Overview

Changes to expect in the Ivanti Content:

• With the Ivanti Content release on 04/25/2018, we will be removing detection only patches for machines that do not have the AV registry entry as per the Microsoft article above and will be offering the patches in this document to applicable machines.

Affected patches:

• MS18-01-IE Q4056568 - Cumulative Updates for Internet Explorer
• MS18-01-SO7 Q4056897 - Security Only Update for Windows 7 and Server 2008 R2
• MS18-01-SO81 Q4056898 - Security Only Update for Windows 8.1 and 2012 R2
• MS18-01-MR7 Q4056894 - Monthly Rollup for Windows 7: January 4, 2018
• MS18-01-MR81 Q4056895 - Monthly Rollup for Windows 8.1 and 2012 R2: January 8, 2018
• MS18-01-W10 Q4056888, Q4056890, Q4056891, Q4056892, Q4056893 - Cumulative Update for Windows 10 and Server 2016

• MS18-02-IE Q4074736 - Cumulative security update for Internet Explorer: February 13, 2018
• MS18-02-SO7 Q4074587 - Security Only Update for Windows 7 and 2008 R2: February 13, 2018
• MS18-02-SO81 Q4074597 - Security Only Update for Windows 8.1 and 2012 R2: February 13, 2018
• MS18-02-MR7 Q4074598 - Monthly Rollup for Windows 7: February 13, 2018
• MS18-02-MR81 Q4074594 - Monthly Rollup for Windows 8.1 and 2012 R2: February 13, 2018
• MS18-02-W10 Q4074588, Q4074592, Q4074596, Q4074590, Q4074591 - Cumulative Update for Windows 10 and Windows Server 2016

Affected CVEs:

• CVE-2017-5753
• CVE-2017-5715
• CVE-2017-5754

Link to Security bulletin advisory:  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

Additional Information

How to scan for specific patches: How To: Include or Exclude Specific Patches in Scan Results in Shavlik Protect

How to deploy these patches:  How To: Deploy Windows Security OOB updates released January and February 2018

How to add the registry using Security Tool IVA18-002 Q4072699: Security Tool: Implement the QualityCompat registry key that enables Windows security updates released on January 3, 2018

Affected Products

Ivanti Patch for Windows Servers 9.3.x

Shavlik Protect 9.2.x

Purpose

Instructions

You will be creating a Scan Template and Patch Group to specifically target this Security Tool.  This will allow you to scan with automatic deployment without having to worry about installing other Security Tools we offer.  We will be offering 2 Security Tools, one to implement the registry keys and another to remove the registry keys.

• IVA18-001 Q4072698: This tool enables the fix for ADV180002
• IVA18-001 Q4072698U: This tool disables the fix for ADV180002

Creating the Patch Group

A Patch Group contains a list of patches you can use to use as a baseline (to scan for) or use to exclude from scan results. We will be using a Patch Group as a baseline to scan for IVA18-001 Q4072698.

1. Navigate to New > Patch Group.  Enter a Name for the Patch Group and optionally a Description. Click Save.

2. Search for IVA18-001 or 4072698. Right-click on the Security Tool IVA18-001 Q4072698 and choose Add to Patch Group then choose the Patch Group you created.

3. The Patch Group is created and can be added to the Patch Scan Template, close the Patches window.

Creating the Patch Scan Template

The Scan Template, along with your new Patch Group will help you scan for the new Security Tool.

1. Navigate to New > Patch Scan Template. 

2. Give the Scan Template a Name, matching the Patch Group Name is advisable.

3. In the Baseline or Exceptions section, choose Baseline and check-mark your Patch Group. (no other filtering is needed)

4. The Scan Template should look similar to this:

5. The Patch Scan Template is created, Click Save.

Scanning for the Security Tool

The setup is complete, you can use your new Patch Scan Template to scan for the new Security Tool IVA18-001 Q4072698. The Security Tool will show missing on systems that do not have the registry keys on them and can be deployed like a regular update.  A reboot is required.

Additional Information

• The target systems need to be restarted after running the Security Tools to enable or disable the registry keys for the changes to take effect.
• You can follow these instructions to scan for the uninstall Security Tool by creating a Patch Group including the IVA18-001 Q4072698U version of the tool.

Affected Product(s)

Ivanti Patch for Windows Servers 9.3.x

Shavlik Protect 9.2.x

Purpose

The purpose of this document is to go over what to do when the deployment tracker fails to update beyond Scheduled.

Symptoms

• Deployment tracker will stay at scheduled despite the deployments being initialized on the target machines being deployed to.
  
• Deployment tracker shows scheduled:

• When looking at the STDeployerCore.log on the target machine(s), you will see results similar to below indicating the patches were installed successfully:

2016-10-06T21:01:35.1775494Z 0b78 I DeploymentPackageReader.cpp:782 Deploy package 'C:\Windows\ProPatches\Installation\InstallationSandbox#2016-10-06-T-21-00-54\deployPackage-2855.zip' successfully opened unsigned for package IO

2016-10-06T21:02:38.2639494Z 0b78 I Authenticode.cpp:134 Verifying signature of C:\Windows\ProPatches\Patches\Windows6.1-KB2544893-x64.msu with CWinTrustVerifier

2016-10-06T21:02:38.3263494Z 0b78 V UnScriptedInstallation.cpp:29 Executing (C:\Windows\ProPatches\Patches\Windows6.1-KB2544893-x64.msu /quiet /norestart), nShow: true.

2016-10-06T21:02:47.7895494Z 0b78 V ChildProcess.cpp:140 Process handle 000004FC returned '0'.

Cause

• Port 3121 being blocked.
  • Port Requirements for Shavlik Protect
• The Deployment Template used for the deployment doesn't have 'Send Tracker Status' enabled.
• The Console Alias Editor doesn't have the NetBIOS name, FQDN, and IP address of the Protect console added to it.
• The Shavlik Scheduler is in a corrupted state.
  

Resolution

1. Ensure that port 3121 is not being blocked in your network. Perform a telnet command from the target machine(s) to your Protect console machine's IP or FQDN address.

telnet {console IP/FQDN} 3121

     If Telnet is not installed, you will see the following:

     To Enable Telnet:

     If the port is blocked, you will see a similar error:

   If at this point you see the port fail to connect, you will need to make sure that 3121 is enabled in your network before attempting to deploy again.

     If the port is not blocked, you should see a blank command prompt:

2. Once you have confirmed that port 3121 is able to connect, check to ensure that your Deployment Template being used has 'Send Tracker Status' enabled:

3. Confirm that either TLS 1.0 is enabled between the console and the problem client machine or TLS 1.2 is properly configured Disabling TLS 1.0 may causes issues with Protect and Patch for Windows Servers.

4. Verify that you 'Console Alias Editor' has all of the following located within it:

• Console NetBIOS name
• FQDN
• IP address

Tools > Console Alias Editor

Once updated, test your deployment again. If the device is able to properly connect, the tracker status will updated as expected.

If after updating the 'Console Alias Editor' the deployment status is still showing 'Scheduled', you will find in the dplyevts.log file on the target machine something similar to the following:

PingBack.cpp:63 Sending data to 'https://PROTECT-92-5119:3121/ST/Console/Deployment/Tracker/V92' failed: 12002.

If you find something similar to the above, you will need to uninstall the scheduler service from the machine(s).

Protect 9.2:

Manage > Scheduled Remote Tasks

Find device(s) being deployed to, right click the machine and select 'Refresh Selected':

Device will be shown as 'Online':

Once online, right click the device again, go to Scheduler service > Uninstall:

Patch for Windows Servers 9.3:

View > Machines

Find the device affected using the search window

Highlight machine > Right-click > View scheduled tasks

Click Uninstall to remove the scheduler service.

NOTE: To validate scheduler is uninstalled, go to C:\Windows\ProPatches and if you don't see a folder named Scheduler, the service was uninstalled.

Test another deployment to your target machine(s). During this deployment, the Scheduler service will reinstall and should update the deployment tracker to show the deployment operation executing.

Additional Information

• Deciphering Shavlik Protect Deployment Tracker Status Messages
• Using Telnet to Test Ports
• Understanding installer return codes

Affected Products

Shavlik Protect 9.2.x

Ivanti Patch for Windows Servers 9.3.x

Purpose

This document outlines how to use the Nullpatch.exe patch for Custom Actions.

Symptoms

A Custom Action may include executing a specific command or invoking a custom batch file at specified time(s) during the deployment process. You can specify custom files and actions that occur during every deployment that uses the template, or only for those deployments that install a specific patch or service pack.

Note: A Custom Action will only run if a deployment occurs. If there are no missing patches selected to deploy to a target machine, the Custom Action will NOT occur.

Because a Custom Action will only run when there is a 'missing' patch to deploy with, Shavlik has created a patch called 'Nullpatch.exe'.

This item will allow you to perform 'custom actions' on selected machines.  Create a deployment template with a custom action, then deploy this 'patch' to execute the custom action on the remote machine.  (the patch associated with this item does not install anything on the target systems).

Steps

1. Create a NewDeployment Template;enter a Name for theTemplate, andSaveit.
   1. Alternatively - open an existingDeployment Templateyou wish to modify.
2. Click theCustomActionstab.
3. Click theNewoption.

4. The Custom Actions window will now be open

1. Specify what patch deployment action will trigger the command.
2. If in Step 1 you indicate that only the deployment of specific patches or service packs will trigger the command, specify those files here.
3. Specify when during the patch deployment process the command will be triggered. The choices will depend on the selection made in Step 1.
   • If the action is to be applied to all deployments that use this template, then the choices are:
     • Before any patches are installed
     • Before each patch is installed
     • After each patch is installed
     • After all patches are installed (but before reboot)
     • After reboot

This allows you to perform actions such as custom logging.

• If the action is to be applied to a specific patch or service pack, then the choices are:
• Before any patches are installed
• Before the patch/service pack file selected in Step 2 is installed
• After the patch/service pack file selected in Step 2 is installed
• After all patches are installed (but before reboot)
• After reboot

This allows you to perform actions only when pushing a specific patch or service pack to a target machine using this deployment template.

• You can also choose to push a custom file (such as a custom batch file or custom executable file) to the target machines as part of the deployment by selecting Push File.

4. Specify the file to push or the command to execute. The command will be inserted into the patch installation batch file at the point(s) specified in Step 3. If Step 3 specifies Push Filethen the specified file will be copied to the target machines and put in the ProPatches\Installdirectory. You can reference the file in other custom actions by specifying %PATHTOFIXES%Install\file_name.

Example 1: If you push the file myFile.exe, you can execute that file with the following custom command: %PATHTOFIXES%Install\myFile.exe.

Example 2: If you push the batch file myCommands.batto the target machines, you can invoke the batch file at the appropriate point in the deployment with the following custom command:
call%PATHTOFIXES%Install\myCommands.bat.

Related Documents

• NullPatch.exe/Noop.exe Information
• Null.exe or Noop.exe False-Positive
• Custom Action - Remove the Remote Scheduler
• Custom Action - Uninstall a Program
• Delete Patches from Target After Deployment

Affected Product(s)

Protect Version: All

Purpose

This article provides steps to completely remove all components of the Protect/Patch for Windows Servers (PWS) agent from a client system and then perform a clean re-installation of the agent.

Resolution

To uninstall and then reinstall the agent:

1. Uninstall the Shavlik Protect/Ivanti PWS Agent and its components from Add/Remove Programs or Programs & Features in the Windows Control Panel.
2. Delete the ProgramData folder: C:\ProgramData\LANDesk\Shavlik Protect
3. Delete the C:\Program Files\LANDesk\Shavlik Protect Agentfolder

4. Delete the relevant certificates.
   
   To delete certificates:
   1. ClickStart>Run, type mmc, and clickOK. The MMC Snap In window opens.
   2. ClickFile>Add/Remove Snap-In.
   3. Under Available Snap Ins, selectCertificates.
   4. ClickAdd.
   5. Select theComputer Accountoption and clickNext.
   6. Ensure that theLocal Computeroption is selected and then clickFinish.
   7. Close the Add or Remove Snap Ins window.   
      You should now see Certificates listed under Console Root.
   8. Expand Certificates.
   9. Delete these certificates that are listed as being issued by ST Root Authority:
      • Personal\Certificates
      • Trusted Root Certification Authorities\Certificates
      • Intermediate Certification Authorities\Certificates
   10. Close the window.
5. Verify that the agent machine keys are removed.

Do not delete any certificates or files in theCrypto\RSA\MachineKeysfolder that you are not sure about. If you have any questions, contact Shavlik Support.

6. Open regedit and navigate to HKEY_CLASSES_ROOT\Installer\UpgradeCodes\

        Delete or rename the key that contains any of the GUIDS below:

        Make sure to use the corresponding GUID for the version of Protect you are attempting to uninstall.

• Protect 9.2.x:                                    {FD2F9A1228457E545BD699619B461852}
• Patch for Windows Servers 9.3.x     {FD2F9A1228457E545BD699619B461852}

7. Delete the following registry key, if it exists: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LANDESK\Shavlik Protect\Agent
8. Reboot the machine.
9. (Optional) Install the agent either from the Protect console or using the manual installer package.

Affected Product(s)

Shavlik Protect 9.x

Ivanti Patch for Windows Server 9.3+

Purpose

The Shavlik Content Team has created a deployment for Windows 10 Version 1511, 1607, 1703, 1709, and 1803.

Deployment of Windows 10 Version 1511, 1607, 1703, 1709, or 1803 applies to systems with a Windows 10 OS already installed. The deployment will not work for systems with OS previous to Windows 10.

Description

What considerations must be taken into account prior to deploying Windows 10 Version 1511, 1607, 1703, 1709, or 1803?

• Encryption such as BitLocker must be disabled for the deployment to be successful.  The machine must be able to fully reboot on its own to complete the deployment properly.
• The deployment of the Windows 10 build upgrade is effectively a full operating system install, which includes all of the potential risks of a traditional OS upgrade. This can include, but are not limited to:
  • Blue screens (BSOD)
  • Data loss
  • Loss of existing settings
  • Program incompatibility
• Driver incompatibility can cause the update to fail. The Windows 10 app can help find some of these problematic drivers. If this is not available on the endpoint, see here for assistance.
• There are multiple versions of the 1511 ISOs. Older versions are more likely to cause blue screens, or otherwise fail. It is strongly recommended to use the most recent published version of the ISO.
  • The first release ISOs from November 2015 caused a BSOD or install failures on a number of systems. The install will then revert the machine to RTM. None of the defective ISO files made the machine unusable.
• Both the endpoint receiving the update and the console deploying it need to have sufficient hard drive space.
  • The Shavlik Protect console needs to have at least 5GB  free to download the ISO
  • The endpoint that is receiving the update needs to have at least 10GB free, but 20GB is recommended
• When patching from a unpatched RTM version of Windows 10 to 1607, our internal QA found that there is a high chance of a BSOD occurring and the update reverting to the RTM state. This can be avoided by fully patching the Windows 10 RTM machine, rebooting, and then applying the 1607 update.
• This deployment method only works to upgrade an existing Windows 10 installation.  Protect/Patch for Windows Servers cannot upgrade an older OS to Windows 10 (e.g., Windows 7 > Windows 10).

Step 1: Obtain the ISO

• The most recently published ISO that is needed for the build upgrade deployment can be found in two places, depending on which edition needs to be deployed:
  • For Home and Pro endpoints, download the Media Creation Tool from Microsoft Tech Bench and follow the directions under "Using the tool to create installation media". Select the option to download the ISO file. "Windows 10" is the Edition for Windows 10 Professional, "Windows 10 Home Single Language" is the Edition for Windows 10 Home. This will download the most recent ISO available.

• For Enterprise and Education, obtain the correct ISO from MSDN or Microsoft Volume Licensing
  

Step 2: Prepare the ISO

• The ISO must be renamed to match the Shavlik naming scheme which includes the OS architecture, the edition, locale, and version. See below for examples
  • Windows10x86Education1511.iso
  • Windows10x64Enterprise1511_NL.iso
  • Windows10x64Enterprise1607.iso
  • Windows10x64Enterprise1703.iso
  • Windows10x64Enterprise1709.iso
  • Windows10x64Professional1709.iso
  • Windows10x86Education1709.iso
  • Windows10x64ProfessionalN1709.iso
  • Windows10x64Enterprise1803.iso
  • Windows10x64Professional1803.iso

• To find out exactly which naming scheme to use, scan the endpoint that will be receiving the update with the Shavlik Protect console or you can look up the update in View > Patches. Under "Bulletin Details", the File Name will show what the ISO needs to be renamed to. See below for an example:

• The renamed ISO must now be placed in the patch store on the Shavlik Protect console.. The default location for this is: "C:\ProgramData\LANDESK\Shavlik Protect\Console\Patches"
• For customers using distribution servers or agent-based patching, move the renamed ISO to the according Patch Store location
  

Step 3: Deploy the ISO

• Perform a patch scan of the desired machines. Once the scan is complete, go to the scan results and expand the Service Pack Missing list. For example:

• Select the 1803 (or 1511/1607/1703/1709 depending on which version is being deployed) option to deploy the update (do not select TH2). If the TH2 option is selected, or if the ISO file for 1511/1607/1703/1709/1803 is not named correctly or is not placed in the Patch Store, then errors will occur. For example:

• The Shavlik Protect/Ivanti Patch for Windows Servers deployment will verify different aspects of the deployment before staging it on the endpoint. It will verify that:
  • The language of the ISO dropped into that Patch Store matches the language of the endpoint's OS
  • The remote registry setting is saved
  • The status of the built-in Admin account (enabled or disabled) is saved
  • The endpoint receives all necessary scripts and files for the deployment
• The deployment of one of these updates can take up to and possibly longer than 3 hours. During this time the endpoint will boot to an installation environment after the ISO is successfully staged. Shavlik Protect has no way of interacting with this environment. If something goes wrong, the Windows 10 installer will attempt to roll back to the previous OS state, but this is not guaranteed.
• Once the deployment has been initiated, Protect will show the screen below. Since the deployment of these updates boots into a OS install environment, Shavlik Protect cannot get any feedback from it. If the description field returns 0, then all pre-deployment checks have passed and the target machine has rebooted into the OS install environment.

Step 4: Verifying the Deployment was Successful

• Once the endpoint has finished the install, use the console to re-scan the target. If the update deployment was successful, the re-scan will not show any missing service packs. See image below:

• The 1511/1607/1703/1709/1803 deployment can also be verified by going to the target and running the "winver" command. The About Windows pop up should show Version 1511, 1607, 1703, 1709, or 1803 depending on which was deployed.

Affected Products

Shavlik Protect 9.2

Ivanti Patch for Windows Servers 9.3

Purpose

These steps are intended for use if you need to remove the Ivanti (ST) Remote Scheduler service from multiple systems.

Steps

1. Please download the attached zip file at the bottom of this document called "RemoveScheduler.zip". Extract the files from this zip. The files have been renamed to avoid conflict during download so you will need to make sure they are named as follows:
   1. Stopscheduler.bat
   2. DeleteScheduler.reg
2. Create a folder to contain these files for deployment. We recommend creating a folder titled RemoveSched or similar under your current patch repository (patch download directory). The default patch repository is located in the following:
   1. For Vista/2008/7/8/2012: C:\ProgramData\LANDesk\Shavlik Protect\Console\Patches
   2. For 2003/XP: C:\Documents & Settings\All Users\Application Data\ LANDesk\Shavlik Protect\Console\Patches
3. Create a new patch scan template within the Ivanti console, and call it “Custom Action Scan”. This scan template can be used for future custom action scans as well if you like.
   1. The scan template should have the Patch Type Filter set to ‘Scan Selected’ with only the ‘Custom Actions’ patch type selected.
   2. No other settings need to be changed in the template. Click Save.
      
4. Create a new Patch Deployment Template, and call it “Custom Action to Remove Scheduler”. Make sure to set the following settings:
   1. On the General Tab, deselect the ‘Send Tracker status’ option. This change is so that the tracker doesn’t falsely report the deployment as failed. Be aware you will not receive a tracker status for this deployment.
      
   2. Go to the Post-deploy Reboot tab, and set this to ‘Never reboot after deployment’.
      
   3. Go to the Custom Actions Tab, and Click ‘New’ to create a new step in the custom action. All of these will use the setting at the top as ‘All deployments using this template’. Set up the following:
      • Step 3: Push File
      • Step 4: Path to the Stopscheduler.bat
        
   4. Create another action like the one above, this time for the DeleteScheduler.reg file. Click ‘New’ to create a new step in the custom action. All of these will use the setting at the top as ‘All deployments using this template’. Set up the following:
      • Step 3: Push File
      • Step 4: Path to the DeleteScheduler.reg
        
   5. Now create a new action to stop the scheduler service. This one will differ from the previous 2 actions by having step 3 occur "before any patches".
      • Step 3: Before any patches;
   6. For Protect 9.0 and 9.1:Step 4: CALL %pathtofixes%Install\Stopscheduler.bat
   7. For Protect 9.2 and Ivanti Patch for Windows 9.3+: Step 4. CALL %pathtofixes%\Stopscheduler.bat

Here is what the complete custom action should look like (all steps):

Using the Custom Action Scan and Deployment Template

Run a scan on any machines you wish to remove the scheduler from using the Custom Action Scan template that you created. You should see the dummy patch (bulletin MSST-001) shown as missing. This will always show as missing.

1. Right click and choose to deploy. Then make sure to choose your deployment template of Custom Action to Remove Scheduler.
2. This will not push any actual patches, but it will allow the custom action in the template to run. It will in turn remove the registry key for the scheduler.
3. *Important* The the next time you deploy patches the scheduler service will be reinstalled. You can also reinstall the scheduler service by going into the Ivanti console under Manage > Scheduled Tasks. Right click on a system in the left column, then choose Scheduler Service > Install.

Purpose

Previously deployed patches show as missing in Protect.

Cause

This issue occurs when Protect cannot locate the patch you installed. It is possible that the patch is delivered to the remote system, but is never executed. This may happen if the scheduler does not start the deployment. This can also happen if the patch requires a reboot to fully install, and a reboot has not been performed before running another scan.

Resolution

Before you begin, ensure your system is rebooted after the patch is installed. Patches that require a reboot after am installation are not fully installed until a reboot takes place and they will appear as missing. Do not rescan before deployment is complete, or patches may show as missing.  Perform another scan after the system has been rebooted.

To determine whether or not the deployment actually started, go to C:\Windows\ProPatches and look in the Staged folder. If there is nothing in the Staged folder then the deployment has started, but if there are directories in the Staged folders one or more deployments have not started. You can also detemine whether or not patches recently ran by going to C:\Windows\ProPatches\Logs\STDeployercore.log and looking for recent entries and return codes. Keep in mind that the times will be in GMT.

To manually test this on the target machine, launch the patch file manually and follow the prompts. Note errors that are displayed during the installation process and inform Technical Support accordingly - screenshots may be useful.

If the re-can scan does not result in showing the patch as installed, it is possible you are experiencing a different issue. To further examine your case, contact support (http://www.shavlik.com/support/contact/). You should have the following information ready before contacting Shavlik Technical Support:

• What is the product name and version build number you are experiencing issues with?
• The Operating System of the console machine.
• The Operating System of the target machine.
• The number of the patch that continues to show as missing.
• Are you using a custom Patch Scan Template?
• Are you using a custom Deployment Template?
• Did you allow a reboot before scanning the machine again?
• What are the exact steps required to reproduce this issue?

Gathering logs for support: Reproduce the issue and generate logs based on the steps in this document: http://community.shavlik.com/docs/DOC-22921

Affected Products

Ivanti Patch for Windows 9.3.x

Shavlik Protect 9.2.x

Purpose

This article provides information about the port requirements for Shavlik Protect.

Symptoms

Features of Protect and Protect Agents may not work if these ports are blocked.

Description/Resolution

You will need to ensure the following ports are open/allowed for the corresponding features of Protect to work.

Inbound Ports

Outbound Ports

Additional Information

There is a port requirements table within Protect under Help > Contents > System Requirements.

In some locked down environments, you will also need to specifically allow traffic over the default dynamic port range which is: 49152 - 65535.

How to use Telnet to test the connection over specific ports

How to configure Windows Firewall port exceptions

Explanations of port requirements

Configurable Ports

Affected Product(s)

All Versions

Purpose

The purpose of this document is to highlight a Microsoft Windows Task Scheduler bug that can cause your monthly scheduled console tasks to run a week early or not at all.

Symptoms

The Ivanti Patch for Windows Servers console is installed on Windows Server 2016 or Windows 10, and you have a monthly console task that is set to run on a specific occurrence of a day of the week (4th Wednesday, 2nd Saturday, etc.).  Occasionally, this task executes exactly one week early or not at all.

Cause

Microsoft has confirmed a bug in the Windows Server 2016/Windows 10 Task Scheduler that will execute scheduled tasks one week early or not at all when specific conditions are met:

• The monthly task is set to execute on a specific occurrence of a day of the week (4th Wednesday, 2nd Saturday, etc.)
• The date the task is scheduled to execute is a multiple of 7 (7th, 14th, 21st, or 28th)

If these conditions exist and the task is scheduled to execute on the 7th, the task will not run.

If these conditions exist and the task is scheduled to execute on the 14th, 21st, or 28th, the task will execute one week early.

NOTE: This bug does not affect one-time tasks scheduled for an explicit time and date or monthly tasks set for a specific day of the month.  This will only affect monthly tasks scheduled for a certain occurrence of a day of the week.

This calendar from Microsoft's TechNet post regarding the issue illustrates the affected days of 2018.  Tasks scheduled days circled in red will execute one week early, while tasks scheduled on the days circled in grey will not execute.

• NOTE: Microsoft originally stated this issue would not affect April and October as illustrated on the calendar below, but they have updated the TechNet post linked above to indicate the issue is occurring in April.  We recommend operating under the assumption this bug will surface in any month until Microsoft has released a fix for it.

Resolution

There is no workaround, but Microsoft is aware of the issue and is working on a resolution.

Additional Information

Microsoft has acknowledged this issue and describes it further on their TechNet AskCore Japan blog:

https://blogs.technet.microsoft.com/askcorejp/2017/12/11/mouthly_tasks_issue/

Affected Product(s)

Shavlik Protect 9.2.x

Ivanti Patch for Windows Servers 9.3.x

Purpose

The purpose of this article is to go over the issues that may arise when TLS 1.0 is disabled in the environment and how to get Shavlik Protect and Patch for Windows Servers to work with TLS 1.2.

Symptoms

Per PCI requirements, all SCHANNEL protocols are vulnerable, except for TLS 1.2. Organizations may already have a GPO in place to disable all the protocols, except for TLS 1.2 (namely SSLV2, SSLV3, TLS1.1, and TLS1.0). Issues that can arise when these channels are disabled include:

• Connection to Shavlik Protect SQL database cannot be established:

Attempting to recover from a broken connection in the database connection pool. Attempt: 1, connection state: Closed, error: System.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - No process is on the other end of the pipe.) ---> System.ComponentModel.Win32Exception (0x80004005): No process is on the other end of the pipe

• Commands to Shavlik Protect Agents are unsuccessful - Agents did not respond:

System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to https://consolename.FQDN:3121/ST/Console/STS/ConsoleSTS. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. --->System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

• Cannot download patches from vendors:

The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

• Deployment Tracker gets stuck at Scheduled or Executing when deploying to target machines

Cause

TLS 1.0 is not enabled.

Resolution

You must either enable TLS 1.0 or configure TLS 1.2 correctly using Enabling TLS 1.2 for Shavlik Protect and Ivanti Patch for Windows .

Affected Product(s)

Ivanti Patch for Windows Servers 9.3

Shavlik Protect 9.x

Overview

We have seen numerous changes to how Microsoft content was being organized through 2016 and 2017, the two main changes being the following:

1. On October 2016, Microsoft moved to a security bundle and monthly patch rollup model for Windows 7 and newer, supplying a single KB each respective branch.

2. On April 2017, Microsoft abandoned the Security Bulletin model that had been used for nearly 20 years.

The Ivanti Content team has worked hard to accommodate these changes, while attempting to preserve the previous bulletin organization. This allowed our customers to navigate these drastic changes with confidence, ensuring the updates released each month were properly accounted for. It has been a year since the last major change to Microsoft’s patching model.In response to this, the Ivanti Content team is normalizing our content to be more consistent each month. The more readable bulletin model is preserved, with the Microsoft KB appended to the end.

The new Security Bulletin mappings our products will be using: MS[YY]-[MM]-[PP]-[KB]

• MS = Microsoft
• YY = Year
• MM = Month Released
• PP =  Product
• Followed by the KB number

Here are some examples:

• MS18-03-OFF-3114416
  • All Office patches
• MS18-03-IE-4089187
  • All IE patches
• MS18-03-AFP-4088785
  • All Microsoft released Flash patches
• MS18-03-W10-4088776
  • All Windows 10 patches, rollups and Deltas
• MS18-03-SO7-4088878
  • Security Only Update for Windows 7 and Server 2008 R2
• MS18-03-SO8-4088880
  • Security Only Update for Server 2012
• MS18-03-SO81-4088879
  • Security Only Update for Windows 8.1 and Server 2012 R2
• MS18-03-MR7-4088875
  • Monthly Rollup for Windows 7 and Server 2008 R2 (this is the rollup that includes non-security fixes)
• MS18-03-MR8-4088877
  • Monthly Rollup for Server 2012 (this is the rollup that includes non-security fixes)
• MS18-03-MR81-4088876
  • Monthly Rollup for Windows 8.1 and Server 2012 R2 (this is the rollup that includes non-security fixes)

  .NET Patches will follow a slightly different naming scheme:

• MS[YY]-[MM]-[TT][PP]-[KB]
  • YY = Year
  • MM = Month
  • TT = Type (Security Only or Monthly Rollup)
  • PP = Product (.NET)
  • KB = Parent KB
• MS17-12-SONET-1234567 MS17-12-MRNET-1234567
  • Security only patches associated with that parent KB
  • Security patch type
  • Monthly Rollup associated with that parent KB
  • Non-Security patch type

Non-security .NET Patches also have a slightly different naming scheme:

• MSNS[YY]-[MM]-[TT][PP]-[KB]
  • YY = Year
  • MM = Month
  • TT = Type (Quality Preview or Quality Rollup)
  • PP = Product (.NET)
  • KB = Parent KB
• MSNS17-12-QPNET-1234567 MSNS17-12-QRNET-1234567
  • Quality Preview patches associated with that parent KB
  • Non-Security patch type
  • Quality Rollup associated with that parent KB
  • Non-Security patch type

Office 365

Additional Information

Additional Naming Conventions

• QP = Quality Preview
• NS = Non-Security

Microsoft released the following article for FAQ on the changes made: Security Updates Guide dashboard and API:

Q: Why is the security bulletin ID number (e.g. MS16-XXX) not included in the new Security Update Guide?

A: The way Microsoft documents security updates is changing. The previous model used security bulletin webpages and included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation, including bulletin ID numbers, is being retired and replaced with the Security Update Guide. Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers and KB Article ID numbers.

Affected Products

Shavlik Protect

Ivanti Patch for Windows Servers

Ivanti Patch for SCCM

   1374 Views    Categories:    Tags:  landesk management suite 2016.x, patch tuesday, next gen naming

Overview

This document provides a list of required URL addresses for Shavlik Protect and Ivanti Patch for Windows Servers to allow:

• Patch executable download.
• Patch content definition download.
• Online license activation or license refresh.
  
• Home page RSS feed.
  
• Product check for update.
  

URL List

The following URLs may be used to download updates and must allowed through firewalls, proxies and web filters:

Additional Information

• To obtain the IP for vendor sites you can ping the vendor site or contact the vendor to obtain this information. We are unable to provide a list of IP addresses due to the varied dynamic IP addresses being used by the vendors. It may be easier to create an exception for an entire domain rather than entering all specific URLs, you can usually do so by entering the exception in this format:
  • *.domain.com.

Affected Product(s)

Shavlik Protect

Ivanti Patch for Windows Servers

Purpose

This article provides a list of URLs that may be required to download catalog content and patches when using Shavlik Patch for Microsoft System Center and Ivanti Patch for SCCM.

Description

The following URLs may be used to download updates and must allowed through firewalls, proxies and web filters.

Additional Information

• license.shavlik.com is required for activation the license on the product.
• If using the Shavlik Patch plugin with SCCM or Ivanti Patch for SCCM, you may also want to review the following for certificate site requirements:  Certificate verification sites to allow for Shavlik Patch
• To obtain the IP for vendor sites you can ping the vendor site or contact the vendor to obtain this information. It may be easier to create an exception for an entire domain rather than entering all specific URLs, you can usually do so by entering the exception in this format: *.domain.com.

Affected Product(s)

Ivanti Patch for SCCM

Shavlik Patch for Microsoft System Center

Purpose

This article provides steps to perform a manual uninstall and re-install of the Shavlik (ST) Remote Scheduler service on a single machine.

Description

1. On the target machine:
   1. Open a command prompt as an administrator.
   2. Run this command:

           c. CD C:\Windows\ProPatches\scheduler

           d. Run this command:  stschedex.exe /remove

   2.  Open Windows Explorer and delete the C:\Windows\ProPatches folder and its contents.

   3.  Open Windows Registry Editor and verify that the following registry keys have been deleted:

• 9.x key for 32bit: HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\Shavlik Protect\Scheduler
• 9.x key for 64bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LANDesk\Shavlik Protect\Scheduler

Further steps to ensure successful re-installation of the scheduler service:

1. On the Protect console:
   • In Shavlik Protect 9.x:
     • Go to Manage> Credentials.
     • Add credentials that you want to use as default or edit existing credentials to ensure that the password is up-to-date.
     • Ensure to set the proper credentials as the default credentials.
     • Go to Tools > Options > Scheduling and ensure the Shavlik Scheduler is selected.

Alternatively, to uninstall the Scheduler from a target machine on the Protect console:

1. Click Manage> Scheduled Tasks.
2. Right-click the target machine name in the list on the left, and click Scheduler Service> Uninstall.

Installation of the scheduler service:

During next deployment to the target system, the scheduler is automatically reinstalled. If you prefer to force the install of the scheduler service prior to the next deployment you can do so in the Protect console by going to Manage > Scheduled Tasks, then right click on a target system name in the list on the left and choose Scheduler Service > Install.

If this issue exists on multiple systems:

If you are experiencing this problem on multiple systems and would like a way to resolve the issue for all machines affected, please refer to this document on how to set up a custom action to delete the scheduler service from target systems:

http://community.shavlik.com/docs/DOC-23009

Affected Product(s)

Shavlik Protect 9.x

Author: Ivanti
Category:Information
Inputs: None
Minimum ITScripts engine version required:8.0.0.0
Modifies the target machine: No
Name: Get McAfee Enterprise Antivirus Engine and DAT Versions
Outputs: CSV file

Purpose:  Retrieves the McAfee Enterprise Antivirus DAT and version information from target systems in your environment and outputs the data to a CSV file.

Script Version: 1.0.0.9

Target Type:  Any

Technical Description:

The script queries the target machines registry to verify the machine is running McAffee Enterprise.  The script then retrieves the engine and DAT versions from the registry.  The script will output to CSV the following:

Computer Name

McAfee Enterprise Version

Major Engine Version

Minor Engine Version

AV DAT Version

AV DAT Date

Possible OpsMon results include:

Failed to get a registry connection to the system via WMI.

McAfee Enterpise Antivirus is not installed.

WMI connection to the target machine failed.  The machine may be offline or firewalled.
Success

Purpose

This document covers error 2147942432 in the AutoPublish.log.

Symptoms

When attempting to publish, Patch for SCCM is unable to publish updates. The AutoPublish.log file shows the .cab was created successfully, but then the error:

Failed To Sign Package; Error Was: 2147942432

Cause

Error 2147942432 indicates that a required resource is already in use by another process. This usually happens when an anti virus application is trying to scan the .cab file at the same time Patch for SCCM is trying to sign it.

Resolution

Add an antivirus exclusion for the content directory that Patch for SCCM stores update packages in. This is usually something like "C:\WSUS\UpdateServicesPackages" or "C:\WSUS\WsusContent\UpdateServicesPackages"

Affected Product(s)

Ivanti Patch for SCCM 2.x

Shavlik Patch 2.x

Author: Ivanti
Category: Information
Inputs: None
Minimum ITScripts engine version required:  8.0.0.0
Modifies the target machine: No
Name: Get Security Center Status
Outputs: A CSV file showing whether anti-virus and anti-spyware engines are registered, and whether they are providing real-time protection with up-to-date definitions.

Purpose: Get the status of the AntiVirus and AntiSpyware engines on target machine that are running Microsoft Security Center

Script Version: 1.0.0.41

Target Type: Any

Technical Description:

This script will return the status of Anti-Virus and Spyware protection in the Microsoft Security Center from Windows workstations.  The script begins by connecting using WMI to determine OS.  XP and newer workstation OSs include the Security Center feature.  Servers would return the "Security Center is not installed" message.  For a supported OS the script continues to query using WMI using the namespace rootSecurityCenter2 or rootSecurityCenter and checks the AntiVirusProduct and AntiSpywareProduct classes to determine if a product is running and if it is up to date.

Possible OpsMon results include:

"WMI connection to the target machine failed.  The machine may be offline."

"Security Center is not supported on this OS"

"Security Center is not installed"

"Security Center is not running"

(If a product is present) "On"or "Off"

(Definitions) "Out of date" or "Up to date"

Author: Ivanti

Category: Information

Inputs: Maximum number of days before a virus definition is considered stale.

Minimum ITScripts engine version required: 8.0.0.0

Modifies the target machine: No

Name: Get Symantec Antivirus Engine and Definition Version

Outputs: A CSV file showing Computer Name, Symantec Endpoint Protection Version, AV Definition Version, AV Definition Date, and Status based on the age and the input.

Purpose: This script gets the Symantec Endpoint Protection engine version, the definition file version, and definition age information from target systems in your environment. The script will output the information to a CSV file.

Script Version: 1.0.2.1

Target Type: Any

Technical Description:

This script uses WMI to connect to the target machine's registry and identify the target OS. The script then retrieves information from the target system's registry about Symantec Endpoint Protection (SEP). The script supports SEP version 11.x or later.

• If SEP is not found the script will return the following result: "Symantec Endpoint Protection is not installed."
• If SEP is found the script will access the definition file definfo.dat to get information about the currently installed definitions. This information is processed to get the date & time from the file and is then compared to the current date & time on the local system. If the difference between the two exceeds the staleDays parameter, the definition file is determined to be out of date.

The script returns this information in a CSV output file.

If the script fails to connect to a machine it will return:

"WMI connection to the target machine failed. The machine may be offline or firewalled."

The script pulls the following information from the target machine and outputs it to a CSV file:

"Computer Name", "Symantec Endpoint Protection Version", "AV Definition Version", "AV Definition Date", and "Status"

Possible Operations Monitor results include:

"WMI connection to the target machine failed. The machine may be offline or firewalled."

"Success"

"Symantec Endpoint Protection is not installed."

Purpose

This document provides information to troubleshoot slow patch scans when using Ivanti Patch for Windows.

Symptoms

There can be a number of causes of slow patch scans. The first thing you should look into is if there have been any recent changes - either to the console system or the network you are on.

Some of the most common causes of slow scans addressed in this article are:

- Insufficient system resources (RAM, CPU, etc.)

- Antivirus scanning- particularly those that perform on-access scans.

- Network/Latency issues (poor latency, scanning over WAN, etc.)

- Database issues - (lack of database maintenance, insufficient SQL server system resources, etc.)

Resolution

Possible issues that may need to be addressed:

Affected Product(s)

Ivanti Patch for Windows 9.x

Shavlik Protect 9.x