Setting up Content Replication on a Preferred Server running Windows Server 2012 R2

Content replication can be used to move large amounts of data from the core server to a preferred server, and also to allow endpoints to contact their preferred server on the local network for content rather than the core.

HOW TO

Preferred Server Setup

Roles

Once your server OS is installed, you must add two roles:

• File Server
• IIS

Creating the file share

To replicate the “patch” folder from your core to the Preferred Server, you must have the same directory structure on your target as you do on your core from the ldlogon folder down. Create those directories on the Preferred Server.

Core

Preferred Server

Adding the Virtual Directory

Open IIS Manager on your Preferred Server. Right click on the Default Website and select “Add Virtual Directory”.

Give the directory an alias (I used “Patch”, as this is where my patches from the core will be replicated to) and select the physical path to that directory.

Click “Connect as…” and it should be set by default as “Application user (pass-through authentication)” – leave it that way.

Click “Test Settings…”. It should look like below (don’t worry about the warning at this time):

Editing Permissions on the Virtual Directory/Share

Now we will set the permissions for the shares. Right-click on the virtual directory and select “Edit Permissions…”

If the folder is not already shared it should show as shared here:

Click the “Security” tab. The following accounts should be listed especially:

• Everyone: Read & Execute, List folder contents, Read
• IUSR: Read & Execute, List folder contents, Read
• Network Service: Full Control, no “Special Permissions”
• Administrators: Full Control, no “Special Permissions”

To create the UNC share, click back to the “Sharing” tab and select “Advanced Sharing”. Check the “Share this folder” box, and click on the “Permissions” button at the bottom. Give one of the accounts from the last step full permissions to the share; This will be necessary for the Ivanti EPM Content replication tool to have rights to copy Antivirus pattern file content to the share. In this instance, I have used “Administrators”:

Once you have done that, click okay and exit out to your IIS Manager.

Allowing Directory Browsing of the Virtual Directory

Select your Virtual Directory and then open “Directory Browsing” in the right pane and enable it:

Core

Configure the Preferred Server in your Core Console

On your core, go into “Configure->Preferred Server”.

In the right pane, right click and select “New preferred server”

Fill in the “Server Name”, and “Username” and “Password” fields to start (The “Description” field is optional)

Click the “Test credentials…” button at the bottom, but we’re only going to test UNC credentials at this time (we have not set up the source in this pane yet):

Make sure you save this configuration now and re-open it.

The next item in the left column is “IP address ranges”. You can set these if you only want a specific IP range to use this share.

Select the Replicator

The next step is to select the replicator. In this example, I will use the Preferred Server itself to replicate the share.

Highlight the system you wish to use and press the “Select” button in the bottom right corner. Its inventory information should populate in the fields:

Schedule the Replication Process

You can set the “Run options and “Schedule” for when you want the replication process to run in the left column as well:

To set the replication schedule, select “Schedule” from the left column and then click the green plus icon on the toolbar in the resultant window:

For this example, I have selected the replication process to begin automatically on 10/4 at 1 AM, repeating every day at the same time, running until finished, and updating all preferred servers. You can change this to fit your needs. Hit save once you have the desired schedule set:

Set up Replication Sources

Now we will set up the sources for replication. Click the “New” button to add a new source for replication:

Enter the name of the source, a description of the source, the UNC path for the source, and the username and password you wish to use:

I always use UNC to test at this point, so just use UNC at this time (the warning is expected as I am using the same account I'm logged on to my core with):

Next, select “Preferred Servers (Targets)” in the left column. You should see the preferred server you set up earlier listed. Make sure it is in the “Included” pane at the bottom (if it’s not there, highlight and click “Include”):

The next column item is “Mirroring”. This option allows you to control what is in your shares on your Preferred Server.

The next item is “Source representative”. This option allows you to choose a Windows-based, managed node to build file lists from the source (core) to the replicator. It must be low-latency, and have UNC access to the source even if it is HTTP-based. To designate, select a node from the list and press “Select”. It will fill in the inventory information of the system in the fields. Save after this is done:

You should now see your source paths added to the preferred server:

You will now need to set up the “Write credentials”. Fill in the information and press “Test credentials”:

Press “Test” in the lower right hand corner to test:

At this point, you are ready to replicate. In your console window, check to make sure all of the items are listed:

Preferred Server:

Sources:

Replicators:

All Tasks (replication tasks):

If you want to check immediately to see if your replication is working, go to the “Pending Tasks” item. Right click on your item in the right pane, and select “Start content replication now…”.

The resulting window will allow you to watch the process and make sure it completes as intended:

At this point, you can physically check to make sure that the files copied from your core to the Preferred Server.

I'm running Ver 2016 SP3

Since upgrading to 2016 SP3 a year ago whenever I create a task for a Software Distribution package after starting all computers go active and then almost immediately a bunch go to Pending, some more are successful, and some fail. I checked the failed ones and they were all turned off. The pending ones were a combination of computers turned off and those that are on.

I was told this was the behavior caused by the Policy-supported push default setting in the task of Accelerated push.

I have changed the Task setting to Policy-supported push with the Accelerated Push unchecked. Tried it using Push with the Accelerated Push unchecked.

I get the same results.

Any suggestions?

Description

   Preferred Servers are a popular option when looking to minimize network traffic during deployment tasks. Preferred Servers can provide files over both UNC and HTTP shares, however, it is not a requirement that the Preferred Server have IIS for clients to get files from an HTTP address. When the Ivanti Agent is looking for a file on the Preferred Server it will automatically translate the path between UNC and HTTP.

   For example, if a distribution package lists the source file location as "http://server/share/file.exe", the agent will try to hit "http://preferredserver/share/file.exe" and if it fails to get the file through that method, it will try again with a UNC path "\\preferredserver\share\file.exe" without any extra configuration. However, it is important to remember that this auto-translation only happens when the Agent is trying to download from a Preferred Server. It will not do this when trying to download from a Source.

   When running Software Distribution, Patching, or Provisioning tasks the Ivanti agent will automatically run down a list of four locations it is allowed to download files from:

1. Verify if the file is already downloaded in the SDMCache.
2. Peers devices on the same multicast domain.
3. Preferred Servers.
4. Source.

  When an agent requests available preferred servers from the core it may write that information into a PreferredServers.dat file, or it may also write it into the verbose logging for the task making the request. When that request is made, the client does not send its identifying information to the core server. Instead, it sends a blank SOAP request, and whatever the IP address that IIS sees the request come from is what the list of servers is based on. This can lead to complications in NAT environments where the agents talk to the Core Server through a NAT connection as the NAT IP may be the address seen by IIS and responded to, instead of the client's IP.

Solution

Where to look to ensure you are downloading from the Preferred Server

Ivanti logs where we are downloading files from in multiple places the following files will help you determine where your files are downloading from. The following client-side logs will help determine where files are downloading from.

C:\Program Files (x86)\LANDesk\LDClient\CurrentDownload.log

After enabling XTrace the following logs become more verbose: How To: Enable XTrace Diagnostic Logging for the Ivanti EPM Core and Clients

Software Distribution: C:\Program Files (x86)\LANDesk\LDClient\Data\sdclient_task###.log

Patch Manager: C:\ProgramData\LANDesk\Log\Vulscan.log

Provisioning: C:\ProgramData\LANDesk\Log\MapToPreferredHandler.log

Verifying you are receiving the correct Preferred Servers

  Sometimes necessary to make a manual request to the PreferredServer.asmx web service outside of a task for troubleshooting purposes. Below is an explanation of how to do this using a popular web development tool called Postman. You can download Postman on Windows and MacOS as an extension for the Chrome browser, or from the Postman website as a stand-alone tool. The following instructions assume you have already downloaded Postman to the machine.

1. In PostMan, next to the URL field at the top of the tab change the Type from "GET" to "POST"
   
   
2. In the URL field enter: http://CoreNameOrIP/landesk/managementsuite/core/PreferredServer/PreferredServer.asmx
   
3. Go to the Body tab. Select the "raw" radio button.
   
   
4. To the right of "raw" click on the drop down arrow by "Text", select "XML (text/xml)".
   
   
5. Copy and paste the following into the text field (Do not change anything, as the servers response will be based off of the requesting machine's IP, not the content of the request, but the request does have the be properly formatted):
   

   <?xml version="1.0" encoding="utf-16"?>
   <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
   <soap:Body>
   <GetPreferredServers xmlns="http://tempuri.org/" />
   </soap:Body>
   </soap:Envelope>

6. Click the blue "Send" button.
   

1. Once you click the Send button, you will receive a response with the preferred servers for that device listed. You will need to verify this against your Preferred Server configuration to ensure you have the servers you are expecting to receive.

Post converted to PDF and attached for Migration.

Post converted to PDF and attached for Migration.

Post converted to PDF and attached for Migration.

Post converted to PDF and attached for Migration.

Description

New setting available in the Distribution and Patch Agent settings for Policy Sync Schedule.

This became available starting in 2017.3 Service Update 5 and 2018.1. Your agents will have to be at this minimum agent level to take advantage of this new option.

"Additional Settings" section:

Information

This new setting allows for better control when scheduling Policysync.exe. The setting allows for you to set a threshold in minutes when Policysync runs and a task is scheduled to run moments later it would be skipped previously until the next Policysync runs.

Example

If you had a recurring policy's next runtime for 10:15 and Policysync ran at 10:14 it would not execute the recurring policy until it ran at 11:14. This caused some tasks that were scheduled hourly to run once every two hours.

The new setting allows you to set a window so that every time Policysync runs it will run any recurring policy with a time that has already passed.

So if the setting is set for 10 minutes, and policysync runs at 10:14, it will also execute any recurring policy that has a run time before the set threshold. If a policy had a runtime of 10:23, and is executed at 10:14, its next runtime will be changed to 11:14. And from that point onward the run time will very closely match that of the policysync.

Description

   In some environments. You might run into an issue where you can run a script locally just fine but when you try to push the script out in a package, EPM shows the the script was launched but nothing happens.

   Some script actions and .vbs scripts will not execute if they are under C:\Program files, C:\Program Files(X86) or Remote execution. This behavior applies to both windows 7 and 10. You can also set the task to "Run from source" under The task settings. Most of the time this will get around the permissions issues in windows. However, there are still some actions that do not work remotely in which case the steps below have proven helpful.

Solution

Copying the script to C:\windows\temp, then executing from there.

• Go to Tools > Distribution > Distribution Packages.
• Create a new windows action package.
• Add a custom action. This will move the file into C:windows\temp

<#
Move a file
#>

Move-Item "C:\<PathtoFileinSDMcache>" "C:\windows\temp\Filename" -force

if ($? -ne $true)
{
    exit 1
}

• Create another custom action. For .ps1 or VBS you will need to use:

Set-location "C:\windows\temp";
Powershell.exe -execution bypass -nologo -file .\PS1 or .\VBS

if ($? -ne $true)
{
    exit 1
}

For Batch files you can use:

$A = Start-Process -FilePath "C:\Windows\temp\movefile.bat" -WindowStyle Hidden -Wait -passthru;$a.ExitCode

Add the file listed in step 3 as an additional file.

Hello guys

I'm struggeling with the task to create a simple and working Windows 7 64 bit Provisioning Template.

Based on that article http://community.landesk.com/support/docs/DOC-7556 I tried it many times but it always ends up with the following message:

I need some help from you.

I'm not sure if the problem is the Windows 7 x64 or the Management Suite Configuration, but a former Windows XP Provisioning worked perfectly!

Based on the Thread here http://community.landesk.com/support/thread/1678?start=15&tstart=0 I tried the mentioned things but nothing helped.

I can support you with more information/logs/whatever if necessary.

Once more to make it clear: I want to deploy Windows 7 in 64 bit version without creating an image. Only a "LANDesk-automated unattended install".

We are running LANDesk 9.0 on Windows Server 2003 R2 32 Bit.

Thanks a lot,

Norman

“Post converted to PDF and attached for Migration.

More details available here: https://community.ivanti.com/docs/DOC-71280”

Hi,

I have a landesk package which has 2 pre & 2 post installation tasks and the main package is an MSI. To install this, as we can't use the preliminary & final package concept with Policy-Supported-Push method and it's limited to only 3 tasks, I made the appropriate dependant package tree as below

Like: PostTtask2 => PostTask1  =>  MainTask => PreTask2  =>  PreTask1

So, the package instalaltion would be in reverse order, PreTask1  =>  PreTask2  =>  MainTask   =>  PostTask1  =>  PostTtask2

Since the last package PostTask2 is dependent on all other tasks, I created a task for this package (PostTask2) and scheduled it on a LDAP group (AD group).

I used the standard Policy-Supported-Push delivery method for this package.

I observed that a bunch of machines failed to get the package by throwing the error 16389.

Please have a look at the log from one of the problematic machines below.

------------------------------------------------------------------------

C:\local>tail -f "\\\\catmint\c$\Program Files\LANDesk\LDClient\Data\sdclient_task289.log"

Thu, 11 Feb 2010 10:51:05 processing package 'Citrix Client 11.2.12.1 - Install' 3 of 5 total packages
Thu, 11 Feb 2010 10:51:05 Checking recently used server path http://landesksource/ldpackages/Citrix/CitrixClient11_2_12_1/CitrixClient11_2_12_1.exe instead of http://landesknyc1.nyc.deshaw.com/ldpackages/Citrix/CitrixClient11_2_12_1/CitrixClient11_2_12_1.exe
Thu, 11 Feb 2010 10:51:07 File (http://landesknyc1.nyc.deshaw.com/ldpackages/Citrix/CitrixClient11_2_12_1/CitrixClient11_2_12_1.exe) is not in cache
Thu, 11 Feb 2010 10:51:07 Checking recently used server path http://landesksource/ldpackages/Citrix/CitrixClient11_2_12_1/CitrixClient11_2_12_1.exe instead of http://landesknyc1.nyc.deshaw.com/ldpackages/Citrix/CitrixClient11_2_12_1/CitrixClient11_2_12_1.exe
Thu, 11 Feb 2010 10:51:10 processing of package is complete, result -2147467259(0x80004005 - code 16389)

Thu, 11 Feb 2010 10:51:10 An error (-2147467259) occured installing package Citrix Client 11.2.12.1 - Install
Thu, 11 Feb 2010 10:51:10 processing of package is complete, result -2147467259
(0x80004005 - code 16389)

-------------------------------------------------------------------------------

Could you please help me in fixing this issue?

Thanks,
Chetan

I have created a Enhanced Package Builder package with a couple of DWORD registry settings.  I have "built" the package, but when I install the package instead of the values in package, I just have zero's.

Has anyone seen this before, or have any ideas as to what  I can do to resolve the issue?

“Post converted to PDF and attached for Migration.

More details available here: https://community.ivanti.com/docs/DOC-71280”

Scheduler task status codes

The LD_TASK table inside the LDMS database contains a TASK_STATUS column whose values are represent the status for each task.

Below are the code definitions for the TASK_STATUS column:

Machine Status

The LD_TASK_MACHINE table inside the LDMS database contains a MAC_STATUS column whose values represent the status for each machine targeted in a task.

Below are the code definitions for the MAC_STATUS column:

Policy Status

Whenever a task is run on a client we have a policy .XML and .STAT file that PolicySync.exe, SDClient, and Vulscan.exe use to know what the current status of a task is.

You can see these statuses on the client in the C:\Programdata\LANDesk\Policies folder. You will two files for each task, a .XML with task inf and a .STAT with results of the last time the task ran. Inside the .STAT is the <Status> value.

Im new to Ivanti EPM so this may be a dumb question. I am using EPM 2018 trying to host a software package within the portal manager. I like to run things through power shell using forms to display data to users. I have a script that works fine if I run it locally but it runs hidden when I push it through the portal. I know the script runs fine because the software gets installed as it should. the other thing I have found so far that seems odd is "PowerShell output: Inside Search" from sdclient_TASKID.log. Any push in the right direction would be greatly appreciated.

Hello,

We are currently settings up our endpoint manager and have been going with professional services. We have been able to capture one machine and push it to another. We had a SCCM and were using an image from that prior to Ivanti. We are in a bind now, since we took the SCCM PXE down so that Ivanti can work and need some machines re-imaged in the mean time. Can someone explain if it is possible to use Ivanti to push the SCCM image out?

Thanks!

Problem:

In some high secure environments, users can encounter an issue with PowerShell scripts distribution via Ivanti Endpoint Manager. This issue occurs mainly for Windows 10 build 1709. Error message in log file (sdclient_task{taskID}.log - C:\Program Files (x86)\LANDesk\LDClient\Data \ C:\Program Files\LANDesk\LDClient\Data):

Thu, 15 Mar 2018 11:39:58 PowerShell file Client Thread

Thu, 15 Mar 2018 11:39:58 Powershell install value is: [0]

Thu, 15 Mar 2018 11:39:58 Powershell version is: []

Thu, 15 Mar 2018 11:39:58 PowerShell is not installed in the client system

Cause:

The SDCLIENT process to detect PowerShell installation relies on two entries in the registry. According to information from Microsoft - PowerShell v2.0 (https://support.microsoft.com/en-us/help/4034825/features-that-are-removed-or-deprecated-in-windows-10-fall-creators-up) is deprecated for Windows 10 Fall Creator Updates. Due to security reasons following registry entries might be removed what causes mentioned issue.    

OS x64:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\1 value Install

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\1\PowerShellEngine

OS x86:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1 value Install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine

The following string values must be entered under the PowerShellEngine key

Working device:

Not-working device:

Solution/Workaround:

Until the SU's are released, the only immediate solution is restoring mentioned registry entries.

If you have any additional questions, please contact Ivanti Support.

The purpose of this document is to convey the process Ivanti EPM uses to handle Status Updates for Scheduled Tasks, and what to look for if things aren't working as desired.

What is SOAP and why does Ivanti EPM use it?

SOAP (Simple Object Access Protocol)is a protocol specification used for exchanging information for implementation by Web Services. SOAP features include:

• Extensibility, Neutrality, and Independence
• Uses Extensible Markup Language (XML) Information Set for its message format, which allows processes running on various Operating Systems (Windows, Linux, Etc.) to communicate freely.
• Relies on Application Layer protocols, usually Hypertext Transfer Protocol (HTTP) for message transmission.

For more information, please reference this Microsoft Document.

Ivanti EPM clients utilize SOAP actions to communicate Task Status updates to the core. The following is an example of a client doing so in the SendTaskStatus.exe log:

Sun, 32 Sep 2016 36:57:24 SendRequest: SOAPAction:http://tempuri.org/ResolveDeviceID

Task Start

When a task is first initiated from the console, the core is responsible for updating the status of the task until the policy has been made available. The applications involved are:

Console.exe

• Saves the task to the Ivanti EPM Database (LDTASK Table) in an "Active" state.

TaskHandlerProxy.exe

• Initiates PolicyTaskHandler.exe with the specified ID of the task being run.

PolicyTaskHandler.exe

• Attempts to resolve the devices within the Task and create Policies for each device. Once PolicyTaskHandler is finished, the client is responsible for updating the status going forward.

Send Task Status Flow (2016 - Current)

Send Task Status Process (2016 - Current)

Software Distribution:

• Resolve Device ID
  
  • Sdclient.exe > SendTaskStatus.exe > ProxyHost.exe - WSVulnerabilityCore/Vulcore.asmx.
    • The Web Method ResolveDeviceID is then invoked utilizing the COMPUTER table in the Ivanti EPM Database.
• Status Update
  • Sdclient > SendTaskStatus > ProxyHost - WSStatusEvents/EventHandler.asmx.
    • The Web Method SetPatchInstallStatus2 is then invoked utilizing the LDTASK table in the Ivanti EPM Database.

Patch Manager:

• Resolve Device ID
  • Vulscan.exe > ProxyHost.exe - WSVulnerabilityCore/Vulcore.asmx.
    • The Web Method ResolveDeviceID is then invoked utilizing the COMPUTER table in the Ivanti EPM Database.
• Status Update
  • Vulscan.exe > ProxyHost - WSStatusEvents/EventHandler.asmx.
    • The Web Method SetPatchInstallStatus2 is then invoked utilizing the LDTASK table in the Ivanti EPM Database.

Send Task Status Flow (9.6 and Older)

Send Task Status Process (9.6 and Older)

Software Distribution:

• Resolve Device ID
  • Sdclient.exe > SendTaskStatus.exe > ProxyHost.exe - WSVulnerabilityCore/Vulcore.asmx.
    • The Web Method ResolveDeviceID is then invoked utilizing the COMPUTER table in the Ivanti EPM Database.
• Status Update
  • Sdclient > SendTaskStatus > ProxyHost - WSVulnerabilityCore/Vulcore.asmx.
    • The Web Method SetPatchInstallStatus2 is then invoked utilizing the LDTASK table in the Ivanti EPM Database.

Patch Manager:

• Resolve Device ID
  • Vulscan.exe > ProxyHost.exe - WSVulnerabilityCore/Vulcore.asmx.
    • The Web Method ResolveDeviceID is then invoked utilizing the COMPUTER table in the Ivanti EPM Database.
• Status Update
  • Vulscan.exe > ProxyHost - WSVulnerabilityCore/Vulcore.asmx.
    • The Web Method SetPatchInstallStatus2 is then invoked utilizing the LDTASK table in the Ivanti EPM Database.

Troubleshooting

A client may occasionally fail to upload its status as it works through a task. This section can help pinpoint the location that the problem occurred.

Log Locations

IIS:

• C:\inetpub\logs\LogFiles
• C:\Windows\System32\LogFiles\HTTPERR

Core:

• WSVulnerabilityCore.dll.log - %ldms_home%\log
  
• StatusEvents.dll.log - %ldms_home%\log
• Console.exe.log- %ldms_home%\log
• PolicyTaskHandler.exe.log - %ldms_home%\log
• TaskHandlerProxy.log - %ldms_home%\log

Client:

• ProxyHost.log - C:\Program Files (x86)\LANDesk\Shared Files
• SendTaskStatus.log - C:\ProgramData\LANDesk\Log
• Sdclient_Task#.log(Distribution)- C:\Program Files (x86)\LANDesk\LDClient\Data
  
• Vulscan.log (Patch Manager)- C:\ProgramData\LANDesk\Log

IIS Manager

Internet Information Services (IIS) Manager can be used to verify that LANDESK Web Application Pools are up and running.

In terms of Task Status Reporting, the applicable Application Pools are LDAppStatusEvents and LDAppVulnerability . Ensure that they are both in a Started state. It might be worth "Recycling" each Application Pool as shown in the screenshot above.

IIS Reset

If IIS on the core is found to be unresponsive, sometimes running an IIS Reset can resolve the issue.

Open an administrative command prompt on the core and run "iisreset." Once this completes, attempt to produce the issue again.

Hi, we are having some issues where not all the drivers are being installed during the hii provisioning process - whilst we investigate further,  we have a script that will tidy up any missing hardware drivers.   Issue we have is that the script will not work as part of a distrubuted package or as a provisioning task.  Do any powershell or provisioning ninjas out there have a clean method to get the script running as required when part of an Ivanti automated task ? or have a working method to install missing drivers ?

Thanks in advance.

client os

all devices are win10 x64

script

Get-childitem  -recurse -include *.inf | foreach-object{C:\Windows\System32\PNPUtil.exe /add-driver $_.fullname /install}

logs

attached.

I am currently migrating to EPM 2018.3 with a side-by-side migration. I chose to start fresh instead of using our existing database. One of the changes I'd like to make is using HTTP for all packages instead of a combination of HTTP/UNC. Since Mac packages require HTTP and the CSA does as well, it seems to make the most sense.

Are there any caveats to only using HTTP?

Currently, the default HTTP settings leave everything accessible to any user on our network. Although users can't install software, they could easily find information that they shouldn't, such as license keys. Is there a recommended way to make this more secure without causing problems during package and patch deployment?

Thanks.

I have created a PowerShell package to install an Outlook Plug-in. The script runs and is reported as a success but installing the .VSTO package does not occur. We install a certificate and download all the required files to the local PC but the plugin is not installed. If I run the PS script directly on the PC the entire operation runs and the plugin is installed. Is there something I need to do to allow the .VSTO file to run?