Note: No other patch is needed on the core server as this patch includes the contents of the Additional Console, Web Console and Rollup core patches.

LANDesk Software Version 8.80 SP3

May 2009

This readme describes the main issues addressed in LANDesk Software 8.8 SP3. This service pack also includes all fixes made in SP1 and SP2.

EXCEPT AS RESTRICTED BY LAW, THE SOFTWARE PROGRAMS CONTAINED IN THE FILE ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE OR FITNESS FOR A PARTICULAR PURPOSE.

This readme is divided into the following sections:

• Installing this service pack
• Important changes and additions
• Additional SP3 information
• Additional SP2 information (this still applies to SP3)
• Additional SP1 information (this still applies to SP3)

Installing this service pack

You need to install this service pack on all clients, core servers, additional consoles, Web console servers, rollup core servers, off-core inventory servers, and managed devices. The easiest way to update managed devices with the service pack is to use the Security and Patch Manager tool.

The service pack zip file contains multiple folders. Each folder patches a different Management Suite component. The LD88-SP3-Core folder will patch all components. There are individual component folders to save network bandwidth if you only want to patch a specific component.  Patch Manager also uses the individual folders to patch components via vulnerabilities.

• LD88-SP3-Core – For the core server and off-core inventory server.
• LD88-SP3-Client – For client workstations.
• LD88-SP3-Console – For remote Windows consoles only. This patch isn't needed on the core server since the core server patch includes this.
• LD88-SP3-Rollupcore – For the rollup core server.
• LD88-SP3-Webconsole – For off-core Web consoles. This patch isn't needed on the core server since the core server patch includes this.

Make sure you exit the Management Suite Windows console before applying this service pack to core servers and additional consoles. We also strongly recommend that you back up your core server and databases before applying this service pack.

The service pack installer included with SP3 now writes a detailed log that you can use to help troubleshoot problems. The log includes information about what files were copied or overwritten, what services were stopped/started, registry changes, and so on. After running Setup from the service pack, you can find the log in the ldmain share's log folder for core servers, and on other devices the log is in the \Program Files\LANDesk\LDClient\log folder.

Warning for customers with an off-core inventory server
Before applying this patch to the core server, make sure you stop the inventory service on the off-core inventory server. Failure to do this can result in possible database corruption. This patch updates the database tables and if an off-core inventory server inserts a scan into the database during this process, the update may fail.

Installing on the core server

1. Double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
2. From the extracted files, run Setup.exe from LD88-SP3-Core on the core server.
3. When Setup finishes, reboot the core server. A reboot is required.
4. After the core server reboots please re-activate your core using the Activation Utility. If you have not applied SP2 you will have to do this step in order to have access to the New Power Manager feature.
   

Optional Install steps:

1. If you are using the new integrated LANDesk Process Manager 4.1 you will need to run the LANDesk Process Manager Database Utility from the LANDesk Process Manager Start menu to update the database for the new "Download Patches" action and other fixes included in the Service Pack.
   
1. Select the Database Utility from the LANDesk Process Manager Start menu.
   
2. In the Configure Process Manager database dialog enter your username and password for your LPM database.
   
3. Click on the "Test Connection" button to connect to the database.
   
4. You will be prompted to update your database when you connect.
5. After the service pack updates Process Manager, you need to use the Database Utility to restart the Process Manager services to finish the update. If you don't restart the Process Manager services, the Process Designer won't launch and instead it will open the Database Utility.
   

Installing on off-core inventory servers

After you've applied this service pack to the core server, you must apply this service pack to all off-core inventory servers, if you have any.

1. If not already extracted, double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
2. From the extracted files, run Setup.exe from LD88-SP3-Core on the off-core inventory servers.
3. When Setup finishes, reboot the off-core inventory server.

Installing on additional (remote 32-bit) management consoles not physically located on the core server

Additional (remote 32-bit) consoles need to be updated to SP3 to connect to the upgraded core server and database. The console version is verified with the database. Historically the console did not check the service pack version and all versions were allowed to connect. This caused issues with old consoles being unable to handle the additional data or causing the console to corrupt data due to schema mismatches. This feature was implemented to enforce remote console updates.

After patching the core, choose ONE of the following methods for updating remote 32-bit consoles:

• Use the Security and Patch Manager tool to automate the remote 32-bit console update.
• Deploy the patch as a distribution package.
1. If not already extracted, double-click on the self-extracting executable and extract it.
2. Place the LD88-SP3-console folder on a UNC or web share.
3. Create a distribution package pointing to Setup.exe as the primary file, including all additional files and using the -S parameter to silence the install.
4. Deploy the distribution package.
• Manually install the patch.
1. If not already extracted, double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
2. From the extracted files, run Setup.exe from LD88-SP3-Console on each remote console.
3. When Setup finishes, reboot.

Installing on all Web console servers not physically located on the core server

1. If not already extracted, double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
2. From the extracted files, run Setup.exe from LD88-SP3-Webconsole on each addition off-core Web console.
3. When Setup finishes, reboot.

Installing on managed clients

After patching the core, choose ONE of the following agent update methods:

• Use the Security and Patch Manager tool to automate the client update.
• Deploy the patch as a distribution package.
1. If not already extracted, double-click on the self-extracting executable and extract it.
2. Place the LD88-SP3-client folder on a UNC or web share.
3. Create a distribution package pointing to Setup.exe as the primary file, including all additional files and using the -S parameter to silence the install.
4. Deploy the distribution package.
• Use the Scheduled Tasks window to "push" a client configuration to client computers.
• Launch WSCFG32.EXE on selected client computers.
• Manually install the patch.
1. If not already extracted, double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
2. From the extracted files, run Setup.exe from LD88-SP3-client on each client workstation.
3. When Setup finishes, reboot.

Installing on Server Manager clients

After patching the core, choose ONE of the following agent update methods:

• Deploy the patch as a distribution package.
1. If not already extracted, double-click on the self-extracting executable and extract it.
2. Place the LD88-SP3-client folder on a UNC or web share.
3. Create a distribution package pointing to Setup.exe as the primary file, including all additional files and using the -S parameter to silence the install.
4. Deploy the distribution package
• Use the Scheduled Tasks window to "push" a client configuration to client computers.
• Launch SERVERCONFIG.EXE on selected client computers.
• Manually install the patch.
1. If not already extracted, double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
2. From the extracted files, run Setup.exe from LD88-SP3-client on each Server Manager client.
3. When Setup finishes, reboot.

Installing on the rollup core server

1. If not already extracted, double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
2. From the extracted files, run Setup.exe from LD88-SP3-Rollupcore on the rollup core server.
3. When Setup finishes, reboot.

Important changes and additions

• Added the ability to store only detected data in the computervulnerability table for security threats and spyware definitions.
• With the increasing number of spyware and security threats it is possible that the number of rows per computer of NON-detected data becomes large. To allow for better response times it is possible to store only the detected data.

This is enabled in the patch settings table.

PatchSettings Variables:
• DiscardUndetectedBlockedApps
• DiscardUndetectedSpyware

When these variables are set to a non-zero value scan results of that type will only record detected data. Nondetected data will not be recorded. This will shrink down the number of computerVulnerability records of type 1 and 5 that are not detected and that have a null patchInstallDate (only applicable to spyware) as each computer sends in in a scan result.

SQL STATEMENTS

To create the Patch setting variables:

• insert into patchsettings (Name, Value) values ('DiscardUndetectedBlockedApps', '1')
• insert into patchsettings (Name, Value) values ('DiscardUndetectedSpyware', '1')
• Set to value of 1 for on and 0 for off.
To Manually Delete all of the nondetected data. (this may be a very large delete and may require a where statement to limit the rows deleted per transaction) delete from computervulnerability where detected = 0 and patchinstalldate is null and vul_id in (select vul_id from vulnerability where type in (1,5)).
• Improved Dependent Package Sequencing - Provided Up and Down buttons on the Dependent Packages page to allow the sequencing of dependent packages.
• We now allow user to Reapply Policy - Added a checkbox in the Scheduled Task Properties page to tell this task to always allow a reapply.
• Create new task from package - Now provide a simple method (toolbutton and context-menu) to directly schedule a distribution package (done as part of Reapply Policy above).

Additional SP3 information

The following sections describe important changes SP3 makes that you may want to be aware of. This service pack includes SP1 and SP2, and important SP1 and SP2 changes are described later in this document.

• Agent changes
• Agent Deployment changes
• Alerting changes
• AMT changes
• Antivirus changes
• Application Policy Manager changes
• Connection Control Manager changes
• Console changes
• Distribution Package changes
• Host Intrusion Prevention changes
• Install/Uninstall changes
• Inventory changes
• Launchpad changes
• Linux changes
• Macintosh changes
• Management Gateway changes
• MBSDK changes
• Multicast changes
• Patch Manager changes
• Performance Monitoring changes
• Power Management changes
• Provisioning changes
• Remote Control changes
• Reporting changes
• Role Based Administration changes
• Rollup changes
• Scheduler changes
• Security changes
• Software Distribution changes
• Software Distribution Portal changes
• Software License Manager changes
• Trusted Access changes
• Unmanaged Device Detection changes
• Web Console changes
• XDD changes
• Updated documentation for installing HP-UX agents

Agent changes

• Fixed a problem where a CBAcleanup.exe error occurs because msvcr80.dll is not found.
• Several services that were left behind after an 8.8 Client uninstall are now removed.
• Fixed a problem in the agent configuration GUI in the Custom Variables section under Security and Patch manager where a string value was not found.
• Fixed a problem where agent configuration re-name from right click in console does not change the Agent Name in client registry.
• Fixed a problem with agent upgrade MS handle inheritance issues.
• Added support for Windows 2008 server as a client OS.

Agent Deployment changes

• Fixed the issue where WSCFG32.EXE did not reinstall CBA8INST.MSI when files were missing from the Shared Files folder on the client.
• Fixed the issue where pushing an agent with both LANDesk LaunchPad and HIPS caused policy.client.invoker.exe to crash.
• Fixed the problem that made it so that a self-contained agent did not build when AV was selected.
• Fixed a problem where a self-contained agent installation package would prompt "unable to find MSVCR80.dll file" on Chinese Win2k SP4 device.
• Legacy Agent: Changed Vulscan to not self update when installing.
• Fixed many agent upgrade issues.

Alerting changes

• Fixed an issue with Email alerts where description variable (%D) would get an incorrect value when the user received that email.
• Fixed the problem where an alert action, Log alert to local NT event log, was calling alertrender with bad parameter(s).
• Corrected the issue with Dell 2850 w/ RAID 5 LSI controller that did not fire storage adapter alerts.
• Corrected a problem where Alerts that were set up to occur at any time had incorrect starttime and endtime fields.
• Fixed the issue with ldselmon showing a slow memory leak on managed servers.
• Fixed the LDAV Failed Quarantine Alerts that were not working.
• Fixed the issue where the "Vul_ID" value was not displaying in "Definition was Superseded" alert.

AMT changes

• Added Remote Access (CIRA) feature for AMT 4/5, can be run periodically or BIOS initiated.
• Added user notification for System Defense and Enhanced System Defense triggers.
• Added Network Environment Detection support.
• Admin can now auto-synchronize password changes to all managed clients.
• Admin can set default System Defense, Enhanced System Defense, and Wireless Profile configurations to be automatically installed on newly managed clients.
• Added a configurable timeout value for AMT calls in UI.
• Added a vPro Status page to the right-click menu, allowing real-time viewing of various settings on the AMT machine.
• Removed the Disable Network, Enable Network, and Launch Vulscan menu options from the right-click menu.
• PID is now provided through a WebService call so as not to be 100% reliant on Hello packets for PSK (PID\PPS) vPro setup and configuration.
• Corrected many redundancies to provide better and more reliable configuration and communication to the vPro client.
• Corrected a problem where Hello packet receipt at core should invoke a full configuration and inventory update.
• Corrected a problem where Import/export PID/PPS in an LDMS additional console always failed.
• Fixed a problem where booting in to the BIOS generates an error that the call had failed and is not supported.
• Corrected an issue that after vPro provisioning the vPro/AMT Hostname was not always the same as the OS Host Name.
• Corrected a problem where vPro provisioning attempts that failed could leave many small files in windows/temp directory.
• Fixed an issue that occurred when setting vPro System Defense Policy to an un-provisioned AMT device, the Console.exe would crash.
• Fixed a problem where changing the AMT password dialog would cause the LDMS console to crash.
• Fixed an issue where the status of Enhanced system defense is always displayed as "on", even if it was turned off.
• Corrected the problem where an AMT miniscan could return bad data in the Storage size attribute.
• Fixed the problem with AMT miniscan showing Provisioned as true when it is not.
• Corrected the issue with vPro wireless Profiles always displaying a message of "a Profile with that name already exists" when trying to save.
• Corrected the problem where a core is trying too many times to communicate with an AMT client, and not limiting the number of tries.
• Corrected the problem where a MPS install did not state that a reboot was necessary at the end of the install.
• Corrected the issue with ServerSetup.asmx being vulnerable to an SQL injection attack.
• Corrected the issue where an AMT password could not be changed from an additional console.
• Corrected an issue that could occur when changing Intel vPro password on the additional console, causing the AMTProvMgr2.exe will crash on the additional console.
• Corrected an issue that would occur after using an AMT PID\PSK through the Web Service call, the PID\PSK was not being marked as used in the DB.
• Corrected the issue on the LDMS Console, where CIRA and NED functionality was missing that existed on the Core Console.

Antivirus changes

• Operating Systems supported by LANDesk Antivirus>
Desktop Operating Systems:

Windows 2000 Professional SP4

Windows XP Professional SP2, SP3

Windows XP Professional x64 Edition SP2

Windows Vista Business/Ultimate/Enterprise SP1 (32-bit)

Windows Vista Business/Ultimate/Enterprise SP1 (64-bit)

Server Operating Systems:

Windows 2000 Server, Advanced Server SP4

Windows 2003 Server Standard, Enterprise SP2 (32-bit)

Windows 2003 Server Standard, Enterprise SP2 (64-bit)

Windows Server 2008 SP1 (32-bit)

Windows Server 2008 SP1 (64-bit)

Antivirus information is Managed through the Management Suite or Security Suite consoles. It is not available in Server Manager Console.

LANDesk Antivirus is not a selectable component within the Server Agent configuration and is not installed as part of the LDMS Server agent.

LANDesk Antivirus must be installed after the Server Agent is installed using an "Install/Update LANDesk Antivirus" task from the Security and Patch tool.

The Management Suite (Desktop) agent can also be used to manage servers, but it does not have the real time health and status monitoring offered by the Server agent.

• Corrected the issue where a self-contained agent install did not install AV if machine could not contact the core.
• Added the ability to download antivirus definitions directly from the internet (bypassing the core).
• Added option to not show end user dialog when file is moved from quarantine.
• Fixed the problem where scheduled antivirus scans were behind by one hour in Brasilia time zone (GMT -3).
• Fixed the issue where AV client was removing CA single sign on Admin tools.
• Added the option so a user can "View as Report" in the AV Activity window.
• Included the content to support ESET nod32 antivirus.
• Corrected the problem that would cause the Channel_scan index's file to grow to a large amount and fill up hard disk during antivirus scan.
• Fixed the issue where that with AV a "Full computer scan would take more than 24 hours to complete".
• Fixed the problem where with real-time monitoring would not start with error "Unknown error attempting to control real-time protection".
• Corrected an issue so that right-click "Scan for viruses" would show up on x64 systems.
• Fixed a problem where LDAV would not scan removable media on systems.
• Corrected a problem where Vulscan would overwrite LDAV /SCANCOMPUTER task incorrectly.
• Updated the real time driver that was not installed with 8.8 SP1 and SP2.
• Fixed an issue where virus definition backups were not removed when a definition download does not complete and the kavset.xml file was not in the backup directory.
• Corrected an issue that made it so that Kido/Conficker/Downadup Remediation was possible with the current SDK.
• De-linked LDAV Extended DB from LDSS Spyware licensing.
• Corrected a problem where a self-contained agent was not built correctly when the Anti Virus component was selected.
• A problem was fixed where clients were detected as vulnerable, but the patch was not installed because of handle inheritance issues.
• Updated the Antivirus engine version to 95. This patch improves Kido/Conficker/Downadup cleaning and contains performance improvements.
• Resolved a problem where a CBAcleanup.exe error could occur on a fresh w2k machine because msvcr80.dll was not found.

Application Policy Manager changes

• Fixed an issue where all applications did not show up in the Software Deployment Portal.
• Fixed a problem where "Policy.Failed.RetryWait" option was not shown in DB Browser(SQLite) on client after install agent correctly.

Connection Control Manager changes

• Corrected the issue where PCMCIA devices were not allowed in Device control configuration.
• Fixed the issue where LANDesk Encryption Utility was not showing on Start Menu on Japanese client.
• Fixed the issue where CCM did not display the password prompt if the agent had been installed without the LANDesk components in the start menu.
• Corrected the problem where in the advanced USB settings the rules did not match the color of the entries.
• Fixed a problem where modified device control configuration was not applied to the clients.
• Fixed a problem where up to 15 "unauthorized device detected" pop-ups appeared on the device at the boot time if the floppy is blocked and the option "Block all unknown volumes" is selected.
• Corrected a problem that allowed the user to bypass read only setting on USB drives outside of encrypted folder when encArchive was loaded.

Console changes

• Updated console so that Package distribution groups are in alphabetical order.
• Corrected the issue that was caused when sorting on the "Gateway Certificates" page in the console based on "Last Session" the sorting wasn't always correct.
• Corrected the problem with a shutdown from the Win32 Console was showing the desktop for a short period of time prior to the actual shutdown.
• Corrected the issue with the scrollbar in the Security and Patch Manager being on the left instead of the right.
• The drop downs Type and Filter are now aligned on the right instead of on the left.
• Fixed the security issue with the proxy information showing username and password in clear text in the console.exe.log file.
• Fixed the problem in the Japanese OS with the rights for "Basic Web Console" and "Connection Control Manager" not being displayed.

Distribution Package changes

• Removed the checks for "authentic" LANDesk Application Virtualization in Software Distribution.
• Fixed a problem on Win2k8 Server and Windows Vista pushed clients, clicking on deploy in distribution portal would give an error that it can't display the web page.

Host Intrusion Prevention changes

• Fixed a problem where HIPS could not learn the application in a Chinese folder.
• Fixed the issue where HIPS would cause the client starting up to take a very long time.
• Fixed the problem where HIPS caused blue screen, when Rising Antivirus application upgraded a virus pattern file.
• Corrected issue that would happen if a corrupt entry got into the ActionHistory, the XML file would be allowed to grow without bounds.
• Fixed the problem with the HIPS install csrss.exe cpu utilization goes through the roof.
• Fixed the problem with the Password request window popping up again and again for every "Install" message appearing in Winrar371.
• Fixed the issue with HIPS causing floppy drive to be accessed without reason.
• Fixed the problem with HIPS 8.8 SP2 not coexisting peacefully with other vendor software.
• Corrected the issue where the end user could change protected mode to learning mode by changing date of OS.

Install/Uninstall changes

• Fixed the problem where LDPGP.SIG did not get replaced on a Service Pack install causing licensing to fail after SP2.

Inventory changes

• Corrected the issue where Inventory scanner did not use peer download for LDAPPL3 updates.
• Fixed the issue where PXE booting a PC was causing multiple duplicate devices to be added to inventory on core servers that are running more than one thread.
• Fixed the problem where Inventory scanner was only pulling the last IP address given to a single NIC when more than one IP address is assigned.
• Fixed the problem with the Inventory service leaking handles.
• Corrected the problem that when agents with LDAP enumeration would keep an unlimited number of users in the registry.
• Fixed the problem where secure post of inventory would break Intermediate File Extension feature of Inventory Service.
• Fixed the problem where a LoadProducts exception occurred when starting the Inventory Server Service.
• Corrected the problem with a hardware scan failing on HP 6735b model laptop without a data switch.
• Corrected the problem with the user unable to copy Windows user profiles after upgrading to 8.7 Sp5.
• Fixed the problem where some monitor information was missing from inventory.
• Corrected the problem where ldiscnn32.EXE ver. 8.80.2.15 would not read the "Custom Data" key correctly from the registry.
• Fixed the issue where the client would download ldappl3.baz and ldappl3.paz to sdmcache even when they are already in the folder.
• Fixed the problem where a delta Scans with a Deleted Section for Launchpad tasks would cause a 4100 Exception for the inventory server.
• Fixed the issue where the core server writes a debug output for every self scan appending to a ldiscn32.log. This would grow with no limit taking up disk space.
• Corrected the issue where Power Management policy would disappear from the inventory scan.
• Corrected the issue where inventory History would send a change alert on new node Insertions without a record in the database.
• Corrected the issue where when a registry entry containing a carriage return would cause the inventory scanner to write the value onto the next line.
• Fixed the problem where the inventory server would crash if it receives an uncompressed scan where the local users line contains more than 450 characters.
• Fixed a n issue

Launchpad changes

• Corrected the problem where the 32 bit console would crash when refreshing the LaunchPad tool if there was no link configured.
• Corrected the issue with the error message when submitting LPM request needing more clarity.
• Fixed the problem with Link Management not working with name more then 8 characters.
• Fixed the problem when you highlighted a link in the launchpad and then select the "enter" key everything would go blank for a long period of time in that window.
• Corrected the problem where if a LaunchPad task leverages an LDAP USER query and more than one person share a machine. The users that were not targeted for the task see the URL link.
• Corrected the issue where the custom icon was not showing up for web URL in launch pad.

Linux changes

• Corrected the issue where a Linux agent scanner detects the smbd service as stopped when it is running.
• Added the ability to have the Service Pack level of Suse Linux Enterprise Server in the inventory.
• Corrected issue where the HP-UX agent was missing important data.

Macintosh changes

The following sections describe important changes SP3 makes that you may want to be aware of.

Inventory changes

• Battery information is now reported correctly for Macintosh device.

Remote Control changes

• When Mac is set to Display Login Window as Name and Password with automatic login disabled Remote Control to that device returns a black screen

Security/Patch Manager

• Updated Patch Manager so that APPLE-SP-Le4, APPLE-SP-Le5 and APPLE-SP-Le6 install correctly on MACs.

Software distribution changes

• MAC packages now handle .APP files for both Software Distribution packages as well as for Patches.
• Updated policy delivery to allow package sizes greater than 2gig.
• Updated policy checking routine and error reporting.

Management Gateway changes

• Fixed the problem where Policy downloads via the gateway were extremely slow.
• Fixed the problem when using Remote Control and Proxy Settings are used in Brokerconfig.exe or I.E. the agent would fail to attempt to connect directly to the Management Gateway.

MBSDK changes

• Fixed the issue where each time a scan/repair action launched, the mbsdk.log showed an exception.
• Fixed the problem where DeleteTask returned false invariably.
• Fixed the problem where LPM incorrectly showed some patch deployments as failed when they were successful.
• Corrected an issue that would not allow a user with a Patch Manager only license to create tasks through the MBSDK.

Multicast changes

• Fixed the problem where software distribution tasks with TMC hung up by shutting down Representative PC in LDMS 8.7 SP5.
• Fixed the issue where the tmcsvc.exe would go to and stay at 100% CPU after running a Retina(r) Network Scan.

OS Deployment changes

• Corrected problem with Secure PXE not accepting password.
• Fixed the issue where the Setupapi.log was continually being written to which causes the ramdisk free space to fill up.
• Fixed a problem where an OSD job would fail with a error message of "No status was received".

Patch Manager changes

• Added the ability to store only detected data in the computervulnerability table for security threats and spyware definitions.
• With the increasing number of spyware and security threats it is possible that the number of rows per computer of NON-detected data becomes large. To allow for better response times it is possible to store only the detected data.

This is enabled in the patch settings table.

PatchSettings Variables:
• DiscardUndetectedBlockedApps
• DiscardUndetectedSpyware

When these variables are set to a non-zero value scan results of that type will only record detected data. Nondetected data will not be recorded. This will shrink down the number of computerVulnerability records of type 1 and 5 that are not detected and that have a null patchInstallDate (only applicable to spyware) as each computer sends in in a scan result.

SQL STATEMENTS

To create the Patch setting variables:

• insert into patchsettings (Name, Value) values ('DiscardUndetectedBlockedApps', '1')
• insert into patchsettings (Name, Value) values ('DiscardUndetectedSpyware', '1')
• Set to value of 1 for on and 0 for off.
To Manually Delete all of the nondetected data. (this may be a very large delete and may require a where statement to limit the rows deleted per transaction) delete from computervulnerability where detected = 0 and patchinstalldate is null and vul_id in (select vul_id from vulnerability where type in (1,5)).
• Corrected the problem where a Repair task with scan and repair settings set to prompt user before reboot would give a CBA error in the console.
• Fixed the problem where when using vaminer.exe /exportstatus=filename.xml to export the patch status from 8.7 or 8.8 core and then using vaminer /importstatus=filename.xml to import it into 8.8 core the autofix status of the patches was not set.
• Corrected the issue where Check-sum value changed from imputed value during scan.
• Added the ability to use an alternate scripting language than VBScript in the custom vulnerabilities if the platform is not a Microsoft OS.
• Added Lavasoft SDK 2008 Integration for LDMS8.8.
• Fixed the problem where the property of each vulnerability definition does not open and a custom definition was not created.
• Corrected the issue where Vista Firewall added the custom exception to the firewall list every time vulscan ran.
• Changed the default timeout when running an application during a patch install/remove to one hour to prevent possible timeout problems.
• Fixed the problem where a MSI path would not work when running Office uninstall command via Patch Manager.
• Corrected the issue where Patch Manager table was very large and kept data forever.
• Corrected the issue where Regularly scheduled Antivirus Definition update task starts downloading Microsoft Vulnerabilities.
• Fixed the issue where New spyware content could not be updated in "scan list" after every download of spyware updates.
• Fixed the problem where a Custom Reboot message in Security and Patch Manager displays "&" as "& amp;" on end-user device.
• Made it possible to not store non-detected data in the computervulenrability table on non detected definitions.
• Fixed the issue with Vulscan 8.80.2.31 not working on Vista with a locked down user

Performance Monitoring changes

• Fixed the problem where LDregmon was causing the system to log users in as System.

Power Manager changes

• Fixed the problem where not all the queries available are displayed when pressing the button near "Apply policy to" in the Savings report GUI of Power Management.
• Fixed the inappropriate localization in Power Management Window.
• Fixed the problem where clicking on the "..." button to select a query to base a report on resulted in the console hanging for minutes, the console.exe process taking up 1.4 GB of memory, and eventually seeing a "system out of memory" error.
• Fixed the problem where if a power policy has Hibernate set to 2 hours or more, the power reports do not compute the power savings.
• Corrected the issue where the Dell Custom Wattage information in the database has "_" in the model.

Provisioning changes

• Fixed the problem where the USMT takes long time with ExecuteHandler.
• Fixed the problem where the Bare Metal server process will fail through the console if the console user is not explicitly defined in the LANDesk Management Suite group on the core.
• Corrected the problem with Deploy Image wizard in Provisioning does not support Imagew 2.0.
• Fixed the problem where the CTOS action fails if customer is using custom cmdlines.txt.
• Corrected the issue where the user is unable to use serial number to target machine for provisioning job in 8.8.
• Fixed the problem where when adding new lines to the Unattend.txt file in the GuiUnattended section the scripted install fails with error -2147478271.
• Fixed an issue where the "Schedule Provisioning template" action of Process Manager was not working as expected.

Remote Control changes

• There is a problem Remote Controlling clients that are not using a standard screen resolution. The screen will be slanted if not using a standard resolution. This is an existing problem that will be addressed in 9.0.
• Fixed the problem where the user was unable to copy files from client to Windows Vista console.
• Fixed the problem where right-clicking on the remote control icon on the client and selecting stop session does nothing.
• Fixed the issue where the Users were getting kicked out of Remote Control when using "Local Template" security. Another user attempts to remote control the same machine and results in both users getting kicked out.
• Fixed the problem where Nessus Scan caused the Remote Control Service to stop.
• Fixed the issue where video is choppy when remote controlling, especially at higher resolutions.
• Fixed the problem where the console did not show or enable Remote Control with a node that has the remote control service running.
• Corrected the problem with the "Continue Session After Reboot" option failing when using a Gateway Remote Control agent.

Reporting changes

• Corrected the issue where the itemized security report Detected Vulnerablity Content was not completely displayed in report.
• Fixed the problem where the GrandTotal count was not correctly displayed in a report if using bar chart or pie chart.
• Fixed an export error on French cores "ViewAsReportAjout/Suppression de Programmes est un nom de fichier non valide"

Role Based Administration changes

• Corrected the problem where users without the Agent Configuration RBA right were able to get to the Agent configuration tool via Scheduled task tool.
• Corrected the issue where it was not possible to set the Standard-webconsole user right because there was not this option available from the interface in the German version of LD 8.8 SP2.
• Fixed the problem where a console user could access power management without limitation.

Rollup changes

• Fixed the problem where during roll-up we were not taking version from FileInfo into account.

Scheduler changes

• Fixed the problem where ICMP Ping failed to determine bandwidth availability; Local Scheduler tasks would not run (inventory and security).
• Added Search/filter capabilities to the Scheduled Tasks UI when you click on one of the status nodes (i.e., Active, Failed).
• Added the capability to right-click on a device in the Scheduled Tasks UI to see the device's inventory.

Security changes

• Fixed the problem where Softmon.exe was causing unwanted alerts to fire.

Software Distribution changes

• Improved Dependent Package Sequencing - Provided Up and Down buttons on the Dependent Packages page to allow the sequencing of dependent packages.
• Corrected a problem where an Invoker crash would occur when deploying self-contained agent as a policy - Allowed time for invoker.exe to shut down nicely, but if not, the process is killed to allow install to progress.
• We now allow user to Reapply Policy - Added a checkbox in the Scheduled Task Properties page to tell this task to always allow a reapply.
• Allow Policy Sequencing - Forcing queued policies (tasks) to install in alphabetical order. This was to re-provide assumed 8.7 functionality that some customers relied on.
• Create new task from package - Now provide a simple method (toolbutton and context-menu) to directly schedule a distribution package (done as part of Reapply Policy above).
• Fixed the issue where the user could not run xcopy command silently by startasuser.exe.
• Fixed the problem where the user was unable to deploy a uninstall package that has another uninstall package as a dependency.
• Fixed the problem when using the tasks WOL option resulted in the wrong device being shut down if the target device is off and a non-targeted device that is on has the same IP address.
• Fixed the Qip Server Service vulnerability.
• Fixed the problem where scheduling a task that is in a user task folder (User tasks section) removed it from this folder.
• Fixed the issue where if an install file does not follow the 8.3 naming convention it caused policy.invoker to crash on the client system using LaunchPad.
• Fixed the issue where the pop-up windows for SWD status was displayed if this option is disabled.
• Fixed the problem where the Poweroff.exe was not rebooting machine when local user and remote user is logged in at the same time.
• Corrected the problem where the policy supported pushes didn't always start when choosing "Start now".
• Corrected the problem where if a machine is disconnected while software is being downloaded to it, checkpoint re-start did not behave properly.
• Fixed the problem where the policy didn't behave properly to re-install an app that was already installed once.

Software Distribution Portal changes

• Fixed the problem where some Web portals did not work with .NET 3.5 SP1.
• Corrected the issue where if one of the XML's as part of a client's policies cannot be downloaded, the Software Distribution portal did not display any new policies.
• Fixed the client portal showing the wrong status if there was more than one package in the list to be deployed.

Software License Monitoring changes

• Fixed a problem where renaming executables would allow them to run a couple of days later when it was blocked.
• Corrected and issue where SLM was reporting files discovered with a size of 0 (zero) bytes.
• Corrected the issue where Softmon would stop collecting usage information.
• Fixed the problem where application blocking did not block renamed applications in Windows Vista.
• Zero byte file records are added when a delta scan is received with the last entry in the deleted section being a software package. This can happen quite often and so there may be a very large number of those dummy file records in the fileinfo table. The new inventory service will prevent those records from being created but it won't remove the records you already have.
• To see how many you have, run the INNER query below. To remove the records, run the full statement.

Delete from fileinfo where fileinfo_idn in

(

select distinct a.fileinfo_idn

From fileinfo a left outer join fileinfoinstance b on a.fileinfo_idn = b.fileinfo_idn

left outer join productfile c on a.fileinfo_idn = c.fileinfo_idn

where a.filesize = 0 and b.fileinfo_idn is null and c.fileinfo_idn is null

)

Trusted Access changes

• Fixed the problem where the 802.1x option was not selected in client configuration with an LDSS only licenses.
• Corrected the problem where Visitor.exe did not include curllib.dll.
• Fixed the problem where some software took several minutes to run.

Unmanaged Device Detection changes

• Fixed the problem where SNMP Community Name Passes 'Public' Before Passing the name specified in the UDD Scan.

Web Console changes

• Fixed the issue where Linux real-time information was slow for LDSM Server Information View.
• Fixed the problem where when editing a query in the Web console and then using the "Back" button to edit another query an error is produced and editing did not take place.
• Fixed the problem that when access to core via web console by certain user who has scope based on query, no device is listed in network view.

XDD changes

• Fixed the problem where XDD Discovery was detecting managed nodes as unmanaged if CBA is not started, even if the node is managed in the database.

Updated documentation for installing HP-UX agents

The following installation instructions replace the information in the "Configuring device agents" chapter of the user’s guide, under the heading "Installing UNIX agents".

Instructions for installing HP-UX agents

You must be logged in as root on the HP-UX machine to perform the installation.

1. From the LDLogon share on the core server machine (c:\Program Files\LANDesk\ManagementSuite\ldlogon), copy the following files to a temporary directory on the HP-UX machine:
• Default HP-UX Server Configuration.sh -- rename file to install.sh
• Default HP-UX Server Configuration.ini -- rename file to install.ini
• certificate file -- this file will have the extension ‘.0’. You can search the ldlogon directory for files matching ‘*.0’ to find the certificate file.
• unix/hpux/baseclient.tar.gz
• unix/hpux/vulscan.tar.gz
2. Change the file access permissions by running the following command:

   chmod +x install.sh

3. Open install.ini and look for the ServerFQDN line. Take note of the name and exit. Ping the ServerFQDN from the command line to make sure the core server is visible to the client machine with the following command:

   ping ServerFQDN

   If you can’t ping the machine, an entry for the core server may have to be added to the /etc/hosts file.
4. Run the install using the following command:

   ./install.sh install.ini

5. Modify the PlatformID line in the /etc/vulscan.conf file to match your OS and machine type. This will be necessary for vulnerability scans to properly identify the machine type when scanning. For example:

   platformid=HP-UX11.31:S800

6. If the machine is a NIS server, a new NIS services map needs to be generated. This can be done by running the following command:

   ypmake services.byname

   If the machine is a NIS client machine, the master server and slave servers will need to be updated to include pds and cba service entries inserted into the /etc/services file on the client machine.

Depot packages required beyond the standard OS installation include:
   openssl 0.9.8j: cryptography toolkit implementing SSL
   expat 1.95.8: a C library for parsing XML

Required software dependencies for cba:
   OS-Core.CORE-SHLIBS: /usr/lib/libdld.2
   OS-Core.CORE-SHLIBS: /usr/lib/libc.2
   OS-Core.CORE-SHLIBS: /usr/lib/libcl.2
   OS-Core.CORE-SHLIBS: /usr/lib/libCsup_v2.2
   OS-Core.CORE-SHLIBS: /usr/lib/libstd_v2.2
   OS-Core.CORE-SHLIBS: /usr/lib/libpam.1
   COMPLIBS.LIBISAM-PS32: /usr/lib/libisamstub.1
   COMPLIBS.LIBISAM-PS32: /usr/lib/libm.2
   openssl.OPENSSL-LIB: /usr/lib/libcrypto.sl.0
   openssl.OPENSSL-LIB: /usr/lib/libssl.sl.0

Required software dependencies for pds2d:
   OS-Core.CORE-SHLIBS: /usr/lib/libdld.2
   OS-Core.CORE-SHLIBS: /usr/lib/libc.2
   OS-Core.CORE-SHLIBS: /usr/lib/libcl.2
   OS-Core.CORE-SHLIBS: /usr/lib/libCsup_v2.2
   OS-Core.CORE-SHLIBS: /usr/lib/libstd_v2.2
   OS-Core.CORE-SHLIBS: /usr/lib/libpam.1
   COMPLIBS.LIBISAM-PS32: /usr/lib/libisamstub.1
   COMPLIBS.LIBISAM-PS32: /usr/lib/libm.2

Required software dependencies for ldiscan:
   OS-Core.CORE-SHLIBS: /usr/lib/libdld.2
   OS-Core.CORE-SHLIBS: /usr/lib/libc.2
   OS-Core.CORE-SHLIBS: /usr/lib/libcl.2
   OS-Core.CORE-SHLIBS: /usr/lib/libCsup_v2.2
   OS-Core.CORE-SHLIBS: /usr/lib/libstd_v2.2
   OS-Core.CORE-SHLIBS: /usr/lib/libpam.1
   COMPLIBS.LIBISAM-PS32: /usr/lib/libisamstub.1
   COMPLIBS.LIBISAM-PS32: /usr/lib/libm.2

Required software dependencies for vulscan:
   OS-Core.CORE-SHLIBS: /usr/lib/libdld.2
   OS-Core.CORE-SHLIBS: /usr/lib/libc.2
   OS-Core.CORE-SHLIBS: /usr/lib/libcl.2
   OS-Core.CORE-SHLIBS: /usr/lib/libCsup_v2.2
   OS-Core.CORE-SHLIBS: /usr/lib/libstd_v2.2
   OS-Core.CORE-SHLIBS: /usr/lib/libpam.1
   COMPLIBS.LIBISAM-PS32: /usr/lib/libisamstub.1
   COMPLIBS.LIBISAM-PS32: /usr/lib/libm.2
   expat.expat-RUN: /usr/local/lib/libexpat.sl

Additional SP2 information

The following sections describe important changes SP2 makes that you may want to be aware of. This service pack includes SP1, and important SP1 changes are described later in this document.

Additional documentation and updated online help for the new launchpad and power management features is available separately. You can download this from http://www.landesk.com/SolutionServices/documentation.aspx#ldms88. If you want the online help in a language other than English, scroll to the top of the page and select the language you want there.

• Agent changes
• Inventory changes
• OS deployment and provisioning changes
• Security and Patch Manager changes
• Software distribution changes
• Process manager changes
• Other changes

Agent changes

• Advance agent now installs if CBA exists on the device but isn't running.
• Agent deployment to RedHat 5 32-bit and 64-bit now works correctly.
• Improved Mac client stability.

Inventory changes

• Fixed problem where softmon could cause 100% CPU utilization when scanning for blocked applications.
• Inventory scanner now reports whether a Vista OS is 32-bit or 64-bit.
• Inventory scanner now runs correctly on Windows Server 2008.
• If the inventory record for a client didn't contain a value for the LANDesk client folder on the client machine, that data would default to the old c:\LDClient path. We now check the registry for a client path, and if there in no entry we default to the new c:\Program Files\LANDesk\LDclient folder.

OS deployment and provisioning changes

• WinPE deployment scripts with bad credentials for drive mappings will now return an error code rather than eventually timing out.
• Added WinPE drivers for:
• Dell Latitude D630
• Dell Optiplex 755/Dell Optiplex 745
• Thinkpad T61(p)/Lenovo T60
• Thinkcentre A60
• ICH9R Sata AHCI
• Intel 82566D NIC
• Improved Vista OSD imaging support.
• Fixed problem with provisioning when using scheduled tasks to execute a software distribution with packages that have dependencies. The task would work correctly the first time and then fail on subsequent runs.
• Scripted installs aren't supported for x64-bit OS's using LANDesk provisioning with WinPE. There is no workaround at this time.

Security and Patch Manager changes

• Various patch manager fixes for stability and performance.
• Added patch support for Symantec Endpoint Protection 11
• AV installs on Windows Server 2008 no longer trigger a blue screen
• Setting AV to scan all file types now includes binary files with a .CMD extension. AV used to ignore binary files with this extension.
• In CCM, Ctrl-Shift-Up now brings up the password bypass dialog correctly.
• In CCM, if you plug in a USB device that is disabled by CCM and then use CCM's password override feature, the device will still be disabled. After providing the password override, you must either remove and reinsert the device or use Windows Device Manager to scan for hardware changes.
• Spyware scanning now works on 64-bit platforms.
• Patch Manager workflows can now delete scheduled tasks.
• Fixed a problem where the vulnerability scanner wasn't peer downloading patches from computers managed by a different core.
• The required file curllib.dll is now included in the LANDesk DHCP NAC visitor.exe file that is installed to clientless machines, so running visitor.exe will no longer generate an error.
• You can no longer designate a Windows firewall setting or a Compliance security setting as a default setting that is automatically deployed by an agent configuration (or by the vulnerability scanner running on the device). Of course you can still configure and deploy these two settings to managed devices with an agent configuration or via a Change settings task. Also, you can now select to remove the current Windows firewall setting or Compliance security setting from target devices with a Change settings task.
• For LANDesk DHCP-based NAC, if you edit the LTAemployeesettings.xml file after installing an LDMS 8.8 service pack (SP1 or SP2), you must rebuild the LDDHCP server install package and re-install it on the server before publishing the new settings in order for them to be available during a compliance scan. The reason for this is because the settings XML file resides on the LDDHCP server, not on the core server, and during a compliance scan the vulnerability scanner pulls the new settings from the LDDHCP server. Alternatively, you could manually copy the rebuilt install DLLs to the LDDHCP server.)

Software distribution changes

• Improved software distribution peer download performance.
• Using the "Limit remote Downloads to one per subnet" option no longer causes multicast software distribution tasks to fail with "Failed to download and hash additional files".
• Tasks that finished with a reboot required status message were showing as failed in the console, causing the policy to be reapplied. We now treat MSI return code 3010 (reboot required) as installation succeeded with machine code to show reboot required.
• If you were logged into windows with a user name that has an apostrophe in it, policies would always fail.

Process Manager changes

• After the service pack updates Process Manager, you need to use the Database Utility to restart the Process Manager services to finish the update. If you don't restart the Process Manager services, the Process Designer won't launch and instead it will open the Database Utility.
• If you have a full license Process Manager installed on your core server and you install SP2, the installer will replace the full Process Manager license with the default SP2 license. To fix this you will need to re-import your full Process Manager license.
• For Process Manager to properly work with LDMS 8.8 through the LDMS message-based SDK, there are three service/items that have to be configured with domain logon credentials.
  1. The LPM service. Configure this in the LPM Database Utility.
  2. The LDMS Scheduler service. Configure this in on the core server in the LANDesk Configure Services utility (in the Management Suite console, click Tools | Configure Services).
  3. The LDMS COM+ application 'LANDesk'. Configure this on the core server in Windows Component Services (Start | Programs |Administrative Tools | Component Services, click Component Services | Computers | My Computer | COM+ Applications). Specify the user on the LANDesk item's Identity tab.
• If some Process Manager actions don't work correctly after applying SP2, check that the MBSDK service has been registered to ASP.NET 2.0. You can check this in Internet Information Services Manager. View the properties for the Default Web Site | MBSDKService. On the ASP.NET tab, the ASP.NET version must be 2.0. If it isn't, change it.

Other changes

• This service pack adds support for Windows XP SP3 and Vista SP1 as management consoles and managed clients. Windows Server 2008 is also supported as a client.
• You must reactivate the core using the server for power management to display in the console. Power management won't be visible in the console until you reactivate the core server using the Core Activation Utility.
• Monitoring doesn't work on supported ASIC motherboards running Windows Server 2008 (32-bit and 64-bit). The Intel SMBUS driver setup utility doesn't recognize Windows Server 2008 and won't install on it. The workaround is to install the SMBUS driver manually using the .INF file on Windows Server 2008.
• Removing a core server from the rollup database via the rollup utility UI failed to remove all the entries from the database if the core server's database and the rollup's database weren't located on the same physical DBMS server.
• The memory configuration alert is now editable and can contribute to health.
• Fixed a problem in Asset Manager where re-importing previously exported data from CSV files could corrupt the database.
• Fixed a problem in Asset Manager where deleting data types (such as "Mobile Phones") would cause database problems and prevent the asset interface from displaying correctly. Now, before deleting data types you are forced to delete reports referencing those types first.
• Fixed an AMT problem where discovered AMT machines without a valid host name were getting the same name assigned. The new automatic naming algorithm now creates unique names on the full IP address.
• Fixed a Vista remote control problem where after remote controlling a Vista computer, the computer's wallpaper would be set to default, overriding the wallpaper set by a group policy.

Additional Macintosh patch information

The following sections describe important Macintosh changes this patch makes that you may want to be aware of.

• Agent configuration changes
• Inventory changes
• Software distribution changes
• Miscellaneous changes

Agent configuration changes

• Agent configuration name disappears from inventory after installing another agent configuration over the current one.
• The name of the Agent Configuration that was installed on the client is now returned in inventory.

Inventory changes

• Inventory now collects the Sharename and stores it in the database as modeled data.
• Inventory scanner crashes when run after installing an agent configuration but not rebooting.
• Changed the Display Name in the console to show the Hostname of the agent machine.
• Power PC proxy setting are not being reported correctly.
• SLM Usage data not being collected by the inventory scanner for some applications.
• Fixed a problem where Power PC proxy settings weren't being reported to the core server by the inventory scanner.
• Fixed a problem where the Record Creation Date attribute data was removed when a sync inventory scan is run. Without this data you couldn't tell how long a device had been in the inventory database.

Software distribution changes

• Applications, packages, drivers, and plug-ins are gathered through System Profiler for consistency and speed.
• LANDesk Agent moved from System Preferences to Applications/Utilities.
• In some environments any scheduled tasks where communication is initiated from the core would fail with the error: "Failed. Machine is off (Different Agent Responded)".
• Sdclient will crash if downloading a very large file or cause the machine to run out of memory.

Miscellaneous changes

• The uninstall shell script is now located on the core to prevent users from removing the client.
• Security Updates.
• Fixed a remote control authentication problem that could occur if there were extra certificates in the shared files\keys folder on the core

Additional SP1 information

The following sections describe important changes SP1 makes that you may want to be aware of. SP2 includes changes that were part of SP1.

• Antivirus changes
• AMT changes
• Connection control manager changes
• LANDesk Host Intrusion Prevention System (HIPS) changes
• LANDesk Network Access Control changes
• LANDesk Patch Manager's changes
• LANDesk Process Manager's automated patch download workflow changes
• Inventory changes
• LANDesk Network Access Control changes
• Software distribution changes
• Software distribution policy management changes

Antivirus changes

This service pack adds support for additional third-party antivirus software that can be automatically removed from target devices when deploying LANDesk Antivirus, either during initial agent configuration or as a separate LANDesk Antivirus install/update task.

New supported antivirus software for detection and removal:

• Internet Security 2007 Trend Micro* PC-cillin (version 15.3) on Windows Vista 64-bit
• Trend Server* Protect 5.7, Internet Security 2008, and OfficeScan 8.0
• eTrust* Antivirus 7.x and 64-bit
• eTrust* Antivirus 8.0 and 8.1
• Symantec* Endpoint Protection 11

In addition, this service pack improves antivirus performance and stability.

AMT changes

Sometimes the AMT management software (LDMS / LDSM ) will time out waiting for the AMT 2.5 hardware to respond. A registry entry has been made available to the user to adjust the time out period. The registry entry is added once the administrator performs a task using AMT. The time out can then be adjusted to compensate for the delay. The time out is in milliseconds with the minimum being 5000 (5 sec) and the default 6000 (6 sec). The registry entry is:

HK_Local_Machine\Software\LANDesk\ManagementSuite\vPro\TimeoutInMilliSeconds.

Connection control manager changes

This service pack adds the following USB encryption feature enhancements in the connection control manager tool.

The Device control configuration dialog's USB devices page now includes an option called "Allow password hints" that lets the user enter a hint that can help them remember the encrypted folder password specified when they create the folder. The password hint cannot be an exact match to the password itself. The password hint cannot exceed 99 characters in length. Even if the password hint field is available to enter text, the user is not required to enter a hint. (Important: When a USB storage device is configured for file encryption, users must initially create an encrypted folder with the LANDesk Encryption Utility (Start | LANDesk Management | LANDesk Encryption | Advanced | Create encrypted folder) before they can copy files to the USB device.)

You now specify the amount of space on a USB storage device that can be used for encrypted files by megabytes instead of by device space percentage. Enter 0 if you want users to be able to use all of the available space on the USB storage device for encrypted files.

Inventory changes

This service pack adds a new command-line option to the inventory scanner. This option sends information about all executed software on the client. The new scanner option is /SAE.

LANDesk Host Intrusion Prevention System (HIPS) changes

This service pack adds the following HIPS feature enhancements:

• You can now set the value for Whitelist Learn Days to zero (0) in a HIPS configuration. The presumption is that one or more client machines have already learned all of the required file certifications and that this setting will be deployed to clients running the same OS, system configuration, etc. (Note that if there are no file certifications, then saving a configuration with Whitelist Learn Days set to zero will not be allowed.)
• A new option has been added to allow the administrator to disable the alert balloon pop-ups when the HIPS client blocks an action.
• Alerting has been implemented for HIPS. HIPS alerts can be selected and configured in the Alerting tool.

LANDesk Network Access Control changes

This service pack fixes the showui option in the LTAEmployeesettings.xml file for the LANDesk DHCP Network Access Control (NAC) solution.

When you enable the showui option in the LTAEmployeesettings.xml file, the security compliance scan now displays on the client. The updated settings file must first be published to the LDDHCP server in order for the modified setting to take effect.

LANDesk Patch Manager changes

The vulnerability scanner (vulscan.exe) can now place itself in the action.ini file when a reboot is required.

LANDesk Process Manager's automated patch download workflow changes

This service pack adds a new action in the LANDesk Process Manager workflow designer tool that will download patches for ALL of the vulnerabilities contained in a custom group. Previously, only patches for detected vulnerabilities were downloaded; however, the new action downloads all patches associated with all of the vulnerabilities in the group whether or not the vulnerability is detected on target devices.

Software distribution changes

Support for Visual Basic scripts has been added to software distribution. The 8.8 update patch includes an update application to enable this feature on managed nodes, PolicyUpdate.1.exe.

This application serves two purposes:

1. A self-contained and self-extracting package to update the needed portions of the managed node
2. Install the policy update on the core server

When installed on the core server, all agents will download and process the new policy update application when policy.sync is run.

To install this package on the core server run the following command line:

PolicyUpdate.1.exe -setup <url> <ldmainpath>

This should be run with the current working directory set to the ldmain directory (so the PolicyUpdate.1.exe application can find the lddwnld library).

The <url> should be the http location from which the policy update application is to be downloaded. For example, if the core server name was "myCore" and the update package was placed in ...ldmain\landesk\files the URL would be:

"http://myCore/landesk/files/PolicyUpdate.1.exe"

The <ldmainpath> is the path to which the ldmain share points (by default c:\Program Files\LANDesk\ManagementSuite).

If this update is not configured on the core server and a Windows Script Host package is deployed via policy, the policy invoker will not be able to create an instance of the remote operation object that handles Windows Script Host packages and the policy will fail.

Software distribution policy management changes

This service pack fixes the handling of interrupted policy downloads. Prior to this patch, policy downloads didn't continue if interrupted.

When the system is rebooted during a portal policy install, the invoker is aware that the problem has occurred, but the portal is not. As a result of this the portal kept the policy in a working state.

The service pack addresses this problem in two ways:

1. Handling the alert raised by the invoker to fail the policy in the portal
2. Timing out active installs

When a system is rebooted while the invoker is processing a policy, the policy is left in an invalid state. Once rebooting is complete the invoker will now recognize that the policy is in an invalid state, raise an alert, and then move the policy to complete.

The policy.client.failedpolicy.exe application is a new file that will capture the invalid state alert raised by the invoker and fail the active policy in the portal. This provides rapid failure when a policy is interrupted.

Support was also added to timeout installs after a specific period of inactivity. This is controlled by the "Policy.Portal.Install.Timeout" value. This value specifies the timeout in seconds and can be configured from 1 hour to 7 days (default timeout is 2 days) using the policy.client.config application, as shown in the following command line:

Policy.client.config.exe /set Policy.Portal.Install.Timeout <timeout>

Where <timeout> is specified in seconds.

When an active install is timed out the status does not change but the policy can then be re-deployed. Thus the alert handler is intended to be the normal mechanism for handling these policies, but the install timeout can be used for policies that have already failed.

Note that if a policy installation is interrupted (for example, by a reboot during an application download), by default the policy won't resume installation for 24 hours. This timeout is separate from the Policy.Portal.Install.Timeout.