Symptoms

Some administrators may see multiple versions of the same Patch detected as missing despite them all not needed for installation.

An example of this is shown in the following screenshot:

Cause

This behavior is caused by Protect having been altered from its default configuration to not use replacement patches/supersedence in its patch scans.

Resolution

To resolve this, only a simple configuration change needs to be made to enable supersedence in Protect.

To do this:

- Open up Shavlik Protect.

- Go to Tools > Options > Scans.

- Check the box next to Use Replacement patches to enable supersedence in Protect and eliminate unnecessary missing patches.

- Rescan and you should see the desired patch scan results.

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document is meant to provide information about where to obtain logging related to Patch for SCCM.

Description

Starting with Microsoft System Center 2012 there is a new log reading tool available called CMTrace.

You can locate this on your Configuration Manager server under:

C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe

We recommend creating a shortcut to this or setting this as the default log reader.

Locations of log files and useful information:

• Installation of Patch for SCCM plugin
  • C:\Users\{CurrentUser}\AppData\Local\Temp
    • Logs that will be found here:
      • SCCMPatchInstall_YYYYMMDD_HHMMSS.log
      • SCCMPatchSetup_YYYYMMDD_HHMMSS.log

• System Center Configuration Manager (SCCM) Server:
  • C:\Program Files\Microsoft Configuration Manager\logs
    • Contains all logs related to operations of Configuration Manager
    • Most useful log(s) when troubleshooting issues with Shavlik Patch:
      • wsyncmgr.log - WSUS synchronization operations
  • C:\Users\*SCCM-Admin*\Shavlik\Shavlik Patch (C:\Users\*SCCM-Admin*\Ivanti\Patch - if you are using Ivanti Patch for SCCM 2.4)
    • Contains both logs and datafiles/binaries used by Shavlik Patch plugin.
      • Logs found here:
        • AutoPublish.log - Contains logging of publishing process.
        • Shavlik Patch.log - Contains logging of Shavlik Patch plugin operations.
• Client
  • For trouble with deployment of dependent action patches (Java or Apple) it can be beneficial to obtain the following:
    • C:\Windows
      • WindowsUpdate.log
    • C:\ProgramData\Shavlik\Installation
      • Contains files related to deployment of dependent action patches (Java, Apple). Collect and zip everything in this folder.
      • Note: This folder is automatically cleaned out after 30 days
    • C:\ProgramData\Ivanti\Patch\Installation (Applicable to Patch 2.4 published updates)

• For trouble with scan and deployment of standard definitions, it can be beneficial to obtain the following:
  • C:\Windows\CCM\Logs
    • UpdatesDeployment.log - Deployments, SDK, UX.
    • UpdatesHandler.log - Updates, Download.
    • ScanAgent.log - Online/Offline scans, WSUS location requests.
    • WUAHandler.log - Update status (missing/installed - verbose logging), WU interaction.
    • UpdatesStore.log - Update status (missing/installed).
    • %windir%\WindowsUpdate.log - Scanning/Installation of updates.

The below table will help in understanding what log(s) may be most helpful during certain workflows:

(Click to Enlarge)

Product(s)

Ivanti Patch for SCCM

Shavlik Patch for Microsoft System Center

(Formerly SCUPdates)

Overview

Xtraction for Shavlik Protect is a self-service, web based solution that presents critical data from Shavlik Protect as customized dashboards and documents in real time. The view only license allows customers to view pre-built dashboards and documents.  The pre-built dashboards make it easier for a customer to get up and running quickly with a simplified reporting solution. If there is a need to create new dashboards or modify existing ones, the license for the Xtraction Protect Connector will need to be upgraded to the Full Enterprise Server license.

Xtraction complements Shavlik Protect by extending reporting visibility without the need to grant access privileges to Shavlik Protect. 

Xtraction for Shavlik Protect helps to:

• Improve speed of response to vulnerabilities
• Improve accuracy of risk assessments
• Manage compliance levels
• Provide self-service reporting access to reduce the administrator burden

Helpful links to get you started:

• Xtraction for Shavlik Protect
• How to use the Xport Process for Xtraction for Protect

Executive Dashboards

Executive Dashboard Download Link

• OS - Details
• Machines not Scanned or Assessed in Last X Time Frame
• Machines Deployed and Patched in Last X Time Frame
• Executive Summary
• Assessed Machine Yearly Metrics
• 7 Metric Dashboard

SecOps Dashboards

SecOps Dashboard Download Link

• Total Missing Patch Assessment
• Machine List with Patch Counts
• Machine Compliance
• Bulletin Details
• All Patches for a Machine
• All Patches for a Machine Group

Additional Dashboards

• Missing Critical Patches
• Patches and Machines with Greatest Risk

Dashboard Download Link

Author: Shavlik

Folder Structure: Shared Folders\Additional Shavlik Protect Dashboards\Patch

Dashboard Name: Critical Missing Patches

Dashboard Data Source View(s):  Patch

Target Audience: Security/Operations

View Record Details: Yes (Patch Data Source - multiple records per machine based on the patch data associated with the returned machines)

Drill-Down Friendly: Limited (the top left tree-grid component)

Cross-Component Filter Friendly: Yes

Version: 1.1

Description:

This dashboard is made up of 4 components all using the same Data Source so all can be cross filtered. Every component (except the top left) is filtered to only show results pertaining to Critical Patches. The middle left component shows the time to patch between when a critical patch was released to when it was installed. The bottom left component shows the top 10 products associated with critical missing patches. The component on the right shows the Distinct critical patches that are missing on some machines. The first column in the grid shows the date the patch was released.

Dashboard Download Link

Author: Shavlik

Folder Structure: Shared Folders\Additional Shavlik Protect Dashboards\Patch

Dashboard Name: Patches/Machines with Greatest Risk

Dashboard Data Source View(s):  Patch

Target Audience: Security/Operations

View Record Details: Yes (Patch Data Source - multiple records per machine based on the patch data associated with the returned machines)

Drill-Down Friendly: Yes (the 2 tree-grid components at the bottom of the dashboard)

Cross-Component Filter Friendly: Yes

Version: 1.1

Description:

This dashboard is made up of 6 components all using the same Data Source so all can be cross filtered. The top 2 components show the top 5 missing critical patches and the top 5 machines missing critical patches. The middle 2 components show the top 5 missing important patches and the top5 machines missing important patches. The bottom left component shows all missing critical and important patches and the associated machines. The bottom right component shows all machines that are missing critical and important patches.

Author: Ivanti

Category: Information

Inputs: Maximum number of days before a virus definition is considered stale.

Minimum ITScripts engine version required: 8.0.0.0

Modifies the target machine: No

Name: Get Symantec Antivirus Engine and Definition Version

Outputs: A CSV file showing Computer Name, Symantec Endpoint Protection Version, AV Definition Version, AV Definition Date, and Status based on the age and the input.

Purpose: This script gets the Symantec Endpoint Protection engine version, the definition file version, and definition age information from target systems in your environment. The script will output the information to a CSV file.

Script Version: 1.0.2.1

Target Type: Any

Technical Description:

This script uses WMI to connect to the target machine's registry and identify the target OS. The script then retrieves information from the target system's registry about Symantec Endpoint Protection (SEP). The script supports SEP version 11.x or later.

• If SEP is not found the script will return the following result: "Symantec Endpoint Protection is not installed."
• If SEP is found the script will access the definition file definfo.dat to get information about the currently installed definitions. This information is processed to get the date & time from the file and is then compared to the current date & time on the local system. If the difference between the two exceeds the staleDays parameter, the definition file is determined to be out of date.

The script returns this information in a CSV output file.

If the script fails to connect to a machine it will return:

"WMI connection to the target machine failed. The machine may be offline or firewalled."

The script pulls the following information from the target machine and outputs it to a CSV file:

"Computer Name", "Symantec Endpoint Protection Version", "AV Definition Version", "AV Definition Date", and "Status"

Possible Operations Monitor results include:

"WMI connection to the target machine failed. The machine may be offline or firewalled."

"Success"

"Symantec Endpoint Protection is not installed."

Download

PatchForWindows_Get-SymantecAntivirusDefinitionInfo.ps1.zip

Author: Shavlik
Category: Information
Inputs: StaleDays - A threshold for the # of days to use to mark accounts stale.  The default is 90.
Minimum ITScripts engine version required:  8.0.0.0
Modifies the target machine: No
Name: Get Remote Users Last Login Times
Outputs: csv

Purpose: Get last login times for users on a remote system

Script Version: 1.0.0.4

Target Type: Any

Technical Description:

This script gets the local accounts from a target machine and the last login for each account.

The script connects to the target machine using WMI and gets the target machine OS. If the connection fails a WMI error is given for the machine.

The script then uses WMI to get all local accounts that are not locked out. Then for all other local accounts it determines the last login date.

The script then determines the age in days of the last login. If the age is greater than or equal to the StaleDays parameter it is marked its status as stale.

If the account has never logged in the status is set to “Has never logged in”.

Output results to csv:

ComputerName, Username, Lastlogin dateTime, Age in Days, Status

The possible Opsmon output options are:

"WMI connection to the target machine failed.  The machine may be offline or firewalled"

ComputerName, UserName, Last Login, Age, Status

"Failed to get WMI access to account information"

Download

PatchForWindows_Get-RemoteUserAccountsLastLoginTimes.ps1.zip

Author: Shavlik
Category:Configuration
Inputs: None
Minimum ITScripts engine version required: 8.0.0.0
Modifies the target machine: Yes
Name: Disable Adobe Reader and Acrobat Updater
Outputs: None

Purpose:Disable Adobe Reader and Acrobat Updates

Script Version: 1.0.1.0

Target Type:Any

Technical Description:

This script will disable the auto updater for Adobe Acrobat and Adobe Reader products.  While many vendors have their own update mechanisms IT Administrators need the ability to centrally manage updates in their environments.  This typically leaves auto update notifications popping up on the user's machine and often will cause confusion and sometimes issues within a customer's environment.

The script begins by determining the OS of the target machine using WMI.  Depending on the OS, specifically x64 vs x86 editions, the location of the registry hive for Adobe products varies.  Once the OS is determined the script continues with detection of Reader andor Acrobat on the machine. This is all done by directly accessing the registry path on the target machine.  The script will modify the registry to change the following keys if the product(s) are present:

• "SOFTWARE\WOW6432Node\Policies\Adobe\Acrobat Reader" + InstalledVersion# and update value "bUpdater" to 0
• "SOFTWARE\WOW6432Node\Policies\Adobe\Adobe Acrobat" + InstalledVersion# and update value "bUpdater" to 0

If ARM is present the value in the following key will be removed:

• Value "Adobe ARM" from registry path "MicrosoftWindowsCurrentVersionRun"

Possible OpsMon results include:

"WMI connection to the target machine failed.  The machine may be offline."

"Failed to connect to target system"

"Adobe Reader is not installed"

"Successfully disabled Adobe Reader updates"

"Failed to disable Adobe Reader updates"

"Adobe Reader updates are already disabled"

"Adobe Acrobat is not installed"

"Successfully disabled Adobe Acrobat updates"

"Failed to disable Adobe Acrobat updates"

"Adobe Acrobat updates are already disabled"

Download:

PatchForWindows_DisableAdobeReader&AcrobatUpdater.ps1.zip

Purpose

This document contains instructions on how to add patches released between specifics dates to a Patch Group using PowerShell and the API feature.

Overview

Basic Instructions:

     1. Download AddPatchesToPatchGroupUsingDateRange.zip from this document. (download link)

     2. Extract the contents of the .zip file to a folder on the console server.

     3. Read Disclaimer.txt.

     4. Open PowerShell as an administrator.

     5. Change directory to the extracted location.

     6. Execute the following to get help. This will provide parameters and instructions on how to use the PowerShell script.

Get-Help .\AddPatchesToPatchGroupUsingDateRange.ps1 -full

Examples:

Add all patches released between to dates.

.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" "1/1/2018" "1/31/2018" "ServerName\SQLInstance" "MyDatabase"

Add all patches released within the last 30 days.

.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" ((Get-Date).AddDays(-30)) (Get-Date) "ServerName\SQLInstance" "MyDatabase"

Add security and non-security patches released within the last 30 days

.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" ((Get-Date).AddDays(-30)) (Get-Date) "ServerName\SQLInstance" "MyDatabase" "0, 1, 4"

Add .net and Java patches released within the last 30 days

.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" ((Get-Date).AddDays(-30)) (Get-Date) "ServerName\SQLInstance" "MyDatabase" -productList ".net|Java"

Add all patches except .net and Java released within the last 30 days

.\AddPatchesToPatchGroupUsingDateRange.ps1 "Test" ((Get-Date).AddDays(-30)) (Get-Date) "ServerName\SQLInstance" "MyDatabase" -productList ".net|Java" -excludeProductList

Additional Information

API Quick Start Guide

Affect Product

Ivanti Patch for Windows Servers

Purpose

As of January 3rd 2018, Microsoft is now requiring a registry key to be added to machines for addressing compatibility issues with a small number of anti-virus software products.

More information on this can be found here: Important information on detection logic for the Intel 'Meltdown' security vulnerability

Description

1.  Download and extract the attached zip here to get the batch file used for adding the registry key.

2.  Create a new Patch Scan Template that scans for only Custom Actions. (this will allow you run this against machine with no missing patches)

3.  Create a new Deployment Template.

4.  Name the template. Ex: Intel Meltdown Registry Key

4.  Click on Post-deploy Reboot. Change the reboot option to 'Never reboot after deployment'.

5. Click on Custom Actions. Click 'New'. A prompt to save the template will be presented. Click 'Save'.

6. The first action will push the batch file. Ensure that step 3 states 'Push File', and then select the batch file from the local machine. Click 'Save' when completed.

7. Click 'New' once more. Change Step 3 to 'After All Patches' and use the following command in Step 4: Call %pathtofixes%addregkey.bat

8. Click 'Save' twice to finish creating the Deployment Template.

9. Use the new Scan Template to scan your target machines.

10. Once the scan is completed, click 'View Results'

11. The results will offer our nullpatch.exe for deployment. Proceed by right-clicking the patch and clicking 'Deploy all missing patches'.

12. Select the new Deployment Template created earlier. Click 'Deploy' to start the deployment.

13. Open regedit to validate the registry key was added.

Additional Information

How To: Perform a Custom Action Complete Tutorial with Custom Actions

Affected Product(s)

Shavlik Protect 9.2

Ivanti Patch for Windows Servers 9.3

Description

This document will provide a workaround for a crash when navigating to View > Machines in Protect.

Symptoms

When navigating to View > Machines, the Protect Console crashes with an unexpected error. The following generic pop-up will appear:

You can verify the issue by looking in the ST.Protect.managed.UserName@ProtectServer.log where you will see the specific error  This will help you identify the unsupported language culture:

Crash from main UI thread ---> System.InvalidOperationException: Crash from main UI thread ---> System.Globalization.CultureNotFoundException: Culture is not supported.

Parameter name: culture

2073 (0x0819) is an invalid culture identifier.

Cause

One or more of your scanned machines have an unsupported language culture. .Net Framework installed on the Protect Console is unable to verify the language culture of these machine(s) in when opening View > Machines.  In this specific example, the hex value 0x0819 indicates a Moldova language culture.

Parameter name: culture

2073 (0x0819) is an invalid culture identifier.

 

Here is a list of languages with their Hex and Decimal value:  Language Culture Code Table

Resolution

• Download and install the latest .Net Framework language pack for the highest level .Net Framework installed on the Protect server.
• If installing the latest .Net Framework language pack doesn't correct the issue, the workaround for this issues would be to remove the machine(s) in question directly from the database via script.  The remainder of the document will walk you through the workaround.

Identifying the Language Culture

1. You will need to identify the hex value of unsupported language culture from the ST.Protect.managed.UserName@ProtectServer.log.
2. The log is located in the C:\ProgramData\LANDESK\Shavlik Protect\Logs folder on the Protect server.
3. Open the log with your favorite text editor and search for:  is an invalid culture identifier  This will give you the hex value for the next step, for example:

2073 (0x0819) is an invalid culture identifier.

Identifying the machine(s) with the affected language culture

     4. Once you have the hex value for the language culture, you will need to identify machine(s) with this language culture by running this SQL query against the Protect database:

SELECT Domain, Name, * FROM [ManagedMachines] WHERE language = Hex value from logs

Example of output listing machines with specific language culture:

Removing the affected machines via SQL Script

Script Download

1. Extract DeleteMachineView.zip on the server you will be performing the query from.
2. Open SQL Server Management Studio and connect to the Protect database.
3. Backup the Protect database
4. Open DeleteMachineView.sql into a query window.
5. Read disclaimer at the top of the script.
6. Select the Protect database to run the query against.

    7. The next step is to replace the following with the domain\machine or workgroup\machine name values from above.

FROM:

SET @machineDomain = 'Enter Domain or Workgroup Name'    SET @machineName = 'Enter Machine Name'

TO:

SET @machineDomain = 'WORKGROUP'    SET @machineName = 'VM-2K16-64-EN'

  8. Execute the script to delete specified machine.  Repeat this process for all affect machines.

  9. Attempt to open Shavlik Protect.

Contact Support is there are any error when running the script. Save the results and messages from the script output to a text file before closing the script window.

Affected Product(s)

Shavlik Protect 9.x

Purpose

When running the Shavlik Protect console in a secure environment without Internet access, it is necessary to download the latest Shavlik Data Files and supported patches from a machine that has Internet access and then transfer the files to the disconnected Protect Console machine.  We are providing a PowerShell script that downloads the Data Files and supported patches for you.

Instructions

The ability to use this script to download patches is only available in Shavlik Protect 9.2.5119 or later. You can confirm the version in Help > About Shavlik.  The installer can be found here: http://www.shavlik.com/support/protect/downloads/

In order to use the PowerShell script, the internet-connected machine must contain the following:

• Windows PowerShell 4.0 or later.
• Microsoft .NET Framework 4.0 or later.
• The PowerShell script .\DownloadDisconnectedData.ps1: DownloadDisconnectedData.zip
  

Download Only Datafiles using Powershell

1. Create a folder on the internet connected machine on C:\. (this example will use C:\Data)
2. Download and extract the PowerShell script (DownloadDisconnectedData.ps1) attached to this document to C:\Data.
3. Open Powershell and navigate to C:\Data.
4. Run the following command replacing C:\Data with whatever output directory you have chosen in step 1:

The major/minor version argument has a two-digit value. Use the value corresponding to your version:

• Protect 9.2: 92
• Protect 9.3: 93

.\DownloadDisconnectedData.ps1 -outdir "C:\Data" -product "Protect" -version 92

    5. Move the downloaded datafiles from C:\Data to C:\ProgramData\LANDESK\Shavlik Protect\Console\DataFiles on the offline Protect console. Overwrite any duplicate files when prompted.

    6. Run Help > Refresh Files in the console. If you are in an offline environment, you will see errors downloading files which is to be expected, but this will also update the database with the newest definitions which is necessary.

Download Datafiles and Patches using Powershell

How to create the list of patches to download:

1. Create a folder on the internet connected machine on C:\. (this example will use C:\Data)
   
2. Scan machines on your disconnected network. (The scan result will provide the list of patches to be downloaded)
   
3. View the scan results after the scan completes.  Use the link on step 6 from the Operations Monitor or View > Results > Today's Items.
4. Highlight and then right-click on the Patch Missing in the middle pane and choose Export Download Package…
   1. You can also choose specific patches using the CTRL-click or Shift-click method after expanding the missing patches list.

     5. Give the .CSV a name and save to your desktop. (we will be using Patches.csv in this example)

     6. Save this .CSV file to the folder you create in step #1.

To use the PowerShell script:

1. Move the DownloadDisconnectedData.zip to the folder you created on the internet connected machine on C:\.
   
2. Extract the PowerShell script (DownloadDisconnectedData.ps1).
3. Open a Windows Command Prompt with Run as administrator privileges.
4. Change to the directory that contains the PowerShell script.
5. Read Disclaimer.txt.
6. Start PowerShell by typing ‘PowerShell’.
7. Use the PowerShell script to download the desired files. Please see the Powershell script information section below for information on how to do this.
8. Move the downloaded datafiles from the downloaded location specified to C:\ProgramData\LANDESK\Shavlik Protect\Console\DataFiles on the offline Protect console. Overwrite any duplicate files when prompted.
9. Move the downloaded patches from the downloaded location to your console's patch repository which can be located in Tools > Options > Downloads.
10. Run Help > Refresh Files in the console. If you are in an offline environment, you will see errors downloading files which is to be expected, but this will also update the database with the newest definitions which is necessary.

Powershell script information:

The major/minor version argument has a two-digit value. Use the value corresponding to your version:

• Protect 9.2: 92
• Protect 9.3: 93 

• In this example, a folder was created here: C:\Data.
• We will be downloading Protect 9.2 content data.
• The exported port patch list is called Patches.csv located in C:\Data.

.\DownloadDisconnectedData.ps1 -outdir "C:\Data" -product "Protect" -version 92 -downloadPackageInputFilePath "C:\Data\Patches.csv"

• The content data files will be located here: C:\Data\DataFiles.
  • These need to be moved to the C:\ProgramData\LANDESK\Shavlik Protect\Console\DataFiles on the offline Protect console.
    
• The patches will be located here: C:\Data\Patches.
  • These need to be moved to theC:\ProgramData\LANDESK\Shavlik Protect\Console\Patches. on the offline Protect console.
    
  • Verify location of the Patches folder through Tools > Operations > Downloads > Patch Download Directory.

Addition Information

How To: Manually Updating Patch Data Files for Shavlik Protect

• The Content Team created a partner.manifest.xml where customers can see the SHA1 and SHA2 hashes for all downloadable Shavlik Protect content files. This list can be used to compare hashes of local files on disk to those contained in the manifest.
  • http://xml.shavlik.com/data/protect/v9/92hash/manifest/partner.manifest.cab

Affected Product(s)

Ivanti Patch for Windows Servers 9.3

Shavlik Protect 9.X

Overview

These documents provides information about the End of Life policy for legacy Shavlik products, VMware branded versions of the same product lines and legacy Shavlik and HEAT OEM products that are now a part of the Ivanti family. The Ivanti Product Support Policy applies to the products released under the Shavlik or HEAT brand name. The Shavlik Product Support Policy applies to the products released under the Shavlik and VMware brand names. All dates presented in this document are in the ISO developed international format. This format uses a numerical date system as follows: YYYY-MM-DD where YYYY is the year, MM the month and DD the day. The information contained herein is believed to be accurate as of the date of publication, but updates and revisions may be posted periodically and without notice.

Legacy Shavlik products, VMware branded versions of the same product lines:

End of Life Information for Products Powered by Shavlik

Legacy Shavlik and HEAT OEM products that are now a part of the Ivanti family:

End-of-Life Information for OEM Products Powered by Shavlik and HEAT

Symptoms

• Cannot open the Protect application
• In Protect, you see the message:
  You have not been granted access, please see the system administrator to configure your role.
  
• You see this message even if you are the only administrator for the Protect application

Purpose

This article provides information to regain access to the Protect console if you have set your own user account to a no access level with the Role-Based Administration function. 

Cause

This issue occurs because of an incorrect configuration within Protect's Role Based Administration features. These features are configured in underManage>User Role Assignment.

Resolution

Download and run the attached SQL Script against your database.
This script will remove all entries from the dbo.RoleUsers table.

How to run a SQL Query against your Protect database

You can also copy the text into the query manually:

Alternative Resolution

To resolve this issue:

1. Ensure that SQL Server Management Studio corresponding to your SQL version is installed.
   To download SQL Server Management Studio for Express editions, see:
   • SQL Server 2005 – http://www.microsoft.com/download/en/details.aspx?id=8961
   • SQL Server 2008 – http://www.microsoft.com/download/en/details.aspx?id=7593
   • SQL Server 2008 R2 – http://www.microsoft.com/download/en/details.aspx?id=22985
   • SQL Server 2012: http://www.microsoft.com/en-us/download/details.aspx?id=35579
2. Open SQL Server Management Studio and log in to the SQL server where the Protect database resides.
3. Expand Databases.
4. Expand your Protect database.
5. Expand Tables.
6. Locate the table dbo.RoleUsers.
7. Right-click the dbo.RoleUsers table and click Open Table.
   Note: In some versions, you may have to use the Select top 1000 Rows option.
8. Delete any rows in the table by a right-click on the row and Delete.
   Note: Ensure not to delete the table.
9. You should now be able to open the Protect application.

Affected Product(s)

• Shavlik Protect 9.x
• vCenter Protect 8.x

Symptoms

Unable to publish updates.

Following entry could be found in the AutoPublish.log:

Error Publishing 'Adobe Flash Player 22.0.0.210 Internet Explorer' : Failed to sign package; error was: 2147942403

When running Configuration Checker under Shavlik Patch settings you are getting the error below:

Or when your publish location does not match what you expect it to be.

Not all errors associat6ed with this fix are documented but the fix has been tested and will work to resolve many content location issues.

Cause

• There is a WSUS configuration issue with the UpdateServicePackages shares.
• The problem is described here: https://social.technet.microsoft.com/Forums/en-US/5fdb03a7-2605-488b-80ca-f389499ab0df/scup-failed-to-sign-package-error?forum=configmanagersecurity

Resolution

You can verify where WSUS believes the folders are by running this at a CMD prompt on the Shavlik Patch server:

net share

This will show the location of the UpdateServicePackages shares.

You will need to use this command to point WSUS to the correct location of:

• \WSUS\WsusContent
• \WSUS\UpdateServicesPackages

WSUSUtil.exe movecontent <content path> <log path>

wsusutil.exe movecontent contentpath logfile [-skipcopy]

More information:  WSUSUtil.exe

Affected Product(s)

Shavlik Patch Plugin 2.x

Purpose

The purpose of this document is to outline the issues surrounding FileZilla updates particularly related to the downloading of the patch files from the vendor.

Cause

Changes from the vendor, Filezilla, has caused downloads of the updates not from a Web browser to fail with an error 403 authentication error. From review, the cause is the lack of user token authentication as updates downloaded through Patch for Windows are done on behalf of a user or system account, not as the actual user.

Resolution

The current workaround to this issue can be found in this document: How To: Supply and Deploy Patches That Can Not Be Downloaded

Affected Product

Patch for Windows Servers 9.3

• Purpose
• Description
  • Current Branch
  • SCCM 2012 R2
• Additional Information

Purpose

The purpose of this document is to outline the currently supported versions of SCCM that will work with Ivanti Patch for SCCM.

Description

Current Branch

SCCM 2012 R2

Additional Information

SCCM build numbers | Build Numbers

Disclaimer

Please read this disclaimer before using this tool:  LANDESK Share IT Disclaimer

Description

We created a GUI tool to simplify diagnostic scanning to troubleshoot patch scan issues.

The DPDTrace GUI interface requires .Net 2.0 or greater to work.

How to use the DPDTrace GUI

1. Download the latest version of the DPDTrace GUI. Download Link
2. Extract the DPDTrace.zip to the desktop of the machine you will scan from.  This can be on a server remote to the target machine or on the target machine itself.  Support may specify where to scan from depending on the issue being diagnosed.
3. Open the DPDTrace GUI by double-clicking DPDTraceGUI.exe from the extracted folder.

     4. Choose Local to scan the local machine. The IP address or the Machine Name of the local machine will automatically populate.

     5. Choose Remote to scan a remote machine. You will need to provide a valid Machine Name or IP Address to scan.

     6. Enter a username with administrator access to the target machine.

          a. The format must be DomainName\UserName or MachineName\UserName depending on how you are authenticating to the target machine.

     7. Enter a valid Password. You can choose to un-check the Hide option if you wish to see your password for troubleshooting purposes.

Protect Version: (Protect Customers)

     8. Choose the Protect scan engine version to be used during the scan.

          a. The GUI defaults to 9.2.5112 and 9.3.4510, it is OK to leave the default selection and often a good idea since it provides cross engine version data..

OEM Version: (OEM partners)

     9. Choose the OEM scan engine version to be used during the scan.

Patch Type:

     10. Choose Patch Type to be used during the scan.

          a. We highly suggest leaving the defaults of Security Patches and Non-Security Patches selected unless a support tech requests a change.

     11. Click Run to start the scan.

     12. You will see Command Prompt popups and popups for the Rename HF.Log utility during the scan process.  Do not close either these.

     13. All popup windows will close and a new popup will occur once the scan is complete.  Click OK.

     14. The scan diagnostic is complete and all of the trace logs, scan outputs and registry exports have been zipped to this folder:  C:\Users\UserName\Desktop\DPDTrace\SendToSupport

          a. The zip file will be named HFCLi_YearMonthDay.zip

     15. Provide this zip files to support!  If you have any issues attaching this zip to the case, please let the support tech know so they can provide you with more options.

Additional Information

A command line DPDTrace tool can be used by customers who cannot run this GUI version:  DPDTrace command line logging tool used for patch detection issues

Purpose

This document will provide information about how to obtain information about Ivanti Patch for Windows XML updates (patch definitions) and Ivanti Patch for SCCM updates (catalog updates).

Description

Ivanti Patch for Windows Servers

The Ivanti content team will provide patch definition updates at least every Tuesday and Thursday (provided there are new patches to be included). However, there are a few easy sources that can be used to see when new XML updates (patch definitions) are released.

1) Subscribe to the "Patch for Windows Content Notifications" stream using the method outlined here.

2) Patch Data Information Blog Page: https://protect7.shavlik.com/

This web page displays all patch definitions released by the Shavlik content team for the Protect application.

3) Patch Data Information RSS Feed: https://protect7.shavlik.com/     

All the same information as protect7.shavlik.com in an RSS feed.

4) Patch Data Information Twitter: ivanti XML (@ShavlikXML) | Twitter

This Twitter account is updated every time an XML release is put out. This is a good alternative to receiving email notifications, depending upon your preferences.

Ivanti Patch for SCCM

The Ivanti content team will provide catalog updates at least every Wednesday and Friday (provided there are new patches to be included).  These sources can help you stay up to date with those catalog updates.

1) Subscribe to the "Patch for SCCM Content Notifications" stream using the method outlined here.

2) Patch Data Information Blog Page:https://protectupdate.shavlik.com/

Affected Products

Ivanti Patch for Windows Servers 9.3.x

Shavlik Protect 9.2.x

Ivanti Patch for SCCM

Symptoms

When running the Database Setup Tool to connect to a database, you receive an error that you are not able to connect.  In C:\ProgramData\LANDESK\Shavlik Protect\Logs\ST.DatabaseConfiguration.log, you find an error like the following:

ConnectionValidator.cs:395|Failed to authenticate to the SQL Server.: ConnectionException: Unable to connect to SQL Server 'DOMAIN\SQLSERVER'

SqlError message: 'A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 28 - Server doesn't support requested protocol)'

Cause

TCP/IP protocols are disabled for the target SQL Server

Resolution

1. Launch SQL Server Configuration Manager
2. Expand "SQL Server Network Configuration" in the left pane
3. Select the SQL instance you are trying to connect to
   
4. Double-click TCP/IP in the right pane to bring up the TCP/IP Properties
   
5. Change "Enabled" to Yes
6. Restart the service for the SQL instance
7. Re-launch the Database Setup Tool and try your connection again

You should be able to successfully connect now.

Affected Products

Ivanti Patch for Windows Servers

Ivanti Security Controls