Currently using Patch for WIndows. have setup some IP ranges for a distribution server. Is there a specific log I can look at to see if the computer being patched is actually downloading the patches from the correct distribution server? If so where is that log located. Thanks.
Log Files
Patch deployment failed
Hi,
Yesterday we have scheduled one server for patching and found that the server has 3 missing patches to install. After patching, those 3 patches installed in the server successfully.
But later we observed that the patches we are actually trying to install did not get either installed or showed as missing in the patch scan. These patches are already added to the template before we initiated the scan. Surprisingly we could able to install the patches manually in the server.
My question is why these patches were not shown as missing when it get scanned & how installed manually.
Troubleshooting Slow Patch Scans In Ivanti Patch for Windows
Purpose
This document provides information to troubleshoot slow patch scans when using Ivanti Patch for Windows.
Symptoms
Causes
There can be a number of causes of slow patch scans. The first thing you should look into is if there have been any recent changes - either to the console system or the network you are on.
Some of the most common causes of slow scans addressed in this article are:
- Insufficient system resources (RAM, CPU, etc.)
- Antivirus scanning- particularly those that perform on-access scans.
- Network/Latency issues (poor latency, scanning over WAN, etc.)
- Database issues - (lack of database maintenance, insufficient SQL server system resources, etc.)
Resolution
Possible issues that may need to be addressed:
Note: The "console system" refers to the system where you are running Ivanti Patch for Windows or Shavlik Protect.
1. Ensure that you are on the latest version/build of Protect.
Whenever we have a new version released there is a possibility that there may be bug fixes or product improvements which could help resolve your issue.
You can verify the latest version and download it from the following link:
https://go.ivanti.com/Web-Download-Patch-Windows.html
2. Make sure that your console system has enough resources to run your scans.
If you are scanning a high number of machines you may need to increase the CPU and/or memory available to the console system. Our hardware system requirements for processor and memory are as follows:
Processor/CPU:
- Minimum: 2 processor cores 2 GHz or faster
- Recommended: 4 processor cores 2 GHz or faster (for 250 - 1000 seat license)
- High performance: 8 processor cores 2 GHz or faster (for 1000+ seat license)
Memory/RAM:
- Minimum: 2 GB of RAM
- Recommended: 4 GB of RAM (for 250 - 1000 seat license)
- High performance: 8 GB of RAM (for 1000+ seat license)
For more information, see Protect Console System Hardware Performance Guidelines.
3. Antivirus or real-time threat protection software may be scanning our patch scan results as they are being sent back to the Protect console system.
Sometimes antivirus software, in particular those that perform on-access scanning may slow down the patch scan process. Most often we see these programs slow the process as the results are sent to the console's arrivals folder to be imported to the database.
Solution:
-Test disabling your antivirus/threat protection software to see if scans run faster while it's disabled.
-Create an exception in your Antivirus/threat protection for the following folder on the console machine:
On Windows 7, 8, 2008, 2012, or Vista: C:\ProgramData\LANDesk\Shavlik Protect\Console\Arrivals
On Windows XP or 2003: C:\Documents & Settings\All Users\Application Data\LANDesk\Shavlik Protect\Console\Arrivals
4. There may be network/configuration issues.
The most common issue is that high latency will cause scanning of remote systems to take a long time to complete. Things to check:
-Check the latency.
On your console system run a ping connecting to a target system. To do so click Start > Run > type CMD and hit enter, then enter the following command- ping [target machine name or ipaddress] i.e ping machine01 or ping 10.1.10.5.
The higher the latency (the value next to time=), the longer you can expect the scan to take for Protect. High latency impacts scans due to the fact that our scan engine uses a separate connection for each check that is performed during the Dynamic Product Detection process.
-Is the scan taking place over a LAN connection or WAN connection?
Most often WAN connections will have much higher latency. As such, longer patch scans can be expected over WAN.
Workarounds available for latency/network issues:
-If you have many machines in other areas that the console system would be scanning over a WAN connection it may be best to install a second Protect console on a system that is local to those systems. You can then scan those systems over a LAN connection rather than over a high latency WAN connection to avoid these problems.
-You can install a Protect agent on systems to avoid slow scanning issues caused by network problems. The agent will run the scan locally on the client system so it avoids all network traffic while scanning.
-There is an option to change the number of simultaneous machines scanned during the scan process. To make this change you will need to create a custom patch scan template in Protect. On the 'General' tab under the template you can decrease the number of machines the scan will simultaneously run on. Dragging the bar to a lower number may help improve scan speeds. You will need to use your custom patch scan template to run a scan for this to take effect.
-It's possible it may help you to perform network monitoring during the scan. This would require a 3rd party network monitoring tool which we do not support.
5. Possible Database Issues
You will need SQL Server Management Studio to perform some of these checks. If you are using SQL Express you will most likely need to download the free Management Studio Express from Microsoft's download site. See the links below:
For SQL 2005 Express: http://www.microsoft.com/downloads/details.aspx?FamilyID=c243a5ae-4bd1-4e3d-94b8-5a0f62bf7796&displaylang=en
For SQL 2008 Express: http://www.microsoft.com/downloads/details.aspx?FamilyID=08e52ac2-1d62-45f6-9a4a-4b76a8564a2b&displaylang=en
For SQL 2008R2 Express: http://www.microsoft.com/download/en/details.aspx?id=22985
For SQL 2012 Express (Choose the management studio after clicking download): http://www.microsoft.com/en-us/download/details.aspx?id=29062
-Open Management Studio and connect to your SQL server. Expand 'Databases', and locate your 'Protect' or 'Shavlikscans' database. Right click on the database, and then go to Properties > General tab. Check the Size of your database. If your database is over 4GB in size, it's possible that you may need to perform database cleanup.
-If you are using SQL Express there is a database size limitation built into SQL. Full versions of SQL are only limited by allocated space given by the DBA or space of the hard disk. The size limitations for currently support versions of SQL Express are as follows:
SQL Express 2005: 4GB size limit per database
SQL Express 2008: 4GB size limit per database
SQL Express 2008R2: 10GB size limit per database
-Perform database maintenance. You can now easily do this from within the Protect console under Tools > Database Maintenance. If you are having slow scans take place it may help to delete as many old results as possible as well as perform the option to 'Rebuild Indexes'.-After this it may help to close Protect, go into SQL Management Studio, and perform the following steps: Right click on the Protect database and go to Properties > Options. Set the Recovery model to "Simple". Hit Ok. Then right click on the Protect database again and go to Tasks > Shrink > Database. This will help shrink the size of the database and the log file.
-It can depend if the SQL server being used is remote or local. If the database is hosted on a remote server you may need to check into your network connection between the console system and the SQL server. If there is any latency or any network issues it could cause your scans to run slow.
6. Virtual Machine resource contention:
If you have the console running on a virtual machine make sure that the resources that the VM are trying to use are actually available in case you have other VM's running simultaneously that are possibly using all of the host server resources.
Affected Product(s)
Ivanti Patch for Windows 9.x
Shavlik Protect 9.x
Database Maintenance - Purging or Cleaning Up a Large Database
Purpose
This article provides steps to purge a large database in Ivanti Patch for Windows for maintenance purposes.
Resolution
To purge the database of old data (clean up):
Using Database Maintenance tool built into Ivanti Patch for Windows:
- Launch Ivanti Patch for Windows.
- Navigate to Tools > Options > Database Maintenance (Tools > Operations > Database Maintenance in Protect)
- Change the Delete results older than (days) or max results to keep to the desired amount.Optional): Enable the 'Rebuild Indexes' options and the option to 'Backup database and transaction log'.
4. Click Run Now. You will be prompted to confirm you want to run the maintenance task.
5. After clicking to run the maintenance task you should see a pop up in the lower right of your screen stating the database maintenance task has started and will run in the background.
6. Wait approximately 15 minutes to allow time deletion of old results to take place. The operation runs as a background task and may take more or less time than this based on how many records are being deleted during the maintenance.
Alternate method of deleting results using Manage > Items
- In Ivanti Patch for Windows, go into Manage > Items from the menu.
- You can select specific results to delete, then click 'Delete selected', or you can click 'Delete All'. This needs to be repeated for each type of results that you want to delete from your database (Patch Scans, Patch Deployments, etc.).
- You will be prompted to confirm when you click a delete option.
- You will then see a progress bar showing the status of the deletion of results. If you have a large amount of results to be deteted, this can take some time to run.
Additional optional steps to be performed within SQL Management Studio:
- Launch the SQL Management Studio.
- Expand Databases.
- Right-click your ShavlikScans database and click Properties.
- Click Options.
- Change the Recovery Model from Full to Simple.
- Click OK.
- Right-click the IvantiScans database again and click Tasks.
- Click Shrink> Files.
- Change the File type to log.
- Under Shrink Action, click Reorganize pages before releasing unused space and set the Shrink file to field to 0.
- Click OK. This truncates the transaction log to 0 bytes.
- (Optional) Repeat Steps 8 through 10 and reset the Recovery model to Full.
- Right-click the ShavlikScans database again and click Tasks.
- Click Shrink> Database and click OK.
- Wait for the shrink operation to complete. In case of large databases, it may take a long time to complete.
Additional Information
If you are using SQL Express you may need to install the SQL Management Studio for express editions before you can perform the actions described above. The links for SQL Express Management Studio downloads can be found here.
Products
Ivanti Patch for Windows Servers 9.3.x
Protect 9.2.x
How To: Upload A File To Ivanti Support (FTP)
Purpose
The purpose of this document is to assist in uploading large files to the Shavlik Support team.
Description
1. Go to one of the following websites :
- If you have an account log on and go to Send a new package
- If you have never created an account or if your account is older than 7 days click on Register and Send Files :
- Enter the Technical Support Engineer's (TSE) email address and your email address:
If when registering you receive an error "Invalid registration info, invalid reCAPTCHA response, or not allowed to register from this location." please contact support. The issue is caused if the Support Engineer has not used their ftp account for 90 days and they will need to reactivate this before you can send your database to them.
- You will receive an email to with instructions on how to sign on to the system, please follow them. Your account will be active for 7 days, during this time you can upload files. Once the account has expired you will have to create a new one to upload any more files
- Login into moveit as shown in step 3.
- click on the Home link
- Here you click on the "Install and Enable the Upload/Download Wizard" link. The installer will guide you through the installation process.
This process will only work when using IE.
- Close your browser and login again as shown in step 3 and proceed with step 5.
- Enter the Engineer's email, Subject, Note and Upload your file, then click on Send:
- The technician will receive a notification by email
Affected Product(s)
Ivanti Patch for Windows
Shavlik Protect 9.x
Ivanti Patch for SCCM
Best Practice: Windows Automatic Updates
Purpose
The purpose of this document is to explain the best practices for Windows Automatic Update configuration in a Shavlik environment.
Description
When Windows Automatic Update is configured to check for updates, even if it is not configured to download or install them, it can cause slow deployments with Shavlik.
Recommendations
Configure settings at the local computer level.
Go to Control Panel> All Control Panel Items> Windows Update> Change settings and choose "Never check for updates (not recommended)" then hit OK.
Disable Automatic Updates through GPO.
1. Click Start, and then click Run.
2. Type gpedit.msc, and then click OK.
3. Expand Computer Configuration > Administrative Templates> Windows Components> Windows Update.
4. Select Configure Automatic Updates,choose Disabled, and hit Ok.
5. As GPO updates every 90 minutes, you can force this update to take effect by running the command gpudate /force.
More information on this process can be found in Configure Automatic Updates using Group Policy.
Windows Update Service
- From the local machine, open services.msc, find the Windows Update service, right-click and go to Properties. Stop the service first. Set the Startup type to Manual and then click Apply/OK to save the change.
- From GPO, go to Computer Configuration > Policies > Windows Settings > Security Settings > System Services. Find Windows Updates in the list, double-click to enter the configuration window. Check 'Define this policy setting' then select Manual. Click Apply/OK to save.
Remove specific intranet Microsoft update service location
- This is set in Group Policy Object Editor. Go to Computer Configuration > Administrative Templates >Windows Components >Windows Update. Find the setting "Specify intranet Microsoft update service location". If setting is currently configured, change to 'Not Configured'.
Additional Information
Methodology has changed in Windows 10 build 1511, 1607, and 1703. To disable Windows Automatic Updates for Windows 10 Build 1607 and 1703, view this document: How To: Disable Automatic Updates in Windows 10 1607 and 1703
Microsoft has reverted back to the methodology in this document with Windows 10 build 1709
Affected Product(s)
All Windows OS with the exception of Window 10 build 1511, 1607, and 1703
How To: Run a PowerShell Script with a Custom Action
Purpose
The purpose of this document is to outline how to configure a Deployment Template to use a Custom Action to execute a PowerShell script.
Steps
To execute a Custom Action, make sure you scan with a Patch Scan Template configured for Custom Actions (How To: Perform a Custom Action Complete Tutorial with Custom Actions), then deploy with the template you create following the steps below
In our example, we will create a Deployment Template to be used exclusively for this Custom Action. However, you can add a Custom Action to any Deployment Template you want.
- Click New > Deployment Template
- Configure the General and Reboot tabs however you need to
- On the Custom Actions tab, configure the following steps:
- Push your PowerShell Script
- Click New
- For Step 1, choose which deployments you want to perform this step (we'll choose "All deployments" since this template is purely for our PowerShell script, which means we'll skip "Step 2" on this tab)
- For Step 3, choose "Push File"
- For Step 4, enter or browse to the filepath for your PowerShell Script (e.g., C:\ExampleScript.ps1)
- Click Save
- Execute your PowerShell script
- Click New again to open a second action
- For Step 1, again choose which deployments you want to perform this step (this generally matches the same choice in the first action, but doesn't have to)
- For Step 3, choose when in your deployment to execute the script (we chose "After all patches", but it doesn't matter on a template like this that is only for the Custom Action)
- For Step 4, enter your command to call your script. In this example, our script is named ExampleScript.ps1. You simply call PowerShell using your script as an argument, like this:
- Push your PowerShell Script
PowerShell %PATHTOFIXES%ExampleScript.ps1
You can also call PowerShell with the -ExecutionPolicy switch to bypass a Restricted Execution Policy on the target machines, like this:
PowerShell -ExecutionPolicy Bypass -File %PATHTOFIXES%ExampleScript.ps1
NOTE: If your script name contains spaces, your command will require extra formatting to run properly. It's significantly less complicated if you name your script with no spaces, but it can be called like this:
PowerShell "& ""%PATHTOFIXES%Example Script.ps1"""
You'll need all of the quotation marks for it to be recognized as a proper argument - one before the & and then two at the beginning of the filepath, then three to close them all at the end.
- Click Save
Your Custom Actions tab should now look like this:
Affected Product(s)
Shavlik Protect 9.x
Ivanti Patch for Windows Servers 9.3+
How can I exclude Preview of monthly rollup and Preview of the quality rollup updates
How can I exclude Preview of monthly rollup and Preview of the quality rollup updates without having to create a new patch list each month and manually add them
Notification From Ivanti
I used to received email from Shavlik about newly released updates. Did this process end? I haven't received any notices of any kind for a few years. We've been a customer for a long time and would appreciate the communication..
Windows 10 Build Upgrade Fails with Error 2147483647
Purpose
To help identify what is blocking the upgrade of Windows 10 when deploying with Shavlik Protect 9.2.x or Ivanti Patch for Windows Servers (PWS) 9.3+
Symptoms
When you attempt to deploy a Windows 10 build upgrade using Protect/PWS, the deployment fails with error 2147483647
Cause
This may indicate something is preventing the installation of the upgrade, such as incompatible software or an application blocking the process from proceeding
Resolution
1. In an elevated command prompt, run the command:
fltmc filters
You should see a list like this:
This identifies possible filters that could be blocking the ISO from mounting properly (possibly antivirus, encryption software, etc.), and you will need to temporarily disable anything that is interfering to deploy the upgrade through Protect/PWS
2. Try executing the upgrade manually so that you can receive interactive prompts from the installer to identify what might be causing the issue. The example below shows the installer failing because of certain installed software being out of date, but because our process runs installers silently as the local System account, you would not see what was stopping the installation.
Additional Information
See this doc for more info about deploying Windows 10 Build Upgrades with Protect/PWS:
Windows 10 Build Upgrade Deployment Support in Protect 9.2+ and Patch for Windows Server 9.3+
Affected Product(s)
Shavlik Protect 9.2.x
Ivanti Patch for Windows Servers 9.3+
After reboot custom action is not running until user logon when deploying Windows 10 1803
Hi!
When we upgraded from Windows 10 1507 to 1709 we used a batch file in a custom action (after reboot) to change the default wallaper file. That way all users got our custom wallpaper at first logon.
We are now trying to do the same thing when upgrading from 1709 to 1803, but the batch file that changes the wallpaper is not run until a user is logging on, and at that time the user have already gotten Windows default wallpaper. Is this by design? Shouldn't the batch file be run during reboot, before users can logon?
Custom Actions:
Push File: <filepath>\ChangeWallaper.bat
Push File: <filepath>\img0.jpg (our custom wallpaper file)
After reboot: call %PATHTOFIXES%ChangeWallpaper.bat
All files are pushed out correctly and the batch file works, but it is just executed at the wrong time.
The last 5 lines in STDeploy.log before user logon:
2018-05-25T12:41:59.2986567Z 1bd4 I STPackageDeployer.cpp:478 Launching SafeReboot. deployerSpecifiedRebootRequired=true
2018-05-25T12:41:59.2986567Z 1bd4 I STPackageDeployer.cpp:390 SafeReboot command line: '"C:\windows\ProPatches\Installation\InstallationSandbox#2018-05-25-T-12-09-18\SafeReboot.exe" -o 8 -requestor 1 -power 4'
2018-05-25T12:41:59.4393167Z 1bd4 S DeployExeStates.cpp:409 Leaving STDeploy::CInitialExecutionPackageDeploy::DoStatefulRemediateActions.
2018-05-25T12:41:59.4393167Z 1bd4 I STDeploy.cpp:365 Current remediation phase completed. Process exit code: 3010.
2018-05-25T12:41:59.4393167Z 1bd4 S STDeploy.cpp:257 Leaving wmain.
And the first 5 lines after user logon:
2018-05-25T14:36:40.5522428Z 0fd8 S STDeploy.cpp:257 Entering wmain.
2018-05-25T14:36:40.6710626Z 0fd8 I STDeploy.cpp:262 'C:\windows\ProPatches\Installation\InstallationSandbox#2018-05-25-T-12-09-18\STDeploy.exe' is starting, version: 9.3.2708.0.
2018-05-25T14:36:40.8110531Z 0fd8 V DeployContext.cpp:259 STDeploy.exe command line args: 'package="C:\windows\ProPatches\Installation\InstallationSandbox#2018-05-25-T-12-09-18\deployPackage-16946.zip" "relaunchSandbox=C:\windows\ProPatches\Installation\InstallationSandbox#2018-05-25-T-12-09-18" "relaunchReason=afterPostDeploymentReboot=1"'
2018-05-25T14:36:40.8110531Z 0fd8 S DeployExeStates.cpp:344 Entering STDeploy::CExtendedCmdLineHandlingPackageDeploy::ProcessExtendedCmdLineArguments.
2018-05-25T14:36:40.8804006Z 0fd8 S DeployExeStates.cpp:344 Leaving STDeploy::CExtendedCmdLineHandlingPackageDeploy::ProcessExtendedCmdLineArguments.
After a while the batch file is executed.
2018-05-25T14:37:22.7928924Z 0fd8 I ChildProcess.cpp:114 Started C:\WINDOWS\sysnative\cmd.exe /U /Q /D /V:ON /C "call %PATHTOFIXES%ChangeWallpaper.bat"
Report needed - Inventory of all groups
regarding Ivanti Patch for Windows® Servers Standard 9.3.0 Build 4510
I've been asked to produce a report that details the inventory for all patching groups, meaning lists all the hostnames for the servers contained in each patching group.
Does something like this exist in the canned reports?
How To: Know When XML/Catalog Updates for Patch for Windows and Patch for SCCM Are Released and How to Receive Notifications
Purpose
This document will provide information about how to obtain information about Ivanti Patch for Windows XML updates (patch definitions) and Ivanti Patch for SCCM updates (catalog updates).
Description
Ivanti Patch for Windows
Generally the Shavlik content team will provide patch definition updates every Tuesday and Thursday. However, there are a few easy sources that can be used to see when new XML updates (patch definitions) are released.
1) XML Announcements Sign up: http://www.shavlik.com/forms/xmlsubscribe.aspx
You can sign up to receive Shavlik Protect content (patch definition) email notifications under the 'Shavlik Protect Content Updates' form here.
Or, send a blank email to subscribe-shavlik-xml@listserv.shavlik.com to sign up for these notifications.
2) Patch Data Information Blog Page: Shavlik Protect | Simplify and Automate your IT Management
This web page displays all patch definitions released by the Shavlik content team for the Protect application.
3) Patch Data Information RSS Feed: https://protect7.shavlik.com/
All the same information as protect7.shavlik.com in an RSS feed.
4) Patch Data Information Twitter: https://twitter.com/ShavlikXML
This Twitter account is updated every time an XML release is put out. This is a good alternative to recieving email notifications, depending upon your preferences.
Ivanti Patch for SCCM
Generally the Shavlik content team will provide catalog updates every Wednesday and Friday. These sources can help you stay up to date with those catalog updates.
1) Catalog Update Announcements: To sign up for catalog updates for Ivanti Patch for SCCM, please navigate to the blog page https://protectupdate.shavlik.com, click the Follow button in the bottom right hand corner of the page and enter your email address.
2) Patch Data Information Blog Page: https://protectupdate.shavlik.com
Affected Products
Ivanti Patch for Windows Servers 9.3.x
Shavlik Protect 9.2.x
Ivanti Patch for SCCM
Windows 10 Build Upgrade Deployment Support in Protect 9.2+ and Patch for Windows Server 9.3+
Purpose
The Shavlik Content Team has created a deployment for Windows 10 Version 1511, 1607, 1703, 1709, and 1803.
Deployment of Windows 10 Version 1511, 1607, 1703, 1709, or 1803 applies to systems with a Windows 10 OS already installed. The deployment will not work for systems with OS previous to Windows 10.
Description
What considerations must be taken into account prior to deploying Windows 10 Version 1511, 1607, 1703, 1709, or 1803?
- Encryption such as BitLocker must be disabled for the deployment to be successful. The machine must be able to fully reboot on its own to complete the deployment properly.
- The deployment of the Windows 10 build upgrade is effectively a full operating system install, which includes all of the potential risks of a traditional OS upgrade. This can include, but are not limited to:
- Blue screens (BSOD)
- Data loss
- Loss of existing settings
- Program incompatibility
- Driver incompatibility can cause the update to fail. The Windows 10 app can help find some of these problematic drivers. If this is not available on the endpoint, see here for assistance.
- There are multiple versions of the 1511 ISOs. Older versions are more likely to cause blue screens, or otherwise fail. It is strongly recommended to use the most recent published version of the ISO.
- The first release ISOs from November 2015 caused a BSOD or install failures on a number of systems. The install will then revert the machine to RTM. None of the defective ISO files made the machine unusable.
- Both the endpoint receiving the update and the console deploying it need to have sufficient hard drive space.
- The Shavlik Protect console needs to have at least 5GB free to download the ISO
- The endpoint that is receiving the update needs to have at least 10GB free, but 20GB is recommended
- When patching from a unpatched RTM version of Windows 10 to 1607, our internal QA found that there is a high chance of a BSOD occurring and the update reverting to the RTM state. This can be avoided by fully patching the Windows 10 RTM machine, rebooting, and then applying the 1607 update.
- This deployment method only works to upgrade an existing Windows 10 installation. Protect/Patch for Windows Servers cannot upgrade an older OS to Windows 10 (e.g., Windows 7 > Windows 10).
Step 1: Obtain the ISO
- The most recently published ISO that is needed for the build upgrade deployment can be found in two places, depending on which edition needs to be deployed:
- For Home and Pro endpoints, download the Media Creation Tool from Microsoft Tech Bench and follow the directions under "Using the tool to create installation media". Select the option to download the ISO file. "Windows 10" is the Edition for Windows 10 Professional, "Windows 10 Home Single Language" is the Edition for Windows 10 Home. This will download the most recent ISO available.
We currently do not support the Architecture selection of Both in the Media Creation Tool, please select the specific architecture you are supporting.
- For Enterprise and Education, obtain the correct ISO from MSDN or Microsoft Volume Licensing
Step 2: Prepare the ISO
- The ISO must be renamed to match the Shavlik naming scheme which includes the OS architecture, the edition, locale, and version. See below for examples
- Windows10x86Education1511.iso
- Windows10x64Enterprise1511_NL.iso
- Windows10x64Enterprise1607.iso
- Windows10x64Enterprise1703.iso
- Windows10x64Enterprise1709.iso
- Windows10x64Professional1709.iso
- Windows10x86Education1709.iso
- Windows10x64ProfessionalN1709.iso
- Windows10x64Enterprise1803.iso
- Windows10x64Professional1803.iso
- To find out exactly which naming scheme to use, scan the endpoint that will be receiving the update with the Shavlik Protect console or you can look up the update in View > Patches. Under "Bulletin Details", the File Name will show what the ISO needs to be renamed to. See below for an example:
- The renamed ISO must now be placed in the patch repository on the Shavlik Protect console. The default location for this is: "C:\ProgramData\LANDESK\Shavlik Protect\Console\Patches", but you can find where your patch repository location is set in Tools > Options > Downloads.
- For customers using distribution servers or agent-based patching, move the renamed ISO to the according Patch Store location
Step 3: Deploy the ISO
- Perform a patch scan of the desired machines. Once the scan is complete, go to the scan results and expand the Service Pack Missing list. For example:
- Select the 1803 (or 1511/1607/1703/1709 depending on which version is being deployed) option to deploy the update (do not select TH2). If the TH2 option is selected, or if the ISO file for 1511/1607/1703/1709/1803 is not named correctly or is not placed in the Patch Store, then errors will occur. For example:
- The Shavlik Protect/Ivanti Patch for Windows Servers deployment will verify different aspects of the deployment before staging it on the endpoint. It will verify that:
- The language of the ISO dropped into that Patch Store matches the language of the endpoint's OS
- The remote registry setting is saved
- The status of the built-in Admin account (enabled or disabled) is saved
- The endpoint receives all necessary scripts and files for the deployment
- The deployment of one of these updates can take up to and possibly longer than 3 hours. During this time the endpoint will boot to an installation environment after the ISO is successfully staged. Shavlik Protect has no way of interacting with this environment. If something goes wrong, the Windows 10 installer will attempt to roll back to the previous OS state, but this is not guaranteed.
- Once the deployment has been initiated, Protect will show the screen below. Since the deployment of these updates boots into a OS install environment, Shavlik Protect cannot get any feedback from it. If the description field returns 0, then all pre-deployment checks have passed and the target machine has rebooted into the OS install environment.
Step 4: Verifying the Deployment was Successful
- Once the endpoint has finished the install, use the console to re-scan the target. If the update deployment was successful, the re-scan will not show any missing service packs. See image below:
- The 1511/1607/1703/1709/1803 deployment can also be verified by going to the target and running the "winver" command. The About Windows pop up should show Version 1511, 1607, 1703, 1709, or 1803 depending on which was deployed.
Affected Products
Shavlik Protect 9.2
Ivanti Patch for Windows Servers 9.3
Remote Agent Uninstall
In my enterprise environment I have an avg of 50-200 machines at any given time that fail check-in (out of several thousand machines). At the end of my troubleshooting process, I found it most expedient to send the Uninstall Agent task to these machines, but that task only works "at the next agent check-in". The original issue is that the agents are not checking in...so the machines remain marked as "Uninstall Pending" indefinitely. My question is this...Is there a script already built to uninstall the agent on remote machines using msiexec /x or wmic or similar method independent of the Ivanti software itself?
Do you use agentless- or agent-based deployment?
Hi,
I just wanted to know which kind of patch deployment is most commonly used in different organisations.
Do you use agentless- or agent-based deployment or both? and why?
-Jimmy
ps. if someone knows how to create a poll, please tell me .
Can clients (with or without and agent) request/start a scan and update cycle? If so how?
Is it possible to initiate a scan and automatic update initiated from the client? Instead of the push update via the Protect server with a scheduled task?
When creating a new template/image for VDI roll out I want to implement a quick update cycle with all updates that are available instead of
opening the Avanti Protect console but start it from a script.
Is this possible or not?
Execute PowerShell script in elevated mode
While the suggestions at How To: Run a PowerShell Script with a Custom Action work for basic functions, I need to disable the SMBv1 setting on servers and that requires the PowerShell to run in an elevated version. I haven't been able to find anything that starts the PS session that way. Suggestions?
IEProxy.DLL being flagged as a virus Everytime im patching DMZ machines
Good morning all. I was hoping to save me a support call.
I have an issue that is constantly a problem every time we patch DMZ machines. We have a PAN, and every time there is an execution of patches being deployed; PAN is saying the source (dmz machine), and the destination (ivanti console), is saying this below:
Virus/Win32.WGeneric.rervj(2107546)reset-both
misc: IEProxy.dll
My only comment to this is, I am wondering if the DLL is being used to talk back to the Ivanti Console for listener feedback on patch status. Can someone confirm this for me? Or explain in detail as to how IEProxy.dll is being used during patching?
Error: ST Remote Scheduler Service Is Marked As An Interactive Service
Purpose
The purpose of this document is to address an Interactive Service error showing up in Windows logging relating to the ST Remote Scheduler Service (STSchedEx).
Symptoms
Customers running newer operating systems may see the following error in the Windows System event log:
The ST Remote Scheduler Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Cause
The error is due to the fact that some patches require the Scheduler to run as an interactive service to properly to execute the patch. On systems that do not allow interactive services, this can cause a minor monitoring/reporting issue since the error shows in the System event log, but the scheduler will execute as normal.
Resolution
If your monitoring system is flagging this error as an issue, you'll need to configure your software to whitelist or ignore this error. It's a false positive since it doesn't actually cause any problems.
Affected Product(s)
Shavlik Protect 9.x
Ivanti Patch for Windows Servers 9.3+