Channel: Shavlik User Community : Document List - All Communities

Where can I find Patch for Windows Console and Agent installation logs?


Purpose

 

This document shows how to find the installation and setup logs for Patch for Windows. These are often requested by Ivanti support when troubleshooting installation failures.

 

Description

 

The setup and installation logs for Patch for Windows can be found by doing the following:

 

  • Go to Start > Run (or search) and type: %temp%
  • Browse to C:\Users\*your_user*\AppData\Local\Temp

 

Either option brings you to the same directory. Search the temp directory for files with the following names. There may be several of each, depending on how many times you have attempted installation. The newest log files are the best ones to collect for support.

 

  • ProtectInstall_xxx.log - Patch for Windows install log file.
  • ProtectSetup_xxx.log - Patch for Windows install log file.
  • STPlatformInstall_xxx.log - Agent installation log file.
  • STPlatformUpdater_xxx.log - Additional logging for agent setup/install.
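
The collection step above as a PowerShell script; this is an added example, not Ivanti tooling. The archive name PfW-InstallLogs-<timestamp>.zip is an arbitrary choice, and the script must run as the user who ran the installer, because %TEMP% is per-user.

```powershell
# Added example (not Ivanti tooling): collect the newest install/setup log of each
# kind from %TEMP% into a single zip for a support case.
$patterns = @(
    'ProtectInstall_*.log',     # Patch for Windows install log
    'ProtectSetup_*.log',       # Patch for Windows install log
    'STPlatformInstall_*.log',  # Agent installation log
    'STPlatformUpdater_*.log'   # Additional agent setup/install logging
)

# Newest file per pattern; a pattern with no match is reported, not treated as an error.
$newest = foreach ($pattern in $patterns) {
    $hit = Get-ChildItem -Path $env:TEMP -Filter $pattern -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    if ($hit) { $hit } else { Write-Warning "No file matching $pattern in $env:TEMP" }
}

if (-not $newest) {
    Write-Warning 'No installation logs found; run this as the user who ran the installer.'
    return
}

# Stage copies so the zip contains only the selected files.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$staging = Join-Path $env:TEMP "PfW-InstallLogs-$stamp"   # arbitrary output name
New-Item -ItemType Directory -Path $staging | Out-Null
$newest | Copy-Item -Destination $staging

$zip = "$staging.zip"
Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $zip
Remove-Item -LiteralPath $staging -Recurse -Force

# Show what was collected so the file dates can be checked against the failed install.
$newest | Select-Object Name, LastWriteTime, Length | Format-Table -AutoSize
Write-Output "Archive written to $zip"
```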

 

 

Additional Information

 

For information on collecting other/additional logging please see the document, How To: Gather console, patch deployment and agent logs for Ivanti Patch for Windows

 

Affected Products

 

Patch for Windows 9.3+


Explanation of how patch scan detection works in Patch for Windows


Purpose

 

The purpose of this article is to explain how patch scanning detection works in Patch for Windows.

 

Overview

 

To understand the basics of how the scan engine works, please see the following information from the Patch for Windows Help file "Scanning Engine Overview":

 

The Patch for Windows scan engine performs security patch assessment against a variety of Windows-based operating systems and products from Microsoft and other product vendors.

 

The Patch for Windows engine uses an Extensible Markup Language (XML) file that contains information about which security hotfixes are available for each product. The XML file contains security bulletin name and title, and detailed data about product-specific security hotfixes, including:

 

  • Files in each hotfix package and their file versions
  • Registry changes that were applied by the hotfix installation package
  • Information about patch supersedence
  • Related Microsoft Knowledge Base article numbers
  • Links to additional information from Bugtraq (BugtraqID) and cross references to the Common Vulnerabilities and Exposures (CVE) database hosted by Mitre.org (CVEID)

 

The content data file, called WindowsPatchData.zip, is created and hosted by Ivanti.

 

When you run Patch for Windows (without specifying advanced file input options), the program must download a copy of this XML file so that it can identify the hotfixes that are available for each product. The XML file is a digitally signed CAB file and is available on the Shavlik website. Patch for Windows downloads the CAB file, verifies its digital signature, and then extracts the XML file to your local computer. Note that a CAB file is a compressed archive that is similar to a ZIP file.

 

After the XML file is extracted, Patch for Windows scans your machine (or the selected machines) to determine the operating system, service packs, and programs that you are running. Patch for Windows then identifies security patches that are available for your combination of installed software. Patches that are applicable to your machine but are not currently installed are displayed as "Missing Patch" in the resulting output. In the default configuration, Patch for Windows output displays only those patches that are necessary to bring your machine up-to-date. Patch for Windows recognizes roll-up packages and does not display those patches that are replaced by later patches.

 

Read more about supersedence detection (replacement patches) here: Determining Patch Replacements

 

During the scanning process the detection goes through a few main steps, simplified in order here:

 

1. DPD (Dynamic Product Detection) - The scan engine will first use DPD to identify the:

    A. Operating System

    B. Any products installed on the target system

    C. The service pack level of any installed products (if applicable).

 

2. Patch detection - Once DPD has determined all applicable products on the target system, the scan moves on to individual patch detection for every patch that applies to the OS or to products on the target system. For each patch, the scan performs registry and/or file checks against the registry keys or files affected by that patch. This is also where any filtering comes into play (i.e. product, patch type, criticality, or any other patch filter settings).
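
A toy model of the two steps above, added here for illustration and not taken from the product: it shows why only patches for detected products are evaluated and why a superseded patch is not reported. The XML layout, patch IDs, paths and versions are all constructed and do not reflect the real WindowsPatchData schema.

```powershell
# Added example: toy model of file-version patch detection with supersedence.
# Everything in this XML is constructed; it is NOT the WindowsPatchData schema.
[xml]$data = @'
<patches>
  <patch id="EX-001" product="ExampleApp">
    <file path="C:\ExampleApp\core.dll" version="1.0.2.0" />
  </patch>
  <patch id="EX-002" product="ExampleApp" supersedes="EX-001">
    <file path="C:\ExampleApp\core.dll" version="1.0.5.0" />
  </patch>
  <patch id="EX-003" product="OtherApp">
    <file path="C:\OtherApp\other.dll" version="2.0.0.0" />
  </patch>
</patches>
'@

# Constructed inventory standing in for what a scan would read from the target.
$installedProducts = @('ExampleApp')                           # step 1: product detection
$fileVersions      = @{ 'C:\ExampleApp\core.dll' = '1.0.0.0' }  # file versions found on disk

function Get-PatchState {
    param($Patch, [hashtable]$FileVersions)
    foreach ($file in $Patch.file) {
        $onDisk = $FileVersions[$file.path]
        # A file that is absent or older than the patched version means "Missing".
        if (-not $onDisk -or [version]$onDisk -lt [version]$file.version) {
            return 'Missing'
        }
    }
    'Installed'
}

# Step 2: only patches for detected products are evaluated at all.
$applicable = @($data.patches.patch | Where-Object { $installedProducts -contains $_.product })

$evaluated = foreach ($p in $applicable) {
    [pscustomobject]@{
        Id         = $p.id
        State      = (Get-PatchState $p $fileVersions)
        Supersedes = $p.supersedes
    }
}

# Supersedence: a missing patch that another applicable patch replaces is not reported.
$replaced = @($evaluated | Where-Object { $_.Supersedes } | ForEach-Object { $_.Supersedes })

$evaluated |
    Where-Object { $_.State -eq 'Missing' -and $replaced -notcontains $_.Id } |
    Select-Object Id, State
```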

 

Additional Information

 

Additional information about the Patch for Windows scan process can be found in the Patch Scanning Overview.

 

Affected Products

 

Patch for Windows 9.3+

Troubleshooting why patch scans do not detect Java updates as missing or installed


Symptoms

 

You are able to manually verify a Java installation exists on a target (client) system, but a patch scan with Patch for Windows does not list a Java patch as missing or installed.

 

Cause

 

There are three likely causes for this issue that should be evaluated first:

  1. Verify the patch definitions for Patch for Windows are up to date by running Help > Refresh Files. You can verify the version of the patch definitions by going to Help > About > Version Info. Look for Patch Assessment under the Definition area and then cross-reference the version with this website: Ivanti Patch for Windows content feed.
  2. Use a built-in patch scanning template (Security Patch Scan or WUScan template) when troubleshooting scan-related issues. If not using the Security Patch Scan or WUScan template, verify the custom scan template does not include filtering that would limit which patches and products are scanned.
  3. If you believe the Java patch is installed, manually verify the Java patch is listed as installed in Add/Remove Programs (Programs & Features).

 

Resolution

 

Is Java Development Kit installed on the target (client) system? If Java Development Kit (JDK) is installed on the target system, you cannot patch Java (the Java Runtime Environment - JRE) separately. JDK contains its own version of JRE, and applying a separate JRE update will break the JDK on the system, so if the JDK is detected you will not be offered any JRE updates. Another possible cause of the issue is a corrupt install of JRE on the target (client) system.

 

The Patch for Windows scan engine's detection logic verifies the version of the jvm.dll and java.exe files on the target machine. The scan engine determines the location of these files based on information stored in the registry on the client system. A scan issue occurs if the file location listed in the registry key does not match where the files are located on the system. You can manually verify this by navigating to one of the following registry locations using regedit:

 

  • 32 bit: HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment
  • 64 bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment

 

Navigate to one of the versions of Java listed under this key, then for each version there will be a "RuntimeLib" key. The value of the RuntimeLib key contains the location that we check during our patch scan process.

 

You can also perform a search for jvm.dll and/or java.exe on your system. If the files are not located in the directory specified in the value of the RuntimeLib registry key then you may have a bad install of Java. The best way to correct this is to manually apply the next Java patch or reinstall Java on the system.
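
The manual registry check above as a PowerShell script (an added example, not Ivanti tooling). It assumes java.exe sits in bin under the key's JavaHome value and that a JDK registers under JavaSoft\Java Development Kit; the article does not state how the scan engine itself locates java.exe or detects a JDK.

```powershell
# Added example: check that each registered JRE's RuntimeLib value points at a real
# jvm.dll. Run from a 64-bit PowerShell on 64-bit Windows; a 32-bit process is
# redirected to Wow6432Node and would not see both registry views.
$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
)

$report = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $runtimeLib = $key.GetValue('RuntimeLib')   # location checked during the patch scan
        $javaHome   = $key.GetValue('JavaHome')
        # Assumption: java.exe is expected in the bin folder under JavaHome.
        $javaExe    = if ($javaHome) { Join-Path $javaHome 'bin\java.exe' }

        $jvmFound  = [bool]($runtimeLib -and (Test-Path -LiteralPath $runtimeLib -PathType Leaf))
        $javaFound = [bool]($javaExe -and (Test-Path -LiteralPath $javaExe -PathType Leaf))

        [pscustomobject]@{
            RegistryKey    = $key.Name
            RuntimeLib     = $runtimeLib
            JvmDllFound    = $jvmFound
            JvmDllVersion  = if ($jvmFound) { (Get-Item -LiteralPath $runtimeLib).VersionInfo.FileVersion }
            JavaExeFound   = $javaFound
            JavaExeVersion = if ($javaFound) { (Get-Item -LiteralPath $javaExe).VersionInfo.FileVersion }
        }
    }
}

if (-not $report) { Write-Warning 'No Java Runtime Environment registry keys found.' }
$report | Format-List

# A RuntimeLib value that does not resolve to a file is the mismatch the article describes.
$report | Where-Object { -not $_.JvmDllFound } | ForEach-Object {
    Write-Warning "RuntimeLib for $($_.RegistryKey) does not exist on disk: $($_.RuntimeLib)"
}

# Assumption: a JDK install registers under JavaSoft\Java Development Kit.
$jdkRoots = $roots -replace 'Java Runtime Environment$', 'Java Development Kit'
$jdkKeys  = @($jdkRoots | Where-Object { Test-Path -LiteralPath $_ })
if ($jdkKeys) {
    Write-Warning "JDK registry key present ($($jdkKeys -join ', ')); JRE updates are not offered when a JDK is detected."
}
```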

 

If the instructions in this article do not help identify the root cause of this issue, contact the Shavlik support team and please provide the following information:

 

 

Affected Products

 

Patch for Windows 9.3+

Missing patches that always show missing in results - Security Tools


Symptoms

 

  • Detected patch continues to show as missing after successfully deploying.
  • Patch that shows missing ends with 'U' every other deployment.

 

Cause

 

There are patch types that exist as both an installer and an uninstaller; these patches can cause a loop when scanning and deploying. When the installation patch is deployed, the uninstall patch is then considered missing. These patches are designed this way by their vendor to make it easy to add or remove the patch according to environmental needs. When you scan for and deploy these types of patches, the patch may appear to be continually missing because each deployment alternately adds and removes it. The uninstall patch will end with 'U'. These patches tend to belong to the 'Security Tools' patch type.

 

Example: Missing the Installation Patch

[Screenshot: Missing Install Patch]

 

Example: After Installed, Now Missing Uninstall Patch

[Screenshot: Missing uninstaller]

 

Resolution

 

Exclude the specific patch by using a patch group, or choose not to deploy the patch's installer/uninstaller after scanning.

 

Refer to the following document:

 

How To: Include or Exclude Specific Patches in Scan Results in Ivanti Patch for Windows Servers

 

These are known patches that offer an uninstaller.

 

  • Q2719662(U) - MS12-A06
  • Q2794220(U) - MS12-A10
  • Q2847140(U) - MS13-A02
  • Q2887505(U) - MS13-A08
  • Q2896666(U) - MS13-A09
  • Q4072698(U) - IVA18-001
  • Q4072699(U) - IVA18-002

 

Affected Products

 

Patch for Windows 9.3+

Deployed patches detected missing after subsequent scans


Purpose

 

This document will help you determine why previously deployed patches are detected missing after subsequent scans.

 

Cause

 

It is possible that the patch was delivered to the remote system but was never executed, or that it attempted to install but failed. This may happen if the scheduler does not start the deployment. This can also happen if the patch requires a reboot to fully install, and a reboot has not been performed before running another scan.

 

Resolution

 

Before you begin, ensure your system is rebooted after the patch is installed. Patches that require a reboot after an installation are not fully installed until a reboot takes place, and until then they will appear as missing. Do not rescan before deployment is complete, or patches may show as missing. Perform another scan after the system has been rebooted.

 

To determine whether or not the deployment actually started, go to C:\Windows\ProPatches and look in the Staged folder. If there is nothing in the Staged folder, the deployment has started; if there are directories in the Staged folder, one or more deployments have not started. You can also determine whether or not patches recently ran by opening C:\Windows\ProPatches\Logs\STDeployercore.log and looking for recent entries and return codes. Keep in mind that the times will be in GMT.
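
The Staged folder and deployer log check above, wrapped in a function; this is an added example, not Ivanti tooling. The function name, the -ComputerName and -TailLines parameters, and the use of the target's ADMIN$ share (which maps to C:\Windows) to reach a remote target are assumptions.

```powershell
# Added example: report whether a deployment has started on a target machine.
function Get-DeploymentStartState {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$TailLines = 30
    )

    # Assumption: a remote target's ADMIN$ share is reachable with your credentials.
    $base = if ($ComputerName -eq $env:COMPUTERNAME) { 'C:\Windows\ProPatches' } else { "\\$ComputerName\admin`$\ProPatches" }

    $staged = Join-Path $base 'Staged'
    $log    = Join-Path $base 'Logs\STDeployercore.log'

    # Directories still present in Staged are deployments that have not started.
    $pending = @()
    if (Test-Path -LiteralPath $staged) {
        $pending = @(Get-ChildItem -LiteralPath $staged -Directory |
            Select-Object -ExpandProperty Name)
    }

    $logItem = if (Test-Path -LiteralPath $log) { Get-Item -LiteralPath $log }

    [pscustomobject]@{
        ComputerName      = $ComputerName
        StagedFolderFound = (Test-Path -LiteralPath $staged)
        NotStarted        = $pending
        # Log entries are in GMT, so compare them with UTC rather than local time.
        LogLastWriteUtc   = if ($logItem) { $logItem.LastWriteTimeUtc }
        NowUtc            = (Get-Date).ToUniversalTime()
        LogTail           = if ($logItem) { Get-Content -LiteralPath $log -Tail $TailLines }
    }
}

$state = Get-DeploymentStartState
$state | Select-Object ComputerName, StagedFolderFound, NotStarted, LogLastWriteUtc, NowUtc |
    Format-List

# Most recent deployer log lines; look here for recent entries and return codes.
$state.LogTail
```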

 

To manually test this on the target machine, manually install the patch. Note errors that are displayed during the installation process and inform Technical Support accordingly - screenshots may be useful.

 

If the rescan does not show the patch as installed, it is possible you are experiencing a different issue. To further examine your case, contact support (http://www.shavlik.com/support/contact/). You should have the following information ready before contacting Ivanti Technical Support:

 

  • What is the product name and version build number you are experiencing issues with?
  • The Operating System of the console machine.
  • The Operating System of the target machine.
  • The number of the patch that continues to show as missing.
  • Are you using a custom Patch Scan Template?
  • Are you using a custom Deployment Template?
  • Did you allow a reboot before scanning the machine again?
  • What are the exact steps required to reproduce this issue?

 

Reproduce the issue and generate logs based on the steps in this document: How To: Gather console, patch deployment and agent logs for Ivanti Patch for Windows

 

Include the exact steps required to reproduce this issue. Include applicable screenshots. Zip up all of the images and logs from the specified folders.

Affected Products

 

Patch for Windows 9.3+

Deciphering the Patch for Windows Deployment Tracker Status Messages


Purpose

 

This article provides information about the Patch for Windows Tracker status messages.

 

Resolution

 

You can verify the deployment status by going to View > Deployment Tracker or by pressing the F9 key in the Patch for Windows GUI.

 

This table lists possible statuses and their descriptions:

 

Status - Description

  • No status - Initial value set when the tracker record is created.
  • Failed - Deployment failed for one of these reasons:
      • Not enough deployment seats
      • Not licensed to deploy this patch
      • Patch file is not signed
      • Patch file could not be found
      • Uninstall and the uninstall file is not specified in the XML
      • Uninstall but we were able to locate the uninstall file on the target machine
      • Copy file to the target machine failed
      • Almost anything else that went wrong during deployment (for example, bad credentials or could not schedule)
    The message includes the reason.
  • Copied to machine - Files and data have been copied to the target machine.
  • Scheduled - Deployment has been scheduled on the target machine.
  • Executing - The patch file is executing.
  • Executed - Patch has executed and the deployment template specified no reboot.
  • Executed (pending reboot) - Patch has executed, and a reboot of the target machine is pending. This status is set after executing the patch file if the deployment template specifies/allows reboot. Always reboot the target after running a patch uninstall.
  • Reboot may be required / Installation failed - Rescan completed and found the specified patch is missing.
  • Successfully installed - Rescan completed and found the specified patch is not missing.
  • Unable to verify - Could not perform the rescan (that is, failed to connect to target machine) or the patch InstallState attribute is present but not missing or installed in the rescan results.
  • Canceled - Deployment was cancelled.
  • Install complete. Not verified - This status is no longer used.
  • Awaiting rescan - Rescanning the target machine. This status is set immediately prior to sending the rescan request to the scan engine.
  • Installed Success Inferred - Rescan did not report on the patch. It is neither missing nor installed, so tracker infers that the patch was successfully installed. This happens for patches that actually install newer versions of the product. Since the old product is no longer present on the target, the patch for the old product appears neither as missing nor as installed.

 

Additional Information

 

You can find more information in About the Deployment Tracker Window.

 

Affected Products

 

Patch for Windows 9.3+

Resolving database upgrade timeout failures for Patch for Windows


Purpose

 

Customers with a large number of previous scan results and/or a slow or heavily loaded SQL server may experience a failure when upgrading their Patch for Windows database from one version to another. This document provides a resolution for database upgrade issues where the root cause of the failure is a database connection timeout.

 

Symptoms

 

You receive a message such as the following within the GUI or a pop up window of the upgrade:

  • Database conversion error
  • Database connection timeout
  • Failed to commit the database installation or upgrade

 

AND

 

The ST.DatabaseConfiguration.log may contain one of the following errors:

System.Data.SqlClient.SqlException: Timeout expired.  The timeout period elapsed prior to completion of the operation or the server is not responding.

DBInstallWizard.WizardFinishClick|Failed to commit or save the database installation.: A SQL Server query operation timed out. Consider increasing the command timeout in the configuration file.

SqlError message: 'Timeout expired.  The timeout period elapsed prior to completion of the operation or the server is not responding.'

 

Cause

 

The database upgrade process may be taking longer than the default allotted timeout period, or the connection to the SQL server may be slow/unstable.

 

Resolution

 

There are two suggested steps to work around this issue:

 

1) The SQL transaction log may be significantly larger than necessary.  Using SQL Server Management Studio, verify that the transaction log for your database is set to grow or has a max size setting that is large enough (we have seen 4GB databases require 12GB for logs).  Do a FULL back up of the transaction log to force its truncation.  This is a good practice to verify that enough free disk space is available to perform the upgrade process.

 

2) The database upgrade function may be timing out on a single command.  The default command timeout is 30 minutes.  This timeout is implemented to provide feedback in case the command is not responsive or hangs.  However, in some environments altering tables with large amounts of data may require more than 30 minutes to complete.

 

If the upgrade failure was related to a timeout, this timeout value can be changed by running the installer with an extra parameter from the command line as follows:

 

For instance, for Patch for Windows 9.3.4510:

"IvantiPatchForServers_9.3.4510.exe" /wi:"DBCOMMANDTIMEOUT=10800"

The value is in seconds (10800 equals 3 hours).

 

Affected Products


Patch for Windows 9.3+

Why Ivanti Patch for Windows patch scan results may differ from Windows Update


Purpose

 

An explanation of why Ivanti Patch for Windows patch scan results may differ from Windows Update

 

Solution

 

The patch detection method and logic of Patch for Windows and Windows Update are fundamentally the same, yet differ in execution and scope.

 

Patch for Windows will scan for Microsoft and 3rd party updates, while a Windows Update scan will scan for Microsoft updates only. Both products have the ability to scan for Security Patches, Non-Security Patches and Security Tools, but Windows Update will include driver updates, which are not supported by Patch for Windows.

 

Windows Update, for the most part, won't allow you to filter the scan results; it will attempt to identify all required Microsoft patches on the client. Depending on the Scan Template you are using in Patch for Windows, the results will vary. For instance, the built-in Security Patch scan will only show missing Microsoft and 3rd party security patches, and the WUScan scan will scan for Microsoft and 3rd party security patches and non-security patches.

 

Patch for Windows uses a variety of detection methods to determine if a patch is Installed or Missing on the client. The process is detailed in the document Explanation of how patch scan detection works in Patch for Windows.

 

Administrators can view file and registry entry criteria by searching for the patch in View > Patches of the Patch for Windows main menu. See Viewing Patch Details.

 

Affected Products

 

Patch for Windows 9.3+


How to create a Custom Patch in Patch for Windows


Purpose

 

The purpose of this document is to outline the process for creating a custom patch, and to provide an example of how to create a custom patch using Patch for Windows.

 

If you have any questions about whether a product or patch is supported in Ivanti Patch for Windows Servers, please contact support before creating a custom patch. A misconfigured custom patch could cause your console to work incorrectly, so it is important that you follow these instructions precisely.

 

                

Description

 

Create a Custom XML

 

1. Open the custom patch editor. Tools > Custom patch editor

 

[Screenshot: Custom patch editor]

 

2. Click on Create a new custom XML file.

 

Create a Custom Product

You can add a Custom Product if this patch relates to a specific product. Although this step is not necessary it will add detection for the product itself.  In this case it is not needed as the product is the operating system. Adding a custom product will allow you to target that application for the patch. If the product is not detected it will not look for the patch.

 

In this example, I create a product called X-Zip. You will need to provide a HKEY_LOCAL_MACHINE registry key path for the software as well as the corresponding information.

[Screenshot: Custom product]

 

Create a Custom Bulletin

 

1. Click insert, then Add Bulletin (or right click Custom Bulletins > Add New Bulletin).

2. Give the bulletin a name. In this example I used HF01-001 because it is a hotfix.

3. Give the bulletin a title, which will typically be a description. In the summary portion, provide any important information.

 

[Screenshot: Bulletin]

 

The only required field is the bulletin name.

 

Create a Custom Patch

 

1. Click on Insert and add a custom patch (or right click Custom Patches > Add New Patch).

2. Give your patch a name. In this example I used the KB as the patch name.

3. Select the bulletin you created in the above steps.

4. Select the type of patch, and the severity.

[Screenshot: Custom patch]

 

5. From here you will add the detection information in the Scan Information tab.

This step is very important as it will identify if the system needs this patch or not. If this is a MS patch, their KB on the patch will indicate what files or registry keys are used when detecting if the patch is needed. If this is not a MS patch and you are not sure how to detect it, it is recommended to install the patch on at least one machine to verify what files and/or registry keys are involved. In the example below we are using a file to detect if the patch is missing.

[Screenshot: File Details]

 

6. You can also target a particular application or operating system using the targeting tab. In this case, since this update is only applicable to Windows Server 2008 SP2 and Vista SP2, I selected all corresponding operating systems.

  • Targeting is not required, however if not specified the update will be offered for all systems that meet the scanning requirements.
  • If you added a custom product it will show under targeting available products. You will first need to save the XML and import the custom XML before your custom product will appear in the list.

[Screenshot: Targeting]

 

7. On the deployment tab browse to the location of the patch and select it. Patch for Windows will automatically fill in the file size. Select any install switches that are required or desired for the patch deployment. In this case since the file is a .msu we need the /quiet switch.

[Screenshot: Deployment info]

Click the link for more information on using .msu files: http://community.shavlik.com/docs/DOC-1902

 

Import/Validate your XML

 

1. Next you will need to validate your XML. There will be more information in the issue column if the validation fails.

[Screenshot: Validate]

 

2. Save your custom XML, and then click the X to close the dialog box. This will prompt you to import the custom patch.

3. Click import now.

[Screenshot: Import now]

 

4. When the below dialog box pops up select your Custom XML file and click OK. It goes through a second validation.

[Screenshot: Validate xml]

 

5. After validation the Import Patch Definitions process automatically updates the database with the latest definitions, including the newly created custom XML. If you created a custom product you should see it added as well.

[Screenshot: Import definitions]

 

Scan and deploy to your machines.

 

1. Once the definitions are updated proceed to scanning your machines.

  • Be sure to copy the patch to the patch repository on the console so it is available for deployment. You can locate your patch repository by going to Tools > Operations, under Patch download directory.
  • Make sure that the scan template you're using includes the patch filter type that applies to your custom patch when scanning (i.e. Security Patch, Non-Security, Security Tool, etc.)
  • We recommend testing with one machine that needs the patch to verify everything is working properly.

[Screenshot: Scan Complete]

 

2. Deploy the patch and verify it installs properly. You should now also be able to look up and view your custom patch using View > Patches in Patch for Windows.

 

Additional Information

 

Additional information: Creating A New Custom XML File

 

Affected Products

 

Patch for Windows 9.3+

How to increase the database timeout for Patch for Windows


Symptoms

 

  • Patch for Windows reports database timeout errors.
  • In the ST.Protect.managed.log file, you may see an error such as the following:

System.Transactions.TransactionAbortedException: The transaction has aborted. ---> System.TimeoutException: Transaction Timeout

ScanSummaryPresenter.IsRecoverable|A SQL Server query operation timed out. Consider increasing the command timeout in the configuration file

 

Resolution

 

You need to increase the database timeout period:

Close the Patch for Windows application before proceeding.

 

1. Navigate to C:\Program Files\LANDesk\Shavlik Protect.

2. Locate the ST.Data.Config file and open it using a text editor.

3. Change this entry: st.data commandTimeout

From: st.data commandTimeout="30"
To: st.data commandTimeout="3600"

This increases the timeout period allotted for transactions with the database. This number is in seconds, and you can set it to a higher value as required. 3600+ is the recommended value for most timeout issues.

 

4. Save the changes to the ST.Data.Config file.

5. Re-open your Patch for Windows console, and test to see if the issue is resolved.

This setting is not maintained during a re-install or upgrade.  Also, running the Database Setup Tool will revert this setting to 30 seconds.
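
Steps 1 to 5 as a script that also keeps a backup, useful for re-checking the value after an upgrade or a Database Setup Tool run; this is an added example, not Ivanti tooling. It assumes the file is UTF-8 text and that the entry appears as shown above; close the console first and run it from an elevated PowerShell.

```powershell
# Added example: report and, if needed, raise commandTimeout in ST.Data.Config.
$config  = 'C:\Program Files\LANDesk\Shavlik Protect\ST.Data.Config'
$desired = 3600   # seconds

if (-not (Test-Path -LiteralPath $config)) { throw "Not found: $config" }

# Assumption: the file is UTF-8 text.
$text = Get-Content -LiteralPath $config -Raw

# Match the entry as the article shows it: st.data ... commandTimeout="<seconds>".
$pattern = '(st\.data\b[^>]*?\bcommandTimeout=")(\d+)'
$match   = [regex]::Match($text, $pattern)
if (-not $match.Success) {
    throw "No st.data commandTimeout entry found in $config; edit the file by hand."
}

$current = [int]$match.Groups[2].Value
if ($current -ge $desired) {
    Write-Output "commandTimeout is already $current seconds; nothing to change."
    return
}

# Keep a timestamped copy so the original can be restored.
$backup = "$config.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $config -Destination $backup

# ${1} re-inserts everything up to the opening quote; only the number changes.
$updated = [regex]::Replace($text, $pattern, ('${1}' + $desired))
Set-Content -LiteralPath $config -Value $updated -NoNewline -Encoding UTF8

# Read the file back to confirm the new value was written.
$check = [regex]::Match((Get-Content -LiteralPath $config -Raw), $pattern)
Write-Output "commandTimeout changed from $current to $($check.Groups[2].Value) seconds."
Write-Output "Backup saved as $backup"
```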

 

Affected Products

 

Patch for Windows

Patch for Windows Landing Page


Overview

 

Welcome to Ivanti Patch for Windows, a unified IT management platform used for managing and protecting Windows-based machines and VMware ESXi Hypervisors. Ivanti Patch for Windows Server provides you with one centralized and common interface that you can use to perform several essential IT management functions. In 30 minutes or less, start managing your physical and virtual machines, software, patches, ITScripts and energy costs.

 

Ivanti Patch for Windows Servers

(Previously known as Shavlik Protect)

 

Software and Technical Documentation

 

Patch for Windows:

 

Licensing Information

 

Patch for Windows:

 

Best Practices & How To's

 

Patch for Windows:

 

Troubleshooting Common Issues


Patch for Windows: Installation & Upgrade

 

Patch for Windows: Obtaining Trace Logs

 

Patch for Windows: Scan & Detection

 

Patch for Windows: Patch Deployment & Shavlik Scheduler

 

Patch for Windows: Database Related

 

Other Useful Information

 

Patch for Windows:

Shavlik Community Migration


As a part of our commitment to continuous improvement of self-help and online support, we wanted to give you advance notice of some upcoming changes.  We are currently migrating our Ivanti Communities (community.ivanti.com & community.shavlik.com) to a new site.  The migration is to help facilitate a seamless customer experience between our systems, as well as help unify our products under the Ivanti brand.

 

Update 20th January 2019- Site is now read only and migration has started.

 

Webinar Introduction to New Community

Soon to be scheduled - watch out for the announcement!

 

 

What does this mean for me as a customer?

  • You will use your same credentials to continue accessing forums, knowledge base, and the support/success portal.
  • Your access to support does not change.
  • Notifications from the community will now be sent to the registered email address (the one you log into the site with). Previously some users established a secondary email address to receive emails at; this feature will no longer operate that way.
  • The look of the site and the structure of certain things will be different, so we will be hosting webinars to discuss some of these changes.
  • Please watch Community.Ivanti.Com for information about when these will occur.
  • (Recordings of these webinars will be available for on demand access)

When will the new site be live?

Currently scheduled for Monday 21st Jan 2019

During the migration process, Community.Shavlik.Com will be placed in read only mode. This will leave the site accessible to search, and read kb's and forums, but no new data will be permitted for submission until the migration is complete and we are on the new site.

Do I need to register for this new site?

If you are already registered for any of our existing support sites – you do not need to re-register.

This includes:

  • Community.Ivanti.com
  • Community.Shavlik.com
  • Success.Ivanti.com
  • Support.Ivanti.com

 

If you are not registered, you can choose to register with the site at any time to gain access to features such as downloads and support.
