I decided to run a Windows update using the Microsoft servers and noticed that all of the 2012 servers that I checked are missing .NET patches 2018-01 Security and Quality Rollup (4055266), 2018-02 Security and Quality Rollup (4076494), and Microsoft .NET Framework 4.7.1 (4033369).  Similar patches are missing on our 2008 servers. I normally scan for all security patches on all products so I decided to set Ivanti to scan for all security and non-security patches.  Using View -> Patch I see 2018-01 shows up as a non-security.  The other two do not show up in View -> Patch or in the list of missing patches after a completed scan.

Should these be able to be pushed out by Ivanti or do I have something incorrectly configured? 

Thanks,

Ron

Hi all,

We are migrating from WSUS to Protect and I want to easily find out which machines have a patch schedule? I can't see any reports that easily reports on all machines that are a part of a patch schedule.

Thanks in advance.

Kieren

Hey!

I have problems with some machines where it says the following patches are missing Q4088880D and Q4089187D
It is Windows Server 2012 R2.
It stops in deployment that it can not download patches.
Why is the letter D after?
Other machines have the same number but without D and they go on?
Grateful for help.

Regards /Maria

patch error 2147483647.

sfc /scannow comes up empty.

kb3181988 Windows reports manual update "not applicable to this system."

Is there a problem with the .XML patch detection?

Please don't say firewall, its not firewall...unless, of course, its firewall.

Ivanti Patch 9.3  No agents on client systems.

It seems like it started 2 months ago. Before then this was not an issue.

From my console I select a 2012R2 server, a 2008R2 server, and a Win7 box

All get scanned. patches are copied over. patching scheduled.

After that my 2012R2 keeps reporting, listing each executed patch, then the reboot, the rescan, finished.

The 2008R2 and Win7 also fully complete: patched reboots, everything. However they cannot communicate back to the console, which just shows "Scheduled" forever.

I understand that normally this would be a firewall issue. Communication after "Scheduled" is initialed by from the client to the Patch server.

But I got 2012r2 servers shoulder to shoulder with 2008

Has anyone seen this or is seeing it now?

Thank you for any assistance.

When we are trying to Scan(Machine Group and Patch templates), scan is getting failed on " Resolve Machine To Scan" step.

When we select "View Results" it gives Status as "Access Denied to Ip XXXXXX; Cradentials may be invalid" with error code "106".

Software on Machine: Windows 10 64-bit OS.

Please refer the attached screen shot.

Purpose

This document outlines how to scan and show only specific patches in the results, or how to scan and not include certain patches in the results.

Symptoms

While scanning, certain patches are offered that are not desired.
Example: Your organization uses Java 7u40 and upgrading to Java 7u45 will disrupt other programs in your environment.

Adding Patches to a Patch Group

1. To scan or exclude specific patches, begin by assigning the desired patches to a Patch Group. In Protect, openPatch View.

2. Locate the specific patch by searching or filtering.

3. Right click the patch, chooseAdd to Patch Group, then choosing New Patch Group.

4. You will now be able to see that the patch a has been added to the Patch Groups tab below the search window.

5. Next create a newPatch Scan Template.

Selecting to Include the patches in your patch group

1. In thePatch Scan Templatewindow, enter aNameandDescriptionto identify the scan template. UnderBaseline or Exceptions, select Baseline and check your Patch Group.
2. Scan using theScan Templatecreated. Results will only show those patches included in thePatch Group.

  This will ignore any checked boxes in the grayed out fields and will ONLY scan for whats in the patch group.

Selecting to Exclude the patches in your patch group

1. In thePatch Scan Templatewindow, enter aNameandDescriptionto identify the scan template. UnderBaseline or Exceptions, select Exceptions and check your Patch Group.

     2. Scan using theScan Templatecreated. Results willexcludethose patches in thePatch Group.

Related Articles

How To: Include or Exclude Specific Patches in Scan Results

Additional Information

Important 9.2 Upgrade Information: Review Your Patch Scan Templates And Patch Groups

Affected Product(s)

Shavlik Protect 9.2

Ivanti Patch for Windows Servers 9.3.X

I had a scheduled task to patch one server in Machine Group YYYY

Server is a VM hosted in VMware vSphere with all credentials provided:

I have checked credentials in Machine Properties and they match:

Scheduler console credentials are also set:

Why I am getting an error as in title and in logs I found:

W DiscoveryFilterResolver.cs:640|Virtual Server '..............local' with null credentials is unsupported.

Regards

Marcin Milewski

When I create an operation, select a Deployment Template (which includes a post reboot time) and also schedule an install time for the patches, does a template override the Install the patch(es) option?  I am trying to determine when these machines will actually reboot.  If it would be after installation in any circumstance or only when specified in the template.

Is there an easy way to automate the removal of old agents? We had a POC environment that agents were pushed out with. Now in production I am having issues with patching because some servers still have the old agent from the old environment, at least I think this is the reason.  The POC console has already been destroyed so I am unable to remove the old agents from there.

I am currently using Ivanti Patch for windows servers Standard 9.3.0

Can some one explain how the patch deployment will behave if the scheduled date and time is missed:

How is possible that date and time can occur more than ones in the lifetime?

Marcin.

Purpose

This document outlines how to scan and show only specific patches in the results, or how to scan and not include certain patches in the results in Shavlik Protect.

Symptoms

While scanning, certain patches are offered that are not desired.

Adding Patches to a Patch Group

1. To scan or exclude specific patches, begin by assigning the desired patches to a Patch Group. In Protect, openPatch View.

2. Locate the specific patch by searching or filtering.

3. Right-click the patch, chooseAdd to Patch Group, then chooseNew Patch Group.

4. In thePatch Groupwindow, enter aNameandDescriptionto identify what thePatch Groupwill be used for, then clickSave.

5. Next create a newPatch Scan Template.

Finding Specific Patches

1. In the Patch Scan Template window, enter a Name and Description to identify the scan template. Under Baseline or Exceptions - Applies to Agents, select Baseline and then check the box for the newly created Patch Group. Hit Save.

2. Scan using theScan Templatecreated. Results will only show those patches included in thePatch Group.

Exclude Specific Patches

1. In the Patch Scan Template window, enter a Name and Description to identify the scan template. Under Baseline or Exceptions - Applies to Agents, select Exceptions and then check the box for the newly created Patch Group. Hit Save.

2. Scan using the Scan Template created. Results will exclude those patches in the Patch Group.

Additional Information

How To:  Include or Exclude Specific Patches in Scan Results in Ivanti Patch for Windows Servers

Affected Product

Shavlik Protect 9.2.x

Purpose

This document will provide helpful tips and tricks for Ivanti Patch for Windows Servers.

Prerequisites

The following information assumes that you have a basic understanding of the functionality of Ivanti Patch for Windows Servers. If you are brand new to this product we recommend you check out the following training resources:

• Ivanti Patch for Windows Product Training (Formerly Shavlik Protect)
• Ivanti Patch for Windows Demo
  

Overview

Licensing

• Licensing is based on use of deployment seats. One deployment seat is taken for 45 days when:
  • You deploy to a machine in an agentless configuration
  • An agent checks in in an agentless configuration
• Because deployments to hosted virtual machines differ from deployments to physical machines, deploying to the same machine as both a hosted virtual machine and a physical machine will result in two deployment seats being taken.
• There is no way to force removal of a deployment seat. If you run out of seats you must request additional seats from your account manager or in a temporary situation request temporary seats from Support.
• For more information about licensing in Ivanti Patch for Windows Servers, please check out How To: Managing License Seat Usage with Shavlik Protect .

Database

• While Patch will be installed with SQL Express by default, you should install a full version of Microsoft SQL Server if you plan on the database containing more than 10 GB of data as that is the SQL Express limit.
• You can view the instance and database that your console is connected to at the bottom of Help > About in the Ivanti Patch for Windows Servers console.
• If you are using a local database, you can check the actual database file by going to C:\ProgramFiles\Micrsoft SQL Server\...\Data.

View > Event History

• View > Event History shows the status and information for tasks executed in the background such as scheduled console tasks, database maintenance, and distribution server syncs.
• You can see inforamtion about a certain event in View > Event History by clicking on the event and looking at the information in a pain underneath the event window.

View > Patches

• Search for the numbers in KBs such as "9405382" instead of "KB9405382" or "Q9405382."
  
• When searching for a specific KB, Q number, or Bulletin ID, make sure that you have the most recent data in your console and all options selected in your filters as is discussed in this document How To: View All Patches, Software Distributions, Security Tools and Service Packs in Protect 9.2.
• You can right click any patch or group of patches to add them to a new or existing patch group.

View > Machines

• View > Machines is a view of the database and therefore any machine that you have ever successfully scanned will show up here unless you right click the machine and select to delete it.
• Only machines that have been successfully scanned through a particular machine group agentlessly will show up associated with that particular group in View > Machines. This is discussed in further detail here Understanding Machine Groups and the Machines View

Reporting

• You can right click and export almost any list such as a list of machines in View > Machines or a list of patches in View > Patches to a CSV.
• We provide canned reports on demand in Tools > Create Report or scheduled reports in Tools > Schedule Report as well as emailed report options, but you can make your own custom reports by using this guide Report Views Guide

Agentless Scan and Deployment

Scanning

• You can only scan the amount of machines that you are licensed for at one time. For example, if you have a license for 3000 workstations and 200 servers, you can only scan 3000 workstations and 200 servers at one time.
• Ensure that you meet the prerequisites discussed in the Configuration Requirements section under System Requirements in the Patch administration guide https://help.ivanti.com/sh/help/en_US/PWS/93/ag-pws-9-3.pdf before scanning.
• You can find information on almost any scan error here Troubleshooting Shavlik Protect Patch Scan Error Messages

Deployment

• Ensure that Windows Automatic Updates is disabled on machines that you deploy to. You can disable Windows Automatic Updates via Group Policy or locally following the steps here Best Practice: Windows Automatic Updates.
• If you have antivirus or malware prevention software on your clients and you see strange behavior in your deployments or reboots, whitelist the items under the Agentless Deployments section in this document Antivirus Exclusions For Patch Deployments
• If your deployment remain at the status scheduled in your console, but patches are installed on your clients, follow the steps in this document to fix your deployment tracker Deployment Tracker Stuck At Scheduled During Deployment But Patches Install
• We include the following deployment logs in C:\Windows\ProPatches\Logs:
  • STDeploy.log - This gives feedback on the deployment process itself.
  • STDeploycore.log - This gives feedback on the specific patch installation and you can find patch return codes by doing a search in the log for the word "Return".
  • STdplyevnts.log - This gives feedback on the deployment tracker.
  • Safereboot.log This gives feedback on the reboot process.
  • Keep in mind that all log times are in GMT.
• For more information on our deployments please see Shavlik Protect 9.2 Deployment Process Workflow and Troubleshooting

Agents

• It is recommended that you check the items mentioned in this document Agent Status Message: "Agent didn't respond" before installing agents that you intend to control from the console.
  
• You can control agents on your network from the console by right clicking a particular machine with an agent installed in View > Machines, selecting Agent from the menu and then selecting a desired task.
• When using a cloud agent, you can force a change to the agent over the cloud quickly by going to Tools > Options (Operations in Protect 9.2) > Protect Cloud Sync > Force Full Update Now.

Additional Resources

• Protect Console Information and Troubleshooting
• Agent Information and Troubleshooting
• Protect Cloud Agent Information and Troubleshooting
• ESXI Host - Hypervisor Information and Troubleshooting
• Hosted Virtual Machine and Template Information and Troubleshooting
• Report and Views Information and Troubleshooting
• Patch Scanning Information and Troubleshooting
• Shavlik Protect Deployment Information and Troubleshooting
• Custom Action, Custom Patch, and ITScript Information and Troubleshooting
• Troubleshooting Detection Issues in Shavlik Protect

Affected Product(s)

Ivanti Patch for Windows Servers (Shavlik Protect) 9.2, 9.3

Purpose

This is a list of highly recommended documents for improving general knowledge of the Shavlik Protect product. This article is not a comprehensive list of documents.

For the Shavik Protect specific landing page, please see document DOC-23514.

Initial Installation & Configuration

• Download Site
• Training Videos
• Protect 9.1 Installation Guide
• Protect 9.1 Upgrade Guide
• Protect 9.1 Online Help
• Protect 9.2 Online Help
• Protect 9.2 Agent Quick Start Guide
• Protect 9.2 Quick Start Guide
• Protect 9.2 Installation and Setup Guide
• Protect 9.2 Upgrade Guide
• Protect 9.2 Administration Guide
• Protect 9.2 Report Views Guide
• Protect 9.2 Virtual Machine Quick Start Guide
• Protect 9.2 Best Practices Guide
• Protect 9.2 Guidelines For Creating Custom ITScripts
• Protect 9.2 Supported Products
• Shavlik Protect Requirements Guide
• Firewall & Proxy Exception White-List
• Installing Prerequisite Software

Licensing Information

• How to Activate Shavlik Protect
• Managing License Seat Usage
• Offline Activation Process
• Sales/Licensing Contact Information

Best Practices & How To's

• Best Practices Guide (9.1)
• Best Practices: Java Deployment
• Best Practices: Software Distribution
• Best Practices: Agentless Scanning & Deployment of Service Packs
• Best Practices: Using Security Tools
• Best Practices and FAQ on using Threat protection with Shavlik Protect agents
• How To Configure Windows Firewall for Protect
• How to Create a Custom Patch
• How to manage Shavlik in an Offline network
  • Offline Environment: How To Manually Update patch data files
  • Offline Environment: How to Manually Update threat definitions

Troubleshooting & Common Issues

Installation & Upgrade

• Preparing for Upgrade of Protect and Resolving Common Upgrade Issues
• Data Conversion error during Upgrade
• Cleaning up broken installs of Protect
• Resolving database upgrade timeout failures

Obtaining Trace Logs

• Console, Client Side (agentless), and Agent log files
• Console Install and Setup Logs
• DPD Trace (for scan detection issues)
• Listing & Purpose of All Log Files

Scanning & Detection

• Troubleshooting Patch Scan Error Codes
• Scans running slow or taking long time to complete
• Scan Results fail to import (Incomplete results)
• Why Shavlik Protect scan results may differ from Windows Update
• Java patches not shown missing or installed
• How to include or exclude specific patches in scan
• Adobe & Mozilla Incremental Updating process
• Patch install/uninstall loops (patches that always show missing)

Patch Deployment & Shavlik Scheduler

• Deployed patches appear as missing
• Deployment Tracker Status Message Values
• How to Troubleshoot A Failed Patch Install
• Service Pack Deployment Guidelines
• Reinstalling the Shavlik Remote Scheduler Service

Database Related

• SQL Database Maintenance Recommendations for Protect
• Cleaning up (purging) a Protect Database
• Increasing database timeout period
• How To Move Your Database To Another SQL Server
  

Agents

• Agent Diagnosis Commands
• Agent Install failing at 67% (registration failure)
• How to fully uninstall and reinstall an agent

Other

• Issues adding machines to a group via Active Directory/OU
• Verifying Proxy Settings for Download Issues
• Role Based Administration Lockout Fix
• Understanding the Machine Groups and the Machines View

Other Useful Information

• XML (Patch Definitions) Update Information
• List of Currently Supported Products
• Feature or Change Requests

Purpose

This document will outline the steps required to migrate Shavlik Protect from one machine to another.

Downloads - License Key

Identify what version of Protect you are currently using under Help > About. Decide if you will be upgrading with the migration, or if you will be retaining the current version. Also write down your current License Key for use on the new console.

Shavlik Protect Download Files:http://www.shavlik.com/downloads/

Note:If planning to upgrade, be sure to review theimportant'Upgrade Guide' pertaining to the version you will be using. Failure to review pre-requisites to an upgrade increase likelihood of issues.

SQL Server

Backup Databases

Whenever modifiying the database, or console it is best practice to create a backup of the Protect Database first.

How to Backup a Database:http://community.shavlik.com/docs/DOC-23037

SQL Server and Shavlik Protect on same machine - Keeping Machine for SQL Server

If Shavlik Protect and the SQL are installed on the same machine, and the machine will continue being used as the SQL Server, but will not house Shavlik Protect, it is recommended to make a backup of the database, then nothing else needs to be done to the database.

SQL Server and Shavlik Protect on same machine - Retiring Machine from any Shavlik Protect Use

If SQL is installed on the same machine as Shavlik Protect, and the machine is being retired from all Shavlik Protect use, you will need to backup the Protect Database in use to be migrated to the new console server.

How to move databases between computers that are running SQL Server:http://support.microsoft.com/kb/314546
- Or -

Moving a Protect database from one SQL server to another: How To Move Your Database To Another SQL Server

SQL Server and Shavlik Protect on different machines

If Shavlik Protect and SQL are hosted on seperate machines, the new Console will need to be able to reach the SQL Server,it is recommended to make a backup of the database, then nothing else needs to be done to the database.

Note:These documents are offered as a reference only. Database Management questions should be directed through associated DBA or Microsoft.

Using Agents?

If you are using Agents in your environment special consideration must be taken to prevent causing problems with these machines. When a Protect Agent is deployed it is setup utilizing certificates based off the current Shavlik Protect Console. When migrating Shavlik Protect to a new computer, these certificates will become invalidated and Agents will no longer communicate with the Console or vice versa.

Resolution

Uninstall all Agents currently deployed. This will allow the newly installed console to create an association with the Agents.

Uninstalling Shavlik Protect Agent: http://www.shavlik.com/uploadedFiles/Support/Online_Documentation/Shavlik_Protect_90/administration-guide.pdf#page=460
Steps to perform full uninstall of the Shavlik Protect Agent (Manual):http://community.shavlik.com/docs/DOC-2216

Install New Console

Now that the SQL Databases are backed-up, and all Agents have been uninstalled, it is time to install Shavlik Protect on the new console.

When installing Protect a prompt will occur indicating no SQL instance detected.

---------------------------
Shavlik Protect Setup
---------------------------
A Microsoft SQL Server database is required for use with this product.
SQL Server was not detected on your local system.
If you want to install SQL Server Express on your local system, click "Yes".
If you have a remote SQL Server database that you will connect to at the end of the installation process, click "No".
---------------------------
Yes  No 
---------------------------

SQL Server on Different Machine from Shavlik Protect

If SQL is setup on a different server, selectNohere to prevent its installation on the new machine with Protect.

No Separate SQL Server

If SQL was installed on the same server as Protect and the original machine will no longer be used, then SQL will need to be installed on the new computer, chooseYes.

Protect 9 Installation and Setup:http://www.shavlik.com/uploadedFiles/Support/Online_Documentation/Shavlik_Protect_90/administration-guide.pdf#page=30

After installing SQL, attach the backed-up/migrated database from the original console to the new SQL Server Instance.

Moving a Protect database from one SQL server to another:http://community.shavlik.com/docs/DOC-2212

SQL

At the Database Setup Tool choose "Use an existing database (link or upgrade)'.

In the SQL Database Configuration page, enter the appropriate values for the Server Name, Database Name, and Credentials according to where the original Database is currently attached.

Reinstall Agents

Now that the new Protect Console is installed, and aimed at the original Database, redeploy the agents to necessary machines.

Initiating an agent installation from a machine group:http://www.shavlik.com/uploadedFiles/Support/Online_Documentation/Shavlik_Protect_90/administration-guide.pdf#page=122

Affected Product(s)

Protect Version: All

When I create an operation, select a Deployment Template (which includes a post reboot time) and also schedule an install time for the patches, does a template override the Install the patch(es) option?  I am trying to determine when these machines will actually reboot.  If it would be after installation in any circumstance or only when specified in the template.

The Operations Monitor on my Ivanti Server does not update status from scheduled to installing or done on the majority but not all of my servers.  On the server being patched the dplyevts.log says "PingBack.cpp:63 Sending data to 'https://[Console alias]:3121/ST/Console/Deployment/Tracker/v92' failed: 12175."

The patches are installed OK with STDeploy.log on the target servers saying  "Process exit code: 0"  but I need to get the Operations Monitor to report this back.

Disclaimer

Please read this disclaimer before using this tool:  LANDESK Share IT Disclaimer

Description

We created a GUI tool to simplify diagnostic scanning to troubleshoot patch scan issues.

The DPDTrace GUI interface requires .Net 2.0 or greater to work.

How to use the DPDTrace GUI

1. Download the latest version of the DPDTrace GUI. Download Link (the download is also attached to the bottom of this document)
2. Extract the DPDTrace.zip to the desktop of the machine you will scan from.  This can be on a server remote to the target machine or on the target machine itself.  Support may specify where to scan from depending on the issue being diagnosed.
3. Open the DPDTrace GUI by double-clicking DPDTraceGUI.exe from the extracted folder.

     4. Choose Local to scan the local machine. The IP address or the Machine Name of the local machine will automatically populate.

     5. Choose Remote to scan a remote machine. You will need to provide a valid Machine Name or IP Address to scan.

     6. Enter a username with administrator access to the target machine.

          a. The format must be DomainName\UserName or MachineName\UserName depending on how you are authenticating to the target machine.

     7. Enter a valid Password. You can choose to un-check the Hide option if you wish to see your password for troubleshooting purposes.

Protect Version: (Protect Customers)

     8. Choose the Protect scan engine version to be used during the scan.

          a. The GUI defaults to 9.2.5112 and 9.3.4510, it is OK to leave the default selection and often a good idea since it provides cross engine version data..

OEM Version: (OEM partners)

     9. Choose the OEM scan engine version to be used during the scan.

Patch Type:

     10. Choose Patch Type to be used during the scan.

          a. We highly suggest leaving the defaults of Security Patches and Non-Security Patches selected unless a support tech requests a change.

     11. Click Run to start the scan.

     12. You will see Command Prompt popups and popups for the Rename HF.Log utility during the scan process.  Do not close either these.

     13. All popup windows will close and a new popup will occur once the scan is complete.  Click OK.

     14. The scan diagnostic is complete and all of the trace logs, scan outputs and registry exports have been zipped to this folder:  C:\Users\UserName\Desktop\DPDTrace\SendToSupport

          a. The zip file will be named HFCLi_YearMonthDay.zip

     15. Provide this zip files to support!  If you have any issues attaching this zip to the case, please let the support tech know so they can provide you with more options.

Additional Information

A command line DPDTrace tool can be used by customers who cannot run this GUI version:  DPDTrace command line logging tool used for patch detection issues

Scenario

This document provides an overview of requirements necessary for this configuration and the specific options that need to be set for this to work. The following applies in a scenario where you may have one of the following setups:

• You have a Protect console connected to the internet, and another Protect consoles withe no connection to the internet.
• The internet connected console may be a rollup console with the other consoles sending results back to it.

Requirements/Prerequisites

You will need to be able to set up a Distribution Server (share) that can be accessible by the internet connected and disconnected Protect servers, and it must meet any connection/port requirements. See the following linked documentation for more information on configuring a Distribution Server and any requirements:

• Configuring a Distribution Server
• Port Requirements for Shavlik Protect
• Synchronizing Distribution Servers
• How to Manually Synchronize Distribution Servers

If you would like for definitions and patches to be downloaded automatically on the online console so that they will be ready to sync to your distribution server without intervention, you can set this up by scheduling an automatic download of definitions and selecting to use the Predictive patch downloads feature which is further discussed here:

Overview on the Predictive Patch Download Feature

You will find this configuration option in Tools > Operations > Downloads on the online console in Protect 9.2 and in Tools > Options > Downloads in the online console in Ivanti Patch for Windows Server 9.3.

Configuration

This section assumes that you have already set up a Distribution Server meeting all requirements outlined in above documents. Below are the special requirements or information you may need to set up special configurations. The graphic below is intended to provide a basic illustration of possible configurations covered here.

Using Distribution Server to Host Data files & Patch Files for disconnected consoles

This configuration can only be used if you have at least one offline Protect console server that can reach the Distribution Server share. This allows the offline

Protect console(s) to update patch definitions, binaries, and patch files easily without being connected to the internet.

Once you have your Distribution Server set up in all consoles, change the following settings for the Protect console servers located on the offline network:

1. Navigate to Tools > Operations in Protect 9.2 or Tools > Options in Ivanti Patch for Windows Servers 9.3.

2. Click the 'Downloads' tab.

3. Change the 'Definition download source' to "Specific Distribution Server" and set it to use your distribution server.

4. Change the 'Patch and Service Pack download source' to use a "Specific Distribution Server" and point to your distribution server.

(Optional) You can set the 'Schedule automatic downloads' settings.

If the latest definitions and patches do not exist on the distribution sever share, your offline consoles will not display the latest patches and most likely fail to install many outdated patches.

If the "Specific Distribution Server" section is grayed out and cannot be chosen, refer to this document:

Attempting To Set Definition Download Source - "Specific Distribution Server" Is Grayed Out

If using data rollup

You can still use the data rollup function, however, you will need to either:

A) Open port 3121 and have a connection available to the master console system, or;

B) Set up port forwarding to port 3121 from one network to the other. We do not assist in setting this up so you will need to contact your network admin.

This will allow you to run reports on your master console to see the current status of all machines in your environment. Note that the master console for data rollup has no control over the other Protect consoles - it is only able to run reports based on results available from any other console that is set to run data rollup to the master console.

More information about setting up the data rollup function can be found here:

• Implementing a Data Rollup from a Secondary Console to a Primary Console
• Help: Data Rollup Operations

Affected Product(s)

Shavlik Protect 9.x

Purpose

The purpose of this document is to highlight a Microsoft Windows Task Scheduler bug that can cause your scheduled console tasks to run a week early or not at all.

Symptoms

The Ivanti Patch for Windows Servers console is installed on Windows Server 2016 or Windows 10, and you have a monthly console task that is set to run on a specific occurrence of a day of the week (4th Wednesday, 2nd Saturday, etc.).  Occasionally, this task executes exactly one week early or not at all.

Cause

Microsoft has confirmed a bug in the Windows Server 2016/Windows 10 Task Scheduler that will execute scheduled tasks one week early or not at all when specific conditions are met:

• The month does not start on Sunday
• The monthly task is set to execute on a specific occurrence of a day of the week (4th Wednesday, 2nd Saturday, etc.)
• The date the task is scheduled to execute is a multiple of 7 (7th, 14th, 21st, or 28th)

If these conditions exist and the task is scheduled to execute on the 7th, the task will not run.

If these conditions exist and the task is scheduled to execute on the 14th, 21st, or 28th, the task will execute one week early.

This calendar from Microsoft's TechNet post regarding the issue illustrates the affected days of 2018.  Tasks scheduled days circled in red will execute one week early, while tasks scheduled on the days circled in grey will not execute.

Resolution

There is no workaround, but Microsoft is aware of the issue and is working on a resolution.

Additional Information

Microsoft has acknowledged this issue and describes it further on their TechNet AskCore Japan blog:

https://blogs.technet.microsoft.com/askcorejp/2017/12/11/mouthly_tasks_issue/

Affected Product(s)

Shavlik Protect 9.2.x

Ivanti Patch for Windows Servers 9.3.x