Purpose
This document will provide helpful tips and tricks for Ivanti Patch for Windows Servers.
Prerequisites
The following information assumes that you have a basic understanding of the functionality of Ivanti Patch for Windows Servers. If you are brand new to this product we recommend you check out the following training resources:
Overview
Licensing
- Licensing is based on use of deployment seats. One deployment seat is taken for 45 days when:
- You deploy to a machine in an agentless configuration
- An agent checks in in an agentless configuration
- Because deployments to hosted virtual machines differ from deployments to physical machines, deploying to the same machine as both a hosted virtual machine and a physical machine will result in two deployment seats being taken.
- There is no way to force removal of a deployment seat. If you run out of seats you must request additional seats from your account manager or in a temporary situation request temporary seats from Support.
- For more information about licensing in Ivanti Patch for Windows Servers, please check out How To: Managing License Seat Usage with Shavlik Protect .
Database
- While Patch will be installed with SQL Express by default, you should install a full version of Microsoft SQL Server if you plan on the database containing more than 10 GB of data as that is the SQL Express limit.
- You can view the instance and database that your console is connected to at the bottom of Help > About in the Ivanti Patch for Windows Servers console.
- If you are using a local database, you can check the actual database file by going to C:\ProgramFiles\Micrsoft SQL Server\...\Data.
View > Event History
- View > Event History shows the status and information for tasks executed in the background such as scheduled console tasks, database maintenance, and distribution server syncs.
- You can see inforamtion about a certain event in View > Event History by clicking on the event and looking at the information in a pain underneath the event window.
View > Patches
- Search for the numbers in KBs such as "9405382" instead of "KB9405382" or "Q9405382"
- When searching for a specific KB, Q number, or Bulletin ID, make sure that you have the most recent data in your console and all options selected in your filters as is discussed in this document How To: View All Patches, Software Distributions, Security Tools and Service Packs in Protect 9.2
View > Machines
- View > Machines is a view of the database and therefore any machine that you have ever successfully scanned will show up here unless you right click the machine and select to delete it.
- Only machines that have been successfully scanned through a particular machine group agentlessly will show up associated with that particular group in View > Machines. This is discussed in further detail here Understanding Machine Groups and the Machines View
Agentless Scan and Deployment
Scanning
- You can only scan the amount of machines that you are licensed for at one time. For example, if you have a license for 3000 workstations and 200 servers, you can only scan 3000 workstations and 200 servers at one time.
- Ensure that you meet the prerequisites discussed in the Configuration Requirements section under System Requirements in the Patch administration guide https://help.ivanti.com/sh/help/en_US/PWS/93/ag-pws-9-3.pdf before scanning.
- You can find information on almost any scan error here Troubleshooting Shavlik Protect Patch Scan Error Messages
Deployment
- Ensure that Windows Automatic Updates is disabled on machines that you deploy to. You can disable Windows Automatic Updates via Group Policy or locally following the steps here Best Practice: Windows Automatic Updates.
- If you have antivirus or malware prevention software on your clients and you see strange behavior in your deployments or reboots, whitelist the items under the Agentless Deployments section in this document Antivirus Exclusions For Patch Deployments
- If your deployment remain at the status scheduled in your console, but patches are installed on your clients, follow the steps in this document to fix your deployment tracker Deployment Tracker Stuck At Scheduled During Deployment But Patches Install
- We include the following deployment logs in C:\Windows\ProPatches\Logs:
- STDeploy.log - This gives feedback on the deployment process itself.
- STDeploycore.log - This gives feedback on the specific patch installation and you can find patch return codes by doing a search in the log for the word "Return".
- STdplyevnts.log - This gives feedback on the deployment tracker.
- Safereboot.log This gives feedback on the reboot process.
- Keep in mind that all log times are in GMT.
- For more information on our deployments please see Shavlik Protect 9.2 Deployment Process Workflow and Troubleshooting
Agents
- It is recommended that you check the items mentioned in this document Agent Status Message: "Agent didn't respond" before installing agents that you intend to control from the console.
- You can control agents on your network from the console by right clicking a particular machine with an agent installed in View > Machines, selecting Agent from the menu and then selecting a desired task.
- When using a cloud agent, you can force a change to the agent over the cloud quickly by going to Tools > Options (Operations in Protect 9.2) > Protect Cloud Sync > Force Full Update Now.
Additional Resources
- Protect Console Information and Troubleshooting
- Agent Information and Troubleshooting
- Protect Cloud Agent Information and Troubleshooting
- ESXI Host - Hypervisor Information and Troubleshooting
- Hosted Virtual Machine and Template Information and Troubleshooting
- Report and Views Information and Troubleshooting
- Patch Scanning Information and Troubleshooting
- Shavlik Protect Deployment Information and Troubleshooting
- Custom Action, Custom Patch, and ITScript Information and Troubleshooting
- Troubleshooting Detection Issues in Shavlik Protect
Affected Product(s)
Ivanti Patch for Windows Servers (Shavlik Protect) 9.2, 9.3