We have automated the patching by using the scheduler with Shavlik. We have set the weeks to patch to co-inside with the release of Microsoft Patches "Patch Tuesday" this has been fine so far as patch Tuesday is always the second Tuesday of every month so our dev boxes recieve the patches almost immediately after then test boxes the following week along with live.

I have noly just realised that what Microsoft call "Week 2" shavlik does not necessary call it the same week, this has caused for this month and will do for the next month four groups or servers to not be patched as day one of a month is the first week as far as Shavlik is concerned. Week 2 began on the 4th of November for Shavlik so our dev boxes auto patch ran on the 7th Microsoft patches were released on the 12th by which time all the dev boxes have not been patched so live servers have started to be patched without any testing being done.

This will happen again next month as the same problem will happen the 1st is on a Sunday so Shavlik will be a week ahead of Microsoft.

Is there anyway we can adjust when Shavlik believes the week starts?

We need it to believe that week 1 will always be the first full week of the month not from the 1st of every month.

Any help would be appricaited as I am having to go in and manually adjust the "automated" patching.

Patch deployment fails with the following error after machines were moved to a different domain :

The specified network name is no longer available: Error 64

Credentials entered in Manage Credentials contained the previous domain name in the User name field

Example:

OldDomain\username

Changed the User name field under Manage Credentials  to reflect the new domain membership of the target machines

Example:
Original User name field,  OldDomain\Username changed to NewDomain\Username                  

Shavlik Protect 9.x

When the Protect Console machine is upgraded from Window 8.0 to 8.1, Console is no longer able to deploy

The ST.Protect.native.usernamek@MachineName log shows E Deploy.cpp:1958 DeployMachine exception - class STWin32::CWin32Exception at

NetworkLogon.cpp:32: Error 1348: The validation information class requested was invalid

The local account profile used for Windows 8 was connected to a Microsoft Live Account. 

Credentials used in machine group to deploy to target machine contained a local account that was connected to a Microsoft Live account. An upgrade to windows 8.1 affects the Validation information class of local accounts that are connected to a Microsoft Live account

Remove the Microsoft Live Account connection from the local user profile or add the Microsoft live account to the credentials and use the Microsoft Account credentials to log in to the target workstation rather than the local user account.

Shavlik Protect 9.x

Hi Folks,

I'm new to Shavlik and am experimenting with patching a subset of management servers using Shavlik under the 30 day trial.

When running a deployment on say 10 servers discovered via vsphere, which are all in the one machine group using the same deployment template, the servers will only patch 2 at a time. So patches won't start installing on subsequent machines until the entire cycle including reboots has finished on the 1st two servers. I'd like deployment, installation and reboot of machines to be in parallel across the whole machine group. As some of our production environments contain hundreds of servers of the same type that should be patched together, doing 2 at a time will exceed matintence windows.

Is this a limitation of the trial or am I doing something wrong?

Cheers.

Edit: Sorry should add I want to deploy without agents if possible.

I'm about to begin a production deployment of shavlik protect for our server environment. Our environment consists of ±800 windows servers distributed across three data centres. The three DCs have excellent connections between them so bandwidth and latency are not an issue, for this reason my intention is not to use distribution servers.

I am however, curious about the use of multiple console servers. Currently I've got one console server deployed with 4 cores and 8GB of memory. My intention is to patch servers without agents. We have a resonabally short maintence window of 2 hours, once per week for most of our environments.

Will one server provide sufficent performance for an environment of this size, or should we look at a distributed console model?

I am trying to install the Shavlik client on a windows 2003 server. When I recieve the prompt for SQL not found on this system, I am selecting no because the SQL is on a different server. I am able to navigate the process normally until I reach the database setup tool. I am selecting the Use an existing database (link or upgrade) option and selecting next. I am entering the server name in which the SQL server is located, the database name, and using integrated windows authentication. When I test the connection the test result is successful. I select next and on the next screen see that the database link is complete. Console successfully linked to the existing database. I select next and recieve a screen prompting that installation is complete. I select Finish and the tool freezes. Then I recieve the following error: "Failed to commit the database installation or upgrade." I am neither trying to install or upgrade the database. I just want to install the client.

Shavlik Protect Event History displays the following error when trying to backup the Protect database in Database Maintenance: Generic data access layer exception. SQL exception message: Cannot open backup device [\\UNC Path of bak file location] Operating system error 5(Access is denied.)

User that is connecting to SQL database does not have access to the specified UNC Path

Modify connection information in Protect and/or modify rights to the unc path used for the backup location.

Step 1 Determine what SQL user is accessing the database Share

From the Windows Start Menu, Open the Protect Database Setup Tool

Start>All Programs>Shavlik Protect>Database Setup Tool

Select Use an Existing Database and click Next

Verify the credentials that will be used to access the Database

If Integrated Windows authentication is used for both interactive users and services connections the user name used will be the Domain\MachineName$ of the console machine. Otherwise note the credentials used in the User Name: field of "Choose how interactive users will connect to the database" or if "Use alternate credentials for console services" is checked, the User Name: field under "Choose how services will connect to the database.

Step 2.

From the SQL Machine attempt to access the UNC path using the credentials obtained from Step 1

The UNC path of the database backup is defined under Tools>Operations>Database Maintenance in the Protect Menu.  If a local drive letter is specified, it will look for the local drive letter on the SQL server, not the Protect Console.

Step 3.

Give user obtained in Step 1 read/write permission to the share specified in step 2 or change credentals in the Database Setup tool as outlined in Step 1 to a user that has read/write permissions to the share specified in Step 2

Shavlik Protect 9.x

This document outlines how to locate the Shavlik Protect license activation key in the console and transfer this key to a new or additional Protect console.

When migrating to a new Shavlik Protect server or setting up an additional Protect console machine- understanding where to find the license key and how to input it in to the new console is vital to maintaining Shavlik Protect functionality through this transition. As this process may not frequently performed by administrators, a reference/guide for this process may prove to be helpful.

Follow the process below to obtain your license key from your console machine. After locating the key in order to prepare to transfer the key to the new console machine, copy this 25-digit license key and make it readily available.

In Shavlik Protect 9.x:

     Help>About Shavlik Protect Advanced

In the About Shavlik Protect window, the license key can be found in the main text display under

     License Key:

          Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxx

In vCenter Protect 8:

This process is nearly identical to the process in Shavlik Protect 9.x. Refer to the images above.

To locate the license key follow this path:

          Help>About VMware vCenter Protect

In the About VMware vCenter Protect window, the license key can be found in the main text display under:

          License Key:

               Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxx

Activation is the process by which the Protect software is validated as having been purchased.  In order for the new Protect console to fully function activation is required. Users are prompted after installing and opening Shavlik Protect to input their activation key, through the Shavlik Protect Activation window.

To transfer the license key from your previous console machine follow the directions in the window as ordered by number:

     1. Select an activation mode (on left portion of window)

          Select "Product or bundle license"

     2. Enter your activation key(s) (in center of window)

          In the text field below, paste or manually input your 25-digit Protect license key

          Click the "Add" button right of the text field.

     3. Select activation method (lower-center of window)

          Choose "Online activation" if you have an internet connection.

          Click "Activate online now"(at the lower-right corner)

If you require "Offline activation" see the following article- http://community.shavlik.com/docs/DOC-23010

If the software was previously launched and activated by selecting Trial mode, this window can be accessed through Protect by navigating to:

     Help>Enter/refresh license key...

• Protect 9 Installation Guide
• Protect 9 Upgrade Guide
• How to Activate Shavlik Protect
• Managing License Seat Usage
• Sales/Licensing Contact Information

Shavlik Protect 9.x
vCenter Protect 8.x

I've been unable to locate anything other than changing the amount of machines to scan at once. When a scan is initiated, no matter if it's scanning 10 machines at once or 2 machines at once, our bandwidth spikes anywhere from 30mbps to 60mbps.

It also doesn't matter if the template is scanning for both installed & missing patches, it still spikes ridiculously high.

Are there any settings that I'm missing to throttle the bandwidth consumption?

Good morning. I just read this info http://community.shavlik.com/docs/DOC-2185 and had not realized how important 'Refresh files' is to the functioning of Shavlik. [When is this training your are polling for?] Anyway, my question: is it recommended that everytime I get Shavlik-xml notification email, I should refresh files? I have clicked and refreshed files 4 times this morning (and I think it's a different set each time but I haven't paid close attention). Thanks

Hi, Is there a way to get the missing pathes for a set of software without installing them on real machines?

Eg:

I have PCs with different versions of Windows OS, MS Office and other Microsoft products. I need to have as many physical (Virtual) machines as the number of versions of the software to get the actual missing patches.

Instead of having physical machines, if vCenter can take a file which has all the information about installed software and gives me a list of missing patches on all machines will help me to reduce the dependency on real machines.

Is it possible with vCenter / Shavlik protect?

I am using vCenter protect 8.0

Thanks

Sriknath Badireddy

This document is meant to provide information about how to obtain information about Shavlik's XML updates (patch definitions).

Generally the Shavlik content team will provide patch definition updates every Tuesday and Thursday. However, there are three easy sources that can be used to see when new XML updates (patch definitions) are released.

1) XML Announcements Sign up: http://www.shavlik.com/support/xmlsubscribe/

You can sign up to receive Shavlik Protect content (patch definition) email notifications here.

2) Patch Data Information Blog Page: http://protect7.shavlik.com/

This web page displays all patch definitions released by the Shavlik content team for the Protect application.

3) Patch Data Information RSS Feed: http://protect7.shavlik.com/feed/

All the same information as protect7.shavlik.com in an RSS feed.

4) Patch Data Information Twitter: https://twitter.com/ShavlikXML

This Twitter account is updated every time an XML release is put out. This is a good alternative to recieving email notifications, depending upon your preferences.

Shavlik Protect 9.x

vCenter Protect 8.x

Shavlik Protect SDK

Shavlik Rebrands

Has the patch for KB2850061 been approved and pushed for Shavlik Protect yet?

MS says it was release 12/13/2013, and other patches released that day were approved by Shavlik a few days later per norm. However, I do not see that specific patch listed in the patch DB or available for adding to a patch group.

When Help>Refresh License key is selected in the Protect Console the following error is returned:

Could not establish trust relationship for the SSL/TLS secure channel with authority 'golicense.vmware.com'  or

Could not establish trust relationship for the SSL/TLS secure channel with authority 'golicense.shavlik.com'

Root Certificate Information on the Protect Console is out of date

Update Root Certificate Information on the Operating System running the Protect Console using the the following document:

Updating Root Certificates Information http://community.shavlik.com/docs/DOC-22945

WMware vCenter Protect 8.x

Shavlik Protect 9.X

Hi,

Is there a way to export/import patch groups in Protect 9?

Thanks

Patrick

Error Message while attempting a asset scan
[Machine Name] Cannot connect to WMI Service. It might be stopped or firewalled "Cannot connect to WMI Service.

Windows Management Instrumentation (WMI) service is Disabled/Off.

The neccessary ports for an Asset scan are not accessible from the Protect Console to the Target Workstation.

The Protect Console cannot perform proper DNS resolution to the target workstation.

The DNS server contains multiple reverse lookup entries for the same IP Address

WMI Services must be started for hardware asset scanning

Make sure IP Addresses are unique for target workstations in both the forward and reverse DNS Domain lookup

When performing an asset scan, Windows Management Instrumentation (WMI) service must be enabled on the target machine and the protocol allowed to the machine (TCP port 135).

In addition to the WMI port, other ports are necessary for an Asset scan to work properly.  Refer to the following document, Port Requirement for Shavlik Protect: http://community.shavlik.com/docs/DOC-2161

Protect Version: All

• Attempting to launch Shavlik Protect fails and returns with the following error:

"The database connection could not be made. This may be caused by a temporary interruption in the database server, or the machine hosting the database could have been renamed."

• Selecting "Launch the database configuration utility" and attempting to reconnect to SQL Server and Protect database fails, returning with error:

              "Failed to connect to SQL Server '(sql server path)'. Please verify the SQL name and credentials>"

• After verifying SQL server credentials user receives same error message.

This issue will occur if the SQL Server previously on the machine has been removed. Without the SQL Server installed on the console machine, despite retaining the Protect database, Protect will be unable to function. Some users may inadvertently uninstall the server software without being aware that doing so will not permit Shavlik Protect to run. Doing so will not delete the Protect database and Protect should be able to function again after reinstalling and configuring the SQL Server.

To resolve this issue you must:

1. Reinstall Microsoft® SQL Server Management Studio® software (the Protect installer installs SQL Server 2012 Express by default)

   2.  Reattach the Protect SQL database to the SQL server.

The remainder of this document will provide in-depth instructions on how to perform these tasks to resolve the database connection error.

If you will be using an Express Edition of Microsoft SQL Server, you should consider downloading and installing Microsoft SQL Server Management Studio. This free software can be used to perform backups and to manage your database. Additionally, it will make the process of reattaching the Protect database to the SQL server much simpler.

If you would like to follow the resolution outlined in this document, SQL Server Management Studio is required.

The Microsoft® SQL Server® 2012 Express installer can obtained for free at the following link:

http://www.microsoft.com/en-us/download/details.aspx?id=29062

To install both the SQL Server and the Server Management Studio Express, install the package containing the SQL Express Server and SQL Server Management Studio.

After installation, Protect will still not launch, attempts to reconnect to the SQL server will return with this error:

     "The database 'Protect' does not exist on the SQL Server  Please verify your configuration"

This error indicates that the protect database must be reattached to the SQL Express server, the easiest way to do this is through Microsoft SQL Server Management Studio. This process will be outlined in the next section of this article.

To reattach the Protect database to the SQL Express Server, open SQL Server Management Studio.

SQL Server Management Studio can be opened by following this path:

     Start->Micrsoft SQL Server 2012->SQL Server Management Studio

The "Connect to server" window will appear at launch.

For most users- including all who originally installed SQL Express through the Protect install package- none of the fields need to be modified.

Simply click connect to proceed to the next step in the process. Doing so will close the dialog box.

The SQL server should now be visible on the left in the Object Explorer pane. If the Databases subfolder is not visible, click the plus sign to the left of the entry containing the server path to display the server contents.

Right click this Databases directory and click "Attach..."

An "Attach Databases" dialog box will open.

Click Add in the right-center of the window to proceed. Doing so will open the Locate Database Files window.

Left-click the Protect.mdf file, which is located under DATA, then click OK.

This will attach the database file and close the window.

Click OK again to exit the Attach Databases window.

In the Object Explorer pane, the Protect database should now be visible, demonstrating that the Protect database has successfully been attached to the SQL Express server.

After completing these steps, the SQL Server should be configured properly to allow the Protect console to function as before. Opening Protect should launch the program without any of the previous errors. Protect should require no more additional configuration to resume functional operation.

Note: After the completion of these steps, if any further difficulty is encountered in attempting to connect to the database by Protect, use the Database Setup Tool to make sure that Protect database is configured properly. This can be located by going to:

Start->Shavlik Protect->Database Setup Tool

If you receive the same error message as above and verify that the SQL Server is installed, your SQL Server service may not be running.

http://community.shavlik.com/docs/DOC-23089

Restore Shavlik Database from backup using SQL Server Management Studion:

http://community.shavlik.com/docs/DOC-22956

Shavlik Protect 9.x

vCenter Protect 8.x

You are able to manually verify a Java installation exists on a target (client) system, but a patch scan with Protect does not list a Java patch as missing or installed.

There are three likely causes for this issue that should be evaluated first:

1. Verify the patch definitions for Protect are up to date by running Help > Refresh Files. You can verify the version of the patch definitions by going to Help > About > Version Info.  Look for Patch Assessment under the Definition area and then cross reference the version with this website http://protect7.shavlik.com/category/patch-and-bulletin-information/. 
2. Use a built-in patch scanning template (Security Patch Scan or WUScan template) when troubleshooting scan related issues. If not using the Security Patch Scan or WUScan template, verify the custom scan template does not include filtering that would limit what patches and products scanned. 
3. If you believe the Java patch is installed, manually verify the Java patch is listed as installed in Add/Remove Programs (Programs & Features).

Is Java Development Kit installed on the target (client) system? If Java Development Kit (JDK) is installed on the target system, you cannot patch Java on the system. The reason is that we do not support patching JDK, and we do not offer updates even for JRE in this instance because applying the JRE update will break JDK on the system. Another possible cause of the issue is a corrupt install of Java on the target (client) system.

The Shavlik Protect scan engine's detection logic verifies the version of the jvm.dll and java.exe files on the target machine. The scan engine determines the location of these files based on information stored in the registry on the client system. A scan issue occurs if the file location listed in the registry key does not match where the files are located on the system. You can manually verify this by navigating to one of the following registry location using regedit: 

• 32 bit: HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment
• 64 bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment

Navigate to one of the versions of Java listed under this key, then for each version there will be a "RuntimeLib" key. The value of the RuntimeLib key contains the location that we check during our patch scan process.

You can also perform a search for jvm.dll and/or java.exe on your system. If the files are not located in the directory specified in the value of the RuntimeLib registry key then you may have a bad install of Java. The best way to correct this is to manually apply the next Java patch or reinstall Java on the system.

If the instructions in this article do not help identify the root cause of this issue, contact the Shavlik support team and please provide the following information:

Logs: http://community.shavlik.com/docs/DOC-22921

DPD Trace: http://community.shavlik.com/docs/DOC-22997

Support Contact: http://www.shavlik.com/support/contact/

Shavlik Protect 9.x

vCenter Protect 8.x

This document contains information about the availability of patches and Shavlik updated XML files after vendor patch release.

While Shavlik aims to release updated assessment and deployment XML files on the same business day that a new security bulletin-related patch is released, we may require up to 24 hours after bulletin release to fully test the patches and release updated XML files. This is to ensure the proper amount of time for testing Protect's ability to scan, deploy and uninstall (where applicable) the latest patches on all affected systems.

New XML files can be downloaded by selecting Help > Refresh Files or by simply allowing a patch scan to automatically download them as part of the scanning process.

If you would like to be updated when new XML files have been released, please see the following resources:

Sign-up for XML announcement emails:

http://www.shavlik.com/support/xmlsubscribe/

XML Information page:

http://protect7.shavlik.com/

XML Twitter:

https://twitter.com/ShavlikXML

This document is meant to provide a checklist that will ensure successful deployment of patches when using agents with the Protect product.

Checklist for patch day when using agents with Protect

1) Make sure you are signed up for the XML Announcements list. This gives you up to date information on when XML releases and what new patches have been added into the product. Whenever our data content team releases new patch definitions for Protect you will be sent an email notification.

http://www.shavlik.com/support/xmlsubscribe/

You can also see the latest patch defiintion information at these sites:

http://protect7.shavlik.com/category/patch-and-bulletin-information/http://protectessentials.shavlik.com/

https://twitter.com/ShavlikXML

2) Once the latest XML is live make sure your Protect console is updated.  Run Tools > Refresh Files.  This will check in with XML.Shavlik.com and update any new XML and Engine files.

You can Automate this update by doing the following:

In Shavlik Protect 9: Go to Tools > Operations > Downloads. Under 'Schedule automatic downloads' choose Core engines/definitions in the drop down, then click the Add button to the left. You can then set up a schedule for the definitions to automatically download. You may also want to set up the same type of schedule for Threat Engines/Definitions.

In Protect 8: Go to Tools > Options > Definitions. Put a check next to 'Periodically download new definitions', and you can set the schedule.

3) Download patches you need to push for this patch cycle.

This step is required for agents using a distribution server for patch downloads, but is optional for agents set to download from vendor over internet. 

The best way to do this is to scan a test group of machines that include all products and platforms that would be found in your production environment.  From that scan result select and download all or selected patches. Another method is to search for the patches you want within View > Patches and download any that you know are required.

4) Synchronize your distribution servers. (Not required if your agent policy is set to downlaod via Vendor over Internet.)

How to do this:

In Protect 9: Go to Tools > Operations > Distribution Servers. Under 'Distribution Servers' highlight the distribution server you wish to synchronize. You must set up a scheduled sync - in the drop-down above the recommended method is to choose 'All engines, definitions, and patch downloads'. Then click on 'Add scheduled sync'. This allows the synchronization to take place on the schedule you set up, and you will now see the synchronization jobs listed under the 'Scheduled automatic synchronization' area. If you wish to run synchronization immediately you can highlight one of the scheduled syncs, then click 'Run now'.

In Protect 8: Go to Tools > Distribution Servers > Synchronization tab.  Synch Engines and XML and Download Center. You can also enable automatic synchronization, which would take place at the same time as the schedule set up under Tools > Options > Definitions for the automatic download.

5) Update any approved patch listing in the agent policy or patch groups that are being used. If you use these methods to limit what Protect can scan for or deploy you may need to update them accordingly to contain any newly released patches.

Shavlik Protect 9.x

vCenter Protect 8.x