we are trying to measure the number of servers that are patched at the moment for a particular vulnerability but for some reason there is no trending data for the particular vulnerability and the status doesn't match the history. I have attached a few screenshots for reference.
Anyone have any ideas?
I'm wondering if anyone else is seeing odd behaviour regarding "Replaced" patches.
For example:
Google Chrome
I currently have patches listed from 43.0.2357.130 thru 44.0.2403.107.
There are 10 patches in total, each an increment in version #. Each patch is listed as "Replaced by" the patch ahead of it.
However, nothing shows up in the "Replaced" folder under Scan.
I would expect that these "replaced" patches would be filtered into that folder so that I can disable scanning for them.
This makes me wonder if these Chrome patches have a dependence on previous patches or if my LDMS just stopped working properly in this regard.
Thanks.
-Brendan
Anyone have a direct link to this patch? I found all the others but this one is MIA....
Thanks!
As of 12/1/2014 we have a new icon and action showing up in clean/repair history for login/logout. Has anyone seen this, and if so what setting is tracking login/logouts?
LDMS 9.5 SP3
LDDA 9.6 SP1
Specifically, I would like to be able to disable and prevent the user from re-enabling Flash.
-Brendan
Hello, I apologize for the basic nature of my questions and confusion, but I have been reviewing the manual and documentation and also viewing as many videos as I can find to watch. However, I'm afraid after 2 weeks, I still have some basic questions and confusion.
We have recently purchased LANDesk 9.6 and I was asked to look into the Patch Management piece. I've picked up some (very) basic knowledge in my efforts to learn, but have hit a bit of a stumbling block to continue learning and am at a point I need to show my lack of understanding of this product and ask for help.
My understanding is that in the Patch and Compliance area, after you download the updates, they are placed into the "\Unassigned" folder. Then it is up to me to figure out what to do with them. To get the vulnerability scan (vulscan.exe) to check if these updates are needed on our workstations, I must copy the desired updates into the "\Scan" folder. And vulscan.exe will ONLY check the workstations for the updates in this \Scan folder.
I have many questions and items that are confusing to me in LANDesk, but my initial question & confusion is 'Which of the thousands of updates that were downloaded should I copy to the \Scan folder?' Now I realized the obvious answer is "You dummy, copy the ones you want to scan for!", but that is the problem. I don't understand how LANDesk is doing this check. In my mind it should simply check for "Adobe Reader", yet there are numerous 'versions' of Adobe Reader updates that get downloaded and I don't understand why, and more importantly, how these different versions are used.
In a specific example, but questions and confusion is below. Thank you for any help or pointers that will get this beginner past this initial hurdle.
I patch a server a server yesterday with roughly 40 Microsoft updates.
All were downloaded prior to the job.
Patch 34 patched just fine and I verified this on the server, but the Task in the Management Console shows All Patches Failed- Error 412.
This cannot be, but there it is as plain as day.
how can I achieve accurate results. is there a report I can run that show all the patches applied and failed patches?
Thanks in advance
Dave
Log file...
Running patch windows-kb890830-x64-v5.27.exe
Installing patch 34 out of 34 patches
Contacting server...
Contacting server...
Done
Running post-install/uninstall script
Sending previous action history to core
Contacting server...
Done
Sending status to core
...
http://192.168.46.134/LDLogon/patch/ie10-windows6.1-kb3087985-x64.msu
Failed
Failed: Could not download http://192.168.46.134/LDLogon/patch/ie10-windows6.1-kb3087985-x64.msu
Running pre-install/uninstall script
Running post-install/uninstall script
Sending previous action history to core
Contacting server...
Done
Sending status to core
We would like to remove all XP patches and just scan for Win7 updates? Is there an easy way to do this? I know there will be times when the updates applies to multiple OS's.
Hello, I want to start off saying I'm very new to LANDesk especially the patch manager portion. After some trial and error I got things up and running the way I want them, Autofix patches that dont require a reboot, and scheduled tasks for patches that do require rebooting. Well there hasn't been much of an issue, there are still a few computers on the network that are randomly being asked to reboot. I'm not pushing out any software and the patches that autofix say that they do not require a reboot. Can someone tell me whats going on? People seem to get frustrated when they are asked to reboot during the middle of the day. Thanks.
We've been noticing a Windows 7 bug documented in this KBase article:
http://support.microsoft.com/kb/2486635
The hotfix only comes in MSU form though, and I'm not aware of a way to add this in using the typical distribution packages frame within LanDesk. Should we open a Enhancement Request or can this be done from SWD?
Almost all of our T410s have this issue. It only happens if Bluetooth Service is being disabled (as per the kb article).
Thanks,
Doug
Landesk 9.5 SP2, Mix of Windows 7 Pro and Enterprise, 32 and 64 but.
We push software and patches out silently and follow up with a weekly reboot based on query of machines that require a reboot. Inventory, Landesk, reboot switch =1.The first several
weeks, I have done this during the day - and I see feedback regarding reboot like I would expect. Users defer (as we have allowed in out agent), machines rebooted, machines off. It
appears to work fine. BTW, most patches go out SILENTLY.
But now we have a question. We see the reboot happening with all the notifications we would expect. But I'm not sure if the Landesk switch is really resetting on a machine that gets
rebooted.
I assume something here - namely, A machine that needs rebooting according to this Landesk switch, if it's off, when the reboot is pushed out, will just clear this switch when it comes on and reports in.
But it's not just formerly off machines. it appears that machines that need a reboot get it, and the switch isn't clearing, so they will get it again . . . and again . . and again.
I expect to see some "unscheduled" activity that is part of a policy from a previous push. But it
looks like I am seeing machines that don't get this switch cleared.
Thanks for the help. BTW, I'm bad at closing out questions when answered. it's frustrating because in Firefox, I only see option to reply to a thread or mark a response helpful.
Hello everybody,
I am currently working on a script who makes a research in the LANDesk database, and I want to know which SQL statements I should use to give me the following informations : Patches Installed, Patches Missing. (On a single computer)
I counted the items in the field "All Detected" and "All installed" and can't retrieve the same numbers by querying the DB.
I hope my problem is clearly explained.
Thank you.
Hi,
I have a core server Landesk 9 SP3 et agent are on SP3 too.
I have a lot of patch especially .NET patch ( ndp*****.exe ) that are detected by landesk but the installation failed.
When I try to install it by hand I have the following message :
- KB***** does not apply, or is blocked by another condition on your computer.
With this message I try to shutdown all the appz that run on server et reintall it. I got the same message
Here's some patches that are detected by Landesk but cannot be installed on the system :
MS11-100
MS11-044
MS11-066
MS12-016
...
I think that the problem come with the process of detection for these patches !
Do you have also these problems ? and have you find a solution to avoid it ?
Big Thanks !
We have been handling our windows updates for servers by manual installation. Usually we wait at least two weeks after patch Tuesday, and then install updates, rebooting the servers off-hours. We would like to start using LANDesk for this, but I was curious about how it handles updates that have been rescinded by MS. For example, MS releases a patch, LANDesk downloads it (via scheduled task in our case), then a few days later they remove the patch because it causes massive issues. Does LANDesk detect this and remove the patch? We would set up a schedule to install the patches during a maintenance window, so we won't be just automatically installing anything that gets downloaded. Just want to be sure what happens with LANDesk, whether is removes the patch, marks it as not needed, or what.
Thank you!
As the title states "Gather Historical Information" is crashing during the task towards the end at "Removing historical information more than 30 days old ...".
The console crashes every time at this point. When I try to schedule the task for later, the task runs once then crashes, and then it fails to run again the next day. The error is "Failed, task handler exception".
This is preventing me from having accurate informaiton in the patch and compliance area. Any ideas?
In testing,
I have several computers here that are failing on patch Windows6.1-KB2835361-x64.msu. This is indeed a Win7 X64 SP1 computer. Installs works on most computer - just failing on a few... See pertinent log entry below.
\Command Interpreter running
Executing C:\windows\system32\wusa.exe "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\Windows6.1-KB2835361-x64.msu" /quiet /norestart
ERROR: C:\windows\system32\wusa.exe "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\Windows6.1-KB2835361-x64.msu" /quiet /norestart returned a bad exit code (2149842967)
ERROR(EXECUTEFILE) Failed to run command - 80004005
DownloadPatch ERROR: Failed to run commands (80004005).
Last status: Failed
SendPatchStatus: patch 'Windows6.1-KB2835361-x64.msu' status Failed at core. Result: 80004005. Adding to action history
Family Windows6.1-KB2835361-x64.msu, action 1, status Failed
Failed
RunPatches completed. 1 processed. 0 installed. 1 failures.
Reboot and rescan. Rescan set to false, so doing nothing.
Sending status to core
Thu, 25 Jul 2013 11:45:49 16784 18152 HTTP POST: http://OWGUSNY1LMS01.OWG.DS.CORP/incomingdata/postcgi.exe?prefix=ldlogon\VulScanResults\&name=idn2379_taskid3179.logz
Thu, 25 Jul 2013 11:45:49 16784 18152 Setting a proxy...
Thu, 25 Jul 2013 11:45:49 16784 18152 Setting socket timeout to 1000 * 60 * 4
Thu, 25 Jul 2013 11:45:50 16784 18152 Success
Freeing the compressed results.
In SendRequest: Action = SOAPAction: http://tempuri.org/SetTaskLogByFile
Manually running the patch returns this error: "The update is not applicable to your computer."
Extensive Google searching has found no useful solution. One possibility I ran across is for an errant Reg entry HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Buildlab, but the entry on these computers is consistant with other computers that install patch successfully.
Any ideas?
I downloaded Oracle Patch 9553040 from My Oracle Support (patch filename is p9553040_160_MSWIN-x86-64.zip). I extracted the two executables (jdk-6u91-windows-x64.exe and jre-6u91-windows-x64.exe) to the patch folder (right-click to"Open patch folder..."). They still show up as not downloaded. This worked just fine for the 32-bit binaries (ending in -i586.exe instead of -x64.exe). Any ideas what might be the issue?
Thanks,
Charles
I have the patches downloaded and placed in the proper patch folder on the core, yet they continue to fail. Here is info from log file:
Downloading http://osum-ldm/LDLogon/patch/jre-6u26-windows-i586.exe
Wed, 05 Oct 2011 09:52:20 Performing TCP connection with a timeout of -1 milliseconds
Wed, 05 Oct 2011 09:52:22 Performing TCP connection with a timeout of -1 milliseconds
Wed, 05 Oct 2011 09:52:25 Performing TCP connection with a timeout of -1 milliseconds
Wed, 05 Oct 2011 09:52:28 Performing TCP connection with a timeout of -1 milliseconds
Failed to download http://osum-ldm/LDLogon/patch/jre-6u26-windows-i586.exe. Error code 3
Last status: Failed
Download Failure: Error 80004005 downloading http://osum-ldm/LDLogon/patch/jre-6u26-windows-i586.exe
Last status: Failed: Could not download http://osum-ldm/LDLogon/patch/jre-6u26-windows-i586.exe
I have different error for update java update 27:
Download Failure: Error 80004005 downloading http://osum-ldm/LDLogon/patch/jre-6u27-windows-i586.exe
Last status: Failed: Could not download http://osum-ldm/LDLogon/patch/jre-6u27-windows-i586.exe
Sending status to core
These are the only patches that I have that fail, everything else installs fine. Any help is greatly appreciated!!!
thanks,
dan
Hello everyone! I hope everyone is enjoying the holiday season. I am relatively new to Landesk patching, and there is one big question that I have been meaning to ask but never got around to it, so I'll go ahead and ask it now.
I find that when I'm patching systems, often I will have multiple versions of the same patch. For example, I might have:
MS13-099 (46 machines detected)
MS13-099_MSU (369 machines detected)
The MSU patch usually shows more machines as needing the patch, but since the number of detected machines differs so greatly, I usually deploy both patches to ensure that all machines needing the patch get it. Is this neccesary? What is the difference between the MSU version of the patch and the non-MSU version? Should I be deploying both or just the one with the higher number of detections?
I also run into this situation where I'll have some patches that have an INTL version and then a MUI_ENU version. I only want to deploy English patches but again sometimes the number of detections differs so greatly that I deploy both anyway to be safe. Any insight into this that can help me optimize our patch deployment is much appreciated. Merry Christmas!
Josh
Hey All,
Is anyone in the process of rolling out IE11 yet and managed to deploy it via patch and compliance in an efficient way? I'm currently trying to figure out a way to minimise reboots to the end-user. As it stands there are pre-reqs for IE11 (which I've already deployed to the fleet), then you can send out IE11 itself, then the computer needs to scan again and apply some IE11 patches, then it appears to do another set which had dependencies on the previous patches (all with a reboot in between).
My end result is just IE11 with Enterprise mode, so for Win 7 that is IE11 with KB2929437. I'm attempting to not resort to packaging the rollout as vulscan reboot is much better but it's poor service to deliver a browser that isn't fully functional until another scan occurs, followed by more updates being applied (could be up to 3 days).
I already have a couple of ideas, one of which is I'm considering cloning the patch and bundling the two minimum requirements together but thought I'd open the discussion to the community for other opinions.
Thanks,
Stewart