Question

How can I remotely view processes running on a client from the Windows Command Line without using the LDMS Diagnostics tool?

• This is useful if you cannot remote into the machine for any reason and you don't want to rely on the Diagnostics tool built into the LDMS console.

Answer

Start by opening an administrative command prompt

• Enter tasklist /s "machine_IP" /u "username"

• When you press Enter, it should ask you for the password of the account you are attempting to use

• This will allow you to remotely view the running processes on a remote machine to assist in troubleshooting certain LANDesk functions (sdclient, vulscan, etc...)

• To kill a process, select the PID from the list of running processes. For this example, I will kill taskmgr.exe on the remote machine. To do this, I will modify the command I am using to taskkill /s "machine_IP" /u "username" /IM "PID or executable name"

• When you hit Enter, you may be prompted for the password for the account you are using. If so, please enter it and hit Enter. You should then see confirmation that the process is terminated.

• To verify, run the command Tasklist /s "machine_IP" /u "username" against the machine again to verify that the task has been terminated.

Introduction

Best known methods are only intended to be a starting point while finding what works best in any given environment. This guide will assist Ivanti Administrators with creating a software distribution package for Microsoft Office 365 Click-to-Run and deploying it with Ivanti EPM. When distributing Microsoft Office to multiple computers it is important to obtain the volume license for that product version. This document does not make reference to volume licensing.  For more information on Microsoft Volume licensing please go direct with Microsoft.

Installing Office 365 Click-to-Run

Download Office Deployment Tool (ODT) to a Network Share

There are (2) Deployment tools available. If you are managing Office 2016 product please use the 2016 version. For this example, the 2013 version was used.

• ODT_2013 Click-to-Run
• Office_2016 Deployment Tool
  

• The server this Network share is on does not have to be your Ivanti EPM Core server as long it has the correct NTFS and Share permissions. If you elect to use a server other than your Ivanti EPM Core you will need to ensure you have that server configured as an Ivanti EPM Preferred Server  (How to configure a Preferred Package Server)

For this example, the Core's LDLogon share was used and I created an Office sub-folder.

Run the Executable

• Run the downloaded .exe file as an administrator. The process will create a setup.exe and a configuration.xml

Customize the Configuration.xml

• Microsoft now offers a Configuration XML Editor which presents you with a GUI assisting in the creation of the xml file.

Below is an example of what the Configuration file will look. You can modify the attributes to your liking through the Configuration XML Editor tool or by manually editing the file.

<Configuration>     <Add SourcePath="\\share_server_name\share_folder" OfficeClientEdition="32" >          <Product ID="O365ProPlusRetail">                <Language ID="en-us" />          <Product ID="VisioProRetail">                <Language ID="en-us" />          </Product>  </Add><Updates Enabled="TRUE" UpdatePath="\\share_server_name\share_folder" /><Display Level="Full" AcceptEULA="TRUE" /><Logging Level="Standard" Path="%temp%" /><Property  Name="AUTOACTIVATE" Value="1" /></Configuration>    

Execute the Setup File

Now that your configuration xml file has been completed, open up an admin command prompt, navigate to your share and run the following:

setup.exe /download configuration.xml

This creates an "Office" folder with all the required files to complete your install.

Installing via Batch Distribution Package

• Create a batch file with the following command and save it to your share:

\\server_name\share_name\setup.exe /configure \\server_name\share_name\configuration.xml

   

Create Batch Distribution Package

• Create a distribution package to point to your batch file and distribute it out to your targets.

Installing via Executable Distribution Package

• Create a distribution package to point to the setup.exe file located in your share location.

• Select Install/Uninstall options and add the following command line switches:

/Configure configuration.xml

• Select Additional files, navigate to your share location and add the configuration.xml file and your Office folder to the additional files list.

• You can now Save your Executable package and schedule it out to your desired targets.

Related Articles:

• Ivanti Endpoint Manager and Endpoint Security - Software Distribution Landing Page

Overview

The purpose of this document is to outline how Bandwidth Throttling works in Ivanti EPM and to identify which network type is being used. In efforts to increase efficiency and be less network intrusive, Ivanti EPM utilizes a Burst/Sleep cycle which prevents total consumption of the network. The information contained in this document is intended for the advanced Ivanti Administrator but is comprehensible and advantageous for administrators at all levels to be aware of. This information is applicable to the design process for the 9.6 Management Suite version and newer.

Bandwidth Download  Routes

                                                                Click image for full size

When a client makes a file request, a broadcast message is sent over the network, asking "Who has what I'm looking for?" If the file is found on the peer or if the distribution is using multicast, the Local Area Network (LAN) bandwidth will be used. If the file is found on the preferred server or source, the Wide Area Network (WAN) bandwidth will be used.

Configuration Location

To set the total available bandwidth percentage used when data transmissions take place, navigate to the desired Distribution and Patch agent setting and adjust the bandwidth accordingly:

Tools | Configuration | Agent Settings | Distribution and Patch

• Right-click, select properties | Network settings

                                        Click image for full size

Burst/Sleep Cycle  Formula

Data transmissions are restricted to an Ivanti EPM block size of 1418-Bytes. These transmissions are predicated on a percentage of the available network bandwidth, not total network bandwidth.  Data transmissions (in relationship to file downloading) are sent on Burst/Sleep cycles. The burst equates to the amount of time it takes the "sender" to transmit a block of data. Sleep equates to the amount of time the "requester" will rest. All of this is based on the bandwidth configuration you set in your Distribution and Patch agent settings.

Bandwidth Throttling

                                                                Click image for full size

The bandwidth percentage is directly related to the number of packets sent per burst. For each percentage of bandwidth, 4 packet will be sent per burst.

For information regarding download failures please reference How to troubleshoot Download Failures in Software Distribution (Advanced)

This procedure can be used to set up a web repository with anonymous access for software distribution/Preferred Server using IIS 7.5

1. Start > Administrative Tools > Internet Information Services (IIS) Manager
2. Server name > sites, then right click the "Default Web Site" > "Add virtual directory" and fill in the name and the path to the directory to be shared
3. After the virtual directory appears under the Default web site tree, right click on it > edit permissions > Security > edit
4. Add:  the local IUSR, ANONYMOUS LOGON and NETWORK SERVICE they need at least "Read" and "List folder contents" rights
5. Switch to feature view, in the central pane double click "directory browsing" and click "enable" under the action pane on the right   (Be sure your newly created virtual directory is highlighted)
6. In Features View, double-click Authentication > On the Authentication page, select Anonymous Authentication.
7. In the Actions pane, click Edit to set the security principal under which anonymous users will connect to the site.
8. In the Edit Anonymous Authentication Credentials dialog box, select one of the following options:

•   Specific user, ( IUSR )
• Application pool identity, if you want IIS processes to run by using the account that is currently specified on the property page for the application pool. By default, this is the Network Service account.

If you are using IIS 7, please visit: HTTP Repository for SWD in IIS7

Please also review this document: How To: Distribute Software via CSA

Distribution and Patch Agent Settings

To adjust the frequency in which failed policies retry navigate to the following location:

Tools | Configuration | Agent Settings | Distribution ad Patch

  

Double-click or right-click and select properties on the desired Distribution and Patch Agent Setting. From this interface, under General Settings select Policy sync schedule:

*Note this is only applicable to REQUIRED policies, an optional or recommended policy will not follow this logic.

What is read in order for policy sync to know, "I failed and I need to retry"?

All client policy files are accompanied by a status file (.stat) contained in the following directory:

Programdata\landesk\policies 

The status file is not downloaded but created by policysync.exe. The status file is dynamically updated as sdclient.exe processes the client policy xml file. Upon process termination, the final result is written to the status file outlining the return code. If the return code value equates to a failure the policy file will be re-tried as dictated by the retry interval.The Status attribute in the .stat file will show 5 if failed, 4 if successful.

Example successful status file:

<?xml version="1.0" encoding="utf-8"?><PolicyStatusInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><TaskIdn>1054</TaskIdn><DownloadPercentage>0</DownloadPercentage><TotalDownloadSize>4203840</TotalDownloadSize><Status>4</Status><Result/><ReturnCode>229965824</ReturnCode><CurrentInstallingPackage>1</CurrentInstallingPackage><LastRunTime>1466182576</LastRunTime><Deferrals>0</Deferrals></PolicyStatusInfo>   

Example of a failed status file:

<?xml version="1.0" encoding="utf-8"?><PolicyStatusInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><TaskIdn>2070</TaskIdn><DownloadPercentage>0</DownloadPercentage><TotalDownloadSize>73</TotalDownloadSize><Status>5</Status><Result/><ReturnCode>1917512813</ReturnCode><CurrentInstallingPackage>1</CurrentInstallingPackage><LastRunTime>1466687545</LastRunTime><Deferrals>0</Deferrals></PolicyStatusInfo>   

Please reference  How to Interpret Client Policy .Stat file Status Codes to decipher the return codes.

There are a large number of ways to configure Ivanti EPM Content Replication to meet a variety of needs. Some examples of how Content Replication can be used are listed below. These are not necessarily in-use in a production environment nor specifically supported by Ivanti They are intended as ideas or starting points to create a Content Replication configuration to meet your needs.

For more information on Content Replication and Preferred servers see: How to use Ivanti EPM Content Replication

Single - Simple Replication

This scenario involves a single Source, Preferred server, and Replicator each configured as a separate device. This could be used when to locations are connected by a decent link, or simply to reduce traffic to the Source.

New Scenarios

If you have a Scenario that you have used and would like to share, please send me a private message with details and I will try to get it added here.

Issue

You are trying to deploy a package or advanceAgent (How do you deploy an Advance Agent with Peer Only checked? )  with a delivery method configured for peer download only and deployment fails.

• Standard networking test (telnet, netstat..) reveals no issue

When you look at the Tmcclnt.xlg log file (How To: Enable XTrace Diagnostic Logging for the Ivanti EPM Core and Clients ), you observe that your target machine 172.30.100.142 has found no peers.

dmcdll.cpp 3715 SAD Received file discovery reply for landesk_packages_common\Test\test.cmd, curSize=0, state=DownloadDiscovery, from 172.30.100.142
02/13/2014 13:37:03.250 6820 5016 McastReplySocket.cpp 885 172.30.100.142 IS our address
02/13/2014 13:37:03.250 6820 5016 sdmcdll.cpp 3914 Best is still DownloadDiscovery, but we were first to hear about this file, so putting ourselves as best connection
02/13/2014 13:37:03.250 6820 5016 sdmcdll.cpp 3926 SAD replacing best client with 172.30.100.142
02/13/2014 13:37:03.718 6820 6592 McastReplySocket.cpp 885 172.30.100.142 IS our address
02/13/2014 13:37:03.718 6820 6592 subnetawaredownloadtmcclient.cpp 220 Processing SDM_MT_SAD_NEED_FILE_REQUEST: bestClient (IpAddr=172.30.100.142, fileSize=0,fileState=DownloadDiscovery), curFileSize=0
02/13/2014 13:37:03.718 6820 6592 McastReplySocket.cpp 885 172.30.100.142 IS our address
02/13/2014 13:37:03.718 6820 6592 subnetawaredownloadtmcclient.cpp 262 Processing SDM_MT_SAD_NEED_FILE_REQUEST: just set state to DownloadingSource
02/13/2014 13:37:03.718 6820 6592 subnetawaredownloadtmcclient.cpp 288 Processing SDM_MT_SAD_NEED_FILE_REQUEST: about to send response for landesk_packages_common\Test\test.cmd, command=DownloadFromSource, ipaddr = 172.30.100.142
02/13/2014 13:37:03.734 6820 6592 subnetawaredownload.cpp 347 Leaving RunDownloadReceiveLoop
02/13/2014 13:37:03.750 6820 2212 subnetawaredownload.cpp 377 RunDownloadSendLoop: about to set event that we are finished with the threads
02/13/2014 13:37:03.750 6820 6592 sdmcdll.cpp 1450 SAD 1907048977: #End, Subnet aware download has completed.
02/13/2014 13:37:03.750 6820 2212 subnetawaredownload.cpp 379 Leaving RunDownloadSendLoop
02/13/2014 13:37:03.750 6820 2212 sdmcdll.cpp 1480 SAD 876: #End, sending Subnet aware download has completed.

Cause

Traffic is blocked for peer download

Resolution

Clear box in the agent settings " client connectivity " or adjust accordingly

How to

How to Install IE 11 on Windows 7 with Software Distribution instead of Patch Manager.

Instructions

• Prerequisites: If you want to save time in the actual IE 11 installation process, you can download the prerequisites for IE 11 and install them on the target machine first. Here's a list of the prerequisites for your reference. But in my case, I didn't install these before installing IE 11 installation package, the package just ran a bit longer and still got IE 11 installed.

• Download Internet Explorer 11 for Windows 7 from Official Microsoft Download Center
  

NOTE: Internet Explorer 11 (32-bit) may not work.

• Copy the file into the distribution package storage location. It is recommended to share via HTTP rather than UNC path, as many permission issues are seen when UNC sharing is not configured properly, yet HTTP is connected anonymously.
• Create a distribution package: The package download file was presented in the form of an executable, so in this case, I created an .exe package.
  1. Package information: The primary file path should point to the location where the IE 11 installation package resides. In my case http://Core_FQDN or_IP_address/patch/IE11-window6.1-x86-en-us.exe, double-click on the file to make sure you've selected it.
  2. In Install/ uninstall options:
     1. Enter command line or select options above and edit command line:  Enter:
        • /quiet /norestart
        • NOTE: To see a full set of accepted switches run the /? with the application from an administrative command prompt or consult with the vendor.
  3. Configure other settings if necessary. In my case, I just used local system for account setting.
  4. Save the package. (If you need to change any settings in a package, remember to reset hash before making another scheduled task.)
• Reboot the target machine first (before you need to install IE on any machine).
• Create a scheduled task, run the task. When the job ends with 'Complete', IE 11 should have been installed. Restart the target machine and you will see it updated.

Description

Local Scheduler command line parameters requires 3 quotes rather than the traditional 1 or 2 quotes.  This occurs in all versions from 8.7 and prior.

Certain command line parameters need quotes.  When such commands are called with local scheduler, they fail unless the correct number of quotes are used.  If one or two sets of quotes are added, the command line is cut off at the first space.  If a third set of quotes are added, it works.  This is the case regardless of whether the command line is built at an actual command line or in the console using the Local Scheduler Script wizard.

Example

The following command line will be used as an example.

wscript.exe "c:\program files\someapp\vbscript.vbs"

To have this run in Local Scheduler, the quotes need to be included in the Local Scheduler command prompt:

localsch.exe /exe="wscript.exe" /cmd="C:\Program files\vbscript.vbs" /taskid=1001 /freq=86400

Now look at the tasks by executing  localsch /tasks |more

wscript.exe C:\Program Files\vbscript.vbs     handle    : 1001     start    : Wed Dec 31 17:00:00 1969     frequency : 86400

Delete that task by executing the following command: localsch.exe /del /taskid=1001

Add quotes inside the quotes in the command line parameters and re-apply the local scheduler task:

localsch.exe /exe="wscript.exe" /cmd=""C:\Program files\vbscript.vbs"" /taskid=1001 /freq=86400

Look at the result by executing localsch /tasks |more

wscript.exe "C:\Program     handle    : 1001     start    : Wed Dec 31 17:00:00 1969     frequency : 86400

Delete that task by again executing: localsch.exe /del /taskid=1001

Finally, add a third set of quotes and re-apply the local scheduler task:

localsch.exe /exe="wscript.exe" /cmd="""C:\Program files\vbscript.vbs""" /taskid=1001 /freq=86400

Look at the result by again executing  localsch /tasks |more

wscript.exe "C:\Program Files\vbscript.vbs"     handle    : 1001     start    : Wed Dec 31 17:00:00 1969     frequency : 86400

Cause

The design has to do with the fact that the scheduler is parsing a command line that may contain multiple commands. While the previous example could be parsed with two quotes, like this:

localsch.exe /exe="wscript.exe" /cmd=""C:\Program files\vbscript.vbs"" /taskid=1001 /freq=86400

If the administrator needed to pass two parameters with spaces to local scheduler then the double quotes do not work, for example:

localsch.exe /exe="wscript.exe" /cmd=""C:\Program files\vbscript.vbs" "C:\documents and settings\allusers\somedata.file"" /taskid=1001 /freq=86400

Since this cannot be properly interpreted, the scheduler requires three quotes: one to indicate we are entering and then two to indicate an escaped quote.  So the command line with the two parameters appears as follows and can be interpreted:

localsch.exe /exe="wscript.exe" /cmd="""C:\Program files\vbscript.vbs"" ""C:\documents and settings\allusers\somedata.file""" /taskid=1001 /freq=86400

This results is an awkward looking command line when there is only one parameter that has a space in it as shown below:

localsch.exe /exe="wscript.exe" /cmd="""C:\Program files\vbscript.vbs""" /taskid=1001 /freq=86400

Resolution

Use a third set of quotes when passing parameters to the Scheduler.

Single Quoted Parameter

localsch.exe /exe="wscript.exe" /cmd="""C:\Program files\vbscript.vbs""" /taskid=1001 /freq=86400

Multiple Parameters with quotes

localsch.exe /exe="wscript.exe" /cmd="""C:\Program files\vbscript.vbs"" ""C:\documents and settings\allusers\somedata.file""" /taskid=1001 /freq=86400

Purpose

This document covers how to use Software Distribution with the package interface enabled. This can be useful when setting optional or recommended packages in Workspaces or the Portal, where the end user should have control over certain installation aspects (customization of the install).

Steps

Distribution and Patch Settings

To enable displaying the interface, a new Distribution and Patch setting will need to be used.

• In the Ivanti EPM Console select Tools | Configuration | Agent Settings
• Expand My Agent settings and select Distribution and Patch
• Click the Create New Setting button (green plus sign)
• Set the following:
  • General Settings: Set a name for the new setting
  • Notification: Set Progress Options | Show progress - Only when installing/removing
  • Distribution-only settings: Under Feedback check 'Display full package interface'
• Save the settings.

Software Distribution Package

Because the package is supposed to be running with the interface shown, in this circumstance there should be no silent switches defined on the packages properties.

• Open the Distribution Package properties
• Click Install/Uninstall Options
• Remove entries from within the 'Enter command line or select options above and edit command line for MSI package:'
• Click Save

Scheduled Task

• Schedule the Distribution Package
• Open the scheduled task properties
• Select Agent Settings
• Select the Distribution and patch row, and click on the settings column and select the previously created Distribution and Patch setting.
• Save the task properties
• Start the task

Client Side

When SDClient calls the primary file, it should provide a notice that it is beginning the install of the Distribution Package, and the Package interface should be made visible for the end user to navigate through.

SDClient will remain active while the installer GUI is still open, and a status will not return to the core until the Package GUI closes, and returns a code to SDClient to report to the core.

• • Purpose
  • Logs
  • Get the Task ID
  • Did the Policy xml download to client?
    • Yes
    • No
  • Did sdclient run the task?
    • Yes
    • No
  • Did sdclient_task## run the primary file?
    • Yes
    • No
  • Did sdclient_task## receive an exit code?
    • Yes
      • Common Exit Codes:
    • No
  • Did the task return a status?

Purpose

This article covers how to troubleshoot software distribution from the client side.

Logs

These logs will be used in diagnosing the issue:

• %ldms_local_dir%\..\..\shared files\proxyhost.log
• %ldms_local_dir%\sdclient.log
• %ldms_local_dir%\sdclient_task##.log
• %programdata%\landesk\log\policysync.exe.log
• %programdata%\landesk\log\policysync.log

Get the Task ID

Each scheduled task gets a unique Task ID value. We will use this value to track the task, and identify where the actions got to.

• Right-click the Scheduled task and choose Info
• Locate the number in the ID field

Example: Task ID 3601

Did the Policy xml download to client?

Check the Policies directory on the client to see if the policy xml for the task was downloaded. The xml will be named CP.{TaskID}.....xml.

Example: C:\ProgramData\LANDesk\Policies\CP.3601.RunNow._zJo9YNYzZGuoUqvHKI955qjYuB0=.xml

Yes

Go to: Did sdclient run the task?

No

Go to: How To Troubleshoot Policy Sync

Did sdclient run the task?

When Policysync executes an /enforce, it will run any unprocessed policies. The C:\Program Files (x86)\LANDesk\LDClient\Data\sdclient.log will indicate if it processes the task specific policy and a sdclient_task##.log file will get created.

Example:

RunAppMain: command Line : /policyfile="C:\ProgramData\LANDesk\Policies\CP.3601.RunNow._zJo9YNYzZGuoUqvHKI955qjYuB0=.xml"

Yes

Go to: Did sdclient_task## run the primary file?

No

Review C:\Program Files (x86)\LANDesk\LDClient\Data\sdclient.log for errors.

Did sdclient_task## run the primary file?

When sdclient processes a task specific policy, it will generate an sdclient_task log which contains the task ID:

Example: C:\Program Files (x86)\LANDesk\LDClient\Data\sdclient_task3601.log

When processing the policy, sdclient will call and execute the primary file in the distribution package with whatever switches are listed in the package.

Example:

Execute Msiexec.exe with command Line: "Msiexec.exe"  /quiet /norestart /i "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\swd_packages\7zip\7z920.msi" REBOOT=ReallySuppress

Yes

Go to: Did sdclient_task## receive an exit code?

No

Review the sdclient_task##.log for errors.

Example: Primary file fails to download

Thu, 20 Aug 2015 07:43:24 DoDownloadFromSourceSteps: DOWNLOAD_ERROR_GENERAL_FAILURE

Thu, 20 Aug 2015 07:43:24 Download Error: err=1, path=\\96-core3\ldlogon\swd_packages\7zip\7z920.msi

Thu, 20 Aug 2015 07:43:25 processing of package is complete, result -1918107543 (0x8dac0069 - code 105)

Did sdclient_task## receive an exit code?

When a package finishes running, it will give a return/exit code to sdclient which will be logged in the sdclient_task##.log.

Example:

processing of package is complete, result 229392420 (0x0dac4024 - code 16420)

Yes

If an exit code was returned, this indicates that the package finished or terminated. Searching the exit code in the Ivanti community, or online can provide more information regarding the error.

Common Exit Codes:

• 0 - Success
• 3010 - Reboot Required

Other exit codes may have different meanings depending on the vendor of the application.

MSI packages use standardized exit codes which are listed here

.

No

If the primary file was listed as being executed, but no exit code has been returned, this typically means that the file is still 'running'.

• Open windows task manager, and view the list of running processes
• Right click the column headers and choose 'Select Columns'

• Check the box for Command Line and press Ok

• Look for the primary file as a running process
• Check under the Command Line column and see if it contains any switches

By default LDMS will install software hidden from view. This means that most applications require a silent/unattended switch to install without asking for any user interaction. If the software is called without switches, it will launch, and the software believes it is waiting for user interaction, however the windows are hidden which puts the software in a 'frozen' state of waiting.

To correct this:

• Terminate the stalled process on the client
• Provide necessary silent switches in the package on the Ivanti EPM Core
  • Switches can vary between software vendors. Consult programs whitepapers for info on silent installation. (typically you can search online for "{program name} silent install")

Note: MSI's are the exception to the switch rule.

MSI's are standardized and use the same switches for installing. As such, Ivanti EPM automatically provides necessary switches for MSI packages.

Did the task return a status?

Mon, 17 Aug 2015 10:05:54 Sending task status, cmd line -coreandip=96-CORE3.evdomain.local -taskid=3603 -retcode=229392442 "-ldap=CN=Nevans,CN=Users,DC=evdomain,DC=local" -pkgid=1089

Exec: Launch request <"C:\Program Files (x86)\LANDesk\LDClient\PolicySync.exe" -taskid=3601> (sync 0, timeout 2147483647)

Description

The following errors occur when deploying a batch file distribution package:

Incorrect function

Cause

The incorrect function error is the Microsoft Windows string for error 1.  This is not an Ivanti EPM error.

To see all Microsoft error codes, see this site:

https://msdn.microsoft.com/en-us/library/ms681381.aspx

Resolution

"Incorrect Function" indicates that LDMS is functioning properly, but there is a problem with the batch file.

1. Find the last line run in the batch file.  This line is returning an error 1 which is being translated to "Incorrect function" error.

2. Right-click on the error in the console and select "View log file," or open the sdclient_task##.log for the task on the client machine found in the ldclient\data directory. These logs will show where the batch file failed.

3. Some common causes of this error message:

   1. The batch file is trying to access files on a network share but the Local System account on the managed device does not have the appropriate share and file permissions.

   2. The batch file points to a mapped drive that exists for logged on users but does not exist for Local System.

   3. The batch file contains the "EXIT" statement.

4. Add any additional files that the batch file is trying to copy or install as additional files to the software package. This will cause them to be downloaded to the SDMCACHE folder on the client. An example of a batch file copy command is:
   
   

   copy /Y "file.exe" "C:\Program Files\file.exe"

    

    

5. Modify the batch file appropriately and reset the package hash.

Failed to Download and Hash All Additional Files

The "Failed to download and hash all additional files" error message can have several potential resolutions. This document is designed to provide a type of table of contents for this error and links to articles on the Ivanti Community to assist in troubleshooting.

Failed to Download All Additional Files

Error: "Failed to download additional files"

Failed to Download Additional Files -  Error 80070005

Error: "Failed to download additional files - (80070005)"

Failed to Download and Hash All Additional Files

Error: "Failed to download and hash all additional files" when running task

Description

There are some special considerations that need to be taken when sending a software distribution job to 64-bit Windows operating systems using Ivanti EPM. This applies to Windows 7, Server 2003 and later Operating Systems

What is going on

In order to run 32-bit applications, Microsoft created the Windows-on-Windows 64-bit (WOW64) subsystem. This creates an environment that allows 32-bit applications to run unmodified on 64-bit systems. More information about the WOW64 system can be found here: Running 32-bit Applications (Windows)

Part of the WOW64 system includes file-redirection. The %windir% directory is for 64-bit applications only, so 32-bit versions are located in %windir%\SysWOW64. The File System Redirector is used to redirect 32-bit process calls made to the %windir%\system32 directory to the %windir%\SysWOW64 directory. This is done seamlessly and by the WOW64 subsystem. More information about the File System Redirector can be found here: File System Redirector (Windows)

This is of concern for Ivanti EPM users and administrators who need to make use of applications contained in the %windir%\System32 directory. At this time, Ivanti EPM software distribution runs as 32-bit processes. This means that any batch file distributions, as well as custom scripts, will be run as 32-bit processes and any calls to the %windir%\System32 directory will be redirected to %windir%\SysWOW64 directory.

What to do

If the needed application is available in the SysWOW64 directory and running as a 32-bit process is acceptable, no changes need to be made to batch files or custom scripts. However, if the application is not available or must be run as a 64-bit process you will need to make some changes to the scripts. The recommended modification would be to use the Sysnative alias. Starting with Windows Vista, the Sysnative alias has been present in order to bypass the File System Redirector. The Sysnative alias can be used as if it were a directory. For example, instead of running %windir%\System32\wbadmin.exe you would run %windir%\Sysnative\wbadmin.exe. The wbadmin (Windows Backup) is not available in the SysWOW64 directory because it is a 64-bit application, but it can be accessed from a 32-bit process (Ivanti EPM software distribution) by using the Sysnative alias.

More information about the Sysnative alias can be found here: File System Redirector (Windows).

Additionally, Microsoft has created a patch for Windows 2003 x64 that adds the Sysnative alias. It can be found here: http://support.microsoft.com/?scid=kb;en-us;942589

Conclusion

If you are going to be running custom scripts or batch files that make use of applications in the %windir%\System32 directory, you will need to modify these scripts for 64-bit versions of Windows. The scripts should use %windir%\Sysnative instead of %windir%\System32.

Disable TaskQueue.exe for specific packages

To disable task queuing on a per package basis, a new option has been added to the distribution package properties in the 324 MCP. This will cause packages to fail if another operation is currently in progress (like it did before task queuing was available).

Use Case for disabling task queuing

• • Description
  • Cause
  • Solution
    • Check the PreferredServers.dat
    • Check ProxyHost.log
      • Common issues
    • Enable Additional Logging
      • Common issues

Description

Sometimes you may wish to know if your preferred servers are being used during software deployment actions.

Cause

In some cases evidence shows that the preferred server isn’t being used. In others it is necessary to check the functionality of the preferred server configuration.

Solution

We will collect some additional logs and see how they can be filtered for the most common problems.To do so we will perform the following steps (this will be explained a bit later in detail).

1. Check proxyhost.log if the agent downloads the preferred server list
2. Check the PreferredServers.dat for the preferred server the Agent will use
3. Activate XTrace log for the LD-Downloader to see if the agent really downloads via preferred server

Check the PreferredServers.dat

To check which preferred server(s) a client can use, open the PreferredServers.dat (C:\Program Files (x86)\LANDesk\LDClient\sdmcache) on your client machine with a text editor (e.g. notepad). The file should contain an entry such as:

1353591310?list_of_available_preferred_servers

 

The first number before the ‘?’-mark represents a time stamp in UNIX format. To decrypt such a time stamp use any UNIX time converter.

Note* If there is no PreferredServers.dat file see the next item on how to check the proxyhost.log.

Check ProxyHost.log

The proxyhost.log (C:\Program Files (x86)\LANDesk\Shared Files) records all Ivanti EPM initiated network activity started from the client itself. Examples of this is the sending of an inventory scan, but also requests to the core server to get the preferred server list.

If there is no PreferredServers.dat file the client will contact the core server for a list of the preferred servers when it first needs to download something such as a software distribution package. In the proxyhost.log there should be an entry reflecting the following:

"POST http://[NameOfCore]/LANDESK/ManagementSuite/Core/PreferredServer/preferredserver.asmx HTTP/1.1" 200 530 862

 

The first number (here 200) represents the HTTP return code. A value in the 200 range is associated to a  “Success”. A list of other possible error codes can be found in document IIS Status Codes. I f this entry doesn't exist in your proxyhost.log file attempt to manually browse to the website using the following syntax:

http://localhost:9592//LANDESK/ManagementSuite/Core/PreferredServer/preferredserver.asmx

 

This will force the route through proxyhost (9592) and should write an entry in the proxyhost.log file. If this is not occurring Wireshark the activity to review what's potentially blocking the traffic.

Note* The  preferredservers.dat file gets created not downloaded.

Common issues

1. The PreferredServers.dat doesn’t exist
   1. Check proxyhost.log if preferred server list got requested by the client
   2. Check directory permissions of “C:\Program Files (x86)\LANDESK\LDClient\sdmcache” to allow SYSTEM full control
   3. Push a software package to the client with a delivery method that uses download from source to cause a download, this will force the client to check for preferred servers.
2. PreferredServers.dat doesn’t get updated
   1. Check proxyhost.log if preferred server list got requested by the client
   2. Check if the “Date modified” attribute of the file is current
   3. Check if the Unix timestamp inside of the dat-file is current
   4. Delete the preferred server dat file and initiate an action that will download files like deploying software.
3. PreferredServers.dat doesn’t contain my configured preferred server(s)
   1. Check if your client can ping the name/ip of your configured preferred server. The Client will only insert a preferred server if the server can be pinged.
   2. Check the IP address of client and compare to list configured on the core server in the preferred server setup.

Enable Additional Logging

Enabling additional logging  (xTrace,Verbose) allows for more actions to be recorded in the corresponding log file. In this case, the additional logging will be contained in the  sdclient_taskXXX.log (XXX = TaskID) file.This file gets written to “C:\Program Files (x86)\LANDESK\LDClient\Data". The client-side file responsible for downloading files from a source to a client is lddwnld.dll. Please review the following document on how to enable additional logging: How To: Enable XTrace Diagnostic Logging for the Ivanti EPM Core and Clients.

Common issues

1. LDRedirectFilePathEx: serverList is empty
   1. The PreferredServers.dat is empty. Check explanations above
2. Hash error(s)
   1. Try resetting the hash of the package. See document Error: "Failed to download and hash all additional files" when running task.
   2. Try copying the files by hand with “xcopy /E /V /H / Z” to make sure that the files are the same as on the main download site.
3. Error code 5 while creating the file
   1. Error code 5 is the standard Microsoft Error code for “Access is denied”. Check that the configured credentials in the preferred server config are still valid.

The client machine deploy agent with portal manager.

The package cannot be shown on the portal manager when you click the 'refresh' button. There is no error happened but the package is not shown on the portal.

The policy.sync.exe called lddwnld.dll to download from core server. The lddwnld.dll may have error.

The policy.sync.exe updated the task to client machine local DB file LDClientDB.db3. The DB may have error.

You can go through the following steps how the package is updated to the portal manager. And confirm which step is failed.

You need to confirm the client agent patch level should be same with the core.

• The scheduled task is ready and wait status

• The file SDClientTask.<CoreName>.<TaskID>.xml in generated under folder on core:

.\Program Files (x86)\LANDesk\ManagementSuite\landesk\files

• When click refresh button on portal, the file SDClientTask.<CoreName>.<TaskID>.xml will be downloaded to client folder:
  • C:\Documents and Settings\All Users\Application Data\LANDesk\ManagementSuite\landesk\files (WinXP and Win2003)
  • C:\ProgramData\LANDesk\ManagementSuite\landesk\files (Win7 or Win2008 client machine)
  • The file is downloaded through lddwnld.dll, It is also be called by SDClient.exe and Vulscan.exe.
  • You may kill SDClient.exe and Vulscan.exe in task manager manually.

• The XML of task should be updated to the client machine local DB file LDClientDB.db3.
  • C:\Documents and Settings\All Users\Application Data\LANDesk\ManagementSuite\Database  (WinXP and Win2003)
  • C:\ProgramData\LANDesk\ManagementSuite\Database (Win7 or Win2008 client machine)
  • You can try to clean the database. How to resolve "Task Queued at Client for Execution"
  • And the  policy.invoker.exe should running in task manager always. The policy.invoker.exe will check the DB every 3 seconds to launch the task.
  • If it is not running, you can go to services to start the LANDesk Policy Invoker.

• You can collect the following log files to support team:
  • C:\Program Files (x86)\LANDesk\LDClient\policy.sync.log
  • C:\Program Files (x86)\LANDesk\LDClient\lddwnld.xlg  (This required the XTrace log of lddwnld: How To: Enable XTrace Diagnostic Logging for the LANDESK Core and Clients)
  • C:\Program Files (x86)\LANDesk\LDClient\Data\sdclient_task<TaskID>.log
  • C:\Program Files (x86)\LANDesk\LDClient\Data\SDClientTask.<CoreName>.<TaskID>.log
  • C:\Program Files (x86)\LANDesk\LDClient\Data\sdclient.log

If there is 'time out' error, you can go to this help document for help: Error: "Time out"  error when clicking 'refresh' on portal manager

Purpose

Method for remote unprovisioning of vPro clients, for troubleshooting and correcting issues that may require the client to be unprovisioned.

The Intel(R) AMT Unprovision Utility is a simple command line utility that allows users to remotely unprovision an Intel(R) AMT system without requiring a

separate management console.

     

Note: This test will make use of the free 3rd party application Intel Unprovision.exe. Ivanti does not endorse nor support any 3rd party software. Users assume all liability when working with 3rd party software.

Steps

1. Download the Intel UnprovisionEx.exe tool.
2. Unzip the files to your Software Distribution Storage.
3. In the Management Suite Console, create a new Software Distribution Executable package.
4. In the Package Information section use the UnprovisionEx.exe as the primary file.
5. In the Install/Uninstall Options section add the following switches into the install/uninstall options: -hostname %computername% -user admin -pass P@ssw0rd -full
   • For the password please use the admin password for your vPro clients.
   • The -hostname can be either the listed variable, FQDN or IP address.
6. Save the package and schedule it out to the vPro devices you would like to unprovision.
7. Once these machines are in the pre-provisioned state attempt to zero-touch provision these devices.

(To verify the provisioning state of the machine please reference https://community.landesk.com/support/docs/DOC-31903)

Related:How To: Unprovision vPro

Issue

You have just configured a new preferred server on your core server.

All the credentials you have provided for both the source, the preferred server and the replicator have been successfully tested in the preferred server configuration wizard.

However, when you run a content replication task, the job always fails with the following error code:

Failed to connect to the source  Code: 86 (0x56)

Additionally the replicate.log file shows the following entries:

Sat, 25 Jun 2016 15:51:56 Setting a proxy...

Sat, 25 Jun 2016 15:51:56 Setting socket timeout to 1000 * 60 * 4

Sat, 25 Jun 2016 15:51:56 Success

Sat, 25 Jun 2016 15:51:56 Core failed decrypt request.  See log for more information. Failed

Sat, 25 Jun 2016 15:51:56 Decrypt failure status code: CertPendingApproval

Sat, 25 Jun 2016 15:51:56 Last status: Done

...

Sat, 25 Jun 2016 15:51:57 ConnectToShare: '\\DC1\test\' as user 'LEFRANCUZ\administrator'

Sat, 25 Jun 2016 15:51:58 Failed to connect to share (\\DC1\test).

Sat, 25 Jun 2016 15:51:58 WNetAddConnection2 Error = (86).

Sat, 25 Jun 2016 15:51:58 Last status: Failed.  Error: 86 (0x56)

Sat, 25 Jun 2016 15:51:58 Reporting connection failure to core

Sat, 25 Jun 2016 15:51:58 Reporting status Failed to connect to share '\\DC1\test\'.  Code: 86 (0x56)

Cause

Despite what the error code suggests, this issue has nothing to do with the source machine.

Actually, this error occurs because the certificate of the computer being used as the replicator has not been approved yet on the core server.

Workaround

In order to fix this issue, you just need to approve the certificate that was issued for the replicator.

Here is how to proceed:

Step 1: open the Ivanti EPM console and connect to the core server

Step 2: select the "Manage Cloud Services Appliances" option in the "Configure" menu.

Step 3: click the "manage certificates" tab and locate the name of the computer being used as the replicator.

Step 4: approve the certificate that was issued for this computer during the install of the Ivanti EPM agent.

Now the replication content task should be successful.

If you migrate to a new Ivanti EPM Core Server, one of the challenges can be getting all of the SWD packages updated with the new server name.

If using CoreSync is not an option, then this query will help to update the package paths that are defined in the individual SWD packages.

As always, before running any query that could negatively impact your environment ensure the following.

1. You have a verified backup of your database.
2. Test in a non-production system before applying any changes to a production environment.

This is not a supported nor recommended method of updating these values, although it should work.  Ivanti is not responsible for any damage to the database, and cannot assist in resolving any errors that may arise from the use of this SQL Statement.

/****** Query to update package paths in all SWD packages  ******/

UPDATE dbo.PACKAGE_FILES_HASH SET FULL_PATH = replace

(FULL_PATH, 'OldServerName', 'NewServerName') WHERE FULL_PATH LIKE '%OldServerName%'

This query will update all of the paths for the Primary File in the SWD package as well as all Additional Files.

Here is the package after running the SQL command.