Manual-Updates

IvantiEndpoint ManagementPatching
Written By BOZ
Context -
This was designed to accommodate what I will call mission critical systems / highly available / etc. The kind of servers whose downtime is an unknown. Its based off of production or lack thereof. It puts the power of patching in the application owners hand.
— Oz

posted Apr 17, 2018, 11:06 AM 

The following process will allow you to Manually Scan, Deploy  and or Preview Updates for the PilotCurrent Month, Past Due, and On Hold distributions.  Why is this necessary you ask?  This is for that 10-20% that cannot afford an interruption on a scheduled basis.  Production or lack thereof dictates a maintenance window.  The process is fairly simple so lets get started.

Preview

Before an actual Deployment you do have the option of doing what’s called a Preview.  This will Scan and display a listing of updates that were Detected.  It will NOT however install any updates .  Think of a scenario where an application owner has concerns about some updates breaking production, etc.  The Preview affords them the option to identify these applicable updates.  The application owner can then in turn review these updates using the Updates sheet.  An example is shown below. This is taken from a SQL query / export.

2020-05-14_14-43-10.png

Selecting the appropriate Sheet / link in the More Info URL column will allow u to review any potential Known Issues with the associated update.  As we can see below there is the possibility of a Memory Leak when installing KB4019213.

2020-05-14_14-44-02.png

Depending on what you are trying to achieve, you have 4 Preview options available to you.  Pilot (Only available the 2nd Wednesday-Thursday of the month) / Current Month / Past Due / On Hold.  Below are the commands you can use:

  • Pilot (Only available 2nd Wednesday-Thursday of the Month) - Create a shortcut using the following parameters:"C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe" /AgentBehavior=HSV1SECIVAW01_v4893 /ShowUI /AllowUserCancelScan /AutoCloseTimeout=5400 /ob:RebootBehavior=HSV1SECIVAW01_v4894

  • Current Month - Create a shortcut using the following parameters:"C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe" /AgentBehavior=HSV1SECIVAW01_v4734 /ShowUI /AllowUserCancelScan /AutoCloseTimeout=5400 /ob:RebootBehavior=HSV1SECIVAW01_v4527Past Due - Create a shortcut using the following parameters:"C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe" /AgentBehavior=HSV1SECIVAW01_v4749 /ShowUI /AllowUserCancelScan /AutoCloseTimeout=5400 /ob:RebootBehavior=HSV1SECIVAW01_v4706 

  • On Hold - Create a shortcut using the following parameters:"C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe" /AgentBehavior=HSV1SECIVAW01_v8426 /ShowUI /AllowUserCancelScan /AutoCloseTimeout=5400 /ob:RebootBehavior=HSV1SECIVAW01_v8428

The following illustration is what u can expect to see.  A 90 minute countdown follows.

AMD-FPS-W2K8R2 - Remote Desktop Connection Manager v2.7 2018-04-20 11.58.51.png

Deployment

1.  Depending on what you are trying to achieve, you have 4 Deployment options available to you.  Pilot (Only available the 2nd Wednesday-Thursday of the month / Current Month / Past Due / On Hold.  For a complete listing of what each of these commands scan against, you can reference the updates sheet mentioned earlier..  Either of these options will most likely require a Restart so Plan Ahead!  Below are the commands you can use for a Deployment.

  • Pilot (Only available 2nd Wednesday-Thursday of the Month) - Create a shortcut using the following parameters:"C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe" /AgentBehavior=HSV1SECIVAW01_v8429 /ShowUI /AllowUserCancelScan /AutoCloseTimeout=5400 /ob:RebootBehavior=HSV1SECIVAW01_v4894

  • Current Month - Create a shortcut using the following parameters:"C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe" /AgentBehavior=HSV1SECIVAW01_v4525 /ShowUI /AllowUserCancelScan /AutoCloseTimeout=300 /ob:RebootBehavior=HSV1SECIVAW01_v4527

  • Past Due - Create a shortcut using the following parameters:"C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe" /AgentBehavior=HSV1SECIVAW01_v4707 /ShowUI /AllowUserCancelScan /AutoCloseTimeout=300 /ob:RebootBehavior=HSV1SECIVAW01_v4706 (WARNING - This scans for and applies All UPDATES that have passed through Pilot and Current so if there is any RISK do your research and proceed WITH CAUTION.) 

  • On Hold - Create a shortcut using the following parameters:"C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe" /AgentBehavior=HSV1SECIVAW01_v8430 /ShowUI /AllowUserCancelScan /AutoCloseTimeout=5400 /ob:RebootBehavior=HSV1SECIVAW01_v8428 (WARNING - This scans for updates deemed Potentially Disruptive so if there is any RISK do your research and proceed WITH CAUTION.) 

2. Save to your Desktop (Or wherever you like).

3. Execute the shortcut (at a time your prepared to potentially restart).  Upon doing so u should see a graphic similar to the one below.  

AMD-FPS-W2K8R2 - Remote Desktop Connection Manager v2.7 2018-04-17 10.52.08.png

4.  This will check in with the Core server and determine what Updates are missing, then present a Prompt for u to install them.  If after 15 minutes u have not made a selection the Installation will initiate.

AMD-FPS-W2K8R2 - Remote Desktop Connection Manager v2.7 2018-04-17 10.50.25.png

5.  Once the installation has completed; if a Restart is required, u will see the following Prompt.  If after 20 minutes u have not made a selection the Restart will initiate.

AMD-FPS-W2K8R2 - Remote Desktop Connection Manager v2.7 2018-04-17 10.52.41.png

That's pretty much all there is to it.  Like I said its a fairly simple but powerful process.  This puts the power back in the Owners hand, makes the deployment On-Demand at a time of their choosing.  Once you start factoring in High End / Mission Critical systems to the business, then the need for this starts to make much more sense.  

FAQ

  • Q - I would like to be able to remotely execute these scripts, can u show me the way?

    • A - invoke-command -ComputerName <Name> -ScriptBlock {start-process -filepath "C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe" -argumentlist '/AgentBehavior=HSV1SECIVAW01_v4707','/AllowUserCancelScan','/AutoCloseTimeout=300','/ob:RebootBehavior=HSV1SECIVAW01_v4706' -wait}

    • Change the -argumentlist to reflect the scan u want. I have removed the /showui option since it is not necessary. 

    • Be sure u have proper permissions to the remote system

  • Q - Each time I run the command  I see the following brief message and the process disappears.

2019-04-12_16-41-34.png

  • A - This behavior is due to the highlighted message above.  Actions (installation and restart) have been Deferred until the assigned Maintenance Window.  This can be Overridden by inserting "/maintEnable=false" into the command line as shown in the example below.  Just remember you will typically have a restart so plan accordingly. 

"C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe" /AgentBehavior=HSV1SECIVAW01_v4525 /ShowUI /AllowUserCancelScan /AutoCloseTimeout=300 /maintEnable=false  /ob:RebootBehavior=HSV1SECIVAW01_v4527

  • Q - What if I would like to provide this shortcut to home users, and how would this work across the CSA?

  • A - 

    • Current - "C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe" /AgentBehavior=HSV1SECIVAW01_v24394 /ShowUI /AllowUserCancelScan /AutoCloseTimeout=300 /ob:RebootBehavior=HSV1SECIVAW01_v24392

    • Past Due - "C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe" /AgentBehavior=HSV1SECIVAW01_v24408 /ShowUI /AllowUserCancelScan /AutoCloseTimeout=300 /ob:RebootBehavior=HSV1SECIVAW01_v24410

BOZ
Previous

Windows 10 Professional 1803 Upgrade
Next

Vulnerability Scan Remediation’s