including Server Core)
- Windows Server 2012 R2, Standard Edition (including Server Core)
- Windows Server 2012 R2, Datacenter Edition (including Server Core)
- Windows 10 Pro
- Windows 10 Enterprise
- Windows 10 Education
- Windows Server 2016, Essentials Edition
- Windows Server 2016, Standard Edition (excluding Server Core and Nano Server)
- Windows Server 2016, Datacenter Edition (excluding Server Core and Nano Server)
Clients running with an agent: (64-bit only)
- Windows Vista Family
- Windows 7 Family
- Windows 8 Family, excluding Windows RT
- Windows 10 Family
- Windows Server 2008 Family
- Windows Server 2008 Family R2
- Windows Server 2012 Family
- Windows Server 2012 Family R2
- Windows Server 2016 Family
Additional Information
Affected Product(s)
Ivanti Patch for Windows Servers 9.3
Are there any issues with kb4088878 and kb4088875
I am planning to install the Windows patch on Friday for Windows Server 2008 R2. Is there any issue with these two patches, kb4088878 and kb4088875?
How to: Add patches released between specific dates to a Patch Group using PowerShell and the API feature
Purpose
This document contains instructions on how to add patches released between specific dates to a Patch Group using PowerShell and the API feature.
Overview
Basic Instructions:
1. Download AddPatchesToPatchGroupUsingDateRange.zip from this document. (download link)
2. Extract the contents of the .zip file to a folder on the console server.
3. Read Disclaimer.txt.
4. Open PowerShell as an administrator.
5. Change directory to the extracted location.
6. Execute the following to get help. This will provide parameters and instructions on how to use the PowerShell script.
Get-Help .\AddPatchesToPatchGroupUsingDateRange.ps1 -full
Examples:
Add all patches released between two dates.
.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" "1/1/2018" "1/31/2018" "ServerName\SQLInstance" "MyDatabase"
Add all patches released within the last 30 days.
.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" ((Get-Date).AddDays(-30)) (Get-Date) "ServerName\SQLInstance" "MyDatabase"
Add security and non-security patches released within the last 30 days
.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" ((Get-Date).AddDays(-30)) (Get-Date) "ServerName\SQLInstance" "MyDatabase" "0, 1, 4"
Add .net and Java patches released within the last 30 days
.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" ((Get-Date).AddDays(-30)) (Get-Date) "ServerName\SQLInstance" "MyDatabase" -productList ".net|Java"
Add all patches except .net and Java released within the last 30 days
.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" ((Get-Date).AddDays(-30)) (Get-Date) "ServerName\SQLInstance" "MyDatabase" -productList ".net|Java" -excludeProductList
Additional Information
Affected Product(s)
Ivanti Patch for Windows Servers