Hello,

We have recently upgraded to LANDesk 2016.3 and are in the process of deploying the updated agent to all the machines. Im very new to this Certificate-based authentication.

Once the agent has been deployed i have been going into Configure > client access and approving all the  machines. There are a number of machines that show as Authentication failed and when checking the query the certificate validation result shows as either Pending approval or certificate not approved.

However when i check the approved list in Configure > client access those machines have been approved.

How can this be fixed so they all have valid certificates?

Thanks,

I am trying to locate unmanaged devices so I can push out the Ivanti Agent.

I am inputting the IP range and it is picking new unmanaged devices up (see below).

However, there is no device name and it is suggesting the OS is Linux (the devices are Windows 10 thin clients) and i cannot push out the Agent.

I just wondered if anyone can offer any suggestions as to why this is happening?

Cheers

Phil

Problems/Symptoms:

When creating a self-contained client installation package the executable

fails to create.

Cause:

A file is missing from you core server that is needed for the creation of

the self-contained client installation package.

Review the CAB.LOG file in the ldlogon directory. If the

self-contained client installation package does not create this file will log an

error and document the failure.

At the bottom of this log you will see an error as shown below:

FCIAddFile() failed(missingfilename.ext): code 1 Failure opening file to be
-- stored in cabinet--
Add File

http://missingfilename.extfailed!
MakeCAB
failed

 

Example shown is what would occur if the sdclient.exe file was missing:

FCIAddFile() failed(SDCLIENT.EXE): code 1 Failure opening file to be stored
-- in cabinet--
Add File

http://SDCLIENT.EXEfailed!
MakeCAB failed

 

Fix:

Locate a copy of the missing file and restore it to the ldlogon directory.

NOTE: Try searching the Core Server's hard drive and the Installation

CD. If you installed with the downloaded executable instead of the installation

CD, extract the executable using winzip, winrar, or a similar program to a

directory and search for the missing file in that directory.)

If the file that is missing is the LDAppl3.ini file follow these steps:

Re-Create the LDAppl3.ini In the 32bit console:

1) Go to Tools | Reporting/Monitoring | Software License Monitoring

2) Click the button "Make available to clients"

Once the LDAppl3.ini has been created you will be able to create the self-contained client installation package.

If you cannot locate a copy of the missing file, contact support for

assistance

</div>

Hello. I have a machine with complete agent install, but this machine does not visible in the console. The cert is ok, the agent files it´s ok.Thanks

Description

When trying to push a new agent configuration to unmanaged devices, the scheduled task fails with the following error message:

Unable to contact the specified machine. The machine may be off or unreachable.

Cause

1. The LANDesk Scheduler Service account does not have permissions to write to the clients C$ or Admin$ share.
   

   Note:For ease of user management for deployment, devices should be part of an Active Directory Domain.

2. Simple file sharing is enabled on the target workstation.

3. File and printer sharing for Microsoft networks is disabled on the target workstation.

4. The Windows Firewall (enabled by default in Windows XP with Service Pack 2) will block remote connections when enabled.

5. Other third party firewalls can block remote connections if enabled.

Resolution

Depending on the cause, different resolutions may be required.  Below is a list of possible resolutions to this issue.

1. Configure the Scheduler Service account on the Core Server to run as a user account that has administrative privileges on the target workstations.

   1. On the core server, open the LANDesk Management Suite console.

   2. Go to Configure | Services | Scheduler.

   3. Click on Change Login.

   4. Change the service login account to be that of a user with administrator permissions on the target devices of the scheduled task. This is normally a domain administrator account. Ensure all domain accounts use the format Domain\UserName. If some of your targets are not part of a domain, you may also specify additional accounts in the Alternate credentials section.

   5. Click OK.

   6. When prompted, restart the Scheduler service.

   7. Restart the Agent Deployment scheduled task.

2. If there is a Domain Policy (GPO) to Force Security Accounts enabled on the Domain Controller. Disable this to resolve the rights issue.

3. If the target workstation is not a member of a Domain, disable simple file sharing on the target workstation.

   1. Within windows on the target workstation, open Explorer.

   2. Select Tools | Folder Options | View.

   3. Scroll to the end of the list under Advanced Settings and remove the check mark from Use simple file sharing (Recommended).
      

      Note:To make the change from the registry, open regedit and browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and edit the ForceGuest REG_DWORD and change the value to decimal 0.

4. If File and Printer Sharing for Microsoft networks is disabled, it must be enabled. 

   1. Within windows on the client machine open up properties on "My Network Places".

   2. Choose properties for the appropriate network connection.

   3. Ensure that File and Printer Sharing for Microsoft networks is checked. 

5. Install the agent manually by browsing to
   CoreServer\ldlogon and running WSCFG32.EXE.

6. Verify the problem isn't a firewall issue.

   1. Disable the Windows firewall on the XP machines.  Use a Domain GPO if needed.

   2. Deploy the Agent Configuration
      

      Note:Once the agent is installed, the agent services are automatically registered with the Firewall as exception.  The Firewall can now be enabled. 

7. Verify that access to the C$ and Admin$ shares is not being blocked.

   1. If access is being blocked to the and Admin$ shares, have them determine the reason this is so in their environment and test again once the issue is resolved. 
      

      Note:Have the administrator contact Microsoft or search the web for common reasons for why the C$ and Admin$ shares are unavailable.

This document has been written to specify what versions of .NET are deployed with the various currently supported versions of the Ivanti Endpoint Manager Agent and what versions are "supported" with those Agent versions. This effort is being made to help reduce conflicts with installed software in customer environments.

ENVIRONMENT

LANDESK Management Suite 9.6

DESCRIPTION

Agent Health is a new feature in LANDESK Management 9.6 and will allow you to do the following:

• Add or Remove one of the Agent's component without having to re deploy an agent or an update to the agent
• Ensure that your agent is properly installed and no files are missing or corrupted
• Repair your agent if a file is missing or corrupted
• Modify your components settings to meet the configuration you set in Agent Health
• Update your Agent files, components and settings if it is outdated

HOW IT WORKS

Agent Health is using the vulnerability scanner (vulscan) to check the following on a machine:

• Which components are installed
• How these components are configured
• Are they missing one or more file(s)
• Are the services running properly as required
• Are the files up to date

It will then compare this to the configuration you set in your agent health on the Core and adjust the settings accordingly on the clients.

VIDEO

    Youtube version: LANDESK Agent Health - How to use

BASIC SETUP OF AGENT HEALTH

I. Download the latest updates for Agent Health

Go to Agent Settings and click on the update icon:

Then go to: Updates - Windows - Software Updates - Check LANDESK 9.6 Agent Health and click Download now

You should then see the following in your Patch and Compliance window:

(You can find the Agent Health definitions in View by Vendor - LANDesk Software)

These are the definitions for Agent Health, they contain scripts to either install or uninstall a component like Remote Control or XDD.

II. Create a Query and Scope in order to enable AutoFix on it

In our example, we will create a Query, then a Scope based on this Query.

We will only target our Windows 7 machines for this lab.

In your Network View - Queries - My Queries, New Query

Once your Scope is created, go to Patch and Compliance, into View by vendor, and look for LANDESK Software to find your definitions. You will have to set the AutoFix enabled on the Scope you created earlier for each of the definitions you will be using (see How To Use Autofix in Patch and Compliance Manager)

Once done, you will only have to create and deploy your Agent Health Settings, then launch a Security Scan to have it applied to the machine.

SCENARIO: Install and/or Repair a component via Agent Health

In our example, we will install Remote Control to a machine that doesn't have it.

Go to Agent Settings - All Agent Settings - Agent Health - Right click and New

You will now set the configuration you want for this Agent Health Settings. In our case, we will add the Remote Control component.

I. Deploy your Agent Health settings

Once you have saved your Agent Health settings, you will have to deploy it. To do so, in Agent Settings - Create a task - Change settings

You will have to choose the Agent Health settings you created earlier, in our case: Agent Health - Install Remote Control

After your scheduled task is generated, apply it to the devices / groups / queries you would like, then start the task.

II. Apply your Agent Health settings using Vulscan

Once the task has completed successfully, you will have to run vulscan.exe through a Patch and Compliance Scan or a Security Scan from the machine for example.

When the scan is finished, and the autofix has been applied, you might then be able to see the changes:

You can then test that Remote Control is working on this client:

SCENARIO: Repair a component via Agent Health

If a third party software or a user deleted / modified the Agent files and/or folders, you would have had to troubleshoot until you realize that a file is missing and which one it is, uninstall then reinstall the agent.

This whole process might take at least 1 hour if everything is going perfectly, and could go up to many days if not.

With Agent Health, you will be able to check that your Agent is properly installed and functional. If not, then Vulscan will scan, detect, download and reinstall the missing files.

In our example, we cannot use the Inventory Scanner as the LDISCN32.EXE has been deleted:

I. Deploy your Agent Health settings

We set our Agent Health Settings to check our Base Agent and be sure that our Settings are the right ones (you can modify them as well with Agent Health), then we schedule it to push it to the device:

II. Apply your Agent Health settings using Vulscan

Once you have deployed your settings, and ensured that your Base Agent definition is configured to be AutoFix on a Scope that contains your targeted device, you can then launch a Security Scan on the machine:

After your Security Scan is done and you saw the Base Agent being fixed, you can try again to launch an Inventory Scan:

How to Build a Self Contained Executable for Installing Ivanti Endpoint Manager on a Legacy Operating System

Description

To maintain compatibility with legacy operating systems, a special agent must be created from older code sources.

A LANDESK EPM agent compiled from the older LDMS code branches is what must be used to continue using Ivanti EPM on these legacy Operating Systems. The Whitepaper attached to this article describes how to build/configure the "Legacy Agent".

The LDMS 2016.3 release and later no longer support the installation of the agent on Windows XP and Server 2003 systems. Existing agents on Windows XP/2003 will continue to function, but new features will not be available. If you have a large number of Windows XP devices and need to continue installing agents, it is recommended that you use LDMS 2016.0 with SU5. An agent installation can be created and preserved from the previous version, or Windows XP machines can be managed by a previous version of LDMS until they are updated to operating systems supported by Microsoft®.

REFERENCE: https://community.ivanti.com/downloads/Readme/Pages/LD2016.3.html

To create the LANDESK Agent 2016.0 that is compatible with Windows XP and/or Windows Server 2003, please perform the following.

1. Set up a Windows Server 2012 R2 server with the same computer name as the new later version core server and with the same IP address as the new later version core server in an isolated environment.
2. Install LDMS 2016.0* on the Windows Server 2012 R2* created in step 1 above.
3. Install Software Update 5 (SU5)** for LDMS 2016.0 on the Windows Server 2012 R2 created in step 1 above.
4. Create a new LANDESK Agent Configuration agent configuration with a unique name.
5. Create the self-contained LANDESK Agent executable(s).
6. Copy the executable(s) to the new later version core server.
7. Run %ldms_home%legacyagent.exe on the new later version core server.
   
   
8. Browse to the executable created on the 2016.0 core server.
9. Browse to the location you wish to save the updated self-contained executable.
10. Browse to the most recent file in "C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\certs\*.0" and click "Add".
11. Check the box labeled 'Edit configuration file manually.'
12. After clicking "Update" the following message will appear:
    
13. Browse to the directory stated in this dialog, and locate the agent ini file. In this example, you would locate the file called 'Default Windows Configuration.ini'.
14. Edit the file, and locate the line ServerName='core name', and replace 'core name' with your new core's hostname.
15. Next, search for "REG45" and add the following line below that.
    

    REG46=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\ManagementSuite\WinClient\Vulscan\CommandLine, /NoSelfUpdate, , REG_SZ

16. Click "OK" and the files will be processed and the Legacy Agent will be built in your desired target location.
17. Repeat steps 7-14 for any further Agent Configurations you wish to process.
18. After your legacy agent has been deployed, you will need to create a Change Settings task, and push the correct settings to your legacy agents.
    1. Do not use the option 'Schedule update to agent settings', found in agent configuration, as this will break the legacy agent.
    2. For more information on creating a change settings task, please view the following document:How To: Change Agent Settings

* Download LDMS 2016.0 from here .

** Download Software Update 5 ( SU5 ) for LDMS 2016.0 from here.

Hello,

I'm currently deploying Ivanti Endpoint Manager 2017.3 for one of my customers and the customer wants to have the ability to manage computers which are not on the domain and not on the LAN

We already deployed the Ivanti Gateway so we are able to have remote control on computers with the agent already deployed.

We installed the agent directly from the workgroup computers, agent is in Gateway mode, but the computer don't appear on the Ivanti console

Do we have a specific action to do in order to have this configuration working ?

Thank you,

Regards

I have an issue with some workgroup machines - Agent is down, I can remote control deploy etc all is well except the real time inventory and monitoring.

If i launch this from the core by right clicking a machine i am asked for credentials... we already have the local admin account listed in the scheduler service along with other accounts.. I am at a loss though as to where to add an account to stop real time Inv prompting for creds?? Any ideas anyone?

We recently had an upgrade to v2017.3 SU5

As part of this a new Ivanti Agent was provided.

This has been pushed out to some HP T630 thin clients to replace the older Agent.

It installs successfully but we have since started to get reports of issues.  The user receives an error message:

Warning: 70% of UWF overlay cache consumed - The UWF overlay cache has reached the warning level. You should remove some files from the overlay cache.

Is it better to not have an actual Agent on thin clients due to the overlay cache?  Or is having one normal?

Thanks

Phil

Hello,

just a quick question:

I created  an advance agent that works very well. Anyway, now when i'm deploying the agent the task first says it's a failure (impossible to locate the agent) but when i refresh it, it is successul.

The advance agent is in my ldlogon\AdvanceAgent folder.

Any idea?

Regards,

David.

We do some network analysis and we can see that computers are doing a lot off multicasting traffic on address: 239.83.100.109

The problem is all the computers do ARP request broadcast on the network and this causing issue on printers devices sensible to the broadcast.

How we can solve this ?

Regards

通过核心服务器分发URL链接能直接到终端门户管理器中的收藏夹选项里面吗？我应该怎样操作能实现此步骤？或者怎样操作可以使终端门户管理器中的收藏夹选项消失呢？帮帮我！

Landesk Management Suite 2016 / version 10.0)is using a new service called "Self-electing subnet services" (SESS): Self-electing subnet services

Under some specific circumstances SESS service may cause very high CPU usage in client machines and servers, sometimes intensive multicast network traffic is experienced as well (even if you have not configured your Agents to use Multicast).

Such incorrect behaviour can be identified by checking your Task Manager or Process Manager - you will see Targeted Multicast Client Service Executable (tmcsvc.exe) generating CPU load.

Solution:

Please first check the agent configuration settings for distribution and patch as 'tmcsvc.exe' can be used in multicast and peer-to-peer deployment, so on the agent settings set up for the agent configurations of the clients, you can disable "Attempt peer download" and "Use Multicast" (this can be found in Agent settings -> Distribution and Patch settings -> General settings -> Network Settings).

It will update all the clients at the next daily vulnerability scan run on the clients where this settings is configured.

If the above settings are not used (configured) then SESS can be deactivated in the agent "Client Connectivity Settings" set up on the agent(s) deployed on the clients.

To do that, go to Tools -> Configuration -> Agent Settings and then click  'Client Connectivity' settings and open 'Self-electing subnet services' tab and uncheck box "Enable self-elect subnet service", click 'Save'.
At the next daily vulnerability scan, on each computer having this settings, it will deactivate this option (alternatively you can create a task to deploy updated agent settings to the clients).

Once this is done please check if the the CPU load from tmcsvc.exe has decreased on the agents.

Additional information:

You can also go in the Management Console -> Tools -> Configuration -> Self-electing subnet services -> Select Extended Device Discovery on both LAN/Wireless -> Right-click each subnet and select disable (by default SESS is disabled for wireless networks but enabled for wired networks).

Some additional information on this topic can be find here: Agent 2016 - Targeted Multicast Client Service Executable - tmcsvc.exe very high CPU on all clients/servers

Hello,

at the moment I'am investigating a alarming situation on all of our 2016 Clients and Servers.

We have very high CPU usage on all of our systems for the tmcsvc.exe (Multicast Services). The Clients work halfway okay with that load - but on our servers I see real performance issues.

We did not even activated Multicast in our Distribution and Patch Settings - so I have no glue where the high cpu comes from.

Perfmon shows me high read/write Operations accompanied by the high CPU peaks.

I would be happy about any advice what is happening here, and what options I have to stop it.

Best Regards, Marco

I have take a copy of our database and upgraded it from 2017.3 to 2018.1.

One of the issues I am having is that when doing a "Rebuild All" of my agent configurations for every non-windows based agent I am getting failures with the errors "There is no available certificates." If I open the agent properties, no certificates are listed to check. If I open any of the windows based agents, the certificates are there.

The certificates are also in the directory at C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\certs

We are moving from 2017.3 to 2018.1. We configure a windows agent with the PXE stuff turned on. We deploy these agents to specific devices and all other devices do not have them turned on. This way self electing subnet services can only elect these specific devices to serve as the PXE rep.

After recompiling the agents, ensuring the SESS PXE was turned on for the subnet, we noticed that the device was missing the 2 services required to act as a PXE rep. We reinstalled twice and the services did not return. We also checked the registry to make sure it was not marked as being in an error state and the score for this device was already at 100.

There is something broken with the agent install, which is failing to install the required services. Everything I have checked so far has not led to a root cause of the failure.

Rick

Hi there ,

I have several machines that fail when installing patches with the error message " status marked as detected because pre-req check failed."

I saw on a document provided by ivanti that the problem is due to the registry key "Common AppData"= "C:\ProgramData"

Is there any BAT or script that i can use to deploy this key to all my affected machines plzz !!!

Thanks for help

Description:

This article describes the steps involved in completely removing a remote console, agent, and other settings from a remote device. The article will include standard methods for removal but it will also include steps to thoroughly check and manually remove services, files, drivers, etc that may be left behind when an application becomes corrupted. These steps may be necessary when experiencing difficulties installing an agent or remote console.

Step 1: Use the pre-designed removal applications.

• Remote Consoles: Use Add/Remove Programs in Windows.
• Remote Control Viewer: Use Add/Remove Programs in Windows.
• Agent: The following applications will attempt to automatically remove the agent: Uninstallwinclient.exe, Uninstallmacagent.sh, and Linuxuninstall.tar.gz. (Uninstallwinclient.exe will have a switch /forceclean that will more thoroughly remove information) (Note: All of these applications will be located in the C:\Program Files\LANDesk\ManagementSuite folder on the core server). Please see doc: How to uninstall the Ivanti / LANDESK Agent for Windows for more detailed info on uninstalling windows agent.

Step 2: Manually Stop and Remove Services (if necessary)

• Open services.msc from the RUN line in Windows and search for any services that start with "LANDESK". If they are found attempt to stop them and manually delete the corresponding registry key from HKLM\System\CurrentControlSet\Services. (Searching this key for LANDESK/Ivanti is usually a good method)

Step 3: Delete files that may be left over.

• C:\Program Files\LANDesk
• C:\Documents and Settings\All Users\Application Data (hidden folder by default)
• The documents and settings path will vary on newer versions of Windows.

Step 4: Delete registry keys that may be left over

• HKLM\Software\Intel\LANDesk
• HKLM\Software\LANDesk
• HKLM\Software\Wow6432Node (same subkeys as noted before...this is for 64-bit OS's)
• KLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall and search for LANDesk from here and remove the non-msi product guid keys
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\ ( perform a search for the LANDesk Software and delete the key.

Step 5: Check for the Remote Control Mirror Driver

• A mirror driver for remote control usually installs with the agent and should be listed in Device Manager under Display Adapters. This can be removed manually or with setupmirror.exe or setupmirror64.exe located in the LDLogon folder on the core.

Additional Notes: At this time it may be a good idea to remove/reinstall pre-requisites for the Remote Console as well.