Question(s):

This document will try to address the following questions:

• What ports does LANDESK Management Suite use?
• What ports need to be opened in my firewall?
• What port(s) does component X use?
• Does LANDESK have a ports list?
• What TCP and UDP Ports must be open on a Linux Agent's Firewall?
• Do I need to open my firewall to let ICMP ECHO/ECHO REPLY packets pass?
  
• Where can I find a network port diagram?

Answer:

ICMP

Quite a few functionalities of LANDESK rely on ping (ICMP ECHO) to probe if the device or server is reachable. Disabling ICMP ECHO within the network might result in losing LANDESK functions, such as bandwidth awareness or usage of preferred server.

The network port information has been divided into the following sections.

• Core Server
• Agent - Linux
• Agent - Mac
• Agent - Windows
• Management Gateway
• Mobile Device Manager Server
• PXE Representative
• Remote Console

Additionally a graphical representation of the data is attached to this article.

Note: It is recommended that all ports for a specific component be opened for backwards compatibility. Failing to open listed ports is not tested.

Core Server	Port #	Direction	Notes
TCP	22		UDD
TCP	25		UDD
TCP	80		Activation, Client, Core Sync, Inventory, Patch Manager, Security Suite, Web Console
TCP	139		Console, UNC
TCP	389		LDAP
TCP	443		Client, Console, Inventory, SLM, Software Distribution
TCP	445		Console, UNC
TCP	1433		Database (MS SQL Server)
TCP	1521		Database (Oracle)
TCP	5007		Inventory
TCP	8092		Core, Console, AMT MPS Server
TCP	9535		Remote Management
TCP	9590		Console, SLM
TCP	9591		Console, SLM
TCP	9593		Software Distribution
TCP	9594		Software Distribution
TCP	9595		Agent Discovery
TCP	9971		Agentless AMT Discovery
TCP	9972		AMT Notification
TCP	9982		AMT Discovery (VPro)
TCP	12174		Remote Execute
TCP	12175		Software Distribution (Policy) [version 8.7 & Older]
TCP	12176		Software Distribution (Policy) [version 8.8 - Current]
TCP	16992		HTTP AMT Management
TCP	16993		HTTP AMT Management
TCP	16994		AMT Hello Packets
TCP	33354		Multicast
UDP	9595		Agent Discovery
UDP	33354		Multicast
UDP	38293		Agent Discovery

Linux Agent	Port #	Direction	Notes
TCP	25		UDD
TCP	80		Patch Manager, Inventory
TCP	443		Client, Core, Inventory
TCP	5007		Inventory
TCP	9535		Remote Management
TCP	9593		Software Distribution
TCP	9594		Software Distribution
TCP	9595		Agent Discovery
TCP	12174		Remote Execute
UDP	67		Imaging (PXE Broadcast)
UDP	68		Imaging (PXE)
UDP	69		Imaging (PXE TFTP)
UDP	1759		Imaging (PXE MTFTP)
UDP	4011		Imaging (PXE Unicast)
UDP	9595		Agent Discovery

Mac Agent	Port #	Direction	Notes
TCP	25		UDD
TCP	80		Patch Manager, Inventory, Software Distribution
TCP	443		Client, Core, Inventory, Patch Manager, Software Distribution
TCP	4343		HTML 5 Remote Control
TCP	5007		Inventory
TCP	9535		Remote Management
TCP	9593		Software Distribution
TCP	9594		Software Distribution
TCP	9595		Agent Discovery
TCP	12174		Remote Execute
TCP	12175		Software Distribution (Policy)
TCP	12176		Software Distribution (Policy)
TCP	33354		Software Distribution (Peer Download, Multicast)
UDP	9595		Agent Discovery
UDP	33354		Software Distribution (Multicast)
UDP	33355		Software Distribution (Multicast)

CSA (Management Gateway)	Port #	Direction	Notes
TCP	22		SSH Administration
TCP	25		Email Notification
TCP	80		Activation, Patching
TCP	443		Administration, Client, Core
TCP	444		DEP for IOS MDM

Mobile Device Management Server	Port #	Direction	Notes
TCP	80		(Core Only)
TCP	443		Enrollment
TCP	2195		APNS (Apple)
TCP	2196		APNS (Apple)
TCP	5223		APNS (Apple)
TCP	5228		C2DM (Google)
TCP	444		DEP (Apple)

PXE Rep	Port #	Direction	Notes
UDP	67		Imaging (PXE Broadcast)
UDP	68		Imaging (PXE)
UDP	69		Imaging (PXE TFTP)
UDP	1758		Imaging (PXE MTFTP)
UDP	1759		Imaging (PXE MTFTP)
UDP	4011		Imaging (PXE Unicast)

Remote Console	Port #	Direction	Notes
TCP	80		Console, Core, HTTP Management
TCP	139		Console, Core
TCP	443		Console, Client, Core, SLM
TCP	445		Console, Core
TCP	8092		Console, Core, AMT
TCP	9590		Console, Core, SLM
TCP	9591		Console, Core, SLM
TCP	9595		Agent Discovery
UDP	68		Imaging (PXE)
UDP	69		Imaging (PXE TFTP)
UDP	1758		Imaging (PXE MTFTP)
UDP	1759		Imaging (PXE MTFTP)
UDP	4011		Imaging (PXE Unicast)
UDP	9595		Agent Discovery
TCP	1433		Database (MS SQL Server)

Windows Agent	Port #	Direction	Notes
TCP	25		UDD
TCP	80		Patch Manager, Security Suite, Software Distribution, Inventory
TCP	137		NetBIOS (non-domain clients)
TCP	139		UNC
TCP	443		Client, Core, Inventory, Software Distribution
TCP	445		UNC
TCP	4343		HTML5 Remote Control
TCP	5007		Inventory
TCP	9535		Remote Management
TCP	9593		Software Distribution
TCP	9594		Software Distribution
TCP	9595		Agent Discovery
TCP	9971		AMT Discovery
TCP	9972		AMT Notification
TCP	9982		AMT Discovery/VPro
TCP	12174		Remote Execute
TCP	12175		Software Distribution (Policy) [ver. 8.7 & Older]
TCP	12176		Software Distribution (Policy) [ver. 8.8 - Current]
TCP	16992		HTTP AMT Management
TCP	16993		HTTPS AMT Management
TCP	16994		AMT Hello Packet
TCP	33354		Software Distribution (Peer Download, Multicast)
UDP	67		Imaging (PXE Broadcast)
UDP	68		Imaging (PXE)
UDP	69		Imaging (PXE TFTP)
UDP	1758		Imaging (PXE MTFTP)
UDP	1759		Imaging (PXE MTFTP)
UDP	4011		Imaging (PXE Unicast)
UDP	9535		Device Discovery, XDD
UDP	9595		Agent Discovery
UDP	33354		Software Distribution (Multicast)
UDP	33355		Software Distribution (Multicast)
UDP	38293		Agent Discovery

Rollup Core	Port #	Direction	Notes
TCP	1433		Rollup Core to SQL Servers
TCP	1433		SQL server to SQL server replication

**Note that if you are using Preferred Servers and replicators in your environment, the same ports that are used from the client to the Core and from the Core to the Client are used. As the Preferred Server must be an agent, and as some of the Core's tasks are off-loaded to the Preferred Server, the other clients will talk to it across the same ports they talk to the Core Server on.

• • DESCRIPTION
  • PROCESS OVERVIEW
  • WARNINGS
  • I. Backup your existing Core Server
  • II. Backup your existing database
  • III. Backup Critical Core Server Files
  • IV. Backup Other Needed Files and Information
  • V. Prepare your new Microsoft Windows 2012 Server
  • VI. Install Microsoft SQL Server 2012
  • VII. Create, configure your new database and restore your old one
  • VIII. Import your certificates
  • IX. Install LANDesk Management Suite 9.6 (or the most current version)
  • X. Migrate your clients by deploying a new agent
  • Additional Considerations
  • Creating a Core DNS Redirect

DESCRIPTION

A side by side migration consists in having both your existing LANDesk Management Suite Core Server and your future Core Server running at the same time.

You can either use a new clean database or use your current database and have it upgraded to the new version.

I will cover here the second choice: migration using the current database.

    ATTENTION:Please note that this article covers a basic side by side migration, which means that if you have other LANDESK products like a CSA, then you will first have to think or ask about how to migrate it as well.

Environment tested:

• LANDesk Management Suite 9.5 SP2 to LANDesk Management Suite 9.6        [30.07.2014]

PROCESS OVERVIEW

1. Backup your existing Core Server (This is not covered in this article, you may want to have an image of your Core server copied on a media/server)
2. Backup your database
3. Backup Critical Core Server Files
4. Backup Other Needed Files and Information
5. Prepare your new Microsoft Windows 2012 Server for your future Core server (Installation and configuration of the server are not covered in this article as it depends on the infrastructure you manage)
6. Install your Microsoft SQL Server 2012
7. Create and configure your database
8. Restore your database to the new server
9. Install LANDesk Management Suite on the new server
10. Import your certificates
11. Migrate your clients by deploying a new agent
12. Additional Considerations
    1. Core Server DNS Redirect
       

WARNINGS

This article is not supposed to get you through the issues you may fix, but to give you a good starter guide if you want to do a side by side migration.

If you actually encounter any error, please contact us through the support portal or our community web site.If you have any customized settings, queries or files, please be aware that you should take screenshots of these configurations, and save the files that may not be saved by our CoreDataMigration tool.

If you plan on changing corenames, then you will need to use the DNS alias for MDM devices to still communicate to the core. Please see doc: Using a Core server DNS alias with the Cloud Service Appliance.

I. Backup your existing Core Server

You should have a snapshot/image of your Core Server in order to be able to roll back.

II. Backup your existing database

    VIDEO:Backup your LANDesk Management Suite 9.5

From Microsoft SQL Server Management Studio, go to Databases, Tasks, Back Upand check where this backup goes to copy it to your future Core Server.

In this case, it goes to:

    C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Backup\

    Remember to copy this ".bak" file as it is your future database.

III. Backup Critical Core Server Files

    VIDEO:Core Data Migration LDMS 9.5

LANDESK has created a tool to backup critical files to a share. This tool is called CoreDataMigration.exe.

Newer versions of CoreDataMigration.exe may backup files that were not backed-up in previous versions.

One of the Management Suite 9.6 installation files is an updated CoreDataMigration.exe and it may be better to use the Management Suite 9.6 version instead of the version that is currently on the Core Server.

NOTE: The Ivanti 2017.1 CoreDataMigration.exe will not work on previous versions. Instead, just use the CoreDataMigration.exe that is in the \landesk\managementsuite folder on the current core server. Please refer to the CoreDataMigration.exe document for further details. 

The new Management Suite 9.6 version of CoreDataMigration.exe can be found in the Management Suite 9.6 installation media under the:

    \LANDESK\PF\LD\MS\_non

If Management Suite 9.6 was downloaded, extract LANDESKSoftware.exe to access this file, situated in the Resourcesfolder:

Once you have copied the folder Resources on your 9.5 Core server, create a folder named CoreBackup, in this example:

    C:\CoreBackup\

Then open a Command Prompt (CMD) and browse to the folder where you extracted the Resources folder, in this example:

    cdC:\Resources extracted from 9.6\

And type the following command (in this example):

    CoreDataMigration.exe GATHER C:\CoreBackup\

It may be necessary in some situations to use a local backup directory to work around NTFS and share permissions.

You will be able to find in your CoreBackup folder the critical files you will need for your migration (your scripts, certificates, ldlogon folder with your application packages, etc.), if you want to use them in your new 9.6 environment, you can copy/paste them from this folder to your future Core Server once the full installation is done.

IV. Backup Other Needed Files and Information

    Some files will not be automatically saved, you must be careful in order to be sure you will have a backup of everything:

• Distribution Package installation files, if stored on a package share created on the Core Server

• The Patch directory, if it is stored on the Core Server

• \ldlogon\ldappl3.template, if modifications have been made to it

• \ldlogon\AgentWatcher\*.ini files

V. Prepare your new Microsoft Windows 2012 Server

In order to be sure that your Windows Server installation is going to match your infrastructure needs, please check the following articles:

• LANDESK Management Suite 9.6 Architecture - Overview

• Supported Platforms and Compatibility Matrix for LANDESK Management Suite/Ivanti Endpoint Manager

Ensure that your server has the latest updates.

    Then do not forget that the following items are NOT SUPPORTED for the Core Server installation:

• A Primary Domain Controller (PDC), Backup Domain Controller (BDC), or an Active Directory

• A Domain Controller

• A server that has been upgraded from a previous version of windows

• Servers running other third-party applications as their primary server function such as a SharePoint server

VI. Install Microsoft SQL Server 2012

    VIDEO:Install SQL Server 2012 for a Side by side migration of LMDS 9.5 to 9.6

The installation and configuration of Microsoft SQL Server 2012 is described in this document:

• Best Known Methods for installing Microsoft SQL Server 2012 for LDMS

You may also find these links useful:

• SQL Tuning and Performance

• Reindexing LANDESK Databases

VII. Create, configure your new database and restore your old one

    VIDEO:Database creation, configuration and restore for Side by side migration 9.5 to 9.6

    An important point here is not to install LANDesk Management Suite on the new server before you restore your old database as the installation process has to convert your old database into the new version.

First you will need to create a new database, so right click on Databases,New Database and put these settings:

Then create your database administrator by going into Security, right click Logins,New Login:

Now you need to restore your old Database into this new database we just created, to do so, right click your new database, Tasks, Restore, Database

• In the General tab, check Device and indicate the path of your old database backup file (*.bak) we made in the previous steps, after that double-check that the Destination Database is the one you created earlier

• In the Files tab, check the Relocate all files to folder option

• In the Options tab, check the Overwrite the existing database (WITH REPLACE) option

Then validate and you are now ready to install LANDesk Management Suite to the new server. Here is a good article as well about this Backup / Restore process:

• Backup and Restore Database: How to move the LANDesk database to another server

VIII. Import your certificates

    VIDEO:Import LDMS 9.5 certificates to your 9.6 Server for a side by side migration

In order to use some features on your new LANDesk Management Suite server with your old clients, you will need to have a certificate they already trust.

The files you will need have normally been saved during our CoreDataMigration done earlier except the keys directory.You will need to manually copy core certificate files. These files must be handled securely and should only be placed in a secure location. You can copy them into the CoreBackup folder, but they must be handled with care. You must copy the following files shown below.

You will find these files in the CoreBackup folder you created, in:

    C:\CoreBackup\landesk\Shared Files\keys\

You must copy the following files:

• C:\Program Files\LANDesk\Shared Files\Keys\*.key
• C:\Program Files\LANDesk\Shared Files\Keys\*.crt
• C:\Program Files\LANDesk\Shared Files\Keys\*.0     
• C:\Program Files\LANDesk\Shared Files\Keys\ldcryptoconfig.xml
• C:\Program Files\LANDesk\Shared Files\Keys\Compatible\*.xml(These files will only exists if client security mode is enabled)

Copy them into your new keys folder on your new server, it may look like this:    C:\Program Files\LANDesk\Shared Files\KeysYou also have to copy the *.0 file to your new ldlogon folder, which should be there:    C:\Program Files\LANDesk\ManagementSuite\ldlogon Once this is done, your new LANDesk Management Suite Server will be able to directly remote your clients, with the highest security features enabled. Please note that side by side migrations from 9.6 to 2017.3 requires a full agent reinstall due to the certificate changes in 2017.3. Copying the certificates from the old core to the new one will not allow remote control to function.

Here is an article that might be interesting:

• Moving a Core server to another Domain/Forest - Scenario

IX. Install LANDesk Management Suite 9.6 (or the most current version)

Before starting the install on the new core, you should first create the C:\Program Files\LANDesk\Shared Files\Keys directory and copy ldcryptoconfig.xml into it from your CoreBackup.  This will ensure data that was encrypted and written in the database will be decrypted properly.

If files were copied from C:\Program Files\LANDesk\Shared Files\Keys\Compatible, then they must also be restored back into this directory

    VIDEO: Install LANDesk Management Suite 9.6 for Side by side Migration from 9.5

First, download our 9.6 Core Server installation package from this page:

• LANDesk Management Suite / Security Suite 9.6 Download

Then extract the files on your server and the installation will begin.

    For this installation, you will only have to be careful with the following settings:

• How should LANDESK configure your database: Upgrade an existing 9.5 database

• Database information: Enter your Server name, Database name we created earlier, User we created earlier as well and its Password

Here are the articles you may find useful as well for this process:

• Best Known Methods for Installing LANDESK Management Suite 9.6

X. Migrate your clients by deploying a new agent

After having done all of this, you should have your infrastructure looking like this:

What we want now is to have our clients directly reporting to our new Server. In order to do that properly, you will have to create new agents (similar to your previous settings if you want) and deploy them gradually with pilot groups/computers.

    Keep in mind that once you have deployed an agent to your client, it may not be manageable anymore from your old server.

Once all of your infrastructure has been "moved" to your new LANDesk Management Suite Server, you can shut down your old server, which will look like this:

    You must be aware as well that a side by side migration can be pretty long and complex as you will have to manage both your old and new server until you are sure of your new settings.

Additional Considerations

Creating a Core DNS Redirect

Some administrators after following this document may encounter some issues where existing agents/agent functions are attempting to communicate with the old core rather than the new, despite the old core having already been removed from production. To avoid such issues, it is recommended as a best practice that administrators after performing a side-by-side migration setup a DNS redirect that will take all traffic intended for the previous core name/fqdn and route it to the new core. This can help to avoid complications and ensure that agent functions remain functional through the migration.

ATTENTION:Please note that DNS redirection is problematic for devices behind CSA (Cloud Services Appliance), reinstallation of the agent on these devices will be required to avoid communication issues.

You will need to manually copy core certificate files. These files must be handled securely and should only be placed in a secure location. You can copy them into the CoreBackup folder, but they must be handled with care. You must copy the following files:

• Description
• Common errors and description
  • Error: "Access Denied"
  • Error: "CommonCore.inf: (0xFFFFFFFF) OSD.Upgrade.exe,60000"
  • Error: "DirectoryNotFoundException"
  • Error: "Non-fatal error: FilterUnload failed, hr=0x801f0013"
  • Error: "System.ComponentModel.Win32Exception"
  • Error: "System.IO.IOException: Element not found"
  • Error: "System.UnauthorizedAccessException"
  • Error: "WAIK is not installed"
  • Error: "CommonCore.inf: (0xFFFFFFFF) OSD.Upgrade.exe,90000"
  • Issue: Upgrade fails at HII step
• Preparing to Re-Run OSD.Upgrade.exe

Description

OSD.Upgrade.exe is run during the installation of an Ivanti EPM Service Pack or any Ivanti patch that updates the WinPE image (boot.wim). It is responsible for configuring the image to function on a specific Core Server and migrating WinPE drivers from the boot.wim.bak into the new boot.wim. If OSD.Upgrade.exe fails, one or more of these steps may not be completed. This document will walk through re-running the OSD.Upgrade.exe installation step on the core server.

During the Service Pack or patch installation, there may be a failure with the OSD.Upgrade.exe process. The install error may be similar to CommonCore.inf: (0xFFFFFFFF) OSD.Upgrade.exe,60000.  Review the osd.upgrade.exe log file found in C:\Program Files (x86)\LANDESK\ManagementSuite\log to get more specific information about the error. If desired the osd.upgrade.exe.log file can be renamed prior to running osd.upgrade.exe again to make current errors easier to find.

A common cause of this issue can be that one of the .WIM files is already mounted from a prior process or through manual intervention by an administrator.

Common errors and description

• Error: "Access Denied"
  

  • Errors referring to access denied indicates that a folder path in the boot.wim is too long. Often this path will be for a driver that was injected into the WinPE image. There are two option for correcting this error. The first option is to just start with a clean boot.wim and add the necessary drivers after completing the OSD.Upgrade.exe process. In LDMS 9 Service Pack 3 the WinPE boot environment requires Windows 7 32-bit drivers. Updating those drivers is a manual process so starting with a clean boot.wim may be a good option. The second option would be to mount the backup of the boot.wim (boot.wim.bak) and rename the directories in the InstalledDrivers directory to use shorter names. After completing one of these options follow the steps outlined below to re-run OSD.Upgrade.exe.
    
    

• Error: "CommonCore.inf: (0xFFFFFFFF) OSD.Upgrade.exe,60000"
  

  • This is a general error indication. Review the log for additional errors.
  • Check to make sure the boot.wim is not mounted on the Core server.
    • The way to check this is running "dism /get-MountedWiminfo" from command prompt. This will show if wim's are mounted and where.
    • Check the OSD.Upgrade.exe.log file for any missing files. Then give it those missing files in the path that it is looking for them.
      • example: "09/06/2016 10:22:53 INFO  9680:1     RollingLog : File C:\Program Files\LANDesk\ManagementSuite\\ldlogon\provisioning\windows\Microsoft.VC90.CRT.manifest does not exist"

• Error: "DirectoryNotFoundException"
  

  • Errors referring to a .0 or an mpkg package indicate that a .0 file has been extracted to a sub-folder of the ldlogon folder. DO NOT delete any .0 files from the root of ldlogon. Navigate to the directory specified in the log (i.e. C:\Program Files (x86)\LANDESK\ManagementSuite\ldlogon\mac) and delete the .0 file. To prevent additional errors when re-running OSD.Upgrade.exe delete any additional .0 files that are found in sub-folders of the ldlogon folder leaving only the .0 files in the root of ldlogon. Follow the steps below to re-run OSD.Upgrade.exe.
  • Errors referring an ALL.REG file indicate that the wim file was still mounted when osd.upgrade.exe tried to execute. This is most likely due to errors in the previous attempt at running OSD.Upgrade.exe. Review the log and correct and additional errors found before following the steps below to re-run OSD.Upgrade.exe.
    
    

• Error: "Non-fatal error: FilterUnload failed, hr=0x801f0013"
  

  • This is normal and does not indicate a problem. Continue reviewing the log file for additional errors.
    
    

• Error: "System.ComponentModel.Win32Exception"

  • You are running the process as a restricted user. Either log in as an administrative user or right click OSD.Upgrade.exe and select run as administrator.
    • Make sure that you are either logged directly into the core server or using Remote Desktop with a /admin switch as a full administrator.
      
      

• Error: "System.IO.IOException: Element not found"
  

  • This error indicates that there is still a wim file mounted. Review the log for additional errors prior to this error. Follow steps below to re-run the OSD.Upgrade.exe process.
    
    

• Error: "System.UnauthorizedAccessException"
  

  • This error indicates either that there is still a wim file mounted, or that the bootmedia.wim.bak already exists. Bootmedia.wim.bak can be deleted as long as bootmedia.wim exists. Review the log for additional errors and then follow the step below to re-run OSD.Upgrade.exe.
    
    

• Error: "WAIK is not installed"
  

  • This is normal and does not indicate a problem. WAIK should have been uninstalled prior to upgrade. If WAIK is installed, uninstall it. Continue reviewing the log file for additional errors.
    
    

• Error: "CommonCore.inf: (0xFFFFFFFF) OSD.Upgrade.exe,90000"
  

  • Download Streams from Microsoft (https://technet.microsoft.com/en-us/sysinternals/bb897440.aspx). Go into properties of Streams an unblock the application. Run Streams against the folder the Ivanti EPM installer was xtraced to and run Streams against the folder LANDESK is being installed to (ie, \Program Files\LANDESK). Make sure the Ivanit EPM installer is being run locally (not networked drive), you are upgrading the machine locally (not RDP) and run the installer as Administrator.
    

• Issue: Upgrade fails at HII step
  

  • Log will displayRollingLog : HII: Setting driver repository path to "\\LDCoreName\ldmain\landesk\files\drivers" 08/05/2015 12:03:10 INFO 8732:1 RollingLog : HII: Initial driver file count to process:
  • In the \\LDCoreName\ldmain\landesk\files\drivers directory will be a db3 and db3 bak file. Rename the file to db3.old and db3 bak.old. Quit out of the installer and re-open and start install again
    .

Preparing to Re-Run OSD.Upgrade.exe

After reviewing your errors and completing the steps above perform the following steps:

1. Start an administrator command prompt (right click the command prompt and select run as administrator).
2. From the command prompt navigate to C:\Program Files (x86)\LANDesk\ManagementSuite\landesk\vboot.
3. Run the following command:
   
   DISM.EXE /Get-MountedWimInfo
   
   • The command should list all images that are currently mounted. There are instances however where a mounted image will not be listed. Check for the existence of the folder original_boot_wim and/or new_boot_wim in the C:\Users\logged in user \AppData\Local\Temp\imgtmp\ directory.
     
     
4. For each image listed and all folders found in the imgtmp directory listed in step 1, run the following commands:
   
   
   • DISM.EXE /Unmount-Wim /mountdir:"c:\path to dir(s) found in previous step" /discard  Where mountdir is the mount path listed from the dism.exe /Get-MountedWimInfo command or the folders specified in step 3.
   • DISM.EXE /Cleanup-Wim
   • Ensure that each unmount command completes successfully
   • Any errors that DISM may encounter will be logged in the %windir%\Logs\DISM directory.  (For further information see Understanding Failures and Log Files)
5. In Windows Explorer open the C:\Program Files (x86)\LANDesk\ManagementSuite\landesk\vboot directory.
   
6. Rename the existing boot.wim to boot.wim.bad.
7. Copy the backup boot.wim (the one from prior to upgrading) from C:\Program Files (x86)\LANDesk\ManagementSuite\backup\PatchName\ to the C:\Program Files (x86)\LANDesk\ManagementSuite\landesk\vboot directory.
   • If access denied errors occurred with drivers and a clean boot.wim file is desired, use the file listed in step 9 below.
8. Rename the restored boot.wim file in the vboot directory to boot.wim.bak.
9. Copy the boot.wim file from the installation package \image directory to the \vboot directory. You should now have a boot.wim and boot.wim.bak (either your backup or an additional copy from the patch) file in the vboot directory.
10. Run the OSD.Upgrade.exe from C:\Program Files (x86)\LANDesk\ManagementSuite\. This should take a few minutes to complete. If it exits quickly it is likely that there are additional errors.
11. Review the OSD.Upgrade.exe log found in C:\Program Files (x86)\LANDesk\ManagementSuite\logs to see if any additional errors were encountered. If additional errors were encountered, you must resolve each one and after resolving re-run OSD.Upgrade.exe.
12. If this still does not resolve the issue check "HKLM\SOFTWARE\Microsoft\WIMMount\Mounted Images" and remove any values in the key.

After OSD.Upgrade.exe has completed successfully you need to redeploy your PXE reps. Instructions for PXE deployment can be found at How to deploy PXE Representatives(step-by-step screenshots)

When a client machine boots into WinPE open a console to confirm the upgrade. The version shown in the console should be 6.1.7601 or higher.

OSD.Upgrade.exe.log

Issue

Remote console install fails during install with error "The Strong name verification system contains exclusion entries in the registry. Blocking access."

Resolution

1. Launch regedit on the computer that the console is being installed on.
2. Navigate to these two locations and delete additional folders beneath these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\StrongName\Verification

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification

Problem:

1. LDMS setup creates a SA user with a random password if you select SQL Express database during installation. The password can't be recovered. It has to be changed.

2. Unable to log into the SQL Express server because of a lost SA password.

Solution / Workaround:

Follow the steps below to reset the lost SA password. You may need domain admin access on the Core.

1. Login to the server as the default user who installed the core
2. Locate SQL Management Studio in the start menu
3. Login with Windows Authentication
4. Once you are logged into the SQL Server use the Object Explorer and locate the SA user. (Security > Logins)
5. Right-click on the SA user and select properties.
6. In the Login Properties update the "Password" and "Confirm Password" fields and click OK

If that doesn't work or if you don't have access to the account that installed LDMS on the core server, try the following steps:

1. Turn off all LANDesk Services (Here is a document that has a PS script to quickly disable all LANDesk services: How to Stop/Start all LANDesk Services at Once? (now with PowerShell)
   
2. Open an admin CMD prompt and Stop IIS (Very important step)
3. Open the Registry and navigate to "HKEY_LOCAL_MACHINE\Software\Microsoft\MSSqlserver\MSSqlServer\LoginMode"
4. Change the value of LoginMode from 2 to 1
   
5. Open the "Services" applet in the Control Panel
6. Locate the “SQL Server (LDMSDATA)” entry and open its properties
7. Enter “-m” into the “Start parameters” field
   
8. Start the service
9. Open a Command Prompt as an administrator
10. Enter the command:
    
    osql -S CORENAME\LDMSDATA -E
    
    *Note* Be sure to change CORENAME to whatever your server name is or you will get a big long message saying you messed up.
    
    
11. At the next prompts enter the following commands:
    
    1> alter login sa enable
    2> go
    1> sp_password NULL,'new_password','sa'
    2> go
    1> quit
    
    
12. Stop the “SQL Server (LDMS)” service
13. Remove the “-m” from the Start parameters field
14. Open the Registry and navigate to "HKEY_LOCAL_MACHINE\Software\Microsoft\MSSqlserver\MSSqlServer\LoginMode"
    

    Depending on the SQL install version, the path may be different. You can try searching for "LoginMode" in regedit to find this key as well.

15. Change the value of LoginMode from 1 to 2
    
16. Start the service
17. At this point you should be able to login to Management Studio using the SA user account and the new password you gave it.
18. Once you confirm that you can log into SQL Server with the new SA password, launch LANDesk Configure Services and update the SA password on the General Tab

1) Run the EPM Tool.  EndPoint Manager (EPM) Tool

- Option B for Console removal.

- C to continue the un-install.

- This will also remove the agent from the machine.

- Restart the machine.

2) Run the install for the target version again.

- If the machine has .net 4.7 then you will need to run this script. (This is only for 2017.1 and earlier.  2017.3 and newer will not have this issue) Issue: Data Analytics Install Fails With .NET 4.7

- After running this script you will need to reboot the system. ( to reload the registry.)

- In some cases some of the software might be left over so you will want to run this tool to double check that there are not any entries for: Data Analytics, Landesk or Ivanti:

Microsoft fix it tool (This is just in case something did not get removed.) : https://support.microsoft.com/en-us/help/17588/fix-problems-that-block-programs-from-being-installed-or-removed

Click on uninstalling then it will populate a list for you.   After each program you run,  You need to run the tool again.

3) Run the install software.

4) Then apply any SU udpates.

5) Re deploy the Agent for the machine.

EPM 2017.3 Core Server setup / installation is failing on the step "Configuring system settings"

Failed

Configuring system settings

On the target EPM 2017.3 Core Server a log file C:\ProgramData\LANDesk\Log\LANDesk.LANDesk.Common.RunMethod_%DATE%%TIME%.log reports

2018-02-26 15:38:12 INFO: Path to assembly: E:\LANDesk\ManagementSuite\.\Install Only Files\IdentityServerConfig.dll

2018-02-26 15:38:12 INFO: Class name: Setup

2018-02-26 15:38:12 INFO: Method name: ConfigureStandalone

2018-02-26 15:38:12 INFO: Arguments

2018-02-26 15:38:12 INFO: Searching assembly for types: IdentityServerConfig.Class1

2018-02-26 15:38:12 INFO: Does class: class1==setup

2018-02-26 15:38:12 INFO: Searching assembly for types: IdentityServerConfig.IdentityServerClient

2018-02-26 15:38:12 INFO: Does class: identityserverclient==setup

2018-02-26 15:38:12 INFO: Searching assembly for types: IdentityServerConfig.Setup

2018-02-26 15:38:12 INFO: Does class: setup==setup

2018-02-26 15:38:12 INFO: Found class?: True

2018-02-26 15:38:12 INFO: Try to run method: ConfigureStandalone

2018-02-26 15:38:12 INFO: Run method: ConfigureStandalone

2018-02-26 15:38:12 INFO: Run method with: 0 parameters

2018-02-26 15:38:12 ERROR: Error running method: ConfigureStandalone Message: Exception has been thrown by the target of an invocation.

2018-02-26 15:38:12 ERROR: Error running method: ConfigureStandalone Message: Configuration file tps.config does not have root <configuration> tag (C:\ProgramData\LANDESK\ServiceDesk\My.IdentityServer\tps.config line 2)

SOLUTION

On the Core Server modified a file C:\ProgramData\LANDESK\ServiceDesk\My.IdentityServer\tps.config -- changed the the tags to <configuration> and </configuration> from <Configuration> and </Configuration> and clicked on the button "Try again".

Setup completed the step "Configuring system settings" successfully and moved on to the next step.

Description

In EPM 2017.3, the CBA8 Root Certification Authority still uses SHA1 as its signature algorithm.

This certificate is present on clients and may be noticed on communications to the EPM agent. This may be flagged by security scanners, however, it doesn't pose an inherent vulnerability.

This certificate is only used to sign the client's local client certificate, and not to secure any communications. The client certificate does use SHA256, and this is what is used to secure communications sent from the agent, not the CBA8 Root Certification Authority certificate.

Ivanti is looking into addressing this in a future release.

Issue

Installation fails during Configuring Datamart step. Error: Exception! Error calling ParseLocalConnectionString Parameter name: local_connection_string

Solution / Workaround

There two ways to solve this issue:

1. Change the proxy settings to bypass the local address under the
   Internet Explorer > Internet Options > Connections > LAN settings >
   
2. Launch Register editor (Start -> Regedit)
3. Change ISNTLM Value: HKLM\Software\LANDESK\ManagementSuite\Core\Connections\Local to "False"
4. TLS 1.0 and SSL3.0 were disabled for IIS, enabling it in Internet Options was not a fix.
5. Use IIS Crypto to enable both and rebooted the server, install went thru fine after that.

Errors in ...\landesk\managementsuite\ldmain\CoreDBUtil.exe.log as below:

System.Data.OleDb.OleDbException: Cannot drop the view 'ReplLENOVOBATTINFOV' because it is being used for replication.

  at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)

  at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()

  at LANDesk.ManagementSuite.Database.Database.ExecuteNonQueryP(String sql, Int32 timeoutSeconds, Object[] parameters)

  at LANDesk.ManagementSuite.Database.Database.ExecuteNonQuery(String sql, Int32 timeoutSeconds, ArrayList oleDbParameters)

There should be a lot of this kind of errors, all about cannot drop a view named "repl*" because it is being used for replication

Root cause

There are rollup core configured.

Solution

Disable replication following the article below:

https://community.landesk.com/support/docs/DOC-35699

Remove all repl views using scripts below:

declare @cmd varchar(4000)
declare cmds cursor for
select 'drop view [' + Table_Name + ']'
from INFORMATION_SCHEMA.VIEWS
where Table_Name like 'Repl%'

open cmds
while 1=1
begin
fetch cmds into @cmd
if @@fetch_status != 0 break
exec(@cmd)
end
close cmds;
deallocate cmds

After the upgrading is done, please manually set up the rollup configuration again.

Issue

When .NET is updated to an incompatible version on a Core Server, you may have any of these issues:

• Unable to launch core server activation utility
• Queries do not expand when starting tasks that target queries or scopes
  
• Unresponsiveness on the console
• Inventory Scans not processing
  
• Other issues
  

The most efficient and accurate way to determine which version of .NET is installed Navigate to the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Version

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Version

Compatibility

	Supported: The version of .NET should not exhibit unstable and intermittent behaviors when installed on the corresponding Core version. Please contact Ivanti support if you experience issues specific to an supported version of .NET.
	Unsupported:The version of .NET has exhibited unstable and intermittent behaviors when installed on the corresponding Core version. Please take the listed steps below if if experience issues with this version of .NET installed.

Core Version	.NET 4.5	NET 4.6	.NET 4.7
LDMS 9.5
LDMS 9.6
LDMS 2016.0
LDMS 2016.3
EPM 2017.1
EPM 2017.3

Cause

If you are experiencing the activation issue, you may see:

"Unhandled exception has occurred in your application. "

 

Click details and you see the below errors:

 

"See the end of this message for details on invoking

just-in-time (JIT) debugging instead of this dialog box.

 

************** Exception Text **************

System.OutOfMemoryException: Array dimensions exceeded supported range.

at System.Diagnostics.TraceUtils.GetRuntimeObject(String className, Type baseType, String initializeData)

at System.Diagnostics.TypedElement.BaseGetRuntimeObject()

at System.Diagnostics.ListenerElement.GetRuntimeObject()

at System.Diagnostics.ListenerElementsCollection.GetRuntimeObject()

at System.Diagnostics.TraceInternal.get_Listeners()

at System.Diagnostics.TraceInternal.WriteLine(String message)

at LANDesk.ManagementSuite.Diagnostics.LogForNet.Init()

at LANDesk.ManagementSuite.Diagnostics.LogForNet.GetLogger(String loggerName)

at LANDesk.ManagementSuite.Licensing.ActivateCore.ActivateCoreForm.get_Log()

at LANDesk.ManagementSuite.Licensing.ActivateCore.ActivateCoreForm.ActivateCoreForm_Load(Object sender, EventArgs e)

at System.Windows.Forms.Form.OnLoad(EventArgs e)

at System.Windows.Forms.Form.OnCreateControl()

at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)

at System.Windows.Forms.Control.CreateControl()

at System.Windows.Forms.Control.WmShowWindow(Message& m)

at System.Windows.Forms.Control.WndProc(Message& m)

at System.Windows.Forms.Form.WmShowWindow(Message& m)

at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

 

 

************** Loaded Assemblies **************

mscorlib

Assembly Version: 4.0.0.0

Win32 Version: 4.6.1055.0 built by: NETFXREL2

CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll

----------------------------------------

LANDesk.ManagementSuite.Licensing.ActivateCore

Assembly Version: 9.60.0.0

Win32 Version: 9.60.3.64

CodeBase: file:///C:/Program%20Files/LANDesk/ManagementSuite/LANDesk.ManagementSuite.Licensing.ActivateCore.exe

----------------------------------------

System.Windows.Forms

Assembly Version: 4.0.0.0

Win32 Version: 4.6.1055.0 built by: NETFXREL2

CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll

----------------------------------------

System

Assembly Version: 4.0.0.0

Win32 Version: 4.6.1055.0 built by: NETFXREL2

CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll

----------------------------------------

System.Drawing

Assembly Version: 4.0.0.0

Win32 Version: 4.6.1068.2 built by: NETFXREL3STAGE

CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll

----------------------------------------

LANDesk.ManagementSuite.Licensing.Activation

Assembly Version: 9.60.0.0

Win32 Version: 9.60.3.71

CodeBase: file:///C:/Program%20Files/LANDesk/ManagementSuite/LANDesk.ManagementSuite.Licensing.Activation.DLL

----------------------------------------

LANDesk.ManagementSuite.Database

Assembly Version: 9.60.0.0

Win32 Version: 9.60.3.68

CodeBase: file:///C:/Program%20Files/LANDesk/ManagementSuite/LANDesk.ManagementSuite.Database.DLL

----------------------------------------

LANDesk.ManagementSuite.Diagnostics

Assembly Version: 9.60.0.0

Win32 Version: 9.60.2.105

CodeBase: file:///C:/Program%20Files/LANDesk/ManagementSuite/LANDesk.ManagementSuite.Diagnostics.DLL

----------------------------------------

System.Configuration

Assembly Version: 4.0.0.0

Win32 Version: 4.6.1055.0 built by: NETFXREL2

CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll

----------------------------------------

System.Core

Assembly Version: 4.0.0.0

Win32 Version: 4.6.1055.0 built by: NETFXREL2

CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll

----------------------------------------

System.Xml

Assembly Version: 4.0.0.0

Win32 Version: 4.6.1064.2 built by: NETFXREL3STAGE

CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll

----------------------------------------

System.Web

Assembly Version: 4.0.0.0

Win32 Version: 4.6.1069.1 built by: NETFXREL3STAGE

CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_64/System.Web/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Web.dll

----------------------------------------

LANDesk.ManagementSuite.KeyValue

Assembly Version: 9.60.0.0

Win32 Version: 9.60.2.48

CodeBase: file:///C:/Program%20Files/LANDesk/ManagementSuite/LANDesk.ManagementSuite.KeyValue.DLL

----------------------------------------

System.Data

Assembly Version: 4.0.0.0

Win32 Version: 4.6.1055.0 built by: NETFXREL2

CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_64/System.Data/v4.0_4.0.0.0__b77a5c561934e089/System.Data.dll

----------------------------------------

LANDesk.ManagementSuite.Data

Assembly Version: 9.60.0.0

Win32 Version: 9.60.3.59

CodeBase: file:///C:/Program%20Files/LANDesk/ManagementSuite/LANDesk.ManagementSuite.Data.DLL

----------------------------------------

LANDesk.DataServices

Assembly Version: 9.60.0.0

Win32 Version: 9.60.3.50

CodeBase: file:///C:/Program%20Files/LANDesk/ManagementSuite/LANDesk.DataServices.DLL

----------------------------------------

LANDesk.ManagementSuite.Information

Assembly Version: 9.60.0.0

Win32 Version: 9.60.3.72

CodeBase: file:///C:/Program%20Files/LANDesk/ManagementSuite/LANDesk.ManagementSuite.Information.DLL

----------------------------------------

log4net

Assembly Version: 1.2.10.0

Win32 Version: 1.2.10.0

CodeBase: file:///C:/Program%20Files/LANDesk/ManagementSuite/log4net.DLL

----------------------------------------

 

************** JIT Debugging **************

To enable just-in-time (JIT) debugging, the .config file for this

application or computer (machine.config) must have the

jitDebugging value set in the system.windows.forms section.

The application must also be compiled with debugging

enabled.

 

For example:

 

<configuration>

<system.windows.forms jitDebugging="true" />

</configuration>

 

When JIT debugging is enabled, any unhandled exception

will be sent to the JIT debugger registered on the computer

rather than be handled by this dialog box."

           

Resolution

This problem is caused by .NET  You can remove .NET:

The .NET 4.6 update can often be found as KB 3045560 - https://support.microsoft.com/en-us/kb/3045560

• On Windows Vista SP2, Windows 7 SP1, Windows Server 2008 SP2, or Windows Server 2008 R2 SP1, Microsoft.NET Framework 4.6 is installed under Programs and Features in Control Panel.
• On Windows 8 or Windows Server 2012, Update for Microsoft Windows (KB3045562) is displayed under Installed Updates in Control Panel. (KB is for .Net Framework 4.6)
• On Windows 8.1 or Windows Server 2012 R2, Update for Microsoft Windows (KB3045563) is displayed under Installed Updates in Control Panel. (KB is for .Net Framework 4.6)

• On Windows 8 or Windows Server 2012, Update for Microsoft Windows (KB3045562) is displayed under Installed Updates in Control Panel. (KB is for .Net Framework 4.6.1)
• On Windows 8.1 and Windows Server 2012 R2, it's listed asUpdate for Microsoft Windows (KB3102467) Or KB4014510under theInstalled Updates in Control Panel (KB is for .Net Framework 4.6.1)
• On Windows 10 you can find this as Update for Microsoft Windows (KB3102495)under theInstalled Updates in Control Panel (KB is for .Net Framework 4.6.1)

• On Windows Server 2012 you can find this as Update for Microsoft Windows (KB3151804) under Installed Updates in Control Panel. (KB is for .Net Framework 4.6.2)
• On Windows 8.1 / Windows Server 2012 R2 you can find this as Update for Microsoft Windows (KB3151864) under Installed Updates in Control Panel. (KB is for .Net Framework 4.6.2)
• On Windows 10 you can find this as Update for Microsoft Windows (KB3151900) under Installed Updates in Control Panel. (KB is for .Net Framework 4.6.2)

.NET 4.7 Redistributable:

• .NET Framework 4.7 for Windows 7/Windows Server 2008 R2: KB3186497
• .NET Framework 4.7 for Windows Server 2012: KB3186505
• .NET Framework 4.7 for Windows 8.1/Windows Server 2012 R2: KB3186539
• .NET Framework 4.7 for Windows 10 Version 1607/Windows Server 2016: KB3186568
• .NET Framework 4.7 Language Packs for Windows Server 2012: KB4015882
• .NET Framework 4.7 Language Packs for Windows 8.1/Windows Server 2012 R2: KB3186606
• .NET Framework 4.7 Language Packs for Windows 10 Version 1607/Windows Server 2016: KB3186607

.NET 4.7.1

• On Windows 7 SP1 and Windows Server 2008 R2 SP1, the Microsoft.NET Framework 4.7.1 is listed as an installed product under the Programs and Features item in Control Panel.
• On Windows Server 2012, it’s listed as Update for Microsoft Windows (KB4033345) under the Installed Updates item in Control Panel.
• On Windows 8.1 or Windows Server 2012 R2, it's listed as Update for Microsoft Windows (KB4033369) under the Installed Updates item in Control Panel.
• On Windows 10 Anniversary Update, Windows 10 Creators Update and Windows Server 2016 it’s listed as Update for Microsoft Windows (KB4033393) under the Installed Updates item in Control Panel.

In addition, the removal of a .NET version may cause configuration issues for IIS, so it is recommended to check the following:

• Verify and re-enable services (run services.msc)
  • Set the World Wide Publishing Service to Automatic, then start IIS manager to verify
  • Applicable SQL services, depending on your configuration
  • Applicable LANDESK, Intel and Managed Planet services, depending on your configuration
• Verify IIS configuration affected by .NET
  • Application Pools should look like this:  (unless you have built custom app pools)

            *** If you have made any of the above adjustments, reboot your server ***

• Verify that the https binding on the Default Web Site has the appropriate certificate
• Check for ISAPI and CGI restrictions (set all to allow)

• We do not recommend the following registry tweak. This will fix the activation but doesn't fix the other issues known with .Net 4.6

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework

You'll probably find a useRyuJIT DWORD value of 1 there. Set it to 0.


Then, create a useLegacyJIT DWORD value into the same registry key and set it to 1.

Symptoms

Activating the Core Server results in the error:  "Unable to Build Core Server Activation File."

Causes

1. The Core Servers Device ID does not exist in the following registry location. HKLM\Software\LANDesk\Common Api
   NOTE: on Windows 2008 R2 server the relevant keys are under theHKLM\Software\Wow6432Node\LANDesk and the files are under the directory C:\Program Files (x86)\LANDesk\Shared Files

2. The .crt file referenced in the registry of the Core Server does not match the .crt in the Program Files\LANDesk\Shared Files\Keys folder.

3. Through the GPO the group policy "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" has been enabled.

Resolution

1. The Core Servers Device ID does not exist in the following registry location. HKLM\Software\LANDesk\Common Api The device id should be created on install or during an inventory scan of the Core Server.
   If it is not copy this key from HLKM\Software\Intel\LANDesk\Common Api

1. Browse to the HLKM\Software\Intel\LANDesk\Common Api\UniqueID key.

2. Export the key.

3. Edit it to reflect the new path: HLKM\Software\LANDesk\Common Api

4. Import the modified key.

5. Retry to activate the core server

2. The name of the certificate created on install is referenced in the following registry key:HKLM\Software\LANDesk\ManagementSuite\Setup\CertName This file needs to exist in the C:\Program Files\LANDesk\Shared Files\Keys.

• For the activation process to work properly the original .crt and .key file have to be present in the C:\Program Files\LANDesk\Shared Files\Keys folder.

• If the server has been reinstalled it needs to be the Cert Created during the most recent install.

• It is possible that after the install the user may have deleted or renamed these files. If this is the case the files will need to be renamed back to the original name. If the original .crt, and .key files were deleted the core will need to be rebuilt.

Open the Core Server Activation Utility.  Click the Licenses button.  Check for anything that says something like "Upgrade-Sub". If its expired, or there, call the LANDesk Licensing queue to have the licensing team deauthorize the core server.
After its done, try to reactivate the core.

3. Disable the  group policy "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" and reboot the core server before to retry the activation process.

    More details about this particular issue are availalbe here: http://community.landesk.com/support/docs/DOC-6382

Question

What virtual environments are supported for the LANDESK Core server ?

Answer

Ivanti supports core servers running in virtual environments.Product End Of Life | LANDESK

• VMware ESX/ESXi (any version)
  VMware GSX (any version)
• Microsoft Hyper-V
  

However, following conditions need to be applied.

• Must meet our hardware requirements in our deployment and BKM guides for both the Core Server and the database server.
• The VMware must use the VMswitch for network connections.
• Should not be sharing the allocated hardware with other VMs (Oversubscription can cause significant performance issues).
• Must have separate drives/sans allocated to the Core and Database.

Best Known Methods for Installing LANDESK Management Suite 9.6 (with videos)

Ivanti Endpoint Manager version 2017.3 setup / install reports Failed "Checking database upgrade prerequisites"

RESOLUTION

On the Ivanti Endpoint Manager version 2017.3 Core Server set the Windows Registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\Core\Connections\local\lsNTLM to False from True. Then click on the button "Try Again" and the Ivanti EPM 2017.3 setup will / should move on to the next step of "Upgrading database".

Question

Can a Core Server be renamed once installed?

Answer

No. It is not supported to rename the Core Server.  If the Core Server must be renamed, the system should be rebuilt starting with a new installation of the Windows Server operating system from CD-Rom media or from a stable base image.

Question(s):

This document will try to address the following questions:

• What ports does LANDESK Management Suite use?
• What ports need to be opened in my firewall?
• What port(s) does component X use?
• Does LANDESK have a ports list?
• What TCP and UDP Ports must be open on a Linux Agent's Firewall?
• Do I need to open my firewall to let ICMP ECHO/ECHO REPLY packets pass?
  
• Where can I find a network port diagram?

Answer:

ICMP

Quite a few functionalities of LANDESK rely on ping (ICMP ECHO) to probe if the device or server is reachable. Disabling ICMP ECHO within the network might result in losing LANDESK functions, such as bandwidth awareness or usage of preferred server.

The network port information has been divided into the following sections.

• Core Server
• Agent - Linux
• Agent - Mac
• Agent - Windows
• Management Gateway
• Mobile Device Manager Server
• PXE Representative
• Remote Console

Additionally a graphical representation of the data is attached to this article.

Note: It is recommended that all ports for a specific component be opened for backwards compatibility. Failing to open listed ports is not tested.

Core Server	Port #	Direction	Notes
TCP	22		UDD
TCP	25		UDD
TCP	80		Activation, Client, Core Sync, Inventory, Patch Manager, Security Suite, Web Console
TCP	139		Console, UNC
TCP	389		LDAP
TCP	443		Client, Console, Inventory, SLM, Software Distribution
TCP	445		Console, UNC
TCP	1433		Database (MS SQL Server)
TCP	1521		Database (Oracle)
TCP	5007		Inventory
TCP	8092		Core, Console, AMT MPS Server
TCP	8321		Core, Command Service
TCP	9535		Remote Management
TCP	9590		Console, SLM
TCP	9591		Console, SLM
TCP	9593		Software Distribution
TCP	9594		Software Distribution
TCP	9595		Agent Discovery
TCP	9971		Agentless AMT Discovery
TCP	9972		AMT Notification
TCP	9982		AMT Discovery (VPro)
TCP	12174		Remote Execute
TCP	12175		Software Distribution (Policy) [version 8.7 & Older]
TCP	12176		Software Distribution (Policy) [version 8.8 - Current]
TCP	16992		HTTP AMT Management
TCP	16993		HTTP AMT Management
TCP	16994		AMT Hello Packets
TCP	33354		Multicast
UDP	9595		Agent Discovery
UDP	33354		Multicast
UDP	38293		Agent Discovery

Linux Agent	Port #	Direction	Notes
TCP	25		UDD
TCP	80		Patch Manager, Inventory
TCP	443		Client, Core, Inventory
TCP	5007		Inventory
TCP	9535		Remote Management
TCP	9593		Software Distribution
TCP	9594		Software Distribution
TCP	9595		Agent Discovery
TCP	12174		Remote Execute
UDP	67		Imaging (PXE Broadcast)
UDP	68		Imaging (PXE)
UDP	69		Imaging (PXE TFTP)
UDP	1759		Imaging (PXE MTFTP)
UDP	4011		Imaging (PXE Unicast)
UDP	9595		Agent Discovery

Mac Agent	Port #	Direction	Notes
TCP	25		UDD
TCP	80		Patch Manager, Inventory, Software Distribution
TCP	443		Client, Core, Inventory, Patch Manager, Software Distribution
TCP	4343		HTML 5 Remote Control
TCP	5007		Inventory
TCP	9535		Remote Management
TCP	9593		Software Distribution
TCP	9594		Software Distribution
TCP	9595		Agent Discovery
TCP	12174		Remote Execute
TCP	12175		Software Distribution (Policy)
TCP	12176		Software Distribution (Policy)
TCP	33354		Software Distribution (Peer Download, Multicast)
UDP	9595		Agent Discovery
UDP	33354		Software Distribution (Multicast)
UDP	33355		Software Distribution (Multicast)

CSA (Management Gateway)	Port #	Direction	Notes
TCP	22		SSH Administration
TCP	25		Email Notification
TCP	80		Activation, Patching
TCP	443		Administration, Client, Core
TCP	444		DEP (iOS)

Mobile Device Management Server	Port #	Direction	Notes
TCP	80		(Core Only)
TCP	443		Enrollment
TCP	2195		APNS (Apple)
TCP	2196		APNS (Apple)
TCP	5223		APNS (Apple)
TCP	5228		C2DM (Google)
TCP	444		DEP (Apple)

PXE Rep	Port #	Direction	Notes
UDP	67		Imaging (PXE Broadcast)
UDP	68		Imaging (PXE)
UDP	69		Imaging (PXE TFTP)
UDP	1758		Imaging (PXE MTFTP)
UDP	1759		Imaging (PXE MTFTP)
UDP	4011		Imaging (PXE Unicast)

Remote Console	Port #	Direction	Notes
TCP	80		Console, Core, HTTP Management
TCP	139		Console, Core
TCP	443		Console, Client, Core, SLM
TCP	445		Console, Core
TCP	8092		Console, Core, AMT
TCP	9590		Console, Core, SLM
TCP	9591		Console, Core, SLM
TCP	9595		Agent Discovery
UDP	68		Imaging (PXE)
UDP	69		Imaging (PXE TFTP)
UDP	1758		Imaging (PXE MTFTP)
UDP	1759		Imaging (PXE MTFTP)
UDP	4011		Imaging (PXE Unicast)
UDP	9595		Agent Discovery
TCP	1433		Database (MS SQL Server)

Windows Agent	Port #	Direction	Notes
TCP	25		UDD
TCP	80		Patch Manager, Security Suite, Software Distribution, Inventory
TCP	137		NetBIOS (non-domain clients)
TCP	139		UNC
TCP	443		Client, Core, Inventory, Software Distribution
TCP	445		UNC
TCP	4343		HTML5 Remote Control
TCP	5007		Inventory
TCP	9535		Remote Management
TCP	9593		Software Distribution
TCP	9594		Software Distribution
TCP	9595		Agent Discovery
TCP	9971		AMT Discovery
TCP	9972		AMT Notification
TCP	9982		AMT Discovery/VPro
TCP	12174		Remote Execute
TCP	12175		Software Distribution (Policy) [ver. 8.7 & Older]
TCP	12176		Software Distribution (Policy) [ver. 8.8 - Current]
TCP	16992		HTTP AMT Management
TCP	16993		HTTPS AMT Management
TCP	16994		AMT Hello Packet
TCP	33354		Software Distribution (Peer Download, Multicast)
UDP	67		Imaging (PXE Broadcast)
UDP	68		Imaging (PXE)
UDP	69		Imaging (PXE TFTP)
UDP	1758		Imaging (PXE MTFTP)
UDP	1759		Imaging (PXE MTFTP)
UDP	4011		Imaging (PXE Unicast)
UDP	9535		Device Discovery, XDD
UDP	9595		Agent Discovery
UDP	33354		Software Distribution (Multicast)
UDP	33355		Software Distribution (Multicast)
UDP	38293		Agent Discovery

Rollup Core	Port #	Direction	Notes
TCP	1433		Rollup Core to SQL Servers
TCP	1433		SQL server to SQL server replication

**Note that if you are using Preferred Servers and replicators in your environment, the same ports that are used from the client to the Core and from the Core to the Client are used. As the Preferred Server must be an agent, and as some of the Core's tasks are off-loaded to the Preferred Server, the other clients will talk to it across the same ports they talk to the Core Server on.

The below chart can be consulted to determine best practices for each .NET version.

	Supported: The version of .NET should not exhibit unstable and intermittent behaviors when installed on the corresponding Core version. Please contact Ivanti support if you experience issues specific to an supported version of .NET.
	Unsupported:The version of .NET has exhibited unstable and intermittent behaviors when installed on the corresponding Core version. Please take the listed steps below if if experience issues with this version of .NET installed.

Core Version	.NET 4.5	NET 4.6	.NET 4.7
LDMS 9.5
LDMS 9.6
LDMS 2016.0
LDMS 2016.3
EPM 2017.1
EPM 2017.3

• • Download the latest patch content
  • Preparing the Core Server for installing the update
  • Update the Core Server
  • Update Rollup Cores, Remote Consoles, and clients

Download the latest patch content

1. Login to the Ivanti/LANDESK Console.
   
2. In the Patch and Compliance tool, click the Download Updates icon.
   
3. In the Download Updates window, check the box under Windows | Software Updates | Ivanti 10.1.1 Software Updates.   The screenshot is from a 2017.1 Core Server. For 2016.3, the box to check is LANDESK 10.1 Software Updates.
4. Click the Download now button at the bottom of the screen.
   
5. When the download completes, click the Close button.
   
6. In the Patch and Compliance tool, click the filter on the upper left side (All types) and select the LANDESK update option from the list.
   
7. In the Patch and Compliance tool, click on LANDESK Updates (All items) folder on the left side.
8. Click on the Severity column at the top to sort the results by the severity.
9. Look for vulnerabilities/patches that have Service Pack in the Severity column. Find the service pack with the newest date in the Date published column. This will be the latest Service Update available.
   
   
   Note: Only the newest Service update is needed because all of the fixes in the previous updates are included in the newest one.
10. Double click the newest one to open its properties.
    
11. In properties of the patch, right-click the detection rule that has Core in the name at the end and select the Download Patch option. Do not select the one with RollupCore at the end of the name.
    
12. When the patch finishes downloading, remember the name of the patch file and the location it was downloaded to so you can get to it for later steps.
13. Click Close.
    
14. Right-click the detection rule with clientat the end of the name and download it.
15. When the client patch finishes downloading, close the download window then click OK to close the patch window.
16. In Windows Explorer, go to the folder where the Core patch was downloaded and find the file.
17. Right-click the patch file and select Properties.
    
18. On the General tab, if there is an Unblock button at the bottom near the Read-only check box, click the Unblock button to unblock the file.
19. Unzip the file in a folder on the Core Server.

Preparing the Core Server for installing the update

1. Backup the Core Server by following your Corporate policies for backing up servers.
2. Backup the Ivanti/LANDESK database. Get help from your Database Administrator if you do not know how to do this.
   
   
   Note: Do not skip the backup steps because they are your safety net in case something goes wrong during the install of the update.
   
   
3. Updates can fail if there are any mounted WIM files on the Core Server. The following community article has information on cleaning up the WIM files before installing the update:
   
   How To: Cleanup WIM Images Before Upgrading/Patching Core
4. Alternate Data Streams (ADS) on the Core Server or on the update files can cause the upgrade to not update all files and causes strange behavior after the upgrade is complete. Remove ADS on the Core Server before installing the update. The following community article has information on Streams and how to clean it up:
   
   Streams; and why you should remove them.

Update the Core Server

1. Reboot the Core Server.
2. Login to the Core Server with an admin account. If you are doing this through Windows Remote Desktop (RDP), make sure you use the /admin switch when starting the RDP session.
3. Close the Ivanti/LANDESK Console if it is running and close any other applications that are running on the Core Server.
4. Stop any Antivirus software and other Security software that is running on the Core Server so they cannot interfere with the update.
5. It is not required to stop the Ivanti/LANDESK services before installing the update but for best results, it is recommended that you manually stop all of the Ivanti/LANDESK services that are running to make sure they stop successfully.
6. In Windows Explorer, right-click the SETUP.EXE file in the folder where you unzipped the update and select the "Run as administrator" option.
7. After the update finishes installing, reboot the Core Server.

Update Rollup Cores, Remote Consoles, and clients

The Remote Consoles and Rollup Cores can be patched manually by running the same SETUP.EXE that was run on the Core Server to update it. The following steps show how to use Patch Manager to update the Rollup Cores, Remote Consoles, and Clients.

1. In the Patch and Compliance tool in the Console, right-click the update and select the Repair option in the list.
   
2. Click on Agent settings on the left side.
3. Select a different Distribution and patch setting or Reboot setting to be used for this task if the ones used in the Agent installed on the clients do not have the options you want for installing the patch.
4. Click Save. This will create the task and take you to the Scheduled Tasks tool.
   
5. Add targets to the task by dragging and dropping the computers from All Devices in the Console on the task or add queries to the task.
6. Right-click the task and select the Start | Now option to start the task immediately or set the start time that you want the task to start.
7. Wait for the task to complete.

Issue

Remote console install fails during install with error "The Strong name verification system contains exclusion entries in the registry. Blocking access."

Resolution

1. Launch regedit on the computer that the console is being installed on.
2. Navigate to these two locations and delete additional folders beneath these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\StrongName\Verification

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification

This document covers how to install Ivanti Endpoint Manager 2017.3.

Ivanti Endpoint Manager was previously known as LANDESK Management Suite.