This document collects agent configuration and agent deployment best practices for LDMS 9.0 (LANDESK Management Suite 9).
Documentation for agent configuration and deployment for the LANDESK 9 release.
List of Executables and Services run on Client
The following is a list of the services and executables run by the 9.0 SP2 LANDESK agent on a managed Windows client.
SERVICES
LANDESK Message Service
LTAClientEnforcer
LANDESK Ping Discovery Service
LANDESK Remote Control Service
LANDESK Targeted Multicast
LANDESK (R) PXE MTFTP Service
LANDESK (R) PXE Service
LANDESK Policy Invoker
LANDESK (R) Antivirus
LANDESK (R) Management Agent
LANDESK (R) Software Monitoring Service
EXE
C:\WINDOWS\system32\msgsys.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDESK\LDClient\issuser.exe
C:\Program Files\LANDESK\PXE\System\PXEMTFTP.exe
C:\Program Files\LANDESK\PXE\System\PXESvc.exe
C:\Program Files\LANDESK\LDClient\LTAClientEnforcer.exe
C:\Program Files\LANDESK\LDClient\ActiveNotifyer.exe
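The list above is useful as a baseline for checking what an agent install actually left on a client. The following PowerShell script is an added example, not LANDESK-supplied code: it looks up each service display name from the list, reports its state, start mode and binary, and verifies the binary's Authenticode signature, so an unexpected path or an unsigned binary under the LANDESK directory stands out. It assumes only that the display names match the list above; services that are not present (for example LANDESK (R) Antivirus when that component was not deployed) are reported as NOT INSTALLED rather than assumed.

```powershell
# Added example: audit the 9.0 SP2 agent service footprint against the list above.
# Display names are taken verbatim from the list; anything missing is reported, not assumed.
$expected = @(
    'LANDESK Message Service',
    'LTAClientEnforcer',
    'LANDESK Ping Discovery Service',
    'LANDESK Remote Control Service',
    'LANDESK Targeted Multicast',
    'LANDESK (R) PXE MTFTP Service',
    'LANDESK (R) PXE Service',
    'LANDESK Policy Invoker',
    'LANDESK (R) Antivirus',
    'LANDESK (R) Management Agent',
    'LANDESK (R) Software Monitoring Service'
)

# Win32_Service exposes PathName (binary plus arguments); Get-Service does not.
$installed = Get-CimInstance -ClassName Win32_Service

$report = foreach ($name in $expected) {
    $svc = $installed | Where-Object { $_.DisplayName -eq $name }
    if (-not $svc) {
        [pscustomobject]@{ Service = $name; State = 'NOT INSTALLED'; StartMode = ''; Binary = ''; Signature = '' }
        continue
    }
    # Strip surrounding quotes and any arguments to get the executable path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $sig = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FILE MISSING' }
    [pscustomobject]@{
        Service   = $name
        State     = $svc.State
        StartMode = $svc.StartMode
        Binary    = $exe
        Signature = $sig
    }
}

$report | Format-Table -AutoSize
```

Run it elevated so Win32_Service returns PathName for every service. A Signature value other than Valid for a running LANDESK service, or a Binary outside the paths listed above, is worth investigating before trusting the client.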
How To: Remove Local Scheduler Tasks from Clients Using a Script
Description: If it is determined that a local scheduler task should be removed from client computers, this can be done through a script run as a scheduled task from the LANDesk Management Suite 32-bit console.
Resolution:
Create a Query
1) In the 32 bit console right click on My queries and click New Query
2) Under Machine Components go to Computer | Device Name
3) Click Exists and click Insert
4) Click the button labeled Select Columns
5) Under Machine Components go to Computer | LANDesk Management | Local Scheduler | Scheduled Tasks
6) Click on Handle and click the button labeled >>
7) Click on Executable Path and click the button labeled >>
Machines from an Unmanaged Device Discovery (UDD) scan are missing
Cause 1: The computer already has an inventory record in the database, so UDD does not list it as unmanaged.
Resolution: Locate the computer's inventory record under All Devices and delete it. Then rerun the UDD scan.
Cause 2: The computer has an entry in Pending Unmanaged Client Deployments.
Resolution: From Network View | Configuration | Pending unmanaged client deployments, delete the computer record. Then rerun the UDD scan.
Agent Deployment Results in error: "Unable to contact the specified machine" 1087
Description
When trying to push a new agent configuration to unmanaged devices, the scheduled task fails with the following error message:
Unable to contact the specified machine. The machine may be off or unreachable.
Cause
One or more of the following:
The LANDesk Scheduler Service account does not have permission to write to the client's C$ or Admin$ share.
Note: For ease of user management during deployment, devices should be members of an Active Directory domain.
Simple file sharing is enabled on the target workstation (every network logon is then mapped to Guest, so the administrative shares cannot be opened).
File and Printer Sharing for Microsoft Networks is disabled on the target workstation.
The Windows Firewall (enabled by default in Windows XP with Service Pack 2) blocks the remote connection when enabled.
Other third-party firewalls can block remote connections if enabled.
Resolution
Depending on the cause, different resolutions may be required. Below is a list of possible resolutions to this issue.
Configure the Scheduler Service account on the Core Server to run as a user account that has administrative privileges on the target workstations.
On the core server, open the LANDesk Management Suite console.
Go to Configure | Services | Scheduler.
Click on Change Login.
Change the service login account to that of a user with administrator permissions on the target devices of the scheduled task. This is often a domain administrator account, but it does not need to be: the Scheduler service holds these credentials on the core and uses them to log on to every target, so a dedicated deployment account that is a local administrator on the targets (for example via Restricted Groups) exposes far less if the core is compromised. Ensure all domain accounts use the format Domain\UserName. If some of your targets are not part of a domain, you may also specify additional accounts in the Alternate credentials section.
Click OK.
When prompted, restart the Scheduler service.
Restart the Agent Deployment scheduled task.
If a Domain Policy (GPO) that forces security accounts is enabled on the Domain Controller, disable it to resolve the rights issue.
If the target workstation is not a member of a domain, disable simple file sharing on the target workstation.
Within windows on the target workstation, open Explorer.
Select Tools | Folder Options | View.
Scroll to the end of the list under Advanced Settings and remove the check mark from Use simple file sharing (Recommended).
Note: To make the change from the registry, open regedit, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and set the ForceGuest REG_DWORD value to decimal 0. A value of 1 is what simple file sharing sets; it forces every network logon to authenticate as Guest, which is why the C$ and Admin$ connections fail.
If File and Printer Sharing for Microsoft networks is disabled, it must be enabled.
Within windows on the client machine open up properties on "My Network Places".
Choose properties for the appropriate network connection.
Ensure that File and Printer Sharing for Microsoft networks is checked.
Install the agent manually by browsing to \\CoreServer\ldlogon and running WSCFG32.EXE.
Verify the problem isn't a firewall issue.
Disable the Windows Firewall on the XP machines while testing; use a Domain GPO if needed. Where the firewall must stay on, allowing the File and Printer Sharing exception (TCP 445) toward the core is enough for the push and keeps the rest of the firewall in place.
Deploy the Agent Configuration
Note:Once the agent is installed, the agent services are automatically registered with the Firewall as exception. The Firewall can now be enabled.
Verify that access to the C$ and Admin$ shares is not being blocked.
If access to the C$ and Admin$ shares is being blocked, have the administrator determine why this is so in their environment and test again once the issue is resolved.
Note:Have the administrator contact Microsoft or search the web for common reasons for why the C$ and Admin$ shares are unavailable.
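Since the error message is the same for every cause above, it helps to test the individual preconditions from the core before changing anything. The following PowerShell script is an added example, not part of the LANDESK article: run it on the core (or an admin workstation) under the same account the Scheduler service uses, and it checks, for each target, whether TCP 445 is reachable, whether that account can open C$ and ADMIN$, and whether ForceGuest is set. The host name WKS001 is a placeholder; the ForceGuest read uses the remote registry API and assumes the Remote Registry service is running on the target.

```powershell
# Added example: pre-flight check for an agent push that fails with
# "Unable to contact the specified machine".
# Run as the Scheduler service account so the share test reflects what the push will see.
param([string[]]$Targets = @('WKS001'))   # hypothetical target names

function Test-AgentPushPrereqs {
    param([Parameter(Mandatory)][string]$Computer)

    $result = [ordered]@{ Computer = $Computer }

    # 1. Is SMB (TCP 445) reachable? A firewall dropping it makes the core report the machine as "off".
    $result.Smb445 = (Test-NetConnection -ComputerName $Computer -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded

    # 2. Can this account open the administrative shares the push writes to?
    foreach ($share in 'C$', 'ADMIN$') {
        try {
            $null = Get-ChildItem -LiteralPath "\\$Computer\$share" -ErrorAction Stop | Select-Object -First 1
            $result[$share] = 'OK'
        } catch {
            $result[$share] = $_.Exception.Message.Trim()
        }
    }

    # 3. Is simple file sharing / ForceGuest on? (1 = every network logon becomes Guest.)
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $result.ForceGuest = $lsa.GetValue('ForceGuest', 'not set')
        $hklm.Close()
    } catch {
        $result.ForceGuest = "unreadable: $($_.Exception.Message.Trim())"
    }

    [pscustomobject]$result
}

$Targets | ForEach-Object { Test-AgentPushPrereqs -Computer $_ } | Format-List
```

Smb445 = False points at the firewall causes; a share column showing "Access is denied" with Smb445 = True points at the account or ForceGuest causes; "The network path was not found" with Smb445 = True usually means File and Printer Sharing is off.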
How to uninstall the Ivanti / LANDESK Agent for Windows
Environment: Various
Question:
How to uninstall the Ivanti / LANDESK Agent for Windows ?
WARNING: DO NOT use the /FORCECLEAN switch on a Core Server or Service Desk server when removing the Agent for Windows from that server, as this will break the Core Server / Service Desk server.
Answer:
Run UninstallWinClient.exe. This program is located in the ldmain share on the Core Server by default (C:\Program Files\LANDesk\ManagementSuite\ldmain). It can be run from that share or copied to the local client and executed. It is a standalone program and does not rely on any other files in order to run. UninstallWinClient.exe removes the Agent for Windows only.
By design, UninstallWinClient.exe will remove:
All Ivanti / LANDESK files except some in ‘all users\application data\’ such as the APM DB
All Ivanti / LANDESK start menu shortcuts
All Ivanti / LANDESK services
All registry values and keys except the common API keys containing the LANDESK GUID
UninstallWinClient.exe has the following command-line options:
/NOREBOOT    The client is not rebooted after the agent removal process completes.
/REBOOT      After the agent removal operation the user is prompted to reboot.
/UI          A progress window is displayed during the agent removal process.
/NODELCBA    CBA8 (the LANDESK Management Agent service) is not removed. This is useful in some special cases, for example when the agent removal breaks third-party software that depends on CBA8.
/FORCECLEAN  Introduced in 9.0; removes the whole LANDESK installation. This includes some shared DLLs, so other programs may stop working properly.
If you want to uninstall the agent remotely, UninstallWinClient.exe can also be deployed as an Executable Distribution Package.
No additional files need to be added to the distribution package.
It's recommended to use the /NOREBOOT switch in the package if there is an end user using the client so that the machine doesn't reboot and cause the user to lose work.
When you distribute this package, the agent will be uninstalled, but the status of the task will remain "active" until it times out and eventually fails. This is because the agent is no longer able to report status back to the core.
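For cases where the uninstall is run from a script rather than a distribution package, the following PowerShell wrapper is an added example and not LANDESK-supplied code. It copies UninstallWinClient.exe from the ldmain share (the core name CORE is a placeholder) to a local folder, warns if the binary is unsigned, and refuses /FORCECLEAN when the machine looks like a core server. The core-server test, the presence of the ManagementSuite folder named above, is a heuristic chosen for this example, not something LANDESK documents.

```powershell
# Added example: run UninstallWinClient.exe with the switches above, guarded against
# the /FORCECLEAN-on-a-core mistake described in the warning.
param(
    [string]$Source = '\\CORE\ldmain\UninstallWinClient.exe',   # hypothetical core name
    [switch]$ForceClean,
    [switch]$Reboot
)

# Heuristic: the core installs under this folder (see the ldmain path above).
$coreMarker = 'C:\Program Files\LANDesk\ManagementSuite'
if ($ForceClean -and (Test-Path -LiteralPath $coreMarker)) {
    throw "Refusing /FORCECLEAN: $coreMarker exists, this looks like a Core/Service Desk server."
}

# Copy locally first so the uninstall does not depend on the share staying reachable
# once the agent's own network services start to go away.
$local = Join-Path $env:TEMP 'UninstallWinClient.exe'
Copy-Item -LiteralPath $Source -Destination $local -Force

# Check the signature before running a binary from a temp folder with admin rights.
$sig = Get-AuthenticodeSignature -FilePath $local
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status for $local is $($sig.Status); verify the source before trusting it."
}

$switches = @('/UI')
$switches += if ($Reboot) { '/REBOOT' } else { '/NOREBOOT' }
if ($ForceClean) { $switches += '/FORCECLEAN' }

$proc = Start-Process -FilePath $local -ArgumentList $switches -Wait -PassThru
"UninstallWinClient exit code: $($proc.ExitCode)"
```

The default is /NOREBOOT for the reason given above; pass -Reboot only when no user is logged on. Because the core cannot see the result once the agent is gone, record the exit code locally or in your own logging rather than relying on task status.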
If UninstallWinClient.exe is failing to remove part of the agent and is causing problems:
Try the version of UninstallWinClient.exe from the newest service pack.
Notify customer support.
Related questions:
- How to uninstall the LANDESK client without rebooting?
- What are the UninstallWinClient.exe command line options?
- Is there a way to clean most of the Ivanti / LANDESK remnants after /FORCECLEAN has been used?
- Yes, merge the attached LANDESK Remnants Removal.reg on the machine(s) where the Ivanti / LANDesk agent was removed with the /FORCECLEAN switch.
- To view the LANDESK Remnants Removal.reg contents, open the file with your favorite text editor.
- To create your own registry removal .reg file, see Microsoft's article "How to add, modify, or delete registry subkeys and values by using a .reg file": https://support.microsoft.com/en-us/kb/310516
Related errors:
- Xtrace log shows : FAILED: bCriticalError is true. Setting exit code to ERROR_INSTALL_FAILURE
What is the cba_anonymous account? / How does LANDESK manage client access? / Is there a way to remove the cba_anonymous account after an install and a log off? / Can I disable the cba_anonymous account?
The cba_anonymous account is created by ServiceHost.exe, which runs under the LANDESK Management Agent (CBA) service, whenever an anonymous connection is requested. It is created as a member of the local machine's Guests group.
**In the 2016.3 SU3 and 2017.1 releases, CBA anonymous access has changed and no longer creates a cba_anonymous account. A local account is used instead, and the GPO/permission changes are no longer needed. The account can be deleted and will not be re-added when the new agent is installed.**
Q. How does LANDESK manage client access?
A. When a connection is made to CBA, the account will be created to provide the connection with guest account rights. You can manually make this request on the client by opening a web browser, then hitting url http://localhost:9595/allowed/ldping.
Q. Who creates the password and where does it get stored?
A. The password used by the account is randomly generated and stored securely in memory only. The generated password consists of multiple random generated sections using OpenSSL to meet even the most stringent password complexity requirements. Since the password is stored ONLY in memory it will be regenerated on reboot, service restart(then additional request), or if the current session has expired. The password will include at least the following: Upper Case, Lower Case, Number, Special character, and a length of at least 28 characters.
Q. Is there a way to remove the cba_anonymous account after an install and a log off?
A. The account is used with a randomly generated password for CBA communication. If the account is removed it will be recreated when needed by ServiceHost.exe.
Q. Is this account created on all Windows Operating Systems?
A. All Windows NT based Operating Systems use this account.
Q. Is this account created as a domain account?
A. No. cba_anonymous is a local account. The only time it will appear as a domain account is if the LANDESK agent is installed on a Domain Controller. Currently this is a supported configuration and should work. If you're having problems getting it to install, please open a case with support.
Q. Can I disable the cba_anonymous account?
A. No. The LANDESK core server uses cba_anonymous to perform an LDping against the client web service to verify the client prior to executing any functions on the remote agent. The LDping returns the host name and LANDESK Device ID, which the core verifies before executing a task on the managed node. Without this information you will not be able to manage any machines, as they will appear to be "off" because they cannot be discovered.
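To see the behaviour described above on a client, the following PowerShell is an added example, not part of the LANDESK article. It records the state of the local cba_anonymous account, requests the LDping URL given above, and records the account state again. The response body format is not documented here, so it is shown raw rather than parsed. On agents from 2016.3 SU3 / 2017.1 onward the account is expected to be absent before and after.

```powershell
# Added example: trigger an LDping on the local agent and inspect the cba_anonymous account.
# URL and port are the ones given in the answer above; nothing about the response body is assumed.
function Invoke-LdPing {
    param([string]$Agent = 'localhost', [int]$Port = 9595)
    $uri = "http://${Agent}:${Port}/allowed/ldping"
    try {
        $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 5
        [pscustomobject]@{ Uri = $uri; Status = $r.StatusCode; Body = $r.Content }
    } catch {
        [pscustomobject]@{ Uri = $uri; Status = 'FAILED'; Body = $_.Exception.Message }
    }
}

function Get-CbaAnonymousState {
    # Get-LocalUser / Get-LocalGroupMember come with PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts).
    $acct = Get-LocalUser -Name 'cba_anonymous' -ErrorAction SilentlyContinue
    if (-not $acct) { return [pscustomobject]@{ Exists = $false } }
    $inGuests = [bool](Get-LocalGroupMember -Group 'Guests' -ErrorAction SilentlyContinue |
                       Where-Object { $_.Name -like '*\cba_anonymous' })
    [pscustomobject]@{
        Exists          = $true
        Enabled         = $acct.Enabled
        InGuests        = $inGuests
        PasswordLastSet = $acct.PasswordLastSet
        LastLogon       = $acct.LastLogon
    }
}

'Before LDping:'; Get-CbaAnonymousState
Invoke-LdPing
'After LDping:';  Get-CbaAnonymousState
```

Because the password lives only in memory and the account sits in Guests, the events worth alerting on are unexpected changes to the account itself (Windows security events 4720 account created and 4726 account deleted for cba_anonymous) rather than its logons, which are routine on every managed client.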
Configuring and Installing Extended Device Discovery (XDD) Best Known Method
About the LANDesk Adaptive Settings Service and associated Settings
Adaptive settings - Agent settings
Tools > Configuration > Agent settings > Adaptive settings
An adaptive setting is a list of one or more adaptive settings rules ordered by priority. In the adaptive settings agent configuration, you can select multiple rules from a list of available rules. The agent on the managed device checks the triggers for each rule in the selected rules list, starting at the top. The first rule the agent encounters with a matching trigger is applied and rule processing stops. Only one rule can be active at a time. If no rules are triggered, the default settings specified in the agent configuration page are applied.
Adaptive settings allow agent settings to change dynamically on a device based on location (geofencing) or IP address. This is mainly oriented towards mobile devices and laptops. For example, you could have one set of agent settings while a device is connected to the corporate network, but when the device connects to an external network, the agent settings could be more restrictive.
For more information, see Adaptive settings.
NOTE: Enabling adaptive settings will cause .NET 4 to be installed with the agent.
The Adaptive settings dialog box contains the following options:
- Name: The name for this adaptive setting.
- Rules: Move the rules you want to be applied from the Available rules list to the Selected rules list. Click Move up and Move down to change the order if necessary. Click New... to open the Edit adaptive setting rule dialog box.
- If no rules apply: If no rules apply, you can use the default agent configuration settings (in other words, don't change anything) or you can select a specific rule to apply from the Apply the following rule list.
- Lock windows session if location services are disabled: Click to lock the device when location services are disabled, such as when someone leaves your office building or if someone turns on airplane mode.
- Check GPS location every: The default is two minutes. Frequent checks will reduce device battery life.
- Set as default within agent config : Makes this adaptive setting the default for new agent configurations.
Clicking New or Edit in the Adaptive settings dialog box shows the Edit adaptive setting rule dialog box. An adaptive settings rule associates a trigger with one or more agent settings to override when the trigger activates, along with additional one-time actions, such as locking the screen. For more information, see Adaptive settings.
The Edit adaptive setting rule dialog box contains the following options:
- Rule name: The name for this rule.
- Select trigger: Shows available triggers. Use New if there aren't any or if you want to make a new one. Triggers can be either a geofence or an IP address range.
- New...: Opens the Edit trigger dialog box, where you can configure a new trigger.
- Edit...: Edits the selected trigger.
- Delete: Deletes the selected trigger.
- Type/Settings: In the settings list, select the agent setting you want to use for each type.
- On rule activation, perform the following one-time actions: Adaptive settings rules can have one-time actions that execute when the rule activates. Select any one-time actions that you want to be run for this rule.
- Apply HP's recommended locked-down security BIOS settings: This only works on HP devices. You'll need to provide the BIOS password.
- Lock Windows session: Locks the session so the user has to log back in. This can help prevent unauthorized access when the device leaves a secure area.
- Run security scan: Runs the security scan that you select. Click Configure and select a scan.
- Run a batch file or powershell script: Click Configure and select a batch file or PowerShell script.
About the Edit trigger dialog box
The Edit trigger dialog box contains the following options:
- Trigger name: The name for this trigger.
- Select Type: One of the following:
- Geofence: Requires Windows 8 and a device with a GPS. Click and drag the map so the red cross-hair is over the location you want to geofence. Use the scroll bars to zoom in and out. The target radius circle defaults to 10 meters. Increase the Radius if you want it to include a corporate campus, city, and so on. The minimum device accuracy determines how accurate the GPS reading must be for the trigger to activate. If the GPS-reported accuracy exceeds the value you specify, the trigger won't activate.
- IP address range: Works with any Windows device. The Verify core existence on the network option helps prevent network spoofing by making sure the Ivanti® Endpoint Manager powered by Landesk core server is visible to the device before the rule activates; an attacker-controlled network that hands out a corporate-looking address would otherwise be enough to trigger the rule and its one-time actions (including any batch or PowerShell script). Enable it on any rule that relaxes settings. Don't use this option with IP address ranges that won't have access to the core server.
Service
For this service to be installed, the Adaptive settings checkbox in the agent configuration must be selected. If it is not selected, the adaptive settings sent to a device will not be functional.
The LANDESK adaptive settings are controlled on the client by the "LANDESK Adaptive Settings Service" service.
The executable behind this service is "C:\Program Files (x86)\LANDesk\LANDesk.PolicyUpdater.exe".
Logging
Creating the following registry value on the client enables debug logging:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDPolicyUpdaterSvc, value Debug (REG_DWORD) = 1
Debug log files are written with names of the form C:\ProgramData\LANDesk\LANDesk.PolicyUpdater-2019-01-04-054736.log
The date and time in the file name is when the "LANDESK Adaptive Settings Service" started. Example entries:
2019-01-04 05:56:14 [4252:12] [NOTICE] Network change detected - Current IP addresses:
2019-01-04 05:56:50 [4252:9] [NOTICE] Network change detected - Current IP addresses: [192.168.244.128]
2019-01-04 05:56:50 [4252:9] [NOTICE] test net 244: executing: C:\Program Files (x86)\LANDesk\LDClient\Vulscan.exe /changesettings
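The following PowerShell is an added example, not part of the LANDESK documentation: it sets the Debug value described above (restarting the service so the flag is read) and parses the log format into objects, pulling out the rule name and the command the service executed from lines like the third one above. The three sample lines are copied from the excerpt above, not captured from a live system, and the regular expression is written against that format, so it is an assumption about lines not shown here.

```powershell
# Added example: enable Adaptive Settings debug logging and parse the resulting log.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDPolicyUpdaterSvc'

function Enable-AdaptiveSettingsDebug {
    if (-not (Test-Path $svcKey)) { throw "$svcKey not found: is the Adaptive Settings service installed?" }
    New-ItemProperty -Path $svcKey -Name Debug -PropertyType DWord -Value 1 -Force | Out-Null
    # Restart so the service picks up the flag (display name from the text above).
    Restart-Service -DisplayName 'LANDESK Adaptive Settings Service'
}

function ConvertFrom-PolicyUpdaterLog {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # Format assumed from the excerpt: "<date> <time> [<pid>:<tid>] [<LEVEL>] <message>"
        if ($Line -match '^(?<ts>\S+ \S+) \[(?<pid>\d+):(?<tid>\d+)\] \[(?<level>\w+)\] (?<msg>.*)$') {
            $m = $Matches
            [pscustomobject]@{
                Time    = [datetime]::ParseExact($m.ts, 'yyyy-MM-dd HH:mm:ss', $null)
                Pid     = [int]$m.pid
                Thread  = [int]$m.tid
                Level   = $m.level
                # "<rule name>: executing: <command>" marks a rule activation.
                Rule    = if ($m.msg -match '^(?<rule>[^:]+): executing: ') { $Matches.rule } else { $null }
                Command = if ($m.msg -match 'executing: (?<cmd>.+)$') { $Matches.cmd } else { $null }
                Message = $m.msg
            }
        }
    }
}

# Constructed sample: the three lines quoted above.
$sample = @(
    '2019-01-04 05:56:14 [4252:12] [NOTICE] Network change detected - Current IP addresses:',
    '2019-01-04 05:56:50 [4252:9] [NOTICE] Network change detected - Current IP addresses: [192.168.244.128]',
    '2019-01-04 05:56:50 [4252:9] [NOTICE] test net 244: executing: C:\Program Files (x86)\LANDesk\LDClient\Vulscan.exe /changesettings'
)

$events = $sample | ConvertFrom-PolicyUpdaterLog
$events | Where-Object Command | Format-Table Time, Rule, Command -AutoSize

# On a live client, read the newest log instead of the sample:
# Get-Content (Get-ChildItem 'C:\ProgramData\LANDesk\LANDesk.PolicyUpdater-*.log' |
#     Sort-Object LastWriteTime | Select-Object -Last 1) | ConvertFrom-PolicyUpdaterLog
```

The "executing:" lines are the ones to keep an eye on: they show which rule fired and what the service, running as SYSTEM, launched in response, so a rule activating on a network you do not recognise is visible here before it is visible anywhere else.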
Recurring ESENT errors in eventlog
Hi,
on one of our servers we see recurring ESENT errors in the eventlog every 5 minutes.
services (484) An attempt to create the file "\\server.tld.org\ldlogon\new.sdb" failed with system error 5 (0x00000005): "Access is denied. ". The create file operation will fail with error -1032 (0xfffffbf8).
services (484) Unable to write a shadowed header for file \\server.tld.org\ldlogon\new.sdb. Error -1032.
services (484) Database recovery/restore failed with unexpected error -1032.
We have uninstalled the LANDesk agent but with no success. We have no clue what triggers this error every 5 minutes.
Thankful for any help
Best regards
Heino
Not able to edit existing Mac agent configurations
We upgraded to EPM 2018.3 about a month ago from EPM 2017.3 SU5 and now users have lost the ability to edit agent configurations that they had created before the upgrade. I thought it was related to some permissions issue but they are able to create new agent configurations just not able to edit previously created ones. Is anyone else experiencing this?
This is the message users get when trying to open the agent configuration. It does open, but all of the options are greyed out.
Ivanti Endpoint Manager 2017.3 SU5 agent install issue
Ivanti has identified an issue affecting a very small number of customers who upgrade to 2017.3 SU5. In some cases the agent upgrade process encounters an error related to the resident agent that leaves the upgrade in a failed state and leaves the agent unresponsive.
Engineering is aware of this issue and is actively working on a code fix. In addition, there is a workaround:
- Before executing setup.exe, stop the 'LANDesk Targeted Multicast' service...
- End Task on the 'SelfElectController.exe' process
- Execute setup.exe
- Start the 'Intel Local Scheduler Service' (this wasn't being automatically started)
- Start the 'ISSUSER' (this wasn't being automatically started)
- Start the 'LANDesk Targeted Multicast' service TWICE since it stops the first time after detecting the new cert (this wasn't being automatically started)
It is important to consider that this issue is only affecting a very small number of customers. As you test the agent installer during pilot if you encounter the issue please use the workaround above. You may also contact support and reference bug ID# 473782. This thread will be updated when the issue is resolved.
UPDATE if you are affected by this issue please open a support ticket and ask your case owner to escalate as an automated work around is available on a case by case basis.