Are there any plans to expand Ivanti Patch to cover OSX / Linux devices?
↧
Plans to expand Ivanti Patch to OSX / Linux Devices?
↧
Access Denied to Ip XXXXXX; Cradentials may be invalid
When we are trying to Scan(Machine Group and Patch templates), scan is getting failed on " Resolve Machine To Scan" step.
When we select "View Results" it gives Status as "Access Denied to Ip XXXXXX; Cradentials may be invalid" with error code "106".
Software on Machine: Windows 10 64-bit OS.
Please refer the attached screen shot.
↧
↧
Pending Reboot
Hello,
On a number of servers we are seeing a pending reboot regkey still enabled even after the servers have been rebooted after a patch cycle. It seems to be occurring on the same 3 values across nearly 500 devices in our estate.
Regkey
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\SessionManager\PendingFileRenameOperations
Values
\??\C:\Windows\ProPatches\Installation\InstallationSandbox#2018-03-18-T-08-59-42\dplyevts.dll
\??\C:\Windows\ProPatches\Installation\InstallationSandbox#2018-03-18-T-08-59-42\stdeploy.exe
\??\C:\Windows\ProPatches\Installation\InstallationSandbox#2018-03-18-T-08-59-42\STDeployerCore.dll
Has anyone seen this issue before? It's now causing issues with Chef automation. On some servers an additional reboot clears these values, others it still remains. I don't want to reboot 500 servers an additional time just to check if this may clear. 'STPatch.exe' is present in C:\Windows\ProPatches\Patches on all the servers in question.
Thanks,
Max
↧
Remove patch from agentless deployment
Hi there,
I've followed the below documentation to exclude a patch we do not want to deploy via patch group/patch template. In the patch scan template,above the exclusion grouping,however it says: Baseline or Exception--Applies to Agents. Will this not apply to scheduled agent less deployments as well? Meaning if I have an excluded patch group configured here will it not also exude the patches during an agent less deployment? If not, is there any way to prevent certain patches from deploying with agent less deployments? Thanks!
How To: Include or Exclude Specific Patches in Scan Results in Ivanti Patch for Windows Servers
↧
Scanning "Entire Network" Machine Group Fails with 0 Machines Found
Symptoms
When scanning the "Entire Network" Machine Group, the scan results return 0 machines found.
Cause
This is often caused by the "Computer Browser" service being turned off on the domain controller for domain-joined consoles, or on the console itself for non-domain consoles.
Resolution
Make sure the "Computer Browser" service is not set to "Disabled" on the domain controller if your console is joined to a domain, or the console itself if it is not on a domain.
Affected Product(s)
Ivanti Patch for Windows Servers 9.3.x
Shavlik Protect 9.2
↧
↧
I would like to get a list of the 3rd party Filtering items
Hi All
I have been asked to get a list of the programs Shavlik can scan.
ie. the list in the Templates under filtering and expanded out.
Is there a way of importing this list.
↧
Intel vPro Configuration Tool CVE-2017-5689
Purpose
Ivanti has produced a system configuration tool which minimizes the risk associated with the vulnerability CVE-2017-5689.
This tool DOES NOT fix the underlying firmware vulnerability. You must use special tools provided by Intel or your OEM vendor to correct this vulnerability. Consult the Intel documents at the end of this paper for the latest information.
This Ivanti tool makes configuration changes to your system as recommended by Intel in their whitepaper describing how to mitigate the issue. Specifically, the tool will attempt to unconfigure the Active Management Technology (AMT) framework and disable the Local Management Service (LMS) running on the system
Vulnerability
This vulnerability exists in the Intel AMT firmware of systems with the vPro technology. AMT allows a remote system to be turned on as long as power and network connection are present. This vulnerability is independent of the OS installed on the system. There are several possible attack vectors via this vulnerability including KVM (remote control of mouse keyboard and monitor), IDE-R (IDE Redirection), and SOL (Serial over LAN).
This technology has been in use for over nine years so both old and new systems are potentially vulnerable. Intel provides directions on checking the firmware version to determine vulnerable systems.
Tool Use
In Ivanti Patch for Windows Servers this is an optional security tool: INTEL-SA-00075(QISA00075)
This tool will be offered to any endpoint that has the LMS service installed when scanned with a template that includes security tools. The tool will attempt to unconfigure the AMT framework and disable the LMS service. This tool does not address the vulnerability at a firmware level.
Best Practice & Q/A - Using Security Tools
References:
INTEL-SA-00075 Detection and Mitigation Guide & Tool - (link from Advisory Page - subject to change)
Affected Product(s)
Shavlik Protect 9.2
Ivanti Patch for Windows Servers 9.3
↧
Supported Product List for Ivanti Patch for Windows, Shavlik Protect, and Shavlik Windows SDK
Overview
This document provides a link to the current list of products supported in Ivanti Patch for Windows, Shavlik Protect, and Shavlik Windows SDK
↧
Is KB4099950 now included in march patches?
Hi,
We are all aware that KB4088875 & KB4088875 has NIC issues.
https://support.microsoft.com/ms-my/help/4088875/windows-7-update-kb4088875 and https://support.microsoft.com/en-us/help/4088878/windows-7-update-kb4088878 sites states following:
| A new Ethernet Network Interface Card (NIC) that has default settings may replace the previously existing NIC, causing network issues after you apply this update. Any custom settings on the previous NIC persist in the registry but are unused. | This issue is resolved by KB4099950 which will be automatically applied when installing this update |
Does this mean that KB4099950 is now included in march updates? so there is no need to install KB4099950 seperately?
↧
↧
Ivanti Patch Definition Naming Convention for Microsoft Patches
Overview
Starting with the April 11th 2017 Patch Tuesday, Microsoft no longer uses a traditional naming format for Security Bulletins. To help our customer's, we created our own naming format as follows:
- Starting on Patch Tuesday April 10, 2018 the ID names will change to follow the description below.
- Windows 10 and Office updates are now under their own ID and content can be searched by KB numbers after Tuesday April 10, 2018
The new Security Bulletin mappings our products will be using: MS[YY]-[MM]-[PP]-[KB]
- MS = Microsoft
- YY = Year
- MM = Month Released
- PP = Product
- Followed by the KB number
Here are some examples:
- MS18-03-OFF-3114416
- All Office patches
- MS18-03-IE-4089187
- All IE patches
- MS18-03-AFP-4088785
- All Microsoft released Flash patches
- MS18-03-W10-4088776
- All Windows 10 patches, rollups and Deltas
- MS18-03-SO7-4088878
- Security Only Update for Windows 7 and Server 2008 R2
- MS18-03-SO8-4088880
- Security Only Update for Server 2012
- MS18-03-SO81-4088879
- Security Only Update for Windows 8.1 and Server 2012 R2
- MS18-03-MR7-4088875
- Monthly Rollup for Windows 7 and Server 2008 R2 (this is the rollup that includes non-security fixes)
- MS18-03-MR8-4088877
- Monthly Rollup for Server 2012 (this is the rollup that includes non-security fixes)
- MS18-03-MR81-4088876
- Monthly Rollup for Windows 8.1 and Server 2012 R2 (this is the rollup that includes non-security fixes)
.NET Patches will follow a slightly different naming scheme:
- MS[YY]-[MM]-[TT][PP]-[KB]
- YY = Year
- MM = Month
- TT = Type (Security Only or Monthly Rollup)
- PP = Product (.NET)
- KB = Parent KB
- MS17-12-SONET-1234567MS17-12-MRNET-1234567
- Security only patches associated with that parent KB
- Security patch type
- Monthly Rollup associated with that parent KB
- Non-Security patch type
Non-security .NET Patches also have a slightly different naming scheme:
- MSNS[YY]-[MM]-[TT][PP]-[KB]
- YY = Year
- MM = Month
- TT = Type (Quality Preview or Quality Rollup)
- PP = Product (.NET)
- KB = Parent KB
- MSNS17-12-QPNET-1234567MSNS17-12-QRNET-1234567
- Quality Preview patches associated with that parent KB
- Non-Security patch type
- Quality Rollup associated with that parent KB
- Non-Security patch type
Additional Information
Additional Naming Conventions
- QP = Quality Preview
- NS = Non-Security
Microsoft released the following article for FAQ on the changes made: Security Updates Guide dashboard and API:
Q: Why is the security bulletin ID number (e.g. MS16-XXX) not included in the new Security Update Guide?
A: The way Microsoft documents security updates is changing. The previous model used security bulletin webpages and included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation, including bulletin ID numbers, is being retired and replaced with the Security Update Guide. Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers and KB Article ID numbers.
Affected Products
Shavlik Protect
Ivanti Patch for Windows Servers
Ivanti Patch for SCCM
↧
Patches are not being downloaded or pushed to the node
I am using Shavlik Protect 9.3. I was patching a new server and everything was going fine. I rebooted after some patches and scanned again. This time the server only had 6 missing patches. I tried to push these patches and nothing happens. All other servers seem to be fine. I thought it was the Scheduler on the server, so I followed these directions to uninstall (How To: Uninstall & Reinstall The Shavlik (ST) Remote Scheduler Service On A Single Machine ). This did not resolve the issue and on the next scan/deploy it did not install the scheduler. It opens the deployment tracker once I request the patches to be deployed, but I can immediately click "Clear all completed" and it closes the window. It's like the Shavlik server has an issue with the client. Any help is appreciated.
↧
Patch for Windows Agent installation/Registration
Hello community,
I asked this question on "community.ivanit.com" but with no result or answer till now....
Recently we started to test the Ivanti Patch for Windows solution for our company and I got stuck during the registration process of an agent via command prompt.
I can install the agent manually, with the "STPlatformUpdater.exe" => double click > choose "...connection to the console" > fill out the form > choose the policy > and the installation/registration is done, everything is fine so far.
Now I'm trying to accomplish the same task over the command prompt. To do that, I used the following guides:
for the installation: Installing Agents Using A Manual Installation S...|Shavlik User Community
for the registration: Installing an Agent with No Policy Using a Manu...|Shavlik User Community
So I started the installation with the example form the first link. Customized the values and inserted the command.
STPlatformUpdater.exe /wi:"/qn /l*v install.log SERVERURI=https://XXX.XX.XX.XX:3121 POLICY=AgentPolicy_MyPolicy AUTHENTICATIONTYPE=PASSPHRASE PASSPHRASE=mysecret"
The agent got installed like
described in the guide and I moved forward to the registration part.
Here again I used the
example, customized the values, inserted the command BUT nothing happened.
STAgentManagement.exe-register -p silent=true -p authType=SharedPassphrase -p passphrase=mysecret -p serverURI="https://XXX.XX.XX.XX:3121" -p policy="AgentPolicy_MyPolicy"
In the log files I got no notification or error message, only:
Agent Registration Operation Log.
Created Freitag, 6. April 2018 11:47:42
I tried to change some of arguments in the command, executed the "STAgentManagement.exe" with the "-register" command only and tested some other commands (-list; -status, -monitor...) to see whether I get any result at all.
Most of the commands got executed but showed a plank list or "no tusk" notifications.
Now the question... what did I do wrong?
btw.
I checked the connection from console to agent and reverse - fine
I checked the name-resolution from both sides - fine too
And like I mention before, the manual installation/registration-process works fine as well
Thanks in advance for any advice.
↧
URL exception list for Shavlik Protect - Ivanti Patch for Windows Servers (04-10-2018)
Overview
This document provides a list of required URL addresses for Shavlik Protect and Ivanti Patch for Windows Servers to allow:
- Patch executable download.
- Patch content definition download.
- Online license activation or license refresh.
- Home page RSS feed.
- Product check for update.
URL List
The following URLs may be used to download updates and must allowed through firewalls, proxies and web filters:
Additional Information
- To obtain the IP for vendor sites you can ping the vendor site or contact the vendor to obtain this information. We are unable to provide a list of IP addresses due to the varied dynamic IP addresses being used by the vendors. It may be easier to create an exception for an entire domain rather than entering all specific URLs, you can usually do so by entering the exception in this format:
- *.domain.com.
Affected Product(s)
Shavlik Protect
Ivanti Patch for Windows Servers
↧
↧
How can I exclude Preview of monthly rollup and Preview of the quality rollup updates
How can I exclude Preview of monthly rollup and Preview of the quality rollup updates without having to create a new patch list each month and manually add them
↧
Installing both Cumulative and Security Only patches
To be safe, I usually install both the Windows Cumulative Update and the Security Only patches during the same task. In this example patch Q4093115 installed successfully, but patch Q4093114 reports "File download failed" and is also counted as a "Patch Missing." Is this the expected behavior or is there a different approach I should take to this? I hate to miss the quicker installation if the cumulative is not needed, but then want to make sure I cover all past updates if there are missing.
↧
Power Pack
Hello all,
We pay for a Power Pack for each license yearly for each of our supported Windows servers....What added capability does this provide??
Thanks.
↧
Will PWS will have any effect on App-V delivered programs
I am curious as to whether PWS will have any effect on App-V delivered programs, while patching those installed locally. Do I need to coordinate the patch versions of both or can I maintain them independently. Thank you.
↧
↧
Scheduled Task Runs One Week Early or Not At All
Purpose
The purpose of this document is to highlight a Microsoft Windows Task Scheduler bug that can cause your scheduled console tasks to run a week early or not at all.
Symptoms
The Ivanti Patch for Windows Servers console is installed on Windows Server 2016 or Windows 10, and you have a monthly console task that is set to run on a specific occurrence of a day of the week (4th Wednesday, 2nd Saturday, etc.). Occasionally, this task executes exactly one week early or not at all.
Cause
Microsoft has confirmed a bug in the Windows Server 2016/Windows 10 Task Scheduler that will execute scheduled tasks one week early or not at all when specific conditions are met:
- The month does not start on Sunday
- NOTE: This condition is stated by Microsoft, but we have had customers report this happening on months that began on Sunday as well
- The monthly task is set to execute on a specific occurrence of a day of the week (4th Wednesday, 2nd Saturday, etc.)
- The date the task is scheduled to execute is a multiple of 7 (7th, 14th, 21st, or 28th)
If these conditions exist and the task is scheduled to execute on the 7th, the task will not run.
If these conditions exist and the task is scheduled to execute on the 14th, 21st, or 28th, the task will execute one week early.
This calendar from Microsoft's TechNet post regarding the issue illustrates the affected days of 2018. Tasks scheduled days circled in red will execute one week early, while tasks scheduled on the days circled in grey will not execute.
As noted above, we have had customers report that this bug affected days in April, even though the month started on Sunday. We recommend planning as though the bug will affect you in any month.
Resolution
There is no workaround, but Microsoft is aware of the issue and is working on a resolution.
Additional Information
Microsoft has acknowledged this issue and describes it further on their TechNet AskCore Japan blog:
https://blogs.technet.microsoft.com/askcorejp/2017/12/11/mouthly_tasks_issue/
Affected Product(s)
Shavlik Protect 9.2.x
Ivanti Patch for Windows Servers 9.3.x
↧
How to stop shavlik from updating xml database ?
Hi all,
So, i.m trying to create a patch scan and use it the entire month.
The problem is thatthe patch scan is using the xml database from that specific time. If the database xml is being upgraded with the new available patches then it will mess my work.
So is it possible to make shavlik stop upgrading for new definition until i say other wise? something like cutting off the internet connection and after that just using shavlik with a specific xml definition
If there any option that i can.t see ? Or even if i cut the internet connection, does anybody know if the full functionality will be still there ?
Thanks
↧
Office 365 Support for Shavlik Protect/Ivanti Patch for Windows Servers
Overview
Support for Office 365 has been added to Shavlik Protect 9.2 and Ivanti Patch for Windows Servers 9.3.x
By default, Click-to-Run for Office 365 installations are automatically updated, but most administrators change the update source to control which updated builds are deployed and when they are deployed. Now administrators can scan for and initiate these updates from Shavlik Protect 9.2 and Ivanti Patch for Windows Servers 9.3.x
Caveats
Office 365 patching: The Office 365 patching process is different than other Microsoft patches. Office 365 updates are installed by initiating the Microsoft Office 365 Click-to-Run update process which prompts the target machine to download the patch and install itself.
Where the Office 365 updates are downloaded from: Updates are download from default source Microsoft Content Delivery Network (CDN) which requires a connection to the internet on the target machine. Administrators who do not want their clients downloading from the internet can set their own download source.
- More information on setting a custom download source: Office Deployment Tool
Offline Virtual Machines: Due to the nature of this update, we do not support Office 365 patching on hosted offline virtual machines (VM).
Regarding Current Channel updates: Most companies won't be using this channel in production due the higher update frequency. These updates interfere with line-of-business applications, add-ins and macros so time to test the updates is required any time there is an updated version of Office 365 ProPlus. Here is what is supported for customers who do use the Current Channel:
- Build 6868.2060 and higher are supported. (Released on May 4th, 2016)
- Build 6769.2040 and lower are not supported. (Released April 28th, 2016)
Regarding Deferred Channel updates: This is more common channel customers will be using. Updates for this channel are less frequent to allow time for testing.
- We support all versions of the deferred channel.
Additional Information
- Office 365 Update Q numbers Have D, FD, or C Appended To the Q Number.
- Overview of Office 365 Channels: Overview of update channels for Office 365 ProPlus
- Build list numbers: https://technet.microsoft.com/en-us/library/mt592918.aspx
- GPO administrative templates for Office: Download Office 2016 Administrative Template files (ADMX/ADML) and Office Customization Tool from Official Microsoft Dow…
Affected Product(s)
Shavlik Protect 9.2
Protect SDK 9.2
Ivanti Patch for Windows Servers 9.3.x
↧