When i run a security scan, it fails to run certain installers.

Last status:

Last status: Done

Wed, 01 Feb 2012 16:36:35 Performing TCP connection with a timeout of -1 milliseconds

Wed, 01 Feb 2012 16:36:37 Performing TCP connection with a timeout of -1 milliseconds

Wed, 01 Feb 2012 16:36:39 Performing TCP connection with a timeout of -1 milliseconds

Wed, 01 Feb 2012 16:36:41 Performing TCP connection with a timeout of -1 milliseconds

Wed, 01 Feb 2012 16:36:42 Performing TCP connection with a timeout of -1 milliseconds

Downloading http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe

Failed to download http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe.  Error code 1

Last status: Failed

Download Failure: Error 80004005 downloading http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe

Last status: Failed: Could not download http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe

Sending status to core

In SendRequest: Action = SOAPAction: "http://tempuri.org/SetPatchInstallStatus"

Wed, 01 Feb 2012 16:36:44 SendRequest: SOAPAction: "http://tempuri.org/SetPatchInstallStatus"

However other updates run, such as adobe reader x or firefox 9.0.1 correctly downloads and installs.  All the install files are in the same patch repository.  I don't understand why it would update firefox from 8.0.1 to 9.0.1 but not to 10.0.

Hello,

I have a problem on my client LanDesk

LanDesk is setup as a client on my server (Windows 2003 R2) and in the windows "Task Manager" there are 10 processes "vulscan.exe" that take almost 100% of the CPU !!

On the server there is local schedule task for vulscan :

vulscan.exe /norepair /noreboot

handle : 5556

Start : .............

freq : 86400

Filter : autodelay state : not ready Min: 0 Max=60

Do you know what I need to modify/to limit the number of vulscan.exe processes on the server ?

Thanks in advance for your help

Regards,

Noob question as I'm just switching over from WSUS to Landesk 9.0SP3 for client patch management. I've gone through numerous documents explaining patching, all of which cover the 9.0 SP1 or older version and don't explain what the 3 folders ("Replaced", "Paritally replaced" and "Replacement not Enabled Folders") under the Scan folder do.

Specifically, am I supposed to be moving patches around in these folders or are they positioned there by Landesk?

Also, when I grab patches to put into my custom group folders to create my repair (patch) task, am I copying the patches just from the "Scan" folder or do I also have to grab them individually also from the 3 subfolders too?.

I think I've got the rest down, these folders just make me wonder as they're not mentioned in the documents I've gone through. Searching the forums I wasn't able to find anything useful on them as well.

Thanks

Pete

Landesk 9.6 SP2, this used to work just fine but it was maybe after an update that it stopped working? I'm not entirely sure. I can't connect using any of the patch servers. Small part of the error log below. Note that I can navigate to the file in IE and download it just fine. Same error for every single file it tries to download

06/12/2015 06:00:34 INFO  17552:1     : Downloading Latitude_E6400.xml (0 KB)...

06/12/2015 06:00:35 INFO  17552:LoadingPatchSources : GetStreamForPath http://downloads.dell.com/FOLDER02045533M/1/E6400-VISTA-A03-RW93N.CAB failed The underlying connection was closed: An unexpected error occurred on a receive.

06/12/2015 06:00:36 INFO  17552:LoadingPatchSources : GetStreamForPath http://downloads.dell.com/FOLDER02045533M/1/E6400-VISTA-A03-RW93N.CAB failed The underlying connection was closed: An unexpected error occurred on a receive.

06/12/2015 06:00:36 INFO  17552:1     : Failed to download file E6400-vista-A03-RW93N.CAB

06/12/2015 06:00:36 INFO  17552:1     : Connection to http://downloads.dell.com/FOLDER02045533M/1/E6400-VISTA-A03-RW93N.CAB failed. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

Proxy settings: Not using a proxy server.

06/12/2015 06:00:36 INFO  17552:1     : Failed to download E6400-vista-A03-RW93N.CAB.

06/12/2015 06:00:36 INFO  17552:LoadingPatchSources : GetStreamForPath http://downloads.dell.com/FOLDER02067077M/1/E6400-XP-A09-R60F7.CAB failed The underlying connection was closed: An unexpected error occurred on a receive.

06/12/2015 06:00:37 INFO  17552:LoadingPatchSources : GetStreamForPath http://downloads.dell.com/FOLDER02067077M/1/E6400-XP-A09-R60F7.CAB failed The underlying connection was closed: An unexpected error occurred on a receive.

06/12/2015 06:00:37 INFO  17552:1     : Failed to download file E6400-xp-A09-R60F7.CAB

06/12/2015 06:00:37 INFO  17552:1     : Connection to http://downloads.dell.com/FOLDER02067077M/1/E6400-XP-A09-R60F7.CAB failed. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

Proxy settings: Not using a proxy server.

We are trying to get one of our Windows 2003 Standard Server - x64 to patch through landesk but we can't get pass the Applying settings (the fourth step), it fails and then stops trying anything else.  It works fine on our 32 bit servers, but not our 64 bit servers.

Any ideas?

Thanks,

Michael

Why when I have this line :

Set WshShell = WScript.CreateObject("WScript.Shell")

in my script the Repair Task allways come back with ERROR 412

If this line is comment out It execute the script

The Script:

const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set WshShell = WScript.CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
'*********  MAIN  ****
On Error Resume Next
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Set Flog = fso.OpenTextFile("c:\temp\JavaAutoUpdate.txt", ForAppending, True)
Flog.WriteLine("To Turn Off Java Auto UPdate")

WshShell.Regdelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched"
Flog.WriteLine("After Regdelete")
ReportRepairResult true, "Repair Sucessfull"

Vulscan Log:

Last status: Done.  1 patches were found
No patch download required for *CD-Java Maurice Test_Remove Java Auto Updater
Checking for other instances of scanner or software distribution agent
Last status: Waiting
Last status: Done
got mutex
Running patch *CD-Java Maurice Test_Remove Java Auto Updater
ShouldScan *CD-Java Maurice Test_Remove Java Auto Updater before repairing returned: 0

Command Interpreter running
ERROR.  Microsoft VBScript runtime error: Object required: 'WScript' (line: 9, char: 0, text: )
Message returned from repair script was Unexpected error in custom script source.  See agent log for details
ERROR(RunVbScript) Failed to run command  - 80004005
DownloadPatch ERROR: Failed to run commands (80004005).
Last status: Failed

While attempting to patch workstations I have one which appeared to fail on only Windows patches but Office, Adobe etc patched correctly. 

The error details are - Error:"C:\Windows\system32\wusa.exe" returned failure code exit (2149842967)

I have attached the vulscan log.

If anyone has any recommendations, please let me know!

Thank you for reading.

Jonathan

Hey All,

Is anyone in the process of rolling out IE11 yet and managed to deploy it via patch and compliance in an efficient way? I'm currently trying to figure out a way to minimise reboots to the end-user.  As it stands there are pre-reqs for IE11 (which I've already deployed to the fleet), then you can send out IE11 itself, then the computer needs to scan again and apply some IE11 patches, then it appears to do another set which had dependencies on the previous patches (all with a reboot in between).

My end result is just IE11 with Enterprise mode, so for Win 7 that is IE11 with KB2929437.  I'm attempting to not resort to packaging the rollout as vulscan reboot is much better but it's poor service to deliver a browser that isn't fully functional until another scan occurs, followed by more updates being applied (could be up to 3 days).

I already have a couple of ideas, one of which is I'm considering cloning the patch and bundling the two minimum requirements together but thought I'd open the discussion to the community for other opinions.

Thanks,

Stewart

Hallo,

um Patches in vielen kleinen entfernten Außenstellen effektiv verteilen zu können, habe ich mit der Inhaltsreplikations auf lokale NAS-Geräte begonnen.

Das war die Empfehlung durch den LANDesk-Spezialisten, der unseren Core-Server aufgesetzt hat.

Als Replikator dienen die lokalen Dateiserver.

Entsetzt musste ich nun feststellen, dass parallel zu den Verteilungs-Shares auf den NAS auch noch ein lokales Cache-Verzeichnis mit gleichem Inhalt auf der System-Laufwerk der Replikator-Server angelegt wird.

Das sind über 20GByte Daten in der Systempartition! Wie kann ich diese merkwürdige Konfiguration ändern?

LANDesk Management Suite 9.6

MfG

Frank Morgner

Hi,

I have a core server Landesk 9 SP3 et agent are on SP3 too.

I have a lot of patch especially .NET patch ( ndp*****.exe ) that are detected by landesk but the installation failed.

When I try to install it by hand I have the following message :

-     KB***** does not apply, or is blocked by another condition on your computer.

          With this message I try to shutdown all the appz that run on server et reintall it. I got the same message

Here's some patches that are detected by Landesk but cannot be installed on the system :

MS11-100

MS11-044

MS11-066

MS12-016

...

I think that the problem come with the process of detection for these patches !

Do you have also these problems ? and have you find a solution to avoid it ?

Big Thanks !

We want to use LANDesk for all of our patching needs.  However, when we push a patch out to a Windows 7 machine that requires a reboot, the-end user always gets the Windows Action Center message pop up that says "Windows can't update important files and services while the system is using them.  Make sure to save your files before restarting."  Windows then gives the end-user the options to "Restart now" or "Postpone" and "Remind me in:  (default is 10 minutes)."

At the same time, LANDesk Security and Compliance Manager also comes up (when all patching is complete) and tells the user a similar message (a message we CAN control in LANDesk). 

We want to be able to control what options the end-user has.  For example, we want to be able to give the user the option of deferring a maximum of 3 times for no more than 4 hours at a time.  After that, we want to just force the reboot.  The problem arrises, particularly, when the end-user sees the Windows message and just clicks "Restart now" before LANDesk (vulscan.exe) actually finishes doing it's thing in the background.  This results in the task failing to install all the patches.  On the flip side of that, we don't want the user to just be able to keep "Postponing" forever.  We only want to give them a limited number of deferrels.

Basically, we don't want Windows to interact with the user at all with regard to Windows updates.  We want to control it all via LANDesk and LANDesk only.

Here's what we've tried so far:

Under the Windows Action Center, turning off basically everything:

After that didn't work, we tried to modify the following Group Policies as follows:

So far, we've still been unable to stop the Windows message from popping up.  Can anyone help us?  I find it hard to believe that no one has done this before.

Also, I forgot to mention we are running LDMS 9.5.  Thanks!

Kenny

We've been noticing a Windows 7 bug documented in this KBase article:

http://support.microsoft.com/kb/2486635

The hotfix only comes in MSU form though, and I'm not aware of a way to add this in using the typical distribution packages frame within LanDesk. Should we open a Enhancement Request or can this be done from SWD?

Almost all of our T410s have this issue. It only happens if Bluetooth Service is being disabled (as per the kb article).

Thanks,

Doug

I've found something interesting regarding maintenance windows and the regular scheduled vulscan task and how it can, seemingly, blow out a pending continue task for a repair and replace it with a continue task that doesn't seem to do anything.

Here is the scenario:

• Regular scheduled scan set to run once per day and scan all vulnerabilities but not configured to repair.
• High frequency scan set to repair vulnerabilities in a specific custom group, also scheduled to run daily.
• Maintenance window configured for 4 AM - 7 AM.

If the high frequency scan runs after the scheduled scan everything works as expected, all vulnerabilities set to scan are scanned and reported detected as appropriate.  The high frequency scan runs and attempts to repair detected vulnerabilities in specific group however maintenance window prevents actual patch installs and only allows for patch downloads then sets a continue task to defer the repair.  During the maintenance window the continue task fires and patches are installed.

HOWEVER.... if the scheduled scan runs after the high frequency scan the continue task during the maintenance window instead does nothing.  It appears that the scheduled scan is setting a continue task and overwriting the continue task set by the high frequency scan which is causing patches to not install during the maintenance window.

For the moment I've worked around this by setting time restrictions on the two scans so that the repair scan always runs after the regular scan.  The issue I can see with this is that it's very likely this would also impact any scheduled repair tasks from the core that happen to fire after the maintenance window but before the scheduled scan and it doesn't seem like the regular scheduled scan should need to be overwriting the continue task like this since it shouldn't have anything to do during the maintenance window to defer.  This has happened more than once on multiple machines so it doesn't look like a case of the scan wanting to perform a reboot, for example, especially given that the continue task it generates does not reboot or do anything else that would need to run during a maintenance window that I can detect.

we are trying to measure the number of servers that are patched at the moment for a particular vulnerability but for some reason there is no trending data for the particular vulnerability and the status doesn't match the history.  I have attached a few screenshots for reference.

Anyone have any ideas?

Hi Guys,

We have Preferred servers setup within our LD environment however when I am patching devices on subnets where a preferred server is specified the client is still pulling the patch from the core.

Is anyone aware of this? If so is there a fix?

Thanks

We are looking at using LDMS 9.5 SP2 Patch Manager to patch our servers as well as our workstations.

However I can see no options within the agent or the scan and repair settings to enabel us to download updates and patches and then manually install them on the servers!

I am unsure if this is correct or not.  I would imagine there must be the option somewhere as I can't believe people allow LANDesk to automatically patch servers without any control or idea as to which patch may have broken something.

Even using pilot groups we would still need to be able to control the patch process so that we could identify if a patch had casued an issue or not.

Is this option available or is it a completley automated process in LANDesk?

How do others patch servers with LANDesk?

Rob.

Does anyone know of an easy way to stop one approved update, which happens to ba a Java update, rolling out to just one of our PC's?

We go through a pilot testing phase with our pathcing and one of our testers has an issue where he needs an older version of Java.

The update is fine for everyone else but I need to work out how to stop this one PC from getting hte new update.

Anyone any thoughts?

Rob

Hello All,

I've noticed several definitions for for various Landesk Agent components (shown below) and I'm a bit confused about what changes they make and how detection works for them.

There is no description within the properties for these definitions but I assume it simply installs these components if they are missing. Since I use several agents with varying settings, how does detection work? For instance, I've excluded Power Management from the majority of my agents and have it configured on only a certain few. If I ran a repair, would this end up detecting and installing this particular feature on the agents that don't have it configured?

On LD 9.6 SP1 client I'm seeing issues with ISSUSER.exe running at 100% of one core and sometimes faulting.

Once suggestion was to replace the jscript.v55 file, but that has not resolved the issue.

Looking at the application errors  in the diagnostic data in inventory I'm seeing the following

So it appears the LIBEAY32MT.dll is where it's faulting at with an exception code of c0000005

Any advice?

Has anyone got this working? I followed the instructions at Agent Health - Install / Uninstall, Update and Repair the Agent components but have had no luck. The information returned from a security and patch scan for a device states the reason as "No affected products found on computer". I ran "sc delete ISSUSER" and also renamed "issuser.exe" for my testing. My expectation was that remote control would be repaired after following the instructions to test agent health.

Message was edited by: Charles Tank I was able to get this to work by modifying the LANDesk related patches. Attached is the resulting .ldms file.

Message was edited by: Charles Tank Update: While agent health is working to remediate agent components, it does not appear to work to remediate behaviors.

Message was edited by: Charles Tank I was finally able to get the behaviors to work with agent health.  The  problem was with one of the behaviors. It is important to note that if you are trying to enforce multiple behaviors and one of them is not setup correctly, none of the other behaviors will get updated or set as expected.