Channel: LANDESK User Community : Popular Discussions - Patch Manager

W3WP process for LDAppVulnerability consuming high CPU


(LANDesk 8.8)

 

I started noticing slowness when running a Security Scan from a client machine, and also slowness in our 32-bit Consoles.

 

When I launch a Security Scan, it just sits for 30-60 seconds at the "Verifying device ID with core ..." action; the status message shows "Contacting server...". Next, another "Verifying device ID with core ..." action starts and again sits inactive for 30-60 seconds. Usually, the scan will finally begin, but each step in the scan process that communicates with the Core begins with a long delay.

So, on the Core I checked out active processes, and there are three instances of W3WP.EXE running, and the one that consumes excessive CPU is running the LDAppVulnerability application pool in IIS. If I stop that application pool, the Core server CPU usage drops sharply and so does my SQL server CPU. Of course, now no computers can run a Security Scan.

 

 

Any ideas on how to troubleshoot this?

 

 

Thanks!


Custom Query to see the last successful patch installation date (clean/repair)?


Hello all,

 

Trying to create a custom query to see the last successful patch installation date. What I mean by this is if you go to a machine and go to "Security and Patch Information"  then go to "Clean/repair History"  you'll see the last repair/install of a patch and the date. I'd like to create a query that will show me this.

 

 

So far all I've come up with is this:

 

 

"Computer"."Patch and Compliance Definitions"."Patch Install Date"  >  "GetDate() -31"

 

 

Which only shows me ones that HAVE updated in the past 31 days. Reversing the greater than sign actually gives me no results (EDIT: technically it gives some, I was also sorting by OS which originally gave me none), and I couldn't figure out a way to properly reverse things -- There are even some machines with nothing in the clean/repair log, which I expected to show. So, clearly something's a bit off with my thinking, and I can't figure out what it might be.

 

 

Also, as a means of sorting things, I'd like them sorted by date order. I tried adding in the same parameter (Patch Install Date) and sorting by that, but what it wound up doing was creating a separate entry for each patch that was installed (so three patches installed means the machine was listed three times).

 

Any help in these areas would be greatly appreciated, though obviously the actual query is more important than the sorting.

 

Thanks in advance!

Windows 7 patches failing on workstation (log attached)


While attempting to patch workstations I have one which appeared to fail on only Windows patches but Office, Adobe etc patched correctly. 

 

The error details are - Error:"C:\Windows\system32\wusa.exe" returned failure code exit (2149842967)

 

I have attached the vulscan log.

 

If anyone has any recommendations, please let me know!

 

Thank you for reading.

 

Jonathan

Shutdown after WoL Security Scan


Hey everybody,

 

We are currently a little irritated about WoL with LDMS 9.5 SP1.

 

My experience from the last years with LANDesk was that if you schedule a task, in my case a Security Scan task, with the option Wake Up Devices, all target machines will be powered off regardless of whether they were powered on or off when the task starts.

 

Does anybody know if there was a change to this behavior?

The reason why I'm asking is that our machines won't shut down after the security scan task is completed.

 

Regards

Fabian

High CPU Usage by ISSUSER.exe


On LD 9.6 SP1 client I'm seeing issues with ISSUSER.exe running at 100% of one core and sometimes faulting.

One suggestion was to replace the jscript.v55 file, but that has not resolved the issue.

 

Looking at the application errors  in the diagnostic data in inventory I'm seeing the following

2015-05-29 16_20_06-Inventory - BRDROEDE3NKNWZ1 - __Remote.png

So it appears the LIBEAY32MT.dll is where it's faulting at with an exception code of c0000005

 

Any advice?

vulscan.exe causing slowness issues


Recently we have been seeing vulscan using 40-50% CPU with spikes to 100% and slowing machines to a crawl.  I have updated the local scheduler with the belownormal switch and the CPU usage stays below 10%, but a couple of the machines still run slowly while being scanned.

 

If someone could provide a breakdown of the vulscan process, how and what it scans, it would be greatly appreciated.  We are on SP3 and the users having the issues have the updated clients.

105 Error code while patching


Hello Guys,

 

When running the patch on Windows systems we are getting the error message (0x8dac0069 - code 105).

What may cause this issue? Please help us as soon as possible; it will be a great help.

 

Processing package : Repair Group All Critical --------------

Wed, 24 Jul 2013 16:26:10 File (http://AAAAA/landesk/files/ldrunner.exe) is not in cache

Wed, 24 Jul 2013 16:26:10 About to call DownloadFiles (1 files) with these settings:

Wed, 24 Jul 2013 16:26:10 m_allowedBandwidthWAN: 100

Wed, 24 Jul 2013 16:26:10 m_allowedBandwidthLAN: 100

Wed, 24 Jul 2013 16:26:10 m_maxDiscoveryThreads: 15

Wed, 24 Jul 2013 16:26:10 m_discardPeriodSeconds: 604800

Wed, 24 Jul 2013 16:26:10 m_preserveDirectoryStructure: 1

Wed, 24 Jul 2013 16:26:10 m_bUseWanBWForPush: 0

Wed, 24 Jul 2013 16:26:10 m_bSynchronize: 0

Wed, 24 Jul 2013 16:26:10 m_downloadControl: AttemptPeer

Wed, 24 Jul 2013 16:26:10 m_preferredServerControl: NoPreferredServer

Wed, 24 Jul 2013 16:26:18 processing of package is complete, result -1918107543 (0x8dac0069 - code 105)

 

Regards

Rakesh

SDMcache Cleanup ...


Hello,

 

I am pretty new with LANDesk, and I was wondering how and why the SDMcache folder (C:\Program Files\LANDesk\LDClient\sdmcache\) is not cleaned after the security and patch management.

 

I've now some workstations with 1 GB of cached packages, and this space should be released.

I am using the Management Suite 8.7 SP5, and until now, I've not been lucky on Google to answer this !

 

Any help is welcome !

 

Eric


Security scan fails to download some patches


When I run a security scan, it fails to run certain installers.

 

 

Last status:
2 patches were found to run
Last status: Done.  2 patches were found
Last status: Failed
Download Failure: Error 80004005 downloading http://CORESERVER/LDLogon/patch/skypesetupfull5.6.0.110.exe
Last status: Failed: Could not download http://CORESERVER/LDLogon/patch/skypesetupfull5.6.0.110.exe
Sending status to core
In SendRequest: Action = SOAPAction: "http://tempuri.org/SetPatchInstallStatus"
Wed, 01 Feb 2012 16:36:32 SendRequest: SOAPAction: "http://tempuri.org/SetPatchInstallStatus"
Wed, 01 Feb 2012 16:36:34 Success

 

 

 

 

Last status:

 

Last status: Done

Wed, 01 Feb 2012 16:36:35 Performing TCP connection with a timeout of -1 milliseconds

Wed, 01 Feb 2012 16:36:37 Performing TCP connection with a timeout of -1 milliseconds

Wed, 01 Feb 2012 16:36:39 Performing TCP connection with a timeout of -1 milliseconds

Wed, 01 Feb 2012 16:36:41 Performing TCP connection with a timeout of -1 milliseconds

Wed, 01 Feb 2012 16:36:42 Performing TCP connection with a timeout of -1 milliseconds

Downloading http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe

Failed to download http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe.  Error code 1

Last status: Failed

Download Failure: Error 80004005 downloading http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe

Last status: Failed: Could not download http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe

Sending status to core

In SendRequest: Action = SOAPAction: "http://tempuri.org/SetPatchInstallStatus"

 

 

Wed, 01 Feb 2012 16:36:44 SendRequest: SOAPAction: "http://tempuri.org/SetPatchInstallStatus"

 

 

 

 

However other updates run, such as adobe reader x or firefox 9.0.1 correctly downloads and installs.  All the install files are in the same patch repository.  I don't understand why it would update firefox from 8.0.1 to 9.0.1 but not to 10.0.

KB... does not apply, or is blocked by another condition on your computer.


Hi,

 

I have a LANDesk 9 SP3 core server and the agents are on SP3 too.

 

I have a lot of patches, especially .NET patches (ndp*****.exe), that are detected by LANDesk but the installation failed.

When I try to install it by hand I get the following message:

-     KB***** does not apply, or is blocked by another condition on your computer.

          With this message I tried to shut down all the apps that run on the server and reinstall it. I got the same message.

 

Here are some patches that are detected by LANDesk but cannot be installed on the system:

MS11-100

MS11-044

MS11-066

MS12-016

...

 

I think that the problem comes from the detection process for these patches!

 

Do you also have these problems? And have you found a solution to avoid it?

 

Big Thanks !

Basic questions with Patch Management


Hello, I apologize for the basic nature of my questions and confusion, but I have been reviewing the manual and documentation and also viewing as many videos as I can find to watch.  However, I'm afraid after 2 weeks, I still have some basic questions and confusion.

 

We have recently purchased LANDesk 9.6 and I was asked to look into the Patch Management piece.  I've picked up some (very) basic knowledge in my efforts to learn, but have hit a bit of a stumbling block to continue learning and am at a point I need to show my lack of understanding of this product and ask for help.

 

My understanding is that in the Patch and Compliance area, after you download the updates, they are placed into the "\Unassigned" folder.  Then it is up to me to figure out what to do with them.  To get the vulnerability scan (vulscan.exe) to check if these updates are needed on our workstations, I must copy the desired updates into the "\Scan" folder.  And vulscan.exe will ONLY check the workstations for the updates in this \Scan folder.

 

I have many questions and items that are confusing to me in LANDesk, but my initial question & confusion is 'Which of the thousands of updates that were downloaded should I copy to the \Scan folder?'  Now I realized the obvious answer is "You dummy, copy the ones you want to scan for!", but that is the problem.  I don't understand how LANDesk is doing this check.  In my mind it should simply check for "Adobe Reader", yet there are numerous 'versions' of Adobe Reader updates that get downloaded and I don't understand why, and more importantly, how these different versions are used.

 

In a specific example, my questions and confusion are below.  Thank you for any help or pointers that will get this beginner past this initial hurdle.

 

  1. We have thousands of computers and they all have Adobe Reader installed.  There are many updates downloaded that are listed for Adobe Reader and various versions.  Do I ONLY need to copy the very latest Adobe Reader update into the \Scan folder?  (i.e. - Adobe Reader 11.0.10)  If I do that and a machine has Adobe Reader 9 or 10, will the fact that I copied just the Reader 11 update show those workstations as needing an update?
  2. Also, there are currently 3 different updates that were downloaded for Adobe Reader v11.0.10.  Why, and which one should I copy to the \Scan folder?  (We don't want to be scanning for unnecessary things.)  This occurs with other products too where there are multiple items referencing the same version that were downloaded.  I guess I'm having a mental block as to why LANDesk does this?  I don't want to take a shotgun approach and just put "everything" in the \Scan folder, but how do I know which of the Adobe Reader (or JAVA, Flash Player, etc.) items are truly needed?
  3. How does vulscan.exe flag what the 'fix' is?  In other words, I have machines with Adobe Reader v9.  Is LANDesk going to install the most current version as the fix?  (i.e. - LANDesk will tell me the fix for computers with Adobe Reader 9 is to install Adobe Reader 11.0.10.)  If so, how do we control versioning?  Because we actually have some computers that require a specific version of Adobe Reader 9.  Thus, if LANDesk says those computers are vulnerable, how can you ensure that the 'fix' for those computers is to simply install the latest Adobe Reader 9 version, which is 9.5.5, and do NOT 'fix' them by installing Adobe Reader 11.0.10?
  4. And finally, what if a machine did NOT have Adobe Reader installed?  Can I perform an installation of that product via LANDesk Patch Management?


    Keith Hemmelman

Powershell in custom definition


Hi,

 

I am writing a custom definition to upgrade software but am having issues with PowerShell running something.  I am getting:

Command Interpreter running

Content filename: 'FsecureUninstall.ps1'

Writing script content to file 'C:\Windows\TEMP\FsecureUninstall.ps1' starting at line 5

Launching external script processor: <powershell.exe>

args: <-executionpolicy bypass C:\Windows\TEMP\FsecureUninstall.ps1>

External timeout: 60

returned: 259

Stdout:

 

Message returned from repair script was External application 'powershell.exe' returned 259 and provided no message

ERROR(RunVbScript) Failed to run command  - 80004005

DownloadPatch ERROR: Failed to run commands (80004005).

Last status: Failed

 

The powershell script is very simple:

EXTERNAL APPLICATION

exe=powershell.exe

args=-executionpolicy bypass %filename%

filename=FsecureUninstall.ps1

 

(Start-Process -FilePath "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\patch\FsecureUninstallTool\UninstallationTool.exe" -ArgumentList "--noreboot --NOGUI" -Wait -Passthru -NoNewWindow)

 

It works on some hosts but not others.  I can't find anything on the (presumed error code) 259.  Anyone know if this is a LANDesk thing or a powershell thing?

 

Thanks,

Brad

Patch Management using preferred Server


Hi,

I want to do patch management on a slower link (64k, 128K). I want to use a preferred server. Can someone send me a documented process for the same?

LD9.6 SP1 - Patch fails - error 412


We are new to LANDesk and are running v9.6 SP1.  We're attempting a fairly simple repair task to update the FileZilla program to the most current.  When running the task, it fails on all 401 computers it is attempting to patch.  The error code being displayed is 412, which I looked for info on it and it simply states "All Patches Failed" and doesn't offer any useful information on why it failed.

 

This seems to be a simple task to run and I believe we have it set up correctly, but apparently we are missing something.  Are there others out there that have run into this error 412 and are there some known things to look at to correct this problem?

LANDesk Patches fail


LD 9.5 sp3

 

I have one server that is failing on applying patches via LANDesk.   When using Microsoft Update, all patches apply and the server is clean (verified with our internal Nessus tools).   However 10 recent patches fail and show failed when LANDesk attempts to patch.  The patches are identified through vulscan.

 

We thought this might be due to IE Enhanced Security Configuration (Server 2008r2) which was turned on by accident, but that makes no difference.

 

If I browse to the patches on the LANDesk server and attempt to apply, a message shows that the patch is either not needed or does not apply to this server.

 

Which log file will show me details on why the patches failed?   Anyone else see something like this?   Any suggestions?

 

Thanks


not able to push landesk 9.6 agent


I have pushed the agent to new machines, I am not getting any error.

What are best practices maintaining a consistent LANDesk patch management structure across 2 core servers?


 

What are best practices maintaining a consistent LANDesk patch management structure across 2 core servers?

 

In our environment we have 2 core servers, one for the East one for the West then a rollup server. We have been told in the past that we cannot use a rollup server for LANDesk patch management in the 9.5 release. LANDesk phone support didn’t have clear answers on this but ultimately I was told it couldn’t be done in 9.5. I would like to know is that really true in the 9.6 release?

 

Second question would be if this is true and there is no way to manage this from one central location then administration is a bit of a nightmare. Currently we have a separate administrator in the East and from the reports I am generating our patch levels are very inconsistent.

 

Not really worth describing how we are setup because I will change it shortly but here is how I am thinking we should be setup. Computers should scan for all vulnerabilities and not necessarily for items in a patch group like we currently are doing. All detected should be looked over and put in a pilot group first and then deployment group after tested. So now we are maintaining 2 groups in each location and the “Do Not Scan”, “unassigned” and scan groups. So how would I keep consistency in these groups in the most efficient manner? Should I export and import the groups every month? Even if I did that there would be inconsistencies in the “unassigned” and “do not scan” group. How would I keep them consistent? The margin of human error is very large especially with a language barrier.

 

We had been pulling reports from WSUS which were showing how badly patched the East is and the West isn’t bad however there are a few patches that need to be manually reconciled with WSUS. Apparently a few patches got declined that should not have been.  Anyone know the most effective way in reconciling this? If you do a search for the KB article number LANDesk typically returns nothing which is another source of frustration. What would be a good way to solve all these problems and make this product easier to use? Our current methods surely aren’t consistent with the set it and forget it email I received a few weeks ago regarding patch management and I would like to get back on track.

 

Agent Health not working after applying sustaining hotfix 2015-0812F


Has anyone got this working? I followed the instructions at Agent Health - Install / Uninstall, Update and Repair the Agent components but have had no luck. The information returned from a security and patch scan for a device states the reason as "No affected products found on computer". I ran "sc delete ISSUSER" and also renamed "issuser.exe" for my testing. My expectation was that remote control would be repaired after following the instructions to test agent health.

 

 

Message was edited by: Charles Tank I was able to get this to work by modifying the LANDesk related patches. Attached is the resulting .ldms file.

 

Message was edited by: Charles Tank Update: While agent health is working to remediate agent components, it does not appear to work to remediate behaviors.

Windows patch not updating (KB3046002)


I am trying to install the Windows patches released on 12/5/2015, but a few of the KBs are not getting installed, giving errors like C:\Windows\System32\wusa.exe returned failure exit code (2147746132) / failed to launch C:\windows\system32\wusa.exe error code 0x80070013, and others the same with different error codes.

LD.jpg

I tried manual installation of the same but no joy; even rebooting the machine didn't make it successful. Below are the attached errors when installing and troubleshooting the patch manually.

error.pngerror3.png

Please help me with this as it's an issue with many of my devices, but the same patch worked on a few devices.

Thanks,
Praveen

Printer drivers showing up in PendingFileRenameOperations causing LANDesk reboot flags


Hello all,

 

I have been updating printer drivers on our print servers and I have been noticing lately that many of our end user clients are receiving reboot prompts as LANDesk sees the PendingFileRenameOperations registry entry. It appears that the new Lexmark C772 drivers are causing most of the events. When I reboot, the entry is cleared, but when I run a new vulscan the PendingFileRenameOperations entry appears and causes the reboot prompts. I do see some of the Xerox drivers causing the same issue as well. The registry entry is located here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

 

Just curious if anyone has had a similar experience.

 

Much appreciated,

 

Jason
