Direct Link to Document Here

" "

This document explains the capabilities of Role Based Administration in Protect.

You can assign different roles to different users of Shavlik Protect . This enables you to make the program available to a wide variety of people within your organization while maintaining control over its use. The role assigned to a user determines what that particular user can do.

When Shavlik Protect is launched it checks if role-based administration is enabled. If so, the program then looks to see if the current user has been assigned a role. If the user has been assigned a role, the program grants that user access to only those features allowed by their role. For example, you may have a number of users who are allowed to create reports, but only one or two users who have permission to deploy patches.  The following types of Role Definitions are available:

• Administrator: Full access to all features of the program. Only an administrator user can modify the roles assigned to other users.

CAUTION! If you assign the Administrator role to only one user, make sure you know how to log on to the console machine using that user. Otherwise it is possible to lock yourself out from certain features, with the only solution being to reinstall the program.

• Full User: Access to all features except for the ability to administer roles.
• Scan and Report Only: Can perform patch scans and can generate reports.
• Deploy and Report Only: Can perform patch deployments and can generate reports.
• Report Only: Can generate reports

Features that are not available due to role limitations will be either grayed out or removed from the interface. If a user has not been assigned a role they will not be able to start the program. It is not possible for a user to switch roles while within the program.

Role-based administration is initially disabled. Until you enable this feature, all users will have full access to the program. You enable and configure role-based administration via the Manage > User Roles Assignment menu. See Assigning User Roles and Enabling and Disabling Role-based Administration for detailed information.

Shavlik Protect 9.x
vCenter Protect 8.x

This document outlines how to setup Email Operations for email notifications in Shavlik Protect

In Protect choose Tools> Operations >Email.

The E-mail tab enables you to specify if you want to use the automatic e-mail feature and to define the properties of the SMTP server used for sending the automatic e-mail messages and alerts. (See E-mail Overview for more details). To use this feature, enable the Enable e-mailing of notifications and results check box and then specify the name or IP address of the SMTP server you use.

Shavlik Protect 9.x
vCenter Protect 8.x

This article is meant to provide information on obtaining and installing the SCAP Processor for use with VMware vCenter Protect Configuration Management (formerly Shavlik NetChk Configure). 

When a customer purchases a Government license for vCenter Protect - Configuration Management (Formerly Shavlik NetChk Configure), they are sent a download link for the SCAP Processor installation file. That link is as follows:

https://hfnetchk4.shavlik.com/downloads/SCAPProcessor_4.3.17.0.exe

vCenter Protect Configuration Management 4.3 can be downloaded at http://www.shavlik.com/downloads/VMwareProtectConfigMgmtSetup_4.3.19.0.exe. 

SCAP Processor

vCenter Protect Configuration Management 4.3

(Formerly Shavlik NetChk Configure)

The Scheduled Tasks Manager contains a list of machines that have been discovered in Protect.  This document outlines how to remove machines from that list to cut down on the overhead cost of Scheduled Tasks Manager trying to resolve machines that no longer exist and to make finding actively managed machines a little easier.

You can access the Scheduled Tasks Manager the following ways:

• Select Manage > Scheduled Tasks
• Select Start > All Programs > Shavlik Protect > Scheduled Tasks Manager

1. Open Protect and navigate to View > Machines.
2. Locate the machine(s) you wish to remove from the Scheduled Task Manager manually or by using the search field.
3. Right-click on the machine and choose Delete. (you can higlight more than one machine)
4. A popup box will appear where you can choose your next action.
5. Choose Delete Machine(s) to remove the machine from the list.

     5. Verify the machine has been removed from the Scheduled Tasks Manager.

  The machine will populate the View > Machine any time you scan it, install an agent or install the Shavlik scheduler.  You should remove the from any Machine Groups to ensure it is not scanned and do not install an agent on it if you do not wish to manage it anymore.

This will have no effect on your deployment seat count.

Shavlik Protect 9.x
vCenter Prtoect 8.x

• Scheduled scans fail to initate at its scheduled time.
• The Scheduled Tasks Manager Log tab shows an error in the Status column: -1066598274

Scheduled tasks are ran by the Local System Account, and utilize the Default Credentials defined within Protect to initiate a task. If the 'Default Credentials' are set as an account different than the account that created the credentials in question, the error will occur.

Example:
Admin1 logs into Protect, and defines a series of credentials. Admin1 then sets the credentials for Admin2 as 'Default'. The accounts that are showing for Admin1, that were made by Admin1, are only useable when accessed with User1's credential information. Because scheduled tasks are started by the Local System Account, which uses the 'Default Credentials' to try and decrypt credentials from the database, only User1's credentials will be able to succeed at this. By defining any other user (in this case Admin2) as the 'Default', the credentials cannot be decrypted from the database, and the task cannot succeed.

1. Log into Protect, and click Manage > Credentials.
2. Make sure your currently active windows account has been entered into the Credential Manager (what ever account you logged into windows with, make sure it is added to the Credential Manager).
3. Select your Currently Active Windows Account set of credentials, and select set as Default.

Now when a scheduled task initiates, it will use the default credentials (your Currently Active Windows Account) to decrypt the credentials you created. This will allow the scan to successfully initiate.

  To ensure that your scans can complete, define credentials to the machines within Machine Groups.

Shavlik Protect 9.x

If you have created your code signing certificate using an internal CA, the Shavlik Patch plugin gives you the ability to import this certificate via the Shavlik Patch Settings on the WSUS Server tab. However, to be able to use the Import function it is required to have an SSL connection to the WSUS server.

This document is meant to provide some details about how to configure IIS to use SSL on your WSUS server for use with Shavlik Patch for Micrososft System Center.

Shavlik does not provide support for Microsoft products such as Configuration Manager, WSUS, or IIS. If you face trouble in setting up these prerequisites to installing the Shavlik Patch plugin it would be best to work directly with Microsoft support.

The steps below show how to configure IIS on the WSUS Server to use SSL. You will need to have the IIS role and functionality working prior to performing these steps. This documentation was created using a Windows Server 2012 R2 environment.

1) Ensure that Server Manager is opened (run as administrator), and click Tools > Internet Information Services (IIS) Manager.

2)  Click the server node in the Connections tree. Double-click "Server Certificates".

3)  Click "Create Self-Signed Certificate...".

4)  Fill in the edit field “Specify a friendly name for the certificate”.  Select the “Web Hosting” certificate store.  Click OK.

5)  Click “WSUS Administration” in the Connections tree.

6)  Click “Bindings…” in the Actions column.

7)  Click “https 8531”.  Click “Edit…”.

8)  Select the SSL certificate you just created in the dropdown box.  Click “View…”.

9)  Note the FQDN of the “Issued to” server.  Click OK.

10)  Enter FQDN host name you remembered from the Certificate window.  Click OK.

11)  Click Close.

12)  Expand “WSUS Administration” in the Connections tree.  Click on ClientWebService.  Double-click “SSL Settings”.

13)  Click the checkbox “Require SSL”.  Click Apply.

14)  Repeat the last two steps for “DssAuthWebService”, “ServerSyncWebService”, and “SimpleAuthWebService”.  Close Internet Information Services (IIS) Manager.

15)  Start a command prompt in Administrator mode.  Change directory to C:\Program Files\Update Services\Tools.  Run WsusUtil.exe configuressl <FQDN>.  Make sure you get a similar URL response as shown.  Close the command prompt.

16)  Now you need to export the certificate. Run MMC in Administrator mode.  Click File->Add/Remote Snap-in…

17)  Click Certificates.  Click Add.

18)  Click the radio button “Computer account”.  Click Next.

19)  Click Finish.

20)  Click OK.

21)  Expand the Certificates (Local Computer) \ Trusted Root Certification Authorities and click on Certificates.  Right-click on the certificate that matches the FQDN of this server.  Click All Tasks > Export…

22)  Once you export the certificate, you will need to copy the certificate to your SCCM system(s) that will need to connect to the WSUS server, and ensure it this certificate is imported to the Trusted Root Certification Authorities > Certificates on any of those systems.

23) Once this is configured you should then be able to connect using SSL via the Shavlik Patch plugin settings. If you have the Shavlik Patch plugin installed in SCCM, go to Software Library > Software Updates > right click on 'Shavlik Patch', then choose Settings.

24) Go to the WSUS Server tab. You can now choose Port 8531 and check the box for 'Use Secure Sockets Layer (SSL) to connect to this server. Test the connection, and then click the 'Import' button to import your code-signing certificate.

For more information refer to the following resources:

Technet - Secure the WSUS 3.0 SP2 Deployment

Microsoft's documentation on System Center 2012 at http://technet.microsoft.com/en-us/library/hh546785.aspx

Shavlik Patch for Microsoft System Center Documentation

Shavlik Patch for Microsoft System Center

(Formerly Shavlik SCUPdates)

In Version 9.0 When performing a scan, a machine is skipped with theError Code: 4andStatus: Machine resolved multiple times; skipping this one.

In version 9.1 the error will show: Machine filtered in its Machine Group.

When scanning a Machine Group, an option is selected in theScan Onlysection that one or more machines in the group does not qualify for.

Example: When adding workstations, the optionScan Only Serversis selected.

Uncheck all options in theScan Onlyfield, or ensure options selected match the machines that are in the list.

Example: SelectScan Only Workstationsif workstations are the only machine types in the list.

Available Reports

The following reports are available in Shavlik Protect. The reports you have access to is dependent upon your current license level.

To choose a report, select Tools > Create report from the main menu and then select a report from the drop-down list at the top of the Report Gallery dialog. The list is divided by the different types of security programs available within Shavlik Protect.

This document is meant to provide information about how to patch all instances of SQL on one system with Shavlik Protect.

Microsoft allows multiple instances of SQL database engine to run side-by-side on a single system. This can lead to some odd behavior when patching, but in this document we will try to cover the best practice for applying patches to all instances and what to do if it seems there is any problem with detection of multiple SQL instances.

Best Practice for Deploying patches to all instances

For any given patch that affects Microsoft SQL Server, Shavlik Protect's detection will check all applicable files and registry keys for each instance of SQL that exists on the system. Note: The database engine services must be installed for an actual SQL instance to exist. Shavlik Protect will not detect or apply patches if the database engine services are not installed.

Based on this, the best practice is very simple. You should be able to patch all instances by peforming a Security Patch Scan or WUscan with Shavlik Protect, and then deploy all missing patches. This method is not using the /allinstances switch that Microsoft enables for SQL patches. This just means that Shavlik Protect is detecting each patch individually for every instance of SQL that exists on the target system(s).

Actions to take if all instances of SQL are not being patched

If a SQL patch was not applied to a certain instance on the initial deployment of all patches, you may need to do the following:

• Ensure that you are using the latest patch definitions. You can check this under Help > About. Help > Refresh Files will update definitions.
• If you know that you already attempted installation of the patch - try manually running the patch file on the target system. Does it error out?
• If this patch was not displayed missing previously - you can deploy again. This may be all it takes to resolve this.
• If patches are repeatedly shown missing or you believe there may be a detection issue it will be best to contact support and provide the following:
  • Full description of the current problem taking place
  • Logs from a scan of a single system that has the issue.
  • Any screenshots that you believe will be helpful
  • DPD Trace

The following resources may be helpful in learning more about patching SQL instances:

• Technet - Database Engine Instances
• Technet - Information about /allinstances Switch

Shavlik Protect 9.x

vCenter Protect 8.x

The Shavlik Protect Custom Content program enables you to receive detection and deployment logic for the Windows XP patches provided to you via Microsoft’s extended support program.

This document is meant to provide information about how to configure Protect to use custom content and processes surrounding the use of custom content.

Make sure you have your Custom Content Fulfillment letter. This letter contains the Custom Content URL that is needed when configuring Shavlik Protect.

If you have an extended support contract with Microsoft, but do not have a Custom Content Fulfillment letter from Shavlik, please send an email to Protect-Help@Shavlik.com.

1. Close Shavlik Protect.
2. Start Notepad as an administrator.
3. Open C:\Program Files\LANDESK\Shavlik Protect\STEnvironment.config.
4. Find the 'manifestUri' and modify the URL, substituting the existing URL with the one in the fulfillment letter.
5. Save the STEnvironment.config file.
6. Open Shavlik Protect.
7. Select Help > Refresh files.

Do not make the change by going into Tools > Operations > Downloads and changing the Definition download source. This will cause failures to obtain all necessary data files.

As part of the Custom Content Support Agreement you will need to submit to Shavlik the patches that were released by Microsoft. This will be the start of the process for generating and testing the custom content.

1. Download the patches from Microsoft.
   As part of your Premium Support Agreement with Microsoft, you should have received information on how to retrieve patches as they are released.
2. Open a Windows Explorer window and paste ftp://ftp.landesk.com/incoming into the address bar. No authentication is needed. You can then paste the file into the Windows Explorer window.This process may be updated later.
3. Paste the patch file(s) into the /incoming folder.
4. Send an email to CustomContent@shavlik.com to notify the Content Team that the files have been uploaded. Include the file names that were uploaded.
5. Move a copy of the patches into the Shavlik Protect patch repository so they are ready when the Custom Content is released.
   Note: You can verify the location of your patch repository by checking the settings of Tools > Operations > Downloads > General patch download options > Patch download directory.

Custom Content issues can be submitted through the normal support process.

• Shavlik Community

• Shavlik Support

Shavlik Protect 9.x

This is a list of highly recommended documents for improving general knowledge of the Shavlik Protect product. This article is not a comprehensive list of documents.

• Download Site
• Protect 9.1 Installation Guide
• Protect 9.1 Upgrade Guide
• Protect 9.1 Online Help
• Shavlik Protect Requirements Guide
• Firewall & Proxy Exception White-List
• Installing Prerequisite Software

• How to Activate Shavlik Protect
• Managing License Seat Usage
• Offline Activation Process
• Sales/Licensing Contact Information

• Best Practices Guide (9.1)
• Best Practices: Java Deployment
• Best Practices: Software Distribution
• Best Practices: Agentless Scanning & Deployment of Service Packs
• Best Practices: Using Security Tools
• Best Practices and FAQ on using Threat protection with Shavlik Protect agents
• How To Configure Windows Firewall for Protect
• How to Create a Custom Patch
• How to manage Shavlik in an Offline network
  • Offline Environment: How To Manually Update patch data files
  • Offline Environment: How to Manually Update threat definitions

Installation & Upgrade

• Preparing for Upgrade of Protect and Resolving Common Upgrade Issues
• Data Conversion error during Upgrade
• Cleaning up broken installs of Protect
• Resolving database upgrade timeout failures

Obtaining Trace Logs

• Console, Client Side (agentless), and Agent log files
• Console Install and Setup Logs
• DPD Trace (for scan detection issues)
• Listing & Purpose of All Log Files

Scanning & Detection

• Troubleshooting Patch Scan Error Codes
• Scans running slow or taking long time to complete
• Scan Results fail to import (Incomplete results)
• Why Shavlik Protect scan results may differ from Windows Update
• Java patches not shown missing or installed
• How to include or exclude specific patches in scan
• Adobe & Mozilla Incremental Updating process
• Patch install/uninstall loops (patches that always show missing)

Patch Deployment & Shavlik Scheduler

• Deployed patches appear as missing
• Deployment Tracker Status Message Values
• How to Troubleshoot A Failed Patch Install
• Service Pack Deployment Guidelines
• Reinstalling the Shavlik Remote Scheduler Service

Database Related

• SQL Database Maintenance Recommendations for Protect
• Cleaning up (purging) a Protect Database
• Increasing database timeout period
• Moving/migrating Protect database

Agents

• Agent Diagnosis Commands
• Agent Install failing at 67% (registration failure)
• How to fully uninstall and reinstall an agent

Other

• Issues adding machines to a group via Active Directory/OU
• Verifying Proxy Settings for Download Issues
• Role Based Administration Lockout Fix
• Understanding the Machine Groups and the Machines View

• XML (Patch Definitions) Update Information
• List of Currently Supported Products
• Feature or Change Requests

Review the behavior of KB983509 Visual Studio 2010 Service Pack 1

Deployment fails for machines disconnected from the Internet.

This is expected behavior as an Internet connection is required during the installation. 

Microsoft does provide an ISO image for disconnected environments, however ISO deployment is not supported by Shavlik at this time. If you would like to see this functionality you can submit a feature request by going to http://shavlik.featureidea.com

Microsoft's KB - http://support.microsoft.com/kb/983509

Download patch/ISO - http://www.microsoft.com/en-us/download/details.aspx?id=23691

Protect 9.x

Protect 8.x

-You are able to successfully scan a machine, but when you attempt to deploy to the machine it fails.

This can happen because when you scan the machine it will use the default credentials - which are valid. Then when you attempt a deployment it will use the credentials assigned in the Machine Properties. If the Machine Properties credentials are no longer valid the deployment will fail.

Change machine property credentials.

• Click View > Machines.
• Right click one of the selected machines and choose Machine Properties.
• In Machine Properties select 'Assign credential for the selected machines' then choose the desired credential.

You can also choose to leave the Credential in Machine Properties left blank. This way the deployment will use default credentials or credentials assigned via machine group when performing the deployment.

Protect Version: All

The Protect Console expiration date is different than the expiration date shown in the Protect Agent.

(Example of Protect Console Expiration Date)

(Example of Protect Agent Expiration Date)

Agent seats are held for 45 days from the last time they successfully checked in. This is to allow a seat to be reclaimed by the Console in the event an Agent goes unused for a prolonged period of time. The Agent's expiration date will be 45 days from the last time it successfully checked in.

If the Agent has an expiration date older than 45 days from today, initiating an Agent check-in should refresh its expiration date.

Shavlik Protect 9.x
vCenter Prtoect 8.x

Certain Hot Fixes are missing from Protect.

One of the criteria for a patch to be added to the Protect data is it must have a publicly available download URL.

Certain Hotfixes from Microsoft are only offered by request.

Example of Microsoft Hotfix Request Form

These patches/hotfixes do not offer a publicly available download URL, and therefore are unable to be added to Protect.

Here are some known hotfixes that this article applies to:

• KB2406705
• KB2522766
• KB968287
• KB2597051
• KB2935092

Protect Version: All

This document is meant to explain why some patches do not have a "Download" indicator next to it.

You find a patch in Patch View or a scan result, and there is now Download button in the patch information.

Not all patches are available to be deployed with protect but the scan information is still available to detect if the patch is missing. We refer to these as ‘scan only’ items.

In some cases the patch requires user intervention and the patch cannot be deployed silently, a good example of this would be with some service packs or rollups so we are not able to download the patch with Protect.

Other times the vendor has changed the url or the patch is no longer publically available. In those cases we leave the scan detection there but are unable to download the patch.

Additionally, the lack of download icon could be caused by out of date data files.  You should run a Help -> Refresh Files to ensure you have the latest files.

Shavlik Protect, All Versions

Upgrading to version 9 fails with errors.

• This installation package could not be opened.  Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.

Errors located in the Protect Installer log files (ProtectInstall_20130903_204512.log) in the TEMP directory (%TEMP%)

• 2013-09-03T20:45:12.7989609Z 0b0c E BitsNotification.cpp:156 Error from BITS: The server does not support the necessary HTTP protocol. Background Intelligent Transfer Service (BITS) requires that the server support the Range protocol header.

Clicking the prompt from Protect to upgrade will download a no longer supported web installer.

The web installer is 1.15mb where the full installation file is 154mb.

*Note the Name and Size difference between the 2 files.

Download the full installation file from http://www.shavlik.com/downloads/.

*Note: Always read upgrade documenation prior to running the upgrade. Failure to do so increases likelihood of upgrade issues.

Shavlik Protect 9.0.x

When attempting to scan a Hosted Virtual Machine or virtual machine Template, You get the error "802: Unable to open Virtual Disk(*****)

Could not read boot.ini file in harddrive at '%s'. Unable to read the image's boot.ini file after successfully mounting the hard disk. There can be many causes.

Please familiarize yourself with our Online Documentation regarding Virtual Machines

http://www.shavlik.com/onlinehelp/Protect90HTMLHelp/HFN.htm

VM Template patching requirements:

http://community.shavlik.com/docs/DOC-23054

The first thing to try is to refresh your Hosted Virtual Machines in Protect. This can be done by opening Machine Groups, clicking on Hosted Virtual Machines and click Refresh. Please also verify your credentials are set correctly for the problematic machine. This will solve many errors.

Next, notice that there are a number listed after the words Virtual Disk.

Examples:

Error: 802 Unable to open Virtual Disk (14009)

Error: 802 Unable to open Virtual Disk (16064)

Please lookup the error listed here:http://www.vmware.com/support/developer/vix-api/vix110_reference/errors/errors.htmlThis can help you troubleshoot your issue.

If the error code is related to connectivity and you have verified your credentials are set correctly, It could be a port problem. Please see this documenthttp://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382for a list of necessary ports.

More information can be found in the HF.log (if your logging has been previously set to all in tools-options-logging)

This is located

• Windows 7, 8, 2008, 2012 & Vista: C:\ProgramData\LANDesk\Shavlik Protect\Logs
• Earlier OS’s:  C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Logs

If you still cannot resolve this issue, please erase the logs, recreate the issue and gather the logs. This can be done by following this guide:http://community.shavlik.com/docs/DOC-22921

After you have gathered the logs, please open a support case athttp://support.shavlik.com/, or by calling into support and having them open a case for you. Here is the link to the contact information:http://www.shavlik.com/support/contact/

http://www.shavlik.com/support/contact/

If you receive scan error 802 - Unable to open virtual disk (4000) you can refer to this document.

Shavlik Protect 8.x
Shavlik Protect 9.x

.NET Framework will fail to install/deploy when scheduled by Shavlik Protect.  The same patch can be installed manually.

.NET Framework components are in use and cannot be modified.

Before proceeding with scheduled .NET Framework patch deployment troubleshooting, verify that the failed deployment of the patch is not caused by a corrupted .NET Framework installation and that the patch executable can be deployed manually from the worksation.  Also verify that scheduled patch deployment is working for non .NET Framework patches.

After these possible causes for patch installation failure have eliminated, Follow these two recommendations to release .NET Framework from its associated applications before patch deployment.

Recommendation 1.  - Deploy .NET Framework Patches with the Pre-deploy Reboot option selected in your Deployment Template

This will eliminate the problem with programs in use during your .NET Framework patch deployment.

Verify this by viewing your existing Deployment Templates by clicking Templates-My Deployment Templates.

If you do not have a previous Deployment Template with the Pre-deploy Reboot option selected, you may create a new Deployment Template by clicking on New-Deployment template. By doing a Pre-deployment Reboot, this will ensure that no programs will be in use during the deployment.

For extremet cases 2.  - Disable the auto startup of any programs that utilize .NET Framework. (Advanced Users only)

There are 2 ways to do this. Through Group Policy and on each machine.

*NOTE changes to Group Policy or System Configuration can cause problems to your machines. This guide is for informational purposes only. Shavlik Protect Support won't support any problems caused from changes to the Group Policy or System Configuration.

There are multiple places that startup applications are listed. See here for more information. http://technet.microsoft.com/en-us/magazine/ee851671.aspx

Through Group Policy - See this document http://support.microsoft.com/kb/314488

On Each Machine - You can Verify what programs are set to start on boot by using the System Configuration.

Please read this article for more information. http://windows.microsoft.com/en-us/windows7/using-system-configuration

Open the System Configuration by typing msconfig in a run command and clicking OK.

Next click on the startup tab. Uncheck any Programs that use Java. Click OK.

The next screen will Prompt for a reboot. Please reboot before .NET Framework deployment.

Failed deployment of the .NET Framework patches can also be caused by a corrupted .NET Framework installation.  If you are unable to perform a manual installation of the .NET Framework patch from the target workstation, the issue is most likely related to the .NET Framework installation.  To troubleshoot this and other non Shavlik related .NET Framework issues, please contact Microsoft Support.

Shavlik Protect 8.x
Shavlik Protect 9.x