I have a computer that security required me to remove a hotfix on. Everyting I patch the server, it wants to re-add the hotfix because it no longer exists. All other computers need the hotfix, but I needed to turn off autofix so it wouldn't apply. How can I set it so just the one computer does not apply the patch.
John
I use SPM to push out JRE updates to my clients. It came to my attention today that the "Affected Platforms" for the 32-bit detection rules (ie jre-6u21-windows-i586.exe) does not have 64-bit Vista or Win7 included. I have the 32-bit java on my 64-bit clients because we use a 32-bit browser (mainly for flash compatibility). Is there a way to modify the detection rules? ...or is this something I'm just going to have to work around? (I'm pretty sure the answer is the latter.)
Thanks...
Hello,
Has anyone come across this error? Any help is much appreciated.
I am patching few servers this weekend, and some of them have the status - 'Failed' with Result - 'Unknown Status Code (0x4005,0:16389)'. I checked those servers randomly and noticed patches are installed successfully, but no idea what this error code means.
We are on LANDesk 9.0 SP3 and I am patching againist a Custom Group.
Thanks in advance for any hints, comments or suggestions.
Support is aware of the Java 7 Update 11 emergency update provided by Java. Our team is currently developing a patch manger definition for Java 7 Update 11 and we will have this released as soon as possible. I will update this thread as soon as this new content has been released. If you need to release this content to your environment immediatly you may do so by creating a custom definition for the patch that has been released by Java found here:
If I apply an update from patch manager for java or adobe products it will override previous settings that were created to stop the applications from trying to self update.
Does anyone know a way without using security Suite to make this happen. End users to not have the ability to install and this creates a lot of calls to the help desk.
Does anyone have any best practices for patch deployment when the only avaialble time that patches are going to be allowed is Saturday Evening through Monday Morning? I've tried using policies that do not prompt users or reboots however the microsoft updates trigger the windows update service to prompt the user for a reboot. We cannot use autofix for the same reason. However when I try just deploying patches on a weekend, I get about a 50% sucess rate, mostly due to pc's being off or asleep (despite our requesting users to not power off their pc's, and a lot of our equipment is older and doesn't support wake on lan). So a fairly large group are mostly caught up but some are lagging behind getting patches and management doesn't seem to understand that by using only a brief window the sucess rate isn't going to be 100%.
Has anyone figured out how to actually download the latest v.6 Java update? They only list the v.7 stuff now on their standard download page. I found a page where you can download old versions, but it only went up to the last v.6 version - Update 43. The LANDesk bulletin says: "login Oracle Technical Network to get these patches" but after mucking around on the Oracle site for 15 minutes, I can find no such logon.
Thanks!
Please Help
All devices are failing with a return code 412 . All patches i push to any computer on the network has failed I Reimage another machine to make sure it was not a MS update may have cause the issue.
See attached for Vulscan results. i do not know what else to do at this point. Please provide direction.
Thanks
Andre
Sending a patch to a machine using patch manager returns with a result of NO PATCHES AVAILABLE.
LANDesk Patch Manager will only apply a patch to a machine that reports that it is vulnerable and needs the patch. So if a machine has not scanned and reported back to the Core Server that it needs the patch it will not apply the patch when scheduled to it and will return the NO PATCHES AVAILABLE. The machine keeps a local record of what it has reported vulnerable to the core so when the task is ran on the machine it checks the local record to see if it needs it or not.
Repair task does not scan the machine until after the repair has happened on the machine.
Work around for this is to:
1- Create a custom group.
2- Add the Vulnerabilities to the group that need to be fixed.
3- Create a Scan and Repair settings that scans for the group created in step one.
4- Select the option under the scan for group to "Immediately repair all detected items"
This will first scan the computer then repair anything that it finds vulnerable.
Windows XP SP3 has a Dependency on 952287 being installed before LANDesk Patch Manager will remediate the patch. Looking in Security and Patch Manager information for a computer could show that Windows XP SP3 is vulnerable, but the Name column will state Dependency. If the XP SP3 Vulnerability is highlighted it will show what dependency is needed.
This has changed in content and 952287 is no longer set as a Dependency for XP-SP3 to be installed.
Does LANDesk have any plans to release the auto-upgrade patch & definition from v6 to v7 of Java? It would be nice to get that to run natively in LANDesk Patch Manager. Right now, we are prepping a script to uninstall v6 on all systems with software deployment, but I'd love to be able to use a LANDesk-provided patch to do it instead.
I would like to know how LDMS categorizes severity of the Vulnerabilities in Patch and Compliance Scan. For instance, our Security officer uses Nessus vulnerability scanner for PCI-DSS compliance scanning and Nessus reported that MS KB 2562937, MS KB 226937, MS11-046 as High, and MS KB 982316, MS KB 2524375 as Medium, whereas LANDesk Patch Compliance scan reports those KBs as Severity "NA."
My question is, which industry standards or guidelines does LANDesk use to categorize the vulnerability patches and does the LDMS use have the ability to change the Severity setting manually?
Also, if both tools LANDesk and Nessus are PCI-DSS compliant, then why does each product have their own unique categorization of these MS KB vulnerability patches?
I'm trying to get IE10 to push through Patch Manager and I'm having very little luck. At first I thought that it was because certain prerequisite patches were not installed, however, I have computers that show as needing the IE10 patch, and as having all of the prerequisite patches installed and when I attempt to run a scheduled task to install IE10 with the downloaded patch, it tells me that No Patches are Needed and it won't install IE10. Has anybody else run into this? Thanks for any assistance.
Hello,
just wanted to see if anyone else had this problem. When we pushed out 981374 to our machines with IE7 installed, no one could print from IE7 or Outlook. It caused a script error dialog box to come up. It affected every computer that has IE7 installed.This is what the script error looked like. Unfortunately, it is not an uninstallable patch 
Line: 1405
Char: 1
Error: Invalid argument
Code: 0
URL: res://ieframe.dll/preview.dlg
G'Day All,
I have recently rebuild my core after hardware failure. I took the opportunity to do a full fresh install of LD 8.7 SP5 with Security Patch Manager.
All is going very well, Client agents are back in the DB (using restored certificates from original build). The only thing I cannot get to work is LSSS.
The scan runs, but we get messages 'Server Busy, retrying' and it eventually fails.
It also does not register the scan in the list of Patches in the console. So far, I have detected no vulnerabilites or patches and the Scanned column also shows zero.
What have I missed in the config of the server to cause this issue?
Any help or suggestions would be greatfully accepted.
Regards
Mark
Hi all
I have been patching the critical update for Java 7u11 on LanDesk version 9.0.3.1 and have hit a few confusing problems.
The patch has worked on several machines - removing the idea that the exe isnt working or is in the incorrect place.
The patch is set to force update - closing any IE browsers or any Java apps.
The patch is being detected as needed by the devices during vulscan
However the patch shows as failing whilst running commands. Which ive looked at and found it may be due to IE/Java running, but this is contradicting the 'force update' option that is set (and works further to testing on own machine)
Please see a copy of the log below.
Any help appreciated
Cheers
Jez
As the title states "Gather Historical Information" is crashing during the task towards the end at "Removing historical information more than 30 days old ...".
The console crashes every time at this point. When I try to schedule the task for later, the task runs once then crashes, and then it fails to run again the next day. The error is "Failed, task handler exception".
This is preventing me from having accurate informaiton in the patch and compliance area. Any ideas?
I have the patches downloaded and placed in the proper patch folder on the core, yet they continue to fail. Here is info from log file:
Downloading http://osum-ldm/LDLogon/patch/jre-6u26-windows-i586.exe
Wed, 05 Oct 2011 09:52:20 Performing TCP connection with a timeout of -1 milliseconds
Wed, 05 Oct 2011 09:52:22 Performing TCP connection with a timeout of -1 milliseconds
Wed, 05 Oct 2011 09:52:25 Performing TCP connection with a timeout of -1 milliseconds
Wed, 05 Oct 2011 09:52:28 Performing TCP connection with a timeout of -1 milliseconds
Failed to download http://osum-ldm/LDLogon/patch/jre-6u26-windows-i586.exe. Error code 3
Last status: Failed
Download Failure: Error 80004005 downloading http://osum-ldm/LDLogon/patch/jre-6u26-windows-i586.exe
Last status: Failed: Could not download http://osum-ldm/LDLogon/patch/jre-6u26-windows-i586.exe
I have different error for update java update 27:
Download Failure: Error 80004005 downloading http://osum-ldm/LDLogon/patch/jre-6u27-windows-i586.exe
Last status: Failed: Could not download http://osum-ldm/LDLogon/patch/jre-6u27-windows-i586.exe
Sending status to core
These are the only patches that I have that fail, everything else installs fine. Any help is greatly appreciated!!!
thanks,
dan
Using LANDesk 9 SP3. I am running into an issue with systems that use Deep Freeze so I am trying to figuire out the best way of doing it whereas I just exclude all the PCs for now that have the application installed. I thought I would just amend the repair query to exclude PCs that have DFC.exe installed. But that seems like a long way around a short problem.
I thought about using filters to create a group but since it isn't dynamic it doesn't make sense. Plus it is a pain since you can't easily use a query to create a device group.
So is there an easier way to target using Patch Manager where it won't scan or exclude a group of PCs so I can do patching easier?
Noob question as I'm just switching over from WSUS to Landesk 9.0SP3 for client patch management. I've gone through numerous documents explaining patching, all of which cover the 9.0 SP1 or older version and don't explain what the 3 folders ("Replaced", "Paritally replaced" and "Replacement not Enabled Folders") under the Scan folder do.
Specifically, am I supposed to be moving patches around in these folders or are they positioned there by Landesk?
Also, when I grab patches to put into my custom group folders to create my repair (patch) task, am I copying the patches just from the "Scan" folder or do I also have to grab them individually also from the 3 subfolders too?.
I think I've got the rest down, these folders just make me wonder as they're not mentioned in the documents I've gone through. Searching the forums I wasn't able to find anything useful on them as well.
Thanks
Pete
Hi,
I want to patch management on a slower link --(64k ,128 K) . I want to use preffered server. Can some one send me documented process for the same.