Channel: Ivanti User Community : Document List - Patch Manager

Next Gen Microsoft Windows Vulnerabilities (beta) is not shown in the Patch Manager > Download updates > Windows > Vulnerabilities


 

To resolve the issue, select "Microsoft Windows Vulnerabilities", click the "Apply" button, and then click the "Download now" button.

 

Once the download completes, go back to "Download updates" and the definition type "Next Gen Microsoft Windows Vulnerabilities (beta)" will be shown.


EPM version 2017.3 Verification - Verify definition signatures/hashes before downloading


In EPM version 2017.3, the Verification option "Verify definition signatures/hashes before downloading" is enabled by default and cannot be disabled.

 

EPM version 2017.3 Management Console > Tools > Security and Compliance > Patch and compliance > Download updates > tab Content > Verification

 

Verify definition signatures/hashes before downloading

 

NOTE: When checked, any definitions that do not have a valid SHA256 hash will not be downloaded. Also, any lists of definitions that do not have a valid signature will not be processed. The download progress form will show any download failures due to invalid/missing signatures or hashes.

 

 


Ivanti Endpoint Manager and Endpoint Security - Security and Compliance Frequently Asked Questions


Ivanti Endpoint Manager and Endpoint Security - Security and Compliance

NEW! About the New Patch Engine in Ivanti Endpoint Manager

How to patch Office 365

Introduction to Patch Manager - LANDESK Patch Manager 2016

About LDMS 2016 new Patch and Compliance features

How to patch and manage Windows 10 using LANDESK Security and Patch Manager

How to patch Office365 Click-to-Run installations efficiently with LANDESK

How to upgrade to Windows 10 Anniversary Edition using Ivanti Patch and Compliance

How to troubleshoot a Patch and Compliance (vulnerability) scan


 

 

 

How to report LANDESK Patch Manager definition issues to technical support
How to report LANDESK Patch Manager vulnerability detection problems to support
How to request new content be added to Patch and Compliance Manager

 

 

Remember, the LANDESK Help site is a valuable source of information!

 

Important Notices

 

LANDESK support program for Windows XP and Server 2003 patch content

 

How To's and Issues

How to get started with Patch Manager in LDMS 9.6

How to change the Default Distribution and Patch Settings

How to change the default Patch Location for Security and Patch Manager

How to change the number of Security Scan logs kept on a managed device

How to create a Custom Vulnerability Definition in Security and Compliance Manager

How to create a Pre-Cached Repair / Staged Repair

How to establish a Patch and Compliance Baseline Patch Group

How to exclude a managed device from applying patches

How to export patch definitions to a Dark Core (a core server with no internet access)

How to leverage Linux vendor tools to remediate vulnerabilities

How to manage superseded patches in Security and Compliance Manager

How to patch and manage Windows 10 using LANDESK Security and Patch Manager

How To: Repair Patches as a Specific User or "Run as Administrator"

How to repair vulnerabilities using a pre-cache task (install from local cached file or peers instead of from the source…

How to reset security scan local scheduler settings using a managed script

How to retain more vulscan logs before they are overwritten

How to Scan and/or Repair against a custom group

How to Scan for Specific Patches

How to schedule a Security Scan

How to set autofix attempt times before giving up

How to set up a Core Server to download patches for other cores with limited internet access (Dark Core)

How to speed up patching by disabling creation of restore points per each single update

How to start CBA8 with custom definition

How to troubleshoot a Patch and Compliance (vulnerability) scan

How to troubleshoot Core Server patch content download issues

How to troubleshoot detection problems in LANDESK

How to troubleshoot high CPU usage from the W3WP process for LDAppVulnerability

How to troubleshoot IIS using Log Parser Studio from Microsoft

How to troubleshoot Patch Manager detection and remediation issues

How to troubleshoot the Patch and Compliance Manager client scan and repair process

How to uninstall old Java versions with LDMS Patch and Compliance

How to uninstall Patches through Patch Manager

How to upgrade Software Using Patch Manager

How to upgrade to Internet Explorer 11 using Patch Manager

How to use Application Blocking in LDMS 9.6 Patch and Compliance Manager

How to use autofix in Security and Compliance Manager

How to use Custom Groups to repair groups of computers

How To: Use the Patch Cleanup Option in the Download Updates Tool in Patch and Compliance Manager

How to Use Manually Downloaded Patches

How to use Patch Manager to deploy a LANDESK Service Pack

How to use Security and Compliance Manager to deploy a Component Patch

How to use VBScript in the detection rule of a Custom Vulnerability

How to use VBScript in the Patch Installation & Removal (repair) section of a Custom Vulnerability

How to utilize LANDESK to Disable/Enable Windows Automatic Updates

How to view installed updates for Windows using WMIC

Issue: "Create custom definition" icon is greyed out in the Patch and Compliance tool.

Issue: Additional file in custom patch is not downloaded to same directory as the patch

Issue: Affected Computers window doesn't display any results

Issue: After upgrading to LDMS 9.6 the 'Download updates' screen still shows 9.5 content

Issue: Agent Continually Prompts for Reboot

Issue: Autofix no longer repairing vulnerabilities

Issue: Cannot open vulscan logs folder from the command line using "vulscan e"

Issue: Copied repair patch tasks will not delete

Issue: Definition types missing from the download updates window.

Issue: Download Updates options missing or show "Do Not Remove"

Issue: Download updates settings revert back to original options

Issue: Downloaded status next to a definition rule does not show correct status

Issue: Gather Historical Information task is failing to run in Management Suite 9.6.

Issue: Google Chrome not detected as an installed application on Windows Server in Security and Compliance Manager

Issue: High CPU load and slow patch deployment using LANDESK Patch Manager

Issue: Java Update Leaves Old Build Installed

Issue: KB# is showing up in Windows Update but not in LANDESK Patch Manager

Issue: Last Vulnerability (or other type) scan date is not updated in Inventory

Issue: Message "No Patches Available" in Scheduled Task status after scheduling repair task

Issue: Microsoft Hotfixes aren't included by default in LANDESK Security and Patch Manager

Issue: Patch Manager Configuration loses settings inside the Download Updates window

Issue: Patch Manager is not installing all of the patches that show up in Windows Update

Issue: Patch severity mismatch between Microsoft and LANDESK

Issue: Patches are downloaded in different languages

Issue: Patches failing to download with the message "Skipping old or disabled patch"

Issue: Patches show as both detected and installed

Issue: PatchHistory database table is very large and causing a strain on SQL resources

Issue: Reboot prompt shows hours until Automatic Reboot

Issue: Repair tasks not showing after Portal refreshes

Issue: Scanned and Detected numbers are not updating or are incorrect in Patch Manager

Issue: Security and Compliance Manager (Vulscan) window blank

Issue: Skype updates are not installing depending on the version

Issue: Special characters not working in unique filename path for Patch Information section of Custom Definitions

Issue: Unable to Download More Than 100 Vulnerabilities at a Time

Issue: Unable to download or install .MSU patches through Patch Manager

Issue: Unable to log in to Windows after applying Blocked Applications

Issue: Unable to schedule and start a patch content download

Issue: Very few patches are detected for Windows 2012 server managed nodes

Issue: Vulnerability Scans are not updating on the core

Issue: Vulscan cannot connect to the vulcore.asmx service on the Core Server

Issue: Vulscan is not applying agent setting changes or is using an incorrect agent setting

Issue: Vulscan stuck in a loop following deployment of SP1 for LDMS 9.5

Issue: Windows 7 and 2008 clients are blue screening when using Application Blocking

Issue: Windows Devices in another AD domain do not get Patches applied

 

 

Information and Errors

About an update & improvement to the LANDeskScan.DLL notification

About Autofix and Scan by Scope changes in LDMS 9.6

About content verification in LANDESK Patch Manager

About IIS Virtual Directories and File Permissions for Security and Patch Manager

About LANDESK Distribution and Patch settings

About LANDESK Patch Content severity levels

About LANDESK Patch Manager and Antivirus return codes

About LANDESK Security and Compliance Manager content

About manually downloaded patch definitions

About Patch and Compliance content vulnerability definition title suffixes

About Patch Codes for Inventory

About Patch Manager 9.6 new permissions options for editing and importing definitions

About Patch Manager Auto Update

About Patch Manager vulnerability information and the processes that affect it

About Patching: 101 - A simple, effective method of patching

About the "Gather Historical Information" task in Ivanti EPM Patch and Compliance Manager

About the "Patch-only settings" inside "Distribution and Patch Settings"

About the "Use 64-bit registry view on 64-bit windows" setting within Patch and Compliance definition rules

About the Checksum and Hash types used in Patch Manager definitions

About the Compliance group in Security and Compliance Manager

About the icons in the Security and Compliance tool

About the LANDESK support program for Windows XP and Server 2003 patch content

About the LDMS 9.5 and 9.6 Patch Manager database schema

About the Patch Manager definition rules processing order

About the Registry Keys that are checked to see if a reboot is needed

About the security and compliance scan (vulscan) log files

About the Vulnerability scan and repair logs

Error "Unable to get the setting from core" when running security scan (Vulscan.exe)

Error: "0x8db30194" (404) from vulscan

Error: "0x8db3019c All Patches Failed" in Vulscan log file

Error: "1314" when installing a patch or application through Patch Manager

Error: "8004005" when patching Microsoft Office installs

Error: "Cannot complete the requested action. The device must be rebooted first." when running vulnerability repair job

Error: "Client user does not have administrator rights" when running Vulnerability Scan

Error: "Core could not find a file" when running vulscan on clients

Error: "Could not establish trust relationship for the SSL/TLS secure channel error" when downloading patch definitions

Error: "Error writing scripting file. Please verify access privilege" when running vulnerability repair job

Error: "Failed to apply compliance settings" during vulnerability scan

Error: "Failed to download all additional files" when repairing a vulnerability using a Policy method

Error: "Failed. Cannot Interpret Data" when running a Security and Compliance scan

Error: "Hash for patch does not match with host. Discarding" when downloading Patch Content

Error: "HTTP Error 403" / Vulscan Return Code 433

Error: "Invalid column name 'scan' when downloading content after Service Pack installation

Error: "Invalid XML file 951_updates.xml. There is an error in XML document (2, 2)" when downloading Antivirus definitio…

Error: "Length of LOB data (XXXXXX) to be replicated exceeds configured maximum 500000" when downloading updates

Error: "No uninstall instructions. Patch is not installed." when uninstalling a patch

Error: "Node's reported ID is not in the database"

Error: "RunPatches ERROR: Download failed (80072f76)" when repairing vulnerability

Error: "Server Busy" when running a Vulnerability Scan

Error: "Unable to find string with ID message" in Vulscan UI

Error: "Unable to get custom variable overrides"

Error: "You have not specified a site from which to download updates" when downloading updates in Patch Manager

How to upgrade to Windows 10 Anniversary Edition using Ivanti Patch and Compliance


This article describes how to use Ivanti Patch and Compliance to upgrade to Windows 10 Anniversary Edition

 

For information about upgrading to Windows 10 Creators Edition (1703) see How to upgrade to Windows 10 Creators Edition using Ivanti Patch Manager

 

Windows 10 Anniversary Edition is also known as Windows 10 RS1 or Windows 10 1607.

 

Goal

 

Upgrade the clients to Windows 10 version 1607.

 

Steps

 

These steps use the Ivanti Patch and Compliance Manager definition called "W10V1607". A prerequisite for installing this version to a client computer is that the target computer must have 2GB of memory or higher.  If the client computer does not have 2GB of memory or higher it will be detected but it will not attempt to install the update.

 

  1. Download or otherwise acquire the Windows 1607 media for the version of Windows that you are updating (Education, Professional, or Enterprise)

    This can be done by following the instructions in this link.

* MediaCreationTool.exe from http://go.microsoft.com/fwlink/?LinkId=691209 can create only two editions: Windows 10 Professional or Windows 10 Home. There is no option to download and create the Windows 10 Enterprise or Windows 10 Education editions. Also, a Windows 10 ISO file created using MediaCreationTool.exe contains no ..\sources\install.wim file, so the edition of Windows 10 cannot be verified using dism.exe ("dism.exe /get-wiminfo /wimfile:F:\sources\install.wim").

Please note that the MediaCreationTool will download the latest Windows 10 version, which is at this point 1709 (Fall Creators Update).

If using a copy from MSDN, this is likely an all-in-one image; only the product key changes the version.

  2. Place this .ISO into the \ManagementSuite\LDLogon\Patch\ directory on your core server.  If you have changed the patch storage location, place it in the equivalent directory.
  3. Open the LANDESK Management Suite Console and go to the Security and Compliance Tool group.
  4. Open the Patch and Compliance Tool.
  5. Ensure that you have downloaded the latest updates in the Vulnerabilities category.
  6. After downloading the vulnerabilities category, find the "W10V1607" definition.  This is the definition that we will be using to upgrade Windows.
  7. Next, examine the properties of the definition by double-clicking it.

    You will notice that there is a list of rules in the definition.  You need to select the correct rule that matches the version of Windows you are trying to upgrade.
  8. Note the following in the description tab of the definition:

    [Screenshot: W10v1703-properties.png]
  9. Double-click the rule that matches the version of Windows you are trying to upgrade.  Be careful to choose the correct x86 or x64 version.
  10. You will need to make sure that the name of your .ISO file for the Windows upgrade exactly matches the filename within the rule, in the Patch information section under Unique filename.  To do this, highlight the filename, making sure to go all the way to the end just prior to ".ISO", and then press Ctrl-C to copy the file name without the extension.
  11. Right-click and rename your .ISO file from step 1 and paste in the name you just copied from the definition rule.  Make sure it still has the .iso extension and that it is not named ".iso.iso" or anything like that.  It must match exactly with the Unique Filename in the rule.
  12. Run Download Updates one more time to ensure that the "Downloaded" Yes/No column in the rule is updated to "Yes".  If it does not update, check your storage location and the name of the .ISO to make sure it matches.
  13. Run a scan and repair as usual.

 

Further information about the Patch Manager definition release can be seen here.

 

How to block automatic update to the Anniversary Edition of Windows on client systems

 

In order to block Windows 10 systems from automatically installing Operating System Upgrades, the following methods may be used:

 

Group Policy

Computer Configuration / Administrative Templates / Windows Components / Windows Update Policy

Setting: Turn off the upgrade to the latest version of Windows through Windows Update

 

Registry

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

DWORD value: DisableOSUpgrade = 1

 

Ivanti Patch and Compliance Manager Definition

The DISABLEWIN10UPGRADE definition can be sent as a repair job to turn off the Windows 10 auto-updates to newer OS versions.

This definition sets the Registry key listed above.

How to patch Office 365


Overview:

Ivanti Patch and Compliance now provides support for Office 365 versions 2013 and 2016.  Patch and Compliance administrators can now scan, detect, and remediate client devices that have Office 365 installed. For Office 365 version 2013, Ivanti leverages the Microsoft Office Deployment Tool to perform the remediation tasks for updating Office 2013 installations. For Office 365 version 2016, Ivanti has developed an Office Com API to perform remediation tasks for updating Office 2016 installations. Ivanti provides a utility (Office365Util.exe) for you to use to download the Office installation data and to check the hash for Office 2016 installation data. When the Office patches are downloaded, Ivanti Endpoint Manager will check the hash on the pertinent files to ensure validity.

 

High Level Process

 

  1. The Ivanti administrator downloads Office 365 definitions from the Ivanti global servers.
  2. Once the Office 365 definitions are downloaded to the core, the Ivanti administrator can scan for those Office 365 vulnerabilities.
  3. In order to remediate (apply the latest patches to) detected vulnerabilities, the Ivanti administrator has to manually run, on the core machine, a new tool provided by Ivanti (Office365Util.exe). Using this tool, the Ivanti administrator can choose the Office 365 versions that are relevant to the environment. The Ivanti Office 365 utility will download the patch binaries and the Microsoft Office deployment tool from the Microsoft cloud.
  4. Once the patch binaries are downloaded to the core, the Ivanti administrator can apply the patches to all vulnerable endpoints using the standard method of applying patches.

Step 1: Download Content

 

Customers download the Office 365 vulnerability definitions, the O365Util.dll, and the Office365Util.exe from the Ivanti Global Host Content Server by downloading the latest Microsoft Windows Vulnerabilities.

 

[Screenshots: Download Updates (Microsoft Windows Vulnerabilities); Updating Definitions (Office365Util.exe/O365Util.dll); Updating Definitions (MSO365); MSOFFICE 365 (Vul_Defs); MSO365 (Vul_Defs)]

Step 2: Launch Office365Util.exe

 

Upon successful content download, an Office365Utility folder is created under the LDLogon share and will contain the Office365Util.exe file provided by Ivanti.

 

\\Core_Server\LDLogon\Office365Utility

 

This utility will allow you to select the specifics regarding the Office 365 product you are patching. Launch this utility directly from C:\Program Files\LANDesk\ManagementSuite\ldlogon\Office365Utility\ by double-clicking on Office365Utility.exe (do not try to run it via the network share \\Core_Server\LDLogon\Office365Utility or \\localhost\LDlogon\Office365Utility, as you will get an error).

 

Step 3: Select Options from Office365Util

 

The view provided below displays the available options inside of the Office365Util application (Ivanti Office 365 Utility for Patch and Compliance):

There is no Channel support for Office 2013

 

[Screenshots: Platforms; Deployment Tools; Channels; Office 365 (2013) Product List View]

 

In order to successfully patch Office 365, select which Office 365 patch product updates to download in order to support client remediation. After selecting the desired product updates from the Ivanti Office 365 Utility for Patch and Compliance application, click START.

 

 


 

Office 365 Tool

 

The START action will do (2) things:

 

  1. Create an Office365Tool folder under the LDLogon share and process the Microsoft setup.exe file

    \\Core_Server\LDLogon\Office365Tool

This folder will contain the Deployment Tool Type (2016 or 2013) selected during the download and all relevant installation data applicable to the options selected in the Ivanti Office 365 Utility for Patch and Compliance application. The display below will outline the contents of both Deployment Tools (2016 and 2013).

 

If you have both 2016 and 2013 products in need of patching, the download has to be completed separately.

 

[Screenshots: Office365Tool; Deployment Tool Options; 2016 Content; 2013 Content]

   
  2. Create an Office365 folder under the LDLogon\Patch share that contains the patch file(s):

 

\\Core_Server\LDLogon\Patch\Office365

Patch Location

 

Updated Office 365 patching is not designed to take advantage of our download technology. The client device will NOT download o365 patch files from a preferred server or peer device. The files will be retrieved from the default or non-default patch location.


 

Non-Default Patch Location

 

This section is only applicable to those who have changed the default download location for patches. After downloading the Office 365 patch updates and installation data with the Ivanti Office 365 tool, the following SOURCE will be in the vulnerability definition:

 

Office 365 (2016)

 

httpSourcesURL="Core_Server/LDLogon/Patch/Office365/DeploymentToolType/Channel/Architecture"

 

Ex: httpSourcesURL=http://2016E/ldlogon/patch/office365/2016/current/x64

Office 365 (2013)

httpSourcesURL=http://Core_Server/LDLogon/Patch/Office365/DeploymentToolType

 

Ex: httpSourcesURL= http://2016E/ldlogon/patch/office365/2013

 

In order for the Patch Install Commands in the vulnerability definition to interpret the correct patch location, the Custom Variable will have to be set in every MSO365 vulnerability definition.

 

To do this open the properties on the definition and select the Custom Variables tab. By default the value specified will resolve to the default patch location.

 


 

You will need to explicitly set the value to reflect the location your patches reside.

 


 

The Patch Install Commands section of the definition utilizes a script that resolves the Custom Variable.

 


 

References

How to change the default Patch Location for Security and Patch Manager

Microsoft Office 2016 Deployment Tool

Microsoft Office 2013 Deployment Tool for Click-to-Run

"Security and Patch" option is not available in the right click menu in the scheduled tasks for targets of the task.


Issue:

Security and Patch option is missing when right-clicking computers in the Scheduled Tasks tool in the Console.

 

Solution:

Install SU2 or newer for 2017.3.

About the Next Gen Microsoft Patch Definition Naming Convention


Overview

Starting with the April 11th 2017 Patch Tuesday, Microsoft no longer uses a traditional naming format for Security Bulletins. To help our customers, we created our own naming format as follows:

 

The new Security Bulletin mappings our products will be using: MS[YY]-[MM]-[PP(P)]

 

  • MS = Microsoft
  • YY = Year
  • MM = Month Released
  • PP =  Product

Here are examples from Patch Tuesday December 12, 2017:

  • MS17-12-OFF
    • All Office patches
  • MS17-11-O365
    • Security Only Updates for Office 365
  • MS17-12-IE
    • All IE patches
  • MS17-12-AFP
    • All Microsoft released Flash patches
  • MS17-12-W10
    • All Windows 10 patches, rollups and Deltas
  • MS17-12-2K8
    • All Vista and 2008 patches
  • MS17-12-SO7
    • Security Only Update for Windows 7 and Server 2008 R2
  • MS17-12-SO8
    • Security Only Update for Server 2012
  • MS17-12-SO81
    • Security Only Update for Windows 8.1 and Server 2012 R2
  • MS17-12-MR7
    • Monthly Rollup for Windows 7 and Server 2008 R2 (this is the rollup that includes non-security fixes)
  • MS17-12-MR8
    • Monthly Rollup for Server 2012 (this is the rollup that includes non-security fixes)
  • MS17-12-MR81
    • Monthly Rollup for Windows 8.1 and Server 2012 R2 (this is the rollup that includes non-security fixes)
  • MS17-12-SLV
    • All Microsoft Silverlight patches
  • MS17-12-2K3
    • All Server 2003 patches for the customers that subscribe to them (Extended support)
  • MS17-12-XPE
    • All Microsoft XP Embedded patches

.NET Patches will follow a slightly different naming scheme:

  • MS[YY]-[MM]-[TT][PP]-[KB]
    • YY = Year
    • MM = Month
    • TT = Type (Security Only or Monthly Rollup)
    • PP = Product (.NET)
    • KB = Parent KB
  • MS17-12-SONET-1234567
    • Security only patches associated with that parent KB
    • Security patch type
  • MS17-12-MRNET-1234567
    • Monthly Rollup associated with that parent KB
    • Non-Security patch type

Non-security .NET Patches also have a slightly different naming scheme:

  • MSNS[YY]-[MM]-[TT][PP]-[KB]
    • YY = Year
    • MM = Month
    • TT = Type (Quality Preview or Quality Rollup)
    • PP = Product (.NET)
    • KB = Parent KB
  • MSNS17-12-QPNET-1234567
    • Quality Preview patches associated with that parent KB
    • Non-Security patch type
  • MSNS17-12-QRNET-1234567
    • Quality Rollup associated with that parent KB
    • Non-Security patch type

 

Additional Information

Additional Naming Conventions

  • QP = Quality Preview
  • NS = Non-Security
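
The following PowerShell function is an added example, not Ivanti code: it parses definition IDs according to the convention listed above, including the "_INTL" suffix that appears on definition names elsewhere on this page, and rejects IDs that do not fit it. The function name, output property names and sample IDs are assumptions made for the illustration.

```powershell
# Added example: parser for the "Next Gen" definition IDs described above.
# Function and property names are hypothetical; patterns and product codes come from this page.
function ConvertFrom-NextGenDefinitionId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Id
    )
    begin {
        $typeNames = @{
            'SO' = 'Security Only'
            'MR' = 'Monthly Rollup'
            'QP' = 'Quality Preview'
            'QR' = 'Quality Rollup'
        }
        $products = @{
            'OFF'  = 'Office'
            'O365' = 'Office 365 (Security Only)'
            'IE'   = 'Internet Explorer'
            'AFP'  = 'Flash (Microsoft-released)'
            'W10'  = 'Windows 10'
            '2K8'  = 'Vista and Server 2008'
            'SO7'  = 'Security Only: Windows 7 / Server 2008 R2'
            'SO8'  = 'Security Only: Server 2012'
            'SO81' = 'Security Only: Windows 8.1 / Server 2012 R2'
            'MR7'  = 'Monthly Rollup: Windows 7 / Server 2008 R2'
            'MR8'  = 'Monthly Rollup: Server 2012'
            'MR81' = 'Monthly Rollup: Windows 8.1 / Server 2012 R2'
            'SLV'  = 'Silverlight'
            '2K3'  = 'Server 2003 (extended support)'
            'XPE'  = 'XP Embedded'
            'SQL'  = 'SQL Server'
        }
        $date   = '(?<yy>\d{2})-(?<mm>0[1-9]|1[0-2])'
        $suffix = '(?<suffix>_INTL)?'
        # .NET form:    MS[YY]-[MM]-[TT]NET-[KB] or MSNS[YY]-[MM]-[TT]NET-[KB]
        $netRx     = '^(?<prefix>MS|MSNS)' + $date + '-(?<tt>SO|MR|QP|QR)NET-(?<kb>\d+)' + $suffix + '$'
        # Product form: MS[YY]-[MM]-[PP(P)]
        $productRx = '^MS' + $date + '-(?<pp>[A-Z0-9]+)' + $suffix + '$'
    }
    process {
        $r = [ordered]@{
            Id          = $Id
            Form        = 'Unrecognized'
            Year        = $null
            Month       = $null
            Product     = $null
            Description = $null
            UpdateType  = $null
            PatchType   = $null
            ParentKB    = $null
            Suffix      = $null
        }
        $matched = $false
        if ($Id -cmatch $netRx) {
            $tt = $Matches['tt']
            # MSNS pairs only with QP/QR; plain MS pairs only with SO/MR.
            if (($Matches['prefix'] -ceq 'MSNS') -eq ($tt -in 'QP', 'QR')) {
                $matched       = $true
                $r.Form        = '.NET'
                $r.Product     = '.NET'
                $r.UpdateType  = $typeNames[$tt]
                $r.Description = $typeNames[$tt] + ' for .NET'
                # Per the page, only SONET is a Security patch type.
                $r.PatchType   = if ($tt -eq 'SO') { 'Security' } else { 'Non-Security' }
                $r.ParentKB    = 'KB' + $Matches['kb']
            }
        }
        elseif ($Id -cmatch $productRx) {
            $matched       = $true
            $code          = $Matches['pp']
            $r.Form        = 'Product'
            $r.Product     = $code
            $r.Description = if ($products.ContainsKey($code)) { $products[$code] }
                             else { 'code not in this example''s table' }
        }
        if ($matched) {
            $r.Year   = 2000 + [int]$Matches['yy']
            $r.Month  = [int]$Matches['mm']
            $r.Suffix = $Matches['suffix']
        }
        [pscustomobject]$r
    }
}

# Constructed sample input: IDs in the forms shown on this page, followed by two that
# must come back as 'Unrecognized' (QP without the MSNS prefix, and an old-style bulletin ID).
$sample = 'MS17-12-W10', 'MS17-12-SO81', 'MS18-01-2K8_INTL',
          'MS17-12-SONET-1234567', 'MSNS17-12-QRNET-1234567',
          'MS17-12-QPNET-1234567', 'MS16-XXX'

$sample | ConvertFrom-NextGenDefinitionId |
    Format-Table Id, Form, Year, Month, Product, UpdateType, PatchType, ParentKB, Suffix
```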

 

Microsoft released the following article for FAQ on the changes made: Security Updates Guide dashboard and API:

 

Q: Why is the security bulletin ID number (e.g. MS16-XXX) not included in the new Security Update Guide?

A: The way Microsoft documents security updates is changing. The previous model used security bulletin webpages and included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation, including bulletin ID numbers, is being retired and replaced with the Security Update Guide. Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers and KB Article ID numbers.

Support for the Intel 'Meltdown' security vulnerability KB4058702


Important information on detection logic for the Intel 'Meltdown' security vulnerability


Overview

 

Microsoft has identified a severe compatibility issue with a small number of anti-virus software products.

 

We highly suggest all customers review these issues here:  https://support.microsoft.com/en-us/help/4072699

 

Due to possible BSOD issues that may occur when installing this update on a system with out-of-date AV software, we will be adding a detection prerequisite as Windows Update does:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"

Type="REG_DWORD"

If the key does not exist, you will be offered the detection-only version of this patch.

 

This means that the associated patch for a system will not be remediated unless the Registry key is present. This mirrors how the patches are handled by Microsoft. Full details regarding the offering of the patch, and options if the Registry key is missing, are located in the Microsoft article here: https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

 

The patches will be offered for deployment if the key exists.

Affected patches:

  • MS18-01-IE Q4056568
  • MS18-01-SO7 Q4056897
  • MS18-01-SO8 Q4056899
  • MS18-01-SO81 Q4056898
  • MS18-01-W10 Q4056888, Q4056890, Q4056891, Q4056892, Q4056893

Affected CVEs:

  • CVE-2017-5753
  • CVE-2017-5715
  • CVE-2017-5754

 

Link to Security bulletin advisory:  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

How to Verify and Update the Global Autofix and Reboot Settings to Existing Agents


Purpose

The Global Autofix and Reboot settings can be set up in the Agent configuration > Standard LANDesk Agent page, but once configured there seems to be no way to update them with a Change Setting task, or by simply updating the Agent configuration and saving the setting. Some believe that the Agent needs to be redeployed in order to overwrite the existing Global Autofix and Reboot settings. This document provides a way to update those settings without having to redeploy the Agents.

 

Step by Step

1. First it will be useful to get an idea of which Agents have used the Global Autofix and Reboot settings. Follow this article: Displaying the Settings "Never Reboot" and "Never Autofix" in Your Inventory

2. After the above step, an inventory scan will have to be run successfully in order for the inventory information to be synced back to the core server. Then you should be able to see an entry like the following in the Agent's inventory:

never reboot never autofix.png

NOTE: If the Agent doesn't have the Global Settings configured, the inventory will simply look like this.

no such setting.png

 

3. Locate the Agent configuration that your Agent has been using, modify the Global Autofix and Reboot settings as needed, save the configuration.

4. Right click on the Agent configuration, and select Schedule Update to Agent Setting to create a scheduled task.

5. Drag and drop the Agents whose setting needs to be modified, and start the task.

6. When this is done, start an inventory scan on the Agent machines and you can see that the above entry in the inventory value has changed.

 

Relevant Articles

Displaying the Settings "Never Reboot" and "Never Autofix" in Your Inventory

Current definitions in Patch and Compliance referencing Support for the Intel 'Meltdown' Security Vulnerability


Affected patches:

| Vulnerability | KB | Product | Type |
|---|---|---|---|
| MS18-01-2K8_INTL | KB4056615, KB4056759, KB4056941, KB4056942, KB4056944 | Windows Server 2008 | Security Updates |
| MS18-01-IE_INTL | KB4056568 | Internet Explorer | Security Update |
| MS18-01-MR7_INTL | KB4056894 | Windows 7, Server 2008 R2 | Monthly Rollup |
| MS18-01-MR8_INTL | KB4056896 | Windows Server 2012 | Monthly Rollup |
| MS18-01-SO7_INTL | KB4056897 | Windows 7, Server 2008 R2 | Security Only |
| MS18-01-SO8_INTL | KB4056899 | Windows Server 2012 | Security Only |
| MS18-01-SO81_INTL | KB4056898 | Windows 8.1, Server 2012 R2 | Security Only |
| MS18-01-SQL_INTL | KB4052987, KB4057118, KB4057119, KB4057122 | SQL Server 2016, 2017 | Security Updates |
| MS18-01-W10_INTL | KB4056888, KB4056890, KB4056891, KB4056892, KB4056893 | Windows 10 | Cumulative Update and Delta Update |

 

 

How to Scan and/or Repair against a custom group

 

Additional Information

 

Due to possible BSOD issues that may occur when installing this update on a system with out-of-date AV software, we will be adding a detection prerequisite as Windows Update does:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"

Type="REG_DWORD"

 

If the key does not exist, you will be offered the detection-only version of this patch.

 

This means that the associated patch for a system will not be remediated unless the Registry key is present. This mirrors how the patches are handled by Microsoft. Full details regarding the offering of the patch, and options if the Registry key is missing, are located in the Microsoft article here: https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

 

An example of the detection-only definition being returned: it will contain "DETECT" in the definition name, under Patch Required it will say "No repair action specified", and no patch information is provided.

NoRegKeyHighlighted.PNG

An example of the definition where the registry key is detected and you will be able to remediate:

PatchRequired.PNG

 

Support for the Intel 'Meltdown' security vulnerability KB4058702

Important information on detection logic for the Intel 'Meltdown' security vulnerability

Next Gen: Why the Delta vs Cumulative Update is Offered for Windows 10


Purpose

 

This article explains how our detection logic determines whether the Delta or the Cumulative version of the patch is offered.

 

Description

 

Our detection logic will verify the 'UBR' value from the registry to determine if the Delta or the Cumulative update will be offered.

"HKLM" Key="SOFTWARE\Microsoft\Windows NT\CurrentVersion" Value="UBR" (Update Build Revision)
  • The Delta is offered if build version equals N-1. (N= Latest Build. Current build being offered minus one version level)
  • The full Cumulative update is offered if build version is N-2 or less.

 

You will only be offered one or the other and never both.

 

Related Documentation

 

Windows 10 release information

String not found Patch Action 47


Issue:

Getting messages like the following in the Security and Patch Information for clients on the History page:

String not found Patch Action 46

String not found Patch Action 47

 

Solution:

The messages are cosmetic and can be ignored. They will go away if you upgrade to 2016.3 with the latest update or 2017.3.

Error: "Unable to find string with ID message" in Vulscan UI


If, like me, you live in a country that does not have a localized version of LANDESK, you might run into this issue.

 

You start the Vulnerability Scan and when the message should appear that the vulscan detects a vulnerability, you only get the message: Unable to find string with ID...

 

This happens because LANDESK doesn't support the language of your OS but builds a XXXvulscan.dll with your language code. In the case of The Netherlands, we would see a NLDvulscan.dll. This 'localized' DLL unfortunately doesn't contain all of the strings the vulscan UI asks for.

 

To remedy this, go to the LDLogon share on the Core Server. Copy the ENUvulscan.dll and rename the copy to XXXvulscan.dll, XXX being your country ID. If the localized DLL exists already, delete it before you rename the copy.

 

That's it. Your vulscan running on the workstation will detect a newer DLL on the server and automatically download it. And you will have all the strings available from the English language DLL, showing you exactly what is detected and more.

 

In addition this can occur if not all Vulscan related files are up to date and there is a mismatch. 

About Patching: 101 - A simple, effective method of patching


As the Enterprise Ivanti Endpoint Manager Administrator of a large company that has had over 15 Core Servers with over 12,000 systems and over 20 other Ivanti techs to support, I have found "how should I patch" to come up often at my location as well as on this forum.

 

Like Windows, there are 3 or more ways to do most anything in Ivanti Endpoint Manager, patching being one of those, and I have re-written the way I advocate our techs patch in Ivanti from the way I recommended a few years back and thought I would post it here for others to use as needed. It is not the only way, nor am I saying it is the best way.

 

Please keep in mind that this is a basic method, simple and effective.  I did not go into Auto-Fix; some of our advanced techs use it, others don't.  I wanted something a newbie could pick up, read and begin patching in a very short amount of time.

 

Picking what patches to patch can be a political nightmare depending on your company's policies.  Ours went from 12 groups doing it all differently, some patching criticals only, some not patching, others patching everything possible, to a reduced number of groups that all now have a "baseline" that is set from up above that is pretty in-depth and aggressive deadlines to have them patched by.

 

In short, we patch all security related items with few exceptions that are patchable via Ivanti and we do it aggressively as you must nowadays in this world of exploits.

 

If you are not patching, I strongly suggest you start.

 

Attached is the method I recommend, it uses two tasks, one a "Push" the other a straight "Policy".  Why not a "Policy Support Push" you ask?  We were doing that but are finding that some systems will stick in the "active" bin of the scheduled tasks for some reason (being researched) and thus the task will not become a policy.  If you restart the task, some of those systems will clear, but then others will stick... and so on.

 

It goes over creating a group of patches, creating the tasks, targeting the systems and scheduling the deployment.

 

I look forward to your feedback and I hope this helps some of you.


How to set up a dark network Core Server (without outside network access)


How to set up your Dark Network Core: Step by step

 

 

Description

This document details the procedure for copying definitions from a "light core" (a core that is connected to outside networks) to a "Dark Core" (a core that is not connected to outside networks).  This is often done for security purposes or because of a lack of connectivity.

 

 

Assumptions

 

  • The user has a familiarity with Ivanti Endpoint Manager and associated files and functions
  • The user has 2 servers, one "Light" and one "Dark" (One with Internet connectivity and one without internet connectivity)
  • The user has Ivanti Endpoint Manager installed with default parameters, file and drive locations, etc.

Process

 

Step one: Prepare both core servers to have accurate data

 

In order to download a complete set of data to transfer from the light core to the dark core, the database tables related to Patch Manager must be reset.  This must occur on any core server that has previously downloaded patch data, otherwise a complete set of data will not be downloaded.

 

This can be done on both core servers by doing the following:

 

    1. On each core server, open a command prompt on the server and change to the C:\Program Files\LANDESK\ManagementSuite folder.
    2. Run "CoreDbUtil.exe /patchmanager".
    3. Open the process list in Task Manager (right-click the taskbar and select "Task Manager") and watch for CoreDbUtil.exe to drop from the list to make sure it has finished.
      (The log for CoreDBUtil.exe is located in the main log location at \Program Files\LANDESK\ManagementSuite\Log)

 

Step two: Prepare the Dark Core folder structure

 

On the Dark Network Core Server, you will need to have a location for the vulnerability XML files and a location for the actual patches themselves to be stored in. For ease of use, we recommend using the already created patch folder structure that is set up when you install Ivanti EPM. By default, patches are stored in the \Program files\LANDESK\ManagementSuite\LDLogon\patch  folder. If a different location is desired this article can be used to set up the alternative location.

If patches have not been downloaded on the dark core previously the patch folder may not have been created and should be manually created.

 

Step three: Retrieve content on the "Light Core"

 

    1. Within Security and Patch Manager open the Download Updates window and select all of the categories you want to download.
    2. In addition, select "Download patches for definitions selected above" and also the radio button "for all downloaded definitions", then click "Apply" and then "Close".
      SelectCategories.gif
    3. From a Command prompt, change to the LANDESK\ManagementSuite folder.
    4. From a Command prompt, type "vaminer /noprompt /copy" and hit enter.  (If scripting this action to run regularly, please add the "/noui" switch to the vaminer command line switches.)
    5. Select the desired categories to download and click "Download now"

      (Vaminer.exe is the executable that runs to download content from the Ivanti patch content servers).

      The first time this is run it will take quite a while, as it will be downloading not only vulnerability definitions but also all patches.  (Due to this you will need a large amount of storage space on the dark core server.)  This will download updates and store them in the patch directory.  The default patch directory is \Program Files\LANDESK\ManagementSuite\LDLOGON\patch.

 

To verify further that this process has completed correctly, check \Program Files\LANDESK\Managementsuite\ldlogon\patch and its subdirectories: you should have .XML files that were generated by the Ivanti Content download to represent your vulnerability definitions.  Do not change the folder structure or files.

 

Step four: Copy PatchSources file to patch directory on Source (Light) Core


Copy ENU_PatchSourcesXXX*.xml (where XXX equals the current LDMS version) from \Program Files\LANDESK\ManagementSuite\LDMAIN to \Program Files\LANDESK\ManagementSuite\LDLOGON\PATCH on the source core.  This step is necessary because Vaminer.exe (the program that is downloading the Patch Content) expects that file to be in that location.  Again, this needs to match the version you are running: 9.5 (ENU_PatchSources95.xml), 9.6 (ENU_PatchSource96.xml), 2016.3 (ENU_PatchSources101.xml) and so on.  Modification of the file is not necessary; it just needs to exist in that location.

 

Step five: Prepare the ENU_PatchSourcesXXX.xml on the Dark Core

 

In the \Program Files\LANDESK\ManagementSuite\LDMAIN folder there will be several files called ENU_PatchSources and then a numerical ending.  These stand for the current and prior versions of LDMS.   Choose the one that is the latest and matches your version on your core server.

 

For example: On a 2016.3 Core server you will likely see three ENU_PATCHSOURCESXXX files:

      • ENU_PatchSources951.XML
      • ENU_PatchSources961.xml
      • ENU_PatchSources101.xml

 

We would select ENU_PatchSources101.xml as this corresponds to LDMS 10.1 (2016.3) and begin editing it.

 

If your core is not running in the English language you will want to select the XML file that matches your language prefix (ESP, JPN, etc)

 

Modify the Enu_PatchSourcesXXX.xml as modeled below:

Line #2 in the .XML will contain ‘/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&FILENAME=’.  Replace it with  /ldlogon/Patch (or whatever directory you have defined as your patch storage directory).

Before:

<PatchesSrcRelativePath>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=patches</PatchesSrcRelativePath>
<LDAVRelativePath>/kvirus-8.0/mirror</LDAVRelativePath>
<CVEMoreInfo>http://cve.mitre.org/cgi-bin/cvename.cgi?name=%CVE_ID%</CVEMoreInfo>


After:

<PatchesSrcRelativePath>\LDLOGON\PATCH</PatchesSrcRelativePath>
<LDAVRelativePath>/kvirus-8.0/mirror</LDAVRelativePath>
<CVEMoreInfo>http://cve.mitre.org/cgi-bin/cvename.cgi?name=%CVE_ID%</CVEMoreInfo>

  1. Next you will need to change the URLs for each Patch Content Server location.    These will be listed under the <Sites> tag.  Search for <sites> and you will see 3 sites: West Coast, East Coast, and EMEA.

    Delete two out of three sites leaving just one site. 

    You will change the hostname listed in the <URL> field and then the Description.

    EditXML.gif

If you are using content that will be manually copied to the core server, put the name of your Dark Core server.  If there will be constant or periodic network connection between your light core and dark core, put the name of your light core here.


In the following section you will select the definition download category that you want to download to the dark core and edit that entry in the .XML.  We will replace the string that normally points to the LANDESK Patch server with a local path.

 

The following example is for the vulnerability definition category Windows Vulnerabilities.  Again, you will modify the path from the patch server location to a local directory. You will also add the tag <Enabled>true</Enabled>.  This is the same as ticking the checkbox next to the vulnerabilities category when bringing up the Download Updates tool.

 

Find the correct section, which contains /LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=Windows2, by searching for "Windows2".  Modify the section within the <URL> tags.

 

The resulting line will be <URL>/LDLOGON/PATCH/Windows2</URL>.

 

You also will add the tag <Enabled>true</Enabled>. This is the same as ticking the checkbox next to the vulnerabilities category when bringing up the Download Updates tool.  Without adding the <Enabled> tag you will need to select the categories every time Download Updates is opened.
EditXML2.gif

When renaming these sections per component you wish to download, FILENAME=Windows2 will use the subdirectory name of "Windows2" under the Patch directory after you modify it.  For example, if you wanted to change the source for Ivanti Data Analytics updates, you would search for that category by its description, "LANDESK Data Analytics Updates".

 

You would then modify the <URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=LDDA</URL> to <URL>/LDLOGON/PATCH/LDDA</URL>.

 

     Before:
     <Source>
          <URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=LDDA</URL>
          <Description>LANDESK Data Analytics Updates</Description>
          <ShowInLDSM>true</ShowInLDSM>
          <ShowInLSM>true</ShowInLSM>
     </Source>

     After:
     <Source>
          <URL>/LDLOGON/PATCH/LDDA</URL>
          <Description>LANDESK Data Analytics Updates</Description>
          <ShowInLDSM>true</ShowInLDSM>
          <ShowInLSM>true</ShowInLSM>
          <Enabled>true</Enabled>
     </Source>

 

Once all of the edits have been made do a "Save as" and save it as "Patchsourcestemp.xml" and mark it as a read-only file.  (Right-click, go to properties and check the box "Read Only")

After you have marked it as read-only, rename it to "patchsources.xml".  Remember, all of this is taking place in the LDMAIN folder.
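
The <Source> edits in step five can be scripted and then audited. This is an added example, not Ivanti tooling or code from the original article: it rewrites the selected categories to the local patch folder, adds <Enabled>, and reports any enabled category that still points at the vendor content server. The <PatchSources> and <Sources> wrapper elements and the sample entries are assumptions; run it against a copy of the file.

```python
import re
import xml.etree.ElementTree as ET

# Vendor-server form of a source URL, as shown in the "Before" snippets.
REMOTE_RE = re.compile(r"^/LDPM8/ldvul\.php\?.*FILENAME=(?P<name>\w+)$")

# Constructed sample. The <PatchSources> and <Sources> wrappers are assumed
# for illustration; the child elements are the ones shown in the article.
SAMPLE_XML = """<PatchSources>
  <PatchesSrcRelativePath>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=patches</PatchesSrcRelativePath>
  <Sources>
    <Source>
      <URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=Windows2</URL>
      <Description>Windows Vulnerabilities</Description>
      <ShowInLDSM>true</ShowInLDSM>
      <ShowInLSM>true</ShowInLSM>
      <Enabled>true</Enabled>
    </Source>
    <Source>
      <URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=LDDA</URL>
      <Description>LANDESK Data Analytics Updates</Description>
      <ShowInLDSM>true</ShowInLDSM>
      <ShowInLSM>true</ShowInLSM>
    </Source>
  </Sources>
</PatchSources>"""


def localize(xml_text, categories):
    """Point the chosen categories at the local patch folder and enable them.

    Returns (new_xml, names), where names are the FILENAME values rewritten.
    """
    root = ET.fromstring(xml_text)
    for el in root.iter("PatchesSrcRelativePath"):
        if REMOTE_RE.match((el.text or "").strip()):
            el.text = "\\LDLOGON\\PATCH"
    rewritten = []
    for src in root.iter("Source"):
        url = src.find("URL")
        if url is None or src.findtext("Description") not in categories:
            continue
        m = REMOTE_RE.match((url.text or "").strip())
        if m:
            url.text = "/LDLOGON/PATCH/" + m.group("name")
            rewritten.append(m.group("name"))
        enabled = src.find("Enabled")
        if enabled is None:
            enabled = ET.SubElement(src, "Enabled")
        enabled.text = "true"
    if hasattr(ET, "indent"):  # Python 3.9+: keep the output readable
        ET.indent(root)
    return ET.tostring(root, encoding="unicode"), rewritten


def source_table(xml_text):
    """Return {description: (url, enabled)} for every <Source> element."""
    table = {}
    for src in ET.fromstring(xml_text).iter("Source"):
        enabled = (src.findtext("Enabled") or "").strip().lower() == "true"
        url = (src.findtext("URL") or "").strip()
        table[src.findtext("Description")] = (url, enabled)
    return table


def still_remote(xml_text):
    """Enabled categories that would still contact the vendor content server."""
    return sorted(desc for desc, (url, on) in source_table(xml_text).items()
                  if on and REMOTE_RE.match(url))


if __name__ == "__main__":
    wanted = {"Windows Vulnerabilities", "LANDESK Data Analytics Updates"}
    new_xml, names = localize(SAMPLE_XML, wanted)
    print("rewritten:", names)
    print("enabled but still remote:", still_remote(new_xml))
    print(new_xml)
```

An empty result from still_remote() on the dark core's file means no enabled category is left pointing outside the isolated network.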

 

Step six: Import the vulnerability definitions into the "Dark Core"

 

  1. Now you will need to move the data to the dark core for insertion into the database.   Copy the entire Patch directory and all new subdirectories and all contents to an external hard drive, network share or whatever method you prefer.  This will include the .XML files for the Vulnerability Definitions and also any patches that were downloaded to the light core.

    If the light core will have access to the dark core this can be done automatically through a file transfer process, automated or otherwise.  The key is to download content on the core server regularly using the "vaminer /noprompt /noui /copy" switch and then copy the updated data to the Dark Core.

  2. When copying the Patch Directory from your Light Core to your Patch Directory on your Dark Network Core, ensure the directories look the same.
  3. Run Download Updates on the Dark Core Server; if running via script, simply run "VAMINER.EXE" from the main ManagementSuite folder.

 

If automating the copying of Data from the light core to the dark core:

 

If you are automating the copying of the vulnerability data from the light core to the dark core, ensure the following steps are taking place:

 

    1. "Vaminer /copy /noprompt /noui" is run on the core server.
    2. All files from the Patch directory and its subdirectories are copied to the Patch folder on the dark core.  This can be done using content replication, robocopy or other preferred methods.
    3. Vaminer.exe is run on the dark core (without switches).

 

This should be done on an automated schedule so that these steps take place in sequence and that there is enough time for each step to complete before the next one starts.

Support for Non-Security Patch MSNS18-01-4078130 to disable mitigation against CVE-2017-5715


Overview

 

Microsoft has released an out of band Critical Update KB4078130 to disable mitigation against CVE-2017-5715.

Note: We highly recommend reading this Microsoft article: Update to disable mitigation against Spectre, Variant 2

MSNS18-01-4078130 / KB4078130 is a Critical Non-Security Patch that will disable the fix for variant 2 for stability issues.  The machine must reboot after installing the patch for it to apply on the system.

 

Additional Information

 

To enable the fix again, you may reinstall the patch for your OS that remediates CVE-2017-5715.

How to Give Support Information on False Patch Detections and Troubleshooting


 

This document will go over what to look for and do if you think you have a patch that is detecting incorrectly on your devices.  Incorrect detections can happen if the detection logic is incorrect and still reports as needed but the patch has already been installed, is not applicable to the system or other issues.  In this document, you’ll learn what to look for in the vulscan logs which are required to submit the incorrect patch detection for review.

This document assumes you know how to find individual patches, create a patch group and move patches to it in the console and create a repair task on a specific patch or group of patches in the console.  It also assumes you have an understanding of repair tasks and how to add target devices to them and run the task.

 

Prep the Client

 

As of January 2018 all new content created uses the new patching engine.  Additional logs are needed as well as the vulscan log to troubleshoot the false detection.

 

Diagnostic Tool

Updated: The "Get debug logs and zip (patch)" feature is only available in 2017.3 and newer product versions.

To retrieve logging remotely, access the Diagnostic tool and select the Logs | Client option to view client-side logs. An additional option, "Get debug logs and zip (patch)", is present for debug logging for all Next Gen definitions. This will only function if the Distribution and Patch agent setting has Enable security scan debug trace log selected.

 

Diag_DebugLog.jpg

 

To enable debug trace logs for versions 9.6 - 2017.1 run the following cmd locally on the endpoint or distribute a script to the desired device:

 

vulscan /enableDpdTrace=true /showui

 

The showui switch is optional.

 

This will generate additional logging in the Programdata\Landesk\DebugLog folder consisting of the following (2) files:

 

PatchManifestSyncSDK.log

PatchScanSDKDpdTrace.log

 

When the repair job finishes you will need the following files to give to support in a zip file:

 

C:\Programdata\landesk\log\Vulscan.log  (Make sure it is the correct one, see below)

C:\Programdata\landesk\log\stdeploy.log

C:\Programdata\landesk\log\stdeployercore.log

C:\Programdata\Landesk\DebugLog\PatchManifestSyncSDK.log

C:\Programdata\Landesk\DebugLog\PatchScanSDKDpdTrace.log

 

 

Run a Repair Task

 

Running a repair task for the specific patch(es) gives support the best information.  Vulscan logs that show only one or two patches being processed will show them detecting and installing, and are more concise and easier to look over for details.  General vulscan logs are not ideal, as many only show the patch detecting but not installing and contain a lot of unneeded information.  Running a specific repair task with the patches having the issue will provide the best logs.

You can create a repair task by going to Tools > Security and Compliance > Patch and Compliance.  Click the Scan folder and find your patch.  When you find the patch having the issue right click it and from the menu that appears click Repair.  If you have a patch group or several patches you can do the same and create a repair task for several patches at the same time.

 

The Repair task dialog will open.  Most settings you can leave at their defaults.  You can add a target device at this time as well.  If you have a maintenance window on your clients, be sure to check Ignore Maintenance Window if specified so the patch tries to install as well as scan in this repair task.

Once you have a target in your task run it and wait for it to complete.

 

Vulscan Log

 

The full vulscan log, created as a result of running the task, is needed for us to determine the issue of the false detection.  This log is located on the target devices in the C:\programdata\Landesk\Log folder. They are named vulscan.log.  Older logs have a number in the name.   The correct log file will have a line at the top with the task ID in the name as shown in the example.  This information changes with each task.

 

Thu, 26 Oct 2017 14:59:37 Command line: /policyfile="C:\ProgramData\LANDesk\Policies\CP.2353.RunNow._iOiXj4cedTDG&#474FOGYMztt+mWNQ=.xml"
Thu, 26 Oct 2017 14:59:37 client policy file: C:\ProgramData\LANDesk\Policies\CP.2353.RunNow._iOiXj4cedTDG&#474FOGYMztt+mWNQ=.xml
Thu, 26 Oct 2017 14:59:37 Reading policy parameters
Thu, 26 Oct 2017 14:59:37 scan=0
Thu, 26 Oct 2017 14:59:37 scanFilter=INTL_4049179_MSU;INTL_3089023_MSU
Thu, 26 Oct 2017 14:59:37 fixnow=True
Thu, 26 Oct 2017 14:59:37    maintEnable=False

 

Once you have found the correct vulscan log, search the log file for the all-capitals, case-sensitive “DETECTED” to find the detection of the patch and the reason.  In our example case it shows the file version is outdated, and that is the reason the patch is needed.

 

Thu, 26 Oct 2017 14:59:45 VUL: '3089023_MSU' (windows8.1-kb3089023-x64.msu) DETECTED.  Reason 'File C:\Windows\System32\flashplayerapp.exe version is less than the minimum version specified.'.  Expected '18.0.0.232'.  Found '11.3.300.265'.  Patch required 'windows8.1-kb3089023-x64.msu'.
Thu, 26 Oct 2017 14:59:45    Patch is NOT installed

 

You can see in the example that the patch was detected as needed due to a file being at a lower version than in the patch.  Now scroll down to the bottom of the log file.  You’ll see a “Patch Installation” header, and below that you will find details of what happened when the device attempted to install the patch. In our example the patch returned the error code 2149842967, which converted to a hex value gives 0x80240017. Looking at the list of WUSA codes, the patch returned “Not Applicable”.

Thu, 26 Oct 2017 15:03:21 Command Interpreter running
Thu, 26 Oct 2017 15:03:21 Setting current directory: C:\Program Files (x86)\LANDesk\LDClient\
Thu, 26 Oct 2017 15:03:21 Executing C:\Windows\system32\wusa.exe "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\windows8.1-kb3089023-x64.msu" /quiet /norestart
Thu, 26 Oct 2017 15:03:23 Exit Code: -2145124329 (0x80240017)
Thu, 26 Oct 2017 15:03:23 Error: "C:\Windows\system32\wusa.exe" returned failure exit code (2149842967)
Thu, 26 Oct 2017 15:03:23 ERROR(EXECUTEFILE) Failed to run command - 80004005
Thu, 26 Oct 2017 15:03:23 DownloadPatch ERROR: Failed to run commands (80004005).
Thu, 26 Oct 2017 15:03:23 Last status: Failed
Thu, 26 Oct 2017 15:03:23 Stopping wuauserv service.
Thu, 26 Oct 2017 15:03:23 Stop service wuauserv
Thu, 26 Oct 2017 15:03:25 Successfully controlled the service.
Thu, 26 Oct 2017 15:03:25 DeferredReportAction: name 'windows8.1-kb3089023-x64.msu', code '1', type '-1', status 'Error: "C:\Windows\system32\wusa.exe" returned failure exit code (2149842967)'
Thu, 26 Oct 2017 15:03:25 Running post-install/uninstall script
Thu, 26 Oct 2017 15:03:25 RunPatches completed.  1 processed.  0 installed. 1 failures.
Thu, 26 Oct 2017 15:03:25 Sending previous action history to core

STdeployercore.log

In addition the STdeployercore.log will also show the patch being installed and the error code for the Next Gen definitions:

2018-01-26T21:15:53.2279239Z 134c I DeploymentPackageReader.cpp:783 Deploy package 'C:\ProgramData\LANDesk\timber\sandboxes\InstallationSandbox#2018-01-26-T-21-15-15\0001c460-0000-0000-0000-000000000000.zip' successfully opened unsigned for package IO
2018-01-26T21:15:53.2279239Z 134c I Authenticode.cpp:134 Verifying signature of C:\Program Files (x86)\LANDesk\LDClient\sdmcache\windows6.1-kb4056894-x64_tw1158080.msu with CWinTrustVerifier
2018-01-26T21:15:54.2534266Z 134c V UnScriptedInstallation.cpp:30 Executing (C:\Program Files (x86)\LANDesk\LDClient\sdmcache\windows6.1-kb4056894-x64_tw1158080.msu /quiet /norestart), nShow: true.
2018-01-26T21:19:19.4406288Z 134c V ChildProcess.cpp:140 Process handle 00000408 returned '3010'.
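
The log checks described above, as an added example (not part of the original article or Ivanti tooling): it extracts the DETECTED reason, the installer exit codes and the RunPatches summary from vulscan and STdeployercore lines, and folds signed or unsigned decimal exit codes into the hex form used in the WUSA table. The sample lines are copied from the excerpts in this article; the code-to-name mapping is a subset of that table plus the standard Windows exit codes 0 and 3010.

```python
import re

# Subset of the WUSA result codes listed in the article's table.
WUSA_CODES = {
    0x80240016: "WU_E_INSTALL_NOT_ALLOWED",
    0x80240017: "WU_E_NOT_APPLICABLE",
    0x8024001E: "WU_E_SERVICE_STOP",
    0x8024200B: "WU_E_UH_INSTALLERFAILURE",
}
# Standard Windows installer exit codes (not from the article's table).
WIN32_CODES = {0: "SUCCESS", 3010: "ERROR_SUCCESS_REBOOT_REQUIRED"}

DETECTED_RE = re.compile(
    r"VUL: '(?P<vul>[^']+)' \((?P<patch>[^)]+)\) DETECTED\.\s+"
    r"Reason '(?P<reason>.*?)'\.\s+Expected '(?P<expected>[^']*)'\.\s+"
    r"Found '(?P<found>[^']*)'")
EXIT_RES = [
    re.compile(r"Exit Code: (-?\d+)"),                    # vulscan.log
    re.compile(r"returned failure exit code \((\d+)\)"),  # vulscan.log
    re.compile(r"Process handle \w+ returned '(-?\d+)'"), # STdeployercore.log
]
SUMMARY_RE = re.compile(
    r"RunPatches completed\.\s+(\d+) processed\.\s+(\d+) installed\.\s+(\d+) failures")

# Lines copied from the log excerpts shown in the article.
SAMPLE_LOG = r"""
Thu, 26 Oct 2017 14:59:37 scanFilter=INTL_4049179_MSU;INTL_3089023_MSU
Thu, 26 Oct 2017 14:59:37 fixnow=True
Thu, 26 Oct 2017 14:59:45 VUL: '3089023_MSU' (windows8.1-kb3089023-x64.msu) DETECTED.  Reason 'File C:\Windows\System32\flashplayerapp.exe version is less than the minimum version specified.'.  Expected '18.0.0.232'.  Found '11.3.300.265'.  Patch required 'windows8.1-kb3089023-x64.msu'.
Thu, 26 Oct 2017 15:03:23 Exit Code: -2145124329 (0x80240017)
Thu, 26 Oct 2017 15:03:23 Error: "C:\Windows\system32\wusa.exe" returned failure exit code (2149842967)
Thu, 26 Oct 2017 15:03:25 RunPatches completed.  1 processed.  0 installed. 1 failures.
"""


def to_hresult(value):
    """Fold a signed or unsigned decimal exit code into an unsigned 32-bit value."""
    return int(value) & 0xFFFFFFFF


def describe(code):
    """Return (hex string, symbolic name) for an exit code."""
    code = to_hresult(code)
    name = WUSA_CODES.get(code) or WIN32_CODES.get(code) or "UNKNOWN"
    return "0x%08X" % code, name


def triage(log_text):
    """Collect the fields support asks for from a repair-task log."""
    report = {"scan_filter": [], "fixnow": None, "detections": [],
              "exit_codes": [], "summary": None}
    for line in log_text.splitlines():
        if "scanFilter=" in line:
            report["scan_filter"] = line.split("scanFilter=", 1)[1].strip().split(";")
        elif "fixnow=" in line:
            report["fixnow"] = line.split("fixnow=", 1)[1].strip().lower() == "true"
        m = DETECTED_RE.search(line)
        if m:
            report["detections"].append(m.groupdict())
        for rx in EXIT_RES:
            m = rx.search(line)
            if m:
                entry = describe(m.group(1))
                if entry not in report["exit_codes"]:  # same code, two notations
                    report["exit_codes"].append(entry)
        m = SUMMARY_RE.search(line)
        if m:
            report["summary"] = dict(zip(("processed", "installed", "failures"),
                                         map(int, m.groups())))
    return report


def false_detection_candidates(report):
    """Definitions detected as needed although the installer said 'not applicable'."""
    names = {name for _, name in report["exit_codes"]}
    if "WU_E_NOT_APPLICABLE" not in names:
        return []
    return [d["vul"] for d in report["detections"]]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    print("candidates:", false_detection_candidates(result))
```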

 

Windows Update(WUSA) Error Codes

| Result Code | Result String | Description |
|---|---|---|
| 0x80240001 | WU_E_NO_SERVICE | Windows Update Agent was unable to provide the service. |
| 0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded. |
| 0x80240003 | WU_E_UNKNOWN_ID | An ID cannot be found. |
| 0x80240004 | WU_E_NOT_INITIALIZED | The object could not be initialized. |
| 0x80240005 | WU_E_RANGEOVERLAP | The update handler requested a byte range that overlaps a previously requested range. |
| 0x80240006 | WU_E_TOOMANYRANGES | The requested number of byte ranges exceeds the maximum number (2^31 - 1). |
| 0x80240007 | WU_E_INVALIDINDEX | The index to a collection was invalid. |
| 0x80240008 | WU_E_ITEMNOTFOUND | The key for the item queried could not be found. |
| 0x80240009 | WU_E_OPERATIONINPROGRESS | A conflicting operation was in progress. Some operations (such as installation) cannot be performed simultaneously. |
| 0x8024000A | WU_E_COULDNOTCANCEL | Cancellation of the operation was not allowed. |
| 0x8024000B | WU_E_CALL_CANCELLED | Operation was cancelled. |
| 0x8024000C | WU_E_NOOP | No operation was required. |
| 0x8024000D | WU_E_XML_MISSINGDATA | Windows Update Agent could not find the required information in the update's XML data. |
| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. |
| 0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata. |
| 0x80240010 | WU_E_TOO_DEEP_RELATION | Update relationships that are too deep were evaluated. |
| 0x80240011 | WU_E_INVALID_RELATIONSHIP | An invalid update relationship was detected. |
| 0x80240012 | WU_E_REG_VALUE_INVALID | An invalid registry value was read. |
| 0x80240013 | WU_E_DUPLICATE_ITEM | Operation tried to add a duplicate item to a list. |
| 0x80240016 | WU_E_INSTALL_NOT_ALLOWED | Operation tried to install while another installation was in progress or the system was pending a mandatory restart. |
| 0x80240017 | WU_E_NOT_APPLICABLE | Operation was not performed because there are no applicable updates. |
| 0x80240018 | WU_E_NO_USERTOKEN | Operation failed because a required user token is missing. |
| 0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT | An exclusive update cannot be installed with other updates at the same time. |
| 0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set. |
| 0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS | The operation could not be performed because the Windows Update Agent is self-updating. |
| 0x8024001D | WU_E_INVALID_UPDATE | An update contains invalid metadata. |
| 0x8024001E | WU_E_SERVICE_STOP | Operation did not complete because the service or system was being shut down. |
| 0x8024001F | WU_E_NO_CONNECTION | Operation did not complete because the network connection was unavailable. |
| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. |
| 0x80240021 | WU_E_TIME_OUT | Operation did not complete because it timed out. |
| 0x80240022 | WU_E_ALL_UPDATES_FAILED | Operation failed for all the updates. |
| 0x80240023 | WU_E_EULAS_DECLINED | The license terms for all updates were declined. |
| 0x80240024 | WU_E_NO_UPDATE | There are no updates. |
| 0x80240025 | WU_E_USER_ACCESS_DISABLED | Group Policy settings prevented access to Windows Update. |
| 0x80240026 | WU_E_INVALID_UPDATE_TYPE | The type of update is invalid. |
| 0x80240027 | WU_E_URL_TOO_LONG | The URL exceeded the maximum length. |
| 0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED | The update could not be uninstalled because the request did not originate from a WSUS server. |
| 0x80240029 | WU_E_INVALID_PRODUCT_LICENSE | Search may have missed some updates before there is an unlicensed application on the system. |
| 0x8024002A | WU_E_MISSING_HANDLER | A component that is required to detect applicable updates was missing. |
| 0x8024002B | WU_E_LEGACYSERVER | An operation did not complete because it requires a newer version of server software. |
| 0x8024002C | WU_E_BIN_SOURCE_ABSENT | A delta-compressed update could not be installed because it required the source. |
| 0x8024002D | WU_E_SOURCE_ABSENT | A full-file update could not be installed because it required the source. |
| 0x8024002E | WU_E_WU_DISABLED | Access to an unmanaged server is not allowed. |
| 0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY | Operation did not complete because the DisableWindowsUpdateAccess policy was set. |
| 0x80240030 | WU_E_INVALID_PROXY_SERVER | The format of the proxy list was invalid. |
| 0x80240031 | WU_E_INVALID_FILE | The file is in the wrong format. |
| 0x80240032 | WU_E_INVALID_CRITERIA | The search criteria string was invalid. |
| 0x80240033 | WU_E_EULA_UNAVAILABLE | License terms could not be downloaded. |
| 0x80240034 | WU_E_DOWNLOAD_FAILED | Update failed to download. |
| 0x80240035 | WU_E_UPDATE_NOT_PROCESSED | The update was not processed. |
| 0x80240036 | WU_E_INVALID_OPERATION | The object's current state did not allow the operation. |
| 0x80240037 | WU_E_NOT_SUPPORTED | The functionality for the operation is not supported. |
| 0x80240038 | WU_E_WINHTTP_INVALID_FILE | The downloaded file has an unexpected content type. |
| 0x80240039 | WU_E_TOO_MANY_RESYNC | The agent was asked by server to synchronize too many times. |
| 0x80240040 | WU_E_NO_SERVER_CORE_SUPPORT | WUA API method does not run on a Server Core installation option of the Windows 2008 R2 operating system. |
| 0x80240041 | WU_E_SYSPREP_IN_PROGRESS | Service is not available when sysprep is running. |
| 0x80240042 | WU_E_UNKNOWN_SERVICE | The update service is no longer registered with Automatic Updates. |
| 0x80240FFF | WU_E_UNEXPECTED | An operation failed due to reasons not covered by another error code. |
| 0x80241001 | WU_E_MSI_WRONG_VERSION | Search may have missed some updates because Windows Installer is less than version 3.1. |
| 0x80241002 | WU_E_MSI_NOT_CONFIGURED | Search may have missed some updates because Windows Installer is not configured. |
| 0x80241003 | WU_E_MSP_DISABLED | Search may have missed some updates because a policy setting disabled Windows Installer patching. |
| 0x80241004 | WU_E_MSI_WRONG_APP_CONTEXT | An update could not be applied because the application is installed per-user. |
| 0x80241FFF | WU_E_MSP_UNEXPECTED | Search may have missed some updates because there was a failure of Windows Installer. |
| 0x80242000 | WU_E_UH_REMOTEUNAVAILABLE | A request for a remote update handler could not be completed because no remote process is available. |
| 0x80242001 | WU_E_UH_LOCALONLY | A request for a remote update handler could not be completed because the handler is local only. |
| 0x80242002 | WU_E_UH_UNKNOWNHANDLER | A request for an update handler could not be completed because the handler could not be recognized. |
| 0x80242003 | WU_E_UH_REMOTEALREADYACTIVE | A remote update handler could not be created because one already exists. |
| 0x80242004 | WU_E_UH_DOESNOTSUPPORTACTION | A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). |
| 0x80242005 | WU_E_UH_WRONGHANDLER | An operation did not complete because the wrong handler was specified. |
| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. |
| 0x80242007 | WU_E_UH_INSTALLERHUNG | An operation could not be completed because the installer exceeded the time limit. |
| 0x80242008 | WU_E_UH_OPERATIONCANCELLED | An operation being done by the update handler was cancelled. |
| 0x80242009 | WU_E_UH_BADHANDLERXML | An operation could not be completed because the handler-specific metadata is invalid. |
| 0x8024200A | WU_E_UH_CANREQUIREINPUT | A request to the handler to install an update could not be completed because the update requires user input. |
| 0x8024200B | WU_E_UH_INSTALLERFAILURE | The installer failed to install (uninstall) one or more updates. |
| 0x8024200C | WU_E_UH_FALLBACKTOSELFCONTAINED | The update handler should download self-contained content rather than delta-compressed content for the update. |
| 0x8024200D | WU_E_UH_NEEDANOTHERDOWNLOAD | The update handler did not install the update because the update needs to be downloaded again. |
| 0x8024200E | WU_E_UH_NOTIFYFAILURE | The update handler failed to send notification of the status of the install (uninstall) operation. |
| 0x8024200F | WU_E_UH_INCONSISTENT_FILE_NAMES | The file names in the update metadata are inconsistent with the file names in the update package. |
| 0x80242010 | WU_E_UH_FALLBACKERROR | The update handler failed to fall back to the self-contained content. |
| 0x80242011 | WU_E_UH_TOOMANYDOWNLOADREQUESTS | The update handler has exceeded the maximum number of download requests. |
| 0x80242012 | WU_E_UH_UNEXPECTEDCBSRESPONSE | The update handler has received an unexpected response from CBS. |
| 0x80242013 | WU_E_UH_BADCBSPACKAGEID | The update metadata contains an invalid CBS package identifier. |
| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-reboot operation for the update is still in progress. |
| 0x80242015 | WU_E_UH_POSTREBOOTRESULTUNKNOWN | The result of the post-reboot operation for the update could not be determined. |
| 0x80242016 | WU_E_UH_POSTREBOOTUNEXPECTEDSTATE | The state of the update after its post-reboot operation has completed is unexpected. |
0x80242017WU_E_UH_NEW_SERVICING_STACK_REQUIREDThe operating system servicing stack must be updated before this update is downloaded or installed.
0x80242FFFWU_E_UH_UNEXPECTEDThis update handler error is not covered by another WU_E_UH_* code.
0x80243001WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSIONThe results of the download and installation could not be read in the registry due to an unrecognized data format version.
0x80243002WU_E_INSTALLATION_RESULTS_INVALID_DATAThe results of download and installation could not be read in the registry due to an invalid data format.
0x80243003WU_E_INSTALLATION_RESULTS_NOT_FOUNDThe results of download and installation are not available; the operation may have failed to start.
0x80243004WU_E_TRAYICON_FAILUREA failure occurred when trying to create an icon in the notification area.
0x80243FFDWU_E_NON_UI_MODEUnable to show the user interface (UI) when in a non-UI mode; Windows Update (WU) client UI modules may not be installed.
0x80243FFEWU_E_WUCLTUI_UNSUPPORTED_VERSIONUnsupported version of WU client UI exported functions.
0x80243FFFWU_E_AUCLIENT_UNEXPECTEDThere was a user interface error not covered by another WU_E_AUCLIENT_* error code.
0x80244000WU_E_PT_SOAPCLIENT_BASEWU_E_PT_SOAPCLIENT_* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library.
0x80244001WU_E_PT_SOAPCLIENT_INITIALIZEInitialization of the SOAP client failed, possibly because of an MSXML installation failure.
0x80244002WU_E_PT_SOAPCLIENT_OUTOFMEMORYSOAP client failed because it ran out of memory.
0x80244003WU_E_PT_SOAPCLIENT_GENERATESOAP client failed to generate the request.
0x80244004WU_E_PT_SOAPCLIENT_CONNECTSOAP client failed to connect to the server.
0x80244005WU_E_PT_SOAPCLIENT_SENDSOAP client failed to send a message due to WU_E_WINHTTP_* error codes.
0x80244006WU_E_PT_SOAPCLIENT_SERVERSOAP client failed because there was a server error.
0x80244007WU_E_PT_SOAPCLIENT_SOAPFAULTSOAP client failed because there was a SOAP fault due to WU_E_PT_SOAP_* error codes.
0x80244008WU_E_PT_SOAPCLIENT_PARSEFAULTSOAP client failed to parse a SOAP fault.
0x80244009WU_E_PT_SOAPCLIENT_READSOAP client failed while reading the response from the server.
0x8024400AWU_E_PT_SOAPCLIENT_PARSESOAP client failed to parse the response from the server.
0x8024400BWU_E_PT_SOAP_VERSIONSOAP client found an unrecognizable namespace for the SOAP envelope.
0x8024400CWU_E_PT_SOAP_MUST_UNDERSTANDSOAP client was unable to understand a header.
0x8024400DWU_E_PT_SOAP_CLIENTSOAP client found the message was malformed (fix before resending).
0x8024400EWU_E_PT_SOAP_SERVERThe SOAP message could not be processed due to a server error (resend later).
0x8024400FWU_E_PT_WMI_ERRORThere was an unspecified Windows Management Instrumentation (WMI) error.
0x80244010WU_E_PT_EXCEEDED_MAX_SERVER_TRIPSThe number of round trips to the server exceeded the maximum limit.
0x80244011WU_E_PT_SUS_SERVER_NOT_SETWUServer policy value is missing in the registry.
0x80244012WU_E_PT_DOUBLE_INITIALIZATIONInitialization failed because the object was already initialized.
0x80244013WU_E_PT_INVALID_COMPUTER_NAMEThe computer name could not be determined.
0x80244015WU_E_PT_REFRESH_CACHE_REQUIREDThe reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry.
0x80244016WU_E_PT_HTTP_STATUS_BAD_REQUESTHTTP 400 - the server could not process the request due to invalid syntax.
0x80244017WU_E_PT_HTTP_STATUS_DENIEDHTTP 401 - the requested resource requires user authentication.
0x80244018WU_E_PT_HTTP_STATUS_FORBIDDENHTTP 403 - server understood the request, but declined to fulfill it.
0x80244019WU_E_PT_HTTP_STATUS_NOT_FOUNDHTTP 404 - the server cannot find the requested Uniform Resource Identifier (URI).
0x8024401AWU_E_PT_HTTP_STATUS_BAD_METHODHTTP 405 - the HTTP method is not allowed.
0x8024401BWU_E_PT_HTTP_STATUS_PROXY_AUTH_REQHTTP 407 - proxy authentication is required.
0x8024401CWU_E_PT_HTTP_STATUS_REQUEST_TIMEOUTHTTP 408 - the server timed out waiting for the request.
0x8024401DWU_E_PT_HTTP_STATUS_CONFLICTHTTP 409 - the request was not completed due to a conflict with the current state of the resource.
0x8024401EWU_E_PT_HTTP_STATUS_GONEHTTP 410 - the requested resource is no longer available at the server.
0x8024401FWU_E_PT_HTTP_STATUS_SERVER_ERRORHTTP 500 - an error internal to the server prevented fulfilling the request.
0x80244020WU_E_PT_HTTP_STATUS_NOT_SUPPORTEDHTTP 501 - server does not support the functionality that is required to fulfill the request.
0x80244021WU_E_PT_HTTP_STATUS_BAD_GATEWAYHTTP 502 - the server, while acting as a gateway or proxy, received an invalid response from the upstream server it accessed when attempting to fulfill the request.
0x80244022WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILHTTP 503 - the service is temporarily overloaded.
0x80244023WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUTHTTP 504 - the request was timed out waiting for a gateway.
0x80244024WU_E_PT_HTTP_STATUS_VERSION_NOT_SUPHTTP 505 - the server does not support the HTTP protocol version used for the request.
0x80244025WU_E_PT_FILE_LOCATIONS_CHANGEDOperation failed due to a changed file location; refresh internal state and resend.
0x80244026WU_E_PT_REGISTRATION_NOT_SUPPORTEDOperation failed because Windows Update Agent does not support registration with a non-WSUS server.
0x80244027WU_E_PT_NO_AUTH_PLUGINS_REQUESTEDThe server returned an empty authentication information list.
0x80244028WU_E_PT_NO_AUTH_COOKIES_CREATEDWindows Update Agent was unable to create any valid authentication cookies.
0x80244029WU_E_PT_INVALID_CONFIG_PROPA configuration property value was wrong.
0x8024402AWU_E_PT_CONFIG_PROP_MISSINGA configuration property value was missing.
0x8024402BWU_E_PT_HTTP_STATUS_NOT_MAPPEDThe HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_* error codes.
0x8024402CWU_E_PT_WINHTTP_NAME_NOT_RESOLVEDThe proxy server or target server name cannot be resolved.
0x8024402FWU_E_PT_ECP_SUCCEEDED_WITH_ERRORSExternal .cab file processing completed with some errors.
0x80244030WU_E_PT_ECP_INIT_FAILEDThe external .cab file processor initialization did not complete.
0x80244031WU_E_PT_ECP_INVALID_FILE_FORMATThe format of a metadata file was invalid.
0x80244032WU_E_PT_ECP_INVALID_METADATAExternal .cab file processor found invalid metadata.
0x80244033WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGESTThe file digest could not be extracted from an external .cab file.
0x80244034WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILEAn external .cab file could not be decompressed.
0x80244035WU_E_PT_ECP_FILE_LOCATION_ERRORExternal .cab processor was unable to get file locations.
0x80244FFFWU_E_PT_UNEXPECTEDThere was a communication error not covered by another WU_E_PT_* error code
0x80245001WU_E_REDIRECTOR_LOAD_XMLThe redirector XML document could not be loaded into the Document Object Model (DOM) class.
0x80245002WU_E_REDIRECTOR_S_FALSEThe redirector XML document is missing some required information.
0x80245003WU_E_REDIRECTOR_ID_SMALLERThe redirector ID in the downloaded redirector .cab file is less than in the cached .cab file.
0x8024502DWU_E_PT_SAME_REDIR_IDWindows Update Agent failed to download a redirector .cab file with a new redirector ID value from the server during the recovery.
0x8024502EWU_E_PT_NO_MANAGED_RECOVERA redirector recovery action did not complete because the server is managed.
0x80245FFFWU_E_REDIRECTOR_UNEXPECTEDThe redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code.
0x80246001WU_E_DM_URLNOTAVAILABLEA download manager operation could not be completed because the requested file does not have a URL.
0x80246002WU_E_DM_INCORRECTFILEHASHA download manager operation could not be completed because the file digest was not recognized.
0x80246003WU_E_DM_UNKNOWNALGORITHMA download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm.
0x80246004WU_E_DM_NEEDDOWNLOADREQUESTAn operation could not be completed because a download request is required from the download handler.
0x80246005WU_E_DM_NONETWORKA download manager operation could not be completed because the network connection was unavailable.
0x80246006WU_E_DM_WRONGBITSVERSIONA download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible.
0x80246007WU_E_DM_NOTDOWNLOADEDThe update has not been downloaded.
0x80246008WU_E_DM_FAILTOCONNECTTOBITSA download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS).
0x80246009WU_E_DM_BITSTRANSFERERRORA download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.
0x8024600aWU_E_DM_DOWNLOADLOCATIONCHANGEDA download must be restarted because the location of the source of the download has changed.
0x8024600BWU_E_DM_CONTENTCHANGEDA download must be restarted because the update content changed in a new revision.
0x80246FFFWU_E_DM_UNEXPECTEDThere was a download manager error not covered by another WU_E_DM_* error code.
0x80247001WU_E_OL_INVALID_SCANFILEAn operation could not be completed because the scan package was invalid.
0x80247002WU_E_OL_NEWCLIENT_REQUIREDAn operation could not be completed because the scan package requires a greater version of the Windows Update Agent.
0x80247FFFWU_E_OL_UNEXPECTEDSearch using the scan package failed.
0x80248000WU_E_DS_SHUTDOWNAn operation failed because Windows Update Agent is shutting down.
0x80248001WU_E_DS_INUSEAn operation failed because the data store was in use.
0x80248002WU_E_DS_INVALIDThe current and expected states of the data store do not match.
0x80248003WU_E_DS_TABLEMISSINGThe data store is missing a table.
0x80248004WU_E_DS_TABLEINCORRECTThe data store contains a table with unexpected columns.
0x80248005WU_E_DS_INVALIDTABLENAMEA table could not be opened because the table is not in the data store.
0x80248006WU_E_DS_BADVERSIONThe current and expected versions of the data store do not match.
0x80248007WU_E_DS_NODATAThe information requested is not in the data store.
0x80248008WU_E_DS_MISSINGDATAThe data store is missing required information or has a null value in a table column that requires a non-null value.
0x80248009WU_E_DS_MISSINGREFThe data store is missing required information or has a reference to missing license terms, a file, a localized property, or a linked row.
0x8024800AWU_E_DS_UNKNOWNHANDLERThe update was not processed because its update handler could not be recognized.
0x8024800BWU_E_DS_CANTDELETEThe update was not deleted because it is still referenced by one or more services.
0x8024800CWU_E_DS_LOCKTIMEOUTEXPIREDThe data store section could not be locked within the allotted time.
0x8024800DWU_E_DS_NOCATEGORIESThe category was not added because it contains no parent categories, and it is not a top-level category.
0x8024800EWU_E_DS_ROWEXISTSThe row was not added because an existing row has the same primary key.
0x8024800FWU_E_DS_STOREFILELOCKEDThe data store could not be initialized because it was locked by another process.
0x80248010WU_E_DS_CANNOTREGISTERThe data store is not allowed to be registered with COM in the current process.
0x80248011WU_E_DS_UNABLETOSTARTCould not create a data store object in another process.
0x80248013WU_E_DS_DUPLICATEUPDATEIDThe server sent the same update to the client computer, with two different revision IDs.
0x80248014WU_E_DS_UNKNOWNSERVICEAn operation did not complete because the service is not in the data store.
0x80248015WU_E_DS_SERVICEEXPIREDAn operation did not complete because the registration of the service has expired.
0x80248016WU_E_DS_DECLINENOTALLOWEDA request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.
0x80248017WU_E_DS_TABLESESSIONMISMATCHA table was not closed because it is not associated with the session.
0x80248018WU_E_DS_SESSIONLOCKMISMATCHA table was not closed because it is not associated with the session.
0x80248019WU_E_DS_NEEDWINDOWSSERVICEA request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and Automatic Updates cannot fall back to another service.
0x8024801AWU_E_DS_INVALIDOPERATIONA request was declined because the operation is not allowed.
0x8024801BWU_E_DS_SCHEMAMISMATCHThe schema of the current data store and the schema of a table in a backup XML document do not match.
0x8024801CWU_E_DS_RESETREQUIREDThe data store requires a session reset; release the session and retry with a new session.
0x8024801DWU_E_DS_IMPERSONATEDA data store operation did not complete because it was requested with an impersonated identity.
0x80248FFFWU_E_DS_UNEXPECTEDThere was a data store error not covered by another WU_E_DS_* code.
0x80249001WU_E_INVENTORY_PARSEFAILEDParsing of the rule file failed.
0x80249002WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILEDFailed to get the requested inventory type from the server.
0x80249003WU_E_INVENTORY_RESULT_UPLOAD_FAILEDFailed to upload inventory result to the server.
0x80249004WU_E_INVENTORY_UNEXPECTEDThere was an inventory error not covered by another error code.
0x80249005WU_E_INVENTORY_WMI_ERRORA WMI error occurred when enumerating the instances for a particular class.
0x8024A000WU_E_AU_NOSERVICEAutomatic Updates was unable to service incoming requests.
0x8024A002WU_E_AU_NONLEGACYSERVERThe old version of Automatic Updates has stopped because the WSUS server has been upgraded.
0x8024A003WU_E_AU_LEGACYCLIENTDISABLEDThe old version of Automatic Updates was disabled.
0x8024A004WU_E_AU_PAUSEDAutomatic Updates was unable to process incoming requests because it was paused.
0x8024A005WU_E_AU_NO_REGISTERED_SERVICENo unmanaged service is registered with AU.
0x8024AFFFWU_E_AU_UNEXPECTEDThere was an Automatic Updates error not covered by another WU_E_AU * code.
0x8024C001WU_E_DRV_PRUNEDA driver was skipped.
0x8024C002WU_E_DRV_NOPROP_OR_LEGACYA property for the driver could not be found. It may not conform with required specifications.
0x8024C003WU_E_DRV_REG_MISMATCHThe registry type read for the driver does not match the expected type.
0x8024C004WU_E_DRV_NO_METADATAThe driver update is missing metadata.
0x8024C005WU_E_DRV_MISSING_ATTRIBUTEThe driver update is missing a required attribute.
0x8024C006WU_E_DRV_SYNC_FAILEDDriver synchronization failed.
0x8024C007WU_E_DRV_NO_PRINTER_CONTENTInformation required for the synchronization of applicable printers is missing.
0x8024CFFFWU_E_DRV_UNEXPECTEDThere was a driver error not covered by another WU_E_DRV_* code.
0x8024D001WU_E_SETUP_INVALID_INFDATAWindows Update Agent could not be updated because an .inf file contains invalid information.
0x8024D002WU_E_SETUP_INVALID_IDENTDATAWindows Update Agent could not be updated because the wuident.cab file contains invalid information.
0x8024D003WU_E_SETUP_ALREADY_INITIALIZEDWindows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice.
0x8024D004WU_E_SETUP_NOT_INITIALIZEDWindows Update Agent could not be updated because setup initialization never completed successfully.
0x8024D005WU_E_SETUP_SOURCE_VERSION_MISMATCHWindows Update Agent could not be updated because the versions specified in the .inf file do not match the actual source file versions.
0x8024D006WU_E_SETUP_TARGET_VERSION_GREATERWindows Update Agent could not be updated because a Windows Update Agent file on the target system is newer than the corresponding source file.
0x8024D007WU_E_SETUP_REGISTRATION_FAILEDWindows Update Agent could not be updated because regsvr32.exe returned an error.
0x8024D008WU_E_SELFUPDATE_SKIP_ON_FAILUREAn update to the Windows Update Agent was skipped because previous attempts to update failed.
0x8024D009WU_E_SETUP_SKIP_UPDATEAn update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.
0x8024D00AWU_E_SETUP_UNSUPPORTED_CONFIGURATIONWindows Update Agent could not be updated because the current system configuration is not supported.
0x8024D00BWU_E_SETUP_BLOCKED_CONFIGURATIONWindows Update Agent could not be updated because the system is configured to block the update.
0x8024D00CWU_E_SETUP_REBOOT_TO_FIXWindows Update Agent could not be updated because a restart of the system is required.
0x8024D00DWU_E_SETUP_ALREADYRUNNINGWindows Update Agent setup is already running.
0x8024D00EWU_E_SETUP_REBOOTREQUIREDWindows Update Agent setup package requires a reboot to complete installation.
0x8024D00FWU_E_SETUP_HANDLER_EXEC_FAILUREWindows Update Agent could not be updated because the setup handler failed when it was run.
0x8024D010WU_E_SETUP_INVALID_REGISTRY_DATAWindows Update Agent could not be updated because the registry contains invalid information.
0x8024D011WU_E_SELFUPDATE_REQUIREDWindows Update Agent must be updated before search can continue.
0x8024D012WU_E_SELFUPDATE_REQUIRED_ADMINWindows Update Agent must be updated before search can continue. An administrator is required to perform the operation.
0x8024D013WU_E_SETUP_WRONG_SERVER_VERSIONWindows Update Agent could not be updated because the server does not contain update information for this version.
0x8024DFFFWU_E_SETUP_UNEXPECTEDWindows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code.
0x8024E001WU_E_EE_UNKNOWN_EXPRESSIONAn expression evaluator operation could not be completed because an expression was unrecognized.
0x8024E002WU_E_EE_INVALID_EXPRESSIONAn expression evaluator operation could not be completed because an expression was invalid.
0x8024E003WU_E_EE_MISSING_METADATAAn expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes.
0x8024E004WU_E_EE_INVALID_VERSIONAn expression evaluator operation could not be completed because the version of the serialized expression data is invalid.
0x8024E005WU_E_EE_NOT_INITIALIZEDThe expression evaluator could not be initialized.
0x8024E006WU_E_EE_INVALID_ATTRIBUTEDATAAn expression evaluator operation could not be completed because there was an invalid attribute.
0x8024E007WU_E_EE_CLUSTER_ERRORAn expression evaluator operation could not be completed because the cluster state of the computer could not be determined.
0x8024EFFFWU_E_EE_UNEXPECTEDThere was an expression evaluator error not covered by another WU_E_EE_* error code.
0x8024F001WU_E_REPORTER_EVENTCACHECORRUPTThe event cache file was defective.
0x8024F002WU_E_REPORTER_

 

EVENTNAMESPACEPARSEFAILED
The XML in the event namespace descriptor could not be parsed.
0x8024F003WU_E_INVALID_EVENTThe XML in the event namespace descriptor could not be parsed.
0x8024F004WU_E_SERVER_BUSYThe server rejected an event because the server was too busy.
0x8024FFFFWU_E_REPORTER_UNEXPECTEDThere was a reporter error not covered by another error code.

Windows Update Agent Result Codes

 

Manually Testing the Patch

As a best practice, download the patch to the device and run it manually in the GUI.  The patch should display a dialog giving the same reason for not installing. Once you have verified why the patch will not install manually, contact support and be sure to upload the vulscan log from the repair task to the case.

 

Detection Issues That Support Likely Will Not be able to Resolve

Certain false detection issues can occur that support will likely be unable to troubleshoot or resolve.  The most likely of these involves our PowerShell detection scripts running on Windows 7 devices. The excerpt below, from another vulscan log, shows a script error when the script tries to run on a device.

Mon, 23 Oct 2017 14:58:48 File OSVERSION version within specified
Mon, 23 Oct 2017 14:58:48 Prod Windows 7 Service Pack 1 (ID:WIN7SP1) verified OSVERSION, found: 6.1.7601.1
Mon, 23 Oct 2017 14:58:48 Prod Windows 7 Service Pack 1 (ID:WIN7SP1) verified C:\Windows\explorer.exe, found: C:\Windows\explorer.exe
Mon, 23 Oct 2017 14:58:48 Running detection script
Mon, 23 Oct 2017 14:58:48 Content filename: 'RollupFixB201710.ps1'
Mon, 23 Oct 2017 14:58:48 Writing script content to file 'C:\Windows\TEMP\RollupFixB201710.ps1' starting at line 5
Mon, 23 Oct 2017 14:58:48 Launching external script processor: <powershell.exe>
Mon, 23 Oct 2017 14:58:48 args: <-executionpolicy bypass C:\Windows\TEMP\RollupFixB201710.ps1>
Mon, 23 Oct 2017 14:58:48 External timeout: 60
Mon, 23 Oct 2017 14:58:48 Called CreateProcess: "powershell.exe"
Mon, 23 Oct 2017 14:58:48 Error 2 launching application <powershell.exe>
Mon, 23 Oct 2017 14:58:48 4041681_MSU detected
Mon, 23 Oct 2017 14:58:48 VUL: '4041681_MSU' (windows6.1-kb4041681-x86.msu) DETECTED. Reason 'Unexpected error in custom script source. See agent log for details'. Expected ''. Found ''. Patch required 'windows6.1-kb4041681-x86.msu'.

Mon, 23 Oct 2017 14:58:48 Patch is NOT installed
Mon, 23 Oct 2017 14:58:48 Last status: Done

 

You can see from the log that the script attempted to run but hit an 'Unexpected error in custom script source. See agent log for details' error. Whenever our scripts cannot return a proper detection result, Ivanti errs on the side of caution: the scanner reports DETECTED and tries to install the patch just to be safe.

Issues that arise from script errors are difficult to impossible for us to troubleshoot.  The likely cause is a security setting or an antivirus/anti-malware program that prevents the script from running.  GPOs and PowerShell policies can also interfere if they are enabled in the customer's environment. Since issues like this are impossible to replicate in our test labs and are unique to the customer's environment, the customer is advised to do some troubleshooting and see if security settings and restrictions can be lowered on a test device to try to get the script to run properly before contacting support.
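
Because a failed detection script is reported as DETECTED, it helps to separate those fail-safe detections from real ones before opening a case. The Python below is an added example, not Ivanti code: it assumes the vulscan line formats shown in the excerpt above, and it assumes the number in "Error N launching application" is the Win32 error code from CreateProcess.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input. All lines but the last are copied from the excerpt above; the
# last line is constructed (placeholder ID, patch name and reason) to show a
# detection that did not come from a script failure.
SAMPLE_LOG = r"""
Mon, 23 Oct 2017 14:58:48 Running detection script
Mon, 23 Oct 2017 14:58:48 Content filename: 'RollupFixB201710.ps1'
Mon, 23 Oct 2017 14:58:48 Launching external script processor: <powershell.exe>
Mon, 23 Oct 2017 14:58:48 args: <-executionpolicy bypass C:\Windows\TEMP\RollupFixB201710.ps1>
Mon, 23 Oct 2017 14:58:48 Called CreateProcess: "powershell.exe"
Mon, 23 Oct 2017 14:58:48 Error 2 launching application <powershell.exe>
Mon, 23 Oct 2017 14:58:48 4041681_MSU detected
Mon, 23 Oct 2017 14:58:48 VUL: '4041681_MSU' (windows6.1-kb4041681-x86.msu) DETECTED. Reason 'Unexpected error in custom script source. See agent log for details'. Expected ''. Found ''. Patch required 'windows6.1-kb4041681-x86.msu'.
Mon, 23 Oct 2017 14:58:49 VUL: 'PLACEHOLDER_ID' (placeholder.msu) DETECTED. Reason 'Constructed reason for a normal detection'. Expected '2'. Found '1'. Patch required 'placeholder.msu'.
"""

STAMP = re.compile(r"^\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} (?P<msg>.*)$")
SCRIPT = re.compile(r"^Content filename: '(?P<name>[^']+)'")
LAUNCH_ERROR = re.compile(r"^Error (?P<code>\d+) launching application <(?P<exe>[^>]+)>")
DETECTED = re.compile(
    r"^VUL: '(?P<vul>[^']+)' \((?P<patch>[^)]*)\) DETECTED\. Reason '(?P<reason>[^']*)'"
)
SCRIPT_FAILURE_REASON = "Unexpected error in custom script source"

# Assumption: N in "Error N launching application" is a Win32 error code.
# The three names below are standard Win32 error codes.
WIN32_HINTS = {
    2: "ERROR_FILE_NOT_FOUND: the script processor could not be found",
    5: "ERROR_ACCESS_DENIED: launching the script processor was denied",
    1260: "ERROR_ACCESS_DISABLED_BY_POLICY: launch blocked by policy",
}


@dataclass
class Detection:
    vul_id: str
    patch: str
    reason: str
    unverified: bool                  # True when DETECTED is only the fail-safe default
    script: Optional[str] = None      # detection script that was being run, if any
    launch_error: Optional[int] = None
    hint: Optional[str] = None


def triage_detections(log_text: str) -> List[Detection]:
    """Return every DETECTED entry, marking those caused by a script failure."""
    results: List[Detection] = []
    script: Optional[str] = None
    launch_error: Optional[int] = None
    for raw in log_text.splitlines():
        stamped = STAMP.match(raw.strip())
        if not stamped:
            continue                  # blank or continuation line
        msg = stamped.group("msg").strip()
        if msg == "Running detection script":
            script, launch_error = None, None   # a new script context starts
            continue
        found_script = SCRIPT.match(msg)
        if found_script:
            script = found_script.group("name")
            continue
        found_error = LAUNCH_ERROR.match(msg)
        if found_error:
            launch_error = int(found_error.group("code"))
            continue
        hit = DETECTED.match(msg)
        if hit:
            unverified = hit.group("reason").startswith(SCRIPT_FAILURE_REASON)
            results.append(Detection(
                vul_id=hit.group("vul"),
                patch=hit.group("patch"),
                reason=hit.group("reason"),
                unverified=unverified,
                script=script,
                launch_error=launch_error,
                hint=WIN32_HINTS.get(launch_error) if launch_error is not None else None,
            ))
            script, launch_error = None, None   # context belongs to this entry only
    return results


if __name__ == "__main__":
    for d in triage_detections(SAMPLE_LOG):
        state = "UNVERIFIED (script failed)" if d.unverified else "detected"
        print(f"{d.vul_id}: {state}; script={d.script}; launch_error={d.launch_error}; {d.hint or ''}")
```

Entries flagged as unverified are the ones to check against endpoint security settings and PowerShell policy on a test device, as described above.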

How to troubleshoot a Patch and Compliance (vulnerability) scan


 

This document illustrates the files, registry, settings and other information necessary to effectively troubleshoot a vulnerability scan.

In addition, this document walks through the steps that a basic Patch and Compliance scan (otherwise known as a vulnerability scan) takes.

 

This article does not describe every single step that the Vulnerability Scanner takes, only those steps where a failure can occur.

 

For the purposes of this document a simple scan is performed by running the following at the client command line:

vulscan /scan=0 /showui

 

This command tells the vulnerability scanner to scan Windows vulnerabilities (type 0) and to show a user interface.

 

The names "LDMS2016" and "LDMS2016_v###" appear throughout this document.  "LDMS2016" is the name of the core server that the author used when creating the document.

 

 

Settings

The settings that control how the vulnerability scanner will behave are stored in the Distribution and Patch Settings within the Agent Settings tool.

 

These settings control behaviors such as user input options, Cloud Services Appliances patch options, scanner CPU utilization, etc.

 

These settings are stored in the Ivanti EPM Database in the AgentSettings table and physically on the core server in the \Program Files\LANDESK\ManagementSuite\ldlogon\AgentBehaviors folder.  The Distribution and Patch Settings are stored in the AgentBehavior_(Corename)_v###.xml file within this folder.

 

AgentBehaviorsXML.jpg (Example)

 

 

Product Licensing

The categories available to scan and repair are controlled by the Product license that has been purchased and activated on the core server.

 

The following graphic shows the categories available within the Download Updates function within the Patch and Compliance tool for those with a license for all categories.

   DownloadUpdatesCategories.jpg


For Product Licensing support, contact Ivanti Support and select the Product Licensing option.

 

Registry Keys

 

Core

HKLM\Software\LANDESK\ManagementSuite\PatchManagement\WebServiceMaxThreads

This key does not exist by default and should only be created with an understanding of how this key works and the full ramifications of creating this key and changing the default value.  This changes the number of default threads

 

This key is documented here: https://community.landesk.com/docs/DOC-36027#jive_content_id_Increasing_the_Number_of_Web_Process_to_Database_Threads

 

Client

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Vulscan

 

This registry key contains the following information:

 

| Name | Type | Data | Description |
|---|---|---|---|
| AgentBehavior | REG_SZ | LDMS2016_v495 | The agent behavior that vulscan will use when operating |
| AlternateRebootBehavior | | | /rebootIfNeeded is called from 3 possible locations during a client configuration.  It is hard for the task-handler version of the caller to know that a one-time-only (client-config-only) reboot override has been specified.  So all installers just call vulscan with the /UseAlternateRebootBehavior.  If vulscan can find the string value of "AlternateRebootBehavior" in the vulscanreg key, it'll act as if the behavior was passed by the command line. |
| CommandLine | REG_SZ | | The command line that was used to launch vulscan |
| ComputerIdn.LDMS2016 | REG_DWORD | 0x00000006 | When running in a /showui mode the ComputerIDN is accessed locally from the registry rather than needing a separate GetSystemIDN for the UI through a second web service call to the core.  This value matches the ComputerIDN identifier in the Ivanti Endpoint Manager database. |
| KLBehavior | REG_SZ | LDMS2016_v517 | This refers to the Ivanti Antivirus behavior.  This will exist even if Ivanti Antivirus is not installed on the client. |
| LastReportedReboot.LDMS2016 | REG_DWORD | 0x00000001 | |
| trustedfilelist | REG_SZ | LDMS2016_v861 | Trusted file list used for Ivanti Endpoint Security.  This will be present even if EPS is not installed or trusted file lists are not configured for this client. |

Note: The populated "Data" entries are provided as an example.  Yours will differ.

 

The VulscanReboot key should NOT be modified, deleted or created.   This is a volatile registry key used by the vulnerability scanner.  Creating this key manually will create a persistent registry key that does not go away and will cause reboot loops and/or other undesirable behavior.

 

 

Gathering information for Ivanti Support

 

The vulnerability scan log files are located in the C:\ProgramData\LANDESK\log folder.

 

When in doubt just .ZIP up the entire folder and send it.

 

Otherwise, the following logs should be gathered:

 

  • vulscan*.log
  • statusdlg*.log

 

It is very useful to turn on XTrace, with the following options enabled in the registry key, before reproducing the problem and gathering logs:

 

From HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\LogOptions:

2016-07-18_11-23-22.jpg

How To: Enable XTrace Diagnostic Logging for the Ivanti Core and Clients

 

Tips and Tricks

 

Vulscan can be used as a shortcut to open various folders.  The following should be run on the client command line:

 

Vulscan e - Open the folder where Vulscan resides

Vulscan c - Open the LDClient folder

Vulscan log - Open the ProgramData\LANDESK\Log folder

 

Issue: Cannot open vulscan logs folder from the command line using "vulscan e"

 

Ivanti Patch and Compliance (vulnerability) Scan Process Flow

 

It is important to note that the following must all be able to take place:

  • Client contact to core through IIS and several web services.
  • Core contact to Database Server.
  • Core contact to client.
  • Correct permissions on the core ManagementSuite\Incoming directory and the \ManagementSuite\LDLOGON\VulnerabilityData and VulscanResults folders.

 

Note that issues can come and go during a vulscan, which indicates an intermittent problem.  Most of the time this occurs when the server or database has connectivity issues or is too overwhelmed to respond to requests.

 

Step 1  - Contact the Ivanti Core Server

The vulscan engine finds the core server to contact by checking the HKLM\SOFTWARE\Intel\LANDESK\LDWM registry key.  The client then tries to contact vulcore.asmx through the WSVulnerabilityCore web service.  Thus the client needs to be able to contact the core, IIS needs to be available, the app pool needs to be running, and the database needs to be able to contact the core.

 

Good Vulscan.log entry

Fri, 15 Jul 2016 11:38:20 Core server name found in HKLM\SOFTWARE\Intel\LANDesk\LDWM: LDMS2016

Fri, 15 Jul 2016 11:38:20 File C:\Program Files (x86)\LANDesk\Shared Files\ProxyHost.exe version within specified

Fri, 15 Jul 2016 11:38:20 Attempting to connect to proxyhost

Fri, 15 Jul 2016 11:38:20 connect to proxy result: 0

Fri, 15 Jul 2016 11:38:20 Using proxyhost to communicate with the core

What could go wrong?

Certificate-Based Authentication - New Secure Client information

 

Ivanti Endpoint Manager Enhanced Security Mode

 

If core has been upgraded and you have copied the .CRT, .KEY and

Client unable to connect to the core server

 

Error: "Host not found. Retrying"

Bad vulscan.log entry:

Fri, 15 Jul 2016 13:50:16 In SendRequest: Action = SOAPAction: "http://tempuri.org/GetHashForFile"

 

Fri, 15 Jul 2016 13:50:16 SendRequest: SOAPAction: "http://tempuri.org/GetHashForFile"

 

Fri, 15 Jul 2016 13:50:16 Action SOAPAction: "http://tempuri.org/GetHashForFile" failed, socket error: 0, SOAPCLIENT_ERROR: 5.  Status code: 503, fault string:

Fri, 15 Jul 2016 13:50:16   Retrying in 0 seconds...

Fri, 15 Jul 2016 13:50:16 Action SOAPAction: "http://tempuri.org/GetHashForFile" failed, socket error: 0, SOAPCLIENT_ERROR: 5.  Status code: 503, fault string:

Fri, 15 Jul 2016 13:50:16   Retrying in 9 seconds...

Fri, 15 Jul 2016 13:50:19 Last status: Retrying in 6 seconds...

The client makes a SOAP request to the core server webservice and gets HTTP error 503 - Service Unavailable

 

Note: The default timeout for Vulscan to connect to the core is 10 minutes.   Connection will fail after this time.


Basic Troubleshooting

    • Does the HKLM\SOFTWARE\Intel\LANDESK\LDWM registry key have the correct core name listed?
    • Can you ping the core server?  Try IP address, netbios name, and FQDN
    • Does the client have connectivity otherwise?
    • Can you browse to http://coreservername/WSVulnerabilityCore/vulcore.asmx from the client browser?
      • Is the LDAppVulnerability application pool running on the core, and is the identity assigned to it correct?
      • Is IIS running on the core?

 

Useful Articles

IIS Troubleshooting and Ivanti Endpoint Manager: 101

How to troubleshoot IIS using Log Parser Studio from Microsoft

 


Core server unable to talk to the database

 

This error shows that something is wrong with the core to database communication or web service to database communication.  This can be a simple connectivity issue, database too busy, IIS/ASP.NET, etc.

 

Error: "Server busy"

 

Bad Vulscan.log entry:

Fri, 15 Jul 2016 13:31:07 In SendRequest: Action = SOAPAction: "http://tempuri.org/ResolveDeviceID"

 

 

Fri, 15 Jul 2016 13:31:07 SendRequest: SOAPAction: "http://tempuri.org/ResolveDeviceID"

 

 

Fri, 15 Jul 2016 13:31:22 Action SOAPAction: "http://tempuri.org/ResolveDeviceID" failed, socket error: 0, SOAPCLIENT_ERROR: 7.  Status code: 500, fault string: Server was unable to process request. ---> A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 0 - The remote computer refused the network connection.) ---> The remote computer refused the network connection

Fri, 15 Jul 2016 13:31:22   Retrying in 5 seconds...

Fri, 15 Jul 2016 13:31:25 Last status: Retrying in 2 seconds...

Fri, 15 Jul 2016 13:31:26 Last status: Retrying in 1 seconds..

The client makes a SOAP request to the core web service to resolve its device ID and gets HTTP Error 500 - Internal Server Error

 

    • Can you browse from the client to http://<coreservername>/WSVulnerabilityCore/Vulcore.asmx?
    • Is the core server overloaded or is the database overloaded causing a lack of a timely response?
    • Do other functions that depend on database connectivity work?  (Inventory Scan, doing a search for computers, running an Ivanti query, etc)
    • Is the app pool assigned to the right version of .NET (4.0)?
    • Is ASP.NET 4.0 bound to IIS?
    • Are the database credentials on core correct?  Check in the Configure Services drop-down in the Ivanti Endpoint Manager console.
    • Is the database server up and running?  (Ping the database server, etc)

 


Useful Articles

Error: "Server Busy" When Running a Vulnerability Scan

Step 2  - Core downloads and applies various agent settings

At this step the core server downloads and applies various agent settings.  If a setting does not apply to the computer the file will be downloaded anyway.  (For example, if you have Endpoint Security in your

 

Good Vulscan.log entry

Fri, 15 Jul 2016 14:38:57 Checking whether to unzip 'C:\ProgramData\vulScan\ClientConnectivityBehavior_Apply.zip'.  Force: false

Fri, 15 Jul 2016 14:38:57 GetFileHash: could not find "C:\ProgramData\vulScan\ClientConnectivityBehavior_Apply.zip"

Fri, 15 Jul 2016 14:38:57 Calling 'PreApplyBehavior' in 'C:\Program Files (x86)\LANDesk\LDClient\ClientConnectivityBehavior_Apply.dll'

Fri, 15 Jul 2016 14:38:57 Client connectivity settings pre-apply dll

Fri, 15 Jul 2016 14:38:57 Allowing to download from the source

Fri, 15 Jul 2016 14:38:57 Downloading trusted certificates

Fri, 15 Jul 2016 14:38:57 In SendRequest: Action = SOAPAction: "http://tempuri.org/GetHashForFile"

 

Fri, 15 Jul 2016 14:38:57 SendRequest: SOAPAction: "http://tempuri.org/GetHashForFile"

 

Fri, 15 Jul 2016 14:38:57 Success

Fri, 15 Jul 2016 14:38:57 Self update: files are up to date.

Fri, 15 Jul 2016 14:38:57 Last status: Done

Fri, 15 Jul 2016 14:38:57 Calling 'ApplyBehavior' in 'C:\Program Files (x86)\LANDesk\LDClient\ClientConnectivityBehavior_Apply.dll'

Fri, 15 Jul 2016 14:38:57 Successfully loaded ClientConnectivityBehavior_apply behaviors from 'C:\ProgramData\vulScan\ClientConnectivityBehavior_LDMS2016_v499.xml'.

The client checks its file hash for the behavior file and compares it through a SOAP request to the core web service function "GetHashForFile".

It then applies the behavior to the client.

What could go wrong?

Client cannot access the AgentBehaviors folder on the core server

 

The client needs to be able to access the \LDLOGON\Agentbehaviors folder on the core server.  It then downloads the agent behavior .XML files and applies them if they pertain to the computer, otherwise the settings come down, but they are not applied.

 

Error: "Applying XXX settings failed"

Bad vulscan entry:

Fri, 15 Jul 2016 15:20:53 Info: Core did not find file AgentBehaviors/RebootBehavior_LDMS2016_v503.xml

Fri, 15 Jul 2016 15:20:53 Last status: File not found on core

Fri, 15 Jul 2016 15:20:53 Info: Core did not find file RebootBehavior_Apply.zip

Fri, 15 Jul 2016 15:20:53 Last status: File not found on core

Fri, 15 Jul 2016 15:20:53 Info: Core did not find file AgentBehaviors/RCBehavior_LDMS2016_v511.xml

Fri, 15 Jul 2016 15:20:53 Last status: File not found on core

Fri, 15 Jul 2016 15:20:53 Info: Core did not find file RCBehavior_Apply.zip

Fri, 15 Jul 2016 15:20:53 Last status: File not found on core

 

Useful Articles

Issue: Vulscan is not applying agent setting changes or is using an incorrect agent setting

Error "Unable to get the setting from core" when running security scan (Vulscan.exe)

Error: "Core could not find a file" when running vulscan on clients

Error: "Failed to apply compliance settings" during vulnerability scan return code 451


 

Step 3 - Vulscan loads and caches local MSI information

In order for the vulnerability scanner to scan MSI information, the vulnerability scanner reads and caches the MSI information from the local computer's registry. This calls the MsiEnumProducts and MsiEnumPatches functions.  This depends on the existence of MSI.DLL in the C:\Windows\System32 directory.

 

Vulscan.log entry:

Fri, 15 Jul 2016 15:20:56   Loading MSI patch information

Fri, 15 Jul 2016 15:20:56   product {7A4192A1-84C4-4E90-A31B-B4847CA8E23A}

Fri, 15 Jul 2016 15:20:56   product {7E8833A1-AF24-4CAE-82DF-CFE14C14B94D}

Fri, 15 Jul 2016 15:20:56   product {2EDC2FA3-1F34-34E5-9085-588C9EFD1CC6}

Fri, 15 Jul 2016 15:20:56   product {E7D4E834-93EB-351F-B8FB-82CDAE623003}

Fri, 15 Jul 2016 15:20:56   product {764384C5-BCA9-307C-9AAC-FD443662686A}

Fri, 15 Jul 2016 15:20:56   product {5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}

Fri, 15 Jul 2016 15:20:56   product {3D6AD258-61EA-35F5-812C-B7A02152996E}

Fri, 15 Jul 2016 15:20:56   product {45734758-4041-4EA8-8E62-DE661FC3879C}

Fri, 15 Jul 2016 15:20:56   product {23170F69-40C1-2702-0920-000001000000}

Fri, 15 Jul 2016 15:20:56   product {60EC980A-BDA2-4CB6-A427-B07A5498B4CA}

Fri, 15 Jul 2016 15:20:56   product {1F1C2DFC-2D24-3E06-BCB8-725134ADF989}

Fri, 15 Jul 2016 15:20:56   product {4C5EF2FF-EEA0-4314-8693-2AF565F14525}

Fri, 15 Jul 2016 15:20:56 Loaded 12 products and/or patches

 

Step 4 - Client requests vulnerability data information from core

 

  1. Vulnerability Definitions are downloaded from the Ivanti Patch Content servers and stored in the Ivanti Endpoint Manager database connected to the core server.
  2. When a client calls in to scan for particular data, it requests Vulnerability data of a certain type (Windows Vulnerabilities, LANDESK Updates, Custom Definitions, etc) and for the particular OS the client is running.
    1. If the client is close to up to date, the client gets the vulnerability data directly from the web service.  If it is not close to up to date, it downloads the entire vulnerability data set from the .XML file(s) mentioned below.
    2. The core server also writes this information to XML files in \Program Files\LANDesk\ManagementSuite\LDLogon\VulnerabilityData
    3. The file that gets written is "type_os-bitlevel_language.timestamp".   So a Windows 7 x64 client requesting Windows Vulnerability Data information would cause the core server to write a file called "0_win7-x64_enu.1315869631.xml" and also a compressed .XMLZ version of the same file.  Only the first requesting client causes the .XML file to be initially written.  Thereafter the other clients will simply receive this .XML file.

      Note: Deleting a definition will cause the entire .XML file to be re-written and all clients will redownload the entire .XML file.

    4. LDZIP.DLL in \Program Files (x86)\LANDesk\ManagementSuite\WSVulnerabilityCore\Bin is responsible for writing the compressed version.
    5. The client then downloads this .XMLZ file, decompresses it and begins parsing it.
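The file naming described in this step can be checked mechanically. The following is an added example, not Ivanti's code: it parses names of the form "type_os-bitlevel_language.timestamp" and reports, per definition set, whether the newest .XML has the .XMLZ copy that clients download. The listing is constructed (only the first name comes from the page), and treating a larger timestamp as newer is an assumption.

```python
import re
from collections import defaultdict

# Constructed directory listing of LDLogon\VulnerabilityData.
# Only "0_win7-x64_enu.1315869631.xml" appears on the page; the rest is sample data.
SAMPLE_LISTING = [
    "0_win7-x64_enu.1315869631.xml",
    "0_win7-x64_enu.1315869631.xmlz",
    "0_win7-x64_enu.1315800000.xml",
    "0_win7-x64_enu.1315800000.xmlz",
    "0_win10-x64_enu.1315869700.xml",   # compressed copy is missing
    "readme.txt",                       # unrelated file, ignored
]

# type_os-bitlevel_language.timestamp.xml[z]
NAME = re.compile(
    r"^(?P<type>\d+)_(?P<os>[^-_]+)-(?P<bits>[^_]+)_(?P<lang>[^.]+)"
    r"\.(?P<stamp>\d+)\.(?P<ext>xmlz?)$",
    re.IGNORECASE,
)

def parse_name(name):
    """Split a definition file name into its fields, or return None if it does not fit."""
    m = NAME.match(name)
    if not m:
        return None
    d = m.groupdict()
    return {
        "type": int(d["type"]), "os": d["os"], "bits": d["bits"],
        "lang": d["lang"], "stamp": int(d["stamp"]), "ext": d["ext"].lower(),
    }

def audit(listing):
    """Per (type, os, bits, lang): newest timestamp, which copies exist, older stamps."""
    seen = defaultdict(lambda: defaultdict(set))   # key -> stamp -> {"xml", "xmlz"}
    for name in listing:
        p = parse_name(name)
        if p is None:
            continue
        key = (p["type"], p["os"], p["bits"], p["lang"])
        seen[key][p["stamp"]].add(p["ext"])
    report = {}
    for key, stamps in seen.items():
        newest = max(stamps)                       # assumption: larger stamp is newer
        report[key] = {
            "newest": newest,
            "has_xml": "xml" in stamps[newest],
            "has_xmlz": "xmlz" in stamps[newest],  # the file clients actually download
            "older": sorted(s for s in stamps if s != newest),
        }
    return report

if __name__ == "__main__":
    for key, info in audit(SAMPLE_LISTING).items():
        state = "ok" if info["has_xml"] and info["has_xmlz"] else "INCOMPLETE"
        print(key, info["newest"], state, "older:", info["older"])
```

A set whose newest .XML has no .XMLZ beside it points at the compression step (LDZIP.DLL) rather than at the client.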

     

    Good vulscan.log entry:

    Fri, 15 Jul 2016 15:20:56 -------------------ProcessRules of type 0----------------------

    Fri, 15 Jul 2016 15:20:56 GetData(): agentconfig =

    Fri, 15 Jul 2016 15:20:56 Getting definition data from core LDMS2016

    Fri, 15 Jul 2016 15:20:56 HTTP POST: http://LDMS2016:443/WSVulnerabilityCore/VulCore.asmx

    Fri, 15 Jul 2016 15:20:56 Setting a proxy...

    Fri, 15 Jul 2016 15:20:56 Setting socket timeout to 1000 * 60 * 4

    Fri, 15 Jul 2016 15:20:56 Success

    Fri, 15 Jul 2016 15:20:56 Last status: Done

    Fri, 15 Jul 2016 15:20:56 Parsing information

    Fri, 15 Jul 2016 15:20:56 Decompressing data

     

    What could go wrong?

     

    Error: "0x8db30194" (404) from vulscan

    Error: "Client user does not have administrator rights" when running Vulnerability Scan

    Error: "Failed. Cannot Interpret Data" when running a Security and Compliance scan

     

    Step 5 - Vulnerability scanning results are sent to the core server

    After scanning, the results are sent to the core server through http://<corename>:443/WSVulnerabilityCore/vulcore.asmx.  At this point the web service processes the results and creates a scan result file (in this case ScanResults_{A25894AD-E7E7-C042-86AB-5F8BBD866601}_0.vrz) that goes into the \Program Files\LANDESK\ManagementSuite\VulscanResults folder on the core.  This gets processed into the database and will show up in the Security and Compliance information for the client in the inventory.

     

    Good vulscan.log entry

    Mon, 18 Jul 2016 08:37:40 Sending scan results to core LDMS2016

    Mon, 18 Jul 2016 08:37:40 PutResultsAsFile uncompressed length: 4936

    Mon, 18 Jul 2016 08:37:40 compressed length: 914

    Mon, 18 Jul 2016 08:37:40 HTTP POST: http://LDMS2016:443/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{A25894AD-E7E7-C042-86AB-5F8BBD866601}_0.vrz

    Mon, 18 Jul 2016 08:37:40 Setting a proxy...

    Mon, 18 Jul 2016 08:37:40 Setting socket timeout to 1000 * 60 * 4

    Mon, 18 Jul 2016 08:37:40 Success

    Mon, 18 Jul 2016 08:37:40 In SendRequest: Action = SOAPAction: "http://tempuri.org/PutResultsByFile"

     

    What can go wrong?

    Failures to send the results can come from some of the following issues:

     

    • Incorrect permissions to the \Program Files\LANDESK\ManagementSuite\IncomingData folder.
    • Incorrect permissions to the \Program Files\LANDESK\ManagementSuite\VulscanResults folder.
    • Missing, corrupted or incorrect version of postcgi.exe in the IncomingData folder.
    • Inability to contact the web service to place results.

     

    Failure in vulscan.log

    Mon, 18 Jul 2016 08:49:37 Sending scan results to core LDMS2016

    Mon, 18 Jul 2016 08:49:37 PutResultsAsFile uncompressed length: 4936

    Mon, 18 Jul 2016 08:49:37 compressed length: 913

    Mon, 18 Jul 2016 08:49:37 HTTP POST: http://LDMS2016:443/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{A25894AD-E7E7-C042-86AB-5F8BBD866601}_0.vrz

    Mon, 18 Jul 2016 08:49:37 Setting a proxy...

    Mon, 18 Jul 2016 08:49:37 Setting socket timeout to 1000 * 60 * 4

    Mon, 18 Jul 2016 08:49:37 Failed http://LDMS2016:443/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{A25894AD-E7E7-C042-86AB-5F8BBD866601}_0.vrz on server (0), server status: 404.

    Mon, 18 Jul 2016 08:49:37 HTTP Error 404.  Giving up.

    Mon, 18 Jul 2016 08:49:37 Last status: Failed: No response from core

    Mon, 18 Jul 2016 08:49:37 Failed to put vulnerability results to core as file: 8DB301B1

    Mon, 18 Jul 2016 08:49:37 Skipping repair step because scan errors occurred.

    Mon, 18 Jul 2016 08:49:37 ReleaseMutex 'Global\vulscan_scan' succeeded. Code: 0

    Mon, 18 Jul 2016 08:49:37 Failed

    In this case the postcgi.exe was missing in the incomingdata folder.  The service responded with an HTTP 404 error "File or directory not found".

     

    Additional articles:

    Issue: Vulnerability Scans are not updating on the core

    Error: "HTTP Error 403" Vulscan Return Code 433
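The failure signatures shown in Steps 1, 2 and 5 can be pulled out of a vulscan.log automatically. The following is an added example, not part of the original article or of Ivanti's tooling: it maps each failing line to the step it belongs to and to the troubleshooting item the article lists for it. The sample log is constructed from the excerpts quoted above (the HTTP 500 line is abridged), and the category names are made up for this sketch.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

class Finding(NamedTuple):
    timestamp: str
    step: int       # step of the scan walkthrough the failure belongs to
    category: str   # label invented for this example
    detail: str
    check: str      # troubleshooting item taken from the article

# Constructed sample: lines copied from the excerpts on this page (500 line abridged).
SAMPLE_LOG = """\
Fri, 15 Jul 2016 13:50:16 Action SOAPAction: "http://tempuri.org/GetHashForFile" failed, socket error: 0, SOAPCLIENT_ERROR: 5.  Status code: 503, fault string:
Fri, 15 Jul 2016 13:50:16   Retrying in 0 seconds...
Fri, 15 Jul 2016 13:50:16 Action SOAPAction: "http://tempuri.org/GetHashForFile" failed, socket error: 0, SOAPCLIENT_ERROR: 5.  Status code: 503, fault string:
Fri, 15 Jul 2016 13:31:22 Action SOAPAction: "http://tempuri.org/ResolveDeviceID" failed, socket error: 0, SOAPCLIENT_ERROR: 7.  Status code: 500, fault string: Server was unable to process request. ---> A network-related or instance-specific error occurred while establishing a connection to SQL Server.
Fri, 15 Jul 2016 15:20:53 Info: Core did not find file AgentBehaviors/RebootBehavior_LDMS2016_v503.xml
Fri, 15 Jul 2016 15:20:53 Last status: File not found on core
Mon, 18 Jul 2016 08:49:37 Failed http://LDMS2016:443/incomingdata/postcgi.exe?prefix=vulscanresults\\&name=ScanResults_{A25894AD-E7E7-C042-86AB-5F8BBD866601}_0.vrz on server (0), server status: 404.
Mon, 18 Jul 2016 08:49:37 Failed to put vulnerability results to core as file: 8DB301B1
Mon, 18 Jul 2016 08:37:40 Success
"""

LINE = re.compile(r"^(\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) (.*)$")
SOAP_FAIL = re.compile(r'Action SOAPAction: "http://tempuri\.org/(\w+)" failed,.*?'
                       r"Status code: (\d{3}), fault string:(.*)")
MISSING_FILE = re.compile(r"Info: Core did not find file (\S+)")
UPLOAD_FAIL = re.compile(r"Failed (http\S+) on server \(\d+\), server status: (\d{3})")

def classify(ts: str, msg: str) -> Optional[Finding]:
    """Map one log message to a finding, or None for lines that are not failures."""
    m = SOAP_FAIL.search(msg)
    if m:
        action, status, fault = m.group(1), m.group(2), m.group(3)
        if status == "503":
            return Finding(ts, 1, "web-service-unavailable", action,
                           "IIS and the LDAppVulnerability application pool on the core")
        if status == "500" and "SQL Server" in fault:
            return Finding(ts, 1, "database-unreachable", action,
                           "database server state and the core's database credentials")
        return Finding(ts, 1, "soap-failure", f"{action} (HTTP {status})",
                       "browse to WSVulnerabilityCore/vulcore.asmx from the client")
    m = MISSING_FILE.search(msg)
    if m:
        return Finding(ts, 2, "agent-behavior-file-missing", m.group(1),
                       "client access to the LDLOGON\\AgentBehaviors folder on the core")
    m = UPLOAD_FAIL.search(msg)
    if m:
        url, status = m.group(1), m.group(2)
        if status == "404" and "postcgi.exe" in url.lower():
            return Finding(ts, 5, "result-upload-404", url,
                           "postcgi.exe present in the IncomingData folder")
        return Finding(ts, 5, "result-upload-failed", f"{url} (HTTP {status})",
                       "permissions on the IncomingData and VulscanResults folders")
    return None

def triage(log_text: str) -> list:
    """Return one Finding per failing line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            finding = classify(m.group(1), m.group(2))
            if finding:
                findings.append(finding)
    return findings

def summarize(findings) -> Counter:
    """Count findings per category so retried requests stand out."""
    return Counter(f.category for f in findings)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp}  step {f.step}  {f.category}: {f.detail}\n    check: {f.check}")
```

Repeated findings for the same action are retries of one request, so the per-category count from `summarize` is more useful than the raw line count.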

     

    Step 6 - Vulnerability scanner checks for autofix patches

    The vulnerability scanner then checks with the core server to see if there are any patches that should be auto fixed at this time.  This is done through the http://localhost/wsvulnerabilitycore/vulcore.asmx web service using the GetAllPatches function.  If patches are found that need to be auto fixed one of the following methods is called:

     

    • Getallpatches2 -  GetAutofix Patches for all definitions specified
    • GetAutofixPatchesForGroup - If scanning against a group, get all Autofix definitions for that group.
    • GetPatchesForGroup - Get all patches for a group (remember, you can push a repair job against a group and it will be able to scan and repair in one scan)
    • GetPatchesForVulnerability - Get all auto fix patches for patches manually selected and scanned.

     

    The core then builds a list of the repair logic that vulscan will follow and sends it to the client through the web service.  The client then writes an .XML file to follow as it repairs patches.  This information is all of the repair logic from the definition.

    A comprehensive guide to the Meltdown and Spectre vulnerabilities (regularly updated)

    This article is regularly updated with information regarding these vulnerabilities

     


     

    This document serves to be a reference to assist with the following:

     

     

    Overview of the Meltdown and Spectre vulnerabilities

    For a further overview of both the Meltdown and Spectre vulnerabilities please see the following Ivanti Blog Post: https://www.ivanti.com/blog/meltdown-spectre-need-know/ 

     

    Meltdown - CVE Notice # CVE-2017-5754. More information from the National Vulnerability Database: NVD - CVE-2017-5754

    Spectre Variant 1 - CVE Notice # CVE-2017-5753. More information from the National Vulnerability Database: NVD - CVE-2017-5753

    Spectre Variant 1 - CVE Notice # CVE-2017-5715. More information from the National Vulnerability Database: NVD - CVE-2017-5715

     

    These CVE and NVD entries contain lists of advisories, solutions, and tools regarding these vulnerabilities. CVE is a reference method for publicly known IT vulnerabilities and exposures.

     

    Meltdown and Spectre are vulnerabilities that affect various computer processors, including Intel x86 processors and some ARM-based processors.  This document therefore covers how to mitigate them through the features of Ivanti EPM.  Meltdown affects a very large range of computers, cell phones, tablets, etc., and so touches some of the systems that you manage with Ivanti EPM (for example servers, desktops, cell phones and other mobile devices).  In January of 2018, it was disclosed along with another exploit called "Spectre", with which it shares some but not all characteristics.  Meltdown patches may introduce some amount of performance loss; however, it is not as high as initially reported.  On January 18th, 2018, unwanted reboots and other stability issues were reported due to patches applied for the mitigation of these vulnerabilities.  Because of this, newer updates have been released.  All updates are addressed later in the document under the OS Updates section.

     

     

    OS Updates


    New
    01/29/2018 
    Important update for all operating systems

    Due to issues found with the currently available patches, extreme caution should be used when considering the installation of them.   Due to instability that can be caused by these patches the CPU vendors will be issuing further updates that will require new patches from OS Vendors, Browser Vendors, Hardware Vendors, etc.  

    Article from Intel: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners

     

    Windows Updates

     

    This section describes available Patch and Compliance definitions that can be delivered through the EPM Patch and Compliance tool.

    If your patches are not installing and you expect them to be, it may be due to a registry key that Microsoft requires to be present prior to installing the patches.  This protects against potential incompatibility with Anti-malware software that may cause blue screen crashes.  

    For more information see About Antivirus products and the Meltdown and Spectre security vulnerabilities

     

    01/29/2018

     

    Microsoft has released an emergency out of band update that disables the mitigation for Spectre variant 2.  This was due to the fact that Intel's new microcode can cause higher than expected reboots that can result in data loss or corruption. 

     

    Ivanti Patch News Bulletin: A tool to disable Mitigation against Spectre (KB4078130) has been released by Microsoft. 29/Jan/2018

     

    Microsoft news about this patch release: https://support.microsoft.com/en-us/help/4078130/update-to-disable-mitigation-against-spectre-variant-2

     

    This update adds two registry settings that “manually disable mitigation against Spectre Variant 2”:

     

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 1 /f

    The installation of this latest patch is optional, however, caution should be taken.  If the prior Spectre mitigation patches caused instability, you will want to install this patch (within definition MSNS18-01-4078130_INTL) in order to return to better system stability.

     

    Note: If you choose to install the following patch for KB4078130, the previously fixed patches will again detect as being installed.  You need to choose one or the other to put in your scan group: either MSNS18-01-4078130_INTL or the patches further below.

    Remove Spectre Variant 2 fix

    | Ivanti ID | Microsoft KB # | Ivanti Publish Date | Other Notes |
    |---|---|---|---|
    | MSNS18-01-4078130_INTL | KB4078130 | 01/29/2018 | |

     

     

    Windows 10

    | Ivanti ID | Microsoft KB # | Ivanti Publish Date | Other Notes |
    |---|---|---|---|
    | MS18-01-W10_INTL | Version 1507 - KB4056893 | 01/03/2018 | Cumulative Update and Delta Update |
    | " | Version 1511 - KB4056888 | 01/03/2018 | Cumulative Update and Delta Update |
    | " | Version 1607 - KB4056890 | 01/03/2018 | Cumulative Update and Delta Update |
    | " | Version 1703 - KB4056891 | 01/03/2018 | Cumulative Update and Delta Update |
    | " | Version 1709 - KB4056892 | 01/03/2018 | Cumulative Update and Delta Update |

     

    Windows 8.1 and Server 2012

    | Ivanti Patch and Compliance Manager ID | Microsoft KB # | Ivanti Publish Date | Other Notes |
    |---|---|---|---|
    | MS18-01-SO81_INTL (Windows 8.1) * | KB4056898 | 01/04/2018 | Security Only |
    | MS18-01-SO9_INTL (Server 2012) * | KB4056899 | 01/04/2018 | Security Only |
    | MS18-01-MR7_INTL | KB4056894 | 01/04/2018 | Monthly Rollup |


    * 01/24/2018 - Windows has issued a further update to mitigate stop errors caused by a spurious interrupt on systems with PIC and APIC controllers on systems that have previously been patched with the patches for KB4056898 amongst other patches.
    (This is Ivanti Definition ID MSNS18-01-4077561_INTL)

     

    Windows 7 and Server 2008

    | Ivanti ID | Microsoft KB # | Ivanti Publish Date | Other Notes |
    |---|---|---|---|
    | MS18-01-S07_INTL | KB4056897 | 01/04/2018 | Security Only |
    | MS18-01-MR7-INTL | KB4056894 | 01/04/2018 | Monthly Rollup |

     

    For important information regarding the installation of these patches, go here Current definitions in Patch and Compliance referencing Support for the Intel 'Meltdown' Security Vulnerability and see the "Additional Information" section.

    Patches are often superseded by another newer patch that contains additional fixes or mitigates problems with prior patches.  It is expected that most if not all of these patches will be superseded, likely in the near future, as Intel and Microsoft acquire more information about the issue.

    It is important to keep your definitions cleaned up so you are only scanning and repairing the latest patches.

    To manage your Patch Content effectively, see How To: Manage Superceded Patches in Patch and Compliance Manager

    Note: As of 01/17/2018 for all OS Versions all Windows patches for 32-bit systems do not provide Meltdown mitigations.  This is a Windows Patch issue, not an Ivanti Patch issue.

    macOS and iOS updates

     

    Apple included mitigations for macOS 10.13.2 and iOS 11.2 released in December.  It has since followed up with additional mitigations with the just-released Apple macOS Supplemental Update: About speculative execution vulnerabilities in ARM-based and Intel CPUs - Apple Support

     

    Linux and Unix updates

     

    CentOS 6

    | Ivanti ID | Type of update | More Info URL | Date Published |
    |---|---|---|---|
    | CESA-2018-0093 | microcode_ctl | https://access.redhat.com/errata/RHSA-2018:0093 | 01/17/2018 |
    | CESA-2018:0013 | microcode_ctl | https://access.redhat.com/errata/RHSA-2018:0013 | 01/04/2018 |
    | CESA-2018-0061 | libvirt | https://access.redhat.com/errata/RHSA-2018:0030 | 01/04/2018 |
    | CESA-2018:0008 | kernel | https://access.redhat.com/errata/RHSA-2018:0013 | 01/04/2018 |
    | CESA-RHSA-2018:0024 | qemu-kvm | https://access.redhat.com/errata/RHSA-2018:0024 | 01/04/2018 |

     

    CentOS 7

    | Ivanti ID | Type of update | More Info URL | Date Published |
    |---|---|---|---|
    | CESA-2018:0094 | linux-firmware | https://access.redhat.com/errata/RHSA-2018:0094 | 01/17/2018 |
    | CESA-2018:0007 | kernel | https://access.redhat.com/errata/RHSA-2018:0007 | 01/04/2018 |
    | CESA-2018:0014 | linux-firmware | https://access.redhat.com/errata/RHSA-2018:0014 | 01/04/2018 |
    | CESA-2018:0012 | microcode_ctl | https://access.redhat.com/errata/RHSA-2018:0012 | 01/04/2018 |
    | CESA-2018:0029 | libvirt | https://access.redhat.com/errata/RHSA-2018:0029 | 01/04/2018 |
    | CESA-2018:0023 | qemu-kvm | https://access.redhat.com/errata/RHSA-2018:0023 | 01/04/2018 |

     

    Red Hat Enterprise

    | Ivanti ID | Type of update | More Info URL | Date Published |
    |---|---|---|---|
    | RHSA-2018-0093 | microcode_ctl | https://access.redhat.com/errata/RHSA-2018:0093 | 01/17/2018 |
    | RHSA-2018-0094 | linux-firmware | https://access.redhat.com/errata/RHSA-2018:0094 | 01/17/2018 |
    | RHSA-2018-0030 | libvirt | https://access.redhat.com/errata/RHSA-2018:0030 | 01/05/2018 |
    | RHSA-2018-0024 | qemu-kvm | https://access.redhat.com/errata/RHSA-2018:0024 | 01/04/2018 |
    | RHSA-2018-0023 | qemu-kvm | https://access.redhat.com/errata/RHSA-2018:0023 | 01/04/2018 |
    | RHSA-2018-0012 | microcode_ctl | https://access.redhat.com/errata/RHSA-2018:0012 | 01/04/2018 |
    | RHSA-2018-0014 | linux-firmware | https://access.redhat.com/errata/RHSA-2018:0014 | 01/04/2018 |
    | RHSA-2018-0007 | kernel | https://access.redhat.com/errata/RHSA-2018:0007 | 01/04/2018 |
    | RHSA-2018-0008 | kernel | https://access.redhat.com/errata/RHSA-2018:0008 | 01/04/2018 |
    | RHSA-2018-0013 | microcode_ctl | https://access.redhat.com/errata/RHSA-2018:0013 | 01/04/2018 |

     

    Ubuntu

    | Ivanti ID | Type of update | More Info URL | Date Published |
    |---|---|---|---|
    | USN-3530-1 | WebKitGTK | USN-3530-1: WebKitGTK+ vulnerabilities \| Ubuntu | 01/11/2018 |
    | USN-3531-1 | intel-microcode | USN-3531-1: Intel Microcode update \| Ubuntu | 01/11/2018 |
    | USN-3522-4 | linux-lts-xenial | USN-3522-4: Linux kernel (Xenial HWE) regression \| Ubuntu | 01/10/2018 |
    | USN-3523-2 | linux-hwe, linux-azure, linux-gcp, linux-oem | USN-3523-2: Linux kernel (HWE) vulnerabilities \| Ubuntu | 01/10/2018 |
    | USN-3522-3 | linux regression | USN-3522-3: Linux kernel regression \| Ubuntu | 01/10/2018 |
    | USN-3522-2 | linux-lts-xenial, linux-aws | USN-3522-2: Linux (Xenial HWE) vulnerability \| Ubuntu | 01/09/2018 |
    | USN-3522-1 | linux, linux-aws, linux-euclid, linux-kvm | USN-3522-1: Linux kernel vulnerability \| Ubuntu | 01/09/2018 |

     

     

     

    Browser Vulnerabilities

     

    | | Edge | Internet Explorer | Google Chrome | Firefox | Opera |
    |---|---|---|---|---|---|
    | Earliest Recommended Version | Varies per build number | Varies per OS | 64.0.3282.140 | 57.0.4 | 50.0.2762.67 |
    | Ivanti Patch Definition ID | MS18-01-W10_INTL | MS18-01-IE_INTL | Chrome-215_INTL | FF18-001_INTL or newer | OPERA-154_INTL |

     

    BIOS, Firmware and Driver updates

     

    Ivanti EPM Patch and Compliance provides content for several vendors' BIOS and driver updates.  It is recommended to follow the advice of the vendor and to update your systems accordingly.

     

    As a convenience we offer some links to vendor websites relating to this issue:

     

    Dell: Meltdown and Spectre Vulnerabilities | Dell US

    HP: HPSBHF03573 rev. 7 - Side-Channel Analysis Method | HP® Customer Support

    Lenovo: Reading Privileged Memory with a Side Channel

     

    Most vendors have pulled their BIOS updates pending new changes from the CPU vendors. 

    Further Information: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners

     

    These vendor links are provided for convenience.  They may quickly become outdated and there may be better links provided by the vendor.

     

    Antivirus software and possible compatibility issues with OS patches

     

    See the following article for information specifically regarding antivirus compatibility, including Ivanti Antivirus: About Antivirus products and the Meltdown and Spectre security vulnerabilities
