LANDesk Software Version 8.80 SP2
August 2008
This readme describes the main issues addressed in LANDesk Software 8.8 SP2. This service pack also includes all fixes made in SP1. A
complete list of the fixes in this service pack is available at
http://community.landesk.com/support/docs/DOC-3034.
Additional documentation and updated online help for the new launchpad and power management features are available separately. You can download them from http://www.landesk.com/SolutionServices/documentation.aspx#ldms88. If you want the online help in a language other than English, scroll to the top of the page and select the language you want there.
EXCEPT AS RESTRICTED BY LAW, THE SOFTWARE PROGRAMS CONTAINED IN THE FILE ARE PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING
BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE OR FITNESS
FOR A PARTICULAR PURPOSE.
This readme is divided into the following sections:
Installing this service pack
You need to install this service pack on all clients, core servers, additional consoles,
Web console servers, rollup core servers, off-core inventory servers, and managed
devices. The easiest way to update managed devices with the service pack is to use
the Security and Patch Manager tool.
The service pack zip file contains multiple folders. Each folder patches a
different Management Suite component. The LD88-SP2-Core folder will patch all
components. There are individual component folders to save network bandwidth if
you only want to patch a specific component. Patch Manager also uses the
individual folders to patch components via vulnerabilities.
- LD88-SP2-Core – For the core server and off-core inventory server.
- LD88-SP2-Client – For client workstations.
- LD88-SP2-Console – For remote Windows consoles only. This patch isn't needed on
the core server since the core server patch includes this.
- LD88-SP2-Rollupcore – For the rollup core server.
- LD88-SP2-Webconsole – For off-core Web consoles. This patch isn't needed on
the core server since the core server patch includes this.
Make sure you exit the Management Suite Windows console before applying this
service pack to core servers and additional consoles. We also strongly recommend that
you back up your core server and databases before applying this service pack.
The service pack installer included with SP2 now writes a detailed log that you can use to help troubleshoot problems. The log includes information about what files were copied or overwritten, what services were stopped/started, registry changes, and so on. After running Setup from the service pack, you can find the log in the ldmain share's log folder for core servers, and on other devices the log is in the \Program Files\LANDesk\LDClient\log folder.
Warning for customers with an off-core inventory server
Before applying this patch to the core server, make sure you stop the inventory
service on the off-core inventory server. Failure to do this can result in
possible database corruption. This patch updates the database tables and if an
off-core inventory server inserts a scan into the database during this process,
the update may fail.
Installing on the core server
- Double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
- From the extracted files, run Setup.exe from LD88-SP2-Core on the core server.
Note: No other patch is needed on the core server as this patch includes the contents of the console and Web console patches.
Note: The status column for the patch update program may pause for a moment
while updating large files. This is expected behavior, and progress will continue
automatically as soon as these large files finish updating.
Also, the percentage indicator updates on a per-component basis. Depending upon
the number of components installed on the core server, the status can potentially
update up to ten times for the patch.
- When Setup finishes, reboot the core server. A reboot is required.
Optional Install steps:
- If you are using the new integrated LANDesk Process Manager 4.1 you will need to run the
LANDesk Process Manager Database Utility from the LANDesk Process Manager Start menu to
update the database for the new "Download Patches" action and other fixes included in the Service Pack.
- Select the Database Utility from the LANDesk Process Manager Start menu.
- In the Configure Process Manager database dialog enter your username and password for your LPM database.
- Click on the "Test Connection" button to connect to the database.
- You will be prompted to update your database when you connect.
- After the service pack updates Process Manager, you need to use the Database Utility to restart the Process Manager services to finish the update. If you don't restart the Process Manager services, the Process Designer won't launch and instead it will open the Database Utility.
Installing on off-core inventory servers
After you've applied this service pack to the core server, you must apply
this service pack to all off-core
inventory servers, if you have any.
- If not already extracted, double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
- From the extracted files, run Setup.exe from LD88-SP2-Core on the off-core inventory servers.
- When Setup finishes, reboot the off-core inventory server.
Installing on additional (remote 32-bit) management consoles not physically located on
the core server
Additional (remote 32-bit) consoles need to be updated to SP2 to connect to the
upgraded core server and database. With the release of this service pack, the
console version is verified with the database. Historically the console did not
check the service pack version and all versions were allowed to connect. This
caused issues with old consoles being unable to handle the additional data or
causing the console to corrupt data due to schema mismatches. This feature was
implemented to enforce remote console updates.
After patching the core, choose ONE of the following methods for updating remote 32-bit consoles:
- Use the Security and Patch Manager tool to automate the remote 32-bit console update.
- Deploy the patch as a distribution package.
- If not already extracted, double-click on the self-extracting executable and extract it.
- Place the LD88-SP2-console folder on a UNC or web share.
- Create a distribution package pointing to Setup.exe as the primary file, including all additional files and using the -S parameter to silence the install.
- Deploy the distribution package.
- Manually install the patch.
- If not already extracted, double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
- From the extracted files, run Setup.exe from LD88-SP2-Console on each remote console.
- When Setup finishes, reboot.
Installing on all Web console servers not physically located on the core server
- If not already extracted, double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
- From the extracted files, run Setup.exe from LD88-SP2-Webconsole on each additional off-core Web console.
- When Setup finishes, reboot.
Installing on managed clients
After patching the core, choose ONE of the following agent update methods:
- Use the Security and Patch Manager tool to automate the client update.
- Deploy the patch as a distribution package.
- If not already extracted, double-click on the self-extracting executable and extract it.
- Place the LD88-SP2-client folder on a UNC or web share.
- Create a distribution package pointing to Setup.exe as the primary file, including all additional files and using the -S parameter to silence the install.
- Deploy the distribution package.
- Use the Scheduled Tasks window to "push" a client configuration to client
computers.
- Launch WSCFG32.EXE on selected client computers.
- Manually install the patch.
- If not already extracted, double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
- From the extracted files, run Setup.exe from LD88-SP2-client on each client workstation.
- When Setup finishes, reboot.
Installing on Server Manager clients
After patching the core, choose ONE of the following agent update methods:
- Deploy the patch as a distribution package.
- If not already extracted, double-click on the self-extracting executable and extract it.
- Place the LD88-SP2-client folder on a UNC or web share.
- Create a distribution package pointing to Setup.exe as the primary file, including all additional files and using the -S parameter to silence the install.
- Deploy the distribution package.
- Use the Scheduled Tasks window to "push" a client configuration to client
computers.
- Launch SERVERCONFIG.EXE on selected client computers.
- Manually install the patch.
- If not already extracted, double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
- From the extracted files, run Setup.exe from LD88-SP2-client on each Server Manager client.
- When Setup finishes, reboot.
Installing on the rollup core server
- If not already extracted, double-click on the self-extracting executable and extract it. It is recommended to extract to a permanent location.
- From the extracted files, run Setup.exe from LD88-SP2-Rollupcore on the rollup core server.
- When Setup finishes, reboot.
Additional SP2 information
The following sections describe important changes SP2 makes that you
may want to be aware of. This service pack includes SP1, and important SP1 changes are described later in this document.
- Advance agent now installs if CBA exists on the device but isn't running.
- Agent deployment to RedHat 5 32-bit and 64-bit now works correctly.
- Improved Mac client stability.
- Fixed problem where softmon could cause 100% CPU utilization when scanning for blocked applications.
- Inventory scanner now reports whether a Vista OS is 32-bit or 64-bit.
- Inventory scanner now runs correctly on Windows Server 2008.
- If the inventory record for a client didn't contain a value for the LANDesk client folder on the client machine, that data would default to the old c:\LDClient path. We now check the registry for a client path, and if there is no entry we default to the new c:\Program Files\LANDesk\LDclient folder.
- WinPE deployment scripts with bad credentials for drive mappings will now return an error code rather than eventually timing out.
- Added WinPE drivers for:
- Dell Latitude D630
- Dell Optiplex 755/Dell Optiplex 745
- Thinkpad T61(p)/Lenovo T60
- Thinkcentre A60
- ICH9R Sata AHCI
- Intel 82566D NIC
- Improved Vista OSD imaging support.
- Fixed problem with provisioning when using scheduled tasks to execute a software distribution with packages that have dependencies. The task would work correctly the first time and then fail on subsequent runs.
- Scripted installs aren't supported for x64-bit OS's using LANDesk provisioning with WinPE. There is no workaround at this time.
- After the service pack updates Process Manager, you need to use the Database Utility to restart the Process Manager services to finish the update. If you don't restart the Process Manager services, the Process Designer won't launch and instead it will open the Database Utility.
- For Process Manager to work properly with LDMS 8.8 through the LDMS message-based SDK, there are three services/items that have to be configured with domain logon credentials.
- The LPM service. Configure this in the LPM Database Utility.
- The LDMS Scheduler service. Configure this on the core server in the LANDesk Configure Services utility (in the Management Suite console, click Tools | Configure Services).
- The LDMS COM+ application 'LANDesk'. Configure this on the core server in Windows Component Services (Start | Programs | Administrative Tools | Component Services, click Component Services | Computers | My Computer | COM+ Applications). Specify the user on the LANDesk item's Identity tab.
- If some Process Manager actions don't work correctly after applying SP2, check that the MBSDK service has been registered to ASP.NET 2.0. You can check this in Internet Information Services Manager. View the properties for the Default Web Site | MBSDKService. On the ASP.NET tab, the ASP.NET version must be 2.0. If it isn't, change it.
- Various patch manager fixes for stability and performance.
- Added patch support for Symantec Endpoint Protection 11
- AV installs on Windows Server 2008 no longer trigger a blue screen
- Setting AV to scan all file types now includes binary files with a .CMD extension. AV used to ignore binary files with this extension.
- In CCM, Ctrl-Shift-Up now brings up the password bypass dialog correctly.
- In CCM, if you plug in a USB device that is disabled by CCM and then use CCM's password override feature, the device will still be disabled. After providing the password override, you must either remove and reinsert the device or use Windows Device Manager to scan for hardware changes.
- Spyware scanning now works on 64-bit platforms.
- Patch Manager workflows can now delete scheduled tasks.
- Fixed a problem where the vulnerability scanner wasn't peer downloading patches from computers managed by a different core.
- The required file curllib.dll is now included in the LANDesk DHCP NAC visitor.exe file that is installed to clientless machines, so running visitor.exe will no longer generate an error.
- You can no longer designate a Windows firewall setting or a Compliance security setting as a default setting that is automatically deployed by an agent configuration (or by the vulnerability scanner running on the device). Of course you can still configure and deploy these two settings to managed devices with an agent configuration or via a Change settings task. Also, you can now select to remove the current Windows firewall setting or Compliance security setting from target devices with a Change settings task.
- For LANDesk DHCP-based NAC, if you edit the LTAemployeesettings.xml file after installing an LDMS 8.8 service pack (SP1 or SP2), you must rebuild the LDDHCP server install package and re-install it on the server before publishing the new settings in order for them to be available during a compliance scan. This is because the settings XML file resides on the LDDHCP server, not on the core server, and during a compliance scan the vulnerability scanner pulls the new settings from the LDDHCP server. (Alternatively, you could manually copy the rebuilt install DLLs to the LDDHCP server.)
- Improved software distribution peer download performance.
- Using the "Limit remote Downloads to one per subnet" option no longer causes multicast software distribution tasks to fail with "Failed to download and hash additional files".
- Tasks that finished with a reboot required status message were showing as failed in the console, causing the policy to be reapplied. We now treat MSI return code 3010 (reboot required) as installation succeeded with machine code to show reboot required.
- If you were logged into Windows with a user name that has an apostrophe in it, policies would always fail.
- Pushing an agent with both LANDesk LaunchPad and HIPS caused policy.client.invoker.exe to crash.
- Pushing an Updated SP2 Agent to an SP 1 agent will cause the invoker service to crash.
- Policy.client.invoker.exe crashes with a Disk I/O error.
- "Policy.client.invoker.exe application error at xxxxxxxxx referenced memory at xxxxxxxxxx" popup window on client when installing SP2 agent on device that also has console with SP2 installed.
- On a Win2k8 Server and Windows Vista with client pushed, clicking on deploy in distribution portal gives error that it can't display the webpage.
- Launching some JIT links in Launch Pad could cause the invoker service to crash.
- The Community Article is located at http://community.landesk.com/support/docs/DOC-3505
- This service pack adds support for Windows XP SP3 and Vista SP1 as management consoles and managed clients. Windows Server 2008 is also supported as a client.
- You must reactivate the core server for power management to display in the console. Power management won't be visible in the console until you reactivate the core server using the Core Activation Utility.
- Monitoring doesn't work on supported ASIC motherboards running Windows Server 2008 (32-bit and 64-bit). The Intel SMBUS driver setup utility doesn't recognize Windows Server 2008 and won't install on it. The workaround is to install the SMBUS driver manually using the .INF file on Windows Server 2008.
- Removing a core server from the rollup database via the rollup utility UI failed to remove all the entries from the database if the core server's database and the rollup's database weren't located on the same physical DBMS server.
- The memory configuration alert is now editable and can contribute to health.
- Fixed a problem in Asset Manager where re-importing previously exported data from CSV files could corrupt the database.
- Fixed a problem in Asset Manager where deleting data types (such as "Mobile Phones") would cause database problems and prevent the asset interface from displaying correctly. Now, before deleting data types you are forced to delete reports referencing those types first.
- Fixed an AMT problem where discovered AMT machines without a valid host name were getting the same name assigned. The new automatic naming algorithm now creates unique names on the full IP address.
- Fixed a Vista remote control problem where after remote controlling a Vista computer, the computer's wallpaper would be set to default, overriding the wallpaper set by a group policy.
Additional Macintosh patch information
The following sections describe important Macintosh changes this patch makes that you
may want to be aware of.
Agent configuration changes
- Agent configuration name disappears from inventory after installing another agent configuration over the current one.
- The name of the Agent Configuration that was installed on the client is now returned in inventory.
Inventory changes
- Inventory now collects the Sharename and stores it in the database as modeled data.
- Inventory scanner crashes when run after installing an agent configuration but not rebooting.
- Changed the Display Name in the console to show the Hostname of the agent machine.
- Power PC proxy settings are not being reported correctly.
- SLM Usage data not being collected by the inventory scanner for some applications.
- Fixed a problem where Power PC proxy settings weren't being reported to the core server by the inventory scanner.
- Fixed a problem where the Record Creation Date attribute data was removed when a sync inventory scan is run. Without this data you couldn't tell how long a device had been in the inventory database.
Software distribution changes
- Applications, packages, drivers, and plug-ins are gathered through System Profiler for consistency and speed.
- LANDesk Agent moved from System Preferences to Applications/Utilities.
- In some environments any scheduled tasks where communication is initiated from the core would fail with the error: "Failed. Machine is off (Different Agent Responded)".
- Sdclient will crash if downloading a very large file or cause the machine to run out of memory.
Miscellaneous changes
- The uninstall shell script is now located on the core to prevent users from removing the client.
- Security Updates.
- Fixed a remote control authentication problem that could occur if there were extra certificates in the shared files\keys folder on the core.
Additional SP1 information
The following sections describe important changes SP1 makes that you
may want to be aware of. SP2 includes changes that were part of SP1.
Antivirus changes
This service pack adds support for additional third-party antivirus software
that can be automatically removed from target devices when deploying LANDesk
Antivirus, either during initial agent configuration or as a separate LANDesk
Antivirus install/update task.
New supported antivirus software for detection and removal:
- Internet Security 2007 Trend Micro* PC-cillin (version 15.3) on Windows Vista
64-bit
- Trend Server* Protect 5.7, Internet Security 2008, and OfficeScan 8.0
- eTrust* Antivirus 7.x and 64-bit
- eTrust* Antivirus 8.0 and 8.1
- Symantec* Endpoint Protection 11
In addition, this service pack improves antivirus performance and stability.
Sometimes the AMT management software (LDMS / LDSM) will time out waiting for the
AMT 2.5 hardware to respond. A registry entry has been made available to the user
to adjust the time out period. The registry entry is added once the administrator
performs a task using AMT. The time out can then be adjusted to compensate for the
delay. The time out is in milliseconds with the minimum being 5000 (5 sec) and the
default 6000 (6 sec). The registry entry is:
HKEY_LOCAL_MACHINE\Software\LANDesk\ManagementSuite\vPro\TimeoutInMilliSeconds.
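One way to change this timeout without dropping below the documented minimum, as an added PowerShell example that is not part of the LANDesk readme or product. It assumes TimeoutInMilliSeconds is a DWORD value under the vPro key, and it also checks the Wow6432Node view, where a 32-bit program's HKLM\Software entries are stored on 64-bit Windows; the function name Set-AmtTimeout is hypothetical.

```powershell
# Added example, not LANDesk code.
# Assumption: TimeoutInMilliSeconds is a DWORD value under the ...\vPro key
# (the readme gives only the registry path, not the value type).
function Set-AmtTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # The readme states a minimum of 5000 ms; the default is 6000 ms.
        [Parameter(Mandatory = $true)]
        [ValidateRange(5000, 2147483647)]
        [int]$Milliseconds
    )

    $valueName = 'TimeoutInMilliSeconds'

    # Native registry view first, then the 32-bit view used on 64-bit Windows.
    $candidates = @(
        'HKLM:\SOFTWARE\LANDesk\ManagementSuite\vPro',
        'HKLM:\SOFTWARE\Wow6432Node\LANDesk\ManagementSuite\vPro'
    )

    $found = $false
    foreach ($key in $candidates) {
        # The entry only exists after an administrator has run an AMT task,
        # so a missing key or value is skipped rather than created.
        $current = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $current) { continue }

        $found = $true
        $old = $current.$valueName
        if ($PSCmdlet.ShouldProcess("$key\$valueName", "change $old to $Milliseconds")) {
            Set-ItemProperty -Path $key -Name $valueName -Value $Milliseconds -Type DWord
            # Emit a record of the change for the operator's change log.
            [pscustomobject]@{ Key = $key; OldValue = $old; NewValue = $Milliseconds }
        }
    }

    if (-not $found) {
        Write-Warning "$valueName was not found. Run an AMT task from the console first so the entry is created."
    }
}

# Example call (run elevated); -WhatIf previews the change without writing it.
# Set-AmtTimeout -Milliseconds 10000 -WhatIf
```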
Connection control manager changes
This service pack adds the following USB encryption feature enhancements in the
connection control manager tool.
The Device control configuration dialog's USB devices page now
includes an option called "Allow password hints" that lets the user enter a hint
that can help them remember the encrypted folder password specified when they
create the folder. The password hint cannot be an exact match to the password
itself. The password hint cannot exceed 99 characters in length. Even if the
password hint field is available to enter text, the user is not required to
enter a hint. (Important: When a USB storage device is configured for
file encryption, users must initially create an encrypted folder with the
LANDesk Encryption Utility (Start | LANDesk Management | LANDesk Encryption |
Advanced | Create encrypted folder) before they can copy files to the USB
device.)
You now specify the amount of space on a USB storage device that can be used for
encrypted files by megabytes instead of by device space percentage. Enter 0 if
you want users to be able to use all of the available space on the USB storage
device for encrypted files.
Inventory changes
This service pack adds a new command-line option to the inventory scanner. This
option sends information about all executed software on the client. The new
scanner option is /SAE.
LANDesk Host Intrusion Prevention System (HIPS) changes
This service pack adds the following HIPS feature enhancements:
- You can now set the value for Whitelist Learn Days to zero (0) in a HIPS configuration.
The presumption is that one or more client machines have already learned all of
the required file certifications and that this setting will be deployed to clients
running the same OS, system configuration, etc. (Note that if there are no file
certifications, then saving a configuration with Whitelist Learn Days set to zero
will not be allowed.)
- A new option has been added to allow the administrator to disable the alert balloon
pop-ups when the HIPS client blocks an action.
- Alerting has been implemented for HIPS. HIPS alerts can be selected and configured
in the Alerting tool.
LANDesk Process Manager's automated patch download workflow changes
This service pack adds a new action in the LANDesk Process Manager workflow designer
tool that will download patches for ALL of the vulnerabilities contained in a custom
group. Previously, only patches for detected vulnerabilities were downloaded; however,
the new action downloads all patches associated with all of the vulnerabilities
in the group whether or not the vulnerability is detected on target devices.
LANDesk Network Access Control changes
This service pack fixes the showui option in the LTAEmployeesettings.xml file for
the LANDesk DHCP Network Access Control (NAC) solution.
When you enable the showui option in the LTAEmployeesettings.xml file, the security
compliance scan now displays on the client. The updated settings file must first
be published to the LDDHCP server in order for the modified setting to take effect.
LANDesk Patch Manager changes
The vulnerability scanner (vulscan.exe) can now place itself in the action.ini
file when a reboot is required.
Software distribution changes
Support for Visual Basic scripts has been added to software distribution.
The 8.8 update patch includes an update application to enable this feature on managed nodes, PolicyUpdate.1.exe.
This application serves two purposes:
- A self-contained and self-extracting package to update the needed portions of the
managed node
- Install the policy update on the core server
When installed on the core server, all agents will download and process the new
policy update application when policy.sync is run.
To install this package on the core server run the following command line:
PolicyUpdate.1.exe -setup <url> <ldmainpath>
This should be run with the current working directory set to the ldmain directory
(so the PolicyUpdate.1.exe application can find the lddwnld library).
The <url> should be the http location from which the policy update application
is to be downloaded. For example, if the core server name was "myCore" and the
update package was placed in ...ldmain\landesk\files the URL would be:
"http://myCore/landesk/files/PolicyUpdate.1.exe"
The <ldmainpath> is the path to which the ldmain share points (by default
c:\Program Files\LANDesk\ManagementSuite).
If this update is not configured on the core server and a Windows Script Host package
is deployed via policy, the policy invoker will not be able to create an
instance of the remote operation object that handles Windows Script Host
packages and the policy will fail.
This service pack fixes the handling of interrupted policy downloads. Prior to this
patch, policy downloads didn't continue if interrupted.
When the system is rebooted during a portal policy install, the invoker is aware
that the problem has occurred, but the portal is not. As a result of this the portal
kept the policy in a working state.
The service pack addresses this problem in two ways:
- Handling the alert raised by the invoker to fail the policy in the portal
- Timing out active installs
When a system is rebooted while the invoker is processing a policy, the policy is
left in an invalid state. Once rebooting is complete the invoker will now recognize
that the policy is in an invalid state, raise an alert, and then move the policy
to complete.
The policy.client.failedpolicy.exe application is a new file that will capture the
invalid state alert raised by the invoker and fail the active policy in the portal.
This provides rapid failure when a policy is interrupted.
Support was also added to timeout installs after a specific period of inactivity.
This is controlled by the "Policy.Portal.Install.Timeout" value. This
value specifies the timeout in seconds and can be configured from 1 hour to 7 days
(default timeout is 2 days) using the policy.client.config application, as shown
in the following command line:
Policy.client.config.exe /set Policy.Portal.Install.Timeout <timeout>
Where <timeout> is specified in seconds.
When an active install is timed out the status does not change but the policy
can then be redeployed. Thus the alert handler is intended to be the normal
mechanism for handling these policies, but the install timeout can be used for
policies that have already failed.
Note that if a policy installation is interrupted (for example, by a reboot during an application download), by default the policy won't resume installation for 24 hours. This timeout is separate from the Policy.Portal.Install.Timeout.
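The range and unit rules for Policy.Portal.Install.Timeout described above, wrapped as an added PowerShell example that is not LANDesk's own code. Only the /set command line comes from the readme; the function name, the -ConfigExe parameter, and the treatment of exit code 0 as success are assumptions.

```powershell
# Added example, not LANDesk code.
function Set-PortalInstallTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Desired inactivity timeout, given as a TimeSpan so hours and days
        # are not confused with the seconds the tool expects.
        [Parameter(Mandatory = $true)]
        [TimeSpan]$Timeout,

        # Full path to policy.client.config.exe on the managed device.
        # Assumption: the readme does not say where the tool is installed.
        [Parameter(Mandatory = $true)]
        [string]$ConfigExe
    )

    # The readme allows 1 hour to 7 days (default 2 days).
    $min = [TimeSpan]::FromHours(1)
    $max = [TimeSpan]::FromDays(7)
    if ($Timeout -lt $min -or $Timeout -gt $max) {
        throw "Timeout must be between 1 hour and 7 days; got $Timeout."
    }
    if (-not (Test-Path -LiteralPath $ConfigExe -PathType Leaf)) {
        throw "Config tool not found: $ConfigExe"
    }

    # The tool takes the value in whole seconds.
    $seconds = [int][Math]::Floor($Timeout.TotalSeconds)

    if ($PSCmdlet.ShouldProcess('Policy.Portal.Install.Timeout', "set to $seconds seconds")) {
        # Start-Process -Wait blocks until the tool exits, whether it is a
        # console or a windowed program.
        $proc = Start-Process -FilePath $ConfigExe `
            -ArgumentList '/set', 'Policy.Portal.Install.Timeout', "$seconds" `
            -Wait -PassThru -NoNewWindow
        # Assumption: exit code 0 means success (not documented in the readme).
        if ($proc.ExitCode -ne 0) {
            Write-Warning "policy.client.config.exe exited with code $($proc.ExitCode)."
        }
    }

    # Return the value in seconds that was (or would be) passed to the tool.
    $seconds
}

# Example call; the path is a placeholder. -WhatIf previews without running the tool.
# Set-PortalInstallTimeout -Timeout (New-TimeSpan -Hours 12) -ConfigExe 'C:\path\to\policy.client.config.exe' -WhatIf
```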