How to create a basic Repair task using EPM

Version 6

    Verified Product Versions

    Endpoint Manager 9.6Endpoint Manager 2016.xEndpoint Manager 2017.xEndpoint Manager 2018.x


    The purpose of this document is to teach you how to create a simple repair tasks using Ivanti Endpoint Manager, formally Landesk. In some situations you may find you have an employee or yourself who doesn't have the training or knowledge with the product enough to perform a basic repair task on a specific vulnerability when asked to. This document is a step by step guide to create a single repair task for one or more vulnerabilities.




    If you are reading this they it is assumed that your licensing and vulnerabilities are already setup and you are ready to repair a client. You also know the name of the vulnerability that you are wanting to patch.


    For additional information on assumed expectations please visit these links:

    How to get Started with Patch and Compliance Manager

    About Ivanti EPM Distribution and Patch settings



    Step 1: Creating the repair task

    The first step to creating a repair task is locating the patch in question. Once the patch you desire is found simply right click on the vulnerability and select "Repair..."



    Selecting this will bring up the scheduled task window where we configure the parameters for the task.

    You can select more than one patch at a time.

    Step 2: The Scheduled Task Window

    In this step I will go over a basic overview of the settings for a simple repair task, I will not go to far into detail. For and in depth understanding of the different options and configurations selecting the "Help" button at the bottom of the scheduled task window will give more information on what those options do or visit our community for more information. I will make important notes for settings to be aware of.


    Repair settings

    This is the first window that you'll see when the window opens. This contains options to add target clients, overrides to the Preferred Server and Maintenance windows. This is also where you can name the task that is about to be created.

    "Ignore maintenance window if specified" This is an important setting to take note of, if your client fails the repair with a 491 "Deferral until next maintenance window." Selecting this option will bypass that maintenance window and attempt the repair.

    For this example we are going to leave everything here blank. We are also going to leave the name of the task as the default name.

    window 1.PNG


    Task Settings

    Next you'll see Task Settings, it is here you will see the Task type, Action type (Opens Portal settings window), Frequency, Additional Push options, And Download option.


    Task type: This will change how the task will interact with the clients.

    Frequency: This will change how often the task will run.

    Additional Push options: These are additional parameters the task will apply to the task.

    Download options: Changing this option will allow for different methods of download and execution for the task.


    For this example we are going to use the default settings

    window 2.PNG

    Portal settings

    This is an optional setting, for more information please visit our community on Portal Manager here.


    Agent Settings

    This is one of the more important windows in the process. Here you will configure the Distribution and Patch and Reboot settings the task will use. Configuring these will alter how the task behaves when it comes to scanning and reboots.


    You can alter what setting is used by selecting where it says "Keep agent's current settings" this will bring a drop down that will allow to you to select which setting will be used for the task. Keep agent's current settings refers to the setting that is applied to the client by default. After selecting an alternative setting you can select "Edit.." to look more in depth at what that particular setting and it's behavior.


    For the example I will use the default settings.

    window 3.PNG




    This window gives an overview of the definitions that have been selected for the task. This window gives the option to add any prerequisites and dependencies any of the patches require for a successful patch install. There is nothing to change in this window so we can move on.

    window 5.PNG


    It is safe to have patches that aren't needed by the client. The scanner is designed to only attempt to apply patches that are applicable and detected to the client. If a patch is not applicable or detected to the client it will simply scan the vulnerability then disregard as not applicable and move to the next vulnerability in the list.


    Patch list

    Here you will be able to get an overview of the list of patches that will be used in the task. Looking at this you can double check the amount of patches and download status of the patches. In this example, I have not downloaded the patches yet as indicated by the "Downloaded" column. I know I am able to download because the "Can Download" column indicates that I can.


    I can download the required patch by highlighting the patch and this will allow for the "Download" button to become available. Selecting this option will download the patch.

    There are other methods to downloading the patch, we are using this option as an example.

    The Patch list doesn't populate when repairing a custom patch group, you'll need to ensure patches are downloaded before continuing. The task will fail if patches are not present on the core/preferred server.

    window 4.PNG



    Here you can assign what clients will receive this task. There are many options to choose from which option will depend on the method of choice. Most of these options are for groups that once the specific group or query is selected for the task it will pull all clients in those groups into the task.


    Targeted Devices: Selected individual clients in the environment.

    Targeted LDAP objects: Clients that are associated with an LDAP objects.

    Targeted queries: Clients that are assosiated with a custom built Landesk Query.

    Targeted LDAP quries: Clients that are assosiated with an LDAP query.

    Targeted device group: Clients that have been placed in a custom device group in the Network View.

    Targeted scopes: Clients that have been placed in a scope in the network view.

    Targeted email addresses: Clients who have had an email address associated with the machine.

    Targeted time zones: Informational only. Displays clients time zone as well as how many of those clients in that zone.


    Simply select the option you want and press "Add" this will bring up a list of options available that fall under that particular group.

    For this example I have selected Targeted devices. Notice the PC "Elexi" under Targeted Devices.

    window 6.PNG

    There are other methods to adding clients to the task, such as dragging the clients into the task from the Network view right on top of the task in the Scheduled task window.


    Schedule task

    Now that we have our clients selected and the task configured it is now time to schedule it. Here you are given 3 options, Leave unscheduled, Start now, and Start later.


    Leave unscheduled: This will leave the task unscheduled for you to either come back later to reschedule or for you to manually start later at a time that works best.

    Start now: Once the "Save" button is selected the task will begin processing.

    Start later: Allows you to schedule it to start the task at a specified time. This has additional options for clients in different time zones as well the option to make it repeat at certain intervals.


    For the example we will leave it unscheduled.

    window 7.PNG


    Step 3: Launching the task

    Now that we have the task configured how we want, and assuming we haven't already started it, you will see that the application has taken you to your scheduled tasks window. Here you can monitor the status of the task. The display shows 4 different statuses, Active, Pending, Successful, Failed. When a task is left unscheduled the clients will be in a pending state. In order to launch the task from the console simply right click on the task and select "Start Now" this will give you options on what you want to start we are going to select "Devices that did not succeed." From there the task will start and Endpoint Manager will do the rest. The console will periodically update with it's status.


    window 8.PNG


    Now that the task is started, simply wait for the return which will display. If it is successful congratulations you just launched your first repair task. If you're getting failures, take a look at the pane on the right side and it will give a brief report of the reasons for failure in the form on an associated return code. Some may require Technical Support to assist you with but our community is full of troubleshooting steps.


    Useful Links:

    Ivanti Endpoint Manager and Endpoint Security - Security and Compliance Frequently Asked Questions

    How to Effectively open a patch related Support ticket

    How to use Reboot Settings

    About Ivanti Patch and Compliance Manager and Ivanti Antivirus return codes

    Patch Definitions with Detect in the name

    How to Effectively open a patch related Support ticket