Purpose
Although this is more a SCCM issue, Ivanti Patch for SCCM is directly affected. This document will outline how to resolve Ivanti Patch for SCCM functionality issues caused when the SCCM user's Security Scope isn't set to: All instances of the objects that are related to the assigned security roles.
Overview
The requirements for Shavlik Patch are located here: How To: Verify your SCCM user is a member of the WSUS Administrators Group
In addition requirements from the document, the SCCM user must be assigned to the All instances of the objects that are related to the assigned security roles Security Scope.
This is an example of a SCCM Administrator who does not have All Instances Of The Objects That Are Related To The Assigned Security Roles set.
The AutoPublish.log located in this folder: C:\users\username\Shavlik\Shavlik Patch folder will contain these errors:
SMS Error: Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException You do not have security rights to perform this operation. AutoPublish 1/31/2017 3:14:14 PM 4 (0x0004)
Generic failure AutoPublish 1/31/2017 3:14:14 PM 4 (0x0004)
Your Configuration Manager security settings may be limited. Your security role should be 'Full Administrator' and your security scopes should be 'All instances of the objects that are related to the assigned security roles'. AutoPublish 1/31/2017 3:14:14 PM 4 (0x0004)
Error - AutoPublish returned code 18: Error cleaning up categories AutoPublish 1/31/2017 3:14:14 PM 1 (0x0001)
Resolution
1. Open SCCM and select Administration.
2. Expand Security and select Administrative Users.
3. Locate the user used to log into the SCCM server and open its Properties.
4. On the Security Scopes tab select 'All Instances Of The Objects That Are Related To The Assigned Security Roles'.
5. Select OK..
Additional Information
There are two known workarounds if the option 'All Instances Of The Objects That Are Related To The Assigned Security Roles' is greyed. (pictured above)
- Log into the Windows as the original user who installed the SCCM server. This is the only user able to change the Security Scope option.
- If all else fails, Microsoft advises to rebuild your SCCM environment.
Affected Product(s)
Ivanti Patch for SCCM