Enhanced Vulscan Self-Update Feature

In LDMS version 2016.3 and later releases, the Self-Update feature that runs during vulnerability scans has been enhanced to grant additional capability and flexibility.

Vulscan Self-Update

In version 2016.0 SU5 and older, vulscan checks the ldlogon folder to see if any of the core-side self-update files are newer than those same files found on the client. If so, those files would get updated regardless of OS version and LDMS agent version.  In version 2016.3 and later, the self-updating process is smarter and vulscan includes the option to check for a minimum OS version and/or a minimum LDMS agent version if configured to do so.  If the core is not so configured, then self update will occur as usual.

The main benefit to this new system is that you can cause vulscan self-update to use one set of files for devices that meet or exceed your OS and Agent version specifications, and a different set of self-update files for devices that are below your specifications.  This is most helpful if you are still managing Windows XP or Server 2003 devices.

Which Files Are Updated?

The following files are monitored and can be updated:

• LDReboot.dll
• ldavhlpr.dll
• ldReboot.exe
• LDSystemEventCapture.dll
• localsch.exe
• ltapi.dll
• RollingLog.dll
• sendtaskstatus.exe
• softmon.exe
• softmon.sig
• vbscript.v55
• vulscan.exe
• vulscan.sig

Initial Setup and Configuration

If you wish to implement OS and Agent version checking for self-update, create a SelfUpdate subfolder in ldlogon and create an AppliesTo.ini folder within:

The appliesto.ini folder should have the following text:

[Requirements]

MinAgentVersion=10.1

MinOSVersion=6.1

In the example above it is configured for LDMS agent version 10.1 and OS version 6.1 (Windows 7) and is appropriate for the scenario of preventing XP devices from self-updating to the new agent version.  However you should change this to correspond to the actual versions you want to use if you have a different use case.

How it Works

When vulscan runs on a client, it will check with the core server to see if ldlogon\selfupdate folder exists and contains the appliesto.ini folder.  If found, vulscan will use the enhanced process and will use the files in the Self-Update folder for devices meeting or exceeding the versions specified.  Devices not meeting the agent and OS versions will self update from the ldlogon folder.  If the self-update folder or the appliesto.ini file are not found, vulscan will self-update all devices from the ldlogon folder.

Therefore, place the self-update files from your LDMS 2016.0 SU5 WinXP agent into the ldlogon folder, and place the updated files that match your upgraded core version into the self-update folder.  This will cause XP devices to retain self-healing properties through vulscan self-update, but use only the correct files for it's agent version of 2016.0 SU5.  Devices newer than XP will self-update using the correct and proper files that you have placed into the self-update folder.

Issue:

After the agent installation is complete, network connectivity to the workstation or server is lost.

Description:

In Windows Server 2008 and later versions,  the Windows Firewall service is an integral part of the operating system's network stack. As such, Microsoft no longer recommends stopping or disabling the service under any circumstances, and this is now an unsupported configuration. When the Windows agent is installed, it needs to make a number of changes to the Windows Firewall. To make these changes, the agent first enables the firewall service, and then disables it once the changes have been made. The problem we see is disabling the service will cause a number of network-related problems, including the following:

• The server will stop responding to ping requests.
• You will be disconnected from, and unable to connect to, the server via RDP.
• You will be unable to connect to shares on the server.

Although network operations initiated from that server will succeed for the most part, it will appear to other machines as though the server has been disconnected from the network.

Resolution:

Use at your own risk. These commands are provided as is, and are not supported by Ivanti. Please test thoroughly prior to use in a production environment.

Use the following commands in a batch file to properly enable and stop the Windows Firewall service, then properly disable the service again once installation in complete.

 

Enable, start, and turn off firewall:

sc config MpsSvc start= auto

net start MpsSvc

netsh advfirewall set domainprofile state off

netsh advfirewall set privateprofile state off

netsh advfirewall set publicprofile state off

Stop and disable Firewall:

net stop MpsSvc

sc config MpsSvc start= disabled

Advance Agent Creation

Two files are created when and Advance agent is created on the core server.

• <advance agent name>.msi
  • This is a ~1 MB MSI package. When this package runs on a device it installs the LANDESK® Advance agent service. The Advance agent service downloads the associated full agent configuration package and initiates the install.
• <advance agent name>.exe
  • This is the real agent installation file and it will call wscfg32.exe to install the LANDESK agent.

When creating an Advance agent, the dialog prompts for a path and a name for the Advance agent configuration. The path and name of the agent configuration are coded into the MSI along with the hash value of the EXE. The Advance agent service will use the name and hash to determine the package to download and install. In the Advance agent configuration window bandwidth-friendly distribution options can also be configured. All settings configured in the Advance Agent dialog are included in the Advance agent MSI and are used by the Advance agent service after the MSI is installed.

Deploying the Advance Agent

The Advance agent can be deployed a few different ways. One is to create an advance agent push job from the LANDESK Management Suite Console. This job can be created from the Scheduled Tasks pane.

Deployment Steps

1. When the Advance Agent Push scheduled task is started from the core server, the LANDESK scheduler service will create $LDDIR$ folder under C drive on the client and will copy AdvanceAgent.msi to this folder.
2. Msiexec.exe will run this AdvanceAgent.msi. This will create C:\Program Files\LANDESK\LDClient folder and will install AdvanceAgent.exe and other files to this folder.
3. AdvanceAgent.msi will install the advance agent registry keys,install the advance agent service, install the files to C:\Program Files\LANDESK\LDClient folder, open the firewall policy for AdvanceAgent.exe and so on. And the AdvanceAgent.exe will download <advance agent name>.exe
   Note: An AdvanceAgent.log for this particular step will be created on C:\Windows\TEMP\ folder.
4. AdvanceAgent.exe will create a service called "LANDESK Advance Agent". This service will create C:\Program Files\LANDESK\LDClient\sdmcache\ldlogon\AdvanceAgent folder and download <advance agent name>.exe to this folder.
   Note: Another AdvanceAgent.log will be created for this step under C:\Program Files\LANDESK\LDClient folder. This log file will log the download process.
5. After the <advance agent name>.exe is downloaded to the client machine, Explorer.exe will execute the file, then wscfg32.exe will install the agent.

Troubleshooting

There are two logs on the core that may be useful for troubleshooting advanced agents that fail coreside:

• \Program Files\LANDesk\ManagementSuite\log\core.secure.dll.log
• \Program Files\LANDesk\ManagementSuite\ldlogon\AdvancedAgent\(((AgentConfigurationName)))).exe.log

There are two log files on the client machine for advance agent deployment:

• AdvanceAgent.log under C:\WINDOWS\TEMP folder, this is the log file for advanceagent.msi. After the deployment, this log will not be deleted.
• AdvanceAgent.log under C:\Program Files\LANDESK\LDClient folder, this is the log file for LANDESK Advance Agent service, this will log the download of the EXE file. After the EXE file is downloaded successfully, this log file will be deleted. But if the EXE file is not downloaded successfully, the log file will be there.

Here is a screenshot of these files:

I have the process monitor capture file, IF anyone is interested in researching this, I can offer the file(It's huge, about 400mb, so I can't attach it in this article)

I also attached the AdvanceAgent.log file under C:\WINDOWS\TEMP folder for an example.

This document has been written to specify what versions of .NET are deployed with the various currently supported versions of the Ivanti Endpoint Manager Agent and what versions are "supported" with those Agent versions. This effort is being made to help reduce conflicts with installed software in customer environments.

Environment: Various

Question:

How to uninstall the Ivanti / LANDESK Agent for Windows ?

WARNING: DO NOT use the switch /FORCECLEAN switch on a Core Server / Service Desk server when removing the Agent for Windwos from the Windows Server as this will break the Core Server / Service Desk Server !!!!!!!!

Answer:

Run UninstallWinClient.exe. This program is located in the ldmain share on the Core Server by default (C:\Program Files\LANDesk\ManagementSuite\ldmain). It can be run from that share or copied to the local client and executed. It is a standalone program and does not rely on any other files in order to run. UninstallWinClient.exe removes the Agent for Windows only.

By design, UninstallWinClient.exe will remove:

• All Ivanti / LANDESK files except some in ‘all users\application data\’ such as the APM DB

• All Ivanti / LANDESK start menu shortcuts

• All Ivanti / LANDESK services

• All registry values and keys except the common API keys containing the LANDESK GUID

UninstallWinClient.exe has the following command-line options:

If you want to uninstall the agent remotely, UninstallWinClient.exe can also be deployed as an Executable Distribution Package.

• No additional files need to be added to the distribution package.

• It's recommended to use the /NOREBOOT switch in the package if there is an end user using the client so that the machine doesn't reboot and cause the user to lose work.

• When you distribute this package, the agent will be uninstalled ,but the status of the task will remain "active" until it times out and eventually fails. This is because the agent is no longer able to report status back to the core.

If UninstallWinClient.exe is failing to remove part of the agent and is causing problems:

• Try the version of UninstallWinClient.exe from the newest service pack.

• Notify customer support.

Related questions:

• How to uninstall the LANDESK client without rebooting?
• What are the UninstallWinClient.exe command line options?
• Is there a way to clean most of the Ivanti / LANDESK remnants after /ForceClean has been used?
  • Yes, merge the attached LANDESK Remnants Removal.reg to the machine(s) where the Ivanti LANDesk agent is removed with the swich /FORCECLEAN has been used.
    • To view the LANDESK Remnants Removal.reg contents, open the file with your favorite text editor.
    • To create your own registry removal.reg, please see Microsoft's article "How to add, modify, or delete registry subkeys and values by using a .reg file".https://support.microsoft.com/en-us/kb/310516

Related errors:

• Xtrace log shows : FAILED: bCriticalError is true. Setting exit code to ERROR_INSTALL_FAILURE

Description:

When pushing an agent, the status remains active. and shows return code 1165.

Unable to ping the affected device which ping test work properly prior to running the agent installation task.

Reason:

Windows firewall is turned on when the agent is installing, this issue only happen on domain-joined device

Resolution:

1,Restart the OS

2,Turn off the firewall via group policy(just stop windows firewall service no any help)

Problem

When the agent is installed on a domain controller, sometimes the LANDesk Management agent service gets disabled. This prevents agent status icons from displaying in the console, causing problems with other components such as remote control or software distribution.

Cause

In this case, the cause was a group policy that was being applied to the machine. The below policy was set to "Disabled" or "Not Defined". Most of the time "Not Defined" is fine as the device will manage that portion on its own, but if you run into this issue, set it to "Enabled" and Automatic.

Solution

On your domain controller, open gpmc.msc and Right Click>Edit the GPO your device is in.

Navigate to the following location: 

Computer Configuration\Policies\Windows Settings\Security Settings\System Services

Locate the LANDesk Management Agent service and set to Automatic. Now, run gpedit /force on the machine and make sure the service is set to automatic and is started.

If you continue to have issues with agent status, please check out the following documentation:

- Agent Status Icons Suddenly Not Appearing in Console

- Diagram of how Agent Discovery works

Description: Some time ago Microsoft .NET was included with the Ivanti Endpoint Manager (EPM) Agent installation for Windows devices. This document will help address general information and questions.

FAQ:

Question 1:

What version of .NET is included with the agent on version xxxx.xx? 

Answer: The easiest way to tell what version of .NET is included with the agent on a particular version of EPM is to look in the C:\Program Files\LANDesk\ManagementSuite\ldlogon folder. See the screen shot below. This is a 2017.3 core server and has .NET 4.0 and 4.5 included.

Question 2:

Can I disable .NET from installing with the agent?

Answer: No. You can change the way it installs but not IF it installs. See below. It is required for certain portions of the agent to function correctly. The help documentation (portion below) provide more details:

Help Doc Reference on Agent Configuration for .NET:

• .NET installation: When the agent is installed, you can select whether to install Microsoft .NET 4.0 on the managed device. This is a convenience that is useful for two new options that can be installed on devices: Portal Manager (the new version of Desktop Manager) and the Location Detection option (under Inventory settings), both of which require .NET 4.0. If you include either of these options in an agent configuration, select one of the following bundling options.
  • Include .NET in agent installation package: The .NET install is contained within the agent package and is always installed.
  • If .NET is not installed, download and install: .NET is not automatically installed. After the agent is installed, it checks to see whether the managed device already has .NET 4.0 installed. If it does not, the agent uses Vulscan.exe to download and install .NET 4.0. (Any earlier versions of .NET are not affected by this installation.)

Question 3:

I have applications on my client that utilize a lower version of .NET. Installing the agent causes those applications not to function correctly. Are there any other options for managing the device?

Answer: The next best option would be to utilize Agentless Scanning. The following document will help with how this works.

Steps to enable the agentless scanner in 2016.3 and beyond

Description:This article describes some general information on Embedded OS's and Endpoint Manager (EPM). It will cover configuring the two different types of write filters, setting up embedded OS's in a lab environment, and other information.

General Information - Embedded:

• Windows 10 IoT (formally Embedded) Core is not supported with a standard EPM agent. The core version only supports applications from the Windows Store. Managing the device with a mobility agent and MDM server would be recommended.
• Windows 10 IoT (formally Embedded) Enterprise is supported as it is the binary equivalent to Windows 10. Just to note...this version doesn't appear to be on MSDN subscriptions.
• If you are using a license from an MSDN (Microsoft Developer Network) subscription then licenses are trial and last only 180 days.

General Information - Write Filters:

General Notes:

• The commands in the screen shots below provide examples and switches as well as a quick definition of each write filter type.
• If you change the state of the write filter (Enabled to Disabled or Disabled to Enabled) it will take affect on the next reboot. See more examples below.

Enhanced Write Filter (EWF) = A component of Windows Embedded which stores volume changes on another medium instead of applying them to the original volume. Writes can then be discarded or committed to the original volume later.

Example screen shot when the command to disable the write filter is ran. Notice the "Boot Command" is now set to "Disabled". Note: Running this command without the "-disable" will report on the status of the write filter.

File Based Write Filter (FBWF) = Allows Windows Embedded to maintain the appearance of read and write access to write sensitive or read only storage. FBWF makes read and write access transparent to applications.

Lab Example 1: Setting up Windows 7 Embedded as a virtual machine

VM Specifications Used:

1. Create a virtual machine with the specifications above.
2. Use the ISO "Windows 7 Embedded Standard Runtime". The SP1 version of this ISO will work as well.
3. Boot the machine to the selected ISO
4. Select "Build an Image"
5. Accept the license agreement
6. Select "Thin Client" from the "Use a template" option.
7. Select a language
8. Select "Next" on the features page
9. Select "Next" on "Where do you want to install Windows?"
10. Walk through the Out of Box Experience (OOBE) screens.
11. Proceed to configure the write filter as instructed above.

Note: As noted above if you are using the MSDN license this will be a 180 day trial.

Lab Example 2:Setting up Windows 10 IoT (Formally known as Embedded) Enterprise version (As noted above "Core" version is not supported if using a standard agent)

COMING!!!

I – Introduction

The LANDesk Local Scheduler is a very powerful client-side component that is very popular and sees wide usage.

Yet at the same time, it is one of the most easily misunderstood components of the LANDesk Management Suite. The effects of such misunderstanding can range from being a negligible matter to being of serious impact indeed. Not to make too fine a point out of it - it is theoretically possible to configure your tasks in such a way as to ensure that they will never – EVER – run. Or, respectively, run without end.

With the Local Scheduler being such a powerful tool, informed caution is well advised. However, the focus here is not in cautioning, rather it is to inform, to educate.

This article aims to clarify one of the most commonly misunderstood processes of the Local Scheduler, and bring to attention the importance of using time-filter constraints – particularly in bandwidth/timing-sensitive environments.

That frequently misunderstood process is the timing and repetition of tasks.

II – Local Scheduler basics – how to read local scheduler tasks:

There are primarily two ways to read data concerning Local Scheduler tasks.

The first (covered in II.A) is centrally – on the Core, as part of a clients’ inventory. The second (covered in II.B) is to generate an output-file locally on the client itself which can then be read in your text-editor of choice.

Both are quite viable. Both are demonstrated here, as certain situations may call for one (or the other) to be more convenient or more effective when querying a client directly.

II.A – How to find/list Local Scheduler tasks on a Core:

For several versions now, LANDesk has been reporting all Local Scheduler tasks into inventory, and this information (individual to each locally scheduled task) can be found in any devices’ inventory as shown in the screenshot below.

In the screenshot below, the *RED* section serves to guide where in inventory this information can be found, whilst the *BLUE* square indicates the properties/details of that particular local scheduler task.

The meaning of the various task details will be discussed and clarified further below (in section II.C - HERE ).

II.B – How to find/list Local Scheduler tasks on a Client:

NOTE: To get an output of local scheduler tasks into a text file run the following from the LDCLIENT-directory (By default – "C:\Program Files\LANDesk\LDClient\" or - for 64-bit systems - "C:\Program Files(x86)\LANDesk\LDClient\" ).

Localsch.exe /tasks >mytasks.txt

II.C – What do those terms (handler, filter, frequency, etc.) mean exactly?

Some parts of a Local Scheduler task may be more intuitive than others – as a result, I will go through the various sections, and have highlighted the crucial bits of information in colour-code so as to match the screenshot presented in II.B.

II.C.1 – A complete Local Scheduler task

This is simply a “complete” Local Scheduler task entry from beginning to end. In the output-file, the separation can be simply done by the listed number in the first space of an entry.

II.C.2 – The task handle

This is a unique identifier for a task, which is used when a particular task needs to be deleted or modified, for example.

Certain task ID’s are treated as reserved (and task ID below 1,500 should be regarded as reserved), with “normal” user-generated tasks usually having six digit handles (so as to better separate them from “reserved” tasks).

One of the reasons we start with such high, six-digit numbers is to prevent any problems with legacy clients, where smaller numbers were used.

II.C.3 – The task frequency

The task Frequency is based on the number of seconds between repetitions of a task. Most tasks have a value of either 3600 (1 hour) or 86400 (1 day) as a frequency, but any sensible positive value is acceptable.

IMPORTANT NOTE– don’t panic when you see a frequency of “1” in the screenshot above. That particular task has got an additional filter (see below) that activates the task only when the IP-address changes.

II.C.4 – Task Filters

Task Filters are additional conditional clauses you can attach to a task to give you more control under which conditions a task is run. Most commonly this is a filter based on the time of day (i.e.: “only run between the hours of 01:00 – 04:00).

It is important to point out here that filters are purely based on the CLIENT’S perception of things – i.e. its own local system clock, and so on.

Additional filters such as “on IP change” or “when no user is logged on” are also popular, and for a full list, I would recommend that you go through the Local Scheduler task UI (In “Manage Scripts”, you can create Local Scheduler tasks) to get a taste for what is possible. The screenshot below should hopefully help with any remaining confusion on where this is.

Note:ALL filters must be true for a task to run. There’s a distinct AND logic here, and a task will not run until ALL filters’ conditions are satisfied.

Therefore, be thoughtful when applying filters. Ask yourself if this is what you truly want, what you truly need – it’s a simple enough thing to misconfigure oneself and end up in an undesired state.

Local Scheduler will do EXACLY as it is configured to by you, not necessarily as you intended!

II.C.5 - A “bad” example of using filters:

Since a task will ONLY trigger when ALL of its filters are true, let’s demonstrate how one can use filters badly, so as to never have a task running.

If you were to configure a task to run between 02:00 and 04:00 in the morning, and have an additional filter that REQUIRES a user to be logged in but this ends up being a condition that is never met (as people may not work in such late/early hours), you would end up with a task that never runs.

III – Task reruns and “the time creep”:

The most common misconception in relation to Local Scheduler is that the frequency of a task is based upon its START-time. In other words. – if a task is set to start at 10:00 on day 1, the expectation is that it will always start at 10:00, assuming a frequency of 1 day (86,400 seconds) is used.

Little could be further from the truth!

In fact, the frequency kicks in based on when a task has last FINISHED! So - if a task starts at 10:00, then has a 15 minute long random delay (10:00 => 10:15) and a 10 minute long runtime (10:15 => 10:25), the 1-day delay will apply to the end-time of 10:25.

This “time creep” is something of which you should be aware, as this will inevitably send tasks spiralling throughout all possible times. This is particularly likely if you’re combining long-running tasks with large, random time windows.

The best way to counter-act this is by confining tasks to run in a certain time-window. This shouldn’t be used too narrowly, as a long-running task with a narrow time window will cause loss of days very quickly.

As an example, the following table shows what can happen to a task with the following settings:

• Task must run between 10:00 and 11:00

• Task has a random delay of 0-60 minutes

• Task has a runtime average of 10 minutes

** Notice that we do NOT run the task on day 3, nor on day 6.

 

This is because 11:02 (Day 3) // 11:25 (Day 6) is ‘outside’ the TOD (Time Of Day) filter set to run the task between 10:00 and 11:00. What happens now is that whilst the task is “active”, we check every 20 seconds (default) to see if the filters are all OK. In other words, we wait until 10:00 am the next day to run/start it again.

IV - An Important clarification on START TIME:

* A task is deemed to have started as soon as its random delay kicks in. It doesn’t matter if the random delay pushes the task outside the time-constraint boundary (such as 11:25 for instance, in the above example, on day # 5). The task STARTED in the acceptable time-boundary, and the random delay is not deemed a factor here.

* A task that will END outside of the acceptable time-frame (such as 11:02, as on day # 2 in the above example), will still be checked on the next day for running conditions. However, since – in the above examples – there’s a constraint for a task to run from 10:00 to 11:00, the task will idle with the Local Scheduler continuously checking whether all filters can be satisfied.

* In this example, this is true on day # 4 at 10:00, since the task “started” (but was not LAUNCHED) on day 3 at 11:02 as the 10:00 – 11:00 filter was not satisfied … so the task was continuously active for just under 23:00 hours for all filters to be satisfied and finally being successfully launched.

* It is for this reason that one should be mindful not to use too many filters for a single task. The more filters that are used, the more conditions need to be simultaneously met, thus increasing the chances that one ends up with a task that will never run because all of the filter conditions CANNOT ever be all true at the same time.

IV – Conclusion:

With the information provided in this article, the reader should be more informed about some key points when using the Local Scheduler. It should be clear why task filters should be used with care, and why particularly the “Time Of Day”-filter is an important utility in overcoming the time-creep issue.

• Purpose:
• Resolution depends upon version of LDMS:
  • LDMS 2016.3 SU3+
  • LDMS 2016 (10.0) SU3+
  • LDMS 9.6 SP3
  • LDMS 9.6 SP2 May 2016 Component Patch
  • LDMS 9.6 SP2 - LDMS 9.6 SP2 March 2016
  • LDMS 2016 (10.0) flat - SU2
  • Additional Information:

Purpose:

This document will provide you with a potential fix for the following issues:

• Device not responding on 9595 (not network related)
• Agent status icons do not appear
• Communication issues with the device

The resolution involves modifying group policy in your domain.

On the client side, this can be done by opening gpedit.msc.

Resolution depends upon version of LDMS:

Note:If the status icons were working before and you have neither changed LDMS versions nor changed GPO settings, Please reboot your LDMS core server. If, after you follow the below steps, you continue to have this issue, it may indicate a deeper issue where we recommend working with support.

NOTE: If the following does not correct the icon issue, you may not be receiving inventory scans properly and seeing 4100 event IDs on your core server. Please see Database Exception: Error Committing on Table:

LDMS 2016.3 SU3+

NOTE:CBA account has been removed from these versions and future versions. We have started using local account and GPO/permissions are no longer needed. The account can be deleted and will not be added when the new agent is installed.

LDMS 2016 (10.0) SU3+

LDMS 9.6 SP3

LDMS 9.6 SP2 May 2016 Component Patch

NOTE: With these versions, cba_anonymous changed the way it authenticates and now uses Interactive Logon. It was also removed from the local Guests group for security reasons. Cba_anonymous need to have "Allow log on locally" for communication to work. The "Everyone" group could also be used. However, Landesk advises to add cba_anonymous explicitly.

DO NOT Forget that you need to allow log on locally for "Users" somewhere in the policy propagation structure to reach the machine or your users cannot login!

• Open (Group Policy Management) GPMC.msc on a domain controller
• Edit the policy for the machines to be controlled. This can be at the domain level or whichever OU level you desire.
  
• Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

• Add the following user to the policy settings: cba_anonymous

• Apply the group policy.  Once the device gets this policy and is rebooted, the issue should be resolved.
• The cba_anonymous user cannot be present in the "Deny log on locally" policy, as it will override the policy specified above.
• A workaround has been found that deleting the cba_anonymous on the local PC. Deleting the user will force the LANDESK agent to rebuild the user and add the user to the correct policies and groups on that machine. This workaround will work until the domain policy overrides the local policy on the machine.

LDMS 9.6 SP2 - LDMS 9.6 SP2 March 2016

LDMS 2016 (10.0) flat - SU2

• Modify the following area of your domain policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
• Modify the "Log on as a batch job" policy.  This policy is most likely manually set if you are experiencing this issue.  If it is set to "Not Defined", you may need to make the adjustments on the local security policy.

• Add the following user to the policy settings: cba_anonymous

• Apply the group policy.  Once the device gets this policy and is rebooted, the issue should be resolved.
• cba_anonymous also belongs to the Guests local group. To ensure proper function, the guests group, and the CBA_Anonymous user cannot be present in the "Deny log on as a batch job" policy, as it will override the other policy.
• A workaround has been found that deleting the cba_anonymous on the local PC. Deleting the user will force the LANDESK agent to rebuild the user and add the user to the correct policies and groups on that machine. This workaround will work until the domain policy overrides the local policy on the machine.

Additional Information:

When this policy is manually set, the cba_anonymous user cannot be accessed by the resident agent, causing some features to not function properly.  We need to allow this user to log on as a batch job to function.

The user cba_anonymous has always been a requirement for the LANDESK agent. CBA is used for communication back to the core from the client. CBA is responsible for showing the different icons. We found that with prior to 9.6 SP2, if the core couldn't communicate with the client using CBA, it would fail over to a local admin account on the machine. When we discovered this security hole, we patched it with SP2. Now, if the communication can't happen with CBA, the fail over doesn't happen and no communication takes place.The reason for the change at GPO level is that GPO will eventually override whatever settings the local machine has. As part of the install, we'll put the CBA user in the correct local policies and groups. This will allow the agent to work correctly until the GPO comes down and makes changes (such as removing from logon as batch or adding to the deny policy).

Environment

LDMS 9.x

Question

What are the agent install logs and where are they located?

Answer

Below is a list of log files and their locations that are related to agent install.

Client side logs are located in the Windows\Temp folder or the %temp% folder (depending on how the task was scheduled to run)

Core Side Logs are located in the \ManagementSuite\logs folder

NOTE -- ScheduledTaskHandler_*.log (* references a taskID and you should be sure that you find the one that corresponds with the agent install task) A good way to do this is to look at the time/date modified for the log.

Description

How to create and Deploy an Advance Agent

Resolution

To create an Advance Agent installation go through the following steps:

From the LDMS Console go to Tools | Configuration | Agent Configuration.

Right-click on the desired Agent Configuration profile and select Advance Agent.

Determine whether Standard or Peer Download will be used and select the appropriate option.

Click OK At the bottom of the screen, it will show the status "The packages are being created in a background process at the chosen location."

Once the package is successful, the message will change to the following:

This has now created a self-contained .exe and an .msi in the LDLOGON\AdvanceAgent folder on the core. The .msi can then be distributed via a login script or Group Policy to install on the target machines. The .msi file will then download the agent installation files to the machine.

You can also deploy the advanced agent via the console.

To deploy from the console, click schedule a push of an Advance Agent Configuration.

*Note, this will only show Agent Configuration's that have been created into Advanced Agents.

Click OK, and a scheduled task will be created.

Drag your machines from Unmanaged Device Discovery or from All devices and deploy.

A few things to consider:

• You will get a success message rather quickly. This is because the scheduled task is deploying an advanced agent service, and than having that service copy and starts the install of the agent. The success is from the success successfully getting installed. To verify that the agent is actually installed, check the following (The new agents will have an updated scanner version): How to: Easily determine LANDesk agent name and version using a query
• Advance Agent install process and troubleshooting tips
• Why Can't I install the Advance Agent over itself on a client?
• How do you deploy an Advance Agent with Peer Only checked?
• How To: Deploy an Agent via PUSH to Windows 10 in LDMS 9.6 SP2

Issue

You want to either hide or display the Agent / Remote Control icons on your deployed clients.

Cause

This is controlled from the agent configuration properties.

Resolution

1. Open the deployed agent configuration properties.

2. Click on the start tab on the left of the properties if it is not already displayed.

3. Then, look for "show start menu on end user device" towards the bottom.

4. Check or uncheck the box, depending on whether you wish to hide or display the agent icon.

5. Click Save

6. Push your new agent configuration out to the desired clients.

7. The change will take effect. No Reboot is necessary.

Scope

This document is intended to help you to narrow down or resolve agent installation problems in general.

Assumptions

You should have a basic understanding of how to create and push out LANDESK agents, and how to use the LDMS core.

Here are some basic troubleshooting questions and steps that will help you to narrow down the error(s) that you are seeing

Does the problem you are seeing happen on all systems across the board or just a few of them? Have you tried to run the same task on a fresh VM or PC to see if the issue still exists? If the problem happens on all devices and or fresh VM's or PC's then it is most likely an issue with the agent installation files on the core, and you should look at them more closely. Specifically, you should look at the following files on the core in the \ldlogon folder;

"Put your Agent Name Here".msi

"Put your Agent Name Here".ini

You can open, view, and edit the agent.ini file with your favorite text editor, I like notepad++. The agent.ini file will show you all of the configuration options that this agent will install with, so open it and make sure that it has the correct options. You could compare it to another agent.ini if you have one that is working and one that isn't.

You can open the agent.msi to see if everything looks good. When you are having problems, it is good to compare the agent.msi with the problems to one that is known to have succeeded. To view the agent MSI you will need an MSI editing tool, I like to use Orca from Microsoft.

Typical size for an agent.msi is about 310KB and anything smaller could indicate a problem. Most of the important actions will be stored in the CustomAction section of the MSI.

If you suspect problems with any of these core side files you could do a "Rebuild All" task from the core. This should rebuild all agent configurations including the agent.msi and agent.ini files so you should see the date and timestamp change for these files in the ldlogon folder.

If a rebuild all task is still not doing the trick you may want to try a rebuild all from a CMD prompt. In some rare cases we have seen issues with "Rebuild All" from the console so running this from a command prompt might help you.

To rebuild all from a command prompt, go to the \LANDesk\ManagementSuite folder, and run this command: CreateClientConfiguration.exe /rebuild

Note -- Check to see that the ldlogon directory on the core has updated time stamps for these files after doing the rebuild. If you see files that are NOT updating then rename the originals to *.OLD and then run the task again, new ones should be created.

If you are pretty confident the files on the core look good then let's move on to the client:

Right after you start the task on the core go to client and look for a $lddir$ or $ldcfg$ folder that gets created on the root of the C drive. If you don't ever see this share get created then most likely you have a communication or sharing problem. If this is the case verify the following;

a. Can you ping from the core to the client and the client to the core?

b. Does the hostname resolve to the correct ip address?

c. Does the scheduler user that is configured in the core have rights to that box? Remember an agent push task is ran by the scheduler service in the core. If this is on a domain it is usually best to make this account a domain admin.

e. Check that "Simple File Sharing" is enabled on the client.

As a test you could login to the core with the same user that the scheduler service is using, and try to map a drive to \\clienthostname\C$.

Moving on, if the core files look good, and you see the shares being created, then you will need to look at the agent install logs to see where it is failing.

The agent install logs would be in any of the following locations depending on how the task is being run;

Windows\Temp folder

%temp% folder

LDClient folder

Below are the key logs to look at. Note that these are NOT all of the logs, and in some cases you may need to look at others, but these are most likely to have problems.

agentmsi.log (the log file for the agent.msi)

wscfg32.xlg (the log file for the agent installer wscfg32.exe)

If the agent.msi has a problem, double check your agent.msi looks good on the core. You could also copy the agent.msi manually from the core and launch it manually from the client with the showui switch to see if the Windows installer is broken on your client. If your xlg log has errors then you may need to involve support for further help, or search the community for your specific error.

Additional quick troubleshooting tips:

Build a self-contained agent on your core and copy it to the client and manually run it. Does it work? If so then that will at least prove that the files in THAT exe are good. Be sure that the self contained EXE that you are using is current, if you are using a 2 year old exe then it will not have the same files that you are trying to push the agent with.

Does the client you are trying to install the agent on already have a LANDesk agent? If it does, as a test you may want to run the UninstallWinClient task on it, followed by another install attempt to see if the issue only occurs during the agent upgrade.

Follow this article for more on UninstallWinClient: How to uninstall the LANDesk Agent

Prior to running the agent install task, verify the Device Name is correct for the device(s) you are attempting to install to: Agent install fails because UDD didn't discover host name correctly

Verify UAC is turned off

Try installing the agent on a different OS? Maybe your issue is only related to a certain OS. Note that you need to build a separate agent configuration for Windows Server OS's, Windows OS's, and Windows Embedded OS's (WES).

Use Process Explorer and Process Monitor tools available from microsoft to diagnose problems. These should run on the client when the install is happening and could be monitored to watch the progress.

ENVIRONMENT

LANDESK Management Suite 9.6

DESCRIPTION

Agent Health is a new feature in LANDESK Management 9.6 and will allow you to do the following:

• Add or Remove one of the Agent's component without having to re deploy an agent or an update to the agent
• Ensure that your agent is properly installed and no files are missing or corrupted
• Repair your agent if a file is missing or corrupted
• Modify your components settings to meet the configuration you set in Agent Health
• Update your Agent files, components and settings if it is outdated

HOW IT WORKS

Agent Health is using the vulnerability scanner (vulscan) to check the following on a machine:

• Which components are installed
• How these components are configured
• Are they missing one or more file(s)
• Are the services running properly as required
• Are the files up to date

It will then compare this to the configuration you set in your agent health on the Core and adjust the settings accordingly on the clients.

VIDEO

    Youtube version: LANDESK Agent Health - How to use

BASIC SETUP OF AGENT HEALTH

I. Download the latest updates for Agent Health

Go to Agent Settings and click on the update icon:

Then go to: Updates - Windows - Software Updates - Check LANDESK 9.6 Agent Health and click Download now

You should then see the following in your Patch and Compliance window:

(You can find the Agent Health definitions in View by Vendor - LANDesk Software)

These are the definitions for Agent Health, they contain scripts to either install or uninstall a component like Remote Control or XDD.

II. Create a Query and Scope in order to enable AutoFix on it

In our example, we will create a Query, then a Scope based on this Query.

We will only target our Windows 7 machines for this lab.

In your Network View - Queries - My Queries, New Query

Once your Scope is created, go to Patch and Compliance, into View by vendor, and look for LANDESK Software to find your definitions. You will have to set the AutoFix enabled on the Scope you created earlier for each of the definitions you will be using (see How To Use Autofix in Patch and Compliance Manager)

Once done, you will only have to create and deploy your Agent Health Settings, then launch a Security Scan to have it applied to the machine.

SCENARIO: Install and/or Repair a component via Agent Health

In our example, we will install Remote Control to a machine that doesn't have it.

Go to Agent Settings - All Agent Settings - Agent Health - Right click and New

You will now set the configuration you want for this Agent Health Settings. In our case, we will add the Remote Control component.

I. Deploy your Agent Health settings

Once you have saved your Agent Health settings, you will have to deploy it. To do so, in Agent Settings - Create a task - Change settings

You will have to choose the Agent Health settings you created earlier, in our case: Agent Health - Install Remote Control

After your scheduled task is generated, apply it to the devices / groups / queries you would like, then start the task.

II. Apply your Agent Health settings using Vulscan

Once the task has completed successfully, you will have to run vulscan.exe through a Patch and Compliance Scan or a Security Scan from the machine for example.

When the scan is finished, and the autofix has been applied, you might then be able to see the changes:

You can then test that Remote Control is working on this client:

SCENARIO: Repair a component via Agent Health

If a third party software or a user deleted / modified the Agent files and/or folders, you would have had to troubleshoot until you realize that a file is missing and which one it is, uninstall then reinstall the agent.

This whole process might take at least 1 hour if everything is going perfectly, and could go up to many days if not.

With Agent Health, you will be able to check that your Agent is properly installed and functional. If not, then Vulscan will scan, detect, download and reinstall the missing files.

In our example, we cannot use the Inventory Scanner as the LDISCN32.EXE has been deleted:

I. Deploy your Agent Health settings

We set our Agent Health Settings to check our Base Agent and be sure that our Settings are the right ones (you can modify them as well with Agent Health), then we schedule it to push it to the device:

II. Apply your Agent Health settings using Vulscan

Once you have deployed your settings, and ensured that your Base Agent definition is configured to be AutoFix on a Scope that contains your targeted device, you can then launch a Security Scan on the machine:

After your Security Scan is done and you saw the Base Agent being fixed, you can try again to launch an Inventory Scan:

What is the CBA_Anonymous account, and what does it do?

The CBA_Anonymous account is a local guest account created on any Windows computer that has a Landesk Agent.  When your LDMS Core needs to communicate with an agent, it calls the CBA_Anonymous local account on the agent computer, to perform an LDPing on the client web service.  The LDPing returns the hostname and Landesk inventory ID of the Agent computer as xml.  This information is verified to authenticate the client before executing any task.

Will GPOs affect the CBA_Anonymous account?

In most cases, no.  The CBA_Anonymous account is created when a connection is made to CBA.  It is recreated, with a new password, anytime the computer reboots, the service is restarted, or the session expires.  While the account name remains the same, it's GUID changes when the account is recreated.  Group policy is generally applied at startup and user login.  If a GPO is applied to the CBA_Anonymous account, the account will soon be recreated with a different GUID.  GPO's will affect the CBA_Anonymous account if they apply to all local accounts.

One exception to this is any GPO that denies CBA_Anonymous the Logon as a Batch Job right.  CBA_Anonymous requires this right to function.

Is CBA_Anonymous secure?

The CBA-Anonymous account's password consists of multiple sections, generated using OpenSSL.  It is stored in RAM only, and the password is changed anytime the CBA_Anonymous account is recreated.

How to verify if CBA_Anonymous is functioning correctly?

If your core can communicate with the Landesk Agent, CBA_Anonymous is instrumental in this communication.  For a more specific test, follow these steps:

• From your core open a web browser
• Enter this url in your browser, replacing "clientIPAddress" with the actual IP address of a client computer: http://clientIPAddress:9595/allowed/ldping
• If CBA_Anonymous is working as designed, you will see a line of XML in your browser containing the correct Hostname and Landesk inventory ID of the client computer, similar to this: 

          <?xml version="1.0" encoding="utf-8" ?><pong><name>DKV-JSMITH-DC</name><osversion><platform>WIN32_NT</platform></osversion><inventoryid>{B29AE31B-F1CB-E241-8CD2-0714EAC87C21}</inventoryid></pong>

Problems/Symptoms:

When creating a self-contained client installation package the executable

fails to create.

Cause:

A file is missing from you core server that is needed for the creation of

the self-contained client installation package.

Review the CAB.LOG file in the ldlogon directory. If the

self-contained client installation package does not create this file will log an

error and document the failure.

At the bottom of this log you will see an error as shown below:

FCIAddFile() failed(missingfilename.ext): code 1 Failure opening file to be
-- stored in cabinet--
Add File

http://missingfilename.extfailed!
MakeCAB
failed

 

Example shown is what would occur if the sdclient.exe file was missing:

FCIAddFile() failed(SDCLIENT.EXE): code 1 Failure opening file to be stored
-- in cabinet--
Add File

http://SDCLIENT.EXEfailed!
MakeCAB failed

 

Fix:

Locate a copy of the missing file and restore it to the ldlogon directory.

NOTE: Try searching the Core Server's hard drive and the Installation

CD. If you installed with the downloaded executable instead of the installation

CD, extract the executable using winzip, winrar, or a similar program to a

directory and search for the missing file in that directory.)

If the file that is missing is the LDAppl3.ini file follow these steps:

Re-Create the LDAppl3.ini In the 32bit console:

1) Go to Tools | Reporting/Monitoring | Software License Monitoring

2) Click the button "Make available to clients"

Once the LDAppl3.ini has been created you will be able to create the self-contained client installation package.

If you cannot locate a copy of the missing file, contact support for

assistance

</div>

Description

When trying to push a new agent configuration to unmanaged devices, the scheduled task fails with the following error message:

Unable to contact the specified machine. The machine may be off or unreachable.

Cause

1. The LANDesk Scheduler Service account does not have permissions to write to the clients C$ or Admin$ share.
   

   Note:For ease of user management for deployment, devices should be part of an Active Directory Domain.

2. Simple file sharing is enabled on the target workstation.

3. File and printer sharing for Microsoft networks is disabled on the target workstation.

4. The Windows Firewall (enabled by default in Windows XP with Service Pack 2) will block remote connections when enabled.

5. Other third party firewalls can block remote connections if enabled.

Resolution

Depending on the cause, different resolutions may be required.  Below is a list of possible resolutions to this issue.

1. Configure the Scheduler Service account on the Core Server to run as a user account that has administrative privileges on the target workstations.

   1. On the core server, open the LANDesk Management Suite console.

   2. Go to Configure | Services | Scheduler.

   3. Click on Change Login.

   4. Change the service login account to be that of a user with administrator permissions on the target devices of the scheduled task. This is normally a domain administrator account. Ensure all domain accounts use the format Domain\UserName. If some of your targets are not part of a domain, you may also specify additional accounts in the Alternate credentials section.

   5. Click OK.

   6. When prompted, restart the Scheduler service.

   7. Restart the Agent Deployment scheduled task.

2. If there is a Domain Policy (GPO) to Force Security Accounts enabled on the Domain Controller. Disable this to resolve the rights issue.

3. If the target workstation is not a member of a Domain, disable simple file sharing on the target workstation.

   1. Within windows on the target workstation, open Explorer.

   2. Select Tools | Folder Options | View.

   3. Scroll to the end of the list under Advanced Settings and remove the check mark from Use simple file sharing (Recommended).
      

      Note:To make the change from the registry, open regedit and browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and edit the ForceGuest REG_DWORD and change the value to decimal 0.

4. If File and Printer Sharing for Microsoft networks is disabled, it must be enabled. 

   1. Within windows on the client machine open up properties on "My Network Places".

   2. Choose properties for the appropriate network connection.

   3. Ensure that File and Printer Sharing for Microsoft networks is checked. 

5. Install the agent manually by browsing to
   CoreServer\ldlogon and running WSCFG32.EXE.

6. Verify the problem isn't a firewall issue.

   1. Disable the Windows firewall on the XP machines.  Use a Domain GPO if needed.

   2. Deploy the Agent Configuration
      

      Note:Once the agent is installed, the agent services are automatically registered with the Firewall as exception.  The Firewall can now be enabled. 

7. Verify that access to the C$ and Admin$ shares is not being blocked.

   1. If access is being blocked to the and Admin$ shares, have them determine the reason this is so in their environment and test again once the issue is resolved. 
      

      Note:Have the administrator contact Microsoft or search the web for common reasons for why the C$ and Admin$ shares are unavailable.