Purpose

The purpose of this document is to provide the necessary steps to schedule automatic definition downloads.

Resolution

1. From within the Console select Tools > Options.

2. Within the Options window, navigate to the Downloads tab and the 'Scheduled automatic downloads' pane and click the 'Add' button.

3. The scheduler window will now allow you to select the frequency/schedule of your automatic download. When finished, click 'Save'.

4. The scheduled download task will now appear within the 'Scheduled automatic downloads' pane.

Affected Product(s)

Ivanti Patch for Windows 9.x

Shavlik Protect 9.x

Purpose

This document will help you identify and correct a Patch for SCCM crash caused by missing prerequisite C++ x86 install.

This can be identified by looking in the Application event log:

Application: Microsoft.ConfigurationManagement.exe

Framework Version: v4.0.30319

Description: The process was terminated due to an unhandled exception.

Exception Info: System.DllNotFoundException

   at ST.Engines.NativeMethods.IsDigitallySignedBy(System.String, ST.Engines.Crypto.Signers, Boolean ByRef)

   at ST.Engines.Crypto.SignatureVerifier.IsSignedBy(System.String, ST.Engines.Crypto.Signers)

   at ST.Engines.Catalog.SingleFileDownload.HandleCompletedFile(System.Object, System.ComponentModel.AsyncCompletedEventArgs)

   at ST.Engines.Catalog.SingleFileDownload.ClientDownloadFileCompleted(System.Object, System.ComponentModel.AsyncCompletedEventArgs)

   at System.Net.WebClient.OnDownloadFileCompleted(System.ComponentModel.AsyncCompletedEventArgs)

   at System.Net.WebClient.DownloadFileOperationCompleted(System.Object)

   at System.Threading.QueueUserWorkItemCallback.WaitCallback_Context(System.Object)

   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)

   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)

   at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()

   at System.Threading.ThreadPoolWorkQueue.Dispatch()

   at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback()

Resolution

Install Microsoft Software C++ 2015 Redistributable (x86) - 14.0.24215.

Affected Products

Patch for SCCM 2.3.x

Patch for SCCM 2.4.x

Purpose

The following is a sample integration script for the Ivanti Patch for Windows Servers API integration with the BeyondTrust vulnerability scanner.

If you use a vulnerability scanner to identify weaknesses in your network, the scanner may detect hundreds or even thousands of issues on your machines. At first this might seem a bit overwhelming, but what’s likely happening is that the vulnerability scanner is simply producing a lot of noise. The scanner is assessing for CVEs (Common Vulnerabilities and Exposures) explicitly.  In reality a software update will often include many CVEs.  A patch can also be superseded or replaced by a newer update.  What this tends to cause is the Vulnerability Assessment reflecting hundreds of vulnerabilities that can be resolved by updating just a few software titles on a system. 

To address this, you can use the API to:

• Make calls to the vulnerability scanner
• Extract the vulnerability list (consisting of CVEs)
• Import those CVEs into a Ivanti Patch for Windows Servers patch group via the Patch Group API
• Perform patch scans and deployments using that patch group
• The patch engine will take into account any superseded patches and will identify the handful of patches that are required to bring the target system into compliance. If you rerun the vulnerability scanner after deploying the patches, the vulnerability count should be greatly reduced.

Overview

Please note:

• The scripts can be downloaded from here: BeyondInsightToPatch_API.zip
  
  • We included 2 scripts, one that will verify the BeyondTrust certificate and another where it will not.
• The PS script needs run from the Patch for Windows Servers console server.

Environment confirmation steps:

1. Ensure the BeyondInsight console is set up correctly

    a. Go to the Configure tab

    b. Go to the API Registration tab

    c. Make sure the current IPv4 address/range is in the Source Addresses list.

    d. Click Update

2. Edit the $Authorization variable at the top of the BeyondInsightToPatch.ps1 file to include your BeyondInsight authorization connection string as specified in the BeyondInsight API documentation.

    a. http://<yourBIhost>/eEye.RetinaCS.Server/Flex/Help/BeyondInsightAndPasswordSafeAPIUserGuide.pdf

    b. Use the example style text from the Authorization Header section of the API guide. Only include the text to the right of "Authorization="

        Example: PS-Auth key=XXXXXXXX...XXXX; runas=demo;

How to invoke the script - BeyondInsightToPatch.ps1

1. Open PowerShell

2. Run BeyondInsightToPatch.ps1 or invoke it with the following mandatory parameters:

3. BeyondInsightToPatch -BtHostOrIpAddress '127.0.0.1' -SmartRuleId 10001 -ScanTemplate 'Demo' -DeployTemplate 'Agent Standard' -PatchGroupName 'Demo' -MachineGroupName 'Demo' -ScanName 'BT-Ivanti demo' -DeployMissingPatches $False

    a. BtHostOrIpAddress should be the current IPv4 address of the console VM. I've configured BI to allow 127.0.0.1

    b. SmartRuleId should be the smart asset group defined by BeyondInsight.

         I. 1 is the system group of All Assets

        II. 2 is the system group of All Workstations.

    c. DeployMissingPatches set to $True will actually download and deploy the patches to the machines in $MachineGroupName

4. If/when you see yellow warning messages like "WARNING: Cve item was not found: CVE-YYYY-NNNN", don't worry.

    a. It means we don't have that CVE in our (Ivanti Patch for Windows Servers content)

    b. The patch for the vulnerability may be in our content, but under a different CVE. We add all CVEs for all vulnerabilities to the Patch Group.

5. Open Patch for Windows Servers and view the full results of the patch scan/deployment. You'll see the scan result by $ScanName, date, and source of API in the left navigator.

Symptoms

Within Tools > Operation > Downloads you see that "Specific Distribution Server" is grayed out under Definition download source, and you do have distribution sever(s) configured in this Protect console already.

Cause

1) You do not have a Distribution Server configured, or;

2) Your Distribution Servers are set up with at least one scheduled automatic synchronization tasks.

   (Distribution Servers set up with automatic synchronization cannot be used a definition download source.)

Resolution

1) Ensure that you have at least one Distribution Server configured within Tools > Operations > Distribution Servers.

2) Ensure that the Distribution Server you intend to use as a definition download source is not configured for any Scheduled automatic synchronization under Tools > Operations > Distribution Servers.

Additional Information

Be aware that if you are intending to use a Distribution Server (share) as a definition download source - this share must be getting new data copied into it from a separate console that has an internet connection.

Refer to the following documentation for more information:

Configuring consoles within an offline environment to obtain definitions & patches from a distribution server share

Help: Configuring Distribution Servers

Affected Product(s)

Shavlik Protect 9.x

Purpose

To help identify what is blocking the upgrade of Windows 10 when deploying with Shavlik Protect 9.2.x or Ivanti Patch for Windows Servers (PWS) 9.3+

Symptoms

When you attempt to deploy a Windows 10 build upgrade using Protect/PWS, the deployment fails with error 2147483647

Cause

This may indicate something is preventing the installation of the upgrade, such as incompatible software or an application blocking the process from proceeding

Resolution

Method 1

1. Try executing the upgrade manually so that you can receive interactive prompts from the installer to identify what might be causing the issue. The example below shows the installer failing because of certain installed software being out of date, but because our process runs installers silently as the local System account, you would not see what was stopping the installation.

2. In an elevated command prompt, run the command:

fltmc filters

You should see a list like this:

This identifies possible filters that could be blocking the ISO from mounting properly (possibly antivirus, encryption software, etc.), and you will need to temporarily disable anything that is interfering to deploy the upgrade through Protect/PWS

Method 2

1) Load the ISO

2) Open an admin command prompt

3) Navigate to the Drive the ISO created

4) Run the command "SETUP.EXE /Auto Upgrade /NoReboot /DynamicUpdate Disable /Compat ScanOnly"

Doing this will create an output that you can use to determine the cause of the failure without having to actually deploy the product manually.

Additional Information

See this doc for more info about deploying Windows 10 Build Upgrades with Protect/PWS:

Windows 10 Build Upgrade Deployment Support in Protect 9.2+ and Patch for Windows Server 9.3+

Affected Product(s)

Shavlik Protect 9.2.x

Ivanti Patch for Windows Servers 9.3+

• Purpose
• Description
  • Standard License
    • Configuration
    • Group Policy
    • Information
    • Maintenance
    • Support -
  • Advanced License (Includes All Standard ITScripts Plus the Following)
    • Configuration
    • Information
    • Maintenance
    • Network
    • Support
• Additional Information
• Affected Products

Purpose

The purpose of this document is to show what scripts are available in the standard licensing versus what is available in the advanced licensing.

Description

Standard License

Configuration

• Disable Adobe Flash Update
• Disable Adobe Reader and Acrobat Updater
• Disable Apple Auto Update
• Disable Java Update Service
• Disable Mozilla Firefox Updates
• Disable Remote Desktop
• Enable Remote Desktop
• Set Target Machine Verbose Logging

Group Policy

• Get List of Machines from Active Directory Security Group

Information

• Get Date and Time
• Get Hardware Asset Tag
• Get Reboot Time
• Get Registry Key Value
• Get Remote User Accounts Last Login Times
• Get Running Processes
• Get Services
• Get Shares

Maintenance

• Check Disk
• Console Clean Up
• Remove Temp Files

Support -

• Get Console & Agent Logs

Advanced License (Includes All Standard ITScripts Plus the Following)

Configuration

• Disable USB Disk Service
• Enable Wake-on-LAN
• Set Power Plan

Information

• Get Account Information for All Local Accounts
• Get Available Disk Space
• Get Dell Warranty Information
• Get GPO Account Lockout Settings
• Get GPO Password Policy Settings
• Get List of Files in a Directory
• Get Local Groups and Members
• Get McAfee Enterprise Antivirus Engine and DATs Versions
• Get Security Center Status
• Get Statuses for Built-in Administrator and Guest Accounts
• Get Symantec Antivirus Engine and Definition Versions
• Get System Events

Maintenance

• Defrag Disk Drive
• Terminate Process

Network

• Open Port Scanner

Support

• Get Client Computer Group Policies

Additional Information

How to: Execute an ITScript using Ivanti Patch for Windows

Custom Action, Custom Patch, and ITScript Information and Troubleshooting

Affected Products

Shavlik Protect 9.2

Ivanti Patch for Windows Servers 9.3

Purpose

The purpose of this document is to outline the issues surrounding FileZilla updates particularly related to the downloading of the patch files from the vendor.

Cause

Changes from the vendor, Filezilla, has caused downloads of the updates not from a Web browser to fail with an error 403 authentication error. From review, the cause is the lack of user token authentication as updates downloaded through Patch for SCCM are done on behalf of a user or system account, not as the actual user. Additional findings have shown the direct download links to also reroute to the main Filezilla site versus downloading the actual installer.

Resolution

The current workaround to this issue can be found in this document: Publish Manually Downloaded Products in Patch for SCCM

Affected Product

Ivanti Patch for SCCM 2.4

Purpose

This will show how to patch products that cannot be downloaded by normal means in Ivanti Patch for SCCM such as UltraVNC or Audacity. Additional help documentation and information can be found here.

Resolution

Step 1: Obtain a copy of the needed update.

• Download an appropriate copy of the patch from the vendor (if available). Always use any safe and reliable source to obtain the needed patch.

• Ensure the downloaded file matches the Patch file name listed in SCCM

Step 2: Configure SCCM Local Source

• After patch has been downloaded, enabled the Local Source feature in Ivanti Patch (if not already enabled).
• Open the settings and navigate to the Offline Options tab to get the location of the Local Source Folder

• Navigate to the folder configured for Local Source publishing and drop in the appropriate installer.

Step 3: Publish

• Publishing is no different, just select the needed patch and publish as normal. After publishing is complete, SCCM will be able to deploy and detect the patch on the endpoints connected to the SCCM environment.

Affected Version

Ivanti Patch for SCCM 2.4

Purpose

The purpose of this document is to show how to perform a patch uninstall on multiple systems in Ivanti Patch for Windows

Description

Below is an example of how to set up the uninstall of one patch for multiple machines when using Shavlik Protect. This example is using agentless scan and deployment features.

1) Scan any systems you wish to remove a patch from.

Generally it's best to ensure you run a new scan so you have the most current assessment result available.

2) View the scan result.

You can also get to a scan result if you already have one by clicking the left drop down menu, and choose 'Results'.

3) In the scan result:

    1. Choose the machines you want to uninstall a patch from in the upper (Machines) pane. You can use CTRL + click or CTRL+Shift to select highlight multiple machines.

    2. In the lower pane, select any patch you wish to uninstall. Patches with an orange U and 'Yes' in the 'Uninstallable' column can be uninstalled. You can see how many machines currently have the patch installed viewing the 'Affected Machine Count' column.

    3. Right click on the highlighted patch, and choose 'Uninstall Select'.

    Note: Only one patch can be uninstalled from each system on a single deployment, and a reboot is required to complete the uninstall process.

4) You'll be prompted with the 'Deployment Configuration' window.

You can use an existing deployment template, or create a new one. For patch uninstall it's recommended to use a deployment template that has a post-deployment reboot enabled since the uninstall process will require a reboot to complete. You can also change the time of the deployment to take place immediately (default), scheduled at a certain date/time, or perform the uninstall at the target system's next reboot.

Under 'Patches to be deployed by machine' you can see a list of which machines will have the uninstall performed and whatever patch will be uninstalled from each system.

Additional Information

More information about uninstalling patches can be found here:

Help Guide - Uninstall Patches

Microsoft Documentation - Removing Patches

Affected Product

Ivanti Patch for Windows Server 9.3

Overview

These instructions will help you enable All logging (verbose logging) then those collect logs and supporting information to help Support troubleshoot issues on your console and remote clients.

Instructions

Ivanti Patch for Windows Servers (PWS) 9.X Console Logging:

1. Open the Patch for Windows GUI and navigate to Tools > Options > Logging and change logging to All for both user interface and services.

     a. If you are unable to set logging via the GUI see this doc: http://community.shavlik.com/docs/DOC-22938

2. Close the console GUI.

3. Stop the 'Ivanti Patch for Windows Servers Console Service' service.

4. Delete the contents of C:\ProgramData\LANDesk\Shavlik Protect\Logs on your console.

     a. If troubleshooting agentless deployment or scheduling, delete the contents of C:\Windows\ProPatches\Logs on your target machine as well.

5. Start the 'Ivanti Patch for Windows Servers Console Service' service and open the Patch for Windows GUI.

6. Attempt to reproduce the issue.  Please document steps to reproduce.  Screenshots are very helpful.

7. Collect the logs from the Logs folder(s) from steps 4 (please zip).

     a. Include applicable screenshots.

     b. [Deployment issues only] On the target system, zip a copy of the entire C:\Windows\ProPatches folder and its contents (exclude the Patches sub-folder).

8. Zip everything together and attach to the case on the support portal.

Shavlik Protect - Ivanti Patch for Windows Servers Agent Logging:

1. You will need to set your agent's logging level to All by opening the Agent Policy assigned to the machine you are gathering logs from. The option is in the General tab.

2. If not already set, change the logging level to ‘All’ then Save and update Agents. Choose to update agents if prompted again.

     a. If Patch for Windows fails to update the agent, you will need to perform an Agent Check-in from the agent GUI on the target machine or wait for the scheduled check-in.

3. Remote to the agent client machine, close the agent GUI and stop the services:

     a. The services start with Ivanti or ST.

4. Delete the contents of theC:\ProgramData\LANDesk\Shavlik Protect\Logs folder on the agent client machine.

5. Start services that start with Ivanti or ST.

6. Attempt to reproduce the issue.  Please document steps to reproduce.  Screenshots are very helpful.

7. Take applicable screenshots of errors or information relevant to the issue.

     a.  Collect the logs from step 4.

     b.  Collect the screenshots.

8. Zip everything together and attach to the case on the support portal.

Ivanti Patch for Windows Servers Deployment Logging: (the information collected here is specific to agentless deployments)

1. Navigate to the target machine with the deployment issues.

2. Stop all services that start with Ivanti or ST.

3. Attempt to reproduce the issue.  Please document steps to reproduce.  Screenshots are very helpful.

4. Delete the patches from C:\Windows\ProPatches\Patches.

5.  Zip the entire C:\Windows\ProPatches folder.

     a. Include applicable screenshots.

6. Zip everything together and attach to the case on the support portal.

Ivanti Patch for Windows Servers install issues:

• Obtaining Protect Console and Agent Installation Logs
  

Affected Product(s)

Ivanti Patch for Windows Servers 9.3+

Overview

This document provides a list of required URL addresses for Shavlik Protect and Ivanti Patch for Windows Servers to allow:

• Patch executable download.
• Patch content definition download.
• Online license activation or license refresh.
  
• Home page RSS feed.
  
• Product check for update.
  

URL List

The following URLs may be used to download updates and must allowed through firewalls, proxies and web filters:

Additional Information

• To obtain the IP for vendor sites you can ping the vendor site or contact the vendor to obtain this information. We are unable to provide a list of IP addresses due to the varied dynamic IP addresses being used by the vendors. It may be easier to create an exception for an entire domain rather than entering all specific URLs, you can usually do so by entering the exception in this format:
  • *.domain.com.

Affected Product

Ivanti Patch for Windows Servers

Purpose

This article provides a list of URLs that may be required to download catalog content and patches when using Shavlik Patch for Microsoft System Center and Ivanti Patch for SCCM.

Description

The following URLs may be used to download updates and must allowed through firewalls, proxies and web filters.

Additional Information

• license.shavlik.com is required for activation the license on the product.
• If using the Shavlik Patch plugin with SCCM or Ivanti Patch for SCCM, you may also want to review the following for certificate site requirements:  Certificate verification sites to allow for Shavlik Patch
• To obtain the IP for vendor sites you can ping the vendor site or contact the vendor to obtain this information. It may be easier to create an exception for an entire domain rather than entering all specific URLs, you can usually do so by entering the exception in this format: *.domain.com.

Affected Product(s)

Ivanti Patch for SCCM

Shavlik Patch for Microsoft System Center

Purpose

This is a list of Microsoft Security Patches that are not supported by Shavlik. The patch and the reasoning is listed below.

Products

Microsoft Word 2010

Purpose

The purpose of this document is to go over what to do when the deployment tracker fails to update beyond Scheduled.

Symptoms

• Deployment tracker will stay at scheduled despite the deployments being initialized on the target machines being deployed to.
  
• Deployment tracker shows scheduled:

• When looking at the STDeployerCore.log on the target machine(s), you will see results similar to below indicating the patches were installed successfully:

2016-10-06T21:01:35.1775494Z 0b78 I DeploymentPackageReader.cpp:782 Deploy package 'C:\Windows\ProPatches\Installation\InstallationSandbox#2016-10-06-T-21-00-54\deployPackage-2855.zip' successfully opened unsigned for package IO

2016-10-06T21:02:38.2639494Z 0b78 I Authenticode.cpp:134 Verifying signature of C:\Windows\ProPatches\Patches\Windows6.1-KB2544893-x64.msu with CWinTrustVerifier

2016-10-06T21:02:38.3263494Z 0b78 V UnScriptedInstallation.cpp:29 Executing (C:\Windows\ProPatches\Patches\Windows6.1-KB2544893-x64.msu /quiet /norestart), nShow: true.

2016-10-06T21:02:47.7895494Z 0b78 V ChildProcess.cpp:140 Process handle 000004FC returned '0'.

Cause

• Port 3121 being blocked.
  • Port Requirements for Ivanti Patch for Windows Servers (Formerly Shavlik Protect)
• The Deployment Template used for the deployment doesn't have 'Send Tracker Status' enabled.
• TLS 1.0 may be disabled without another version being properly configured
  • Disabling TLS 1.0 may causes issues with Patch for Windows Servers
  • Enabling TLS 1.2 for Ivanti Patch for Windows Servers
• The Console Alias Editor doesn't have the NetBIOS name, FQDN, and IP address of the Protect console added to it.
• The Shavlik Scheduler is in a corrupted state.

Resolution

1. Ensure that port 3121 is not being blocked in your network. Perform a telnet command from the target machine(s) to your Protect console machine's IP or FQDN address.

telnet {console IP/FQDN} 3121

     If Telnet is not installed, you will see the following:

     To Enable Telnet:

     If the port is blocked, you will see a similar error:

   If at this point you see the port fail to connect, you will need to make sure that 3121 is enabled in your network before attempting to deploy again.

     If the port is not blocked, you should see a blank command prompt:

2. Once you have confirmed that port 3121 is able to connect, check to ensure that your Deployment Template being used has 'Send Tracker Status' enabled:

3. Confirm that either TLS 1.0 is enabled between the console and the problem client machine or TLS 1.2 is properly configured

     Disabling TLS 1.0 may causes issues with Patch for Windows Servers.

     Enabling TLS 1.2 for Ivanti Patch for Windows Servers

4. Verify that you 'Console Alias Editor' has all of the following located within it:

• Console NetBIOS name
• FQDN
• IP address

Tools > Console Alias Editor

Once updated, test your deployment again. If the device is able to properly connect, the tracker status will updated as expected.

If after updating the 'Console Alias Editor' the deployment status is still showing 'Scheduled', you will find in the dplyevts.log file on the target machine something similar to the following:

PingBack.cpp:63 Sending data to 'https://PROTECT-92-5119:3121/ST/Console/Deployment/Tracker/V92' failed: 12002.

If you find something similar to the above, you will need to uninstall the scheduler service from the machine(s).

Protect 9.2:

Manage > Scheduled Remote Tasks

Find device(s) being deployed to, right click the machine and select 'Refresh Selected':

Device will be shown as 'Online':

Once online, right click the device again, go to Scheduler service > Uninstall:

Patch for Windows Servers 9.3:

View > Machines

Find the device affected using the search window

Highlight machine > Right-click > View scheduled tasks

Click Uninstall to remove the scheduler service.

NOTE: To validate scheduler is uninstalled, go to C:\Windows\ProPatches and if you don't see a folder named Scheduler, the service was uninstalled.

Test another deployment to your target machine(s). During this deployment, the Scheduler service will reinstall and should update the deployment tracker to show the deployment operation executing.

Additional Information

• Deciphering Shavlik Protect Deployment Tracker Status Messages
• Using Telnet to Test Ports
• Understanding installer return codes

Affected Products

Shavlik Protect 9.2.x

Ivanti Patch for Windows Servers 9.3.x

Overview

Microsoft has released a Critical Update KB4078130 to disable mitigation against CVE-2017-5715.

MSNS18-01-4078130 / Q4078130 is a Critical Non-Security Patch that will disable the fix for variant 2 for stability issues.  You must reboot after installing the patch for it to apply on the system.

Additional Information

The Security Tool IVA18-001 ADV180002 will enable the fix again:Security Tool: Implement registry keys per Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Affected Products

Ivanti Patch for Windows Servers 9.3

Purpose

The purpose of this document is to outline the issues surrounding FileZilla updates particularly related to the downloading of the patch files from the vendor.

Cause

Changes from the vendor, Filezilla, has caused downloads of the updates not from a Web browser to fail with an error 403 authentication error. From review, the cause is the lack of user token authentication as updates downloaded through Patch for Windows are done on behalf of a user or system account, not as the actual user. Additional findings have shown the direct download links to also reroute to the main Filezilla site versus downloading the actual installer.

Resolution

The current workaround to this issue can be found in this document: How To: Supply and Deploy Patches That Can Not Be Downloaded

Affected Product

Patch for Windows Servers 9.3

Symptom

STAgentUpdater.log

WinTrustVerifier.cpp:195 Certificate verification failed with error : -2146762748

Cause

The OS is unable to verify the digital signature. The specific error is -2146762748 which is a Mircosoft error that translates to "The subject is not trusted for the specified action"

Resolution

1) Update the Root Certificate on the client machine. You can update it manually or run a scan with Security Tools enabled against it. It's going to be MSRC-001 or MSRC-002.

2) It's possible the System Account (used to run the agent services) is having issues on the machine. You could attempt to run the agent services as a domain account as a test.

Updated:

3) it is also possible that computers were missing root CA cert VeriSign Universal Root Certification Authority. While Windows was attempting to connect to Microsoft Update to obtain this cert automatically during update install and failing. Allowing ctldl.windowsupdate.com through the firewall and network security appliances, the issue could also be corrected.

Purpose

The purpose of this article is to go over the issues that may arise when TLS 1.0 is disabled in the environment and how to get Shavlik Protect and Patch for Windows Servers to work with TLS 1.2.

Symptoms

Per PCI requirements, all SCHANNEL protocols are vulnerable, except for TLS 1.2. Organizations may already have a GPO in place to disable all the protocols, except for TLS 1.2 (namely SSLV2, SSLV3, TLS1.1, and TLS1.0). Issues that can arise when these channels are disabled include:

• Deployment Tracker gets stuck at Scheduled or Executing when deploying to target machines.
• Agent installation gets stuck at 50%
• Connection to Shavlik Protect SQL database cannot be established:

Attempting to recover from a broken connection in the database connection pool. Attempt: 1, connection state: Closed, error: System.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - No process is on the other end of the pipe.) ---> System.ComponentModel.Win32Exception (0x80004005): No process is on the other end of the pipe

• Commands to Shavlik Protect Agents are unsuccessful - Agents did not respond:

System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to https://consolename.FQDN:3121/ST/Console/STS/ConsoleSTS. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. --->System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

• Cannot download patches from vendors:

The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

Cause

No secure communication channel can be established, either because no form of TLS is enabled, or whatever is enabled is not properly configured.

Resolution

You must either enable TLS 1.0 or configure TLS 1.2 correctly using Enabling TLS 1.2 for Shavlik Protect and Ivanti Patch for Windows.

Affected Product(s)

Ivanti Patch for Windows Servers 9.3

Shavlik Protect 9.x

Purpose

This document will list common install return code errors from the vendor and possible solutions to the error.

Overview

Protect and Patch for Windows Servers (PWS) track patch deployment progress.  The View > Deployment Tracker (F9) will display the final status of the install attempt and display the return code from the vendor.

As an example return code 0 is success and return code 3010 is reboot required, but there are many other codes that can help troubleshoot patch install issues.

Downloads

• Adobe_Update_Errors.docx
• Error_codes_for_Office_update_packages.docx
• MsiExecErrorCodes.docx

Affected Product(s)

Shavlik Protect 9.x

Ivanti Patch for Windows Servers 9.3.x+

Purpose

This article provides information the affect a Patch Group can have on patch supersedence.

Description

Shavlik Protect filters out patches that have been superseded by later patches and shows only the latest applicable patch that is missing.

Resolution

• In some cases, our Content Team can workaround the issue in our data. For this reason, highly recommend all customers open a case with support:  Support Portal
  
• If the Content Team is unable to correct this, the workaround would be to remove the affected patches from the Patch Group.
  

Additional Information

For more information on patch supersedence, in Shavlik Protect, go to Help> Index> Search.  Search for:Determining Patch Replacements

Affected Product(s)

Shavlik Protect 9.x